Action not permitted
Modal body text goes here.
Modal Title
Modal Body
wid-sec-w-2024-3251
Vulnerability from csaf_certbund
Published
2024-10-21 22:00
Modified
2025-01-20 23:00
Summary
Linux Kernel: Mehrere Schwachstellen ermöglichen Denial of Service
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Der Kernel stellt den Kern des Linux Betriebssystems dar.
Angriff
Ein Angreifer kann mehrere Schwachstellen in Linux Kernel ausnutzen, um einen Denial of Service Angriff durchzuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen..
Betroffene Betriebssysteme
- Linux
{ document: { aggregate_severity: { text: "mittel", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Der Kernel stellt den Kern des Linux Betriebssystems dar.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein Angreifer kann mehrere Schwachstellen in Linux Kernel ausnutzen, um einen Denial of Service Angriff durchzuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen..", title: "Angriff", }, { category: "general", text: "- Linux", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2024-3251 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-3251.json", }, { category: "self", summary: "WID-SEC-2024-3251 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-3251", }, { category: "external", summary: "Kernel CVE Announce Mailingliste", url: "https://lore.kernel.org/linux-cve-announce/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47726", url: "https://lore.kernel.org/linux-cve-announce/2024102104-CVE-2024-47726-ae53@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47729", url: "https://lore.kernel.org/linux-cve-announce/2024102105-CVE-2024-47729-8985@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47730", url: "https://lore.kernel.org/linux-cve-announce/2024102106-CVE-2024-47730-2f1e@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47731", url: "https://lore.kernel.org/linux-cve-announce/2024102106-CVE-2024-47731-fd73@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47732", url: "https://lore.kernel.org/linux-cve-announce/2024102106-CVE-2024-47732-f8aa@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50003", url: "https://lore.kernel.org/linux-cve-announce/2024102106-CVE-2024-50003-43bc@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47733", url: "https://lore.kernel.org/linux-cve-announce/2024102107-CVE-2024-47733-6591@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47734", url: "https://lore.kernel.org/linux-cve-announce/2024102107-CVE-2024-47734-ad75@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47735", url: "https://lore.kernel.org/linux-cve-announce/2024102107-CVE-2024-47735-5d51@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50004", url: "https://lore.kernel.org/linux-cve-announce/2024102108-CVE-2024-50004-101e@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50005", url: "https://lore.kernel.org/linux-cve-announce/2024102108-CVE-2024-50005-3479@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50006", url: "https://lore.kernel.org/linux-cve-announce/2024102108-CVE-2024-50006-fe44@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50007", url: "https://lore.kernel.org/linux-cve-announce/2024102109-CVE-2024-50007-0253@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50008", url: "https://lore.kernel.org/linux-cve-announce/2024102109-CVE-2024-50008-0152@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50009", url: "https://lore.kernel.org/linux-cve-announce/2024102109-CVE-2024-50009-1b62@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50010", url: "https://lore.kernel.org/linux-cve-announce/2024102109-CVE-2024-50010-57e8@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50011", url: "https://lore.kernel.org/linux-cve-announce/2024102109-CVE-2024-50011-98c9@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50012", url: "https://lore.kernel.org/linux-cve-announce/2024102109-CVE-2024-50012-db7d@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49863", url: "https://lore.kernel.org/linux-cve-announce/2024102110-CVE-2024-49863-6a74@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50013", url: "https://lore.kernel.org/linux-cve-announce/2024102110-CVE-2024-50013-05ef@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50014", url: "https://lore.kernel.org/linux-cve-announce/2024102110-CVE-2024-50014-d684@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50015", url: "https://lore.kernel.org/linux-cve-announce/2024102110-CVE-2024-50015-1eb0@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50016", url: "https://lore.kernel.org/linux-cve-announce/2024102110-CVE-2024-50016-745a@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50017", url: "https://lore.kernel.org/linux-cve-announce/2024102110-CVE-2024-50017-f157@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50018", url: "https://lore.kernel.org/linux-cve-announce/2024102111-CVE-2024-50018-65e9@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47749", url: "https://lore.kernel.org/linux-cve-announce/2024102112-CVE-2024-47749-c227@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47750", url: "https://lore.kernel.org/linux-cve-announce/2024102113-CVE-2024-47750-390b@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47751", url: "https://lore.kernel.org/linux-cve-announce/2024102113-CVE-2024-47751-7a96@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47752", url: "https://lore.kernel.org/linux-cve-announce/2024102113-CVE-2024-47752-1b11@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49864", url: "https://lore.kernel.org/linux-cve-announce/2024102113-CVE-2024-49864-5158@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49865", url: "https://lore.kernel.org/linux-cve-announce/2024102113-CVE-2024-49865-ae89@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49866", url: "https://lore.kernel.org/linux-cve-announce/2024102113-CVE-2024-49866-159b@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49867", url: "https://lore.kernel.org/linux-cve-announce/2024102113-CVE-2024-49867-b47a@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49868", url: "https://lore.kernel.org/linux-cve-announce/2024102113-CVE-2024-49868-8dce@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47753", url: "https://lore.kernel.org/linux-cve-announce/2024102114-CVE-2024-47753-45cf@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47754", url: "https://lore.kernel.org/linux-cve-announce/2024102114-CVE-2024-47754-a412@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49869", url: "https://lore.kernel.org/linux-cve-announce/2024102114-CVE-2024-49869-f804@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49870", url: "https://lore.kernel.org/linux-cve-announce/2024102114-CVE-2024-49870-44f0@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49871", url: "https://lore.kernel.org/linux-cve-announce/2024102114-CVE-2024-49871-1293@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49872", url: "https://lore.kernel.org/linux-cve-announce/2024102114-CVE-2024-49872-16d4@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49873", url: "https://lore.kernel.org/linux-cve-announce/2024102114-CVE-2024-49873-3190@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47755", url: "https://lore.kernel.org/linux-cve-announce/2024102115-CVE-2024-47755-2cb3@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47756", url: "https://lore.kernel.org/linux-cve-announce/2024102115-CVE-2024-47756-1c60@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47757", url: "https://lore.kernel.org/linux-cve-announce/2024102115-CVE-2024-47757-2b1e@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49874", url: "https://lore.kernel.org/linux-cve-announce/2024102115-CVE-2024-49874-6deb@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49876", url: "https://lore.kernel.org/linux-cve-announce/2024102115-CVE-2024-49876-7fe2@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49877", url: "https://lore.kernel.org/linux-cve-announce/2024102115-CVE-2024-49877-038a@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49885", url: "https://lore.kernel.org/linux-cve-announce/2024102117-CVE-2024-49885-d5d0@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49886", url: "https://lore.kernel.org/linux-cve-announce/2024102117-CVE-2024-49886-3477@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49887", url: "https://lore.kernel.org/linux-cve-announce/2024102117-CVE-2024-49887-04ba@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49888", url: "https://lore.kernel.org/linux-cve-announce/2024102117-CVE-2024-49888-027c@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49889", url: "https://lore.kernel.org/linux-cve-announce/2024102117-CVE-2024-49889-6140@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49890", url: "https://lore.kernel.org/linux-cve-announce/2024102118-CVE-2024-49890-ba65@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49891", url: "https://lore.kernel.org/linux-cve-announce/2024102118-CVE-2024-49891-931a@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49892", url: "https://lore.kernel.org/linux-cve-announce/2024102118-CVE-2024-49892-b04d@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49893", url: "https://lore.kernel.org/linux-cve-announce/2024102118-CVE-2024-49893-72a4@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49894", url: "https://lore.kernel.org/linux-cve-announce/2024102118-CVE-2024-49894-08a0@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49858", url: "https://lore.kernel.org/linux-cve-announce/2024102123-CVE-2024-49858-b7c4@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49859", url: "https://lore.kernel.org/linux-cve-announce/2024102124-CVE-2024-49859-9917@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49860", url: "https://lore.kernel.org/linux-cve-announce/2024102124-CVE-2024-49860-2a48@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49861", url: "https://lore.kernel.org/linux-cve-announce/2024102124-CVE-2024-49861-5288@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49862", url: "https://lore.kernel.org/linux-cve-announce/2024102125-CVE-2024-49862-b995@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50022", url: "https://lore.kernel.org/linux-cve-announce/2024102129-CVE-2024-50022-0531@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50023", url: "https://lore.kernel.org/linux-cve-announce/2024102129-CVE-2024-50023-0e72@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50024", url: "https://lore.kernel.org/linux-cve-announce/2024102129-CVE-2024-50024-a052@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49955", url: "https://lore.kernel.org/linux-cve-announce/2024102130-CVE-2024-49955-f517@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50025", url: "https://lore.kernel.org/linux-cve-announce/2024102130-CVE-2024-50025-38d8@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50026", url: "https://lore.kernel.org/linux-cve-announce/2024102130-CVE-2024-50026-a7cf@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50027", url: "https://lore.kernel.org/linux-cve-announce/2024102130-CVE-2024-50027-91e1@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50028", url: "https://lore.kernel.org/linux-cve-announce/2024102130-CVE-2024-50028-5655@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49959", url: "https://lore.kernel.org/linux-cve-announce/2024102131-CVE-2024-49959-ce09@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49960", url: "https://lore.kernel.org/linux-cve-announce/2024102131-CVE-2024-49960-f9cb@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49961", url: "https://lore.kernel.org/linux-cve-announce/2024102131-CVE-2024-49961-7541@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49962", url: "https://lore.kernel.org/linux-cve-announce/2024102132-CVE-2024-49962-8d16@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49963", url: "https://lore.kernel.org/linux-cve-announce/2024102132-CVE-2024-49963-a198@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49964", url: "https://lore.kernel.org/linux-cve-announce/2024102132-CVE-2024-49964-e06e@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50043", url: "https://lore.kernel.org/linux-cve-announce/2024102133-CVE-2024-50043-86f8@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50044", url: "https://lore.kernel.org/linux-cve-announce/2024102133-CVE-2024-50044-2ee1@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50045", url: "https://lore.kernel.org/linux-cve-announce/2024102133-CVE-2024-50045-283d@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50046", url: "https://lore.kernel.org/linux-cve-announce/2024102134-CVE-2024-50046-a9b4@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50047", url: "https://lore.kernel.org/linux-cve-announce/2024102134-CVE-2024-50047-7a27@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50048", url: "https://lore.kernel.org/linux-cve-announce/2024102134-CVE-2024-50048-f299@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50049", url: "https://lore.kernel.org/linux-cve-announce/2024102134-CVE-2024-50049-26da@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50055", url: "https://lore.kernel.org/linux-cve-announce/2024102134-CVE-2024-50055-7d1f@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50056", url: "https://lore.kernel.org/linux-cve-announce/2024102135-CVE-2024-50056-78bf@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50057", url: "https://lore.kernel.org/linux-cve-announce/2024102135-CVE-2024-50057-d046@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50058", url: "https://lore.kernel.org/linux-cve-announce/2024102135-CVE-2024-50058-e827@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50059", url: "https://lore.kernel.org/linux-cve-announce/2024102135-CVE-2024-50059-4ccd@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50060", url: "https://lore.kernel.org/linux-cve-announce/2024102135-CVE-2024-50060-6994@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49985", url: "https://lore.kernel.org/linux-cve-announce/2024102136-CVE-2024-49985-0b2a@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49986", url: "https://lore.kernel.org/linux-cve-announce/2024102136-CVE-2024-49986-19eb@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49987", url: "https://lore.kernel.org/linux-cve-announce/2024102136-CVE-2024-49987-e897@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50061", url: "https://lore.kernel.org/linux-cve-announce/2024102136-CVE-2024-50061-50ab@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50062", url: "https://lore.kernel.org/linux-cve-announce/2024102136-CVE-2024-50062-1ea1@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50063", url: "https://lore.kernel.org/linux-cve-announce/2024102136-CVE-2024-50063-1a59@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50064", url: "https://lore.kernel.org/linux-cve-announce/2024102136-CVE-2024-50064-33d1@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50065", url: "https://lore.kernel.org/linux-cve-announce/2024102136-CVE-2024-50065-c751@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49988", url: "https://lore.kernel.org/linux-cve-announce/2024102137-CVE-2024-49988-89d5@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49989", url: "https://lore.kernel.org/linux-cve-announce/2024102137-CVE-2024-49989-8165@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49990", url: "https://lore.kernel.org/linux-cve-announce/2024102137-CVE-2024-49990-c3e9@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49991", url: "https://lore.kernel.org/linux-cve-announce/2024102137-CVE-2024-49991-59d4@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49992", url: "https://lore.kernel.org/linux-cve-announce/2024102137-CVE-2024-49992-fd66@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49993", url: "https://lore.kernel.org/linux-cve-announce/2024102138-CVE-2024-49993-5b57@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49994", url: "https://lore.kernel.org/linux-cve-announce/2024102138-CVE-2024-49994-de99@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49995", url: "https://lore.kernel.org/linux-cve-announce/2024102138-CVE-2024-49995-ec59@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49996", url: "https://lore.kernel.org/linux-cve-announce/2024102138-CVE-2024-49996-0d29@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49997", url: "https://lore.kernel.org/linux-cve-announce/2024102138-CVE-2024-49997-0d01@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49998", url: "https://lore.kernel.org/linux-cve-announce/2024102139-CVE-2024-49998-1a69@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49999", url: "https://lore.kernel.org/linux-cve-announce/2024102139-CVE-2024-49999-e815@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50000", url: "https://lore.kernel.org/linux-cve-announce/2024102139-CVE-2024-50000-c542@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50001", url: "https://lore.kernel.org/linux-cve-announce/2024102139-CVE-2024-50001-67e4@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50002", url: "https://lore.kernel.org/linux-cve-announce/2024102139-CVE-2024-50002-bdfd@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48983", url: "https://lore.kernel.org/linux-cve-announce/2024102147-CVE-2022-48983-7e0c@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48987", url: "https://lore.kernel.org/linux-cve-announce/2024102147-CVE-2022-48987-c88b@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48988", url: "https://lore.kernel.org/linux-cve-announce/2024102148-CVE-2022-48988-188f@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48989", url: "https://lore.kernel.org/linux-cve-announce/2024102148-CVE-2022-48989-54c3@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48990", url: "https://lore.kernel.org/linux-cve-announce/2024102148-CVE-2022-48990-1cf1@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48991", url: "https://lore.kernel.org/linux-cve-announce/2024102148-CVE-2022-48991-3987@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48992", url: "https://lore.kernel.org/linux-cve-announce/2024102148-CVE-2022-48992-2962@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49850", url: "https://lore.kernel.org/linux-cve-announce/2024102151-CVE-2024-49850-4cc6@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49851", url: "https://lore.kernel.org/linux-cve-announce/2024102152-CVE-2024-49851-edd9@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49852", url: "https://lore.kernel.org/linux-cve-announce/2024102152-CVE-2024-49852-875e@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-49016", url: "https://lore.kernel.org/linux-cve-announce/2024102153-CVE-2022-49016-c7bb@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-49017", url: "https://lore.kernel.org/linux-cve-announce/2024102153-CVE-2022-49017-ae90@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-49018", url: "https://lore.kernel.org/linux-cve-announce/2024102153-CVE-2022-49018-7ee3@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-49019", url: "https://lore.kernel.org/linux-cve-announce/2024102153-CVE-2022-49019-435d@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49853", url: "https://lore.kernel.org/linux-cve-announce/2024102153-CVE-2024-49853-b3ea@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49854", url: "https://lore.kernel.org/linux-cve-announce/2024102153-CVE-2024-49854-1ba5@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49855", url: "https://lore.kernel.org/linux-cve-announce/2024102153-CVE-2024-49855-8997@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-49020", url: "https://lore.kernel.org/linux-cve-announce/2024102154-CVE-2022-49020-2d32@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-49021", url: "https://lore.kernel.org/linux-cve-announce/2024102154-CVE-2022-49021-9979@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-49022", url: "https://lore.kernel.org/linux-cve-announce/2024102154-CVE-2022-49022-c605@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-49023", url: "https://lore.kernel.org/linux-cve-announce/2024102154-CVE-2022-49023-381d@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-49024", url: "https://lore.kernel.org/linux-cve-announce/2024102154-CVE-2022-49024-e31a@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49856", url: "https://lore.kernel.org/linux-cve-announce/2024102154-CVE-2024-49856-f5f7@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49857", url: "https://lore.kernel.org/linux-cve-announce/2024102154-CVE-2024-49857-7233@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-49025", url: "https://lore.kernel.org/linux-cve-announce/2024102155-CVE-2022-49025-4bcc@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-49026", url: "https://lore.kernel.org/linux-cve-announce/2024102155-CVE-2022-49026-f8d1@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-49027", url: "https://lore.kernel.org/linux-cve-announce/2024102155-CVE-2022-49027-3006@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-49028", url: "https://lore.kernel.org/linux-cve-announce/2024102155-CVE-2022-49028-78e7@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-49029", url: "https://lore.kernel.org/linux-cve-announce/2024102155-CVE-2022-49029-0ffd@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-49030", url: "https://lore.kernel.org/linux-cve-announce/2024102155-CVE-2022-49030-cee8@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-49031", url: "https://lore.kernel.org/linux-cve-announce/2024102156-CVE-2022-49031-5b75@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-49032", url: "https://lore.kernel.org/linux-cve-announce/2024102156-CVE-2022-49032-d2a1@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-49033", url: "https://lore.kernel.org/linux-cve-announce/2024102156-CVE-2022-49033-a8c6@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2023-52917", url: "https://lore.kernel.org/linux-cve-announce/2024102100-CVE-2023-52917-f16d@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47675", url: "https://lore.kernel.org/linux-cve-announce/2024102103-CVE-2024-47675-643d@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47722", url: "https://lore.kernel.org/linux-cve-announce/2024102103-CVE-2024-47722-dc6e@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47723", url: "https://lore.kernel.org/linux-cve-announce/2024102103-CVE-2024-47723-d904@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47724", url: "https://lore.kernel.org/linux-cve-announce/2024102103-CVE-2024-47724-c771@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47725", url: "https://lore.kernel.org/linux-cve-announce/2024102104-CVE-2024-47725-f698@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47676", url: "https://lore.kernel.org/linux-cve-announce/2024102105-CVE-2024-47676-016b@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47727", url: "https://lore.kernel.org/linux-cve-announce/2024102105-CVE-2024-47727-1049@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47728", url: "https://lore.kernel.org/linux-cve-announce/2024102105-CVE-2024-47728-824a@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47677", url: "https://lore.kernel.org/linux-cve-announce/2024102106-CVE-2024-47677-714d@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47678", url: "https://lore.kernel.org/linux-cve-announce/2024102106-CVE-2024-47678-0b1b@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47679", url: "https://lore.kernel.org/linux-cve-announce/2024102106-CVE-2024-47679-e793@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47680", url: "https://lore.kernel.org/linux-cve-announce/2024102107-CVE-2024-47680-194f@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47681", url: "https://lore.kernel.org/linux-cve-announce/2024102107-CVE-2024-47681-bd36@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47682", url: "https://lore.kernel.org/linux-cve-announce/2024102108-CVE-2024-47682-0582@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47683", url: "https://lore.kernel.org/linux-cve-announce/2024102108-CVE-2024-47683-8cf2@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47684", url: "https://lore.kernel.org/linux-cve-announce/2024102108-CVE-2024-47684-4869@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47736", url: "https://lore.kernel.org/linux-cve-announce/2024102108-CVE-2024-47736-712a@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47737", url: "https://lore.kernel.org/linux-cve-announce/2024102108-CVE-2024-47737-b77e@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47738", url: "https://lore.kernel.org/linux-cve-announce/2024102108-CVE-2024-47738-3f0e@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47685", url: "https://lore.kernel.org/linux-cve-announce/2024102109-CVE-2024-47685-af1e@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47686", url: "https://lore.kernel.org/linux-cve-announce/2024102109-CVE-2024-47686-e46a@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47687", url: "https://lore.kernel.org/linux-cve-announce/2024102109-CVE-2024-47687-9a03@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47739", url: "https://lore.kernel.org/linux-cve-announce/2024102109-CVE-2024-47739-8bc4@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47740", url: "https://lore.kernel.org/linux-cve-announce/2024102109-CVE-2024-47740-ae86@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47688", url: "https://lore.kernel.org/linux-cve-announce/2024102110-CVE-2024-47688-0fe1@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47689", url: "https://lore.kernel.org/linux-cve-announce/2024102110-CVE-2024-47689-cdec@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47690", url: "https://lore.kernel.org/linux-cve-announce/2024102110-CVE-2024-47690-113f@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47741", url: "https://lore.kernel.org/linux-cve-announce/2024102110-CVE-2024-47741-5974@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47742", url: "https://lore.kernel.org/linux-cve-announce/2024102110-CVE-2024-47742-b72d@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47743", url: "https://lore.kernel.org/linux-cve-announce/2024102110-CVE-2024-47743-77c3@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47691", url: "https://lore.kernel.org/linux-cve-announce/2024102111-CVE-2024-47691-ab21@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47692", url: "https://lore.kernel.org/linux-cve-announce/2024102111-CVE-2024-47692-38d2@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47744", url: "https://lore.kernel.org/linux-cve-announce/2024102111-CVE-2024-47744-7571@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47745", url: "https://lore.kernel.org/linux-cve-announce/2024102111-CVE-2024-47745-42e6@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47746", url: "https://lore.kernel.org/linux-cve-announce/2024102111-CVE-2024-47746-f737@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47693", url: "https://lore.kernel.org/linux-cve-announce/2024102112-CVE-2024-47693-f12d@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47694", url: "https://lore.kernel.org/linux-cve-announce/2024102112-CVE-2024-47694-5594@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47695", url: "https://lore.kernel.org/linux-cve-announce/2024102112-CVE-2024-47695-2d7b@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47747", url: "https://lore.kernel.org/linux-cve-announce/2024102112-CVE-2024-47747-8dca@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47748", url: "https://lore.kernel.org/linux-cve-announce/2024102112-CVE-2024-47748-a134@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47696", url: "https://lore.kernel.org/linux-cve-announce/2024102113-CVE-2024-47696-e1f7@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47697", url: "https://lore.kernel.org/linux-cve-announce/2024102113-CVE-2024-47697-5277@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47698", url: "https://lore.kernel.org/linux-cve-announce/2024102113-CVE-2024-47698-d5fe@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47699", url: "https://lore.kernel.org/linux-cve-announce/2024102114-CVE-2024-47699-c54c@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47700", url: "https://lore.kernel.org/linux-cve-announce/2024102114-CVE-2024-47700-00ff@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47701", url: "https://lore.kernel.org/linux-cve-announce/2024102114-CVE-2024-47701-7db5@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47702", url: "https://lore.kernel.org/linux-cve-announce/2024102115-CVE-2024-47702-c5c4@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47703", url: "https://lore.kernel.org/linux-cve-announce/2024102115-CVE-2024-47703-36ea@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49875", url: "https://lore.kernel.org/linux-cve-announce/2024102115-CVE-2024-49875-02ba@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47704", url: "https://lore.kernel.org/linux-cve-announce/2024102116-CVE-2024-47704-d937@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47705", url: "https://lore.kernel.org/linux-cve-announce/2024102116-CVE-2024-47705-12bc@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47706", url: "https://lore.kernel.org/linux-cve-announce/2024102116-CVE-2024-47706-7312@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49883", url: "https://lore.kernel.org/linux-cve-announce/2024102116-CVE-2024-49883-ca93@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49884", url: "https://lore.kernel.org/linux-cve-announce/2024102116-CVE-2024-49884-fa56@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47707", url: "https://lore.kernel.org/linux-cve-announce/2024102117-CVE-2024-47707-d8db@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47708", url: "https://lore.kernel.org/linux-cve-announce/2024102117-CVE-2024-47708-2b8f@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47709", url: "https://lore.kernel.org/linux-cve-announce/2024102117-CVE-2024-47709-8e66@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47710", url: "https://lore.kernel.org/linux-cve-announce/2024102118-CVE-2024-47710-3882@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47711", url: "https://lore.kernel.org/linux-cve-announce/2024102118-CVE-2024-47711-349d@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47712", url: "https://lore.kernel.org/linux-cve-announce/2024102118-CVE-2024-47712-13c2@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47713", url: "https://lore.kernel.org/linux-cve-announce/2024102119-CVE-2024-47713-2624@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47714", url: "https://lore.kernel.org/linux-cve-announce/2024102119-CVE-2024-47714-f88b@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47715", url: "https://lore.kernel.org/linux-cve-announce/2024102120-CVE-2024-47715-ff4e@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47716", url: "https://lore.kernel.org/linux-cve-announce/2024102120-CVE-2024-47716-72df@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47717", url: "https://lore.kernel.org/linux-cve-announce/2024102120-CVE-2024-47717-f7fc@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47718", url: "https://lore.kernel.org/linux-cve-announce/2024102121-CVE-2024-47718-c7cd@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47719", url: "https://lore.kernel.org/linux-cve-announce/2024102121-CVE-2024-47719-09a2@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47720", url: "https://lore.kernel.org/linux-cve-announce/2024102121-CVE-2024-47720-c007@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-47721", url: "https://lore.kernel.org/linux-cve-announce/2024102122-CVE-2024-47721-cb0a@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49915", url: "https://lore.kernel.org/linux-cve-announce/2024102123-CVE-2024-49915-42ec@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49916", url: "https://lore.kernel.org/linux-cve-announce/2024102123-CVE-2024-49916-3384@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49920", url: "https://lore.kernel.org/linux-cve-announce/2024102124-CVE-2024-49920-038d@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49921", url: "https://lore.kernel.org/linux-cve-announce/2024102124-CVE-2024-49921-621b@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49922", url: "https://lore.kernel.org/linux-cve-announce/2024102124-CVE-2024-49922-5435@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49923", url: "https://lore.kernel.org/linux-cve-announce/2024102124-CVE-2024-49923-3462@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49924", url: "https://lore.kernel.org/linux-cve-announce/2024102124-CVE-2024-49924-93af@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49925", url: "https://lore.kernel.org/linux-cve-announce/2024102124-CVE-2024-49925-b469@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49926", url: "https://lore.kernel.org/linux-cve-announce/2024102125-CVE-2024-49926-f707@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49927", url: "https://lore.kernel.org/linux-cve-announce/2024102125-CVE-2024-49927-86cf@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49928", url: "https://lore.kernel.org/linux-cve-announce/2024102125-CVE-2024-49928-05d6@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49929", url: "https://lore.kernel.org/linux-cve-announce/2024102125-CVE-2024-49929-1031@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49930", url: "https://lore.kernel.org/linux-cve-announce/2024102125-CVE-2024-49930-34e8@gregkh/#u", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50019", url: "https://lore.kernel.org/linux-cve-announce/2024102126-CVE-2024-50019-5896@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50020", url: "https://lore.kernel.org/linux-cve-announce/2024102129-CVE-2024-50020-e41a@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50021", url: "https://lore.kernel.org/linux-cve-announce/2024102129-CVE-2024-50021-d60d@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49956", url: "https://lore.kernel.org/linux-cve-announce/2024102130-CVE-2024-49956-5278@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50029", url: "https://lore.kernel.org/linux-cve-announce/2024102130-CVE-2024-50029-8df2@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49957", url: "https://lore.kernel.org/linux-cve-announce/2024102131-CVE-2024-49957-3302@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49958", url: "https://lore.kernel.org/linux-cve-announce/2024102131-CVE-2024-49958-1bc6@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50030", url: "https://lore.kernel.org/linux-cve-announce/2024102131-CVE-2024-50030-13ae@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50031", url: "https://lore.kernel.org/linux-cve-announce/2024102131-CVE-2024-50031-c158@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50032", url: "https://lore.kernel.org/linux-cve-announce/2024102131-CVE-2024-50032-e7ba@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50033", url: "https://lore.kernel.org/linux-cve-announce/2024102131-CVE-2024-50033-ce5e@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50034", url: "https://lore.kernel.org/linux-cve-announce/2024102131-CVE-2024-50034-46ef@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49965", url: "https://lore.kernel.org/linux-cve-announce/2024102132-CVE-2024-49965-9ed0@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49966", url: "https://lore.kernel.org/linux-cve-announce/2024102132-CVE-2024-49966-2893@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50035", url: "https://lore.kernel.org/linux-cve-announce/2024102132-CVE-2024-50035-82d8@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50036", url: "https://lore.kernel.org/linux-cve-announce/2024102132-CVE-2024-50036-9d91@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50037", url: "https://lore.kernel.org/linux-cve-announce/2024102132-CVE-2024-50037-770e@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50038", url: "https://lore.kernel.org/linux-cve-announce/2024102132-CVE-2024-50038-dc41@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50039", url: "https://lore.kernel.org/linux-cve-announce/2024102132-CVE-2024-50039-41b0@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50040", url: "https://lore.kernel.org/linux-cve-announce/2024102132-CVE-2024-50040-f156@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49967", url: "https://lore.kernel.org/linux-cve-announce/2024102133-CVE-2024-49967-a58a@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49968", url: "https://lore.kernel.org/linux-cve-announce/2024102133-CVE-2024-49968-ce10@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49969", url: "https://lore.kernel.org/linux-cve-announce/2024102133-CVE-2024-49969-cf83@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49970", url: "https://lore.kernel.org/linux-cve-announce/2024102133-CVE-2024-49970-a345@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49971", url: "https://lore.kernel.org/linux-cve-announce/2024102133-CVE-2024-49971-ad07@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50041", url: "https://lore.kernel.org/linux-cve-announce/2024102133-CVE-2024-50041-6118@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-50042", url: "https://lore.kernel.org/linux-cve-announce/2024102133-CVE-2024-50042-ca9e@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49972", url: "https://lore.kernel.org/linux-cve-announce/2024102134-CVE-2024-49972-9c6d@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49973", url: "https://lore.kernel.org/linux-cve-announce/2024102134-CVE-2024-49973-8824@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49974", url: "https://lore.kernel.org/linux-cve-announce/2024102134-CVE-2024-49974-bda6@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49975", url: "https://lore.kernel.org/linux-cve-announce/2024102134-CVE-2024-49975-4533@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49976", url: "https://lore.kernel.org/linux-cve-announce/2024102134-CVE-2024-49976-83a3@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49977", url: "https://lore.kernel.org/linux-cve-announce/2024102135-CVE-2024-49977-b657@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49978", url: "https://lore.kernel.org/linux-cve-announce/2024102135-CVE-2024-49978-2bff@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49979", url: "https://lore.kernel.org/linux-cve-announce/2024102135-CVE-2024-49979-f897@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49980", url: "https://lore.kernel.org/linux-cve-announce/2024102135-CVE-2024-49980-da73@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49981", url: "https://lore.kernel.org/linux-cve-announce/2024102135-CVE-2024-49981-0fb7@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49982", url: "https://lore.kernel.org/linux-cve-announce/2024102136-CVE-2024-49982-c6b7@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49983", url: "https://lore.kernel.org/linux-cve-announce/2024102136-CVE-2024-49983-275e@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2024-49984", url: "https://lore.kernel.org/linux-cve-announce/2024102136-CVE-2024-49984-e47f@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48946", url: "https://lore.kernel.org/linux-cve-announce/2024102138-CVE-2022-48946-5989@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48947", url: "https://lore.kernel.org/linux-cve-announce/2024102140-CVE-2022-48947-0ab5@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48948", url: "https://lore.kernel.org/linux-cve-announce/2024102140-CVE-2022-48948-588a@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48949", url: "https://lore.kernel.org/linux-cve-announce/2024102140-CVE-2022-48949-a7a1@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48950", url: "https://lore.kernel.org/linux-cve-announce/2024102141-CVE-2022-48950-dc5f@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48951", url: "https://lore.kernel.org/linux-cve-announce/2024102141-CVE-2022-48951-da5f@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48952", url: "https://lore.kernel.org/linux-cve-announce/2024102141-CVE-2022-48952-a932@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48953", url: "https://lore.kernel.org/linux-cve-announce/2024102141-CVE-2022-48953-c6c0@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48954", url: "https://lore.kernel.org/linux-cve-announce/2024102141-CVE-2022-48954-30f2@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48955", url: "https://lore.kernel.org/linux-cve-announce/2024102141-CVE-2022-48955-d31e@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48956", url: "https://lore.kernel.org/linux-cve-announce/2024102142-CVE-2022-48956-75c8@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48957", url: "https://lore.kernel.org/linux-cve-announce/2024102142-CVE-2022-48957-8250@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48958", url: "https://lore.kernel.org/linux-cve-announce/2024102142-CVE-2022-48958-bb88@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48959", url: "https://lore.kernel.org/linux-cve-announce/2024102142-CVE-2022-48959-6120@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48960", url: "https://lore.kernel.org/linux-cve-announce/2024102142-CVE-2022-48960-c9af@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48961", url: "https://lore.kernel.org/linux-cve-announce/2024102143-CVE-2022-48961-d44b@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48962", url: "https://lore.kernel.org/linux-cve-announce/2024102143-CVE-2022-48962-1842@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48963", url: "https://lore.kernel.org/linux-cve-announce/2024102143-CVE-2022-48963-9cf2@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48964", url: "https://lore.kernel.org/linux-cve-announce/2024102143-CVE-2022-48964-8230@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48965", url: "https://lore.kernel.org/linux-cve-announce/2024102143-CVE-2022-48965-0039@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48966", url: "https://lore.kernel.org/linux-cve-announce/2024102143-CVE-2022-48966-d8f6@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48967", url: "https://lore.kernel.org/linux-cve-announce/2024102144-CVE-2022-48967-c2ae@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48968", url: "https://lore.kernel.org/linux-cve-announce/2024102144-CVE-2022-48968-9b4a@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48969", url: "https://lore.kernel.org/linux-cve-announce/2024102144-CVE-2022-48969-8fe7@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48970", url: "https://lore.kernel.org/linux-cve-announce/2024102144-CVE-2022-48970-7c96@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48971", url: "https://lore.kernel.org/linux-cve-announce/2024102144-CVE-2022-48971-6025@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48972", url: "https://lore.kernel.org/linux-cve-announce/2024102145-CVE-2022-48972-4ccd@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48973", url: "https://lore.kernel.org/linux-cve-announce/2024102145-CVE-2022-48973-a0e7@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48974", url: "https://lore.kernel.org/linux-cve-announce/2024102145-CVE-2022-48974-d2d0@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48975", url: "https://lore.kernel.org/linux-cve-announce/2024102145-CVE-2022-48975-d7f9@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48976", url: "https://lore.kernel.org/linux-cve-announce/2024102145-CVE-2022-48976-2980@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48977", url: "https://lore.kernel.org/linux-cve-announce/2024102145-CVE-2022-48977-0990@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48978", url: "https://lore.kernel.org/linux-cve-announce/2024102146-CVE-2022-48978-8a19@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48979", url: "https://lore.kernel.org/linux-cve-announce/2024102146-CVE-2022-48979-d40f@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48980", url: "https://lore.kernel.org/linux-cve-announce/2024102146-CVE-2022-48980-0fec@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48981", url: "https://lore.kernel.org/linux-cve-announce/2024102146-CVE-2022-48981-a877@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48982", url: "https://lore.kernel.org/linux-cve-announce/2024102146-CVE-2022-48982-717d@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48984", url: "https://lore.kernel.org/linux-cve-announce/2024102147-CVE-2022-48984-ea9e@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48985", url: "https://lore.kernel.org/linux-cve-announce/2024102147-CVE-2022-48985-40b5@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48986", url: "https://lore.kernel.org/linux-cve-announce/2024102147-CVE-2022-48986-cd7d@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48993", url: "https://lore.kernel.org/linux-cve-announce/2024102149-CVE-2022-48993-8b27@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48994", url: "https://lore.kernel.org/linux-cve-announce/2024102149-CVE-2022-48994-530f@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48995", url: "https://lore.kernel.org/linux-cve-announce/2024102149-CVE-2022-48995-8d2e@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48996", url: "https://lore.kernel.org/linux-cve-announce/2024102149-CVE-2022-48996-e9ca@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48997", url: "https://lore.kernel.org/linux-cve-announce/2024102149-CVE-2022-48997-cd65@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48998", url: "https://lore.kernel.org/linux-cve-announce/2024102149-CVE-2022-48998-1016@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-48999", url: "https://lore.kernel.org/linux-cve-announce/2024102150-CVE-2022-48999-c5fd@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-49000", url: "https://lore.kernel.org/linux-cve-announce/2024102150-CVE-2022-49000-2c9c@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-49001", url: "https://lore.kernel.org/linux-cve-announce/2024102150-CVE-2022-49001-589c@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-49002", url: "https://lore.kernel.org/linux-cve-announce/2024102150-CVE-2022-49002-5b24@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-49003", url: "https://lore.kernel.org/linux-cve-announce/2024102150-CVE-2022-49003-482c@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-49004", url: "https://lore.kernel.org/linux-cve-announce/2024102151-CVE-2022-49004-18ac@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-49005", url: "https://lore.kernel.org/linux-cve-announce/2024102151-CVE-2022-49005-c5ba@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-49006", url: "https://lore.kernel.org/linux-cve-announce/2024102151-CVE-2022-49006-83c9@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-49007", url: "https://lore.kernel.org/linux-cve-announce/2024102151-CVE-2022-49007-c02b@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-49008", url: "https://lore.kernel.org/linux-cve-announce/2024102151-CVE-2022-49008-d62f@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-49009", url: "https://lore.kernel.org/linux-cve-announce/2024102152-CVE-2022-49009-9bee@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-49010", url: "https://lore.kernel.org/linux-cve-announce/2024102152-CVE-2022-49010-f8e1@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-49011", url: "https://lore.kernel.org/linux-cve-announce/2024102152-CVE-2022-49011-069a@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-49012", url: "https://lore.kernel.org/linux-cve-announce/2024102152-CVE-2022-49012-8eb3@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-49013", url: "https://lore.kernel.org/linux-cve-announce/2024102152-CVE-2022-49013-dd61@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-49014", url: "https://lore.kernel.org/linux-cve-announce/2024102153-CVE-2022-49014-1627@gregkh/", }, { category: "external", summary: "Linux Kernel CVE Announcement CVE-2022-49015", url: "https://lore.kernel.org/linux-cve-announce/2024102153-CVE-2022-49015-1fd0@gregkh/", }, { category: "external", summary: "Ubuntu Security Notice USN-7088-1 vom 2024-10-31", url: "https://ubuntu.com/security/notices/USN-7088-1", }, { category: "external", summary: "Ubuntu Security Notice USN-7088-2 vom 2024-11-04", url: "https://ubuntu.com/security/notices/USN-7088-2", }, { category: "external", summary: "Ubuntu Security Notice USN-7088-3 vom 2024-11-06", url: "https://ubuntu.com/security/notices/USN-7088-3", }, { category: "external", summary: "Ubuntu Security Notice USN-7100-1 vom 2024-11-11", url: "https://ubuntu.com/security/notices/USN-7100-1", }, { category: "external", summary: "Oracle Linux Security Advisory ELSA-2024-12813 vom 2024-11-13", url: "https://linux.oracle.com/errata/ELSA-2024-12813.html", }, { category: "external", summary: "Ubuntu Security Notice USN-7100-2 vom 2024-11-12", url: "https://ubuntu.com/security/notices/USN-7100-2", }, { category: "external", summary: "Oracle Linux Security Advisory ELSA-2024-12815 vom 2024-11-13", url: "https://linux.oracle.com/errata/ELSA-2024-12815.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3986-1 vom 2024-11-13", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/CIC23R3UQSPF2K4P2CX54TPCX5T7KWQG/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3985-1 vom 2024-11-13", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/KB6DG7QR5KXDQRV57H4IY2TB2LW42K4S/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3983-1 vom 2024-11-13", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/QUOFKELDJYP3JMHIXPCVKVI4REVXAKTX/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3984-1 vom 2024-11-13", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/L52VEDNTEHWEPR56WZN4KZNMEUYGCJX6/", }, { category: "external", summary: "Ubuntu Security Notice USN-7088-5 vom 2024-11-14", url: "https://ubuntu.com/security/notices/USN-7088-5", }, { category: "external", summary: "openSUSE Security Update OPENSUSE-SU-2024:14500-1 vom 2024-11-16", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2NO44GTYBSPPWKFDREFWHITK4XKTNVLP/", }, { category: "external", summary: "Ubuntu Security Notice USN-7119-1 vom 2024-11-20", url: "https://ubuntu.com/security/notices/USN-7119-1", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4038-1 vom 2024-11-19", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-November/019838.html", }, { category: "external", summary: "Ubuntu Security Notice USN-7123-1 vom 2024-11-20", url: "https://ubuntu.com/security/notices/USN-7123-1", }, { category: "external", summary: "Debian Security Advisory DSA-5818 vom 2024-11-24", url: "https://lists.debian.org/debian-security-announce/2024/msg00233.html", }, { category: "external", summary: "Google Container-Optimized OS Release Notes vom 2024-11-18", url: "https://cloud.google.com/container-optimized-os/docs/release-notes#November_18_2024", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4081-1 vom 2024-11-27", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-November/019852.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4082-1 vom 2024-11-27", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-November/019851.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4103-1 vom 2024-11-28", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-November/019863.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4100-1 vom 2024-11-28", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-November/019864.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4140-1 vom 2024-12-02", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-December/019890.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4131-1 vom 2024-12-02", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-December/019887.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4157-1 vom 2024-12-03", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-December/019904.html", }, { category: "external", summary: "Oracle Linux Security Advisory ELSA-2024-12868 vom 2024-12-09", url: "https://linux.oracle.com/errata/ELSA-2024-12868.html", }, { category: "external", summary: "Ubuntu Security Notice USN-7144-1 vom 2024-12-09", url: "https://ubuntu.com/security/notices/USN-7144-1", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:10942 vom 2024-12-11", url: "https://access.redhat.com/errata/RHSA-2024:10942", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:10939 vom 2024-12-11", url: "https://access.redhat.com/errata/RHSA-2024:10939", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:10943 vom 2024-12-11", url: "https://access.redhat.com/errata/RHSA-2024:10943", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:10944 vom 2024-12-11", url: "https://access.redhat.com/errata/RHSA-2024:10944", }, { category: "external", summary: "Oracle Linux Security Advisory ELSA-2024-10939 vom 2024-12-12", url: "https://linux.oracle.com/errata/ELSA-2024-10939.html", }, { category: "external", summary: "Oracle Linux Security Advisory ELSA-2024-10943 vom 2024-12-12", url: "https://linux.oracle.com/errata/ELSA-2024-10943.html", }, { category: "external", summary: "Ubuntu Security Notice USN-7154-1 vom 2024-12-12", url: "https://ubuntu.com/security/notices/USN-7154-1", }, { category: "external", summary: "Ubuntu Security Notice USN-7155-1 vom 2024-12-12", url: "https://ubuntu.com/security/notices/USN-7155-1", }, { category: "external", summary: "Ubuntu Security Notice USN-7156-1 vom 2024-12-12", url: "https://ubuntu.com/security/notices/USN-7156-1", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4317-1 vom 2024-12-13", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-December/020000.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4316-1 vom 2024-12-13", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/S4I5Z6ALCJLHTP25U3HMJHEXN4DR2USM/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4318-1 vom 2024-12-13", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-December/019999.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4314-1 vom 2024-12-13", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/SARXL66CQHD5VSFG5PUBNBVBPVFUN4KT/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4315-1 vom 2024-12-13", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/LQPWDP54GSTHYCV4CTCOE67D2ANVPPUW/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4313-1 vom 2024-12-13", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/PCO2TL4OCZ4YUXTF7OMLI6WH3WKDUC2G/", }, { category: "external", summary: "Oracle Linux Security Advisory ELSA-2024-12884 vom 2024-12-17", url: "https://linux.oracle.com/errata/ELSA-2024-12884.html", }, { category: "external", summary: "Ubuntu Security Notice USN-7170-1 vom 2024-12-17", url: "https://ubuntu.com/security/notices/USN-7170-1", }, { category: "external", summary: "Ubuntu Security Notice USN-7173-1 vom 2024-12-17", url: "https://ubuntu.com/security/notices/USN-7173-1", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4367-1 vom 2024-12-17", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-December/020025.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4345-1 vom 2024-12-17", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-December/020018.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4346-1 vom 2024-12-17", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/2FJJW5HEWYSYWAJBRWARBIZ4AQHAXLNG/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4364-1 vom 2024-12-17", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-December/020019.html", }, { category: "external", summary: "Ubuntu Security Notice USN-7169-1 vom 2024-12-17", url: "https://ubuntu.com/security/notices/USN-7169-1", }, { category: "external", summary: "Ubuntu Security Notice USN-7167-1 vom 2024-12-17", url: "https://ubuntu.com/security/notices/USN-7167-1", }, { category: "external", summary: "Ubuntu Security Notice USN-7166-1 vom 2024-12-17", url: "https://ubuntu.com/security/notices/USN-7166-1", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4376-1 vom 2024-12-18", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/WFOJHFFEHK42VPQ6XLZWB77H5OEJ3FF4/", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:11486 vom 2024-12-19", url: "https://access.redhat.com/errata/RHSA-2024:11486", }, { category: "external", summary: "Oracle Linux Security Advisory ELSA-2024-12887 vom 2024-12-18", url: "https://linux.oracle.com/errata/ELSA-2024-12887.html", }, { category: "external", summary: "Rocky Linux Security Advisory RLSA-2024:10944 vom 2024-12-19", url: "https://errata.build.resf.org/RLSA-2024:10944", }, { category: "external", summary: "Ubuntu Security Notice USN-7169-2 vom 2024-12-18", url: "https://ubuntu.com/security/notices/USN-7169-2", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4387-1 vom 2024-12-19", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-December/020032.html", }, { category: "external", summary: "Amazon Linux Security Advisory ALASKERNEL-5.10-2024-074 vom 2024-12-19", url: "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2024-074.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4388-1 vom 2024-12-19", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-December/020034.html", }, { category: "external", summary: "Amazon Linux Security Advisory ALASKERNEL-5.15-2024-059 vom 2024-12-19", url: "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.15-2024-059.html", }, { category: "external", summary: "Amazon Linux Security Advisory ALASKERNEL-5.4-2024-088 vom 2024-12-19", url: "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.4-2024-088.html", }, { category: "external", summary: "Ubuntu Security Notice USN-7166-3 vom 2024-12-20", url: "https://ubuntu.com/security/notices/USN-7166-3", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:4397-1 vom 2024-12-20", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-December/020041.html", }, { category: "external", summary: "Ubuntu Security Notice USN-7173-2 vom 2024-12-20", url: "https://ubuntu.com/security/notices/USN-7173-2", }, { category: "external", summary: "Debian Security Advisory DLA-4008 vom 2025-01-03", url: "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html", }, { category: "external", summary: "Oracle Linux Security Advisory ELSA-2024-11486 vom 2025-01-07", url: "https://linux.oracle.com/errata/ELSA-2024-11486.html", }, { category: "external", summary: "Ubuntu Security Notice USN-7154-2 vom 2025-01-06", url: "https://ubuntu.com/security/notices/USN-7154-2", }, { category: "external", summary: "Ubuntu Security Notice USN-7184-1 vom 2025-01-06", url: "https://ubuntu.com/security/notices/USN-7184-1", }, { category: "external", summary: "Ubuntu Security Notice USN-7187-1 vom 2025-01-06", url: "https://ubuntu.com/security/notices/USN-7187-1", }, { category: "external", summary: "Ubuntu Security Notice USN-7186-1 vom 2025-01-06", url: "https://ubuntu.com/security/notices/USN-7186-1", }, { category: "external", summary: "Ubuntu Security Notice USN-7183-1 vom 2025-01-06", url: "https://ubuntu.com/security/notices/USN-7183-1", }, { category: "external", summary: "Ubuntu Security Notice USN-7169-3 vom 2025-01-07", url: "https://ubuntu.com/security/notices/USN-7169-3", }, { category: "external", summary: "Ubuntu Security Notice USN-7167-2 vom 2025-01-07", url: "https://ubuntu.com/security/notices/USN-7167-2", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0034-1 vom 2025-01-08", url: "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020071.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0035-1 vom 2025-01-08", url: "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020070.html", }, { category: "external", summary: "Ubuntu Security Notice USN-7169-4 vom 2025-01-09", url: "https://ubuntu.com/security/notices/USN-7169-4", }, { category: "external", summary: "Ubuntu Security Notice USN-7185-2 vom 2025-01-09", url: "https://ubuntu.com/security/notices/USN-7185-2", }, { category: "external", summary: "Ubuntu Security Notice USN-7196-1 vom 2025-01-09", url: "https://ubuntu.com/security/notices/USN-7196-1", }, { category: "external", summary: "Ubuntu Security Notice USN-7195-1 vom 2025-01-09", url: "https://ubuntu.com/security/notices/USN-7195-1", }, { category: "external", summary: "Ubuntu Security Notice USN-7194-1 vom 2025-01-09", url: "https://ubuntu.com/security/notices/USN-7194-1", }, { category: "external", summary: "Ubuntu Security Notice USN-7186-2 vom 2025-01-09", url: "https://ubuntu.com/security/notices/USN-7186-2", }, { category: "external", summary: "Ubuntu Security Notice USN-7169-5 vom 2025-01-10", url: "https://ubuntu.com/security/notices/USN-7169-5", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0091-1 vom 2025-01-14", url: "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020100.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0089-1 vom 2025-01-14", url: "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020102.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0090-1 vom 2025-01-14", url: "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020101.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0101-1 vom 2025-01-14", url: "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020116.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0109-1 vom 2025-01-14", url: "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020110.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0106-1 vom 2025-01-14", url: "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020113.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0107-1 vom 2025-01-14", url: "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020112.html", }, { category: "external", summary: "Ubuntu Security Notice USN-7195-2 vom 2025-01-14", url: "https://ubuntu.com/security/notices/USN-7195-2", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0094-1 vom 2025-01-14", url: "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020108.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0097-1 vom 2025-01-14", url: "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020107.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0105-1 vom 2025-01-14", url: "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020114.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0098-1 vom 2025-01-14", url: "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020106.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0100-1 vom 2025-01-14", url: "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020117.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0103-1 vom 2025-01-14", url: "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020115.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0108-1 vom 2025-01-14", url: "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020111.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0111-1 vom 2025-01-15", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/2IXCN5JTEUUWORLKQVOQYQKMHTJ73CSG/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0115-1 vom 2025-01-15", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/VK2D63Q2FKHJWXOLVAS7HPIWURVL3MQQ/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0114-1 vom 2025-01-15", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/YC7MKFCHLBJHUQM2SLPOGVG4DUWP2J4E/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0112-1 vom 2025-01-15", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/VKNKHAJX3LTXNPTXUJXVJL67P2P7Z7YO/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0110-1 vom 2025-01-15", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/PLWCG227VUGPKNXHW6FOCW727UUPVLLU/", }, { category: "external", summary: "Ubuntu Security Notice USN-7173-3 vom 2025-01-15", url: "https://ubuntu.com/security/notices/USN-7173-3", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0124-1 vom 2025-01-15", url: "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020125.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0132-1 vom 2025-01-15", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/U2TCRAW6MN33ZU3TBEQGGYRWFSJ6BPOU/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0131-1 vom 2025-01-15", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/NVEFJ5TKVGVJIR3Y7Y6XQIAGC5P5TTK7/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0123-1 vom 2025-01-15", url: "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020126.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0117-1 vom 2025-01-15", url: "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020131.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0136-1 vom 2025-01-16", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/2VG6PE7ZMNWIM7E4TIKCXL4DVBGBXJN5/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0150-1 vom 2025-01-16", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/USHZQFRYGMLVCVQRQLPH4FARDBDAEC6G/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0137-1 vom 2025-01-16", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/YHBMZ4MND2ONRG4N26VJNJGAZBXMYEDV/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0138-1 vom 2025-01-16", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/ET3TDUWYDTZV554NRC7LB5HGM4TCIIGZ/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0146-1 vom 2025-01-16", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/C6ANXHEO54VUUFEWI6QYB2M3L2SS7OOW/", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0153-1 vom 2025-01-17", url: "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020150.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0158-1 vom 2025-01-17", url: "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020154.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0172-1 vom 2025-01-17", url: "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020164.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0177-1 vom 2025-01-17", url: "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020162.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0164-1 vom 2025-01-17", url: "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020153.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0154-1 vom 2025-01-17", url: "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020151.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0185-1 vom 2025-01-20", url: "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020171.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0180-1 vom 2025-01-20", url: "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020174.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2025:0181-1 vom 2025-01-20", url: "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020173.html", }, ], source_lang: "en-US", title: "Linux Kernel: Mehrere Schwachstellen ermöglichen Denial of Service", tracking: { current_release_date: "2025-01-20T23:00:00.000+00:00", generator: { date: "2025-01-21T09:09:35.277+00:00", engine: { name: "BSI-WID", version: "1.3.10", }, }, id: "WID-SEC-W-2024-3251", initial_release_date: "2024-10-21T22:00:00.000+00:00", revision_history: [ { date: "2024-10-21T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, { date: "2024-10-31T23:00:00.000+00:00", number: "2", summary: "Neue Updates von Ubuntu aufgenommen", }, { date: "2024-11-04T23:00:00.000+00:00", number: "3", summary: "Neue Updates von Ubuntu aufgenommen", }, { date: "2024-11-05T23:00:00.000+00:00", number: "4", summary: "Neue Updates von Ubuntu aufgenommen", }, { date: "2024-11-11T23:00:00.000+00:00", number: "5", summary: "Neue Updates von Ubuntu aufgenommen", }, { date: "2024-11-12T23:00:00.000+00:00", number: "6", summary: "Neue Updates von Oracle Linux und Ubuntu aufgenommen", }, { date: "2024-11-13T23:00:00.000+00:00", number: "7", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2024-11-14T23:00:00.000+00:00", number: "8", summary: "Neue Updates von Ubuntu aufgenommen", }, { date: "2024-11-17T23:00:00.000+00:00", number: "9", summary: "Neue Updates von openSUSE aufgenommen", }, { date: "2024-11-19T23:00:00.000+00:00", number: "10", summary: "Neue Updates von Ubuntu und SUSE aufgenommen", }, { date: "2024-11-20T23:00:00.000+00:00", number: "11", summary: "Neue Updates von Ubuntu aufgenommen", }, { date: "2024-11-24T23:00:00.000+00:00", number: "12", summary: "Neue Updates von Debian aufgenommen", }, { date: "2024-11-25T23:00:00.000+00:00", number: "13", summary: "Neue Updates aufgenommen", }, { date: "2024-11-27T23:00:00.000+00:00", number: "14", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2024-11-28T23:00:00.000+00:00", number: "15", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2024-12-02T23:00:00.000+00:00", number: "16", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2024-12-03T23:00:00.000+00:00", number: "17", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2024-12-09T23:00:00.000+00:00", number: "18", summary: "Neue Updates von Oracle Linux und Ubuntu aufgenommen", }, { date: "2024-12-10T23:00:00.000+00:00", number: "19", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2024-12-11T23:00:00.000+00:00", number: "20", summary: "Neue Updates von Oracle Linux aufgenommen", }, { date: "2024-12-12T23:00:00.000+00:00", number: "21", summary: "Neue Updates von Oracle Linux und Ubuntu aufgenommen", }, { date: "2024-12-15T23:00:00.000+00:00", number: "22", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2024-12-16T23:00:00.000+00:00", number: "23", summary: "Neue Updates von Oracle Linux aufgenommen", }, { date: "2024-12-17T23:00:00.000+00:00", number: "24", summary: "Neue Updates von Ubuntu und SUSE aufgenommen", }, { date: "2024-12-18T23:00:00.000+00:00", number: "25", summary: "Neue Updates von SUSE, Red Hat und Oracle Linux aufgenommen", }, { date: "2024-12-19T23:00:00.000+00:00", number: "26", summary: "Neue Updates von SUSE und Amazon aufgenommen", }, { date: "2024-12-22T23:00:00.000+00:00", number: "27", summary: "Neue Updates von Ubuntu und SUSE aufgenommen", }, { date: "2025-01-02T23:00:00.000+00:00", number: "28", summary: "Neue Updates von Debian aufgenommen", }, { date: "2025-01-06T23:00:00.000+00:00", number: "29", summary: "Neue Updates von Oracle Linux und Ubuntu aufgenommen", }, { date: "2025-01-07T23:00:00.000+00:00", number: "30", summary: "Neue Updates von Ubuntu aufgenommen", }, { date: "2025-01-08T23:00:00.000+00:00", number: "31", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2025-01-09T23:00:00.000+00:00", number: "32", summary: "Neue Updates von Ubuntu aufgenommen", }, { date: "2025-01-12T23:00:00.000+00:00", number: "33", summary: "Neue Updates von Ubuntu aufgenommen", }, { date: "2025-01-13T23:00:00.000+00:00", number: "34", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2025-01-14T23:00:00.000+00:00", number: "35", summary: "Neue Updates von SUSE und Ubuntu aufgenommen", }, { date: "2025-01-15T23:00:00.000+00:00", number: "36", summary: "Neue Updates von Ubuntu und SUSE aufgenommen", }, { date: "2025-01-16T23:00:00.000+00:00", number: "37", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2025-01-19T23:00:00.000+00:00", number: "38", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2025-01-20T23:00:00.000+00:00", number: "39", summary: "Neue Updates von SUSE aufgenommen", }, ], status: "final", version: "39", }, }, product_tree: { branches: [ { branches: [ { category: "product_name", name: "Amazon Linux 2", product: { name: "Amazon Linux 2", product_id: "398363", product_identification_helper: { cpe: "cpe:/o:amazon:linux_2:-", }, }, }, ], category: "vendor", name: "Amazon", }, { branches: [ { category: "product_name", name: "Debian Linux", product: { name: "Debian Linux", product_id: "2951", product_identification_helper: { cpe: "cpe:/o:debian:debian_linux:-", }, }, }, ], category: "vendor", name: "Debian", }, { branches: [ { category: "product_name", name: "Google Container-Optimized OS", product: { name: "Google Container-Optimized OS", product_id: "1607324", product_identification_helper: { cpe: "cpe:/o:google:container-optimized_os:-", }, }, }, ], category: "vendor", name: "Google", }, { branches: [ { category: "product_name", name: "Open Source Linux Kernel", product: { name: "Open Source Linux Kernel", product_id: "T008144", product_identification_helper: { cpe: "cpe:/a:linux:linux_kernel:-", }, }, }, ], category: "vendor", name: "Open Source", }, { branches: [ { category: "product_name", name: "Oracle Linux", product: { name: "Oracle Linux", product_id: "T004914", product_identification_helper: { cpe: "cpe:/o:oracle:linux:-", }, }, }, ], category: "vendor", name: "Oracle", }, { branches: [ { category: "product_name", name: "RESF Rocky Linux", product: { name: "RESF Rocky Linux", product_id: "T032255", product_identification_helper: { cpe: "cpe:/o:resf:rocky_linux:-", }, }, }, ], category: "vendor", name: "RESF", }, { branches: [ { category: "product_name", name: "Red Hat Enterprise Linux", product: { name: "Red Hat Enterprise Linux", product_id: "67646", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:-", }, }, }, ], category: "vendor", name: "Red Hat", }, { branches: [ { category: "product_name", name: "SUSE Linux", product: { name: "SUSE Linux", product_id: "T002207", product_identification_helper: { cpe: "cpe:/o:suse:suse_linux:-", }, }, }, { category: "product_name", name: "SUSE openSUSE", product: { name: "SUSE openSUSE", product_id: "T027843", product_identification_helper: { cpe: "cpe:/o:suse:opensuse:-", }, }, }, ], category: "vendor", name: "SUSE", }, { branches: [ { category: "product_name", name: "Ubuntu Linux", product: { name: "Ubuntu Linux", product_id: "T000126", product_identification_helper: { cpe: "cpe:/o:canonical:ubuntu_linux:-", }, }, }, ], category: "vendor", name: "Ubuntu", }, ], }, vulnerabilities: [ { cve: "CVE-2016-10044", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2016-10044", }, { cve: "CVE-2022-48946", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-48946", }, { cve: "CVE-2022-48947", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-48947", }, { cve: "CVE-2022-48948", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-48948", }, { cve: "CVE-2022-48949", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-48949", }, { cve: "CVE-2022-48950", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-48950", }, { cve: "CVE-2022-48951", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-48951", }, { cve: "CVE-2022-48952", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-48952", }, { cve: "CVE-2022-48953", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-48953", }, { cve: "CVE-2022-48954", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-48954", }, { cve: "CVE-2022-48955", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-48955", }, { cve: "CVE-2022-48956", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-48956", }, { cve: "CVE-2022-48957", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-48957", }, { cve: "CVE-2022-48958", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-48958", }, { cve: "CVE-2022-48959", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-48959", }, { cve: "CVE-2022-48960", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-48960", }, { cve: "CVE-2022-48961", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-48961", }, { cve: "CVE-2022-48962", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-48962", }, { cve: "CVE-2022-48963", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-48963", }, { cve: "CVE-2022-48964", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-48964", }, { cve: "CVE-2022-48965", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-48965", }, { cve: "CVE-2022-48966", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-48966", }, { cve: "CVE-2022-48967", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-48967", }, { cve: "CVE-2022-48968", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-48968", }, { cve: "CVE-2022-48969", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-48969", }, { cve: "CVE-2022-48970", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-48970", }, { cve: "CVE-2022-48971", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-48971", }, { cve: "CVE-2022-48972", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-48972", }, { cve: "CVE-2022-48973", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-48973", }, { cve: "CVE-2022-48974", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-48974", }, { cve: "CVE-2022-48975", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-48975", }, { cve: "CVE-2022-48976", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-48976", }, { cve: "CVE-2022-48977", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-48977", }, { cve: "CVE-2022-48978", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-48978", }, { cve: "CVE-2022-48979", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-48979", }, { cve: "CVE-2022-48980", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-48980", }, { cve: "CVE-2022-48981", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-48981", }, { cve: "CVE-2022-48982", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-48982", }, { cve: "CVE-2022-48983", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-48983", }, { cve: "CVE-2022-48984", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-48984", }, { cve: "CVE-2022-48985", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-48985", }, { cve: "CVE-2022-48986", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-48986", }, { cve: "CVE-2022-48987", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-48987", }, { cve: "CVE-2022-48988", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-48988", }, { cve: "CVE-2022-48989", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-48989", }, { cve: "CVE-2022-48990", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-48990", }, { cve: "CVE-2022-48991", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-48991", }, { cve: "CVE-2022-48992", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-48992", }, { cve: "CVE-2022-48993", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-48993", }, { cve: "CVE-2022-48994", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-48994", }, { cve: "CVE-2022-48995", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-48995", }, { cve: "CVE-2022-48996", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-48996", }, { cve: "CVE-2022-48997", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-48997", }, { cve: "CVE-2022-48998", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-48998", }, { cve: "CVE-2022-48999", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-48999", }, { cve: "CVE-2022-49000", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-49000", }, { cve: "CVE-2022-49001", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-49001", }, { cve: "CVE-2022-49002", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-49002", }, { cve: "CVE-2022-49003", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-49003", }, { cve: "CVE-2022-49004", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-49004", }, { cve: "CVE-2022-49005", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-49005", }, { cve: "CVE-2022-49006", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-49006", }, { cve: "CVE-2022-49007", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-49007", }, { cve: "CVE-2022-49008", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-49008", }, { cve: "CVE-2022-49009", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-49009", }, { cve: "CVE-2022-49010", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-49010", }, { cve: "CVE-2022-49011", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-49011", }, { cve: "CVE-2022-49012", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-49012", }, { cve: "CVE-2022-49013", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-49013", }, { cve: "CVE-2022-49014", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-49014", }, { cve: "CVE-2022-49015", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-49015", }, { cve: "CVE-2022-49016", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-49016", }, { cve: "CVE-2022-49017", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-49017", }, { cve: "CVE-2022-49018", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-49018", }, { cve: "CVE-2022-49019", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-49019", }, { cve: "CVE-2022-49020", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-49020", }, { cve: "CVE-2022-49021", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-49021", }, { cve: "CVE-2022-49022", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-49022", }, { cve: "CVE-2022-49023", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-49023", }, { cve: "CVE-2022-49024", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-49024", }, { cve: "CVE-2022-49025", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-49025", }, { cve: "CVE-2022-49026", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-49026", }, { cve: "CVE-2022-49027", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-49027", }, { cve: "CVE-2022-49028", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-49028", }, { cve: "CVE-2022-49029", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-49029", }, { cve: "CVE-2022-49030", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-49030", }, { cve: "CVE-2022-49031", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-49031", }, { cve: "CVE-2022-49032", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-49032", }, { cve: "CVE-2022-49033", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2022-49033", }, { cve: "CVE-2023-52917", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2023-52917", }, { cve: "CVE-2023-52918", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2023-52918", }, { cve: "CVE-2023-52919", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2023-52919", }, { cve: "CVE-2023-6270", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2023-6270", }, { cve: "CVE-2024-47675", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47675", }, { cve: "CVE-2024-47676", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47676", }, { cve: "CVE-2024-47677", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47677", }, { cve: "CVE-2024-47678", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47678", }, { cve: "CVE-2024-47679", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47679", }, { cve: "CVE-2024-47680", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47680", }, { cve: "CVE-2024-47681", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47681", }, { cve: "CVE-2024-47682", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47682", }, { cve: "CVE-2024-47683", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47683", }, { cve: "CVE-2024-47684", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47684", }, { cve: "CVE-2024-47685", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47685", }, { cve: "CVE-2024-47686", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47686", }, { cve: "CVE-2024-47687", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47687", }, { cve: "CVE-2024-47688", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47688", }, { cve: "CVE-2024-47689", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47689", }, { cve: "CVE-2024-47690", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47690", }, { cve: "CVE-2024-47691", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47691", }, { cve: "CVE-2024-47692", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47692", }, { cve: "CVE-2024-47693", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47693", }, { cve: "CVE-2024-47694", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47694", }, { cve: "CVE-2024-47695", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47695", }, { cve: "CVE-2024-47696", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47696", }, { cve: "CVE-2024-47697", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47697", }, { cve: "CVE-2024-47698", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47698", }, { cve: "CVE-2024-47699", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47699", }, { cve: "CVE-2024-47700", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47700", }, { cve: "CVE-2024-47701", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47701", }, { cve: "CVE-2024-47702", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47702", }, { cve: "CVE-2024-47703", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47703", }, { cve: "CVE-2024-47704", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47704", }, { cve: "CVE-2024-47705", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47705", }, { cve: "CVE-2024-47706", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47706", }, { cve: "CVE-2024-47707", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47707", }, { cve: "CVE-2024-47708", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47708", }, { cve: "CVE-2024-47709", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47709", }, { cve: "CVE-2024-47710", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47710", }, { cve: "CVE-2024-47711", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47711", }, { cve: "CVE-2024-47712", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47712", }, { cve: "CVE-2024-47713", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47713", }, { cve: "CVE-2024-47714", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47714", }, { cve: "CVE-2024-47715", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47715", }, { cve: "CVE-2024-47716", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47716", }, { cve: "CVE-2024-47717", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47717", }, { cve: "CVE-2024-47718", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47718", }, { cve: "CVE-2024-47719", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47719", }, { cve: "CVE-2024-47720", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47720", }, { cve: "CVE-2024-47721", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47721", }, { cve: "CVE-2024-47722", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47722", }, { cve: "CVE-2024-47723", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47723", }, { cve: "CVE-2024-47724", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47724", }, { cve: "CVE-2024-47725", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47725", }, { cve: "CVE-2024-47726", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47726", }, { cve: "CVE-2024-47727", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47727", }, { cve: "CVE-2024-47728", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47728", }, { cve: "CVE-2024-47729", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47729", }, { cve: "CVE-2024-47730", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47730", }, { cve: "CVE-2024-47731", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47731", }, { cve: "CVE-2024-47732", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47732", }, { cve: "CVE-2024-47733", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47733", }, { cve: "CVE-2024-47734", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47734", }, { cve: "CVE-2024-47735", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47735", }, { cve: "CVE-2024-47736", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47736", }, { cve: "CVE-2024-47737", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47737", }, { cve: "CVE-2024-47738", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47738", }, { cve: "CVE-2024-47739", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47739", }, { cve: "CVE-2024-47740", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47740", }, { cve: "CVE-2024-47741", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47741", }, { cve: "CVE-2024-47742", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47742", }, { cve: "CVE-2024-47743", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47743", }, { cve: "CVE-2024-47744", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47744", }, { cve: "CVE-2024-47745", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47745", }, { cve: "CVE-2024-47746", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47746", }, { cve: "CVE-2024-47747", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47747", }, { cve: "CVE-2024-47748", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47748", }, { cve: "CVE-2024-47749", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47749", }, { cve: "CVE-2024-47750", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47750", }, { cve: "CVE-2024-47751", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47751", }, { cve: "CVE-2024-47752", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47752", }, { cve: "CVE-2024-47753", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47753", }, { cve: "CVE-2024-47754", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47754", }, { cve: "CVE-2024-47755", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47755", }, { cve: "CVE-2024-47756", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47756", }, { cve: "CVE-2024-47757", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-47757", }, { cve: "CVE-2024-49850", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49850", }, { cve: "CVE-2024-49851", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49851", }, { cve: "CVE-2024-49852", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49852", }, { cve: "CVE-2024-49853", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49853", }, { cve: "CVE-2024-49854", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49854", }, { cve: "CVE-2024-49855", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49855", }, { cve: "CVE-2024-49856", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49856", }, { cve: "CVE-2024-49857", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49857", }, { cve: "CVE-2024-49858", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49858", }, { cve: "CVE-2024-49859", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49859", }, { cve: "CVE-2024-49860", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49860", }, { cve: "CVE-2024-49861", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49861", }, { cve: "CVE-2024-49862", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49862", }, { cve: "CVE-2024-49863", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49863", }, { cve: "CVE-2024-49864", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49864", }, { cve: "CVE-2024-49865", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49865", }, { cve: "CVE-2024-49866", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49866", }, { cve: "CVE-2024-49867", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49867", }, { cve: "CVE-2024-49868", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49868", }, { cve: "CVE-2024-49869", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49869", }, { cve: "CVE-2024-49870", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49870", }, { cve: "CVE-2024-49871", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49871", }, { cve: "CVE-2024-49872", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49872", }, { cve: "CVE-2024-49873", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49873", }, { cve: "CVE-2024-49874", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49874", }, { cve: "CVE-2024-49875", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49875", }, { cve: "CVE-2024-49876", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49876", }, { cve: "CVE-2024-49877", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49877", }, { cve: "CVE-2024-49878", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49878", }, { cve: "CVE-2024-49879", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49879", }, { cve: "CVE-2024-49880", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49880", }, { cve: "CVE-2024-49881", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49881", }, { cve: "CVE-2024-49882", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49882", }, { cve: "CVE-2024-49883", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49883", }, { cve: "CVE-2024-49884", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49884", }, { cve: "CVE-2024-49885", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49885", }, { cve: "CVE-2024-49886", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49886", }, { cve: "CVE-2024-49887", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49887", }, { cve: "CVE-2024-49888", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49888", }, { cve: "CVE-2024-49889", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49889", }, { cve: "CVE-2024-49890", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49890", }, { cve: "CVE-2024-49891", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49891", }, { cve: "CVE-2024-49892", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49892", }, { cve: "CVE-2024-49893", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49893", }, { cve: "CVE-2024-49894", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49894", }, { cve: "CVE-2024-49895", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49895", }, { cve: "CVE-2024-49896", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49896", }, { cve: "CVE-2024-49897", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49897", }, { cve: "CVE-2024-49898", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49898", }, { cve: "CVE-2024-49899", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49899", }, { cve: "CVE-2024-49900", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49900", }, { cve: "CVE-2024-49901", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49901", }, { cve: "CVE-2024-49902", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49902", }, { cve: "CVE-2024-49903", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49903", }, { cve: "CVE-2024-49905", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49905", }, { cve: "CVE-2024-49906", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49906", }, { cve: "CVE-2024-49907", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49907", }, { cve: "CVE-2024-49908", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49908", }, { cve: "CVE-2024-49909", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49909", }, { cve: "CVE-2024-49911", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49911", }, { cve: "CVE-2024-49912", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49912", }, { cve: "CVE-2024-49913", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49913", }, { cve: "CVE-2024-49914", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49914", }, { cve: "CVE-2024-49915", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49915", }, { cve: "CVE-2024-49916", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49916", }, { cve: "CVE-2024-49917", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49917", }, { cve: "CVE-2024-49918", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49918", }, { cve: "CVE-2024-49919", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49919", }, { cve: "CVE-2024-49920", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49920", }, { cve: "CVE-2024-49921", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49921", }, { cve: "CVE-2024-49922", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49922", }, { cve: "CVE-2024-49923", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49923", }, { cve: "CVE-2024-49924", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49924", }, { cve: "CVE-2024-49925", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49925", }, { cve: "CVE-2024-49926", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49926", }, { cve: "CVE-2024-49927", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49927", }, { cve: "CVE-2024-49928", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49928", }, { cve: "CVE-2024-49929", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49929", }, { cve: "CVE-2024-49930", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49930", }, { cve: "CVE-2024-49931", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49931", }, { cve: "CVE-2024-49932", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49932", }, { cve: "CVE-2024-49933", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49933", }, { cve: "CVE-2024-49934", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49934", }, { cve: "CVE-2024-49935", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49935", }, { cve: "CVE-2024-49936", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49936", }, { cve: "CVE-2024-49937", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49937", }, { cve: "CVE-2024-49938", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49938", }, { cve: "CVE-2024-49939", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49939", }, { cve: "CVE-2024-49940", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49940", }, { cve: "CVE-2024-49941", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49941", }, { cve: "CVE-2024-49942", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49942", }, { cve: "CVE-2024-49943", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49943", }, { cve: "CVE-2024-49944", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49944", }, { cve: "CVE-2024-49945", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49945", }, { cve: "CVE-2024-49946", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49946", }, { cve: "CVE-2024-49947", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49947", }, { cve: "CVE-2024-49948", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49948", }, { cve: "CVE-2024-49949", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49949", }, { cve: "CVE-2024-49950", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49950", }, { cve: "CVE-2024-49951", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49951", }, { cve: "CVE-2024-49952", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49952", }, { cve: "CVE-2024-49953", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49953", }, { cve: "CVE-2024-49954", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49954", }, { cve: "CVE-2024-49955", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49955", }, { cve: "CVE-2024-49956", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49956", }, { cve: "CVE-2024-49957", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49957", }, { cve: "CVE-2024-49958", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49958", }, { cve: "CVE-2024-49959", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49959", }, { cve: "CVE-2024-49960", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49960", }, { cve: "CVE-2024-49961", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49961", }, { cve: "CVE-2024-49962", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49962", }, { cve: "CVE-2024-49963", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49963", }, { cve: "CVE-2024-49964", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49964", }, { cve: "CVE-2024-49965", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49965", }, { cve: "CVE-2024-49966", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49966", }, { cve: "CVE-2024-49967", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49967", }, { cve: "CVE-2024-49968", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49968", }, { cve: "CVE-2024-49969", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49969", }, { cve: "CVE-2024-49970", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49970", }, { cve: "CVE-2024-49971", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49971", }, { cve: "CVE-2024-49972", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49972", }, { cve: "CVE-2024-49973", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49973", }, { cve: "CVE-2024-49974", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49974", }, { cve: "CVE-2024-49975", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49975", }, { cve: "CVE-2024-49976", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49976", }, { cve: "CVE-2024-49977", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49977", }, { cve: "CVE-2024-49978", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49978", }, { cve: "CVE-2024-49979", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49979", }, { cve: "CVE-2024-49980", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49980", }, { cve: "CVE-2024-49981", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49981", }, { cve: "CVE-2024-49982", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49982", }, { cve: "CVE-2024-49983", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49983", }, { cve: "CVE-2024-49984", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49984", }, { cve: "CVE-2024-49985", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49985", }, { cve: "CVE-2024-49986", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49986", }, { cve: "CVE-2024-49987", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49987", }, { cve: "CVE-2024-49988", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49988", }, { cve: "CVE-2024-49989", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49989", }, { cve: "CVE-2024-49990", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49990", }, { cve: "CVE-2024-49991", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49991", }, { cve: "CVE-2024-49992", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49992", }, { cve: "CVE-2024-49993", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49993", }, { cve: "CVE-2024-49994", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49994", }, { cve: "CVE-2024-49995", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49995", }, { cve: "CVE-2024-49996", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49996", }, { cve: "CVE-2024-49997", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49997", }, { cve: "CVE-2024-49998", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49998", }, { cve: "CVE-2024-49999", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-49999", }, { cve: "CVE-2024-50000", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50000", }, { cve: "CVE-2024-50001", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50001", }, { cve: "CVE-2024-50002", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50002", }, { cve: "CVE-2024-50003", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50003", }, { cve: "CVE-2024-50004", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50004", }, { cve: "CVE-2024-50005", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50005", }, { cve: "CVE-2024-50006", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50006", }, { cve: "CVE-2024-50007", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50007", }, { cve: "CVE-2024-50008", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50008", }, { cve: "CVE-2024-50009", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50009", }, { cve: "CVE-2024-50010", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50010", }, { cve: "CVE-2024-50011", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50011", }, { cve: "CVE-2024-50012", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50012", }, { cve: "CVE-2024-50013", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50013", }, { cve: "CVE-2024-50014", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50014", }, { cve: "CVE-2024-50015", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50015", }, { cve: "CVE-2024-50016", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50016", }, { cve: "CVE-2024-50017", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50017", }, { cve: "CVE-2024-50018", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50018", }, { cve: "CVE-2024-50019", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50019", }, { cve: "CVE-2024-50020", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50020", }, { cve: "CVE-2024-50021", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50021", }, { cve: "CVE-2024-50022", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50022", }, { cve: "CVE-2024-50023", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50023", }, { cve: "CVE-2024-50024", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50024", }, { cve: "CVE-2024-50025", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50025", }, { cve: "CVE-2024-50026", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50026", }, { cve: "CVE-2024-50027", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50027", }, { cve: "CVE-2024-50028", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50028", }, { cve: "CVE-2024-50029", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50029", }, { cve: "CVE-2024-50030", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50030", }, { cve: "CVE-2024-50031", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50031", }, { cve: "CVE-2024-50032", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50032", }, { cve: "CVE-2024-50033", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50033", }, { cve: "CVE-2024-50034", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50034", }, { cve: "CVE-2024-50035", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50035", }, { cve: "CVE-2024-50036", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50036", }, { cve: "CVE-2024-50037", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50037", }, { cve: "CVE-2024-50038", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50038", }, { cve: "CVE-2024-50039", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50039", }, { cve: "CVE-2024-50040", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50040", }, { cve: "CVE-2024-50041", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50041", }, { cve: "CVE-2024-50042", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50042", }, { cve: "CVE-2024-50043", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50043", }, { cve: "CVE-2024-50044", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50044", }, { cve: "CVE-2024-50045", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50045", }, { cve: "CVE-2024-50046", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50046", }, { cve: "CVE-2024-50047", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50047", }, { cve: "CVE-2024-50048", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50048", }, { cve: "CVE-2024-50049", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50049", }, { cve: "CVE-2024-50055", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50055", }, { cve: "CVE-2024-50056", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50056", }, { cve: "CVE-2024-50057", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50057", }, { cve: "CVE-2024-50058", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50058", }, { cve: "CVE-2024-50059", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50059", }, { cve: "CVE-2024-50060", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50060", }, { cve: "CVE-2024-50061", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50061", }, { cve: "CVE-2024-50062", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50062", }, { cve: "CVE-2024-50063", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50063", }, { cve: "CVE-2024-50064", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50064", }, { cve: "CVE-2024-50065", notes: [ { category: "description", text: "Im Linux Kernel existieren mehrere Schwachstellen. Zu den Ursachen zählen unter anderem Fehler in der Speicherverwaltung oder unvollständige Eingabeprüfungen in verschiedenen Schnittstellen wie Netzwerk, WLAN, Bluetooth, sowie verschiedenen Dateisystemen und Treibern. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen oder andere, nicht näher bekannte Auswirkungen zu erzielen.", }, ], product_status: { known_affected: [ "2951", "T002207", "67646", "T000126", "T027843", "398363", "T004914", "1607324", "T032255", "T008144", ], }, release_date: "2024-10-21T22:00:00.000+00:00", title: "CVE-2024-50065", }, ], }
cve-2024-47690
Vulnerability from cvelistv5
Published
2024-10-21 11:53
Modified
2024-12-19 09:26
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: get rid of online repaire on corrupted directory
syzbot reports a f2fs bug as below:
kernel BUG at fs/f2fs/inode.c:896!
RIP: 0010:f2fs_evict_inode+0x1598/0x15c0 fs/f2fs/inode.c:896
Call Trace:
evict+0x532/0x950 fs/inode.c:704
dispose_list fs/inode.c:747 [inline]
evict_inodes+0x5f9/0x690 fs/inode.c:797
generic_shutdown_super+0x9d/0x2d0 fs/super.c:627
kill_block_super+0x44/0x90 fs/super.c:1696
kill_f2fs_super+0x344/0x690 fs/f2fs/super.c:4898
deactivate_locked_super+0xc4/0x130 fs/super.c:473
cleanup_mnt+0x41f/0x4b0 fs/namespace.c:1373
task_work_run+0x24f/0x310 kernel/task_work.c:228
ptrace_notify+0x2d2/0x380 kernel/signal.c:2402
ptrace_report_syscall include/linux/ptrace.h:415 [inline]
ptrace_report_syscall_exit include/linux/ptrace.h:477 [inline]
syscall_exit_work+0xc6/0x190 kernel/entry/common.c:173
syscall_exit_to_user_mode_prepare kernel/entry/common.c:200 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:205 [inline]
syscall_exit_to_user_mode+0x279/0x370 kernel/entry/common.c:218
do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0010:f2fs_evict_inode+0x1598/0x15c0 fs/f2fs/inode.c:896
Online repaire on corrupted directory in f2fs_lookup() can generate
dirty data/meta while racing w/ readonly remount, it may leave dirty
inode after filesystem becomes readonly, however, checkpoint() will
skips flushing dirty inode in a state of readonly mode, result in
above panic.
Let's get rid of online repaire in f2fs_lookup(), and leave the work
to fsck.f2fs.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 510022a85839a8409d1e6a519bb86ce71a84f30a Version: 510022a85839a8409d1e6a519bb86ce71a84f30a Version: 510022a85839a8409d1e6a519bb86ce71a84f30a Version: 510022a85839a8409d1e6a519bb86ce71a84f30a Version: 510022a85839a8409d1e6a519bb86ce71a84f30a Version: 510022a85839a8409d1e6a519bb86ce71a84f30a |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47690", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:06:03.889382Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:14:15.315Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/f2fs/f2fs.h", "fs/f2fs/namei.c", "include/linux/f2fs_fs.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "e8d64f598eeb079c42a52deaa3a91312c736a49d", status: "affected", version: "510022a85839a8409d1e6a519bb86ce71a84f30a", versionType: "git", }, { lessThan: "f4746f2d79507f65cfbde11d3c39ee8338aa50af", status: "affected", version: "510022a85839a8409d1e6a519bb86ce71a84f30a", versionType: "git", }, { lessThan: "f9ce2f550d53d044ecfb5ce996406cf42cd6b84d", status: "affected", version: "510022a85839a8409d1e6a519bb86ce71a84f30a", versionType: "git", }, { lessThan: "8be95cd607478d85fa4626e86f811e785905bcbf", status: "affected", version: "510022a85839a8409d1e6a519bb86ce71a84f30a", versionType: "git", }, { lessThan: "bcefd0b0611f35b560d0a7281d87529fbe7a1e32", status: "affected", version: "510022a85839a8409d1e6a519bb86ce71a84f30a", versionType: "git", }, { lessThan: "884ee6dc85b959bc152f15bca80c30f06069e6c4", status: "affected", version: "510022a85839a8409d1e6a519bb86ce71a84f30a", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/f2fs/f2fs.h", "fs/f2fs/namei.c", "include/linux/f2fs_fs.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "4.1", }, { lessThan: "4.1", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: get rid of online repaire on corrupted directory\n\nsyzbot reports a f2fs bug as below:\n\nkernel BUG at fs/f2fs/inode.c:896!\nRIP: 0010:f2fs_evict_inode+0x1598/0x15c0 fs/f2fs/inode.c:896\nCall Trace:\n evict+0x532/0x950 fs/inode.c:704\n dispose_list fs/inode.c:747 [inline]\n evict_inodes+0x5f9/0x690 fs/inode.c:797\n generic_shutdown_super+0x9d/0x2d0 fs/super.c:627\n kill_block_super+0x44/0x90 fs/super.c:1696\n kill_f2fs_super+0x344/0x690 fs/f2fs/super.c:4898\n deactivate_locked_super+0xc4/0x130 fs/super.c:473\n cleanup_mnt+0x41f/0x4b0 fs/namespace.c:1373\n task_work_run+0x24f/0x310 kernel/task_work.c:228\n ptrace_notify+0x2d2/0x380 kernel/signal.c:2402\n ptrace_report_syscall include/linux/ptrace.h:415 [inline]\n ptrace_report_syscall_exit include/linux/ptrace.h:477 [inline]\n syscall_exit_work+0xc6/0x190 kernel/entry/common.c:173\n syscall_exit_to_user_mode_prepare kernel/entry/common.c:200 [inline]\n __syscall_exit_to_user_mode_work kernel/entry/common.c:205 [inline]\n syscall_exit_to_user_mode+0x279/0x370 kernel/entry/common.c:218\n do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0010:f2fs_evict_inode+0x1598/0x15c0 fs/f2fs/inode.c:896\n\nOnline repaire on corrupted directory in f2fs_lookup() can generate\ndirty data/meta while racing w/ readonly remount, it may leave dirty\ninode after filesystem becomes readonly, however, checkpoint() will\nskips flushing dirty inode in a state of readonly mode, result in\nabove panic.\n\nLet's get rid of online repaire in f2fs_lookup(), and leave the work\nto fsck.f2fs.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:26:09.544Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/e8d64f598eeb079c42a52deaa3a91312c736a49d", }, { url: "https://git.kernel.org/stable/c/f4746f2d79507f65cfbde11d3c39ee8338aa50af", }, { url: "https://git.kernel.org/stable/c/f9ce2f550d53d044ecfb5ce996406cf42cd6b84d", }, { url: "https://git.kernel.org/stable/c/8be95cd607478d85fa4626e86f811e785905bcbf", }, { url: "https://git.kernel.org/stable/c/bcefd0b0611f35b560d0a7281d87529fbe7a1e32", }, { url: "https://git.kernel.org/stable/c/884ee6dc85b959bc152f15bca80c30f06069e6c4", }, ], title: "f2fs: get rid of online repaire on corrupted directory", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47690", datePublished: "2024-10-21T11:53:29.870Z", dateReserved: "2024-09-30T16:00:12.942Z", dateUpdated: "2024-12-19T09:26:09.544Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47722
Vulnerability from cvelistv5
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Show details on NVD website{ containers: { cna: { providerMetadata: { dateUpdated: "2024-10-21T12:58:26.199Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, rejectedReasons: [ { lang: "en", value: "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", }, ], }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47722", datePublished: "2024-10-21T12:13:56.954Z", dateRejected: "2024-10-21T12:58:26.199Z", dateReserved: "2024-09-30T16:00:12.950Z", dateUpdated: "2024-10-21T12:58:26.199Z", state: "REJECTED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48992
Vulnerability from cvelistv5
Published
2024-10-21 20:06
Modified
2024-12-19 08:12
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: soc-pcm: Add NULL check in BE reparenting
Add NULL check in dpcm_be_reparent API, to handle
kernel NULL pointer dereference error.
The issue occurred in fuzzing test.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48992", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:16:24.291488Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:42.055Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "sound/soc/soc-pcm.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "0760acc2e6598ad4f7bd3662db2d907ef0838139", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "d4dd21a79dbb862d2ebcf9ed90e646416009ff0d", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "e7166d6821c15f3516bcac8ae3f155924da1908c", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "f2ba66d8738584d124aff4e760ed1337f5f6dfb6", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "f6f45e538328df9ce66aa61bafee1a5717c4b700", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "9f74b9aa8d58c18927bb9b65dd5ba70a5fd61615", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "34a9796bf0684bfd54e96a142560d560c21c983b", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "db8f91d424fe0ea6db337aca8bc05908bbce1498", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "sound/soc/soc-pcm.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "4.9.*", status: "unaffected", version: "4.9.336", versionType: "semver", }, { lessThanOrEqual: "4.14.*", status: "unaffected", version: "4.14.302", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.269", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.227", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.159", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.83", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.13", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: soc-pcm: Add NULL check in BE reparenting\n\nAdd NULL check in dpcm_be_reparent API, to handle\nkernel NULL pointer dereference error.\nThe issue occurred in fuzzing test.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:12:03.765Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/0760acc2e6598ad4f7bd3662db2d907ef0838139", }, { url: "https://git.kernel.org/stable/c/d4dd21a79dbb862d2ebcf9ed90e646416009ff0d", }, { url: "https://git.kernel.org/stable/c/e7166d6821c15f3516bcac8ae3f155924da1908c", }, { url: "https://git.kernel.org/stable/c/f2ba66d8738584d124aff4e760ed1337f5f6dfb6", }, { url: "https://git.kernel.org/stable/c/f6f45e538328df9ce66aa61bafee1a5717c4b700", }, { url: "https://git.kernel.org/stable/c/9f74b9aa8d58c18927bb9b65dd5ba70a5fd61615", }, { url: "https://git.kernel.org/stable/c/34a9796bf0684bfd54e96a142560d560c21c983b", }, { url: "https://git.kernel.org/stable/c/db8f91d424fe0ea6db337aca8bc05908bbce1498", }, ], title: "ASoC: soc-pcm: Add NULL check in BE reparenting", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48992", datePublished: "2024-10-21T20:06:09.495Z", dateReserved: "2024-08-22T01:27:53.636Z", dateUpdated: "2024-12-19T08:12:03.765Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-49030
Vulnerability from cvelistv5
Published
2024-10-21 20:06
Modified
2024-12-19 08:12
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
libbpf: Handle size overflow for ringbuf mmap
The maximum size of ringbuf is 2GB on x86-64 host, so 2 * max_entries
will overflow u32 when mapping producer page and data pages. Only
casting max_entries to size_t is not enough, because for 32-bits
application on 64-bits kernel the size of read-only mmap region
also could overflow size_t.
So fixing it by casting the size of read-only mmap region into a __u64
and checking whether or not there will be overflow during mmap.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-49030", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:11:21.316890Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:35.905Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "tools/lib/bpf/ringbuf.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "8a549ab6724520aa3c07f47e0eba820293551490", status: "affected", version: "bf99c936f9478a05d51e9f101f90de70bee9a89c", versionType: "git", }, { lessThan: "0140e079a42064680394fff1199a7b5483688dec", status: "affected", version: "bf99c936f9478a05d51e9f101f90de70bee9a89c", versionType: "git", }, { lessThan: "535a25ab4f9a45f74ba38ab71de95e97474922ed", status: "affected", version: "bf99c936f9478a05d51e9f101f90de70bee9a89c", versionType: "git", }, { lessThan: "927cbb478adf917e0a142b94baa37f06279cc466", status: "affected", version: "bf99c936f9478a05d51e9f101f90de70bee9a89c", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "tools/lib/bpf/ringbuf.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.8", }, { lessThan: "5.8", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.158", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.82", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.12", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nlibbpf: Handle size overflow for ringbuf mmap\n\nThe maximum size of ringbuf is 2GB on x86-64 host, so 2 * max_entries\nwill overflow u32 when mapping producer page and data pages. Only\ncasting max_entries to size_t is not enough, because for 32-bits\napplication on 64-bits kernel the size of read-only mmap region\nalso could overflow size_t.\n\nSo fixing it by casting the size of read-only mmap region into a __u64\nand checking whether or not there will be overflow during mmap.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:12:46.415Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/8a549ab6724520aa3c07f47e0eba820293551490", }, { url: "https://git.kernel.org/stable/c/0140e079a42064680394fff1199a7b5483688dec", }, { url: "https://git.kernel.org/stable/c/535a25ab4f9a45f74ba38ab71de95e97474922ed", }, { url: "https://git.kernel.org/stable/c/927cbb478adf917e0a142b94baa37f06279cc466", }, ], title: "libbpf: Handle size overflow for ringbuf mmap", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-49030", datePublished: "2024-10-21T20:06:34.571Z", dateReserved: "2024-08-22T01:27:53.651Z", dateUpdated: "2024-12-19T08:12:46.415Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49893
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:28
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Check stream_status before it is used
[WHAT & HOW]
dc_state_get_stream_status can return null, and therefore null must be
checked before stream_status is used.
This fixes 1 NULL_RETURNS issue reported by Coverity.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49893", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:44:01.825946Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:48.772Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/core/dc.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "4914c8bfee1843fae046a12970b6f178e6642659", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "58a8ee96f84d2c21abb85ad8c22d2bbdf59bd7a9", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/core/dc.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check stream_status before it is used\n\n[WHAT & HOW]\ndc_state_get_stream_status can return null, and therefore null must be\nchecked before stream_status is used.\n\nThis fixes 1 NULL_RETURNS issue reported by Coverity.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:28:31.025Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/4914c8bfee1843fae046a12970b6f178e6642659", }, { url: "https://git.kernel.org/stable/c/58a8ee96f84d2c21abb85ad8c22d2bbdf59bd7a9", }, ], title: "drm/amd/display: Check stream_status before it is used", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49893", datePublished: "2024-10-21T18:01:27.681Z", dateReserved: "2024-10-21T12:17:06.025Z", dateUpdated: "2024-12-19T09:28:31.025Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-49011
Vulnerability from cvelistv5
Published
2024-10-21 20:06
Modified
2024-12-19 08:12
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
hwmon: (coretemp) fix pci device refcount leak in nv1a_ram_new()
As comment of pci_get_domain_bus_and_slot() says, it returns
a pci device with refcount increment, when finish using it,
the caller must decrement the reference count by calling
pci_dev_put(). So call it after using to avoid refcount leak.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 14513ee696a0cd12a19318e433b75a786808adc3 Version: 14513ee696a0cd12a19318e433b75a786808adc3 Version: 14513ee696a0cd12a19318e433b75a786808adc3 Version: 14513ee696a0cd12a19318e433b75a786808adc3 Version: 14513ee696a0cd12a19318e433b75a786808adc3 Version: 14513ee696a0cd12a19318e433b75a786808adc3 Version: 14513ee696a0cd12a19318e433b75a786808adc3 Version: 14513ee696a0cd12a19318e433b75a786808adc3 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-49011", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:13:51.210098Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:38.763Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/hwmon/coretemp.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "bb75a0d1223d43f97089841aecb28a9b4de687a9", status: "affected", version: "14513ee696a0cd12a19318e433b75a786808adc3", versionType: "git", }, { lessThan: "0dd1da5a15eeecb2fe4cf131b3216fb455af783c", status: "affected", version: "14513ee696a0cd12a19318e433b75a786808adc3", versionType: "git", }, { lessThan: "2f74cffc7c85f770b1b1833dccb03b8cde3be102", status: "affected", version: "14513ee696a0cd12a19318e433b75a786808adc3", versionType: "git", }, { lessThan: "ea5844f946b1ec5c0b7c115cd7684f34fd48021b", status: "affected", version: "14513ee696a0cd12a19318e433b75a786808adc3", versionType: "git", }, { lessThan: "c40db1e5f316792b557d2be37e447c20d9ac4635", status: "affected", version: "14513ee696a0cd12a19318e433b75a786808adc3", versionType: "git", }, { lessThan: "6e035d5a2a6b907cfce9a80c5f442c2e459cd34e", status: "affected", version: "14513ee696a0cd12a19318e433b75a786808adc3", versionType: "git", }, { lessThan: "f598da27acbeee414679cacd14294db3e273e3d2", status: "affected", version: "14513ee696a0cd12a19318e433b75a786808adc3", versionType: "git", }, { lessThan: "7dec14537c5906b8bf40fd6fd6d9c3850f8df11d", status: "affected", version: "14513ee696a0cd12a19318e433b75a786808adc3", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/hwmon/coretemp.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "3.14", }, { lessThan: "3.14", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.9.*", status: "unaffected", version: "4.9.335", versionType: "semver", }, { lessThanOrEqual: "4.14.*", status: "unaffected", version: "4.14.301", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.268", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.226", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.158", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.82", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.12", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (coretemp) fix pci device refcount leak in nv1a_ram_new()\n\nAs comment of pci_get_domain_bus_and_slot() says, it returns\na pci device with refcount increment, when finish using it,\nthe caller must decrement the reference count by calling\npci_dev_put(). So call it after using to avoid refcount leak.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:12:24.347Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/bb75a0d1223d43f97089841aecb28a9b4de687a9", }, { url: "https://git.kernel.org/stable/c/0dd1da5a15eeecb2fe4cf131b3216fb455af783c", }, { url: "https://git.kernel.org/stable/c/2f74cffc7c85f770b1b1833dccb03b8cde3be102", }, { url: "https://git.kernel.org/stable/c/ea5844f946b1ec5c0b7c115cd7684f34fd48021b", }, { url: "https://git.kernel.org/stable/c/c40db1e5f316792b557d2be37e447c20d9ac4635", }, { url: "https://git.kernel.org/stable/c/6e035d5a2a6b907cfce9a80c5f442c2e459cd34e", }, { url: "https://git.kernel.org/stable/c/f598da27acbeee414679cacd14294db3e273e3d2", }, { url: "https://git.kernel.org/stable/c/7dec14537c5906b8bf40fd6fd6d9c3850f8df11d", }, ], title: "hwmon: (coretemp) fix pci device refcount leak in nv1a_ram_new()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-49011", datePublished: "2024-10-21T20:06:22.099Z", dateReserved: "2024-08-22T01:27:53.644Z", dateUpdated: "2024-12-19T08:12:24.347Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48989
Vulnerability from cvelistv5
Published
2024-10-21 20:06
Modified
2024-12-19 08:12
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fscache: Fix oops due to race with cookie_lru and use_cookie
If a cookie expires from the LRU and the LRU_DISCARD flag is set, but
the state machine has not run yet, it's possible another thread can call
fscache_use_cookie and begin to use it.
When the cookie_worker finally runs, it will see the LRU_DISCARD flag
set, transition the cookie->state to LRU_DISCARDING, which will then
withdraw the cookie. Once the cookie is withdrawn the object is removed
the below oops will occur because the object associated with the cookie
is now NULL.
Fix the oops by clearing the LRU_DISCARD bit if another thread uses the
cookie before the cookie_worker runs.
BUG: kernel NULL pointer dereference, address: 0000000000000008
...
CPU: 31 PID: 44773 Comm: kworker/u130:1 Tainted: G E 6.0.0-5.dneg.x86_64 #1
Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
Workqueue: events_unbound netfs_rreq_write_to_cache_work [netfs]
RIP: 0010:cachefiles_prepare_write+0x28/0x90 [cachefiles]
...
Call Trace:
netfs_rreq_write_to_cache_work+0x11c/0x320 [netfs]
process_one_work+0x217/0x3e0
worker_thread+0x4a/0x3b0
kthread+0xd6/0x100
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48989", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:16:49.876509Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:42.490Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/fscache/cookie.c", "include/trace/events/fscache.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "37f0b459c9b67e14fe4dcc3a15d286c4436ed01d", status: "affected", version: "12bb21a29c19aae50cfad4e2bb5c943108f34a7d", versionType: "git", }, { lessThan: "b5b52de3214a29911f949459a79f6640969b5487", status: "affected", version: "12bb21a29c19aae50cfad4e2bb5c943108f34a7d", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/fscache/cookie.c", "include/trace/events/fscache.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.17", }, { lessThan: "5.17", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.13", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nfscache: Fix oops due to race with cookie_lru and use_cookie\n\nIf a cookie expires from the LRU and the LRU_DISCARD flag is set, but\nthe state machine has not run yet, it's possible another thread can call\nfscache_use_cookie and begin to use it.\n\nWhen the cookie_worker finally runs, it will see the LRU_DISCARD flag\nset, transition the cookie->state to LRU_DISCARDING, which will then\nwithdraw the cookie. Once the cookie is withdrawn the object is removed\nthe below oops will occur because the object associated with the cookie\nis now NULL.\n\nFix the oops by clearing the LRU_DISCARD bit if another thread uses the\ncookie before the cookie_worker runs.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000008\n ...\n CPU: 31 PID: 44773 Comm: kworker/u130:1 Tainted: G E 6.0.0-5.dneg.x86_64 #1\n Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022\n Workqueue: events_unbound netfs_rreq_write_to_cache_work [netfs]\n RIP: 0010:cachefiles_prepare_write+0x28/0x90 [cachefiles]\n ...\n Call Trace:\n netfs_rreq_write_to_cache_work+0x11c/0x320 [netfs]\n process_one_work+0x217/0x3e0\n worker_thread+0x4a/0x3b0\n kthread+0xd6/0x100", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:12:00.273Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/37f0b459c9b67e14fe4dcc3a15d286c4436ed01d", }, { url: "https://git.kernel.org/stable/c/b5b52de3214a29911f949459a79f6640969b5487", }, ], title: "fscache: Fix oops due to race with cookie_lru and use_cookie", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48989", datePublished: "2024-10-21T20:06:05.854Z", dateReserved: "2024-08-22T01:27:53.635Z", dateUpdated: "2024-12-19T08:12:00.273Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50046
Vulnerability from cvelistv5
Published
2024-10-21 19:39
Modified
2024-12-19 09:32
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFSv4: Prevent NULL-pointer dereference in nfs42_complete_copies()
On the node of an NFS client, some files saved in the mountpoint of the
NFS server were copied to another location of the same NFS server.
Accidentally, the nfs42_complete_copies() got a NULL-pointer dereference
crash with the following syslog:
[232064.838881] NFSv4: state recovery failed for open file nfs/pvc-12b5200d-cd0f-46a3-b9f0-af8f4fe0ef64.qcow2, error = -116
[232064.839360] NFSv4: state recovery failed for open file nfs/pvc-12b5200d-cd0f-46a3-b9f0-af8f4fe0ef64.qcow2, error = -116
[232066.588183] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000058
[232066.588586] Mem abort info:
[232066.588701] ESR = 0x0000000096000007
[232066.588862] EC = 0x25: DABT (current EL), IL = 32 bits
[232066.589084] SET = 0, FnV = 0
[232066.589216] EA = 0, S1PTW = 0
[232066.589340] FSC = 0x07: level 3 translation fault
[232066.589559] Data abort info:
[232066.589683] ISV = 0, ISS = 0x00000007
[232066.589842] CM = 0, WnR = 0
[232066.589967] user pgtable: 64k pages, 48-bit VAs, pgdp=00002000956ff400
[232066.590231] [0000000000000058] pgd=08001100ae100003, p4d=08001100ae100003, pud=08001100ae100003, pmd=08001100b3c00003, pte=0000000000000000
[232066.590757] Internal error: Oops: 96000007 [#1] SMP
[232066.590958] Modules linked in: rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs ocfs2_dlmfs ocfs2_stack_o2cb ocfs2_dlm vhost_net vhost vhost_iotlb tap tun ipt_rpfilter xt_multiport ip_set_hash_ip ip_set_hash_net xfrm_interface xfrm6_tunnel tunnel4 tunnel6 esp4 ah4 wireguard libcurve25519_generic veth xt_addrtype xt_set nf_conntrack_netlink ip_set_hash_ipportnet ip_set_hash_ipportip ip_set_bitmap_port ip_set_hash_ipport dummy ip_set ip_vs_sh ip_vs_wrr ip_vs_rr ip_vs iptable_filter sch_ingress nfnetlink_cttimeout vport_gre ip_gre ip_tunnel gre vport_geneve geneve vport_vxlan vxlan ip6_udp_tunnel udp_tunnel openvswitch nf_conncount dm_round_robin dm_service_time dm_multipath xt_nat xt_MASQUERADE nft_chain_nat nf_nat xt_mark xt_conntrack xt_comment nft_compat nft_counter nf_tables nfnetlink ocfs2 ocfs2_nodemanager ocfs2_stackglue iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ipmi_ssif nbd overlay 8021q garp mrp bonding tls rfkill sunrpc ext4 mbcache jbd2
[232066.591052] vfat fat cas_cache cas_disk ses enclosure scsi_transport_sas sg acpi_ipmi ipmi_si ipmi_devintf ipmi_msghandler ip_tables vfio_pci vfio_pci_core vfio_virqfd vfio_iommu_type1 vfio dm_mirror dm_region_hash dm_log dm_mod nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 br_netfilter bridge stp llc fuse xfs libcrc32c ast drm_vram_helper qla2xxx drm_kms_helper syscopyarea crct10dif_ce sysfillrect ghash_ce sysimgblt sha2_ce fb_sys_fops cec sha256_arm64 sha1_ce drm_ttm_helper ttm nvme_fc igb sbsa_gwdt nvme_fabrics drm nvme_core i2c_algo_bit i40e scsi_transport_fc megaraid_sas aes_neon_bs
[232066.596953] CPU: 6 PID: 4124696 Comm: 10.253.166.125- Kdump: loaded Not tainted 5.15.131-9.cl9_ocfs2.aarch64 #1
[232066.597356] Hardware name: Great Wall .\x93\x8e...RF6260 V5/GWMSSE2GL1T, BIOS T656FBE_V3.0.18 2024-01-06
[232066.597721] pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[232066.598034] pc : nfs4_reclaim_open_state+0x220/0x800 [nfsv4]
[232066.598327] lr : nfs4_reclaim_open_state+0x12c/0x800 [nfsv4]
[232066.598595] sp : ffff8000f568fc70
[232066.598731] x29: ffff8000f568fc70 x28: 0000000000001000 x27: ffff21003db33000
[232066.599030] x26: ffff800005521ae0 x25: ffff0100f98fa3f0 x24: 0000000000000001
[232066.599319] x23: ffff800009920008 x22: ffff21003db33040 x21: ffff21003db33050
[232066.599628] x20: ffff410172fe9e40 x19: ffff410172fe9e00 x18: 0000000000000000
[232066.599914] x17: 0000000000000000 x16: 0000000000000004 x15: 0000000000000000
[232066.600195] x14: 0000000000000000 x13: ffff800008e685a8 x12: 00000000eac0c6e6
[232066.600498] x11: 00000000000000
---truncated---
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 0e65a32c8a569db363048e17a708b1a0913adbef Version: 0e65a32c8a569db363048e17a708b1a0913adbef Version: 0e65a32c8a569db363048e17a708b1a0913adbef Version: 0e65a32c8a569db363048e17a708b1a0913adbef Version: 0e65a32c8a569db363048e17a708b1a0913adbef Version: 0e65a32c8a569db363048e17a708b1a0913adbef |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50046", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:24:06.853763Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:43.571Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/nfs/client.c", "fs/nfs/nfs42proc.c", "fs/nfs/nfs4state.c", "include/linux/nfs_fs_sb.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "f892165c564e3aab272948dbb556cc20e290c55a", status: "affected", version: "0e65a32c8a569db363048e17a708b1a0913adbef", versionType: "git", }, { lessThan: "584c019baedddec3fd634053e8fb2d8836108d38", status: "affected", version: "0e65a32c8a569db363048e17a708b1a0913adbef", versionType: "git", }, { lessThan: "632344b9efa064ca737bfcdaaaced59fd5f18ae9", status: "affected", version: "0e65a32c8a569db363048e17a708b1a0913adbef", versionType: "git", }, { lessThan: "fca41e5fa4914d12b2136c25f9dad69520b52683", status: "affected", version: "0e65a32c8a569db363048e17a708b1a0913adbef", versionType: "git", }, { lessThan: "ef9189bb15dcbe7ed3f3515aaa6fc8bf7483960d", status: "affected", version: "0e65a32c8a569db363048e17a708b1a0913adbef", versionType: "git", }, { lessThan: "a848c29e3486189aaabd5663bc11aea50c5bd144", status: "affected", version: "0e65a32c8a569db363048e17a708b1a0913adbef", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/nfs/client.c", "fs/nfs/nfs42proc.c", "fs/nfs/nfs4state.c", "include/linux/nfs_fs_sb.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.5", }, { lessThan: "5.5", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.57", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.4", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSv4: Prevent NULL-pointer dereference in nfs42_complete_copies()\n\nOn the node of an NFS client, some files saved in the mountpoint of the\nNFS server were copied to another location of the same NFS server.\nAccidentally, the nfs42_complete_copies() got a NULL-pointer dereference\ncrash with the following syslog:\n\n[232064.838881] NFSv4: state recovery failed for open file nfs/pvc-12b5200d-cd0f-46a3-b9f0-af8f4fe0ef64.qcow2, error = -116\n[232064.839360] NFSv4: state recovery failed for open file nfs/pvc-12b5200d-cd0f-46a3-b9f0-af8f4fe0ef64.qcow2, error = -116\n[232066.588183] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000058\n[232066.588586] Mem abort info:\n[232066.588701] ESR = 0x0000000096000007\n[232066.588862] EC = 0x25: DABT (current EL), IL = 32 bits\n[232066.589084] SET = 0, FnV = 0\n[232066.589216] EA = 0, S1PTW = 0\n[232066.589340] FSC = 0x07: level 3 translation fault\n[232066.589559] Data abort info:\n[232066.589683] ISV = 0, ISS = 0x00000007\n[232066.589842] CM = 0, WnR = 0\n[232066.589967] user pgtable: 64k pages, 48-bit VAs, pgdp=00002000956ff400\n[232066.590231] [0000000000000058] pgd=08001100ae100003, p4d=08001100ae100003, pud=08001100ae100003, pmd=08001100b3c00003, pte=0000000000000000\n[232066.590757] Internal error: Oops: 96000007 [#1] SMP\n[232066.590958] Modules linked in: rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs ocfs2_dlmfs ocfs2_stack_o2cb ocfs2_dlm vhost_net vhost vhost_iotlb tap tun ipt_rpfilter xt_multiport ip_set_hash_ip ip_set_hash_net xfrm_interface xfrm6_tunnel tunnel4 tunnel6 esp4 ah4 wireguard libcurve25519_generic veth xt_addrtype xt_set nf_conntrack_netlink ip_set_hash_ipportnet ip_set_hash_ipportip ip_set_bitmap_port ip_set_hash_ipport dummy ip_set ip_vs_sh ip_vs_wrr ip_vs_rr ip_vs iptable_filter sch_ingress nfnetlink_cttimeout vport_gre ip_gre ip_tunnel gre vport_geneve geneve vport_vxlan vxlan ip6_udp_tunnel udp_tunnel openvswitch nf_conncount dm_round_robin dm_service_time dm_multipath xt_nat xt_MASQUERADE nft_chain_nat nf_nat xt_mark xt_conntrack xt_comment nft_compat nft_counter nf_tables nfnetlink ocfs2 ocfs2_nodemanager ocfs2_stackglue iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ipmi_ssif nbd overlay 8021q garp mrp bonding tls rfkill sunrpc ext4 mbcache jbd2\n[232066.591052] vfat fat cas_cache cas_disk ses enclosure scsi_transport_sas sg acpi_ipmi ipmi_si ipmi_devintf ipmi_msghandler ip_tables vfio_pci vfio_pci_core vfio_virqfd vfio_iommu_type1 vfio dm_mirror dm_region_hash dm_log dm_mod nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 br_netfilter bridge stp llc fuse xfs libcrc32c ast drm_vram_helper qla2xxx drm_kms_helper syscopyarea crct10dif_ce sysfillrect ghash_ce sysimgblt sha2_ce fb_sys_fops cec sha256_arm64 sha1_ce drm_ttm_helper ttm nvme_fc igb sbsa_gwdt nvme_fabrics drm nvme_core i2c_algo_bit i40e scsi_transport_fc megaraid_sas aes_neon_bs\n[232066.596953] CPU: 6 PID: 4124696 Comm: 10.253.166.125- Kdump: loaded Not tainted 5.15.131-9.cl9_ocfs2.aarch64 #1\n[232066.597356] Hardware name: Great Wall .\\x93\\x8e...RF6260 V5/GWMSSE2GL1T, BIOS T656FBE_V3.0.18 2024-01-06\n[232066.597721] pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[232066.598034] pc : nfs4_reclaim_open_state+0x220/0x800 [nfsv4]\n[232066.598327] lr : nfs4_reclaim_open_state+0x12c/0x800 [nfsv4]\n[232066.598595] sp : ffff8000f568fc70\n[232066.598731] x29: ffff8000f568fc70 x28: 0000000000001000 x27: ffff21003db33000\n[232066.599030] x26: ffff800005521ae0 x25: ffff0100f98fa3f0 x24: 0000000000000001\n[232066.599319] x23: ffff800009920008 x22: ffff21003db33040 x21: ffff21003db33050\n[232066.599628] x20: ffff410172fe9e40 x19: ffff410172fe9e00 x18: 0000000000000000\n[232066.599914] x17: 0000000000000000 x16: 0000000000000004 x15: 0000000000000000\n[232066.600195] x14: 0000000000000000 x13: ffff800008e685a8 x12: 00000000eac0c6e6\n[232066.600498] x11: 00000000000000\n---truncated---", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:32:02.408Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/f892165c564e3aab272948dbb556cc20e290c55a", }, { url: "https://git.kernel.org/stable/c/584c019baedddec3fd634053e8fb2d8836108d38", }, { url: "https://git.kernel.org/stable/c/632344b9efa064ca737bfcdaaaced59fd5f18ae9", }, { url: "https://git.kernel.org/stable/c/fca41e5fa4914d12b2136c25f9dad69520b52683", }, { url: "https://git.kernel.org/stable/c/ef9189bb15dcbe7ed3f3515aaa6fc8bf7483960d", }, { url: "https://git.kernel.org/stable/c/a848c29e3486189aaabd5663bc11aea50c5bd144", }, ], title: "NFSv4: Prevent NULL-pointer dereference in nfs42_complete_copies()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50046", datePublished: "2024-10-21T19:39:43.780Z", dateReserved: "2024-10-21T12:17:06.071Z", dateUpdated: "2024-12-19T09:32:02.408Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49981
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-19 09:30
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: venus: fix use after free bug in venus_remove due to race condition
in venus_probe, core->work is bound with venus_sys_error_handler, which is
used to handle error. The code use core->sys_err_done to make sync work.
The core->work is started in venus_event_notify.
If we call venus_remove, there might be an unfished work. The possible
sequence is as follows:
CPU0 CPU1
|venus_sys_error_handler
venus_remove |
hfi_destroy |
venus_hfi_destroy |
kfree(hdev); |
|hfi_reinit
|venus_hfi_queues_reinit
|//use hdev
Fix it by canceling the work in venus_remove.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: af2c3834c8ca7cc65d15592ac671933df8848115 Version: af2c3834c8ca7cc65d15592ac671933df8848115 Version: af2c3834c8ca7cc65d15592ac671933df8848115 Version: af2c3834c8ca7cc65d15592ac671933df8848115 Version: af2c3834c8ca7cc65d15592ac671933df8848115 Version: af2c3834c8ca7cc65d15592ac671933df8848115 Version: af2c3834c8ca7cc65d15592ac671933df8848115 Version: af2c3834c8ca7cc65d15592ac671933df8848115 Version: af2c3834c8ca7cc65d15592ac671933df8848115 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49981", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:32:30.301335Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:44.376Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/media/platform/qcom/venus/core.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "5098b9e6377577fe13d03e1d8914930f014a3314", status: "affected", version: "af2c3834c8ca7cc65d15592ac671933df8848115", versionType: "git", }, { lessThan: "63bbe26471ebdcc3c20bb4cc3950d666279ad658", status: "affected", version: "af2c3834c8ca7cc65d15592ac671933df8848115", versionType: "git", }, { lessThan: "60b6968341a6dd5353554f3e72db554693a128a5", status: "affected", version: "af2c3834c8ca7cc65d15592ac671933df8848115", versionType: "git", }, { lessThan: "bf6be32e2d39f6301ff1831e249d32a8744ab28a", status: "affected", version: "af2c3834c8ca7cc65d15592ac671933df8848115", versionType: "git", }, { lessThan: "2a541fcc0bd2b05a458e9613376df1289ec11621", status: "affected", version: "af2c3834c8ca7cc65d15592ac671933df8848115", versionType: "git", }, { lessThan: "b0686aedc5f1343442d044bd64eeac7e7a391f4e", status: "affected", version: "af2c3834c8ca7cc65d15592ac671933df8848115", versionType: "git", }, { lessThan: "d925e9f7fb5a2dbefd1a73fc01061f38c7becd4c", status: "affected", version: "af2c3834c8ca7cc65d15592ac671933df8848115", versionType: "git", }, { lessThan: "10941d4f99a5a34999121b314afcd9c0a1c14f15", status: "affected", version: "af2c3834c8ca7cc65d15592ac671933df8848115", versionType: "git", }, { lessThan: "c5a85ed88e043474161bbfe54002c89c1cb50ee2", status: "affected", version: "af2c3834c8ca7cc65d15592ac671933df8848115", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/media/platform/qcom/venus/core.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "4.13", }, { lessThan: "4.13", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: venus: fix use after free bug in venus_remove due to race condition\n\nin venus_probe, core->work is bound with venus_sys_error_handler, which is\nused to handle error. The code use core->sys_err_done to make sync work.\nThe core->work is started in venus_event_notify.\n\nIf we call venus_remove, there might be an unfished work. The possible\nsequence is as follows:\n\nCPU0 CPU1\n\n |venus_sys_error_handler\nvenus_remove |\nhfi_destroy\t \t\t |\nvenus_hfi_destroy\t |\nkfree(hdev);\t |\n |hfi_reinit\n\t\t\t\t\t |venus_hfi_queues_reinit\n |//use hdev\n\nFix it by canceling the work in venus_remove.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:30:38.263Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/5098b9e6377577fe13d03e1d8914930f014a3314", }, { url: "https://git.kernel.org/stable/c/63bbe26471ebdcc3c20bb4cc3950d666279ad658", }, { url: "https://git.kernel.org/stable/c/60b6968341a6dd5353554f3e72db554693a128a5", }, { url: "https://git.kernel.org/stable/c/bf6be32e2d39f6301ff1831e249d32a8744ab28a", }, { url: "https://git.kernel.org/stable/c/2a541fcc0bd2b05a458e9613376df1289ec11621", }, { url: "https://git.kernel.org/stable/c/b0686aedc5f1343442d044bd64eeac7e7a391f4e", }, { url: "https://git.kernel.org/stable/c/d925e9f7fb5a2dbefd1a73fc01061f38c7becd4c", }, { url: "https://git.kernel.org/stable/c/10941d4f99a5a34999121b314afcd9c0a1c14f15", }, { url: "https://git.kernel.org/stable/c/c5a85ed88e043474161bbfe54002c89c1cb50ee2", }, ], title: "media: venus: fix use after free bug in venus_remove due to race condition", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49981", datePublished: "2024-10-21T18:02:27.142Z", dateReserved: "2024-10-21T12:17:06.052Z", dateUpdated: "2024-12-19T09:30:38.263Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48951
Vulnerability from cvelistv5
Published
2024-10-21 20:05
Modified
2024-12-19 08:11
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: ops: Check bounds for second channel in snd_soc_put_volsw_sx()
The bounds checks in snd_soc_put_volsw_sx() are only being applied to the
first channel, meaning it is possible to write out of bounds values to the
second channel in stereo controls. Add appropriate checks.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48951", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:21:37.733749Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:40.630Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "sound/soc/soc-ops.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "56288987843c3cb343e81e5fa51549cbaf541bd0", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "cf1c225f1927891ae388562b78ced7840c3723b9", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "18a168d85eadcfd45f015b5ecd2a97801b959e43", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "9796d07c753164b7e6b0d7ef23fb4482840a9ef8", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "50b5f6d4d9d2d69a7498c44fd8b26e13d73d3d98", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "cf611d786796ec33da09d8c83d7d7f4e557b27de", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "1798b62d642e7b3d4ea3403914c3caf4e438465d", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "97eea946b93961fffd29448dcda7398d0d51c4b2", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "sound/soc/soc-ops.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "4.9.*", status: "unaffected", version: "4.9.337", versionType: "semver", }, { lessThanOrEqual: "4.14.*", status: "unaffected", version: "4.14.303", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.270", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.228", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.160", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.84", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.14", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: ops: Check bounds for second channel in snd_soc_put_volsw_sx()\n\nThe bounds checks in snd_soc_put_volsw_sx() are only being applied to the\nfirst channel, meaning it is possible to write out of bounds values to the\nsecond channel in stereo controls. Add appropriate checks.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:11:08.200Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/56288987843c3cb343e81e5fa51549cbaf541bd0", }, { url: "https://git.kernel.org/stable/c/cf1c225f1927891ae388562b78ced7840c3723b9", }, { url: "https://git.kernel.org/stable/c/18a168d85eadcfd45f015b5ecd2a97801b959e43", }, { url: "https://git.kernel.org/stable/c/9796d07c753164b7e6b0d7ef23fb4482840a9ef8", }, { url: "https://git.kernel.org/stable/c/50b5f6d4d9d2d69a7498c44fd8b26e13d73d3d98", }, { url: "https://git.kernel.org/stable/c/cf611d786796ec33da09d8c83d7d7f4e557b27de", }, { url: "https://git.kernel.org/stable/c/1798b62d642e7b3d4ea3403914c3caf4e438465d", }, { url: "https://git.kernel.org/stable/c/97eea946b93961fffd29448dcda7398d0d51c4b2", }, ], title: "ASoC: ops: Check bounds for second channel in snd_soc_put_volsw_sx()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48951", datePublished: "2024-10-21T20:05:39.092Z", dateReserved: "2024-08-22T01:27:53.626Z", dateUpdated: "2024-12-19T08:11:08.200Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50021
Vulnerability from cvelistv5
Published
2024-10-21 19:39
Modified
2024-12-19 09:31
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ice: Fix improper handling of refcount in ice_dpll_init_rclk_pins()
This patch addresses a reference count handling issue in the
ice_dpll_init_rclk_pins() function. The function calls ice_dpll_get_pins(),
which increments the reference count of the relevant resources. However,
if the condition WARN_ON((!vsi || !vsi->netdev)) is met, the function
currently returns an error without properly releasing the resources
acquired by ice_dpll_get_pins(), leading to a reference count leak.
To resolve this, the check has been moved to the top of the function. This
ensures that the function verifies the state before any resources are
acquired, avoiding the need for additional resource management in the
error path.
This bug was identified by an experimental static analysis tool developed
by our team. The tool specializes in analyzing reference count operations
and detecting potential issues where resources are not properly managed.
In this case, the tool flagged the missing release operation as a
potential problem, which led to the development of this patch.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50021", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:27:23.008969Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:47.259Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/ethernet/intel/ice/ice_dpll.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "aefecead9d08f4a35ab6f51ba2e408d2cef4e31d", status: "affected", version: "d7999f5ea64bb10d2857b8cbfe973be373bac7c9", versionType: "git", }, { lessThan: "ccca30a18e36a742e606d5bf0630e75be7711d0a", status: "affected", version: "d7999f5ea64bb10d2857b8cbfe973be373bac7c9", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/ethernet/intel/ice/ice_dpll.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.7", }, { lessThan: "6.7", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.4", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Fix improper handling of refcount in ice_dpll_init_rclk_pins()\n\nThis patch addresses a reference count handling issue in the\nice_dpll_init_rclk_pins() function. The function calls ice_dpll_get_pins(),\nwhich increments the reference count of the relevant resources. However,\nif the condition WARN_ON((!vsi || !vsi->netdev)) is met, the function\ncurrently returns an error without properly releasing the resources\nacquired by ice_dpll_get_pins(), leading to a reference count leak.\n\nTo resolve this, the check has been moved to the top of the function. This\nensures that the function verifies the state before any resources are\nacquired, avoiding the need for additional resource management in the\nerror path.\n\nThis bug was identified by an experimental static analysis tool developed\nby our team. The tool specializes in analyzing reference count operations\nand detecting potential issues where resources are not properly managed.\nIn this case, the tool flagged the missing release operation as a\npotential problem, which led to the development of this patch.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:31:31.179Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/aefecead9d08f4a35ab6f51ba2e408d2cef4e31d", }, { url: "https://git.kernel.org/stable/c/ccca30a18e36a742e606d5bf0630e75be7711d0a", }, ], title: "ice: Fix improper handling of refcount in ice_dpll_init_rclk_pins()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50021", datePublished: "2024-10-21T19:39:27.212Z", dateReserved: "2024-10-21T12:17:06.064Z", dateUpdated: "2024-12-19T09:31:31.179Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-49008
Vulnerability from cvelistv5
Published
2024-10-21 20:06
Modified
2024-12-19 08:12
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: can327: can327_feed_frame_to_netdev(): fix potential skb leak when netdev is down
In can327_feed_frame_to_netdev(), it did not free the skb when netdev
is down, and all callers of can327_feed_frame_to_netdev() did not free
allocated skb too. That would trigger skb leak.
Fix it by adding kfree_skb() in can327_feed_frame_to_netdev() when netdev
is down. Not tested, just compiled.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-49008", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:14:13.879522Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:39.394Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/can/can327.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "797b1d9fc0e1f4351e4ad49b078c1a3cdc0d4a08", status: "affected", version: "43da2f07622f41376c7ddab8f73dc2b1d3ab9715", versionType: "git", }, { lessThan: "8fa452cfafed521aaf5a18c71003fe24b1ee6141", status: "affected", version: "43da2f07622f41376c7ddab8f73dc2b1d3ab9715", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/can/can327.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.0", }, { lessThan: "6.0", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.12", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: can327: can327_feed_frame_to_netdev(): fix potential skb leak when netdev is down\n\nIn can327_feed_frame_to_netdev(), it did not free the skb when netdev\nis down, and all callers of can327_feed_frame_to_netdev() did not free\nallocated skb too. That would trigger skb leak.\n\nFix it by adding kfree_skb() in can327_feed_frame_to_netdev() when netdev\nis down. Not tested, just compiled.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:12:20.946Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/797b1d9fc0e1f4351e4ad49b078c1a3cdc0d4a08", }, { url: "https://git.kernel.org/stable/c/8fa452cfafed521aaf5a18c71003fe24b1ee6141", }, ], title: "can: can327: can327_feed_frame_to_netdev(): fix potential skb leak when netdev is down", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-49008", datePublished: "2024-10-21T20:06:20.158Z", dateReserved: "2024-08-22T01:27:53.643Z", dateUpdated: "2024-12-19T08:12:20.946Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48955
Vulnerability from cvelistv5
Published
2024-10-21 20:05
Modified
2024-12-19 08:11
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: thunderbolt: fix memory leak in tbnet_open()
When tb_ring_alloc_rx() failed in tbnet_open(), ida that allocated in
tb_xdomain_alloc_out_hopid() is not released. Add
tb_xdomain_release_out_hopid() to the error path to release ida.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48955", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:21:07.811793Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:39.994Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/thunderbolt.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "b9274dbe399952a8175db2e1ee148b7c9ba2b538", status: "affected", version: "180b0689425c6fb2b35e69a3316ee38371a782df", versionType: "git", }, { lessThan: "ed6e955f3b7e0e622c080f4bcb5427a5e1af4c2a", status: "affected", version: "180b0689425c6fb2b35e69a3316ee38371a782df", versionType: "git", }, { lessThan: "ed14e5903638f6eb868e3e2b4e610985e6a6c876", status: "affected", version: "180b0689425c6fb2b35e69a3316ee38371a782df", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/thunderbolt.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.13", }, { lessThan: "5.13", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.83", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.13", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: thunderbolt: fix memory leak in tbnet_open()\n\nWhen tb_ring_alloc_rx() failed in tbnet_open(), ida that allocated in\ntb_xdomain_alloc_out_hopid() is not released. Add\ntb_xdomain_release_out_hopid() to the error path to release ida.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:11:12.774Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/b9274dbe399952a8175db2e1ee148b7c9ba2b538", }, { url: "https://git.kernel.org/stable/c/ed6e955f3b7e0e622c080f4bcb5427a5e1af4c2a", }, { url: "https://git.kernel.org/stable/c/ed14e5903638f6eb868e3e2b4e610985e6a6c876", }, ], title: "net: thunderbolt: fix memory leak in tbnet_open()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48955", datePublished: "2024-10-21T20:05:41.715Z", dateReserved: "2024-08-22T01:27:53.627Z", dateUpdated: "2024-12-19T08:11:12.774Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-49022
Vulnerability from cvelistv5
Published
2024-10-21 20:06
Modified
2024-12-19 08:12
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac8021: fix possible oob access in ieee80211_get_rate_duration
Fix possible out-of-bound access in ieee80211_get_rate_duration routine
as reported by the following UBSAN report:
UBSAN: array-index-out-of-bounds in net/mac80211/airtime.c:455:47
index 15 is out of range for type 'u16 [12]'
CPU: 2 PID: 217 Comm: kworker/u32:10 Not tainted 6.1.0-060100rc3-generic
Hardware name: Acer Aspire TC-281/Aspire TC-281, BIOS R01-A2 07/18/2017
Workqueue: mt76 mt76u_tx_status_data [mt76_usb]
Call Trace:
<TASK>
show_stack+0x4e/0x61
dump_stack_lvl+0x4a/0x6f
dump_stack+0x10/0x18
ubsan_epilogue+0x9/0x43
__ubsan_handle_out_of_bounds.cold+0x42/0x47
ieee80211_get_rate_duration.constprop.0+0x22f/0x2a0 [mac80211]
? ieee80211_tx_status_ext+0x32e/0x640 [mac80211]
ieee80211_calc_rx_airtime+0xda/0x120 [mac80211]
ieee80211_calc_tx_airtime+0xb4/0x100 [mac80211]
mt76x02_send_tx_status+0x266/0x480 [mt76x02_lib]
mt76x02_tx_status_data+0x52/0x80 [mt76x02_lib]
mt76u_tx_status_data+0x67/0xd0 [mt76_usb]
process_one_work+0x225/0x400
worker_thread+0x50/0x3e0
? process_one_work+0x400/0x400
kthread+0xe9/0x110
? kthread_complete_and_exit+0x20/0x20
ret_from_fork+0x22/0x30
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-49022", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:12:26.001640Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:37.055Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/mac80211/airtime.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "0184ede0ec61b9cd075babfaa45081b1bf322234", status: "affected", version: "db3e1c40cf2f973fbdd52ae0b59a9472b1c04f4a", versionType: "git", }, { lessThan: "59b54f0563b6546c94bdb6823d3b382c75407019", status: "affected", version: "db3e1c40cf2f973fbdd52ae0b59a9472b1c04f4a", versionType: "git", }, { lessThan: "f0fcad4c7201ecfaa17357f4ce0c50b4708df22d", status: "affected", version: "db3e1c40cf2f973fbdd52ae0b59a9472b1c04f4a", versionType: "git", }, { lessThan: "3e8f7abcc3473bc9603323803aeaed4ffcc3a2ab", status: "affected", version: "db3e1c40cf2f973fbdd52ae0b59a9472b1c04f4a", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/mac80211/airtime.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.5", }, { lessThan: "5.5", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.158", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.82", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.12", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac8021: fix possible oob access in ieee80211_get_rate_duration\n\nFix possible out-of-bound access in ieee80211_get_rate_duration routine\nas reported by the following UBSAN report:\n\nUBSAN: array-index-out-of-bounds in net/mac80211/airtime.c:455:47\nindex 15 is out of range for type 'u16 [12]'\nCPU: 2 PID: 217 Comm: kworker/u32:10 Not tainted 6.1.0-060100rc3-generic\nHardware name: Acer Aspire TC-281/Aspire TC-281, BIOS R01-A2 07/18/2017\nWorkqueue: mt76 mt76u_tx_status_data [mt76_usb]\nCall Trace:\n <TASK>\n show_stack+0x4e/0x61\n dump_stack_lvl+0x4a/0x6f\n dump_stack+0x10/0x18\n ubsan_epilogue+0x9/0x43\n __ubsan_handle_out_of_bounds.cold+0x42/0x47\nieee80211_get_rate_duration.constprop.0+0x22f/0x2a0 [mac80211]\n ? ieee80211_tx_status_ext+0x32e/0x640 [mac80211]\n ieee80211_calc_rx_airtime+0xda/0x120 [mac80211]\n ieee80211_calc_tx_airtime+0xb4/0x100 [mac80211]\n mt76x02_send_tx_status+0x266/0x480 [mt76x02_lib]\n mt76x02_tx_status_data+0x52/0x80 [mt76x02_lib]\n mt76u_tx_status_data+0x67/0xd0 [mt76_usb]\n process_one_work+0x225/0x400\n worker_thread+0x50/0x3e0\n ? process_one_work+0x400/0x400\n kthread+0xe9/0x110\n ? kthread_complete_and_exit+0x20/0x20\n ret_from_fork+0x22/0x30", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:12:37.010Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/0184ede0ec61b9cd075babfaa45081b1bf322234", }, { url: "https://git.kernel.org/stable/c/59b54f0563b6546c94bdb6823d3b382c75407019", }, { url: "https://git.kernel.org/stable/c/f0fcad4c7201ecfaa17357f4ce0c50b4708df22d", }, { url: "https://git.kernel.org/stable/c/3e8f7abcc3473bc9603323803aeaed4ffcc3a2ab", }, ], title: "wifi: mac8021: fix possible oob access in ieee80211_get_rate_duration", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-49022", datePublished: "2024-10-21T20:06:29.239Z", dateReserved: "2024-08-22T01:27:53.649Z", dateUpdated: "2024-12-19T08:12:37.010Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47679
Vulnerability from cvelistv5
Published
2024-10-21 11:53
Modified
2024-12-19 09:25
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
vfs: fix race between evice_inodes() and find_inode()&iput()
Hi, all
Recently I noticed a bug[1] in btrfs, after digged it into
and I believe it'a race in vfs.
Let's assume there's a inode (ie ino 261) with i_count 1 is
called by iput(), and there's a concurrent thread calling
generic_shutdown_super().
cpu0: cpu1:
iput() // i_count is 1
->spin_lock(inode)
->dec i_count to 0
->iput_final() generic_shutdown_super()
->__inode_add_lru() ->evict_inodes()
// cause some reason[2] ->if (atomic_read(inode->i_count)) continue;
// return before // inode 261 passed the above check
// list_lru_add_obj() // and then schedule out
->spin_unlock()
// note here: the inode 261
// was still at sb list and hash list,
// and I_FREEING|I_WILL_FREE was not been set
btrfs_iget()
// after some function calls
->find_inode()
// found the above inode 261
->spin_lock(inode)
// check I_FREEING|I_WILL_FREE
// and passed
->__iget()
->spin_unlock(inode) // schedule back
->spin_lock(inode)
// check (I_NEW|I_FREEING|I_WILL_FREE) flags,
// passed and set I_FREEING
iput() ->spin_unlock(inode)
->spin_lock(inode) ->evict()
// dec i_count to 0
->iput_final()
->spin_unlock()
->evict()
Now, we have two threads simultaneously evicting
the same inode, which may trigger the BUG(inode->i_state & I_CLEAR)
statement both within clear_inode() and iput().
To fix the bug, recheck the inode->i_count after holding i_lock.
Because in the most scenarios, the first check is valid, and
the overhead of spin_lock() can be reduced.
If there is any misunderstanding, please let me know, thanks.
[1]: https://lore.kernel.org/linux-btrfs/000000000000eabe1d0619c48986@google.com/
[2]: The reason might be 1. SB_ACTIVE was removed or 2. mapping_shrinkable()
return false when I reproduced the bug.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 63997e98a3be68d7cec806d22bf9b02b2e1daabb Version: 63997e98a3be68d7cec806d22bf9b02b2e1daabb Version: 63997e98a3be68d7cec806d22bf9b02b2e1daabb Version: 63997e98a3be68d7cec806d22bf9b02b2e1daabb Version: 63997e98a3be68d7cec806d22bf9b02b2e1daabb Version: 63997e98a3be68d7cec806d22bf9b02b2e1daabb Version: 63997e98a3be68d7cec806d22bf9b02b2e1daabb Version: 63997e98a3be68d7cec806d22bf9b02b2e1daabb Version: 63997e98a3be68d7cec806d22bf9b02b2e1daabb |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47679", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:07:33.659444Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:14:16.951Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/inode.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "6cc13a80a26e6b48f78c725c01b91987d61563ef", status: "affected", version: "63997e98a3be68d7cec806d22bf9b02b2e1daabb", versionType: "git", }, { lessThan: "489faddb1ae75b0e1a741fe5ca2542a2b5e794a5", status: "affected", version: "63997e98a3be68d7cec806d22bf9b02b2e1daabb", versionType: "git", }, { lessThan: "47a68c75052a660e4c37de41e321582ec9496195", status: "affected", version: "63997e98a3be68d7cec806d22bf9b02b2e1daabb", versionType: "git", }, { lessThan: "3721a69403291e2514d13a7c3af50a006ea1153b", status: "affected", version: "63997e98a3be68d7cec806d22bf9b02b2e1daabb", versionType: "git", }, { lessThan: "540fb13120c9eab3ef203f90c00c8e69f37449d1", status: "affected", version: "63997e98a3be68d7cec806d22bf9b02b2e1daabb", versionType: "git", }, { lessThan: "0eed942bc65de1f93eca7bda51344290f9c573bb", status: "affected", version: "63997e98a3be68d7cec806d22bf9b02b2e1daabb", versionType: "git", }, { lessThan: "0f8a5b6d0dafa4f533ac82e98f8b812073a7c9d1", status: "affected", version: "63997e98a3be68d7cec806d22bf9b02b2e1daabb", versionType: "git", }, { lessThan: "6c857fb12b9137fee574443385d53914356bbe11", status: "affected", version: "63997e98a3be68d7cec806d22bf9b02b2e1daabb", versionType: "git", }, { lessThan: "88b1afbf0f6b221f6c5bb66cc80cd3b38d696687", status: "affected", version: "63997e98a3be68d7cec806d22bf9b02b2e1daabb", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/inode.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "2.6.37", }, { lessThan: "2.6.37", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nvfs: fix race between evice_inodes() and find_inode()&iput()\n\nHi, all\n\nRecently I noticed a bug[1] in btrfs, after digged it into\nand I believe it'a race in vfs.\n\nLet's assume there's a inode (ie ino 261) with i_count 1 is\ncalled by iput(), and there's a concurrent thread calling\ngeneric_shutdown_super().\n\ncpu0: cpu1:\niput() // i_count is 1\n ->spin_lock(inode)\n ->dec i_count to 0\n ->iput_final() generic_shutdown_super()\n ->__inode_add_lru() ->evict_inodes()\n // cause some reason[2] ->if (atomic_read(inode->i_count)) continue;\n // return before // inode 261 passed the above check\n // list_lru_add_obj() // and then schedule out\n ->spin_unlock()\n// note here: the inode 261\n// was still at sb list and hash list,\n// and I_FREEING|I_WILL_FREE was not been set\n\nbtrfs_iget()\n // after some function calls\n ->find_inode()\n // found the above inode 261\n ->spin_lock(inode)\n // check I_FREEING|I_WILL_FREE\n // and passed\n ->__iget()\n ->spin_unlock(inode) // schedule back\n ->spin_lock(inode)\n // check (I_NEW|I_FREEING|I_WILL_FREE) flags,\n // passed and set I_FREEING\niput() ->spin_unlock(inode)\n ->spin_lock(inode)\t\t\t ->evict()\n // dec i_count to 0\n ->iput_final()\n ->spin_unlock()\n ->evict()\n\nNow, we have two threads simultaneously evicting\nthe same inode, which may trigger the BUG(inode->i_state & I_CLEAR)\nstatement both within clear_inode() and iput().\n\nTo fix the bug, recheck the inode->i_count after holding i_lock.\nBecause in the most scenarios, the first check is valid, and\nthe overhead of spin_lock() can be reduced.\n\nIf there is any misunderstanding, please let me know, thanks.\n\n[1]: https://lore.kernel.org/linux-btrfs/000000000000eabe1d0619c48986@google.com/\n[2]: The reason might be 1. SB_ACTIVE was removed or 2. mapping_shrinkable()\nreturn false when I reproduced the bug.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:25:45.420Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/6cc13a80a26e6b48f78c725c01b91987d61563ef", }, { url: "https://git.kernel.org/stable/c/489faddb1ae75b0e1a741fe5ca2542a2b5e794a5", }, { url: "https://git.kernel.org/stable/c/47a68c75052a660e4c37de41e321582ec9496195", }, { url: "https://git.kernel.org/stable/c/3721a69403291e2514d13a7c3af50a006ea1153b", }, { url: "https://git.kernel.org/stable/c/540fb13120c9eab3ef203f90c00c8e69f37449d1", }, { url: "https://git.kernel.org/stable/c/0eed942bc65de1f93eca7bda51344290f9c573bb", }, { url: "https://git.kernel.org/stable/c/0f8a5b6d0dafa4f533ac82e98f8b812073a7c9d1", }, { url: "https://git.kernel.org/stable/c/6c857fb12b9137fee574443385d53914356bbe11", }, { url: "https://git.kernel.org/stable/c/88b1afbf0f6b221f6c5bb66cc80cd3b38d696687", }, ], title: "vfs: fix race between evice_inodes() and find_inode()&iput()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47679", datePublished: "2024-10-21T11:53:22.469Z", dateReserved: "2024-09-30T16:00:12.939Z", dateUpdated: "2024-12-19T09:25:45.420Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49915
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:28
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Add NULL check for clk_mgr in dcn32_init_hw
This commit addresses a potential null pointer dereference issue in the
`dcn32_init_hw` function. The issue could occur when `dc->clk_mgr` is
null.
The fix adds a check to ensure `dc->clk_mgr` is not null before
accessing its functions. This prevents a potential null pointer
dereference.
Reported by smatch:
drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn32/dcn32_hwseq.c:961 dcn32_init_hw() error: we previously assumed 'dc->clk_mgr' could be null (see line 782)
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49915", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:41:07.421469Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:45.551Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/hwss/dcn32/dcn32_hwseq.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "0d94d9cbd9fec7344d230c4f7b781826f7799c60", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "ec1be3c527b4a5fc85bcc1b0be7cec08bf60c796", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "f0454b3cb0584a6bf275aeb49be61a760fd546a2", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "7d1854c86d02cea8f8a0c0ca05f4ab14292baf3d", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "c395fd47d1565bd67671f45cca281b3acc2c31ef", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/hwss/dcn32/dcn32_hwseq.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.120", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.64", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add NULL check for clk_mgr in dcn32_init_hw\n\nThis commit addresses a potential null pointer dereference issue in the\n`dcn32_init_hw` function. The issue could occur when `dc->clk_mgr` is\nnull.\n\nThe fix adds a check to ensure `dc->clk_mgr` is not null before\naccessing its functions. This prevents a potential null pointer\ndereference.\n\nReported by smatch:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn32/dcn32_hwseq.c:961 dcn32_init_hw() error: we previously assumed 'dc->clk_mgr' could be null (see line 782)", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:28:57.547Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/0d94d9cbd9fec7344d230c4f7b781826f7799c60", }, { url: "https://git.kernel.org/stable/c/ec1be3c527b4a5fc85bcc1b0be7cec08bf60c796", }, { url: "https://git.kernel.org/stable/c/f0454b3cb0584a6bf275aeb49be61a760fd546a2", }, { url: "https://git.kernel.org/stable/c/7d1854c86d02cea8f8a0c0ca05f4ab14292baf3d", }, { url: "https://git.kernel.org/stable/c/c395fd47d1565bd67671f45cca281b3acc2c31ef", }, ], title: "drm/amd/display: Add NULL check for clk_mgr in dcn32_init_hw", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49915", datePublished: "2024-10-21T18:01:42.866Z", dateReserved: "2024-10-21T12:17:06.033Z", dateUpdated: "2024-12-19T09:28:57.547Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49996
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-19 09:30
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
cifs: Fix buffer overflow when parsing NFS reparse points
ReparseDataLength is sum of the InodeType size and DataBuffer size.
So to get DataBuffer size it is needed to subtract InodeType's size from
ReparseDataLength.
Function cifs_strndup_from_utf16() is currentlly accessing buf->DataBuffer
at position after the end of the buffer because it does not subtract
InodeType size from the length. Fix this problem and correctly subtract
variable len.
Member InodeType is present only when reparse buffer is large enough. Check
for ReparseDataLength before accessing InodeType to prevent another invalid
memory access.
Major and minor rdev values are present also only when reparse buffer is
large enough. Check for reparse buffer size before calling reparse_mkdev().
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: d5ecebc4900df7f6e8dff0717574668885110553 Version: d5ecebc4900df7f6e8dff0717574668885110553 Version: d5ecebc4900df7f6e8dff0717574668885110553 Version: d5ecebc4900df7f6e8dff0717574668885110553 Version: d5ecebc4900df7f6e8dff0717574668885110553 Version: d5ecebc4900df7f6e8dff0717574668885110553 Version: d5ecebc4900df7f6e8dff0717574668885110553 Version: d5ecebc4900df7f6e8dff0717574668885110553 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49996", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:30:36.265660Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:41.853Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/smb/client/reparse.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "7b222d6cb87077faf56a687a72af1951cf78c8a9", status: "affected", version: "d5ecebc4900df7f6e8dff0717574668885110553", versionType: "git", }, { lessThan: "73b078e3314d4854fd8286f3ba65c860ddd3a3dd", status: "affected", version: "d5ecebc4900df7f6e8dff0717574668885110553", versionType: "git", }, { lessThan: "01cdddde39b065074fd48f07027757783cbf5b7d", status: "affected", version: "d5ecebc4900df7f6e8dff0717574668885110553", versionType: "git", }, { lessThan: "ec79e6170bcae8a6036a4b6960f5e7e59a785601", status: "affected", version: "d5ecebc4900df7f6e8dff0717574668885110553", versionType: "git", }, { lessThan: "c6db81c550cea0c73bd72ef55f579991e0e4ba07", status: "affected", version: "d5ecebc4900df7f6e8dff0717574668885110553", versionType: "git", }, { lessThan: "803b3a39cb096d8718c0aebc03fd19f11c7dc919", status: "affected", version: "d5ecebc4900df7f6e8dff0717574668885110553", versionType: "git", }, { lessThan: "c173d47b69f07cd7ca08efb4e458adbd4725d8e9", status: "affected", version: "d5ecebc4900df7f6e8dff0717574668885110553", versionType: "git", }, { lessThan: "e2a8910af01653c1c268984855629d71fb81f404", status: "affected", version: "d5ecebc4900df7f6e8dff0717574668885110553", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/smb/client/reparse.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.3", }, { lessThan: "5.3", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.287", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.231", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.174", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.120", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix buffer overflow when parsing NFS reparse points\n\nReparseDataLength is sum of the InodeType size and DataBuffer size.\nSo to get DataBuffer size it is needed to subtract InodeType's size from\nReparseDataLength.\n\nFunction cifs_strndup_from_utf16() is currentlly accessing buf->DataBuffer\nat position after the end of the buffer because it does not subtract\nInodeType size from the length. Fix this problem and correctly subtract\nvariable len.\n\nMember InodeType is present only when reparse buffer is large enough. Check\nfor ReparseDataLength before accessing InodeType to prevent another invalid\nmemory access.\n\nMajor and minor rdev values are present also only when reparse buffer is\nlarge enough. Check for reparse buffer size before calling reparse_mkdev().", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:30:56.064Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/7b222d6cb87077faf56a687a72af1951cf78c8a9", }, { url: "https://git.kernel.org/stable/c/73b078e3314d4854fd8286f3ba65c860ddd3a3dd", }, { url: "https://git.kernel.org/stable/c/01cdddde39b065074fd48f07027757783cbf5b7d", }, { url: "https://git.kernel.org/stable/c/ec79e6170bcae8a6036a4b6960f5e7e59a785601", }, { url: "https://git.kernel.org/stable/c/c6db81c550cea0c73bd72ef55f579991e0e4ba07", }, { url: "https://git.kernel.org/stable/c/803b3a39cb096d8718c0aebc03fd19f11c7dc919", }, { url: "https://git.kernel.org/stable/c/c173d47b69f07cd7ca08efb4e458adbd4725d8e9", }, { url: "https://git.kernel.org/stable/c/e2a8910af01653c1c268984855629d71fb81f404", }, ], title: "cifs: Fix buffer overflow when parsing NFS reparse points", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49996", datePublished: "2024-10-21T18:02:37.046Z", dateReserved: "2024-10-21T12:17:06.056Z", dateUpdated: "2024-12-19T09:30:56.064Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48946
Vulnerability from cvelistv5
Published
2024-10-21 20:05
Modified
2024-12-19 08:11
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
udf: Fix preallocation discarding at indirect extent boundary
When preallocation extent is the first one in the extent block, the
code would corrupt extent tree header instead. Fix the problem and use
udf_delete_aext() for deleting extent to avoid some code duplication.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48946", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:22:15.056500Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:41.431Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/udf/truncate.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "c8b6fa4511a7900db9fb0353b630d4d2ed1ba99c", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "7665857f88557c372da35534165721156756f77f", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "72f651c96c8aadf087fd782d551bf7db648a8c2e", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "4d835efd561dfb9bf5409f11f4ecd428d5d29226", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "1a075f4a549481ce6e8518d8379f193ccec6b746", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "63dbbd8f1499b0a161e701a04aa50148d60bd1f7", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "ae56d9a017724f130cf1a263dd82a78d2a6e3852", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "12a88f572d6d94b5c0b72e2d1782cc2e96ac06cf", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "cfe4c1b25dd6d2f056afc00b7c98bcb3dd0b1fc3", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/udf/truncate.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "4.9.*", status: "unaffected", version: "4.9.337", versionType: "semver", }, { lessThanOrEqual: "4.14.*", status: "unaffected", version: "4.14.303", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.270", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.229", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.161", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.85", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.15", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.1", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.2", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nudf: Fix preallocation discarding at indirect extent boundary\n\nWhen preallocation extent is the first one in the extent block, the\ncode would corrupt extent tree header instead. Fix the problem and use\nudf_delete_aext() for deleting extent to avoid some code duplication.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:11:02.332Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/c8b6fa4511a7900db9fb0353b630d4d2ed1ba99c", }, { url: "https://git.kernel.org/stable/c/7665857f88557c372da35534165721156756f77f", }, { url: "https://git.kernel.org/stable/c/72f651c96c8aadf087fd782d551bf7db648a8c2e", }, { url: "https://git.kernel.org/stable/c/4d835efd561dfb9bf5409f11f4ecd428d5d29226", }, { url: "https://git.kernel.org/stable/c/1a075f4a549481ce6e8518d8379f193ccec6b746", }, { url: "https://git.kernel.org/stable/c/63dbbd8f1499b0a161e701a04aa50148d60bd1f7", }, { url: "https://git.kernel.org/stable/c/ae56d9a017724f130cf1a263dd82a78d2a6e3852", }, { url: "https://git.kernel.org/stable/c/12a88f572d6d94b5c0b72e2d1782cc2e96ac06cf", }, { url: "https://git.kernel.org/stable/c/cfe4c1b25dd6d2f056afc00b7c98bcb3dd0b1fc3", }, ], title: "udf: Fix preallocation discarding at indirect extent boundary", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48946", datePublished: "2024-10-21T20:05:35.818Z", dateReserved: "2024-08-22T01:27:53.624Z", dateUpdated: "2024-12-19T08:11:02.332Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49953
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-19 09:30
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: Fix crash caused by calling __xfrm_state_delete() twice
The km.state is not checked in driver's delayed work. When
xfrm_state_check_expire() is called, the state can be reset to
XFRM_STATE_EXPIRED, even if it is XFRM_STATE_DEAD already. This
happens when xfrm state is deleted, but not freed yet. As
__xfrm_state_delete() is called again in xfrm timer, the following
crash occurs.
To fix this issue, skip xfrm_state_check_expire() if km.state is not
XFRM_STATE_VALID.
Oops: general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] SMP
CPU: 5 UID: 0 PID: 7448 Comm: kworker/u102:2 Not tainted 6.11.0-rc2+ #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
Workqueue: mlx5e_ipsec: eth%d mlx5e_ipsec_handle_sw_limits [mlx5_core]
RIP: 0010:__xfrm_state_delete+0x3d/0x1b0
Code: 0f 84 8b 01 00 00 48 89 fd c6 87 c8 00 00 00 05 48 8d bb 40 10 00 00 e8 11 04 1a 00 48 8b 95 b8 00 00 00 48 8b 85 c0 00 00 00 <48> 89 42 08 48 89 10 48 8b 55 10 48 b8 00 01 00 00 00 00 ad de 48
RSP: 0018:ffff88885f945ec8 EFLAGS: 00010246
RAX: dead000000000122 RBX: ffffffff82afa940 RCX: 0000000000000036
RDX: dead000000000100 RSI: 0000000000000000 RDI: ffffffff82afb980
RBP: ffff888109a20340 R08: ffff88885f945ea0 R09: 0000000000000000
R10: 0000000000000000 R11: ffff88885f945ff8 R12: 0000000000000246
R13: ffff888109a20340 R14: ffff88885f95f420 R15: ffff88885f95f400
FS: 0000000000000000(0000) GS:ffff88885f940000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2163102430 CR3: 00000001128d6001 CR4: 0000000000370eb0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
? die_addr+0x33/0x90
? exc_general_protection+0x1a2/0x390
? asm_exc_general_protection+0x22/0x30
? __xfrm_state_delete+0x3d/0x1b0
? __xfrm_state_delete+0x2f/0x1b0
xfrm_timer_handler+0x174/0x350
? __xfrm_state_delete+0x1b0/0x1b0
__hrtimer_run_queues+0x121/0x270
hrtimer_run_softirq+0x88/0xd0
handle_softirqs+0xcc/0x270
do_softirq+0x3c/0x50
</IRQ>
<TASK>
__local_bh_enable_ip+0x47/0x50
mlx5e_ipsec_handle_sw_limits+0x7d/0x90 [mlx5_core]
process_one_work+0x137/0x2d0
worker_thread+0x28d/0x3a0
? rescuer_thread+0x480/0x480
kthread+0xb8/0xe0
? kthread_park+0x80/0x80
ret_from_fork+0x2d/0x50
? kthread_park+0x80/0x80
ret_from_fork_asm+0x11/0x20
</TASK>
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49953", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:36:07.266917Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:48.825Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "fab615ac9fcb8589222303099975d464d8857527", status: "affected", version: "b2f7b01d36a9b94fbd7489bd1228025ea7e7a2f4", versionType: "git", }, { lessThan: "0b1672834634df9ac9cedf856db9fc36d92c50ef", status: "affected", version: "b2f7b01d36a9b94fbd7489bd1228025ea7e7a2f4", versionType: "git", }, { lessThan: "151e7dead1f5399a73c19c4b50307ea48aff1dc0", status: "affected", version: "b2f7b01d36a9b94fbd7489bd1228025ea7e7a2f4", versionType: "git", }, { lessThan: "7b124695db40d5c9c5295a94ae928a8d67a01c3d", status: "affected", version: "b2f7b01d36a9b94fbd7489bd1228025ea7e7a2f4", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.4", }, { lessThan: "6.4", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix crash caused by calling __xfrm_state_delete() twice\n\nThe km.state is not checked in driver's delayed work. When\nxfrm_state_check_expire() is called, the state can be reset to\nXFRM_STATE_EXPIRED, even if it is XFRM_STATE_DEAD already. This\nhappens when xfrm state is deleted, but not freed yet. As\n__xfrm_state_delete() is called again in xfrm timer, the following\ncrash occurs.\n\nTo fix this issue, skip xfrm_state_check_expire() if km.state is not\nXFRM_STATE_VALID.\n\n Oops: general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] SMP\n CPU: 5 UID: 0 PID: 7448 Comm: kworker/u102:2 Not tainted 6.11.0-rc2+ #1\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n Workqueue: mlx5e_ipsec: eth%d mlx5e_ipsec_handle_sw_limits [mlx5_core]\n RIP: 0010:__xfrm_state_delete+0x3d/0x1b0\n Code: 0f 84 8b 01 00 00 48 89 fd c6 87 c8 00 00 00 05 48 8d bb 40 10 00 00 e8 11 04 1a 00 48 8b 95 b8 00 00 00 48 8b 85 c0 00 00 00 <48> 89 42 08 48 89 10 48 8b 55 10 48 b8 00 01 00 00 00 00 ad de 48\n RSP: 0018:ffff88885f945ec8 EFLAGS: 00010246\n RAX: dead000000000122 RBX: ffffffff82afa940 RCX: 0000000000000036\n RDX: dead000000000100 RSI: 0000000000000000 RDI: ffffffff82afb980\n RBP: ffff888109a20340 R08: ffff88885f945ea0 R09: 0000000000000000\n R10: 0000000000000000 R11: ffff88885f945ff8 R12: 0000000000000246\n R13: ffff888109a20340 R14: ffff88885f95f420 R15: ffff88885f95f400\n FS: 0000000000000000(0000) GS:ffff88885f940000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f2163102430 CR3: 00000001128d6001 CR4: 0000000000370eb0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n <IRQ>\n ? die_addr+0x33/0x90\n ? exc_general_protection+0x1a2/0x390\n ? asm_exc_general_protection+0x22/0x30\n ? __xfrm_state_delete+0x3d/0x1b0\n ? __xfrm_state_delete+0x2f/0x1b0\n xfrm_timer_handler+0x174/0x350\n ? __xfrm_state_delete+0x1b0/0x1b0\n __hrtimer_run_queues+0x121/0x270\n hrtimer_run_softirq+0x88/0xd0\n handle_softirqs+0xcc/0x270\n do_softirq+0x3c/0x50\n </IRQ>\n <TASK>\n __local_bh_enable_ip+0x47/0x50\n mlx5e_ipsec_handle_sw_limits+0x7d/0x90 [mlx5_core]\n process_one_work+0x137/0x2d0\n worker_thread+0x28d/0x3a0\n ? rescuer_thread+0x480/0x480\n kthread+0xb8/0xe0\n ? kthread_park+0x80/0x80\n ret_from_fork+0x2d/0x50\n ? kthread_park+0x80/0x80\n ret_from_fork_asm+0x11/0x20\n </TASK>", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:30:03.644Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/fab615ac9fcb8589222303099975d464d8857527", }, { url: "https://git.kernel.org/stable/c/0b1672834634df9ac9cedf856db9fc36d92c50ef", }, { url: "https://git.kernel.org/stable/c/151e7dead1f5399a73c19c4b50307ea48aff1dc0", }, { url: "https://git.kernel.org/stable/c/7b124695db40d5c9c5295a94ae928a8d67a01c3d", }, ], title: "net/mlx5e: Fix crash caused by calling __xfrm_state_delete() twice", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49953", datePublished: "2024-10-21T18:02:08.381Z", dateReserved: "2024-10-21T12:17:06.047Z", dateUpdated: "2024-12-19T09:30:03.644Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49976
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-19 09:30
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tracing/timerlat: Drop interface_lock in stop_kthread()
stop_kthread() is the offline callback for "trace/osnoise:online", since
commit 5bfbcd1ee57b ("tracing/timerlat: Add interface_lock around clearing
of kthread in stop_kthread()"), the following ABBA deadlock scenario is
introduced:
T1 | T2 [BP] | T3 [AP]
osnoise_hotplug_workfn() | work_for_cpu_fn() | cpuhp_thread_fun()
| _cpu_down() | osnoise_cpu_die()
mutex_lock(&interface_lock) | | stop_kthread()
| cpus_write_lock() | mutex_lock(&interface_lock)
cpus_read_lock() | cpuhp_kick_ap() |
As the interface_lock here in just for protecting the "kthread" field of
the osn_var, use xchg() instead to fix this issue. Also use
for_each_online_cpu() back in stop_per_cpu_kthreads() as it can take
cpu_read_lock() again.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49976", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:33:08.568915Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:45.341Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "kernel/trace/trace_osnoise.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "a4a05ceffe8fad68b45de38fe2311bda619e76e2", status: "affected", version: "b4fdabffae14cca2c80d99bd81f3f27239ac7f5e", versionType: "git", }, { lessThan: "09cb44cc3d3df7ade2cebc939d6257a2fa8afc7a", status: "affected", version: "4679272d5252720746fd9c5465352cbc5665f230", versionType: "git", }, { lessThan: "db8571a9a098086608c11a15856ff585789e67e8", status: "affected", version: "5bfbcd1ee57b607fd29e4645c7f350dd385dd9ad", versionType: "git", }, { lessThan: "b484a02c9cedf8703eff8f0756f94618004bd165", status: "affected", version: "5bfbcd1ee57b607fd29e4645c7f350dd385dd9ad", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "kernel/trace/trace_osnoise.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.11", }, { lessThan: "6.11", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/timerlat: Drop interface_lock in stop_kthread()\n\nstop_kthread() is the offline callback for \"trace/osnoise:online\", since\ncommit 5bfbcd1ee57b (\"tracing/timerlat: Add interface_lock around clearing\nof kthread in stop_kthread()\"), the following ABBA deadlock scenario is\nintroduced:\n\nT1 | T2 [BP] | T3 [AP]\nosnoise_hotplug_workfn() | work_for_cpu_fn() | cpuhp_thread_fun()\n | _cpu_down() | osnoise_cpu_die()\n mutex_lock(&interface_lock) | | stop_kthread()\n | cpus_write_lock() | mutex_lock(&interface_lock)\n cpus_read_lock() | cpuhp_kick_ap() |\n\nAs the interface_lock here in just for protecting the \"kthread\" field of\nthe osn_var, use xchg() instead to fix this issue. Also use\nfor_each_online_cpu() back in stop_per_cpu_kthreads() as it can take\ncpu_read_lock() again.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:30:31.917Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/a4a05ceffe8fad68b45de38fe2311bda619e76e2", }, { url: "https://git.kernel.org/stable/c/09cb44cc3d3df7ade2cebc939d6257a2fa8afc7a", }, { url: "https://git.kernel.org/stable/c/db8571a9a098086608c11a15856ff585789e67e8", }, { url: "https://git.kernel.org/stable/c/b484a02c9cedf8703eff8f0756f94618004bd165", }, ], title: "tracing/timerlat: Drop interface_lock in stop_kthread()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49976", datePublished: "2024-10-21T18:02:23.774Z", dateReserved: "2024-10-21T12:17:06.052Z", dateUpdated: "2024-12-19T09:30:31.917Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49917
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:29
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Add NULL check for clk_mgr and clk_mgr->funcs in dcn30_init_hw
This commit addresses a potential null pointer dereference issue in the
`dcn30_init_hw` function. The issue could occur when `dc->clk_mgr` or
`dc->clk_mgr->funcs` is null.
The fix adds a check to ensure `dc->clk_mgr` and `dc->clk_mgr->funcs` is
not null before accessing its functions. This prevents a potential null
pointer dereference.
Reported by smatch:
drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:789 dcn30_init_hw() error: we previously assumed 'dc->clk_mgr' could be null (see line 628)
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49917", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:40:51.944829Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:45.284Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/hwss/dcn30/dcn30_hwseq.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "23cb6139543580dc36743586ca86fbb3f7ab2c9d", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "205e3b96cc9aa9211fd2c849a16245cf236b2d36", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "5443c83eb8fd2f88c71ced38848fbf744d6206a2", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "56c326577971adc3a230f29dfd3aa3abdd505f5d", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "cba7fec864172dadd953daefdd26e01742b71a6a", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/hwss/dcn30/dcn30_hwseq.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.120", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.64", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add NULL check for clk_mgr and clk_mgr->funcs in dcn30_init_hw\n\nThis commit addresses a potential null pointer dereference issue in the\n`dcn30_init_hw` function. The issue could occur when `dc->clk_mgr` or\n`dc->clk_mgr->funcs` is null.\n\nThe fix adds a check to ensure `dc->clk_mgr` and `dc->clk_mgr->funcs` is\nnot null before accessing its functions. This prevents a potential null\npointer dereference.\n\nReported by smatch:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:789 dcn30_init_hw() error: we previously assumed 'dc->clk_mgr' could be null (see line 628)", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:29:00.358Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/23cb6139543580dc36743586ca86fbb3f7ab2c9d", }, { url: "https://git.kernel.org/stable/c/205e3b96cc9aa9211fd2c849a16245cf236b2d36", }, { url: "https://git.kernel.org/stable/c/5443c83eb8fd2f88c71ced38848fbf744d6206a2", }, { url: "https://git.kernel.org/stable/c/56c326577971adc3a230f29dfd3aa3abdd505f5d", }, { url: "https://git.kernel.org/stable/c/cba7fec864172dadd953daefdd26e01742b71a6a", }, ], title: "drm/amd/display: Add NULL check for clk_mgr and clk_mgr->funcs in dcn30_init_hw", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49917", datePublished: "2024-10-21T18:01:44.295Z", dateReserved: "2024-10-21T12:17:06.033Z", dateUpdated: "2024-12-19T09:29:00.358Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48947
Vulnerability from cvelistv5
Published
2024-10-21 20:05
Modified
2024-12-19 08:11
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: Fix u8 overflow
By keep sending L2CAP_CONF_REQ packets, chan->num_conf_rsp increases
multiple times and eventually it will wrap around the maximum number
(i.e., 255).
This patch prevents this by adding a boundary check with
L2CAP_MAX_CONF_RSP
Btmon log:
Bluetooth monitor ver 5.64
= Note: Linux version 6.1.0-rc2 (x86_64) 0.264594
= Note: Bluetooth subsystem version 2.22 0.264636
@ MGMT Open: btmon (privileged) version 1.22 {0x0001} 0.272191
= New Index: 00:00:00:00:00:00 (Primary,Virtual,hci0) [hci0] 13.877604
@ RAW Open: 9496 (privileged) version 2.22 {0x0002} 13.890741
= Open Index: 00:00:00:00:00:00 [hci0] 13.900426
(...)
> ACL Data RX: Handle 200 flags 0x00 dlen 1033 #32 [hci0] 14.273106
invalid packet size (12 != 1033)
08 00 01 00 02 01 04 00 01 10 ff ff ............
> ACL Data RX: Handle 200 flags 0x00 dlen 1547 #33 [hci0] 14.273561
invalid packet size (14 != 1547)
0a 00 01 00 04 01 06 00 40 00 00 00 00 00 ........@.....
> ACL Data RX: Handle 200 flags 0x00 dlen 2061 #34 [hci0] 14.274390
invalid packet size (16 != 2061)
0c 00 01 00 04 01 08 00 40 00 00 00 00 00 00 04 ........@.......
> ACL Data RX: Handle 200 flags 0x00 dlen 2061 #35 [hci0] 14.274932
invalid packet size (16 != 2061)
0c 00 01 00 04 01 08 00 40 00 00 00 07 00 03 00 ........@.......
= bluetoothd: Bluetooth daemon 5.43 14.401828
> ACL Data RX: Handle 200 flags 0x00 dlen 1033 #36 [hci0] 14.275753
invalid packet size (12 != 1033)
08 00 01 00 04 01 04 00 40 00 00 00 ........@...
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48947", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:22:07.757358Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:41.276Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/bluetooth/l2cap_core.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "49d5867819ab7c744852b45509e8469839c07e0e", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "95f1847a361c7b4bf7d74c06ecb6968455082c1a", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "ad528fde0702903208d0a79d88d5a42ae3fc235b", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "9fdc79b571434af7bc742da40a3405f038b637a7", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "f3fe6817156a2ad4b06f01afab04638a34d7c9a6", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "19a78143961a197de8502f4f29c453b913dc3c29", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "5550bbf709c323194881737fd290c4bada9e6ead", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "bcd70260ef56e0aee8a4fc6cd214a419900b0765", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/bluetooth/l2cap_core.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "4.9.*", status: "unaffected", version: "4.9.337", versionType: "semver", }, { lessThanOrEqual: "4.14.*", status: "unaffected", version: "4.14.303", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.270", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.229", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.161", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.85", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.15", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix u8 overflow\n\nBy keep sending L2CAP_CONF_REQ packets, chan->num_conf_rsp increases\nmultiple times and eventually it will wrap around the maximum number\n(i.e., 255).\nThis patch prevents this by adding a boundary check with\nL2CAP_MAX_CONF_RSP\n\nBtmon log:\nBluetooth monitor ver 5.64\n= Note: Linux version 6.1.0-rc2 (x86_64) 0.264594\n= Note: Bluetooth subsystem version 2.22 0.264636\n@ MGMT Open: btmon (privileged) version 1.22 {0x0001} 0.272191\n= New Index: 00:00:00:00:00:00 (Primary,Virtual,hci0) [hci0] 13.877604\n@ RAW Open: 9496 (privileged) version 2.22 {0x0002} 13.890741\n= Open Index: 00:00:00:00:00:00 [hci0] 13.900426\n(...)\n> ACL Data RX: Handle 200 flags 0x00 dlen 1033 #32 [hci0] 14.273106\n invalid packet size (12 != 1033)\n 08 00 01 00 02 01 04 00 01 10 ff ff ............\n> ACL Data RX: Handle 200 flags 0x00 dlen 1547 #33 [hci0] 14.273561\n invalid packet size (14 != 1547)\n 0a 00 01 00 04 01 06 00 40 00 00 00 00 00 ........@.....\n> ACL Data RX: Handle 200 flags 0x00 dlen 2061 #34 [hci0] 14.274390\n invalid packet size (16 != 2061)\n 0c 00 01 00 04 01 08 00 40 00 00 00 00 00 00 04 ........@.......\n> ACL Data RX: Handle 200 flags 0x00 dlen 2061 #35 [hci0] 14.274932\n invalid packet size (16 != 2061)\n 0c 00 01 00 04 01 08 00 40 00 00 00 07 00 03 00 ........@.......\n= bluetoothd: Bluetooth daemon 5.43 14.401828\n> ACL Data RX: Handle 200 flags 0x00 dlen 1033 #36 [hci0] 14.275753\n invalid packet size (12 != 1033)\n 08 00 01 00 04 01 04 00 40 00 00 00 ........@...", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:11:03.504Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/49d5867819ab7c744852b45509e8469839c07e0e", }, { url: "https://git.kernel.org/stable/c/95f1847a361c7b4bf7d74c06ecb6968455082c1a", }, { url: "https://git.kernel.org/stable/c/ad528fde0702903208d0a79d88d5a42ae3fc235b", }, { url: "https://git.kernel.org/stable/c/9fdc79b571434af7bc742da40a3405f038b637a7", }, { url: "https://git.kernel.org/stable/c/f3fe6817156a2ad4b06f01afab04638a34d7c9a6", }, { url: "https://git.kernel.org/stable/c/19a78143961a197de8502f4f29c453b913dc3c29", }, { url: "https://git.kernel.org/stable/c/5550bbf709c323194881737fd290c4bada9e6ead", }, { url: "https://git.kernel.org/stable/c/bcd70260ef56e0aee8a4fc6cd214a419900b0765", }, ], title: "Bluetooth: L2CAP: Fix u8 overflow", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48947", datePublished: "2024-10-21T20:05:36.491Z", dateReserved: "2024-08-22T01:27:53.624Z", dateUpdated: "2024-12-19T08:11:03.504Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48985
Vulnerability from cvelistv5
Published
2024-10-21 20:06
Modified
2024-12-19 08:11
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: mana: Fix race on per-CQ variable napi work_done
After calling napi_complete_done(), the NAPIF_STATE_SCHED bit may be
cleared, and another CPU can start napi thread and access per-CQ variable,
cq->work_done. If the other thread (for example, from busy_poll) sets
it to a value >= budget, this thread will continue to run when it should
stop, and cause memory corruption and panic.
To fix this issue, save the per-CQ work_done variable in a local variable
before napi_complete_done(), so it won't be corrupted by a possible
concurrent thread after napi_complete_done().
Also, add a flag bit to advertise to the NIC firmware: the NAPI work_done
variable race is fixed, so the driver is able to reliably support features
like busy_poll.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48985", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:17:20.394145Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:43.146Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/ethernet/microsoft/mana/gdma.h", "drivers/net/ethernet/microsoft/mana/mana_en.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "fe50a9bbeb1f042e756c5cfa7708112c944368de", status: "affected", version: "e1b5683ff62e7b328317aec08869495992053e9d", versionType: "git", }, { lessThan: "6740d8572ccd1bca50d8a1ca2bedc333f50ed5f3", status: "affected", version: "e1b5683ff62e7b328317aec08869495992053e9d", versionType: "git", }, { lessThan: "18010ff776fa42340efc428b3ea6d19b3e7c7b21", status: "affected", version: "e1b5683ff62e7b328317aec08869495992053e9d", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/ethernet/microsoft/mana/gdma.h", "drivers/net/ethernet/microsoft/mana/mana_en.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.15", }, { lessThan: "5.15", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.83", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.13", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mana: Fix race on per-CQ variable napi work_done\n\nAfter calling napi_complete_done(), the NAPIF_STATE_SCHED bit may be\ncleared, and another CPU can start napi thread and access per-CQ variable,\ncq->work_done. If the other thread (for example, from busy_poll) sets\nit to a value >= budget, this thread will continue to run when it should\nstop, and cause memory corruption and panic.\n\nTo fix this issue, save the per-CQ work_done variable in a local variable\nbefore napi_complete_done(), so it won't be corrupted by a possible\nconcurrent thread after napi_complete_done().\n\nAlso, add a flag bit to advertise to the NIC firmware: the NAPI work_done\nvariable race is fixed, so the driver is able to reliably support features\nlike busy_poll.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:11:55.577Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/fe50a9bbeb1f042e756c5cfa7708112c944368de", }, { url: "https://git.kernel.org/stable/c/6740d8572ccd1bca50d8a1ca2bedc333f50ed5f3", }, { url: "https://git.kernel.org/stable/c/18010ff776fa42340efc428b3ea6d19b3e7c7b21", }, ], title: "net: mana: Fix race on per-CQ variable napi work_done", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48985", datePublished: "2024-10-21T20:06:01.802Z", dateReserved: "2024-08-22T01:27:53.633Z", dateUpdated: "2024-12-19T08:11:55.577Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-49005
Vulnerability from cvelistv5
Published
2024-10-21 20:06
Modified
2024-12-19 08:12
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: ops: Fix bounds check for _sx controls
For _sx controls the semantics of the max field is not the usual one, max
is the number of steps rather than the maximum value. This means that our
check in snd_soc_put_volsw_sx() needs to just check against the maximum
value.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 9e5c40b5706d8aae2cf70bd7e01f0b4575a642d0 Version: 4977491e4b3aad8567f57e2a9992d251410c1db3 Version: 9a12fcbf3c622f9bf6b110a873d62b0cba93972e Version: c33402b056de61104b6146dedbe138ca8d7ec62b Version: 038f8b7caa74d29e020949a43ca368c93f6b29b9 Version: e8e07c5e25a29e2a6f119fd947f55d7a55eb8a13 Version: 4f1e50d6a9cf9c1b8c859d449b5031cacfa8404e Version: 4f1e50d6a9cf9c1b8c859d449b5031cacfa8404e |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-49005", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:14:37.897186Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:39.966Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "sound/soc/soc-ops.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "e46adadf19248d59af3aa6bc52e09115bf479bf7", status: "affected", version: "9e5c40b5706d8aae2cf70bd7e01f0b4575a642d0", versionType: "git", }, { lessThan: "4a95a49f26308782b4056401989ecd7768fda8fa", status: "affected", version: "4977491e4b3aad8567f57e2a9992d251410c1db3", versionType: "git", }, { lessThan: "46bab25cc0230df60d1c02b651cc5640a14b08df", status: "affected", version: "9a12fcbf3c622f9bf6b110a873d62b0cba93972e", versionType: "git", }, { lessThan: "73dce3c1d48c4662bdf3ccbde1492c2cb4bfd8ce", status: "affected", version: "c33402b056de61104b6146dedbe138ca8d7ec62b", versionType: "git", }, { lessThan: "b50c9641897274c3faef5f95ac852f54b94be2e8", status: "affected", version: "038f8b7caa74d29e020949a43ca368c93f6b29b9", versionType: "git", }, { lessThan: "98b15c706644bebc19d2e77ccc360cc51444f6d0", status: "affected", version: "e8e07c5e25a29e2a6f119fd947f55d7a55eb8a13", versionType: "git", }, { lessThan: "325d94d16e3131b54bdf07356e4cd855e0d853fc", status: "affected", version: "4f1e50d6a9cf9c1b8c859d449b5031cacfa8404e", versionType: "git", }, { lessThan: "698813ba8c580efb356ace8dbf55f61dac6063a8", status: "affected", version: "4f1e50d6a9cf9c1b8c859d449b5031cacfa8404e", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "sound/soc/soc-ops.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.17", }, { lessThan: "5.17", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.9.*", status: "unaffected", version: "4.9.335", versionType: "semver", }, { lessThanOrEqual: "4.14.*", status: "unaffected", version: "4.14.301", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.268", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.226", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.158", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.82", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.12", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: ops: Fix bounds check for _sx controls\n\nFor _sx controls the semantics of the max field is not the usual one, max\nis the number of steps rather than the maximum value. This means that our\ncheck in snd_soc_put_volsw_sx() needs to just check against the maximum\nvalue.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:12:17.561Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/e46adadf19248d59af3aa6bc52e09115bf479bf7", }, { url: "https://git.kernel.org/stable/c/4a95a49f26308782b4056401989ecd7768fda8fa", }, { url: "https://git.kernel.org/stable/c/46bab25cc0230df60d1c02b651cc5640a14b08df", }, { url: "https://git.kernel.org/stable/c/73dce3c1d48c4662bdf3ccbde1492c2cb4bfd8ce", }, { url: "https://git.kernel.org/stable/c/b50c9641897274c3faef5f95ac852f54b94be2e8", }, { url: "https://git.kernel.org/stable/c/98b15c706644bebc19d2e77ccc360cc51444f6d0", }, { url: "https://git.kernel.org/stable/c/325d94d16e3131b54bdf07356e4cd855e0d853fc", }, { url: "https://git.kernel.org/stable/c/698813ba8c580efb356ace8dbf55f61dac6063a8", }, ], title: "ASoC: ops: Fix bounds check for _sx controls", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-49005", datePublished: "2024-10-21T20:06:18.143Z", dateReserved: "2024-08-22T01:27:53.643Z", dateUpdated: "2024-12-19T08:12:17.561Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50020
Vulnerability from cvelistv5
Published
2024-10-21 19:39
Modified
2024-12-19 09:31
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ice: Fix improper handling of refcount in ice_sriov_set_msix_vec_count()
This patch addresses an issue with improper reference count handling in the
ice_sriov_set_msix_vec_count() function.
First, the function calls ice_get_vf_by_id(), which increments the
reference count of the vf pointer. If the subsequent call to
ice_get_vf_vsi() fails, the function currently returns an error without
decrementing the reference count of the vf pointer, leading to a reference
count leak. The correct behavior, as implemented in this patch, is to
decrement the reference count using ice_put_vf(vf) before returning an
error when vsi is NULL.
Second, the function calls ice_sriov_get_irqs(), which sets
vf->first_vector_idx. If this call returns a negative value, indicating an
error, the function returns an error without decrementing the reference
count of the vf pointer, resulting in another reference count leak. The
patch addresses this by adding a call to ice_put_vf(vf) before returning
an error when vf->first_vector_idx < 0.
This bug was identified by an experimental static analysis tool developed
by our team. The tool specializes in analyzing reference count operations
and identifying potential mismanagement of reference counts. In this case,
the tool flagged the missing decrement operation as a potential issue,
leading to this patch.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50020", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:27:30.418652Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:47.408Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/ethernet/intel/ice/ice_sriov.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "416dbb815ca69684de148328990ba0ec53e6dbc1", status: "affected", version: "4d38cb44bd321c81da3457cfbc38501ed8cb6714", versionType: "git", }, { lessThan: "d517cf89874c6039e6294b18d66f40988e62502a", status: "affected", version: "4d38cb44bd321c81da3457cfbc38501ed8cb6714", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/ethernet/intel/ice/ice_sriov.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.7", }, { lessThan: "6.7", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.4", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Fix improper handling of refcount in ice_sriov_set_msix_vec_count()\n\nThis patch addresses an issue with improper reference count handling in the\nice_sriov_set_msix_vec_count() function.\n\nFirst, the function calls ice_get_vf_by_id(), which increments the\nreference count of the vf pointer. If the subsequent call to\nice_get_vf_vsi() fails, the function currently returns an error without\ndecrementing the reference count of the vf pointer, leading to a reference\ncount leak. The correct behavior, as implemented in this patch, is to\ndecrement the reference count using ice_put_vf(vf) before returning an\nerror when vsi is NULL.\n\nSecond, the function calls ice_sriov_get_irqs(), which sets\nvf->first_vector_idx. If this call returns a negative value, indicating an\nerror, the function returns an error without decrementing the reference\ncount of the vf pointer, resulting in another reference count leak. The\npatch addresses this by adding a call to ice_put_vf(vf) before returning\nan error when vf->first_vector_idx < 0.\n\nThis bug was identified by an experimental static analysis tool developed\nby our team. The tool specializes in analyzing reference count operations\nand identifying potential mismanagement of reference counts. In this case,\nthe tool flagged the missing decrement operation as a potential issue,\nleading to this patch.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:31:29.905Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/416dbb815ca69684de148328990ba0ec53e6dbc1", }, { url: "https://git.kernel.org/stable/c/d517cf89874c6039e6294b18d66f40988e62502a", }, ], title: "ice: Fix improper handling of refcount in ice_sriov_set_msix_vec_count()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50020", datePublished: "2024-10-21T19:39:26.555Z", dateReserved: "2024-10-21T12:17:06.064Z", dateUpdated: "2024-12-19T09:31:29.905Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49882
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:28
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix double brelse() the buffer of the extents path
In ext4_ext_try_to_merge_up(), set path[1].p_bh to NULL after it has been
released, otherwise it may be released twice. An example of what triggers
this is as follows:
split2 map split1
|--------|-------|--------|
ext4_ext_map_blocks
ext4_ext_handle_unwritten_extents
ext4_split_convert_extents
// path->p_depth == 0
ext4_split_extent
// 1. do split1
ext4_split_extent_at
|ext4_ext_insert_extent
| ext4_ext_create_new_leaf
| ext4_ext_grow_indepth
| le16_add_cpu(&neh->eh_depth, 1)
| ext4_find_extent
| // return -ENOMEM
|// get error and try zeroout
|path = ext4_find_extent
| path->p_depth = 1
|ext4_ext_try_to_merge
| ext4_ext_try_to_merge_up
| path->p_depth = 0
| brelse(path[1].p_bh) ---> not set to NULL here
|// zeroout success
// 2. update path
ext4_find_extent
// 3. do split2
ext4_split_extent_at
ext4_ext_insert_extent
ext4_ext_create_new_leaf
ext4_ext_grow_indepth
le16_add_cpu(&neh->eh_depth, 1)
ext4_find_extent
path[0].p_bh = NULL;
path->p_depth = 1
read_extent_tree_block ---> return err
// path[1].p_bh is still the old value
ext4_free_ext_path
ext4_ext_drop_refs
// path->p_depth == 1
brelse(path[1].p_bh) ---> brelse a buffer twice
Finally got the following WARRNING when removing the buffer from lru:
============================================
VFS: brelse: Trying to free free buffer
WARNING: CPU: 2 PID: 72 at fs/buffer.c:1241 __brelse+0x58/0x90
CPU: 2 PID: 72 Comm: kworker/u19:1 Not tainted 6.9.0-dirty #716
RIP: 0010:__brelse+0x58/0x90
Call Trace:
<TASK>
__find_get_block+0x6e7/0x810
bdev_getblk+0x2b/0x480
__ext4_get_inode_loc+0x48a/0x1240
ext4_get_inode_loc+0xb2/0x150
ext4_reserve_inode_write+0xb7/0x230
__ext4_mark_inode_dirty+0x144/0x6a0
ext4_ext_insert_extent+0x9c8/0x3230
ext4_ext_map_blocks+0xf45/0x2dc0
ext4_map_blocks+0x724/0x1700
ext4_do_writepages+0x12d6/0x2a70
[...]
============================================
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: ecb94f5fdf4b72547fca022421a9dca1672bddd4 Version: ecb94f5fdf4b72547fca022421a9dca1672bddd4 Version: ecb94f5fdf4b72547fca022421a9dca1672bddd4 Version: ecb94f5fdf4b72547fca022421a9dca1672bddd4 Version: ecb94f5fdf4b72547fca022421a9dca1672bddd4 Version: ecb94f5fdf4b72547fca022421a9dca1672bddd4 Version: ecb94f5fdf4b72547fca022421a9dca1672bddd4 Version: ecb94f5fdf4b72547fca022421a9dca1672bddd4 Version: ecb94f5fdf4b72547fca022421a9dca1672bddd4 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49882", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:45:30.617937Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:50.395Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/ext4/extents.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "d4574bda63906bf69660e001470bfe1a0ac524ae", status: "affected", version: "ecb94f5fdf4b72547fca022421a9dca1672bddd4", versionType: "git", }, { lessThan: "f9fd47c9d9548f9e47fa60098eab99dde175401d", status: "affected", version: "ecb94f5fdf4b72547fca022421a9dca1672bddd4", versionType: "git", }, { lessThan: "b6c29c8f3d7cb67b505f3b2f6c242d52298d1f2e", status: "affected", version: "ecb94f5fdf4b72547fca022421a9dca1672bddd4", versionType: "git", }, { lessThan: "32bbb59e3f18facd7201bef110010bf35819b8c3", status: "affected", version: "ecb94f5fdf4b72547fca022421a9dca1672bddd4", versionType: "git", }, { lessThan: "78bbc3d15b6f443acb26e94418c445bac940d414", status: "affected", version: "ecb94f5fdf4b72547fca022421a9dca1672bddd4", versionType: "git", }, { lessThan: "68a69cf60660c73990c1875f94a5551600b04775", status: "affected", version: "ecb94f5fdf4b72547fca022421a9dca1672bddd4", versionType: "git", }, { lessThan: "7633407ca4ab8be2916ab214eb44ccebc6a50e1a", status: "affected", version: "ecb94f5fdf4b72547fca022421a9dca1672bddd4", versionType: "git", }, { lessThan: "230ee0535d01478bad9a3037292043f39b9be10b", status: "affected", version: "ecb94f5fdf4b72547fca022421a9dca1672bddd4", versionType: "git", }, { lessThan: "dcaa6c31134c0f515600111c38ed7750003e1b9c", status: "affected", version: "ecb94f5fdf4b72547fca022421a9dca1672bddd4", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/ext4/extents.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "3.7", }, { lessThan: "3.7", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix double brelse() the buffer of the extents path\n\nIn ext4_ext_try_to_merge_up(), set path[1].p_bh to NULL after it has been\nreleased, otherwise it may be released twice. An example of what triggers\nthis is as follows:\n\n split2 map split1\n|--------|-------|--------|\n\next4_ext_map_blocks\n ext4_ext_handle_unwritten_extents\n ext4_split_convert_extents\n // path->p_depth == 0\n ext4_split_extent\n // 1. do split1\n ext4_split_extent_at\n |ext4_ext_insert_extent\n | ext4_ext_create_new_leaf\n | ext4_ext_grow_indepth\n | le16_add_cpu(&neh->eh_depth, 1)\n | ext4_find_extent\n | // return -ENOMEM\n |// get error and try zeroout\n |path = ext4_find_extent\n | path->p_depth = 1\n |ext4_ext_try_to_merge\n | ext4_ext_try_to_merge_up\n | path->p_depth = 0\n | brelse(path[1].p_bh) ---> not set to NULL here\n |// zeroout success\n // 2. update path\n ext4_find_extent\n // 3. do split2\n ext4_split_extent_at\n ext4_ext_insert_extent\n ext4_ext_create_new_leaf\n ext4_ext_grow_indepth\n le16_add_cpu(&neh->eh_depth, 1)\n ext4_find_extent\n path[0].p_bh = NULL;\n path->p_depth = 1\n read_extent_tree_block ---> return err\n // path[1].p_bh is still the old value\n ext4_free_ext_path\n ext4_ext_drop_refs\n // path->p_depth == 1\n brelse(path[1].p_bh) ---> brelse a buffer twice\n\nFinally got the following WARRNING when removing the buffer from lru:\n\n============================================\nVFS: brelse: Trying to free free buffer\nWARNING: CPU: 2 PID: 72 at fs/buffer.c:1241 __brelse+0x58/0x90\nCPU: 2 PID: 72 Comm: kworker/u19:1 Not tainted 6.9.0-dirty #716\nRIP: 0010:__brelse+0x58/0x90\nCall Trace:\n <TASK>\n __find_get_block+0x6e7/0x810\n bdev_getblk+0x2b/0x480\n __ext4_get_inode_loc+0x48a/0x1240\n ext4_get_inode_loc+0xb2/0x150\n ext4_reserve_inode_write+0xb7/0x230\n __ext4_mark_inode_dirty+0x144/0x6a0\n ext4_ext_insert_extent+0x9c8/0x3230\n ext4_ext_map_blocks+0xf45/0x2dc0\n ext4_map_blocks+0x724/0x1700\n ext4_do_writepages+0x12d6/0x2a70\n[...]\n============================================", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:28:17.697Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/d4574bda63906bf69660e001470bfe1a0ac524ae", }, { url: "https://git.kernel.org/stable/c/f9fd47c9d9548f9e47fa60098eab99dde175401d", }, { url: "https://git.kernel.org/stable/c/b6c29c8f3d7cb67b505f3b2f6c242d52298d1f2e", }, { url: "https://git.kernel.org/stable/c/32bbb59e3f18facd7201bef110010bf35819b8c3", }, { url: "https://git.kernel.org/stable/c/78bbc3d15b6f443acb26e94418c445bac940d414", }, { url: "https://git.kernel.org/stable/c/68a69cf60660c73990c1875f94a5551600b04775", }, { url: "https://git.kernel.org/stable/c/7633407ca4ab8be2916ab214eb44ccebc6a50e1a", }, { url: "https://git.kernel.org/stable/c/230ee0535d01478bad9a3037292043f39b9be10b", }, { url: "https://git.kernel.org/stable/c/dcaa6c31134c0f515600111c38ed7750003e1b9c", }, ], title: "ext4: fix double brelse() the buffer of the extents path", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49882", datePublished: "2024-10-21T18:01:20.144Z", dateReserved: "2024-10-21T12:17:06.021Z", dateUpdated: "2024-12-19T09:28:17.697Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48957
Vulnerability from cvelistv5
Published
2024-10-21 20:05
Modified
2024-12-19 08:11
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dpaa2-switch: Fix memory leak in dpaa2_switch_acl_entry_add() and dpaa2_switch_acl_entry_remove()
The cmd_buff needs to be freed when error happened in
dpaa2_switch_acl_entry_add() and dpaa2_switch_acl_entry_remove().
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48957", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:20:52.870701Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:39.719Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/ethernet/freescale/dpaa2/dpaa2-switch-flower.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "54d830e24247fa8361b016dd2069362866f45cb6", status: "affected", version: "1110318d83e8011c4dfcb2f7dd343bcfb1623c5f", versionType: "git", }, { lessThan: "785ee7a82297e1512d9061aae91699212ed65796", status: "affected", version: "1110318d83e8011c4dfcb2f7dd343bcfb1623c5f", versionType: "git", }, { lessThan: "4fad22a1281c500f15b172c9d261eff347ca634b", status: "affected", version: "1110318d83e8011c4dfcb2f7dd343bcfb1623c5f", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/ethernet/freescale/dpaa2/dpaa2-switch-flower.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.13", }, { lessThan: "5.13", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.83", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.13", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndpaa2-switch: Fix memory leak in dpaa2_switch_acl_entry_add() and dpaa2_switch_acl_entry_remove()\n\nThe cmd_buff needs to be freed when error happened in\ndpaa2_switch_acl_entry_add() and dpaa2_switch_acl_entry_remove().", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:11:20.162Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/54d830e24247fa8361b016dd2069362866f45cb6", }, { url: "https://git.kernel.org/stable/c/785ee7a82297e1512d9061aae91699212ed65796", }, { url: "https://git.kernel.org/stable/c/4fad22a1281c500f15b172c9d261eff347ca634b", }, ], title: "dpaa2-switch: Fix memory leak in dpaa2_switch_acl_entry_add() and dpaa2_switch_acl_entry_remove()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48957", datePublished: "2024-10-21T20:05:43.107Z", dateReserved: "2024-08-22T01:27:53.627Z", dateUpdated: "2024-12-19T08:11:20.162Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47742
Vulnerability from cvelistv5
Published
2024-10-21 12:14
Modified
2024-12-19 09:27
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
firmware_loader: Block path traversal
Most firmware names are hardcoded strings, or are constructed from fairly
constrained format strings where the dynamic parts are just some hex
numbers or such.
However, there are a couple codepaths in the kernel where firmware file
names contain string components that are passed through from a device or
semi-privileged userspace; the ones I could find (not counting interfaces
that require root privileges) are:
- lpfc_sli4_request_firmware_update() seems to construct the firmware
filename from "ModelName", a string that was previously parsed out of
some descriptor ("Vital Product Data") in lpfc_fill_vpd()
- nfp_net_fw_find() seems to construct a firmware filename from a model
name coming from nfp_hwinfo_lookup(pf->hwinfo, "nffw.partno"), which I
think parses some descriptor that was read from the device.
(But this case likely isn't exploitable because the format string looks
like "netronome/nic_%s", and there shouldn't be any *folders* starting
with "netronome/nic_". The previous case was different because there,
the "%s" is *at the start* of the format string.)
- module_flash_fw_schedule() is reachable from the
ETHTOOL_MSG_MODULE_FW_FLASH_ACT netlink command, which is marked as
GENL_UNS_ADMIN_PERM (meaning CAP_NET_ADMIN inside a user namespace is
enough to pass the privilege check), and takes a userspace-provided
firmware name.
(But I think to reach this case, you need to have CAP_NET_ADMIN over a
network namespace that a special kind of ethernet device is mapped into,
so I think this is not a viable attack path in practice.)
Fix it by rejecting any firmware names containing ".." path components.
For what it's worth, I went looking and haven't found any USB device
drivers that use the firmware loader dangerously.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: abb139e75c2cdbb955e840d6331cb5863e409d0e Version: abb139e75c2cdbb955e840d6331cb5863e409d0e Version: abb139e75c2cdbb955e840d6331cb5863e409d0e Version: abb139e75c2cdbb955e840d6331cb5863e409d0e Version: abb139e75c2cdbb955e840d6331cb5863e409d0e Version: abb139e75c2cdbb955e840d6331cb5863e409d0e Version: abb139e75c2cdbb955e840d6331cb5863e409d0e Version: abb139e75c2cdbb955e840d6331cb5863e409d0e Version: abb139e75c2cdbb955e840d6331cb5863e409d0e |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47742", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T12:59:04.060717Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:14.368Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/base/firmware_loader/main.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "d1768e5535d3ded59f888637016e6f821f4e069f", status: "affected", version: "abb139e75c2cdbb955e840d6331cb5863e409d0e", versionType: "git", }, { lessThan: "9b1ca33ebd05b3acef5b976c04e5e791af93ce1b", status: "affected", version: "abb139e75c2cdbb955e840d6331cb5863e409d0e", versionType: "git", }, { lessThan: "c30558e6c5c9ad6c86459d9acce1520ceeab9ea6", status: "affected", version: "abb139e75c2cdbb955e840d6331cb5863e409d0e", versionType: "git", }, { lessThan: "a77fc4acfd49fc6076e565445b2bc5fdc3244da4", status: "affected", version: "abb139e75c2cdbb955e840d6331cb5863e409d0e", versionType: "git", }, { lessThan: "3d2411f4edcb649eaf232160db459bb4770b5251", status: "affected", version: "abb139e75c2cdbb955e840d6331cb5863e409d0e", versionType: "git", }, { lessThan: "7420c1bf7fc784e587b87329cc6dfa3dca537aa4", status: "affected", version: "abb139e75c2cdbb955e840d6331cb5863e409d0e", versionType: "git", }, { lessThan: "28f1cd94d3f1092728fb775a0fe26c5f1ac2ebeb", status: "affected", version: "abb139e75c2cdbb955e840d6331cb5863e409d0e", versionType: "git", }, { lessThan: "6c4e13fdfcab34811c3143a0a03c05fec4e870ec", status: "affected", version: "abb139e75c2cdbb955e840d6331cb5863e409d0e", versionType: "git", }, { lessThan: "f0e5311aa8022107d63c54e2f03684ec097d1394", status: "affected", version: "abb139e75c2cdbb955e840d6331cb5863e409d0e", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/base/firmware_loader/main.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "3.7", }, { lessThan: "3.7", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware_loader: Block path traversal\n\nMost firmware names are hardcoded strings, or are constructed from fairly\nconstrained format strings where the dynamic parts are just some hex\nnumbers or such.\n\nHowever, there are a couple codepaths in the kernel where firmware file\nnames contain string components that are passed through from a device or\nsemi-privileged userspace; the ones I could find (not counting interfaces\nthat require root privileges) are:\n\n - lpfc_sli4_request_firmware_update() seems to construct the firmware\n filename from \"ModelName\", a string that was previously parsed out of\n some descriptor (\"Vital Product Data\") in lpfc_fill_vpd()\n - nfp_net_fw_find() seems to construct a firmware filename from a model\n name coming from nfp_hwinfo_lookup(pf->hwinfo, \"nffw.partno\"), which I\n think parses some descriptor that was read from the device.\n (But this case likely isn't exploitable because the format string looks\n like \"netronome/nic_%s\", and there shouldn't be any *folders* starting\n with \"netronome/nic_\". The previous case was different because there,\n the \"%s\" is *at the start* of the format string.)\n - module_flash_fw_schedule() is reachable from the\n ETHTOOL_MSG_MODULE_FW_FLASH_ACT netlink command, which is marked as\n GENL_UNS_ADMIN_PERM (meaning CAP_NET_ADMIN inside a user namespace is\n enough to pass the privilege check), and takes a userspace-provided\n firmware name.\n (But I think to reach this case, you need to have CAP_NET_ADMIN over a\n network namespace that a special kind of ethernet device is mapped into,\n so I think this is not a viable attack path in practice.)\n\nFix it by rejecting any firmware names containing \"..\" path components.\n\nFor what it's worth, I went looking and haven't found any USB device\ndrivers that use the firmware loader dangerously.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:27:12.659Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/d1768e5535d3ded59f888637016e6f821f4e069f", }, { url: "https://git.kernel.org/stable/c/9b1ca33ebd05b3acef5b976c04e5e791af93ce1b", }, { url: "https://git.kernel.org/stable/c/c30558e6c5c9ad6c86459d9acce1520ceeab9ea6", }, { url: "https://git.kernel.org/stable/c/a77fc4acfd49fc6076e565445b2bc5fdc3244da4", }, { url: "https://git.kernel.org/stable/c/3d2411f4edcb649eaf232160db459bb4770b5251", }, { url: "https://git.kernel.org/stable/c/7420c1bf7fc784e587b87329cc6dfa3dca537aa4", }, { url: "https://git.kernel.org/stable/c/28f1cd94d3f1092728fb775a0fe26c5f1ac2ebeb", }, { url: "https://git.kernel.org/stable/c/6c4e13fdfcab34811c3143a0a03c05fec4e870ec", }, { url: "https://git.kernel.org/stable/c/f0e5311aa8022107d63c54e2f03684ec097d1394", }, ], title: "firmware_loader: Block path traversal", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47742", datePublished: "2024-10-21T12:14:10.499Z", dateReserved: "2024-09-30T16:00:12.959Z", dateUpdated: "2024-12-19T09:27:12.659Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49872
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:27
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/gup: fix memfd_pin_folios alloc race panic
If memfd_pin_folios tries to create a hugetlb page, but someone else
already did, then folio gets the value -EEXIST here:
folio = memfd_alloc_folio(memfd, start_idx);
if (IS_ERR(folio)) {
ret = PTR_ERR(folio);
if (ret != -EEXIST)
goto err;
then on the next trip through the "while start_idx" loop we panic here:
if (folio) {
folio_put(folio);
To fix, set the folio to NULL on error.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49872", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:46:48.511178Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:51.785Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "mm/gup.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "e28f39b359c0cfdcc011603e51187085a5f1e5e3", status: "affected", version: "89c1905d9c140372b7f50ef48f42378cf85d9bc5", versionType: "git", }, { lessThan: "ce645b9fdc78ec5d28067286e92871ddae6817d5", status: "affected", version: "89c1905d9c140372b7f50ef48f42378cf85d9bc5", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "mm/gup.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.11", }, { lessThan: "6.11", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/gup: fix memfd_pin_folios alloc race panic\n\nIf memfd_pin_folios tries to create a hugetlb page, but someone else\nalready did, then folio gets the value -EEXIST here:\n\n folio = memfd_alloc_folio(memfd, start_idx);\n if (IS_ERR(folio)) {\n ret = PTR_ERR(folio);\n if (ret != -EEXIST)\n goto err;\n\nthen on the next trip through the \"while start_idx\" loop we panic here:\n\n if (folio) {\n folio_put(folio);\n\nTo fix, set the folio to NULL on error.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:27:59.819Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/e28f39b359c0cfdcc011603e51187085a5f1e5e3", }, { url: "https://git.kernel.org/stable/c/ce645b9fdc78ec5d28067286e92871ddae6817d5", }, ], title: "mm/gup: fix memfd_pin_folios alloc race panic", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49872", datePublished: "2024-10-21T18:01:13.369Z", dateReserved: "2024-10-21T12:17:06.020Z", dateUpdated: "2024-12-19T09:27:59.819Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48962
Vulnerability from cvelistv5
Published
2024-10-21 20:05
Modified
2024-12-19 08:11
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: hisilicon: Fix potential use-after-free in hisi_femac_rx()
The skb is delivered to napi_gro_receive() which may free it, after
calling this, dereferencing skb may trigger use-after-free.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 542ae60af24f02e130e62cb3b7c23163a2350056 Version: 542ae60af24f02e130e62cb3b7c23163a2350056 Version: 542ae60af24f02e130e62cb3b7c23163a2350056 Version: 542ae60af24f02e130e62cb3b7c23163a2350056 Version: 542ae60af24f02e130e62cb3b7c23163a2350056 Version: 542ae60af24f02e130e62cb3b7c23163a2350056 Version: 542ae60af24f02e130e62cb3b7c23163a2350056 Version: 542ae60af24f02e130e62cb3b7c23163a2350056 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48962", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:20:14.894557Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:38.998Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/ethernet/hisilicon/hisi_femac.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "3501da8eb6d0f5f114a09ec953c54423f6f35885", status: "affected", version: "542ae60af24f02e130e62cb3b7c23163a2350056", versionType: "git", }, { lessThan: "196e12671cb629d9f3b77b4d8bec854fc445533a", status: "affected", version: "542ae60af24f02e130e62cb3b7c23163a2350056", versionType: "git", }, { lessThan: "aceec8ab752428d8e151321479e82cc1a40fee2e", status: "affected", version: "542ae60af24f02e130e62cb3b7c23163a2350056", versionType: "git", }, { lessThan: "e71a46cc8c9ad75f3bb0e4b361e81f79c0214cca", status: "affected", version: "542ae60af24f02e130e62cb3b7c23163a2350056", versionType: "git", }, { lessThan: "296a50aa8b2982117520713edc1375777a9f8506", status: "affected", version: "542ae60af24f02e130e62cb3b7c23163a2350056", versionType: "git", }, { lessThan: "6f4798ac9c9e98f41553c4f5e6c832c8860a6942", status: "affected", version: "542ae60af24f02e130e62cb3b7c23163a2350056", versionType: "git", }, { lessThan: "8595a2db8eb0ffcbb466eb9f4a7507a5ba06ebb9", status: "affected", version: "542ae60af24f02e130e62cb3b7c23163a2350056", versionType: "git", }, { lessThan: "4640177049549de1a43e9bc49265f0cdfce08cfd", status: "affected", version: "542ae60af24f02e130e62cb3b7c23163a2350056", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/ethernet/hisilicon/hisi_femac.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "4.8", }, { lessThan: "4.8", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.9.*", status: "unaffected", version: "4.9.336", versionType: "semver", }, { lessThanOrEqual: "4.14.*", status: "unaffected", version: "4.14.302", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.269", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.227", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.159", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.83", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.13", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hisilicon: Fix potential use-after-free in hisi_femac_rx()\n\nThe skb is delivered to napi_gro_receive() which may free it, after\ncalling this, dereferencing skb may trigger use-after-free.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:11:26.479Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/3501da8eb6d0f5f114a09ec953c54423f6f35885", }, { url: "https://git.kernel.org/stable/c/196e12671cb629d9f3b77b4d8bec854fc445533a", }, { url: "https://git.kernel.org/stable/c/aceec8ab752428d8e151321479e82cc1a40fee2e", }, { url: "https://git.kernel.org/stable/c/e71a46cc8c9ad75f3bb0e4b361e81f79c0214cca", }, { url: "https://git.kernel.org/stable/c/296a50aa8b2982117520713edc1375777a9f8506", }, { url: "https://git.kernel.org/stable/c/6f4798ac9c9e98f41553c4f5e6c832c8860a6942", }, { url: "https://git.kernel.org/stable/c/8595a2db8eb0ffcbb466eb9f4a7507a5ba06ebb9", }, { url: "https://git.kernel.org/stable/c/4640177049549de1a43e9bc49265f0cdfce08cfd", }, ], title: "net: hisilicon: Fix potential use-after-free in hisi_femac_rx()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48962", datePublished: "2024-10-21T20:05:46.514Z", dateReserved: "2024-08-22T01:27:53.628Z", dateUpdated: "2024-12-19T08:11:26.479Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50058
Vulnerability from cvelistv5
Published
2024-10-21 19:39
Modified
2024-12-19 09:32
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
serial: protect uart_port_dtr_rts() in uart_shutdown() too
Commit af224ca2df29 (serial: core: Prevent unsafe uart port access, part
3) added few uport == NULL checks. It added one to uart_shutdown(), so
the commit assumes, uport can be NULL in there. But right after that
protection, there is an unprotected "uart_port_dtr_rts(uport, false);"
call. That is invoked only if HUPCL is set, so I assume that is the
reason why we do not see lots of these reports.
Or it cannot be NULL at this point at all for some reason :P.
Until the above is investigated, stay on the safe side and move this
dereference to the if too.
I got this inconsistency from Coverity under CID 1585130. Thanks.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50058", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:23:14.442818Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:42.567Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/tty/serial/serial_core.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "2fe399bb8efd0d325ab1138cf8e3ecf23a39e96d", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "399927f0f875b93f3d5a0336d382ba48b8671eb2", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "d7b5876a6e74cdf8468a478be6b23f2f5464ac7a", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "e418d91195d29d5f9c9685ff309b92b04b41dc40", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "76ed24a34223bb2c6b6162e1d8389ec4e602a290", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "602babaa84d627923713acaf5f7e9a4369e77473", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/tty/serial/serial_core.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.229", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.170", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.115", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.57", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.4", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: protect uart_port_dtr_rts() in uart_shutdown() too\n\nCommit af224ca2df29 (serial: core: Prevent unsafe uart port access, part\n3) added few uport == NULL checks. It added one to uart_shutdown(), so\nthe commit assumes, uport can be NULL in there. But right after that\nprotection, there is an unprotected \"uart_port_dtr_rts(uport, false);\"\ncall. That is invoked only if HUPCL is set, so I assume that is the\nreason why we do not see lots of these reports.\n\nOr it cannot be NULL at this point at all for some reason :P.\n\nUntil the above is investigated, stay on the safe side and move this\ndereference to the if too.\n\nI got this inconsistency from Coverity under CID 1585130. Thanks.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:32:11.004Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/2fe399bb8efd0d325ab1138cf8e3ecf23a39e96d", }, { url: "https://git.kernel.org/stable/c/399927f0f875b93f3d5a0336d382ba48b8671eb2", }, { url: "https://git.kernel.org/stable/c/d7b5876a6e74cdf8468a478be6b23f2f5464ac7a", }, { url: "https://git.kernel.org/stable/c/e418d91195d29d5f9c9685ff309b92b04b41dc40", }, { url: "https://git.kernel.org/stable/c/76ed24a34223bb2c6b6162e1d8389ec4e602a290", }, { url: "https://git.kernel.org/stable/c/602babaa84d627923713acaf5f7e9a4369e77473", }, ], title: "serial: protect uart_port_dtr_rts() in uart_shutdown() too", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50058", datePublished: "2024-10-21T19:39:48.420Z", dateReserved: "2024-10-21T19:36:19.938Z", dateUpdated: "2024-12-19T09:32:11.004Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50060
Vulnerability from cvelistv5
Published
2024-10-21 19:39
Modified
2024-12-19 09:32
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
io_uring: check if we need to reschedule during overflow flush
In terms of normal application usage, this list will always be empty.
And if an application does overflow a bit, it'll have a few entries.
However, nothing obviously prevents syzbot from running a test case
that generates a ton of overflow entries, and then flushing them can
take quite a while.
Check for needing to reschedule while flushing, and drop our locks and
do so if necessary. There's no state to maintain here as overflows
always prune from head-of-list, hence it's fine to drop and reacquire
the locks at the end of the loop.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50060", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:22:59.693890Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:42.337Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "io_uring/io_uring.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "a2493904e95ce94bbec819d8f7f03b99976eb25c", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "f4ce3b5d26ce149e77e6b8e8f2058aa80e5b034e", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "c2eadeafce2d385b3f6d26a7f31fee5aba2bbbb0", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "eac2ca2d682f94f46b1973bdf5e77d85d77b8e53", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "io_uring/io_uring.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.57", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.4", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: check if we need to reschedule during overflow flush\n\nIn terms of normal application usage, this list will always be empty.\nAnd if an application does overflow a bit, it'll have a few entries.\nHowever, nothing obviously prevents syzbot from running a test case\nthat generates a ton of overflow entries, and then flushing them can\ntake quite a while.\n\nCheck for needing to reschedule while flushing, and drop our locks and\ndo so if necessary. There's no state to maintain here as overflows\nalways prune from head-of-list, hence it's fine to drop and reacquire\nthe locks at the end of the loop.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:32:13.329Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/a2493904e95ce94bbec819d8f7f03b99976eb25c", }, { url: "https://git.kernel.org/stable/c/f4ce3b5d26ce149e77e6b8e8f2058aa80e5b034e", }, { url: "https://git.kernel.org/stable/c/c2eadeafce2d385b3f6d26a7f31fee5aba2bbbb0", }, { url: "https://git.kernel.org/stable/c/eac2ca2d682f94f46b1973bdf5e77d85d77b8e53", }, ], title: "io_uring: check if we need to reschedule during overflow flush", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50060", datePublished: "2024-10-21T19:39:49.737Z", dateReserved: "2024-10-21T19:36:19.939Z", dateUpdated: "2024-12-19T09:32:13.329Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49894
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:28
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Fix index out of bounds in degamma hardware format translation
Fixes index out of bounds issue in
`cm_helper_translate_curve_to_degamma_hw_format` function. The issue
could occur when the index 'i' exceeds the number of transfer function
points (TRANSFER_FUNC_POINTS).
The fix adds a check to ensure 'i' is within bounds before accessing the
transfer function points. If 'i' is out of bounds the function returns
false to indicate an error.
Reported by smatch:
drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:594 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max
drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:595 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max
drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:596 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49894", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:43:53.969023Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:48.651Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "b3dfa878257a7e98830b3009ca5831a01d8f85fc", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "f5f6d90087131812c1e4b9d3103f400f1624396d", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "c130a3c09e3746c1a09ce26c20d21d449d039b1d", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "c6979719012a90e5b8e3bc31725fbfdd0b9b2b79", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "2495c8e272d84685403506833a664fad932e453a", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "122e3a7a8c7bcbe3aacddd6103f67f9f36bed473", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "2f5da549535be8ccd2ab7c9abac8562ad370b181", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "07078fa5d589a7fbce8f81ea8acf7aa0021ab38e", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "b7e99058eb2e86aabd7a10761e76cae33d22b49f", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix index out of bounds in degamma hardware format translation\n\nFixes index out of bounds issue in\n`cm_helper_translate_curve_to_degamma_hw_format` function. The issue\ncould occur when the index 'i' exceeds the number of transfer function\npoints (TRANSFER_FUNC_POINTS).\n\nThe fix adds a check to ensure 'i' is within bounds before accessing the\ntransfer function points. If 'i' is out of bounds the function returns\nfalse to indicate an error.\n\nReported by smatch:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:594 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:595 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:596 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:28:32.334Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/b3dfa878257a7e98830b3009ca5831a01d8f85fc", }, { url: "https://git.kernel.org/stable/c/f5f6d90087131812c1e4b9d3103f400f1624396d", }, { url: "https://git.kernel.org/stable/c/c130a3c09e3746c1a09ce26c20d21d449d039b1d", }, { url: "https://git.kernel.org/stable/c/c6979719012a90e5b8e3bc31725fbfdd0b9b2b79", }, { url: "https://git.kernel.org/stable/c/2495c8e272d84685403506833a664fad932e453a", }, { url: "https://git.kernel.org/stable/c/122e3a7a8c7bcbe3aacddd6103f67f9f36bed473", }, { url: "https://git.kernel.org/stable/c/2f5da549535be8ccd2ab7c9abac8562ad370b181", }, { url: "https://git.kernel.org/stable/c/07078fa5d589a7fbce8f81ea8acf7aa0021ab38e", }, { url: "https://git.kernel.org/stable/c/b7e99058eb2e86aabd7a10761e76cae33d22b49f", }, ], title: "drm/amd/display: Fix index out of bounds in degamma hardware format translation", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49894", datePublished: "2024-10-21T18:01:28.360Z", dateReserved: "2024-10-21T12:17:06.025Z", dateUpdated: "2024-12-19T09:28:32.334Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49989
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-19 09:30
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: fix double free issue during amdgpu module unload
Flexible endpoints use DIGs from available inflexible endpoints,
so only the encoders of inflexible links need to be freed.
Otherwise, a double free issue may occur when unloading the
amdgpu module.
[ 279.190523] RIP: 0010:__slab_free+0x152/0x2f0
[ 279.190577] Call Trace:
[ 279.190580] <TASK>
[ 279.190582] ? show_regs+0x69/0x80
[ 279.190590] ? die+0x3b/0x90
[ 279.190595] ? do_trap+0xc8/0xe0
[ 279.190601] ? do_error_trap+0x73/0xa0
[ 279.190605] ? __slab_free+0x152/0x2f0
[ 279.190609] ? exc_invalid_op+0x56/0x70
[ 279.190616] ? __slab_free+0x152/0x2f0
[ 279.190642] ? asm_exc_invalid_op+0x1f/0x30
[ 279.190648] ? dcn10_link_encoder_destroy+0x19/0x30 [amdgpu]
[ 279.191096] ? __slab_free+0x152/0x2f0
[ 279.191102] ? dcn10_link_encoder_destroy+0x19/0x30 [amdgpu]
[ 279.191469] kfree+0x260/0x2b0
[ 279.191474] dcn10_link_encoder_destroy+0x19/0x30 [amdgpu]
[ 279.191821] link_destroy+0xd7/0x130 [amdgpu]
[ 279.192248] dc_destruct+0x90/0x270 [amdgpu]
[ 279.192666] dc_destroy+0x19/0x40 [amdgpu]
[ 279.193020] amdgpu_dm_fini+0x16e/0x200 [amdgpu]
[ 279.193432] dm_hw_fini+0x26/0x40 [amdgpu]
[ 279.193795] amdgpu_device_fini_hw+0x24c/0x400 [amdgpu]
[ 279.194108] amdgpu_driver_unload_kms+0x4f/0x70 [amdgpu]
[ 279.194436] amdgpu_pci_remove+0x40/0x80 [amdgpu]
[ 279.194632] pci_device_remove+0x3a/0xa0
[ 279.194638] device_remove+0x40/0x70
[ 279.194642] device_release_driver_internal+0x1ad/0x210
[ 279.194647] driver_detach+0x4e/0xa0
[ 279.194650] bus_remove_driver+0x6f/0xf0
[ 279.194653] driver_unregister+0x33/0x60
[ 279.194657] pci_unregister_driver+0x44/0x90
[ 279.194662] amdgpu_exit+0x19/0x1f0 [amdgpu]
[ 279.194939] __do_sys_delete_module.isra.0+0x198/0x2f0
[ 279.194946] __x64_sys_delete_module+0x16/0x20
[ 279.194950] do_syscall_64+0x58/0x120
[ 279.194954] entry_SYSCALL_64_after_hwframe+0x6e/0x76
[ 279.194980] </TASK>
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49989", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:31:29.374759Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:43.110Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/link/link_factory.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "cf6f3ebd6312d465fee096d1f58089b177c7c67f", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "7af9e6fa63dbd43a61d4ecc8f59426596a75e507", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "3c0ff4de45ce2c5f7997a1ffa6eefee4b79e6b58", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "20b5a8f9f4670a8503aa9fa95ca632e77c6bf55d", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/link/link_factory.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: fix double free issue during amdgpu module unload\n\nFlexible endpoints use DIGs from available inflexible endpoints,\nso only the encoders of inflexible links need to be freed.\nOtherwise, a double free issue may occur when unloading the\namdgpu module.\n\n[ 279.190523] RIP: 0010:__slab_free+0x152/0x2f0\n[ 279.190577] Call Trace:\n[ 279.190580] <TASK>\n[ 279.190582] ? show_regs+0x69/0x80\n[ 279.190590] ? die+0x3b/0x90\n[ 279.190595] ? do_trap+0xc8/0xe0\n[ 279.190601] ? do_error_trap+0x73/0xa0\n[ 279.190605] ? __slab_free+0x152/0x2f0\n[ 279.190609] ? exc_invalid_op+0x56/0x70\n[ 279.190616] ? __slab_free+0x152/0x2f0\n[ 279.190642] ? asm_exc_invalid_op+0x1f/0x30\n[ 279.190648] ? dcn10_link_encoder_destroy+0x19/0x30 [amdgpu]\n[ 279.191096] ? __slab_free+0x152/0x2f0\n[ 279.191102] ? dcn10_link_encoder_destroy+0x19/0x30 [amdgpu]\n[ 279.191469] kfree+0x260/0x2b0\n[ 279.191474] dcn10_link_encoder_destroy+0x19/0x30 [amdgpu]\n[ 279.191821] link_destroy+0xd7/0x130 [amdgpu]\n[ 279.192248] dc_destruct+0x90/0x270 [amdgpu]\n[ 279.192666] dc_destroy+0x19/0x40 [amdgpu]\n[ 279.193020] amdgpu_dm_fini+0x16e/0x200 [amdgpu]\n[ 279.193432] dm_hw_fini+0x26/0x40 [amdgpu]\n[ 279.193795] amdgpu_device_fini_hw+0x24c/0x400 [amdgpu]\n[ 279.194108] amdgpu_driver_unload_kms+0x4f/0x70 [amdgpu]\n[ 279.194436] amdgpu_pci_remove+0x40/0x80 [amdgpu]\n[ 279.194632] pci_device_remove+0x3a/0xa0\n[ 279.194638] device_remove+0x40/0x70\n[ 279.194642] device_release_driver_internal+0x1ad/0x210\n[ 279.194647] driver_detach+0x4e/0xa0\n[ 279.194650] bus_remove_driver+0x6f/0xf0\n[ 279.194653] driver_unregister+0x33/0x60\n[ 279.194657] pci_unregister_driver+0x44/0x90\n[ 279.194662] amdgpu_exit+0x19/0x1f0 [amdgpu]\n[ 279.194939] __do_sys_delete_module.isra.0+0x198/0x2f0\n[ 279.194946] __x64_sys_delete_module+0x16/0x20\n[ 279.194950] do_syscall_64+0x58/0x120\n[ 279.194954] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ 279.194980] </TASK>", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:30:48.250Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/cf6f3ebd6312d465fee096d1f58089b177c7c67f", }, { url: "https://git.kernel.org/stable/c/7af9e6fa63dbd43a61d4ecc8f59426596a75e507", }, { url: "https://git.kernel.org/stable/c/3c0ff4de45ce2c5f7997a1ffa6eefee4b79e6b58", }, { url: "https://git.kernel.org/stable/c/20b5a8f9f4670a8503aa9fa95ca632e77c6bf55d", }, ], title: "drm/amd/display: fix double free issue during amdgpu module unload", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49989", datePublished: "2024-10-21T18:02:32.507Z", dateReserved: "2024-10-21T12:17:06.054Z", dateUpdated: "2024-12-19T09:30:48.250Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49921
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:29
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Check null pointers before used
[WHAT & HOW]
Poniters, such as dc->clk_mgr, are null checked previously in the same
function, so Coverity warns "implies that "dc->clk_mgr" might be null".
As a result, these pointers need to be checked when used again.
This fixes 10 FORWARD_NULL issues reported by Coverity.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49921", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:40:21.671812Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:44.609Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/clk_mgr/dce110/dce110_clk_mgr.c", "drivers/gpu/drm/amd/display/dc/hubp/dcn10/dcn10_hubp.c", "drivers/gpu/drm/amd/display/dc/hubp/dcn20/dcn20_hubp.c", "drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c", "drivers/gpu/drm/amd/display/dc/hwss/dcn10/dcn10_hwseq.c", "drivers/gpu/drm/amd/display/dc/hwss/dcn31/dcn31_hwseq.c", "drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c", "drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_capability.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "5b35bf1a82eb29841b67ff5643ba83762250fc24", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "be1fb44389ca3038ad2430dac4234669bc177ee3", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/clk_mgr/dce110/dce110_clk_mgr.c", "drivers/gpu/drm/amd/display/dc/hubp/dcn10/dcn10_hubp.c", "drivers/gpu/drm/amd/display/dc/hubp/dcn20/dcn20_hubp.c", "drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c", "drivers/gpu/drm/amd/display/dc/hwss/dcn10/dcn10_hwseq.c", "drivers/gpu/drm/amd/display/dc/hwss/dcn31/dcn31_hwseq.c", "drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c", "drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_capability.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check null pointers before used\n\n[WHAT & HOW]\nPoniters, such as dc->clk_mgr, are null checked previously in the same\nfunction, so Coverity warns \"implies that \"dc->clk_mgr\" might be null\".\nAs a result, these pointers need to be checked when used again.\n\nThis fixes 10 FORWARD_NULL issues reported by Coverity.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:29:05.228Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/5b35bf1a82eb29841b67ff5643ba83762250fc24", }, { url: "https://git.kernel.org/stable/c/be1fb44389ca3038ad2430dac4234669bc177ee3", }, ], title: "drm/amd/display: Check null pointers before used", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49921", datePublished: "2024-10-21T18:01:47.112Z", dateReserved: "2024-10-21T12:17:06.035Z", dateUpdated: "2024-12-19T09:29:05.228Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47692
Vulnerability from cvelistv5
Published
2024-10-21 11:53
Modified
2024-12-19 09:26
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfsd: return -EINVAL when namelen is 0
When we have a corrupted main.sqlite in /var/lib/nfs/nfsdcld/, it may
result in namelen being 0, which will cause memdup_user() to return
ZERO_SIZE_PTR.
When we access the name.data that has been assigned the value of
ZERO_SIZE_PTR in nfs4_client_to_reclaim(), null pointer dereference is
triggered.
[ T1205] ==================================================================
[ T1205] BUG: KASAN: null-ptr-deref in nfs4_client_to_reclaim+0xe9/0x260
[ T1205] Read of size 1 at addr 0000000000000010 by task nfsdcld/1205
[ T1205]
[ T1205] CPU: 11 PID: 1205 Comm: nfsdcld Not tainted 5.10.0-00003-g2c1423731b8d #406
[ T1205] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 04/01/2014
[ T1205] Call Trace:
[ T1205] dump_stack+0x9a/0xd0
[ T1205] ? nfs4_client_to_reclaim+0xe9/0x260
[ T1205] __kasan_report.cold+0x34/0x84
[ T1205] ? nfs4_client_to_reclaim+0xe9/0x260
[ T1205] kasan_report+0x3a/0x50
[ T1205] nfs4_client_to_reclaim+0xe9/0x260
[ T1205] ? nfsd4_release_lockowner+0x410/0x410
[ T1205] cld_pipe_downcall+0x5ca/0x760
[ T1205] ? nfsd4_cld_tracking_exit+0x1d0/0x1d0
[ T1205] ? down_write_killable_nested+0x170/0x170
[ T1205] ? avc_policy_seqno+0x28/0x40
[ T1205] ? selinux_file_permission+0x1b4/0x1e0
[ T1205] rpc_pipe_write+0x84/0xb0
[ T1205] vfs_write+0x143/0x520
[ T1205] ksys_write+0xc9/0x170
[ T1205] ? __ia32_sys_read+0x50/0x50
[ T1205] ? ktime_get_coarse_real_ts64+0xfe/0x110
[ T1205] ? ktime_get_coarse_real_ts64+0xa2/0x110
[ T1205] do_syscall_64+0x33/0x40
[ T1205] entry_SYSCALL_64_after_hwframe+0x67/0xd1
[ T1205] RIP: 0033:0x7fdbdb761bc7
[ T1205] Code: 0f 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 514
[ T1205] RSP: 002b:00007fff8c4b7248 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ T1205] RAX: ffffffffffffffda RBX: 000000000000042b RCX: 00007fdbdb761bc7
[ T1205] RDX: 000000000000042b RSI: 00007fff8c4b75f0 RDI: 0000000000000008
[ T1205] RBP: 00007fdbdb761bb0 R08: 0000000000000000 R09: 0000000000000001
[ T1205] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000042b
[ T1205] R13: 0000000000000008 R14: 00007fff8c4b75f0 R15: 0000000000000000
[ T1205] ==================================================================
Fix it by checking namelen.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 74725959c33c14114fdce1e36e3504d106584d53 Version: 74725959c33c14114fdce1e36e3504d106584d53 Version: 74725959c33c14114fdce1e36e3504d106584d53 Version: 74725959c33c14114fdce1e36e3504d106584d53 Version: 74725959c33c14114fdce1e36e3504d106584d53 Version: 74725959c33c14114fdce1e36e3504d106584d53 Version: 74725959c33c14114fdce1e36e3504d106584d53 Version: 74725959c33c14114fdce1e36e3504d106584d53 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47692", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:05:46.297189Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:14:14.991Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/nfsd/nfs4recover.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "6d07040ae5c2214e39c7444d898039c9e655a79a", status: "affected", version: "74725959c33c14114fdce1e36e3504d106584d53", versionType: "git", }, { lessThan: "0f1d007bbea38a61cf9c5392708dc70ae9d84a3d", status: "affected", version: "74725959c33c14114fdce1e36e3504d106584d53", versionType: "git", }, { lessThan: "b7b7a8df41ef18862dd6b22289fb46c2c12398af", status: "affected", version: "74725959c33c14114fdce1e36e3504d106584d53", versionType: "git", }, { lessThan: "84a563d136faf514fdad1ade28d7a142fd313cb8", status: "affected", version: "74725959c33c14114fdce1e36e3504d106584d53", versionType: "git", }, { lessThan: "318f70857caab3da9a6ada9bc8c1f4f7591b695e", status: "affected", version: "74725959c33c14114fdce1e36e3504d106584d53", versionType: "git", }, { lessThan: "766d5fbd78f7a52b3888449a0358760477b74602", status: "affected", version: "74725959c33c14114fdce1e36e3504d106584d53", versionType: "git", }, { lessThan: "1ff8be8d008b9ddc8e7043fbddd37d5d451b271b", status: "affected", version: "74725959c33c14114fdce1e36e3504d106584d53", versionType: "git", }, { lessThan: "22451a16b7ab7debefce660672566be887db1637", status: "affected", version: "74725959c33c14114fdce1e36e3504d106584d53", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/nfsd/nfs4recover.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.2", }, { lessThan: "5.2", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: return -EINVAL when namelen is 0\n\nWhen we have a corrupted main.sqlite in /var/lib/nfs/nfsdcld/, it may\nresult in namelen being 0, which will cause memdup_user() to return\nZERO_SIZE_PTR.\nWhen we access the name.data that has been assigned the value of\nZERO_SIZE_PTR in nfs4_client_to_reclaim(), null pointer dereference is\ntriggered.\n\n[ T1205] ==================================================================\n[ T1205] BUG: KASAN: null-ptr-deref in nfs4_client_to_reclaim+0xe9/0x260\n[ T1205] Read of size 1 at addr 0000000000000010 by task nfsdcld/1205\n[ T1205]\n[ T1205] CPU: 11 PID: 1205 Comm: nfsdcld Not tainted 5.10.0-00003-g2c1423731b8d #406\n[ T1205] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 04/01/2014\n[ T1205] Call Trace:\n[ T1205] dump_stack+0x9a/0xd0\n[ T1205] ? nfs4_client_to_reclaim+0xe9/0x260\n[ T1205] __kasan_report.cold+0x34/0x84\n[ T1205] ? nfs4_client_to_reclaim+0xe9/0x260\n[ T1205] kasan_report+0x3a/0x50\n[ T1205] nfs4_client_to_reclaim+0xe9/0x260\n[ T1205] ? nfsd4_release_lockowner+0x410/0x410\n[ T1205] cld_pipe_downcall+0x5ca/0x760\n[ T1205] ? nfsd4_cld_tracking_exit+0x1d0/0x1d0\n[ T1205] ? down_write_killable_nested+0x170/0x170\n[ T1205] ? avc_policy_seqno+0x28/0x40\n[ T1205] ? selinux_file_permission+0x1b4/0x1e0\n[ T1205] rpc_pipe_write+0x84/0xb0\n[ T1205] vfs_write+0x143/0x520\n[ T1205] ksys_write+0xc9/0x170\n[ T1205] ? __ia32_sys_read+0x50/0x50\n[ T1205] ? ktime_get_coarse_real_ts64+0xfe/0x110\n[ T1205] ? ktime_get_coarse_real_ts64+0xa2/0x110\n[ T1205] do_syscall_64+0x33/0x40\n[ T1205] entry_SYSCALL_64_after_hwframe+0x67/0xd1\n[ T1205] RIP: 0033:0x7fdbdb761bc7\n[ T1205] Code: 0f 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 514\n[ T1205] RSP: 002b:00007fff8c4b7248 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\n[ T1205] RAX: ffffffffffffffda RBX: 000000000000042b RCX: 00007fdbdb761bc7\n[ T1205] RDX: 000000000000042b RSI: 00007fff8c4b75f0 RDI: 0000000000000008\n[ T1205] RBP: 00007fdbdb761bb0 R08: 0000000000000000 R09: 0000000000000001\n[ T1205] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000042b\n[ T1205] R13: 0000000000000008 R14: 00007fff8c4b75f0 R15: 0000000000000000\n[ T1205] ==================================================================\n\nFix it by checking namelen.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:26:11.994Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/6d07040ae5c2214e39c7444d898039c9e655a79a", }, { url: "https://git.kernel.org/stable/c/0f1d007bbea38a61cf9c5392708dc70ae9d84a3d", }, { url: "https://git.kernel.org/stable/c/b7b7a8df41ef18862dd6b22289fb46c2c12398af", }, { url: "https://git.kernel.org/stable/c/84a563d136faf514fdad1ade28d7a142fd313cb8", }, { url: "https://git.kernel.org/stable/c/318f70857caab3da9a6ada9bc8c1f4f7591b695e", }, { url: "https://git.kernel.org/stable/c/766d5fbd78f7a52b3888449a0358760477b74602", }, { url: "https://git.kernel.org/stable/c/1ff8be8d008b9ddc8e7043fbddd37d5d451b271b", }, { url: "https://git.kernel.org/stable/c/22451a16b7ab7debefce660672566be887db1637", }, ], title: "nfsd: return -EINVAL when namelen is 0", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47692", datePublished: "2024-10-21T11:53:31.238Z", dateReserved: "2024-09-30T16:00:12.942Z", dateUpdated: "2024-12-19T09:26:11.994Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49850
Vulnerability from cvelistv5
Published
2024-10-21 12:18
Modified
2024-12-19 09:27
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: correctly handle malformed BPF_CORE_TYPE_ID_LOCAL relos
In case of malformed relocation record of kind BPF_CORE_TYPE_ID_LOCAL
referencing a non-existing BTF type, function bpf_core_calc_relo_insn
would cause a null pointer deference.
Fix this by adding a proper check upper in call stack, as malformed
relocation records could be passed from user space.
Simplest reproducer is a program:
r0 = 0
exit
With a single relocation record:
.insn_off = 0, /* patch first instruction */
.type_id = 100500, /* this type id does not exist */
.access_str_off = 6, /* offset of string "0" */
.kind = BPF_CORE_TYPE_ID_LOCAL,
See the link for original reproducer or next commit for a test case.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 74753e1462e77349525daf9eb60ea21ed92d3a97 Version: 74753e1462e77349525daf9eb60ea21ed92d3a97 Version: 74753e1462e77349525daf9eb60ea21ed92d3a97 Version: 74753e1462e77349525daf9eb60ea21ed92d3a97 Version: 74753e1462e77349525daf9eb60ea21ed92d3a97 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49850", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T12:57:02.749584Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:12.027Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "kernel/bpf/btf.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "dc7ce14f00bcd50641f2110b7a32aa6552e0780f", status: "affected", version: "74753e1462e77349525daf9eb60ea21ed92d3a97", versionType: "git", }, { lessThan: "2288b54b96dcb55bedebcef3572bb8821fc5e708", status: "affected", version: "74753e1462e77349525daf9eb60ea21ed92d3a97", versionType: "git", }, { lessThan: "584cd3ff792e1edbea20b2a7df55897159b0be3e", status: "affected", version: "74753e1462e77349525daf9eb60ea21ed92d3a97", versionType: "git", }, { lessThan: "e7e9c5b2dda29067332df2a85b0141a92b41f218", status: "affected", version: "74753e1462e77349525daf9eb60ea21ed92d3a97", versionType: "git", }, { lessThan: "3d2786d65aaa954ebd3fcc033ada433e10da21c4", status: "affected", version: "74753e1462e77349525daf9eb60ea21ed92d3a97", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "kernel/bpf/btf.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.17", }, { lessThan: "5.17", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: correctly handle malformed BPF_CORE_TYPE_ID_LOCAL relos\n\nIn case of malformed relocation record of kind BPF_CORE_TYPE_ID_LOCAL\nreferencing a non-existing BTF type, function bpf_core_calc_relo_insn\nwould cause a null pointer deference.\n\nFix this by adding a proper check upper in call stack, as malformed\nrelocation records could be passed from user space.\n\nSimplest reproducer is a program:\n\n r0 = 0\n exit\n\nWith a single relocation record:\n\n .insn_off = 0, /* patch first instruction */\n .type_id = 100500, /* this type id does not exist */\n .access_str_off = 6, /* offset of string \"0\" */\n .kind = BPF_CORE_TYPE_ID_LOCAL,\n\nSee the link for original reproducer or next commit for a test case.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:27:31.769Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/dc7ce14f00bcd50641f2110b7a32aa6552e0780f", }, { url: "https://git.kernel.org/stable/c/2288b54b96dcb55bedebcef3572bb8821fc5e708", }, { url: "https://git.kernel.org/stable/c/584cd3ff792e1edbea20b2a7df55897159b0be3e", }, { url: "https://git.kernel.org/stable/c/e7e9c5b2dda29067332df2a85b0141a92b41f218", }, { url: "https://git.kernel.org/stable/c/3d2786d65aaa954ebd3fcc033ada433e10da21c4", }, ], title: "bpf: correctly handle malformed BPF_CORE_TYPE_ID_LOCAL relos", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49850", datePublished: "2024-10-21T12:18:44.098Z", dateReserved: "2024-10-21T12:17:06.015Z", dateUpdated: "2024-12-19T09:27:31.769Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49878
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:28
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
resource: fix region_intersects() vs add_memory_driver_managed()
On a system with CXL memory, the resource tree (/proc/iomem) related to
CXL memory may look like something as follows.
490000000-50fffffff : CXL Window 0
490000000-50fffffff : region0
490000000-50fffffff : dax0.0
490000000-50fffffff : System RAM (kmem)
Because drivers/dax/kmem.c calls add_memory_driver_managed() during
onlining CXL memory, which makes "System RAM (kmem)" a descendant of "CXL
Window X". This confuses region_intersects(), which expects all "System
RAM" resources to be at the top level of iomem_resource. This can lead to
bugs.
For example, when the following command line is executed to write some
memory in CXL memory range via /dev/mem,
$ dd if=data of=/dev/mem bs=$((1 << 10)) seek=$((0x490000000 >> 10)) count=1
dd: error writing '/dev/mem': Bad address
1+0 records in
0+0 records out
0 bytes copied, 0.0283507 s, 0.0 kB/s
the command fails as expected. However, the error code is wrong. It
should be "Operation not permitted" instead of "Bad address". More
seriously, the /dev/mem permission checking in devmem_is_allowed() passes
incorrectly. Although the accessing is prevented later because ioremap()
isn't allowed to map system RAM, it is a potential security issue. During
command executing, the following warning is reported in the kernel log for
calling ioremap() on system RAM.
ioremap on RAM at 0x0000000490000000 - 0x0000000490000fff
WARNING: CPU: 2 PID: 416 at arch/x86/mm/ioremap.c:216 __ioremap_caller.constprop.0+0x131/0x35d
Call Trace:
memremap+0xcb/0x184
xlate_dev_mem_ptr+0x25/0x2f
write_mem+0x94/0xfb
vfs_write+0x128/0x26d
ksys_write+0xac/0xfe
do_syscall_64+0x9a/0xfd
entry_SYSCALL_64_after_hwframe+0x4b/0x53
The details of command execution process are as follows. In the above
resource tree, "System RAM" is a descendant of "CXL Window 0" instead of a
top level resource. So, region_intersects() will report no System RAM
resources in the CXL memory region incorrectly, because it only checks the
top level resources. Consequently, devmem_is_allowed() will return 1
(allow access via /dev/mem) for CXL memory region incorrectly.
Fortunately, ioremap() doesn't allow to map System RAM and reject the
access.
So, region_intersects() needs to be fixed to work correctly with the
resource tree with "System RAM" not at top level as above. To fix it, if
we found a unmatched resource in the top level, we will continue to search
matched resources in its descendant resources. So, we will not miss any
matched resources in resource tree anymore.
In the new implementation, an example resource tree
|------------- "CXL Window 0" ------------|
|-- "System RAM" --|
will behave similar as the following fake resource tree for
region_intersects(, IORESOURCE_SYSTEM_RAM, ),
|-- "System RAM" --||-- "CXL Window 0a" --|
Where "CXL Window 0a" is part of the original "CXL Window 0" that
isn't covered by "System RAM".
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: c221c0b0308fd01d9fb33a16f64d2fd95f8830a4 Version: c221c0b0308fd01d9fb33a16f64d2fd95f8830a4 Version: c221c0b0308fd01d9fb33a16f64d2fd95f8830a4 Version: c221c0b0308fd01d9fb33a16f64d2fd95f8830a4 Version: c221c0b0308fd01d9fb33a16f64d2fd95f8830a4 Version: c221c0b0308fd01d9fb33a16f64d2fd95f8830a4 Version: c221c0b0308fd01d9fb33a16f64d2fd95f8830a4 Version: c221c0b0308fd01d9fb33a16f64d2fd95f8830a4 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49878", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:46:02.318749Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:50.934Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "kernel/resource.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "333fbaf6864a4ca031367eb947961a1f3484d337", status: "affected", version: "c221c0b0308fd01d9fb33a16f64d2fd95f8830a4", versionType: "git", }, { lessThan: "1d5f85f1b7db79c75c9e07d6571ce2a7bdf725c4", status: "affected", version: "c221c0b0308fd01d9fb33a16f64d2fd95f8830a4", versionType: "git", }, { lessThan: "8a6fef7d22a1d952aed68584d3fcc0d018d2bdc3", status: "affected", version: "c221c0b0308fd01d9fb33a16f64d2fd95f8830a4", versionType: "git", }, { lessThan: "4b90d2eb451b357681063ba4552b10b39d7ad885", status: "affected", version: "c221c0b0308fd01d9fb33a16f64d2fd95f8830a4", versionType: "git", }, { lessThan: "393331e16ce205e036e58b3d8ca4ee2e635f21d9", status: "affected", version: "c221c0b0308fd01d9fb33a16f64d2fd95f8830a4", versionType: "git", }, { lessThan: "06ff97a20b8c9e9d256b0d2c3e87f78f8ccea3de", status: "affected", version: "c221c0b0308fd01d9fb33a16f64d2fd95f8830a4", versionType: "git", }, { lessThan: "927abc5b7d6d2c2e936bec5a2f71d9512c5e72f7", status: "affected", version: "c221c0b0308fd01d9fb33a16f64d2fd95f8830a4", versionType: "git", }, { lessThan: "b4afe4183ec77f230851ea139d91e5cf2644c68b", status: "affected", version: "c221c0b0308fd01d9fb33a16f64d2fd95f8830a4", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "kernel/resource.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.1", }, { lessThan: "5.1", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nresource: fix region_intersects() vs add_memory_driver_managed()\n\nOn a system with CXL memory, the resource tree (/proc/iomem) related to\nCXL memory may look like something as follows.\n\n490000000-50fffffff : CXL Window 0\n 490000000-50fffffff : region0\n 490000000-50fffffff : dax0.0\n 490000000-50fffffff : System RAM (kmem)\n\nBecause drivers/dax/kmem.c calls add_memory_driver_managed() during\nonlining CXL memory, which makes \"System RAM (kmem)\" a descendant of \"CXL\nWindow X\". This confuses region_intersects(), which expects all \"System\nRAM\" resources to be at the top level of iomem_resource. This can lead to\nbugs.\n\nFor example, when the following command line is executed to write some\nmemory in CXL memory range via /dev/mem,\n\n $ dd if=data of=/dev/mem bs=$((1 << 10)) seek=$((0x490000000 >> 10)) count=1\n dd: error writing '/dev/mem': Bad address\n 1+0 records in\n 0+0 records out\n 0 bytes copied, 0.0283507 s, 0.0 kB/s\n\nthe command fails as expected. However, the error code is wrong. It\nshould be \"Operation not permitted\" instead of \"Bad address\". More\nseriously, the /dev/mem permission checking in devmem_is_allowed() passes\nincorrectly. Although the accessing is prevented later because ioremap()\nisn't allowed to map system RAM, it is a potential security issue. During\ncommand executing, the following warning is reported in the kernel log for\ncalling ioremap() on system RAM.\n\n ioremap on RAM at 0x0000000490000000 - 0x0000000490000fff\n WARNING: CPU: 2 PID: 416 at arch/x86/mm/ioremap.c:216 __ioremap_caller.constprop.0+0x131/0x35d\n Call Trace:\n memremap+0xcb/0x184\n xlate_dev_mem_ptr+0x25/0x2f\n write_mem+0x94/0xfb\n vfs_write+0x128/0x26d\n ksys_write+0xac/0xfe\n do_syscall_64+0x9a/0xfd\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\nThe details of command execution process are as follows. In the above\nresource tree, \"System RAM\" is a descendant of \"CXL Window 0\" instead of a\ntop level resource. So, region_intersects() will report no System RAM\nresources in the CXL memory region incorrectly, because it only checks the\ntop level resources. Consequently, devmem_is_allowed() will return 1\n(allow access via /dev/mem) for CXL memory region incorrectly. \nFortunately, ioremap() doesn't allow to map System RAM and reject the\naccess.\n\nSo, region_intersects() needs to be fixed to work correctly with the\nresource tree with \"System RAM\" not at top level as above. To fix it, if\nwe found a unmatched resource in the top level, we will continue to search\nmatched resources in its descendant resources. So, we will not miss any\nmatched resources in resource tree anymore.\n\nIn the new implementation, an example resource tree\n\n|------------- \"CXL Window 0\" ------------|\n|-- \"System RAM\" --|\n\nwill behave similar as the following fake resource tree for\nregion_intersects(, IORESOURCE_SYSTEM_RAM, ),\n\n|-- \"System RAM\" --||-- \"CXL Window 0a\" --|\n\nWhere \"CXL Window 0a\" is part of the original \"CXL Window 0\" that\nisn't covered by \"System RAM\".", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:28:12.751Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/333fbaf6864a4ca031367eb947961a1f3484d337", }, { url: "https://git.kernel.org/stable/c/1d5f85f1b7db79c75c9e07d6571ce2a7bdf725c4", }, { url: "https://git.kernel.org/stable/c/8a6fef7d22a1d952aed68584d3fcc0d018d2bdc3", }, { url: "https://git.kernel.org/stable/c/4b90d2eb451b357681063ba4552b10b39d7ad885", }, { url: "https://git.kernel.org/stable/c/393331e16ce205e036e58b3d8ca4ee2e635f21d9", }, { url: "https://git.kernel.org/stable/c/06ff97a20b8c9e9d256b0d2c3e87f78f8ccea3de", }, { url: "https://git.kernel.org/stable/c/927abc5b7d6d2c2e936bec5a2f71d9512c5e72f7", }, { url: "https://git.kernel.org/stable/c/b4afe4183ec77f230851ea139d91e5cf2644c68b", }, ], title: "resource: fix region_intersects() vs add_memory_driver_managed()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49878", datePublished: "2024-10-21T18:01:17.468Z", dateReserved: "2024-10-21T12:17:06.021Z", dateUpdated: "2024-12-19T09:28:12.751Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47732
Vulnerability from cvelistv5
Published
2024-10-21 12:14
Modified
2024-12-19 09:26
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: iaa - Fix potential use after free bug
The free_device_compression_mode(iaa_device, device_mode) function frees
"device_mode" but it iss passed to iaa_compression_modes[i]->free() a few
lines later resulting in a use after free.
The good news is that, so far as I can tell, nothing implements the
->free() function and the use after free happens in dead code. But, with
this fix, when something does implement it, we'll be ready. :)
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47732", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:00:23.321924Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:15.743Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/crypto/intel/iaa/iaa_crypto_main.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "b5d534b473e2c8d3e4560be2dd6c12a8eb9d61e9", status: "affected", version: "b190447e0fa3ef7355480d641d078962e03768b4", versionType: "git", }, { lessThan: "c66f0be993ba52410edab06124c54ecf143b05c1", status: "affected", version: "b190447e0fa3ef7355480d641d078962e03768b4", versionType: "git", }, { lessThan: "e0d3b845a1b10b7b5abdad7ecc69d45b2aab3209", status: "affected", version: "b190447e0fa3ef7355480d641d078962e03768b4", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/crypto/intel/iaa/iaa_crypto_main.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.8", }, { lessThan: "6.8", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: iaa - Fix potential use after free bug\n\nThe free_device_compression_mode(iaa_device, device_mode) function frees\n\"device_mode\" but it iss passed to iaa_compression_modes[i]->free() a few\nlines later resulting in a use after free.\n\nThe good news is that, so far as I can tell, nothing implements the\n->free() function and the use after free happens in dead code. But, with\nthis fix, when something does implement it, we'll be ready. :)", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:26:59.484Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/b5d534b473e2c8d3e4560be2dd6c12a8eb9d61e9", }, { url: "https://git.kernel.org/stable/c/c66f0be993ba52410edab06124c54ecf143b05c1", }, { url: "https://git.kernel.org/stable/c/e0d3b845a1b10b7b5abdad7ecc69d45b2aab3209", }, ], title: "crypto: iaa - Fix potential use after free bug", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47732", datePublished: "2024-10-21T12:14:03.863Z", dateReserved: "2024-09-30T16:00:12.958Z", dateUpdated: "2024-12-19T09:26:59.484Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49884
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2025-02-02 10:14
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix slab-use-after-free in ext4_split_extent_at()
We hit the following use-after-free:
==================================================================
BUG: KASAN: slab-use-after-free in ext4_split_extent_at+0xba8/0xcc0
Read of size 2 at addr ffff88810548ed08 by task kworker/u20:0/40
CPU: 0 PID: 40 Comm: kworker/u20:0 Not tainted 6.9.0-dirty #724
Call Trace:
<TASK>
kasan_report+0x93/0xc0
ext4_split_extent_at+0xba8/0xcc0
ext4_split_extent.isra.0+0x18f/0x500
ext4_split_convert_extents+0x275/0x750
ext4_ext_handle_unwritten_extents+0x73e/0x1580
ext4_ext_map_blocks+0xe20/0x2dc0
ext4_map_blocks+0x724/0x1700
ext4_do_writepages+0x12d6/0x2a70
[...]
Allocated by task 40:
__kmalloc_noprof+0x1ac/0x480
ext4_find_extent+0xf3b/0x1e70
ext4_ext_map_blocks+0x188/0x2dc0
ext4_map_blocks+0x724/0x1700
ext4_do_writepages+0x12d6/0x2a70
[...]
Freed by task 40:
kfree+0xf1/0x2b0
ext4_find_extent+0xa71/0x1e70
ext4_ext_insert_extent+0xa22/0x3260
ext4_split_extent_at+0x3ef/0xcc0
ext4_split_extent.isra.0+0x18f/0x500
ext4_split_convert_extents+0x275/0x750
ext4_ext_handle_unwritten_extents+0x73e/0x1580
ext4_ext_map_blocks+0xe20/0x2dc0
ext4_map_blocks+0x724/0x1700
ext4_do_writepages+0x12d6/0x2a70
[...]
==================================================================
The flow of issue triggering is as follows:
ext4_split_extent_at
path = *ppath
ext4_ext_insert_extent(ppath)
ext4_ext_create_new_leaf(ppath)
ext4_find_extent(orig_path)
path = *orig_path
read_extent_tree_block
// return -ENOMEM or -EIO
ext4_free_ext_path(path)
kfree(path)
*orig_path = NULL
a. If err is -ENOMEM:
ext4_ext_dirty(path + path->p_depth)
// path use-after-free !!!
b. If err is -EIO and we have EXT_DEBUG defined:
ext4_ext_show_leaf(path)
eh = path[depth].p_hdr
// path also use-after-free !!!
So when trying to zeroout or fix the extent length, call ext4_find_extent()
to update the path.
In addition we use *ppath directly as an ext4_ext_show_leaf() input to
avoid possible use-after-free when EXT_DEBUG is defined, and to avoid
unnecessary path updates.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: dfe5080939ea4686b3414b5d970a9b26733c57a4 Version: dfe5080939ea4686b3414b5d970a9b26733c57a4 Version: dfe5080939ea4686b3414b5d970a9b26733c57a4 Version: dfe5080939ea4686b3414b5d970a9b26733c57a4 Version: dfe5080939ea4686b3414b5d970a9b26733c57a4 Version: dfe5080939ea4686b3414b5d970a9b26733c57a4 Version: dfe5080939ea4686b3414b5d970a9b26733c57a4 Version: dfe5080939ea4686b3414b5d970a9b26733c57a4 Version: dfe5080939ea4686b3414b5d970a9b26733c57a4 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49884", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:45:15.776351Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:50.117Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/ext4/extents.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "393a46f60ea4f249dc9d496d4eb2d542f5e11ade", status: "affected", version: "dfe5080939ea4686b3414b5d970a9b26733c57a4", versionType: "git", }, { lessThan: "448100a29395b0c8b4c42967155849fe0fbe808f", status: "affected", version: "dfe5080939ea4686b3414b5d970a9b26733c57a4", versionType: "git", }, { lessThan: "e52f933598b781d291b9297e39c463536da0e185", status: "affected", version: "dfe5080939ea4686b3414b5d970a9b26733c57a4", versionType: "git", }, { lessThan: "cafcc1bd62934547c76abf46c6d0d54f135006fe", status: "affected", version: "dfe5080939ea4686b3414b5d970a9b26733c57a4", versionType: "git", }, { lessThan: "a5401d4c3e2a3d25643c567d26e6de327774a2c9", status: "affected", version: "dfe5080939ea4686b3414b5d970a9b26733c57a4", versionType: "git", }, { lessThan: "8fe117790b37c84c651e2bad9efc0e7fda73c0e3", status: "affected", version: "dfe5080939ea4686b3414b5d970a9b26733c57a4", versionType: "git", }, { lessThan: "5d949ea75bb529ea6342e83465938a3b0ac51238", status: "affected", version: "dfe5080939ea4686b3414b5d970a9b26733c57a4", versionType: "git", }, { lessThan: "915ac3630488af0ca194dc63b86d99802b4f6e18", status: "affected", version: "dfe5080939ea4686b3414b5d970a9b26733c57a4", versionType: "git", }, { lessThan: "c26ab35702f8cd0cdc78f96aa5856bfb77be798f", status: "affected", version: "dfe5080939ea4686b3414b5d970a9b26733c57a4", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/ext4/extents.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "3.18", }, { lessThan: "3.18", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.290", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix slab-use-after-free in ext4_split_extent_at()\n\nWe hit the following use-after-free:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in ext4_split_extent_at+0xba8/0xcc0\nRead of size 2 at addr ffff88810548ed08 by task kworker/u20:0/40\nCPU: 0 PID: 40 Comm: kworker/u20:0 Not tainted 6.9.0-dirty #724\nCall Trace:\n <TASK>\n kasan_report+0x93/0xc0\n ext4_split_extent_at+0xba8/0xcc0\n ext4_split_extent.isra.0+0x18f/0x500\n ext4_split_convert_extents+0x275/0x750\n ext4_ext_handle_unwritten_extents+0x73e/0x1580\n ext4_ext_map_blocks+0xe20/0x2dc0\n ext4_map_blocks+0x724/0x1700\n ext4_do_writepages+0x12d6/0x2a70\n[...]\n\nAllocated by task 40:\n __kmalloc_noprof+0x1ac/0x480\n ext4_find_extent+0xf3b/0x1e70\n ext4_ext_map_blocks+0x188/0x2dc0\n ext4_map_blocks+0x724/0x1700\n ext4_do_writepages+0x12d6/0x2a70\n[...]\n\nFreed by task 40:\n kfree+0xf1/0x2b0\n ext4_find_extent+0xa71/0x1e70\n ext4_ext_insert_extent+0xa22/0x3260\n ext4_split_extent_at+0x3ef/0xcc0\n ext4_split_extent.isra.0+0x18f/0x500\n ext4_split_convert_extents+0x275/0x750\n ext4_ext_handle_unwritten_extents+0x73e/0x1580\n ext4_ext_map_blocks+0xe20/0x2dc0\n ext4_map_blocks+0x724/0x1700\n ext4_do_writepages+0x12d6/0x2a70\n[...]\n==================================================================\n\nThe flow of issue triggering is as follows:\n\next4_split_extent_at\n path = *ppath\n ext4_ext_insert_extent(ppath)\n ext4_ext_create_new_leaf(ppath)\n ext4_find_extent(orig_path)\n path = *orig_path\n read_extent_tree_block\n // return -ENOMEM or -EIO\n ext4_free_ext_path(path)\n kfree(path)\n *orig_path = NULL\n a. If err is -ENOMEM:\n ext4_ext_dirty(path + path->p_depth)\n // path use-after-free !!!\n b. If err is -EIO and we have EXT_DEBUG defined:\n ext4_ext_show_leaf(path)\n eh = path[depth].p_hdr\n // path also use-after-free !!!\n\nSo when trying to zeroout or fix the extent length, call ext4_find_extent()\nto update the path.\n\nIn addition we use *ppath directly as an ext4_ext_show_leaf() input to\navoid possible use-after-free when EXT_DEBUG is defined, and to avoid\nunnecessary path updates.", }, ], providerMetadata: { dateUpdated: "2025-02-02T10:14:42.912Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/393a46f60ea4f249dc9d496d4eb2d542f5e11ade", }, { url: "https://git.kernel.org/stable/c/448100a29395b0c8b4c42967155849fe0fbe808f", }, { url: "https://git.kernel.org/stable/c/e52f933598b781d291b9297e39c463536da0e185", }, { url: "https://git.kernel.org/stable/c/cafcc1bd62934547c76abf46c6d0d54f135006fe", }, { url: "https://git.kernel.org/stable/c/a5401d4c3e2a3d25643c567d26e6de327774a2c9", }, { url: "https://git.kernel.org/stable/c/8fe117790b37c84c651e2bad9efc0e7fda73c0e3", }, { url: "https://git.kernel.org/stable/c/5d949ea75bb529ea6342e83465938a3b0ac51238", }, { url: "https://git.kernel.org/stable/c/915ac3630488af0ca194dc63b86d99802b4f6e18", }, { url: "https://git.kernel.org/stable/c/c26ab35702f8cd0cdc78f96aa5856bfb77be798f", }, ], title: "ext4: fix slab-use-after-free in ext4_split_extent_at()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49884", datePublished: "2024-10-21T18:01:21.517Z", dateReserved: "2024-10-21T12:17:06.022Z", dateUpdated: "2025-02-02T10:14:42.912Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50011
Vulnerability from cvelistv5
Published
2024-10-21 18:54
Modified
2024-12-19 09:31
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: Intel: soc-acpi-intel-rpl-match: add missing empty item
There is no links_num in struct snd_soc_acpi_mach {}, and we test
!link->num_adr as a condition to end the loop in hda_sdw_machine_select().
So an empty item in struct snd_soc_acpi_link_adr array is required.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50011", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:28:38.116679Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:39.666Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "sound/soc/intel/common/soc-acpi-intel-rpl-match.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "aa3109ee91fe09e696274e6ac44813df8d13678f", status: "affected", version: "65ab45b90656e9b7ed51bce27ab7d83618167e76", versionType: "git", }, { lessThan: "5afc29ba44fdd1bcbad4e07246c395d946301580", status: "affected", version: "65ab45b90656e9b7ed51bce27ab7d83618167e76", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "sound/soc/intel/common/soc-acpi-intel-rpl-match.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.11", }, { lessThan: "6.11", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: Intel: soc-acpi-intel-rpl-match: add missing empty item\n\nThere is no links_num in struct snd_soc_acpi_mach {}, and we test\n!link->num_adr as a condition to end the loop in hda_sdw_machine_select().\nSo an empty item in struct snd_soc_acpi_link_adr array is required.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:31:15.073Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/aa3109ee91fe09e696274e6ac44813df8d13678f", }, { url: "https://git.kernel.org/stable/c/5afc29ba44fdd1bcbad4e07246c395d946301580", }, ], title: "ASoC: Intel: soc-acpi-intel-rpl-match: add missing empty item", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50011", datePublished: "2024-10-21T18:54:03.683Z", dateReserved: "2024-10-21T12:17:06.061Z", dateUpdated: "2024-12-19T09:31:15.073Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48966
Vulnerability from cvelistv5
Published
2024-10-21 20:05
Modified
2024-12-19 08:11
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: mvneta: Prevent out of bounds read in mvneta_config_rss()
The pp->indir[0] value comes from the user. It is passed to:
if (cpu_online(pp->rxq_def))
inside the mvneta_percpu_elect() function. It needs bounds checkeding
to ensure that it is not beyond the end of the cpu bitmap.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: cad5d847a093077b499a8b0bbfe6804b9226c03e Version: cad5d847a093077b499a8b0bbfe6804b9226c03e Version: cad5d847a093077b499a8b0bbfe6804b9226c03e Version: cad5d847a093077b499a8b0bbfe6804b9226c03e Version: cad5d847a093077b499a8b0bbfe6804b9226c03e Version: cad5d847a093077b499a8b0bbfe6804b9226c03e Version: cad5d847a093077b499a8b0bbfe6804b9226c03e Version: cad5d847a093077b499a8b0bbfe6804b9226c03e |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48966", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:19:44.933611Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:38.488Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/ethernet/marvell/mvneta.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "3ceffb8f410b93553fb16fe7e84aa0d35b3ba79b", status: "affected", version: "cad5d847a093077b499a8b0bbfe6804b9226c03e", versionType: "git", }, { lessThan: "47a1a2f6cd5ec3a4f8a2d9bfa1e0605347cdb92c", status: "affected", version: "cad5d847a093077b499a8b0bbfe6804b9226c03e", versionType: "git", }, { lessThan: "5a142486a0db6b0b85031f22d69acd0cdcf8f72b", status: "affected", version: "cad5d847a093077b499a8b0bbfe6804b9226c03e", versionType: "git", }, { lessThan: "eec1fc21edc2bb99c9e66cf66f0b5d4d643fbb50", status: "affected", version: "cad5d847a093077b499a8b0bbfe6804b9226c03e", versionType: "git", }, { lessThan: "146ebee8fcdb349d7ec0e49915e6cdafb92544ae", status: "affected", version: "cad5d847a093077b499a8b0bbfe6804b9226c03e", versionType: "git", }, { lessThan: "a6b30598fec84f8809f5417cde73071ca43e8471", status: "affected", version: "cad5d847a093077b499a8b0bbfe6804b9226c03e", versionType: "git", }, { lessThan: "6ca0a506dddc3e1d636935eef339576b263bf3d8", status: "affected", version: "cad5d847a093077b499a8b0bbfe6804b9226c03e", versionType: "git", }, { lessThan: "e8b4fc13900b8e8be48debffd0dfd391772501f7", status: "affected", version: "cad5d847a093077b499a8b0bbfe6804b9226c03e", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/ethernet/marvell/mvneta.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "4.5", }, { lessThan: "4.5", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.9.*", status: "unaffected", version: "4.9.336", versionType: "semver", }, { lessThanOrEqual: "4.14.*", status: "unaffected", version: "4.14.302", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.269", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.227", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.159", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.83", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.13", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mvneta: Prevent out of bounds read in mvneta_config_rss()\n\nThe pp->indir[0] value comes from the user. It is passed to:\n\n\tif (cpu_online(pp->rxq_def))\n\ninside the mvneta_percpu_elect() function. It needs bounds checkeding\nto ensure that it is not beyond the end of the cpu bitmap.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:11:31.364Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/3ceffb8f410b93553fb16fe7e84aa0d35b3ba79b", }, { url: "https://git.kernel.org/stable/c/47a1a2f6cd5ec3a4f8a2d9bfa1e0605347cdb92c", }, { url: "https://git.kernel.org/stable/c/5a142486a0db6b0b85031f22d69acd0cdcf8f72b", }, { url: "https://git.kernel.org/stable/c/eec1fc21edc2bb99c9e66cf66f0b5d4d643fbb50", }, { url: "https://git.kernel.org/stable/c/146ebee8fcdb349d7ec0e49915e6cdafb92544ae", }, { url: "https://git.kernel.org/stable/c/a6b30598fec84f8809f5417cde73071ca43e8471", }, { url: "https://git.kernel.org/stable/c/6ca0a506dddc3e1d636935eef339576b263bf3d8", }, { url: "https://git.kernel.org/stable/c/e8b4fc13900b8e8be48debffd0dfd391772501f7", }, ], title: "net: mvneta: Prevent out of bounds read in mvneta_config_rss()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48966", datePublished: "2024-10-21T20:05:49.126Z", dateReserved: "2024-08-22T01:27:53.628Z", dateUpdated: "2024-12-19T08:11:31.364Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-49024
Vulnerability from cvelistv5
Published
2024-10-21 20:06
Modified
2024-12-19 08:12
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: m_can: pci: add missing m_can_class_free_dev() in probe/remove methods
In m_can_pci_remove() and error handling path of m_can_pci_probe(),
m_can_class_free_dev() should be called to free resource allocated by
m_can_class_allocate_dev(), otherwise there will be memleak.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-49024", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:12:11.525912Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:36.721Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/can/m_can/m_can_pci.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "ea8dc27bb044e19868155e500ce397007be98656", status: "affected", version: "cab7ffc0324f053c8fb56c821cdd63dc0383270d", versionType: "git", }, { lessThan: "0bbb88651ef6b7fbb1bf75ec7ba69add632e834b", status: "affected", version: "cab7ffc0324f053c8fb56c821cdd63dc0383270d", versionType: "git", }, { lessThan: "1eca1d4cc21b6d0fc5f9a390339804c0afce9439", status: "affected", version: "cab7ffc0324f053c8fb56c821cdd63dc0383270d", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/can/m_can/m_can_pci.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.11", }, { lessThan: "5.11", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.82", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.12", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: m_can: pci: add missing m_can_class_free_dev() in probe/remove methods\n\nIn m_can_pci_remove() and error handling path of m_can_pci_probe(),\nm_can_class_free_dev() should be called to free resource allocated by\nm_can_class_allocate_dev(), otherwise there will be memleak.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:12:39.329Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/ea8dc27bb044e19868155e500ce397007be98656", }, { url: "https://git.kernel.org/stable/c/0bbb88651ef6b7fbb1bf75ec7ba69add632e834b", }, { url: "https://git.kernel.org/stable/c/1eca1d4cc21b6d0fc5f9a390339804c0afce9439", }, ], title: "can: m_can: pci: add missing m_can_class_free_dev() in probe/remove methods", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-49024", datePublished: "2024-10-21T20:06:30.544Z", dateReserved: "2024-08-22T01:27:53.650Z", dateUpdated: "2024-12-19T08:12:39.329Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47750
Vulnerability from cvelistv5
Published
2024-10-21 12:14
Modified
2024-12-19 09:27
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/hns: Fix Use-After-Free of rsv_qp on HIP08
Currently rsv_qp is freed before ib_unregister_device() is called
on HIP08. During the time interval, users can still dereg MR and
rsv_qp will be used in this process, leading to a UAF. Move the
release of rsv_qp after calling ib_unregister_device() to fix it.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 70f92521584f1d1e8268311ee84413307b0fdea8 Version: 70f92521584f1d1e8268311ee84413307b0fdea8 Version: 70f92521584f1d1e8268311ee84413307b0fdea8 Version: 70f92521584f1d1e8268311ee84413307b0fdea8 Version: 70f92521584f1d1e8268311ee84413307b0fdea8 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47750", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T12:58:02.690049Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:13.178Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/infiniband/hw/hns/hns_roce_hw_v2.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "2ccf1c75d39949d8ea043d04a2e92d7100ea723d", status: "affected", version: "70f92521584f1d1e8268311ee84413307b0fdea8", versionType: "git", }, { lessThan: "d2d9c5127122745da6e887f451dd248cfeffca33", status: "affected", version: "70f92521584f1d1e8268311ee84413307b0fdea8", versionType: "git", }, { lessThan: "dac2723d8bfa9cf5333f477741e6e5fa1ed34645", status: "affected", version: "70f92521584f1d1e8268311ee84413307b0fdea8", versionType: "git", }, { lessThan: "60595923371c2ebe7faf82536c47eb0c967e3425", status: "affected", version: "70f92521584f1d1e8268311ee84413307b0fdea8", versionType: "git", }, { lessThan: "fd8489294dd2beefb70f12ec4f6132aeec61a4d0", status: "affected", version: "70f92521584f1d1e8268311ee84413307b0fdea8", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/infiniband/hw/hns/hns_roce_hw_v2.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.18", }, { lessThan: "5.18", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hns: Fix Use-After-Free of rsv_qp on HIP08\n\nCurrently rsv_qp is freed before ib_unregister_device() is called\non HIP08. During the time interval, users can still dereg MR and\nrsv_qp will be used in this process, leading to a UAF. Move the\nrelease of rsv_qp after calling ib_unregister_device() to fix it.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:27:22.984Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/2ccf1c75d39949d8ea043d04a2e92d7100ea723d", }, { url: "https://git.kernel.org/stable/c/d2d9c5127122745da6e887f451dd248cfeffca33", }, { url: "https://git.kernel.org/stable/c/dac2723d8bfa9cf5333f477741e6e5fa1ed34645", }, { url: "https://git.kernel.org/stable/c/60595923371c2ebe7faf82536c47eb0c967e3425", }, { url: "https://git.kernel.org/stable/c/fd8489294dd2beefb70f12ec4f6132aeec61a4d0", }, ], title: "RDMA/hns: Fix Use-After-Free of rsv_qp on HIP08", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47750", datePublished: "2024-10-21T12:14:15.786Z", dateReserved: "2024-09-30T16:00:12.961Z", dateUpdated: "2024-12-19T09:27:22.984Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49879
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:28
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm: omapdrm: Add missing check for alloc_ordered_workqueue
As it may return NULL pointer and cause NULL pointer dereference. Add check
for the return value of alloc_ordered_workqueue.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 2f95bc6d324a93b2411bcc5defe4d4414c45f325 Version: 2f95bc6d324a93b2411bcc5defe4d4414c45f325 Version: 2f95bc6d324a93b2411bcc5defe4d4414c45f325 Version: 2f95bc6d324a93b2411bcc5defe4d4414c45f325 Version: 2f95bc6d324a93b2411bcc5defe4d4414c45f325 Version: 2f95bc6d324a93b2411bcc5defe4d4414c45f325 Version: 2f95bc6d324a93b2411bcc5defe4d4414c45f325 Version: 2f95bc6d324a93b2411bcc5defe4d4414c45f325 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49879", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:45:54.796805Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:50.809Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/omapdrm/omap_drv.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "c17a4f52fa3c3dac2dd6a3c38f2de7342d97d74c", status: "affected", version: "2f95bc6d324a93b2411bcc5defe4d4414c45f325", versionType: "git", }, { lessThan: "2bda89735199683b03f55b807bd1e31a3857520b", status: "affected", version: "2f95bc6d324a93b2411bcc5defe4d4414c45f325", versionType: "git", }, { lessThan: "e60b0d3b5aa2e8d934deca9e11215af84e632bc9", status: "affected", version: "2f95bc6d324a93b2411bcc5defe4d4414c45f325", versionType: "git", }, { lessThan: "f37a1d9e5e22d5489309c3cd2db476dcdcc6530c", status: "affected", version: "2f95bc6d324a93b2411bcc5defe4d4414c45f325", versionType: "git", }, { lessThan: "b57b53e8ffcdfda87d954fc4187426a54fe75a3d", status: "affected", version: "2f95bc6d324a93b2411bcc5defe4d4414c45f325", versionType: "git", }, { lessThan: "0d71916694aceb207fefecf62dfa811ec1108bbd", status: "affected", version: "2f95bc6d324a93b2411bcc5defe4d4414c45f325", versionType: "git", }, { lessThan: "334de68eda2b99892ba869c15cb59bc956fd9f42", status: "affected", version: "2f95bc6d324a93b2411bcc5defe4d4414c45f325", versionType: "git", }, { lessThan: "e794b7b9b92977365c693760a259f8eef940c536", status: "affected", version: "2f95bc6d324a93b2411bcc5defe4d4414c45f325", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/omapdrm/omap_drv.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "4.11", }, { lessThan: "4.11", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: omapdrm: Add missing check for alloc_ordered_workqueue\n\nAs it may return NULL pointer and cause NULL pointer dereference. Add check\nfor the return value of alloc_ordered_workqueue.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:28:13.953Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/c17a4f52fa3c3dac2dd6a3c38f2de7342d97d74c", }, { url: "https://git.kernel.org/stable/c/2bda89735199683b03f55b807bd1e31a3857520b", }, { url: "https://git.kernel.org/stable/c/e60b0d3b5aa2e8d934deca9e11215af84e632bc9", }, { url: "https://git.kernel.org/stable/c/f37a1d9e5e22d5489309c3cd2db476dcdcc6530c", }, { url: "https://git.kernel.org/stable/c/b57b53e8ffcdfda87d954fc4187426a54fe75a3d", }, { url: "https://git.kernel.org/stable/c/0d71916694aceb207fefecf62dfa811ec1108bbd", }, { url: "https://git.kernel.org/stable/c/334de68eda2b99892ba869c15cb59bc956fd9f42", }, { url: "https://git.kernel.org/stable/c/e794b7b9b92977365c693760a259f8eef940c536", }, ], title: "drm: omapdrm: Add missing check for alloc_ordered_workqueue", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49879", datePublished: "2024-10-21T18:01:18.132Z", dateReserved: "2024-10-21T12:17:06.021Z", dateUpdated: "2024-12-19T09:28:13.953Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50012
Vulnerability from cvelistv5
Published
2024-10-21 18:54
Modified
2024-12-19 09:31
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
cpufreq: Avoid a bad reference count on CPU node
In the parse_perf_domain function, if the call to
of_parse_phandle_with_args returns an error, then the reference to the
CPU device node that was acquired at the start of the function would not
be properly decremented.
Address this by declaring the variable with the __free(device_node)
cleanup attribute.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50012", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:28:30.584566Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:48.565Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "include/linux/cpufreq.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "6c3d8387839252f1a0fc6367f314446e4a2ebd0b", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "0f41f383b5a61a2bf6429a449ebba7fb08179d81", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "77f88b17387a017416babf1e6488fa17682287e2", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "47cb1d9278f179df8250304ec41009e3e836a926", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "c0f02536fffbbec71aced36d52a765f8c4493dc2", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "include/linux/cpufreq.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.116", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: Avoid a bad reference count on CPU node\n\nIn the parse_perf_domain function, if the call to\nof_parse_phandle_with_args returns an error, then the reference to the\nCPU device node that was acquired at the start of the function would not\nbe properly decremented.\n\nAddress this by declaring the variable with the __free(device_node)\ncleanup attribute.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:31:16.263Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/6c3d8387839252f1a0fc6367f314446e4a2ebd0b", }, { url: "https://git.kernel.org/stable/c/0f41f383b5a61a2bf6429a449ebba7fb08179d81", }, { url: "https://git.kernel.org/stable/c/77f88b17387a017416babf1e6488fa17682287e2", }, { url: "https://git.kernel.org/stable/c/47cb1d9278f179df8250304ec41009e3e836a926", }, { url: "https://git.kernel.org/stable/c/c0f02536fffbbec71aced36d52a765f8c4493dc2", }, ], title: "cpufreq: Avoid a bad reference count on CPU node", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50012", datePublished: "2024-10-21T18:54:04.377Z", dateReserved: "2024-10-21T12:17:06.061Z", dateUpdated: "2024-12-19T09:31:16.263Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48971
Vulnerability from cvelistv5
Published
2024-10-21 20:05
Modified
2024-12-19 08:11
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: Fix not cleanup led when bt_init fails
bt_init() calls bt_leds_init() to register led, but if it fails later,
bt_leds_cleanup() is not called to unregister it.
This can cause panic if the argument "bluetooth-power" in text is freed
and then another led_trigger_register() tries to access it:
BUG: unable to handle page fault for address: ffffffffc06d3bc0
RIP: 0010:strcmp+0xc/0x30
Call Trace:
<TASK>
led_trigger_register+0x10d/0x4f0
led_trigger_register_simple+0x7d/0x100
bt_init+0x39/0xf7 [bluetooth]
do_one_initcall+0xd0/0x4e0
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: e64c97b53bc6727aa4385535166aaa047281e02d Version: e64c97b53bc6727aa4385535166aaa047281e02d Version: e64c97b53bc6727aa4385535166aaa047281e02d Version: e64c97b53bc6727aa4385535166aaa047281e02d Version: e64c97b53bc6727aa4385535166aaa047281e02d Version: e64c97b53bc6727aa4385535166aaa047281e02d |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48971", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:19:08.445851Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:37.798Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/bluetooth/af_bluetooth.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "8a66c3a94285552f6a8e45d73b34ebbad11d388b", status: "affected", version: "e64c97b53bc6727aa4385535166aaa047281e02d", versionType: "git", }, { lessThan: "2c6cf0afc3856359e620e96edd952457d258e16c", status: "affected", version: "e64c97b53bc6727aa4385535166aaa047281e02d", versionType: "git", }, { lessThan: "e7b950458156d410509a08c41930b75e72985938", status: "affected", version: "e64c97b53bc6727aa4385535166aaa047281e02d", versionType: "git", }, { lessThan: "edf7284a98296369dd0891a0457eec37df244873", status: "affected", version: "e64c97b53bc6727aa4385535166aaa047281e02d", versionType: "git", }, { lessThan: "5ecf7cd6fde5e72c87122084cf00d63e35d8dd9f", status: "affected", version: "e64c97b53bc6727aa4385535166aaa047281e02d", versionType: "git", }, { lessThan: "2f3957c7eb4e07df944169a3e50a4d6790e1c744", status: "affected", version: "e64c97b53bc6727aa4385535166aaa047281e02d", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/bluetooth/af_bluetooth.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "4.9", }, { lessThan: "4.9", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.269", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.227", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.159", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.83", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.13", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix not cleanup led when bt_init fails\n\nbt_init() calls bt_leds_init() to register led, but if it fails later,\nbt_leds_cleanup() is not called to unregister it.\n\nThis can cause panic if the argument \"bluetooth-power\" in text is freed\nand then another led_trigger_register() tries to access it:\n\nBUG: unable to handle page fault for address: ffffffffc06d3bc0\nRIP: 0010:strcmp+0xc/0x30\n Call Trace:\n <TASK>\n led_trigger_register+0x10d/0x4f0\n led_trigger_register_simple+0x7d/0x100\n bt_init+0x39/0xf7 [bluetooth]\n do_one_initcall+0xd0/0x4e0", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:11:37.839Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/8a66c3a94285552f6a8e45d73b34ebbad11d388b", }, { url: "https://git.kernel.org/stable/c/2c6cf0afc3856359e620e96edd952457d258e16c", }, { url: "https://git.kernel.org/stable/c/e7b950458156d410509a08c41930b75e72985938", }, { url: "https://git.kernel.org/stable/c/edf7284a98296369dd0891a0457eec37df244873", }, { url: "https://git.kernel.org/stable/c/5ecf7cd6fde5e72c87122084cf00d63e35d8dd9f", }, { url: "https://git.kernel.org/stable/c/2f3957c7eb4e07df944169a3e50a4d6790e1c744", }, ], title: "Bluetooth: Fix not cleanup led when bt_init fails", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48971", datePublished: "2024-10-21T20:05:52.363Z", dateReserved: "2024-08-22T01:27:53.629Z", dateUpdated: "2024-12-19T08:11:37.839Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-49021
Vulnerability from cvelistv5
Published
2024-10-21 20:06
Modified
2024-12-19 08:12
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: phy: fix null-ptr-deref while probe() failed
I got a null-ptr-deref report as following when doing fault injection test:
BUG: kernel NULL pointer dereference, address: 0000000000000058
Oops: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 1 PID: 253 Comm: 507-spi-dm9051 Tainted: G B N 6.1.0-rc3+
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:klist_put+0x2d/0xd0
Call Trace:
<TASK>
klist_remove+0xf1/0x1c0
device_release_driver_internal+0x23e/0x2d0
bus_remove_device+0x1bd/0x240
device_del+0x357/0x770
phy_device_remove+0x11/0x30
mdiobus_unregister+0xa5/0x140
release_nodes+0x6a/0xa0
devres_release_all+0xf8/0x150
device_unbind_cleanup+0x19/0xd0
//probe path:
phy_device_register()
device_add()
phy_connect
phy_attach_direct() //set device driver
probe() //it's failed, driver is not bound
device_bind_driver() // probe failed, it's not called
//remove path:
phy_device_remove()
device_del()
device_release_driver_internal()
__device_release_driver() //dev->drv is not NULL
klist_remove() <- knode_driver is not added yet, cause null-ptr-deref
In phy_attach_direct(), after setting the 'dev->driver', probe() fails,
device_bind_driver() is not called, so the knode_driver->n_klist is not
set, then it causes null-ptr-deref in __device_release_driver() while
deleting device. Fix this by setting dev->driver to NULL in the error
path in phy_attach_direct().
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: e13934563db047043ccead26412f552375cea90c Version: e13934563db047043ccead26412f552375cea90c Version: e13934563db047043ccead26412f552375cea90c Version: e13934563db047043ccead26412f552375cea90c Version: e13934563db047043ccead26412f552375cea90c Version: e13934563db047043ccead26412f552375cea90c Version: e13934563db047043ccead26412f552375cea90c Version: e13934563db047043ccead26412f552375cea90c |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-49021", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:12:34.199961Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:37.179Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/phy/phy_device.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "8aaafe0f71314f46a066382a047ba8bb3840d273", status: "affected", version: "e13934563db047043ccead26412f552375cea90c", versionType: "git", }, { lessThan: "51d7f6b20fae8bae64ad1136f1e30d1fd5ba78f7", status: "affected", version: "e13934563db047043ccead26412f552375cea90c", versionType: "git", }, { lessThan: "0744c7be4de564db03e24527b2e096b7e0e20972", status: "affected", version: "e13934563db047043ccead26412f552375cea90c", versionType: "git", }, { lessThan: "3e21f85d87c836462bb52ef2078ea561260935c1", status: "affected", version: "e13934563db047043ccead26412f552375cea90c", versionType: "git", }, { lessThan: "fe6bc99c27c21348f548966118867ed26a9a372c", status: "affected", version: "e13934563db047043ccead26412f552375cea90c", versionType: "git", }, { lessThan: "7730904f50c7187dd16c76949efb56b5fb55cd57", status: "affected", version: "e13934563db047043ccead26412f552375cea90c", versionType: "git", }, { lessThan: "eaa5722549ac2604ffa56c2e946acc83226f130c", status: "affected", version: "e13934563db047043ccead26412f552375cea90c", versionType: "git", }, { lessThan: "369eb2c9f1f72adbe91e0ea8efb130f0a2ba11a6", status: "affected", version: "e13934563db047043ccead26412f552375cea90c", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/phy/phy_device.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "2.6.14", }, { lessThan: "2.6.14", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.9.*", status: "unaffected", version: "4.9.335", versionType: "semver", }, { lessThanOrEqual: "4.14.*", status: "unaffected", version: "4.14.301", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.268", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.226", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.158", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.82", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.12", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: fix null-ptr-deref while probe() failed\n\nI got a null-ptr-deref report as following when doing fault injection test:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000058\nOops: 0000 [#1] PREEMPT SMP KASAN PTI\nCPU: 1 PID: 253 Comm: 507-spi-dm9051 Tainted: G B N 6.1.0-rc3+\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\nRIP: 0010:klist_put+0x2d/0xd0\nCall Trace:\n <TASK>\n klist_remove+0xf1/0x1c0\n device_release_driver_internal+0x23e/0x2d0\n bus_remove_device+0x1bd/0x240\n device_del+0x357/0x770\n phy_device_remove+0x11/0x30\n mdiobus_unregister+0xa5/0x140\n release_nodes+0x6a/0xa0\n devres_release_all+0xf8/0x150\n device_unbind_cleanup+0x19/0xd0\n\n//probe path:\nphy_device_register()\n device_add()\n\nphy_connect\n phy_attach_direct() //set device driver\n probe() //it's failed, driver is not bound\n device_bind_driver() // probe failed, it's not called\n\n//remove path:\nphy_device_remove()\n device_del()\n device_release_driver_internal()\n __device_release_driver() //dev->drv is not NULL\n klist_remove() <- knode_driver is not added yet, cause null-ptr-deref\n\nIn phy_attach_direct(), after setting the 'dev->driver', probe() fails,\ndevice_bind_driver() is not called, so the knode_driver->n_klist is not\nset, then it causes null-ptr-deref in __device_release_driver() while\ndeleting device. Fix this by setting dev->driver to NULL in the error\npath in phy_attach_direct().", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:12:35.902Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/8aaafe0f71314f46a066382a047ba8bb3840d273", }, { url: "https://git.kernel.org/stable/c/51d7f6b20fae8bae64ad1136f1e30d1fd5ba78f7", }, { url: "https://git.kernel.org/stable/c/0744c7be4de564db03e24527b2e096b7e0e20972", }, { url: "https://git.kernel.org/stable/c/3e21f85d87c836462bb52ef2078ea561260935c1", }, { url: "https://git.kernel.org/stable/c/fe6bc99c27c21348f548966118867ed26a9a372c", }, { url: "https://git.kernel.org/stable/c/7730904f50c7187dd16c76949efb56b5fb55cd57", }, { url: "https://git.kernel.org/stable/c/eaa5722549ac2604ffa56c2e946acc83226f130c", }, { url: "https://git.kernel.org/stable/c/369eb2c9f1f72adbe91e0ea8efb130f0a2ba11a6", }, ], title: "net: phy: fix null-ptr-deref while probe() failed", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-49021", datePublished: "2024-10-21T20:06:28.608Z", dateReserved: "2024-08-22T01:27:53.649Z", dateUpdated: "2024-12-19T08:12:35.902Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49940
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:29
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
l2tp: prevent possible tunnel refcount underflow
When a session is created, it sets a backpointer to its tunnel. When
the session refcount drops to 0, l2tp_session_free drops the tunnel
refcount if session->tunnel is non-NULL. However, session->tunnel is
set in l2tp_session_create, before the tunnel refcount is incremented
by l2tp_session_register, which leaves a small window where
session->tunnel is non-NULL when the tunnel refcount hasn't been
bumped.
Moving the assignment to l2tp_session_register is trivial but
l2tp_session_create calls l2tp_session_set_header_len which uses
session->tunnel to get the tunnel's encap. Add an encap arg to
l2tp_session_set_header_len to avoid using session->tunnel.
If l2tpv3 sessions have colliding IDs, it is possible for
l2tp_v3_session_get to race with l2tp_session_register and fetch a
session which doesn't yet have session->tunnel set. Add a check for
this case.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49940", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:37:52.827630Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:50.656Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/l2tp/l2tp_core.c", "net/l2tp/l2tp_core.h", "net/l2tp/l2tp_netlink.c", "net/l2tp/l2tp_ppp.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "f7415e60c25a6108cd7955a20b2e66b6251ffe02", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "24256415d18695b46da06c93135f5b51c548b950", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/l2tp/l2tp_core.c", "net/l2tp/l2tp_core.h", "net/l2tp/l2tp_netlink.c", "net/l2tp/l2tp_ppp.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nl2tp: prevent possible tunnel refcount underflow\n\nWhen a session is created, it sets a backpointer to its tunnel. When\nthe session refcount drops to 0, l2tp_session_free drops the tunnel\nrefcount if session->tunnel is non-NULL. However, session->tunnel is\nset in l2tp_session_create, before the tunnel refcount is incremented\nby l2tp_session_register, which leaves a small window where\nsession->tunnel is non-NULL when the tunnel refcount hasn't been\nbumped.\n\nMoving the assignment to l2tp_session_register is trivial but\nl2tp_session_create calls l2tp_session_set_header_len which uses\nsession->tunnel to get the tunnel's encap. Add an encap arg to\nl2tp_session_set_header_len to avoid using session->tunnel.\n\nIf l2tpv3 sessions have colliding IDs, it is possible for\nl2tp_v3_session_get to race with l2tp_session_register and fetch a\nsession which doesn't yet have session->tunnel set. Add a check for\nthis case.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:29:37.918Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/f7415e60c25a6108cd7955a20b2e66b6251ffe02", }, { url: "https://git.kernel.org/stable/c/24256415d18695b46da06c93135f5b51c548b950", }, ], title: "l2tp: prevent possible tunnel refcount underflow", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49940", datePublished: "2024-10-21T18:01:59.668Z", dateReserved: "2024-10-21T12:17:06.043Z", dateUpdated: "2024-12-19T09:29:37.918Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47753
Vulnerability from cvelistv5
Published
2024-10-21 12:14
Modified
2024-12-19 09:27
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: mediatek: vcodec: Fix VP8 stateless decoder smatch warning
Fix a smatch static checker warning on vdec_vp8_req_if.c.
Which leads to a kernel crash when fb is NULL.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47753", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T12:57:40.138660Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:12.715Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_vp8_req_if.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "dbe5b7373801c261f3ea118145fbb2caac5f9324", status: "affected", version: "7a7ae26fd458397d04421756dd19e5b8cf29a08f", versionType: "git", }, { lessThan: "35cc704622b3a9bc02a4755d5ba80238eee3cdc2", status: "affected", version: "7a7ae26fd458397d04421756dd19e5b8cf29a08f", versionType: "git", }, { lessThan: "3167aa42941b68405a092df114453ef0f1b09c2c", status: "affected", version: "7a7ae26fd458397d04421756dd19e5b8cf29a08f", versionType: "git", }, { lessThan: "b113bc7c0e83b32f4dd2d291a2b6c4803e0a2c44", status: "affected", version: "7a7ae26fd458397d04421756dd19e5b8cf29a08f", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_vp8_req_if.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.19", }, { lessThan: "5.19", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mediatek: vcodec: Fix VP8 stateless decoder smatch warning\n\nFix a smatch static checker warning on vdec_vp8_req_if.c.\nWhich leads to a kernel crash when fb is NULL.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:27:26.864Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/dbe5b7373801c261f3ea118145fbb2caac5f9324", }, { url: "https://git.kernel.org/stable/c/35cc704622b3a9bc02a4755d5ba80238eee3cdc2", }, { url: "https://git.kernel.org/stable/c/3167aa42941b68405a092df114453ef0f1b09c2c", }, { url: "https://git.kernel.org/stable/c/b113bc7c0e83b32f4dd2d291a2b6c4803e0a2c44", }, ], title: "media: mediatek: vcodec: Fix VP8 stateless decoder smatch warning", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47753", datePublished: "2024-10-21T12:14:17.776Z", dateReserved: "2024-09-30T16:00:12.961Z", dateUpdated: "2024-12-19T09:27:26.864Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49969
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-19 09:30
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Fix index out of bounds in DCN30 color transformation
This commit addresses a potential index out of bounds issue in the
`cm3_helper_translate_curve_to_hw_format` function in the DCN30 color
management module. The issue could occur when the index 'i' exceeds the
number of transfer function points (TRANSFER_FUNC_POINTS).
The fix adds a check to ensure 'i' is within bounds before accessing the
transfer function points. If 'i' is out of bounds, the function returns
false to indicate an error.
drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:180 cm3_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max
drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:181 cm3_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max
drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:182 cm3_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49969", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:34:03.408240Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:46.509Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "7ab69af56a23859b647dee69fa1052c689343621", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "c13f9c62015c56a938304cef6d507227ea3e0039", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "0f1e222a4b41d77c442901d166fbdca967af0d86", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "929506d5671419cffd8d01e9a7f5eae53682a838", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "578422ddae3d13362b64e77ef9bab98780641631", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "b9d8b94ec7e67f0cae228c054f77b73967c389a3", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "d81873f9e715b72d4f8d391c8eb243946f784dfc", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix index out of bounds in DCN30 color transformation\n\nThis commit addresses a potential index out of bounds issue in the\n`cm3_helper_translate_curve_to_hw_format` function in the DCN30 color\nmanagement module. The issue could occur when the index 'i' exceeds the\nnumber of transfer function points (TRANSFER_FUNC_POINTS).\n\nThe fix adds a check to ensure 'i' is within bounds before accessing the\ntransfer function points. If 'i' is out of bounds, the function returns\nfalse to indicate an error.\n\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:180 cm3_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:181 cm3_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:182 cm3_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:30:23.440Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/7ab69af56a23859b647dee69fa1052c689343621", }, { url: "https://git.kernel.org/stable/c/c13f9c62015c56a938304cef6d507227ea3e0039", }, { url: "https://git.kernel.org/stable/c/0f1e222a4b41d77c442901d166fbdca967af0d86", }, { url: "https://git.kernel.org/stable/c/929506d5671419cffd8d01e9a7f5eae53682a838", }, { url: "https://git.kernel.org/stable/c/578422ddae3d13362b64e77ef9bab98780641631", }, { url: "https://git.kernel.org/stable/c/b9d8b94ec7e67f0cae228c054f77b73967c389a3", }, { url: "https://git.kernel.org/stable/c/d81873f9e715b72d4f8d391c8eb243946f784dfc", }, ], title: "drm/amd/display: Fix index out of bounds in DCN30 color transformation", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49969", datePublished: "2024-10-21T18:02:19.044Z", dateReserved: "2024-10-21T12:17:06.051Z", dateUpdated: "2024-12-19T09:30:23.440Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48981
Vulnerability from cvelistv5
Published
2024-10-21 20:05
Modified
2024-12-19 08:11
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/shmem-helper: Remove errant put in error path
drm_gem_shmem_mmap() doesn't own this reference, resulting in the GEM
object getting prematurely freed leading to a later use-after-free.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 2194a63a818db71065ebe09c8104f5f021ca4e7b Version: 2194a63a818db71065ebe09c8104f5f021ca4e7b Version: 2194a63a818db71065ebe09c8104f5f021ca4e7b Version: 2194a63a818db71065ebe09c8104f5f021ca4e7b Version: 2194a63a818db71065ebe09c8104f5f021ca4e7b |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48981", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:17:51.238868Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:43.723Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/drm_gem_shmem_helper.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "585a07b820059462e0c93b76c7de2cd946b26b40", status: "affected", version: "2194a63a818db71065ebe09c8104f5f021ca4e7b", versionType: "git", }, { lessThan: "6a4da05acd062ae7774b6b19cef2b7d922902d36", status: "affected", version: "2194a63a818db71065ebe09c8104f5f021ca4e7b", versionType: "git", }, { lessThan: "83e3da8bb92fcfa7a1d232cf55f9e6c49bb84942", status: "affected", version: "2194a63a818db71065ebe09c8104f5f021ca4e7b", versionType: "git", }, { lessThan: "586847b98e20ab02212ca5c1fc46680384e68a28", status: "affected", version: "2194a63a818db71065ebe09c8104f5f021ca4e7b", versionType: "git", }, { lessThan: "24013314be6ee4ee456114a671e9fa3461323de8", status: "affected", version: "2194a63a818db71065ebe09c8104f5f021ca4e7b", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/drm_gem_shmem_helper.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.2", }, { lessThan: "5.2", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.227", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.159", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.83", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.13", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/shmem-helper: Remove errant put in error path\n\ndrm_gem_shmem_mmap() doesn't own this reference, resulting in the GEM\nobject getting prematurely freed leading to a later use-after-free.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:11:50.837Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/585a07b820059462e0c93b76c7de2cd946b26b40", }, { url: "https://git.kernel.org/stable/c/6a4da05acd062ae7774b6b19cef2b7d922902d36", }, { url: "https://git.kernel.org/stable/c/83e3da8bb92fcfa7a1d232cf55f9e6c49bb84942", }, { url: "https://git.kernel.org/stable/c/586847b98e20ab02212ca5c1fc46680384e68a28", }, { url: "https://git.kernel.org/stable/c/24013314be6ee4ee456114a671e9fa3461323de8", }, ], title: "drm/shmem-helper: Remove errant put in error path", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48981", datePublished: "2024-10-21T20:05:59.043Z", dateReserved: "2024-08-22T01:27:53.633Z", dateUpdated: "2024-12-19T08:11:50.837Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47705
Vulnerability from cvelistv5
Published
2024-10-21 11:53
Modified
2024-12-19 09:26
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
block: fix potential invalid pointer dereference in blk_add_partition
The blk_add_partition() function initially used a single if-condition
(IS_ERR(part)) to check for errors when adding a partition. This was
modified to handle the specific case of -ENXIO separately, allowing the
function to proceed without logging the error in this case. However,
this change unintentionally left a path where md_autodetect_dev()
could be called without confirming that part is a valid pointer.
This commit separates the error handling logic by splitting the
initial if-condition, improving code readability and handling specific
error scenarios explicitly. The function now distinguishes the general
error case from -ENXIO without altering the existing behavior of
md_autodetect_dev() calls.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: b72053072c0bbe9f1cdfe2ffa3c201c185da2201 Version: b72053072c0bbe9f1cdfe2ffa3c201c185da2201 Version: b72053072c0bbe9f1cdfe2ffa3c201c185da2201 Version: b72053072c0bbe9f1cdfe2ffa3c201c185da2201 Version: b72053072c0bbe9f1cdfe2ffa3c201c185da2201 Version: b72053072c0bbe9f1cdfe2ffa3c201c185da2201 Version: b72053072c0bbe9f1cdfe2ffa3c201c185da2201 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47705", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:04:01.361907Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:19.823Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "block/partitions/core.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "4bc4272e2506941c3f3d4fb8b0c659ee814dcf6f", status: "affected", version: "b72053072c0bbe9f1cdfe2ffa3c201c185da2201", versionType: "git", }, { lessThan: "cc4d21d9492db4e534d3e01253cf885c90dd2a8b", status: "affected", version: "b72053072c0bbe9f1cdfe2ffa3c201c185da2201", versionType: "git", }, { lessThan: "64cf2a39202ca2d9df5ee70eb310b6141ce2b8ed", status: "affected", version: "b72053072c0bbe9f1cdfe2ffa3c201c185da2201", versionType: "git", }, { lessThan: "80f5bfbb80ea1615290dbc24f49d3d8c86db58fe", status: "affected", version: "b72053072c0bbe9f1cdfe2ffa3c201c185da2201", versionType: "git", }, { lessThan: "652039ba477c9a4ab43740cf2cb0d068d53508c2", status: "affected", version: "b72053072c0bbe9f1cdfe2ffa3c201c185da2201", versionType: "git", }, { lessThan: "afe53ea9b378c376101d99d216f13b6256f75189", status: "affected", version: "b72053072c0bbe9f1cdfe2ffa3c201c185da2201", versionType: "git", }, { lessThan: "26e197b7f9240a4ac301dd0ad520c0c697c2ea7d", status: "affected", version: "b72053072c0bbe9f1cdfe2ffa3c201c185da2201", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "block/partitions/core.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.5", }, { lessThan: "5.5", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix potential invalid pointer dereference in blk_add_partition\n\nThe blk_add_partition() function initially used a single if-condition\n(IS_ERR(part)) to check for errors when adding a partition. This was\nmodified to handle the specific case of -ENXIO separately, allowing the\nfunction to proceed without logging the error in this case. However,\nthis change unintentionally left a path where md_autodetect_dev()\ncould be called without confirming that part is a valid pointer.\n\nThis commit separates the error handling logic by splitting the\ninitial if-condition, improving code readability and handling specific\nerror scenarios explicitly. The function now distinguishes the general\nerror case from -ENXIO without altering the existing behavior of\nmd_autodetect_dev() calls.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:26:28.188Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/4bc4272e2506941c3f3d4fb8b0c659ee814dcf6f", }, { url: "https://git.kernel.org/stable/c/cc4d21d9492db4e534d3e01253cf885c90dd2a8b", }, { url: "https://git.kernel.org/stable/c/64cf2a39202ca2d9df5ee70eb310b6141ce2b8ed", }, { url: "https://git.kernel.org/stable/c/80f5bfbb80ea1615290dbc24f49d3d8c86db58fe", }, { url: "https://git.kernel.org/stable/c/652039ba477c9a4ab43740cf2cb0d068d53508c2", }, { url: "https://git.kernel.org/stable/c/afe53ea9b378c376101d99d216f13b6256f75189", }, { url: "https://git.kernel.org/stable/c/26e197b7f9240a4ac301dd0ad520c0c697c2ea7d", }, ], title: "block: fix potential invalid pointer dereference in blk_add_partition", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47705", datePublished: "2024-10-21T11:53:40.071Z", dateReserved: "2024-09-30T16:00:12.946Z", dateUpdated: "2024-12-19T09:26:28.188Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49903
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:28
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
jfs: Fix uaf in dbFreeBits
[syzbot reported]
==================================================================
BUG: KASAN: slab-use-after-free in __mutex_lock_common kernel/locking/mutex.c:587 [inline]
BUG: KASAN: slab-use-after-free in __mutex_lock+0xfe/0xd70 kernel/locking/mutex.c:752
Read of size 8 at addr ffff8880229254b0 by task syz-executor357/5216
CPU: 0 UID: 0 PID: 5216 Comm: syz-executor357 Not tainted 6.11.0-rc3-syzkaller-00156-gd7a5aa4b3c00 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:93 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
__mutex_lock_common kernel/locking/mutex.c:587 [inline]
__mutex_lock+0xfe/0xd70 kernel/locking/mutex.c:752
dbFreeBits+0x7ea/0xd90 fs/jfs/jfs_dmap.c:2390
dbFreeDmap fs/jfs/jfs_dmap.c:2089 [inline]
dbFree+0x35b/0x680 fs/jfs/jfs_dmap.c:409
dbDiscardAG+0x8a9/0xa20 fs/jfs/jfs_dmap.c:1650
jfs_ioc_trim+0x433/0x670 fs/jfs/jfs_discard.c:100
jfs_ioctl+0x2d0/0x3e0 fs/jfs/ioctl.c:131
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
Freed by task 5218:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
poison_slab_object+0xe0/0x150 mm/kasan/common.c:240
__kasan_slab_free+0x37/0x60 mm/kasan/common.c:256
kasan_slab_free include/linux/kasan.h:184 [inline]
slab_free_hook mm/slub.c:2252 [inline]
slab_free mm/slub.c:4473 [inline]
kfree+0x149/0x360 mm/slub.c:4594
dbUnmount+0x11d/0x190 fs/jfs/jfs_dmap.c:278
jfs_mount_rw+0x4ac/0x6a0 fs/jfs/jfs_mount.c:247
jfs_remount+0x3d1/0x6b0 fs/jfs/super.c:454
reconfigure_super+0x445/0x880 fs/super.c:1083
vfs_cmd_reconfigure fs/fsopen.c:263 [inline]
vfs_fsconfig_locked fs/fsopen.c:292 [inline]
__do_sys_fsconfig fs/fsopen.c:473 [inline]
__se_sys_fsconfig+0xb6e/0xf80 fs/fsopen.c:345
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
[Analysis]
There are two paths (dbUnmount and jfs_ioc_trim) that generate race
condition when accessing bmap, which leads to the occurrence of uaf.
Use the lock s_umount to synchronize them, in order to avoid uaf caused
by race condition.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49903", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:42:37.771677Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:47.346Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/jfs/jfs_discard.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "4ac58f7734937f3249da734ede946dfb3b1af5e4", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "3126ccde51f51b0648c8cdccaf916e8bd062e972", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "fd026b6b6758d5569705c02540b40f3bbf822b9a", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "e7ae14f7ee76c6ef5a48aebab1a278ad78f42619", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "0c238da83f56bb895cab1e5851d034ac45b158d1", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "4218b31ecc7af7e191768d32e32ed4386d8f9b76", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "a9603a6f75df2fd8125cd208c98cfaa0fe3f7505", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "95accb7183badca387f7a8d19a2475cf3089f148", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "d6c1b3599b2feb5c7291f5ac3a36e5fa7cedb234", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/jfs/jfs_discard.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: Fix uaf in dbFreeBits\n\n[syzbot reported]\n==================================================================\nBUG: KASAN: slab-use-after-free in __mutex_lock_common kernel/locking/mutex.c:587 [inline]\nBUG: KASAN: slab-use-after-free in __mutex_lock+0xfe/0xd70 kernel/locking/mutex.c:752\nRead of size 8 at addr ffff8880229254b0 by task syz-executor357/5216\n\nCPU: 0 UID: 0 PID: 5216 Comm: syz-executor357 Not tainted 6.11.0-rc3-syzkaller-00156-gd7a5aa4b3c00 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:93 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n __mutex_lock_common kernel/locking/mutex.c:587 [inline]\n __mutex_lock+0xfe/0xd70 kernel/locking/mutex.c:752\n dbFreeBits+0x7ea/0xd90 fs/jfs/jfs_dmap.c:2390\n dbFreeDmap fs/jfs/jfs_dmap.c:2089 [inline]\n dbFree+0x35b/0x680 fs/jfs/jfs_dmap.c:409\n dbDiscardAG+0x8a9/0xa20 fs/jfs/jfs_dmap.c:1650\n jfs_ioc_trim+0x433/0x670 fs/jfs/jfs_discard.c:100\n jfs_ioctl+0x2d0/0x3e0 fs/jfs/ioctl.c:131\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:907 [inline]\n __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n\nFreed by task 5218:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579\n poison_slab_object+0xe0/0x150 mm/kasan/common.c:240\n __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256\n kasan_slab_free include/linux/kasan.h:184 [inline]\n slab_free_hook mm/slub.c:2252 [inline]\n slab_free mm/slub.c:4473 [inline]\n kfree+0x149/0x360 mm/slub.c:4594\n dbUnmount+0x11d/0x190 fs/jfs/jfs_dmap.c:278\n jfs_mount_rw+0x4ac/0x6a0 fs/jfs/jfs_mount.c:247\n jfs_remount+0x3d1/0x6b0 fs/jfs/super.c:454\n reconfigure_super+0x445/0x880 fs/super.c:1083\n vfs_cmd_reconfigure fs/fsopen.c:263 [inline]\n vfs_fsconfig_locked fs/fsopen.c:292 [inline]\n __do_sys_fsconfig fs/fsopen.c:473 [inline]\n __se_sys_fsconfig+0xb6e/0xf80 fs/fsopen.c:345\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n[Analysis]\nThere are two paths (dbUnmount and jfs_ioc_trim) that generate race\ncondition when accessing bmap, which leads to the occurrence of uaf.\n\nUse the lock s_umount to synchronize them, in order to avoid uaf caused\nby race condition.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:28:43.160Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/4ac58f7734937f3249da734ede946dfb3b1af5e4", }, { url: "https://git.kernel.org/stable/c/3126ccde51f51b0648c8cdccaf916e8bd062e972", }, { url: "https://git.kernel.org/stable/c/fd026b6b6758d5569705c02540b40f3bbf822b9a", }, { url: "https://git.kernel.org/stable/c/e7ae14f7ee76c6ef5a48aebab1a278ad78f42619", }, { url: "https://git.kernel.org/stable/c/0c238da83f56bb895cab1e5851d034ac45b158d1", }, { url: "https://git.kernel.org/stable/c/4218b31ecc7af7e191768d32e32ed4386d8f9b76", }, { url: "https://git.kernel.org/stable/c/a9603a6f75df2fd8125cd208c98cfaa0fe3f7505", }, { url: "https://git.kernel.org/stable/c/95accb7183badca387f7a8d19a2475cf3089f148", }, { url: "https://git.kernel.org/stable/c/d6c1b3599b2feb5c7291f5ac3a36e5fa7cedb234", }, ], title: "jfs: Fix uaf in dbFreeBits", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49903", datePublished: "2024-10-21T18:01:34.603Z", dateReserved: "2024-10-21T12:17:06.027Z", dateUpdated: "2024-12-19T09:28:43.160Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49863
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:27
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
vhost/scsi: null-ptr-dereference in vhost_scsi_get_req()
Since commit 3f8ca2e115e5 ("vhost/scsi: Extract common handling code
from control queue handler") a null pointer dereference bug can be
triggered when guest sends an SCSI AN request.
In vhost_scsi_ctl_handle_vq(), `vc.target` is assigned with
`&v_req.tmf.lun[1]` within a switch-case block and is then passed to
vhost_scsi_get_req() which extracts `vc->req` and `tpg`. However, for
a `VIRTIO_SCSI_T_AN_*` request, tpg is not required, so `vc.target` is
set to NULL in this branch. Later, in vhost_scsi_get_req(),
`vc->target` is dereferenced without being checked, leading to a null
pointer dereference bug. This bug can be triggered from guest.
When this bug occurs, the vhost_worker process is killed while holding
`vq->mutex` and the corresponding tpg will remain occupied
indefinitely.
Below is the KASAN report:
Oops: general protection fault, probably for non-canonical address
0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 PID: 840 Comm: poc Not tainted 6.10.0+ #1
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS
1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:vhost_scsi_get_req+0x165/0x3a0
Code: 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 2b 02 00 00
48 b8 00 00 00 00 00 fc ff df 4d 8b 65 30 4c 89 e2 48 c1 ea 03 <0f> b6
04 02 4c 89 e2 83 e2 07 38 d0 7f 08 84 c0 0f 85 be 01 00 00
RSP: 0018:ffff888017affb50 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff88801b000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888017affcb8
RBP: ffff888017affb80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffff888017affc88 R14: ffff888017affd1c R15: ffff888017993000
FS: 000055556e076500(0000) GS:ffff88806b100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000200027c0 CR3: 0000000010ed0004 CR4: 0000000000370ef0
Call Trace:
<TASK>
? show_regs+0x86/0xa0
? die_addr+0x4b/0xd0
? exc_general_protection+0x163/0x260
? asm_exc_general_protection+0x27/0x30
? vhost_scsi_get_req+0x165/0x3a0
vhost_scsi_ctl_handle_vq+0x2a4/0xca0
? __pfx_vhost_scsi_ctl_handle_vq+0x10/0x10
? __switch_to+0x721/0xeb0
? __schedule+0xda5/0x5710
? __kasan_check_write+0x14/0x30
? _raw_spin_lock+0x82/0xf0
vhost_scsi_ctl_handle_kick+0x52/0x90
vhost_run_work_list+0x134/0x1b0
vhost_task_fn+0x121/0x350
...
</TASK>
---[ end trace 0000000000000000 ]---
Let's add a check in vhost_scsi_get_req.
[whitespace fixes]
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 3f8ca2e115e55af4c15d97dda635e948d2e380be Version: 3f8ca2e115e55af4c15d97dda635e948d2e380be Version: 3f8ca2e115e55af4c15d97dda635e948d2e380be Version: 3f8ca2e115e55af4c15d97dda635e948d2e380be Version: 3f8ca2e115e55af4c15d97dda635e948d2e380be Version: 3f8ca2e115e55af4c15d97dda635e948d2e380be Version: 3f8ca2e115e55af4c15d97dda635e948d2e380be |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49863", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:48:01.572962Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:53.080Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/vhost/scsi.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "6592347f06e2b19a624270a85ad4b3ae48c3b241", status: "affected", version: "3f8ca2e115e55af4c15d97dda635e948d2e380be", versionType: "git", }, { lessThan: "46128370a72c431df733af5ebb065c4d48c9ad39", status: "affected", version: "3f8ca2e115e55af4c15d97dda635e948d2e380be", versionType: "git", }, { lessThan: "ace9c778a214da9c98d7b69d904d1b0816f4f681", status: "affected", version: "3f8ca2e115e55af4c15d97dda635e948d2e380be", versionType: "git", }, { lessThan: "25613e6d9841a1f9fb985be90df921fa99f800de", status: "affected", version: "3f8ca2e115e55af4c15d97dda635e948d2e380be", versionType: "git", }, { lessThan: "00fb5b23e1c9cdbe496f5cd6b40367cb895f6c93", status: "affected", version: "3f8ca2e115e55af4c15d97dda635e948d2e380be", versionType: "git", }, { lessThan: "61517f33e76d2c5247c1e61e668693afe5b67e6f", status: "affected", version: "3f8ca2e115e55af4c15d97dda635e948d2e380be", versionType: "git", }, { lessThan: "221af82f606d928ccef19a16d35633c63026f1be", status: "affected", version: "3f8ca2e115e55af4c15d97dda635e948d2e380be", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/vhost/scsi.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "4.20", }, { lessThan: "4.20", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nvhost/scsi: null-ptr-dereference in vhost_scsi_get_req()\n\nSince commit 3f8ca2e115e5 (\"vhost/scsi: Extract common handling code\nfrom control queue handler\") a null pointer dereference bug can be\ntriggered when guest sends an SCSI AN request.\n\nIn vhost_scsi_ctl_handle_vq(), `vc.target` is assigned with\n`&v_req.tmf.lun[1]` within a switch-case block and is then passed to\nvhost_scsi_get_req() which extracts `vc->req` and `tpg`. However, for\na `VIRTIO_SCSI_T_AN_*` request, tpg is not required, so `vc.target` is\nset to NULL in this branch. Later, in vhost_scsi_get_req(),\n`vc->target` is dereferenced without being checked, leading to a null\npointer dereference bug. This bug can be triggered from guest.\n\nWhen this bug occurs, the vhost_worker process is killed while holding\n`vq->mutex` and the corresponding tpg will remain occupied\nindefinitely.\n\nBelow is the KASAN report:\nOops: general protection fault, probably for non-canonical address\n0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 1 PID: 840 Comm: poc Not tainted 6.10.0+ #1\nHardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS\n1.16.3-debian-1.16.3-2 04/01/2014\nRIP: 0010:vhost_scsi_get_req+0x165/0x3a0\nCode: 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 2b 02 00 00\n48 b8 00 00 00 00 00 fc ff df 4d 8b 65 30 4c 89 e2 48 c1 ea 03 <0f> b6\n04 02 4c 89 e2 83 e2 07 38 d0 7f 08 84 c0 0f 85 be 01 00 00\nRSP: 0018:ffff888017affb50 EFLAGS: 00010246\nRAX: dffffc0000000000 RBX: ffff88801b000000 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888017affcb8\nRBP: ffff888017affb80 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: ffff888017affc88 R14: ffff888017affd1c R15: ffff888017993000\nFS: 000055556e076500(0000) GS:ffff88806b100000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00000000200027c0 CR3: 0000000010ed0004 CR4: 0000000000370ef0\nCall Trace:\n <TASK>\n ? show_regs+0x86/0xa0\n ? die_addr+0x4b/0xd0\n ? exc_general_protection+0x163/0x260\n ? asm_exc_general_protection+0x27/0x30\n ? vhost_scsi_get_req+0x165/0x3a0\n vhost_scsi_ctl_handle_vq+0x2a4/0xca0\n ? __pfx_vhost_scsi_ctl_handle_vq+0x10/0x10\n ? __switch_to+0x721/0xeb0\n ? __schedule+0xda5/0x5710\n ? __kasan_check_write+0x14/0x30\n ? _raw_spin_lock+0x82/0xf0\n vhost_scsi_ctl_handle_kick+0x52/0x90\n vhost_run_work_list+0x134/0x1b0\n vhost_task_fn+0x121/0x350\n...\n </TASK>\n---[ end trace 0000000000000000 ]---\n\nLet's add a check in vhost_scsi_get_req.\n\n[whitespace fixes]", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:27:48.286Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/6592347f06e2b19a624270a85ad4b3ae48c3b241", }, { url: "https://git.kernel.org/stable/c/46128370a72c431df733af5ebb065c4d48c9ad39", }, { url: "https://git.kernel.org/stable/c/ace9c778a214da9c98d7b69d904d1b0816f4f681", }, { url: "https://git.kernel.org/stable/c/25613e6d9841a1f9fb985be90df921fa99f800de", }, { url: "https://git.kernel.org/stable/c/00fb5b23e1c9cdbe496f5cd6b40367cb895f6c93", }, { url: "https://git.kernel.org/stable/c/61517f33e76d2c5247c1e61e668693afe5b67e6f", }, { url: "https://git.kernel.org/stable/c/221af82f606d928ccef19a16d35633c63026f1be", }, ], title: "vhost/scsi: null-ptr-dereference in vhost_scsi_get_req()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49863", datePublished: "2024-10-21T18:01:07.166Z", dateReserved: "2024-10-21T12:17:06.017Z", dateUpdated: "2024-12-19T09:27:48.286Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49933
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:29
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
blk_iocost: fix more out of bound shifts
Recently running UBSAN caught few out of bound shifts in the
ioc_forgive_debts() function:
UBSAN: shift-out-of-bounds in block/blk-iocost.c:2142:38
shift exponent 80 is too large for 64-bit type 'u64' (aka 'unsigned long
long')
...
UBSAN: shift-out-of-bounds in block/blk-iocost.c:2144:30
shift exponent 80 is too large for 64-bit type 'u64' (aka 'unsigned long
long')
...
Call Trace:
<IRQ>
dump_stack_lvl+0xca/0x130
__ubsan_handle_shift_out_of_bounds+0x22c/0x280
? __lock_acquire+0x6441/0x7c10
ioc_timer_fn+0x6cec/0x7750
? blk_iocost_init+0x720/0x720
? call_timer_fn+0x5d/0x470
call_timer_fn+0xfa/0x470
? blk_iocost_init+0x720/0x720
__run_timer_base+0x519/0x700
...
Actual impact of this issue was not identified but I propose to fix the
undefined behaviour.
The proposed fix to prevent those out of bound shifts consist of
precalculating exponent before using it the shift operations by taking
min value from the actual exponent and maximum possible number of bits.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 7caa47151ab2e644dd221f741ec7578d9532c9a3 Version: 7caa47151ab2e644dd221f741ec7578d9532c9a3 Version: 7caa47151ab2e644dd221f741ec7578d9532c9a3 Version: 7caa47151ab2e644dd221f741ec7578d9532c9a3 Version: 7caa47151ab2e644dd221f741ec7578d9532c9a3 Version: 7caa47151ab2e644dd221f741ec7578d9532c9a3 Version: 7caa47151ab2e644dd221f741ec7578d9532c9a3 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49933", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:38:48.082140Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:42.880Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "block/blk-iocost.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "1f61d509257d6a05763d05bf37943b35306522b1", status: "affected", version: "7caa47151ab2e644dd221f741ec7578d9532c9a3", versionType: "git", }, { lessThan: "f4ef9bef023d5c543cb0f3194ecacfd47ef590ec", status: "affected", version: "7caa47151ab2e644dd221f741ec7578d9532c9a3", versionType: "git", }, { lessThan: "59121bb38fdc01434ea3fe361ee02b59f036227f", status: "affected", version: "7caa47151ab2e644dd221f741ec7578d9532c9a3", versionType: "git", }, { lessThan: "1ab2cfe19700fb3dde4c7dfec392acff34db3120", status: "affected", version: "7caa47151ab2e644dd221f741ec7578d9532c9a3", versionType: "git", }, { lessThan: "1b120f151871eb47ce9f283c007af3f8ae1d990e", status: "affected", version: "7caa47151ab2e644dd221f741ec7578d9532c9a3", versionType: "git", }, { lessThan: "364022095bdd4108efdaaa68576afa4712a5d085", status: "affected", version: "7caa47151ab2e644dd221f741ec7578d9532c9a3", versionType: "git", }, { lessThan: "9bce8005ec0dcb23a58300e8522fe4a31da606fa", status: "affected", version: "7caa47151ab2e644dd221f741ec7578d9532c9a3", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "block/blk-iocost.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.4", }, { lessThan: "5.4", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nblk_iocost: fix more out of bound shifts\n\nRecently running UBSAN caught few out of bound shifts in the\nioc_forgive_debts() function:\n\nUBSAN: shift-out-of-bounds in block/blk-iocost.c:2142:38\nshift exponent 80 is too large for 64-bit type 'u64' (aka 'unsigned long\nlong')\n...\nUBSAN: shift-out-of-bounds in block/blk-iocost.c:2144:30\nshift exponent 80 is too large for 64-bit type 'u64' (aka 'unsigned long\nlong')\n...\nCall Trace:\n<IRQ>\ndump_stack_lvl+0xca/0x130\n__ubsan_handle_shift_out_of_bounds+0x22c/0x280\n? __lock_acquire+0x6441/0x7c10\nioc_timer_fn+0x6cec/0x7750\n? blk_iocost_init+0x720/0x720\n? call_timer_fn+0x5d/0x470\ncall_timer_fn+0xfa/0x470\n? blk_iocost_init+0x720/0x720\n__run_timer_base+0x519/0x700\n...\n\nActual impact of this issue was not identified but I propose to fix the\nundefined behaviour.\nThe proposed fix to prevent those out of bound shifts consist of\nprecalculating exponent before using it the shift operations by taking\nmin value from the actual exponent and maximum possible number of bits.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:29:19.552Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/1f61d509257d6a05763d05bf37943b35306522b1", }, { url: "https://git.kernel.org/stable/c/f4ef9bef023d5c543cb0f3194ecacfd47ef590ec", }, { url: "https://git.kernel.org/stable/c/59121bb38fdc01434ea3fe361ee02b59f036227f", }, { url: "https://git.kernel.org/stable/c/1ab2cfe19700fb3dde4c7dfec392acff34db3120", }, { url: "https://git.kernel.org/stable/c/1b120f151871eb47ce9f283c007af3f8ae1d990e", }, { url: "https://git.kernel.org/stable/c/364022095bdd4108efdaaa68576afa4712a5d085", }, { url: "https://git.kernel.org/stable/c/9bce8005ec0dcb23a58300e8522fe4a31da606fa", }, ], title: "blk_iocost: fix more out of bound shifts", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49933", datePublished: "2024-10-21T18:01:55.087Z", dateReserved: "2024-10-21T12:17:06.040Z", dateUpdated: "2024-12-19T09:29:19.552Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49944
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-19 09:29
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
sctp: set sk_state back to CLOSED if autobind fails in sctp_listen_start
In sctp_listen_start() invoked by sctp_inet_listen(), it should set the
sk_state back to CLOSED if sctp_autobind() fails due to whatever reason.
Otherwise, next time when calling sctp_inet_listen(), if sctp_sk(sk)->reuse
is already set via setsockopt(SCTP_REUSE_PORT), sctp_sk(sk)->bind_hash will
be dereferenced as sk_state is LISTENING, which causes a crash as bind_hash
is NULL.
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
RIP: 0010:sctp_inet_listen+0x7f0/0xa20 net/sctp/socket.c:8617
Call Trace:
<TASK>
__sys_listen_socket net/socket.c:1883 [inline]
__sys_listen+0x1b7/0x230 net/socket.c:1894
__do_sys_listen net/socket.c:1902 [inline]
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 5e8f3f703ae4e4af65e2695e486b3cd198328863 Version: 5e8f3f703ae4e4af65e2695e486b3cd198328863 Version: 5e8f3f703ae4e4af65e2695e486b3cd198328863 Version: 5e8f3f703ae4e4af65e2695e486b3cd198328863 Version: 5e8f3f703ae4e4af65e2695e486b3cd198328863 Version: 5e8f3f703ae4e4af65e2695e486b3cd198328863 Version: 5e8f3f703ae4e4af65e2695e486b3cd198328863 Version: 5e8f3f703ae4e4af65e2695e486b3cd198328863 Version: 5e8f3f703ae4e4af65e2695e486b3cd198328863 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49944", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:37:19.751679Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:50.139Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/sctp/socket.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "89bbead9d897c77d0b566349c8643030ff2abeba", status: "affected", version: "5e8f3f703ae4e4af65e2695e486b3cd198328863", versionType: "git", }, { lessThan: "0e4e2e60556c6ed00e8450b720f106a268d23062", status: "affected", version: "5e8f3f703ae4e4af65e2695e486b3cd198328863", versionType: "git", }, { lessThan: "dd70c8a89ef99c3d53127fe19e51ef47c3f860fa", status: "affected", version: "5e8f3f703ae4e4af65e2695e486b3cd198328863", versionType: "git", }, { lessThan: "e7a8442195e8ebd97df467ce4742980ab57edcce", status: "affected", version: "5e8f3f703ae4e4af65e2695e486b3cd198328863", versionType: "git", }, { lessThan: "9230a59eda0878d7ecaa901d876aec76f57bd455", status: "affected", version: "5e8f3f703ae4e4af65e2695e486b3cd198328863", versionType: "git", }, { lessThan: "7f64cb5b4d8c872296eda0fdce3bcf099eec7aa7", status: "affected", version: "5e8f3f703ae4e4af65e2695e486b3cd198328863", versionType: "git", }, { lessThan: "f032e1dac30b3376c7d6026fb01a8c403c47a80d", status: "affected", version: "5e8f3f703ae4e4af65e2695e486b3cd198328863", versionType: "git", }, { lessThan: "e914bf68dab88815a7ae7b7a3a5e8913c8ff14a5", status: "affected", version: "5e8f3f703ae4e4af65e2695e486b3cd198328863", versionType: "git", }, { lessThan: "8beee4d8dee76b67c75dc91fd8185d91e845c160", status: "affected", version: "5e8f3f703ae4e4af65e2695e486b3cd198328863", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/sctp/socket.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "2.6.30", }, { lessThan: "2.6.30", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: set sk_state back to CLOSED if autobind fails in sctp_listen_start\n\nIn sctp_listen_start() invoked by sctp_inet_listen(), it should set the\nsk_state back to CLOSED if sctp_autobind() fails due to whatever reason.\n\nOtherwise, next time when calling sctp_inet_listen(), if sctp_sk(sk)->reuse\nis already set via setsockopt(SCTP_REUSE_PORT), sctp_sk(sk)->bind_hash will\nbe dereferenced as sk_state is LISTENING, which causes a crash as bind_hash\nis NULL.\n\n KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n RIP: 0010:sctp_inet_listen+0x7f0/0xa20 net/sctp/socket.c:8617\n Call Trace:\n <TASK>\n __sys_listen_socket net/socket.c:1883 [inline]\n __sys_listen+0x1b7/0x230 net/socket.c:1894\n __do_sys_listen net/socket.c:1902 [inline]", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:29:50.478Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/89bbead9d897c77d0b566349c8643030ff2abeba", }, { url: "https://git.kernel.org/stable/c/0e4e2e60556c6ed00e8450b720f106a268d23062", }, { url: "https://git.kernel.org/stable/c/dd70c8a89ef99c3d53127fe19e51ef47c3f860fa", }, { url: "https://git.kernel.org/stable/c/e7a8442195e8ebd97df467ce4742980ab57edcce", }, { url: "https://git.kernel.org/stable/c/9230a59eda0878d7ecaa901d876aec76f57bd455", }, { url: "https://git.kernel.org/stable/c/7f64cb5b4d8c872296eda0fdce3bcf099eec7aa7", }, { url: "https://git.kernel.org/stable/c/f032e1dac30b3376c7d6026fb01a8c403c47a80d", }, { url: "https://git.kernel.org/stable/c/e914bf68dab88815a7ae7b7a3a5e8913c8ff14a5", }, { url: "https://git.kernel.org/stable/c/8beee4d8dee76b67c75dc91fd8185d91e845c160", }, ], title: "sctp: set sk_state back to CLOSED if autobind fails in sctp_listen_start", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49944", datePublished: "2024-10-21T18:02:02.457Z", dateReserved: "2024-10-21T12:17:06.044Z", dateUpdated: "2024-12-19T09:29:50.478Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50023
Vulnerability from cvelistv5
Published
2024-10-21 19:39
Modified
2024-12-19 09:31
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: phy: Remove LED entry from LEDs list on unregister
Commit c938ab4da0eb ("net: phy: Manual remove LEDs to ensure correct
ordering") correctly fixed a problem with using devm_ but missed
removing the LED entry from the LEDs list.
This cause kernel panic on specific scenario where the port for the PHY
is torn down and up and the kmod for the PHY is removed.
On setting the port down the first time, the assosiacted LEDs are
correctly unregistered. The associated kmod for the PHY is now removed.
The kmod is now added again and the port is now put up, the associated LED
are registered again.
On putting the port down again for the second time after these step, the
LED list now have 4 elements. With the first 2 already unregistered
previously and the 2 new one registered again.
This cause a kernel panic as the first 2 element should have been
removed.
Fix this by correctly removing the element when LED is unregistered.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50023", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:27:08.188732Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:46.985Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/phy/phy_device.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "143ffa7878e2d9d9c3836ee8304ce4930f7852a3", status: "affected", version: "c938ab4da0eb1620ae3243b0b24c572ddfc318fc", versionType: "git", }, { lessThan: "fba363f4d244269a0ba7abb8df953a244c6749af", status: "affected", version: "c938ab4da0eb1620ae3243b0b24c572ddfc318fc", versionType: "git", }, { lessThan: "f50b5d74c68e551667e265123659b187a30fe3a5", status: "affected", version: "c938ab4da0eb1620ae3243b0b24c572ddfc318fc", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/phy/phy_device.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.4", }, { lessThan: "6.4", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.57", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.4", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: Remove LED entry from LEDs list on unregister\n\nCommit c938ab4da0eb (\"net: phy: Manual remove LEDs to ensure correct\nordering\") correctly fixed a problem with using devm_ but missed\nremoving the LED entry from the LEDs list.\n\nThis cause kernel panic on specific scenario where the port for the PHY\nis torn down and up and the kmod for the PHY is removed.\n\nOn setting the port down the first time, the assosiacted LEDs are\ncorrectly unregistered. The associated kmod for the PHY is now removed.\nThe kmod is now added again and the port is now put up, the associated LED\nare registered again.\nOn putting the port down again for the second time after these step, the\nLED list now have 4 elements. With the first 2 already unregistered\npreviously and the 2 new one registered again.\n\nThis cause a kernel panic as the first 2 element should have been\nremoved.\n\nFix this by correctly removing the element when LED is unregistered.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:31:33.521Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/143ffa7878e2d9d9c3836ee8304ce4930f7852a3", }, { url: "https://git.kernel.org/stable/c/fba363f4d244269a0ba7abb8df953a244c6749af", }, { url: "https://git.kernel.org/stable/c/f50b5d74c68e551667e265123659b187a30fe3a5", }, ], title: "net: phy: Remove LED entry from LEDs list on unregister", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50023", datePublished: "2024-10-21T19:39:28.524Z", dateReserved: "2024-10-21T12:17:06.065Z", dateUpdated: "2024-12-19T09:31:33.521Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50057
Vulnerability from cvelistv5
Published
2024-10-21 19:39
Modified
2024-12-19 09:32
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: typec: tipd: Free IRQ only if it was requested before
In polling mode, if no IRQ was requested there is no need to free it.
Call devm_free_irq() only if client->irq is set. This fixes the warning
caused by the tps6598x module removal:
WARNING: CPU: 2 PID: 333 at kernel/irq/devres.c:144 devm_free_irq+0x80/0x8c
...
...
Call trace:
devm_free_irq+0x80/0x8c
tps6598x_remove+0x28/0x88 [tps6598x]
i2c_device_remove+0x2c/0x9c
device_remove+0x4c/0x80
device_release_driver_internal+0x1cc/0x228
driver_detach+0x50/0x98
bus_remove_driver+0x6c/0xbc
driver_unregister+0x30/0x60
i2c_del_driver+0x54/0x64
tps6598x_i2c_driver_exit+0x18/0xc3c [tps6598x]
__arm64_sys_delete_module+0x184/0x264
invoke_syscall+0x48/0x110
el0_svc_common.constprop.0+0xc8/0xe8
do_el0_svc+0x20/0x2c
el0_svc+0x28/0x98
el0t_64_sync_handler+0x13c/0x158
el0t_64_sync+0x190/0x194
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50057", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:23:21.818153Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:42.696Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/usb/typec/tipd/core.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "b72bf5cade51ba4055c8a8998d275e72e6b521ce", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "4d4b23c119542fbaed2a16794d3801cb4806ea02", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "db63d9868f7f310de44ba7bea584e2454f8b4ed0", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/usb/typec/tipd/core.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.57", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.4", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: tipd: Free IRQ only if it was requested before\n\nIn polling mode, if no IRQ was requested there is no need to free it.\nCall devm_free_irq() only if client->irq is set. This fixes the warning\ncaused by the tps6598x module removal:\n\nWARNING: CPU: 2 PID: 333 at kernel/irq/devres.c:144 devm_free_irq+0x80/0x8c\n...\n...\nCall trace:\n devm_free_irq+0x80/0x8c\n tps6598x_remove+0x28/0x88 [tps6598x]\n i2c_device_remove+0x2c/0x9c\n device_remove+0x4c/0x80\n device_release_driver_internal+0x1cc/0x228\n driver_detach+0x50/0x98\n bus_remove_driver+0x6c/0xbc\n driver_unregister+0x30/0x60\n i2c_del_driver+0x54/0x64\n tps6598x_i2c_driver_exit+0x18/0xc3c [tps6598x]\n __arm64_sys_delete_module+0x184/0x264\n invoke_syscall+0x48/0x110\n el0_svc_common.constprop.0+0xc8/0xe8\n do_el0_svc+0x20/0x2c\n el0_svc+0x28/0x98\n el0t_64_sync_handler+0x13c/0x158\n el0t_64_sync+0x190/0x194", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:32:09.677Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/b72bf5cade51ba4055c8a8998d275e72e6b521ce", }, { url: "https://git.kernel.org/stable/c/4d4b23c119542fbaed2a16794d3801cb4806ea02", }, { url: "https://git.kernel.org/stable/c/db63d9868f7f310de44ba7bea584e2454f8b4ed0", }, ], title: "usb: typec: tipd: Free IRQ only if it was requested before", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50057", datePublished: "2024-10-21T19:39:47.768Z", dateReserved: "2024-10-21T19:36:19.938Z", dateUpdated: "2024-12-19T09:32:09.677Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47741
Vulnerability from cvelistv5
Published
2024-10-21 12:14
Modified
2024-12-19 09:27
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix race setting file private on concurrent lseek using same fd
When doing concurrent lseek(2) system calls against the same file
descriptor, using multiple threads belonging to the same process, we have
a short time window where a race happens and can result in a memory leak.
The race happens like this:
1) A program opens a file descriptor for a file and then spawns two
threads (with the pthreads library for example), lets call them
task A and task B;
2) Task A calls lseek with SEEK_DATA or SEEK_HOLE and ends up at
file.c:find_desired_extent() while holding a read lock on the inode;
3) At the start of find_desired_extent(), it extracts the file's
private_data pointer into a local variable named 'private', which has
a value of NULL;
4) Task B also calls lseek with SEEK_DATA or SEEK_HOLE, locks the inode
in shared mode and enters file.c:find_desired_extent(), where it also
extracts file->private_data into its local variable 'private', which
has a NULL value;
5) Because it saw a NULL file private, task A allocates a private
structure and assigns to the file structure;
6) Task B also saw a NULL file private so it also allocates its own file
private and then assigns it to the same file structure, since both
tasks are using the same file descriptor.
At this point we leak the private structure allocated by task A.
Besides the memory leak, there's also the detail that both tasks end up
using the same cached state record in the private structure (struct
btrfs_file_private::llseek_cached_state), which can result in a
use-after-free problem since one task can free it while the other is
still using it (only one task took a reference count on it). Also, sharing
the cached state is not a good idea since it could result in incorrect
results in the future - right now it should not be a problem because it
end ups being used only in extent-io-tree.c:count_range_bits() where we do
range validation before using the cached state.
Fix this by protecting the private assignment and check of a file while
holding the inode's spinlock and keep track of the task that allocated
the private, so that it's used only by that task in order to prevent
user-after-free issues with the cached state record as well as potentially
using it incorrectly in the future.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47741", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T12:59:11.632637Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:14.475Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/btrfs/btrfs_inode.h", "fs/btrfs/ctree.h", "fs/btrfs/file.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "f56a6d9c267ec7fa558ede7755551c047b1034cd", status: "affected", version: "3c32c7212f1639471ec0197ff1179b8ef2e0f3d3", versionType: "git", }, { lessThan: "a412ca489ac27b9d0e603499315b7139c948130d", status: "affected", version: "3c32c7212f1639471ec0197ff1179b8ef2e0f3d3", versionType: "git", }, { lessThan: "33d1310d4496e904123dab9c28b2d8d2c1800f97", status: "affected", version: "3c32c7212f1639471ec0197ff1179b8ef2e0f3d3", versionType: "git", }, { lessThan: "7ee85f5515e86a4e2a2f51969795920733912bad", status: "affected", version: "3c32c7212f1639471ec0197ff1179b8ef2e0f3d3", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/btrfs/btrfs_inode.h", "fs/btrfs/ctree.h", "fs/btrfs/file.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.2", }, { lessThan: "6.2", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix race setting file private on concurrent lseek using same fd\n\nWhen doing concurrent lseek(2) system calls against the same file\ndescriptor, using multiple threads belonging to the same process, we have\na short time window where a race happens and can result in a memory leak.\n\nThe race happens like this:\n\n1) A program opens a file descriptor for a file and then spawns two\n threads (with the pthreads library for example), lets call them\n task A and task B;\n\n2) Task A calls lseek with SEEK_DATA or SEEK_HOLE and ends up at\n file.c:find_desired_extent() while holding a read lock on the inode;\n\n3) At the start of find_desired_extent(), it extracts the file's\n private_data pointer into a local variable named 'private', which has\n a value of NULL;\n\n4) Task B also calls lseek with SEEK_DATA or SEEK_HOLE, locks the inode\n in shared mode and enters file.c:find_desired_extent(), where it also\n extracts file->private_data into its local variable 'private', which\n has a NULL value;\n\n5) Because it saw a NULL file private, task A allocates a private\n structure and assigns to the file structure;\n\n6) Task B also saw a NULL file private so it also allocates its own file\n private and then assigns it to the same file structure, since both\n tasks are using the same file descriptor.\n\n At this point we leak the private structure allocated by task A.\n\nBesides the memory leak, there's also the detail that both tasks end up\nusing the same cached state record in the private structure (struct\nbtrfs_file_private::llseek_cached_state), which can result in a\nuse-after-free problem since one task can free it while the other is\nstill using it (only one task took a reference count on it). Also, sharing\nthe cached state is not a good idea since it could result in incorrect\nresults in the future - right now it should not be a problem because it\nend ups being used only in extent-io-tree.c:count_range_bits() where we do\nrange validation before using the cached state.\n\nFix this by protecting the private assignment and check of a file while\nholding the inode's spinlock and keep track of the task that allocated\nthe private, so that it's used only by that task in order to prevent\nuser-after-free issues with the cached state record as well as potentially\nusing it incorrectly in the future.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:27:11.384Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/f56a6d9c267ec7fa558ede7755551c047b1034cd", }, { url: "https://git.kernel.org/stable/c/a412ca489ac27b9d0e603499315b7139c948130d", }, { url: "https://git.kernel.org/stable/c/33d1310d4496e904123dab9c28b2d8d2c1800f97", }, { url: "https://git.kernel.org/stable/c/7ee85f5515e86a4e2a2f51969795920733912bad", }, ], title: "btrfs: fix race setting file private on concurrent lseek using same fd", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47741", datePublished: "2024-10-21T12:14:09.836Z", dateReserved: "2024-09-30T16:00:12.959Z", dateUpdated: "2024-12-19T09:27:11.384Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49914
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:28
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Add null check for pipe_ctx->plane_state in dcn20_program_pipe
This commit addresses a null pointer dereference issue in the
`dcn20_program_pipe` function. The issue could occur when
`pipe_ctx->plane_state` is null.
The fix adds a check to ensure `pipe_ctx->plane_state` is not null
before accessing. This prevents a null pointer dereference.
Reported by smatch:
drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn20/dcn20_hwseq.c:1925 dcn20_program_pipe() error: we previously assumed 'pipe_ctx->plane_state' could be null (see line 1877)
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49914", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:41:14.762720Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:45.690Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "68f75e6f08aad66069a629db8d7840919156c761", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "65a6fee22d5cfa645cb05489892dc9cd3d142fc2", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "8e4ed3cf1642df0c4456443d865cff61a9598aa8", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.64", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add null check for pipe_ctx->plane_state in dcn20_program_pipe\n\nThis commit addresses a null pointer dereference issue in the\n`dcn20_program_pipe` function. The issue could occur when\n`pipe_ctx->plane_state` is null.\n\nThe fix adds a check to ensure `pipe_ctx->plane_state` is not null\nbefore accessing. This prevents a null pointer dereference.\n\nReported by smatch:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn20/dcn20_hwseq.c:1925 dcn20_program_pipe() error: we previously assumed 'pipe_ctx->plane_state' could be null (see line 1877)", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:28:56.271Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/68f75e6f08aad66069a629db8d7840919156c761", }, { url: "https://git.kernel.org/stable/c/65a6fee22d5cfa645cb05489892dc9cd3d142fc2", }, { url: "https://git.kernel.org/stable/c/8e4ed3cf1642df0c4456443d865cff61a9598aa8", }, ], title: "drm/amd/display: Add null check for pipe_ctx->plane_state in dcn20_program_pipe", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49914", datePublished: "2024-10-21T18:01:42.215Z", dateReserved: "2024-10-21T12:17:06.028Z", dateUpdated: "2024-12-19T09:28:56.271Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47754
Vulnerability from cvelistv5
Published
2024-10-21 12:14
Modified
2024-12-19 09:27
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: mediatek: vcodec: Fix H264 multi stateless decoder smatch warning
Fix a smatch static checker warning on vdec_h264_req_multi_if.c.
Which leads to a kernel crash when fb is NULL.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47754", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T12:57:32.730350Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:12.576Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_h264_req_multi_if.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "588bcce9e64cc5138858ab562268eb3943c5b06c", status: "affected", version: "397edc703a10f670a2692e492a245f6be1fe279a", versionType: "git", }, { lessThan: "47b3b97930913ca74a595cc12bdbb650259afc6e", status: "affected", version: "397edc703a10f670a2692e492a245f6be1fe279a", versionType: "git", }, { lessThan: "301f7778263116388c20521a1a641067647ab31c", status: "affected", version: "397edc703a10f670a2692e492a245f6be1fe279a", versionType: "git", }, { lessThan: "9be85491619f1953b8a29590ca630be571941ffa", status: "affected", version: "397edc703a10f670a2692e492a245f6be1fe279a", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_h264_req_multi_if.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.19", }, { lessThan: "5.19", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mediatek: vcodec: Fix H264 multi stateless decoder smatch warning\n\nFix a smatch static checker warning on vdec_h264_req_multi_if.c.\nWhich leads to a kernel crash when fb is NULL.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:27:28.075Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/588bcce9e64cc5138858ab562268eb3943c5b06c", }, { url: "https://git.kernel.org/stable/c/47b3b97930913ca74a595cc12bdbb650259afc6e", }, { url: "https://git.kernel.org/stable/c/301f7778263116388c20521a1a641067647ab31c", }, { url: "https://git.kernel.org/stable/c/9be85491619f1953b8a29590ca630be571941ffa", }, ], title: "media: mediatek: vcodec: Fix H264 multi stateless decoder smatch warning", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47754", datePublished: "2024-10-21T12:14:18.427Z", dateReserved: "2024-09-30T16:00:12.961Z", dateUpdated: "2024-12-19T09:27:28.075Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49911
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:28
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Add NULL check for function pointer in dcn20_set_output_transfer_func
This commit adds a null check for the set_output_gamma function pointer
in the dcn20_set_output_transfer_func function. Previously,
set_output_gamma was being checked for null at line 1030, but then it
was being dereferenced without any null check at line 1048. This could
potentially lead to a null pointer dereference error if set_output_gamma
is null.
To fix this, we now ensure that set_output_gamma is not null before
dereferencing it. We do this by adding a null check for set_output_gamma
before the call to set_output_gamma at line 1048.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49911", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:41:37.002386Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:46.128Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "e8a24767899c86f4c5f1e4d3b2608942d054900f", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "8c854138b593efbbd8fa46a25f3288c121c1d1a1", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "02411e9359297512946705b1cd8cf5e6b0806fa0", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "827380b114f83c30b3e56d1a675980b6d65f7c88", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "62ed6f0f198da04e884062264df308277628004f", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.120", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.64", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add NULL check for function pointer in dcn20_set_output_transfer_func\n\nThis commit adds a null check for the set_output_gamma function pointer\nin the dcn20_set_output_transfer_func function. Previously,\nset_output_gamma was being checked for null at line 1030, but then it\nwas being dereferenced without any null check at line 1048. This could\npotentially lead to a null pointer dereference error if set_output_gamma\nis null.\n\nTo fix this, we now ensure that set_output_gamma is not null before\ndereferencing it. We do this by adding a null check for set_output_gamma\nbefore the call to set_output_gamma at line 1048.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:28:52.690Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/e8a24767899c86f4c5f1e4d3b2608942d054900f", }, { url: "https://git.kernel.org/stable/c/8c854138b593efbbd8fa46a25f3288c121c1d1a1", }, { url: "https://git.kernel.org/stable/c/02411e9359297512946705b1cd8cf5e6b0806fa0", }, { url: "https://git.kernel.org/stable/c/827380b114f83c30b3e56d1a675980b6d65f7c88", }, { url: "https://git.kernel.org/stable/c/62ed6f0f198da04e884062264df308277628004f", }, ], title: "drm/amd/display: Add NULL check for function pointer in dcn20_set_output_transfer_func", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49911", datePublished: "2024-10-21T18:01:40.200Z", dateReserved: "2024-10-21T12:17:06.028Z", dateUpdated: "2024-12-19T09:28:52.690Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50042
Vulnerability from cvelistv5
Published
2024-10-21 19:39
Modified
2024-12-19 09:31
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ice: Fix increasing MSI-X on VF
Increasing MSI-X value on a VF leads to invalid memory operations. This
is caused by not reallocating some arrays.
Reproducer:
modprobe ice
echo 0 > /sys/bus/pci/devices/$PF_PCI/sriov_drivers_autoprobe
echo 1 > /sys/bus/pci/devices/$PF_PCI/sriov_numvfs
echo 17 > /sys/bus/pci/devices/$VF0_PCI/sriov_vf_msix_count
Default MSI-X is 16, so 17 and above triggers this issue.
KASAN reports:
BUG: KASAN: slab-out-of-bounds in ice_vsi_alloc_ring_stats+0x38d/0x4b0 [ice]
Read of size 8 at addr ffff8888b937d180 by task bash/28433
(...)
Call Trace:
(...)
? ice_vsi_alloc_ring_stats+0x38d/0x4b0 [ice]
kasan_report+0xed/0x120
? ice_vsi_alloc_ring_stats+0x38d/0x4b0 [ice]
ice_vsi_alloc_ring_stats+0x38d/0x4b0 [ice]
ice_vsi_cfg_def+0x3360/0x4770 [ice]
? mutex_unlock+0x83/0xd0
? __pfx_ice_vsi_cfg_def+0x10/0x10 [ice]
? __pfx_ice_remove_vsi_lkup_fltr+0x10/0x10 [ice]
ice_vsi_cfg+0x7f/0x3b0 [ice]
ice_vf_reconfig_vsi+0x114/0x210 [ice]
ice_sriov_set_msix_vec_count+0x3d0/0x960 [ice]
sriov_vf_msix_count_store+0x21c/0x300
(...)
Allocated by task 28201:
(...)
ice_vsi_cfg_def+0x1c8e/0x4770 [ice]
ice_vsi_cfg+0x7f/0x3b0 [ice]
ice_vsi_setup+0x179/0xa30 [ice]
ice_sriov_configure+0xcaa/0x1520 [ice]
sriov_numvfs_store+0x212/0x390
(...)
To fix it, use ice_vsi_rebuild() instead of ice_vf_reconfig_vsi(). This
causes the required arrays to be reallocated taking the new queue count
into account (ice_vsi_realloc_stat_arrays()). Set req_txq and req_rxq
before ice_vsi_rebuild(), so that realloc uses the newly set queue
count.
Additionally, ice_vsi_rebuild() does not remove VSI filters
(ice_fltr_remove_all()), so ice_vf_init_host_cfg() is no longer
necessary.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50042", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:24:38.498470Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:44.110Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/ethernet/intel/ice/ice_sriov.c", "drivers/net/ethernet/intel/ice/ice_vf_lib.c", "drivers/net/ethernet/intel/ice/ice_vf_lib_private.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "cbda6197929418fabf0e45ecf9b7a76360944c70", status: "affected", version: "2a2cb4c6c18130e9f14d2e39deb75590744d98ef", versionType: "git", }, { lessThan: "bce9af1b030bf59d51bbabf909a3ef164787e44e", status: "affected", version: "2a2cb4c6c18130e9f14d2e39deb75590744d98ef", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/ethernet/intel/ice/ice_sriov.c", "drivers/net/ethernet/intel/ice/ice_vf_lib.c", "drivers/net/ethernet/intel/ice/ice_vf_lib_private.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.8", }, { lessThan: "6.8", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.4", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Fix increasing MSI-X on VF\n\nIncreasing MSI-X value on a VF leads to invalid memory operations. This\nis caused by not reallocating some arrays.\n\nReproducer:\n modprobe ice\n echo 0 > /sys/bus/pci/devices/$PF_PCI/sriov_drivers_autoprobe\n echo 1 > /sys/bus/pci/devices/$PF_PCI/sriov_numvfs\n echo 17 > /sys/bus/pci/devices/$VF0_PCI/sriov_vf_msix_count\n\nDefault MSI-X is 16, so 17 and above triggers this issue.\n\nKASAN reports:\n\n BUG: KASAN: slab-out-of-bounds in ice_vsi_alloc_ring_stats+0x38d/0x4b0 [ice]\n Read of size 8 at addr ffff8888b937d180 by task bash/28433\n (...)\n\n Call Trace:\n (...)\n ? ice_vsi_alloc_ring_stats+0x38d/0x4b0 [ice]\n kasan_report+0xed/0x120\n ? ice_vsi_alloc_ring_stats+0x38d/0x4b0 [ice]\n ice_vsi_alloc_ring_stats+0x38d/0x4b0 [ice]\n ice_vsi_cfg_def+0x3360/0x4770 [ice]\n ? mutex_unlock+0x83/0xd0\n ? __pfx_ice_vsi_cfg_def+0x10/0x10 [ice]\n ? __pfx_ice_remove_vsi_lkup_fltr+0x10/0x10 [ice]\n ice_vsi_cfg+0x7f/0x3b0 [ice]\n ice_vf_reconfig_vsi+0x114/0x210 [ice]\n ice_sriov_set_msix_vec_count+0x3d0/0x960 [ice]\n sriov_vf_msix_count_store+0x21c/0x300\n (...)\n\n Allocated by task 28201:\n (...)\n ice_vsi_cfg_def+0x1c8e/0x4770 [ice]\n ice_vsi_cfg+0x7f/0x3b0 [ice]\n ice_vsi_setup+0x179/0xa30 [ice]\n ice_sriov_configure+0xcaa/0x1520 [ice]\n sriov_numvfs_store+0x212/0x390\n (...)\n\nTo fix it, use ice_vsi_rebuild() instead of ice_vf_reconfig_vsi(). This\ncauses the required arrays to be reallocated taking the new queue count\ninto account (ice_vsi_realloc_stat_arrays()). Set req_txq and req_rxq\nbefore ice_vsi_rebuild(), so that realloc uses the newly set queue\ncount.\n\nAdditionally, ice_vsi_rebuild() does not remove VSI filters\n(ice_fltr_remove_all()), so ice_vf_init_host_cfg() is no longer\nnecessary.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:31:57.509Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/cbda6197929418fabf0e45ecf9b7a76360944c70", }, { url: "https://git.kernel.org/stable/c/bce9af1b030bf59d51bbabf909a3ef164787e44e", }, ], title: "ice: Fix increasing MSI-X on VF", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50042", datePublished: "2024-10-21T19:39:41.084Z", dateReserved: "2024-10-21T12:17:06.071Z", dateUpdated: "2024-12-19T09:31:57.509Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50041
Vulnerability from cvelistv5
Published
2024-10-21 19:39
Modified
2024-12-19 09:31
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
i40e: Fix macvlan leak by synchronizing access to mac_filter_hash
This patch addresses a macvlan leak issue in the i40e driver caused by
concurrent access to vsi->mac_filter_hash. The leak occurs when multiple
threads attempt to modify the mac_filter_hash simultaneously, leading to
inconsistent state and potential memory leaks.
To fix this, we now wrap the calls to i40e_del_mac_filter() and zeroing
vf->default_lan_addr.addr with spin_lock/unlock_bh(&vsi->mac_filter_hash_lock),
ensuring atomic operations and preventing concurrent access.
Additionally, we add lockdep_assert_held(&vsi->mac_filter_hash_lock) in
i40e_add_mac_filter() to help catch similar issues in the future.
Reproduction steps:
1. Spawn VFs and configure port vlan on them.
2. Trigger concurrent macvlan operations (e.g., adding and deleting
portvlan and/or mac filters).
3. Observe the potential memory leak and inconsistent state in the
mac_filter_hash.
This synchronization ensures the integrity of the mac_filter_hash and prevents
the described leak.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: ddec6cbbe22781d17965f1e6386e5a6363c058d2 Version: fed0d9f13266a22ce1fc9a97521ef9cdc6271a23 Version: fed0d9f13266a22ce1fc9a97521ef9cdc6271a23 Version: fed0d9f13266a22ce1fc9a97521ef9cdc6271a23 Version: fed0d9f13266a22ce1fc9a97521ef9cdc6271a23 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50041", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:24:46.896116Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:44.245Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/ethernet/intel/i40e/i40e_main.c", "drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "9db6ce9e2738b05a3672aff4d42169cf3bb5a3e3", status: "affected", version: "ddec6cbbe22781d17965f1e6386e5a6363c058d2", versionType: "git", }, { lessThan: "9a9747288ba0a9ad4f5c9877f18dd245770ad64e", status: "affected", version: "fed0d9f13266a22ce1fc9a97521ef9cdc6271a23", versionType: "git", }, { lessThan: "703c4d820b31bcadf465288d5746c53445f02a55", status: "affected", version: "fed0d9f13266a22ce1fc9a97521ef9cdc6271a23", versionType: "git", }, { lessThan: "8831abff1bd5b6bc8224f0c0671f46fbd702b5b2", status: "affected", version: "fed0d9f13266a22ce1fc9a97521ef9cdc6271a23", versionType: "git", }, { lessThan: "dac6c7b3d33756d6ce09f00a96ea2ecd79fae9fb", status: "affected", version: "fed0d9f13266a22ce1fc9a97521ef9cdc6271a23", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/ethernet/intel/i40e/i40e_main.c", "drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.19", }, { lessThan: "5.19", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.57", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.4", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Fix macvlan leak by synchronizing access to mac_filter_hash\n\nThis patch addresses a macvlan leak issue in the i40e driver caused by\nconcurrent access to vsi->mac_filter_hash. The leak occurs when multiple\nthreads attempt to modify the mac_filter_hash simultaneously, leading to\ninconsistent state and potential memory leaks.\n\nTo fix this, we now wrap the calls to i40e_del_mac_filter() and zeroing\nvf->default_lan_addr.addr with spin_lock/unlock_bh(&vsi->mac_filter_hash_lock),\nensuring atomic operations and preventing concurrent access.\n\nAdditionally, we add lockdep_assert_held(&vsi->mac_filter_hash_lock) in\ni40e_add_mac_filter() to help catch similar issues in the future.\n\nReproduction steps:\n1. Spawn VFs and configure port vlan on them.\n2. Trigger concurrent macvlan operations (e.g., adding and deleting\n\tportvlan and/or mac filters).\n3. Observe the potential memory leak and inconsistent state in the\n\tmac_filter_hash.\n\nThis synchronization ensures the integrity of the mac_filter_hash and prevents\nthe described leak.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:31:56.282Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/9db6ce9e2738b05a3672aff4d42169cf3bb5a3e3", }, { url: "https://git.kernel.org/stable/c/9a9747288ba0a9ad4f5c9877f18dd245770ad64e", }, { url: "https://git.kernel.org/stable/c/703c4d820b31bcadf465288d5746c53445f02a55", }, { url: "https://git.kernel.org/stable/c/8831abff1bd5b6bc8224f0c0671f46fbd702b5b2", }, { url: "https://git.kernel.org/stable/c/dac6c7b3d33756d6ce09f00a96ea2ecd79fae9fb", }, ], title: "i40e: Fix macvlan leak by synchronizing access to mac_filter_hash", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50041", datePublished: "2024-10-21T19:39:40.435Z", dateReserved: "2024-10-21T12:17:06.071Z", dateUpdated: "2024-12-19T09:31:56.282Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48997
Vulnerability from cvelistv5
Published
2024-10-21 20:06
Modified
2024-12-19 08:12
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
char: tpm: Protect tpm_pm_suspend with locks
Currently tpm transactions are executed unconditionally in
tpm_pm_suspend() function, which may lead to races with other tpm
accessors in the system.
Specifically, the hw_random tpm driver makes use of tpm_get_random(),
and this function is called in a loop from a kthread, which means it's
not frozen alongside userspace, and so can race with the work done
during system suspend:
tpm tpm0: tpm_transmit: tpm_recv: error -52
tpm tpm0: invalid TPM_STS.x 0xff, dumping stack for forensics
CPU: 0 PID: 1 Comm: init Not tainted 6.1.0-rc5+ #135
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-20220807_005459-localhost 04/01/2014
Call Trace:
tpm_tis_status.cold+0x19/0x20
tpm_transmit+0x13b/0x390
tpm_transmit_cmd+0x20/0x80
tpm1_pm_suspend+0xa6/0x110
tpm_pm_suspend+0x53/0x80
__pnp_bus_suspend+0x35/0xe0
__device_suspend+0x10f/0x350
Fix this by calling tpm_try_get_ops(), which itself is a wrapper around
tpm_chip_start(), but takes the appropriate mutex.
[Jason: reworked commit message, added metadata]
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: e891db1a18bf11e02533ec2386b796cfd8d60666 Version: e891db1a18bf11e02533ec2386b796cfd8d60666 Version: e891db1a18bf11e02533ec2386b796cfd8d60666 Version: e891db1a18bf11e02533ec2386b796cfd8d60666 Version: e891db1a18bf11e02533ec2386b796cfd8d60666 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48997", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:15:42.230328Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:41.257Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/char/tpm/tpm-interface.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "d699373ac5f3545243d3c73a1ccab77fdef8cec6", status: "affected", version: "e891db1a18bf11e02533ec2386b796cfd8d60666", versionType: "git", }, { lessThan: "4e0d6c687c925e27fd4bc78a2721d10acf5614d6", status: "affected", version: "e891db1a18bf11e02533ec2386b796cfd8d60666", versionType: "git", }, { lessThan: "571b6bbbf54d835ea6120f65575cb55cd767e603", status: "affected", version: "e891db1a18bf11e02533ec2386b796cfd8d60666", versionType: "git", }, { lessThan: "25b78bf98b07ff5aceb9b1e24f72ec0236c5c053", status: "affected", version: "e891db1a18bf11e02533ec2386b796cfd8d60666", versionType: "git", }, { lessThan: "23393c6461422df5bf8084a086ada9a7e17dc2ba", status: "affected", version: "e891db1a18bf11e02533ec2386b796cfd8d60666", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/char/tpm/tpm-interface.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.1", }, { lessThan: "5.1", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.226", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.158", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.82", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.12", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nchar: tpm: Protect tpm_pm_suspend with locks\n\nCurrently tpm transactions are executed unconditionally in\ntpm_pm_suspend() function, which may lead to races with other tpm\naccessors in the system.\n\nSpecifically, the hw_random tpm driver makes use of tpm_get_random(),\nand this function is called in a loop from a kthread, which means it's\nnot frozen alongside userspace, and so can race with the work done\nduring system suspend:\n\n tpm tpm0: tpm_transmit: tpm_recv: error -52\n tpm tpm0: invalid TPM_STS.x 0xff, dumping stack for forensics\n CPU: 0 PID: 1 Comm: init Not tainted 6.1.0-rc5+ #135\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-20220807_005459-localhost 04/01/2014\n Call Trace:\n tpm_tis_status.cold+0x19/0x20\n tpm_transmit+0x13b/0x390\n tpm_transmit_cmd+0x20/0x80\n tpm1_pm_suspend+0xa6/0x110\n tpm_pm_suspend+0x53/0x80\n __pnp_bus_suspend+0x35/0xe0\n __device_suspend+0x10f/0x350\n\nFix this by calling tpm_try_get_ops(), which itself is a wrapper around\ntpm_chip_start(), but takes the appropriate mutex.\n\n[Jason: reworked commit message, added metadata]", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:12:08.317Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/d699373ac5f3545243d3c73a1ccab77fdef8cec6", }, { url: "https://git.kernel.org/stable/c/4e0d6c687c925e27fd4bc78a2721d10acf5614d6", }, { url: "https://git.kernel.org/stable/c/571b6bbbf54d835ea6120f65575cb55cd767e603", }, { url: "https://git.kernel.org/stable/c/25b78bf98b07ff5aceb9b1e24f72ec0236c5c053", }, { url: "https://git.kernel.org/stable/c/23393c6461422df5bf8084a086ada9a7e17dc2ba", }, ], title: "char: tpm: Protect tpm_pm_suspend with locks", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48997", datePublished: "2024-10-21T20:06:12.787Z", dateReserved: "2024-08-22T01:27:53.637Z", dateUpdated: "2024-12-19T08:12:08.317Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50036
Vulnerability from cvelistv5
Published
2024-10-21 19:39
Modified
2024-12-19 09:31
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: do not delay dst_entries_add() in dst_release()
dst_entries_add() uses per-cpu data that might be freed at netns
dismantle from ip6_route_net_exit() calling dst_entries_destroy()
Before ip6_route_net_exit() can be called, we release all
the dsts associated with this netns, via calls to dst_release(),
which waits an rcu grace period before calling dst_destroy()
dst_entries_add() use in dst_destroy() is racy, because
dst_entries_destroy() could have been called already.
Decrementing the number of dsts must happen sooner.
Notes:
1) in CONFIG_XFRM case, dst_destroy() can call
dst_release_immediate(child), this might also cause UAF
if the child does not have DST_NOCOUNT set.
IPSEC maintainers might take a look and see how to address this.
2) There is also discussion about removing this count of dst,
which might happen in future kernels.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: f88649721268999bdff09777847080a52004f691 Version: f88649721268999bdff09777847080a52004f691 Version: f88649721268999bdff09777847080a52004f691 Version: f88649721268999bdff09777847080a52004f691 Version: f88649721268999bdff09777847080a52004f691 Version: f88649721268999bdff09777847080a52004f691 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50036", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:25:25.259782Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:44.921Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/core/dst.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "547087307bc19417b4f2bc85ba9664a3e8db5a6a", status: "affected", version: "f88649721268999bdff09777847080a52004f691", versionType: "git", }, { lessThan: "e3915f028b1f1c37e87542e5aadd33728c259d96", status: "affected", version: "f88649721268999bdff09777847080a52004f691", versionType: "git", }, { lessThan: "a60db84f772fc3a906c6c4072f9207579c41166f", status: "affected", version: "f88649721268999bdff09777847080a52004f691", versionType: "git", }, { lessThan: "eae7435b48ffc8e9be0ff9cfeae40af479a609dd", status: "affected", version: "f88649721268999bdff09777847080a52004f691", versionType: "git", }, { lessThan: "3c7c918ec0aa3555372c5a57f18780b7a96c5cfc", status: "affected", version: "f88649721268999bdff09777847080a52004f691", versionType: "git", }, { lessThan: "ac888d58869bb99753e7652be19a151df9ecb35d", status: "affected", version: "f88649721268999bdff09777847080a52004f691", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/core/dst.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "3.16", }, { lessThan: "3.16", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.230", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.172", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.117", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.57", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.4", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: do not delay dst_entries_add() in dst_release()\n\ndst_entries_add() uses per-cpu data that might be freed at netns\ndismantle from ip6_route_net_exit() calling dst_entries_destroy()\n\nBefore ip6_route_net_exit() can be called, we release all\nthe dsts associated with this netns, via calls to dst_release(),\nwhich waits an rcu grace period before calling dst_destroy()\n\ndst_entries_add() use in dst_destroy() is racy, because\ndst_entries_destroy() could have been called already.\n\nDecrementing the number of dsts must happen sooner.\n\nNotes:\n\n1) in CONFIG_XFRM case, dst_destroy() can call\n dst_release_immediate(child), this might also cause UAF\n if the child does not have DST_NOCOUNT set.\n IPSEC maintainers might take a look and see how to address this.\n\n2) There is also discussion about removing this count of dst,\n which might happen in future kernels.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:31:49.981Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/547087307bc19417b4f2bc85ba9664a3e8db5a6a", }, { url: "https://git.kernel.org/stable/c/e3915f028b1f1c37e87542e5aadd33728c259d96", }, { url: "https://git.kernel.org/stable/c/a60db84f772fc3a906c6c4072f9207579c41166f", }, { url: "https://git.kernel.org/stable/c/eae7435b48ffc8e9be0ff9cfeae40af479a609dd", }, { url: "https://git.kernel.org/stable/c/3c7c918ec0aa3555372c5a57f18780b7a96c5cfc", }, { url: "https://git.kernel.org/stable/c/ac888d58869bb99753e7652be19a151df9ecb35d", }, ], title: "net: do not delay dst_entries_add() in dst_release()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50036", datePublished: "2024-10-21T19:39:37.135Z", dateReserved: "2024-10-21T12:17:06.070Z", dateUpdated: "2024-12-19T09:31:49.981Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-49032
Vulnerability from cvelistv5
Published
2024-10-21 20:06
Modified
2024-12-19 08:12
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
iio: health: afe4404: Fix oob read in afe4404_[read|write]_raw
KASAN report out-of-bounds read as follows:
BUG: KASAN: global-out-of-bounds in afe4404_read_raw+0x2ce/0x380
Read of size 4 at addr ffffffffc00e4658 by task cat/278
Call Trace:
afe4404_read_raw
iio_read_channel_info
dev_attr_show
The buggy address belongs to the variable:
afe4404_channel_leds+0x18/0xffffffffffffe9c0
This issue can be reproduce by singe command:
$ cat /sys/bus/i2c/devices/0-0058/iio\:device0/in_intensity6_raw
The array size of afe4404_channel_leds and afe4404_channel_offdacs
are less than channels, so access with chan->address cause OOB read
in afe4404_[read|write]_raw. Fix it by moving access before use them.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: b36e8257641a043764c62240316610c81e36376c Version: b36e8257641a043764c62240316610c81e36376c Version: b36e8257641a043764c62240316610c81e36376c Version: b36e8257641a043764c62240316610c81e36376c Version: b36e8257641a043764c62240316610c81e36376c Version: b36e8257641a043764c62240316610c81e36376c Version: b36e8257641a043764c62240316610c81e36376c Version: b36e8257641a043764c62240316610c81e36376c |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-49032", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:11:06.095851Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:35.607Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/iio/health/afe4404.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "68de7da092f38395dde523f2e5db26eba6c23e28", status: "affected", version: "b36e8257641a043764c62240316610c81e36376c", versionType: "git", }, { lessThan: "113c08030a89aaf406f8a1d4549d758a67c2afba", status: "affected", version: "b36e8257641a043764c62240316610c81e36376c", versionType: "git", }, { lessThan: "f5575041ec15310bdc50c42b8b22118cc900226e", status: "affected", version: "b36e8257641a043764c62240316610c81e36376c", versionType: "git", }, { lessThan: "3f566b626029ca8598d48e5074e56bb37399ca1b", status: "affected", version: "b36e8257641a043764c62240316610c81e36376c", versionType: "git", }, { lessThan: "5eb114f55b37dbc0487aa9c1913b81bb7837f1c4", status: "affected", version: "b36e8257641a043764c62240316610c81e36376c", versionType: "git", }, { lessThan: "f7419fc42afc035f6b29ce713e17dcd2000c833f", status: "affected", version: "b36e8257641a043764c62240316610c81e36376c", versionType: "git", }, { lessThan: "d45d9f45e7b1365fd0d9bf14680d6d5082a590d1", status: "affected", version: "b36e8257641a043764c62240316610c81e36376c", versionType: "git", }, { lessThan: "fc92d9e3de0b2d30a3ccc08048a5fad533e4672b", status: "affected", version: "b36e8257641a043764c62240316610c81e36376c", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/iio/health/afe4404.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "4.8", }, { lessThan: "4.8", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.9.*", status: "unaffected", version: "4.9.335", versionType: "semver", }, { lessThanOrEqual: "4.14.*", status: "unaffected", version: "4.14.301", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.268", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.226", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.158", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.82", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.12", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\niio: health: afe4404: Fix oob read in afe4404_[read|write]_raw\n\nKASAN report out-of-bounds read as follows:\n\nBUG: KASAN: global-out-of-bounds in afe4404_read_raw+0x2ce/0x380\nRead of size 4 at addr ffffffffc00e4658 by task cat/278\n\nCall Trace:\n afe4404_read_raw\n iio_read_channel_info\n dev_attr_show\n\nThe buggy address belongs to the variable:\n afe4404_channel_leds+0x18/0xffffffffffffe9c0\n\nThis issue can be reproduce by singe command:\n\n $ cat /sys/bus/i2c/devices/0-0058/iio\\:device0/in_intensity6_raw\n\nThe array size of afe4404_channel_leds and afe4404_channel_offdacs\nare less than channels, so access with chan->address cause OOB read\nin afe4404_[read|write]_raw. Fix it by moving access before use them.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:12:48.808Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/68de7da092f38395dde523f2e5db26eba6c23e28", }, { url: "https://git.kernel.org/stable/c/113c08030a89aaf406f8a1d4549d758a67c2afba", }, { url: "https://git.kernel.org/stable/c/f5575041ec15310bdc50c42b8b22118cc900226e", }, { url: "https://git.kernel.org/stable/c/3f566b626029ca8598d48e5074e56bb37399ca1b", }, { url: "https://git.kernel.org/stable/c/5eb114f55b37dbc0487aa9c1913b81bb7837f1c4", }, { url: "https://git.kernel.org/stable/c/f7419fc42afc035f6b29ce713e17dcd2000c833f", }, { url: "https://git.kernel.org/stable/c/d45d9f45e7b1365fd0d9bf14680d6d5082a590d1", }, { url: "https://git.kernel.org/stable/c/fc92d9e3de0b2d30a3ccc08048a5fad533e4672b", }, ], title: "iio: health: afe4404: Fix oob read in afe4404_[read|write]_raw", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-49032", datePublished: "2024-10-21T20:06:35.864Z", dateReserved: "2024-08-22T01:27:53.652Z", dateUpdated: "2024-12-19T08:12:48.808Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48995
Vulnerability from cvelistv5
Published
2024-10-21 20:06
Modified
2024-12-19 08:12
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Input: raydium_ts_i2c - fix memory leak in raydium_i2c_send()
There is a kmemleak when test the raydium_i2c_ts with bpf mock device:
unreferenced object 0xffff88812d3675a0 (size 8):
comm "python3", pid 349, jiffies 4294741067 (age 95.695s)
hex dump (first 8 bytes):
11 0e 10 c0 01 00 04 00 ........
backtrace:
[<0000000068427125>] __kmalloc+0x46/0x1b0
[<0000000090180f91>] raydium_i2c_send+0xd4/0x2bf [raydium_i2c_ts]
[<000000006e631aee>] raydium_i2c_initialize.cold+0xbc/0x3e4 [raydium_i2c_ts]
[<00000000dc6fcf38>] raydium_i2c_probe+0x3cd/0x6bc [raydium_i2c_ts]
[<00000000a310de16>] i2c_device_probe+0x651/0x680
[<00000000f5a96bf3>] really_probe+0x17c/0x3f0
[<00000000096ba499>] __driver_probe_device+0xe3/0x170
[<00000000c5acb4d9>] driver_probe_device+0x49/0x120
[<00000000264fe082>] __device_attach_driver+0xf7/0x150
[<00000000f919423c>] bus_for_each_drv+0x114/0x180
[<00000000e067feca>] __device_attach+0x1e5/0x2d0
[<0000000054301fc2>] bus_probe_device+0x126/0x140
[<00000000aad93b22>] device_add+0x810/0x1130
[<00000000c086a53f>] i2c_new_client_device+0x352/0x4e0
[<000000003c2c248c>] of_i2c_register_device+0xf1/0x110
[<00000000ffec4177>] of_i2c_notify+0x100/0x160
unreferenced object 0xffff88812d3675c8 (size 8):
comm "python3", pid 349, jiffies 4294741070 (age 95.692s)
hex dump (first 8 bytes):
22 00 36 2d 81 88 ff ff ".6-....
backtrace:
[<0000000068427125>] __kmalloc+0x46/0x1b0
[<0000000090180f91>] raydium_i2c_send+0xd4/0x2bf [raydium_i2c_ts]
[<000000001d5c9620>] raydium_i2c_initialize.cold+0x223/0x3e4 [raydium_i2c_ts]
[<00000000dc6fcf38>] raydium_i2c_probe+0x3cd/0x6bc [raydium_i2c_ts]
[<00000000a310de16>] i2c_device_probe+0x651/0x680
[<00000000f5a96bf3>] really_probe+0x17c/0x3f0
[<00000000096ba499>] __driver_probe_device+0xe3/0x170
[<00000000c5acb4d9>] driver_probe_device+0x49/0x120
[<00000000264fe082>] __device_attach_driver+0xf7/0x150
[<00000000f919423c>] bus_for_each_drv+0x114/0x180
[<00000000e067feca>] __device_attach+0x1e5/0x2d0
[<0000000054301fc2>] bus_probe_device+0x126/0x140
[<00000000aad93b22>] device_add+0x810/0x1130
[<00000000c086a53f>] i2c_new_client_device+0x352/0x4e0
[<000000003c2c248c>] of_i2c_register_device+0xf1/0x110
[<00000000ffec4177>] of_i2c_notify+0x100/0x160
After BANK_SWITCH command from i2c BUS, no matter success or error
happened, the tx_buf should be freed.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48995", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:15:57.179359Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:41.559Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/input/touchscreen/raydium_i2c_ts.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "a82869ac52f3d9db4b2cf8fd41edc2dee7a75a61", status: "affected", version: "3b384bd6c3f2d6d3526c77bfb264dfbaf737bc2a", versionType: "git", }, { lessThan: "53b9b1201e34ccc895971218559123625c56fbcd", status: "affected", version: "3b384bd6c3f2d6d3526c77bfb264dfbaf737bc2a", versionType: "git", }, { lessThan: "097c1c7a28e3da8f2811ba532be6e81faab15aab", status: "affected", version: "3b384bd6c3f2d6d3526c77bfb264dfbaf737bc2a", versionType: "git", }, { lessThan: "8c9a59939deb4bfafdc451100c03d1e848b4169b", status: "affected", version: "3b384bd6c3f2d6d3526c77bfb264dfbaf737bc2a", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/input/touchscreen/raydium_i2c_ts.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.10", }, { lessThan: "5.10", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.158", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.82", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.12", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: raydium_ts_i2c - fix memory leak in raydium_i2c_send()\n\nThere is a kmemleak when test the raydium_i2c_ts with bpf mock device:\n\n unreferenced object 0xffff88812d3675a0 (size 8):\n comm \"python3\", pid 349, jiffies 4294741067 (age 95.695s)\n hex dump (first 8 bytes):\n 11 0e 10 c0 01 00 04 00 ........\n backtrace:\n [<0000000068427125>] __kmalloc+0x46/0x1b0\n [<0000000090180f91>] raydium_i2c_send+0xd4/0x2bf [raydium_i2c_ts]\n [<000000006e631aee>] raydium_i2c_initialize.cold+0xbc/0x3e4 [raydium_i2c_ts]\n [<00000000dc6fcf38>] raydium_i2c_probe+0x3cd/0x6bc [raydium_i2c_ts]\n [<00000000a310de16>] i2c_device_probe+0x651/0x680\n [<00000000f5a96bf3>] really_probe+0x17c/0x3f0\n [<00000000096ba499>] __driver_probe_device+0xe3/0x170\n [<00000000c5acb4d9>] driver_probe_device+0x49/0x120\n [<00000000264fe082>] __device_attach_driver+0xf7/0x150\n [<00000000f919423c>] bus_for_each_drv+0x114/0x180\n [<00000000e067feca>] __device_attach+0x1e5/0x2d0\n [<0000000054301fc2>] bus_probe_device+0x126/0x140\n [<00000000aad93b22>] device_add+0x810/0x1130\n [<00000000c086a53f>] i2c_new_client_device+0x352/0x4e0\n [<000000003c2c248c>] of_i2c_register_device+0xf1/0x110\n [<00000000ffec4177>] of_i2c_notify+0x100/0x160\n unreferenced object 0xffff88812d3675c8 (size 8):\n comm \"python3\", pid 349, jiffies 4294741070 (age 95.692s)\n hex dump (first 8 bytes):\n 22 00 36 2d 81 88 ff ff \".6-....\n backtrace:\n [<0000000068427125>] __kmalloc+0x46/0x1b0\n [<0000000090180f91>] raydium_i2c_send+0xd4/0x2bf [raydium_i2c_ts]\n [<000000001d5c9620>] raydium_i2c_initialize.cold+0x223/0x3e4 [raydium_i2c_ts]\n [<00000000dc6fcf38>] raydium_i2c_probe+0x3cd/0x6bc [raydium_i2c_ts]\n [<00000000a310de16>] i2c_device_probe+0x651/0x680\n [<00000000f5a96bf3>] really_probe+0x17c/0x3f0\n [<00000000096ba499>] __driver_probe_device+0xe3/0x170\n [<00000000c5acb4d9>] driver_probe_device+0x49/0x120\n [<00000000264fe082>] __device_attach_driver+0xf7/0x150\n [<00000000f919423c>] bus_for_each_drv+0x114/0x180\n [<00000000e067feca>] __device_attach+0x1e5/0x2d0\n [<0000000054301fc2>] bus_probe_device+0x126/0x140\n [<00000000aad93b22>] device_add+0x810/0x1130\n [<00000000c086a53f>] i2c_new_client_device+0x352/0x4e0\n [<000000003c2c248c>] of_i2c_register_device+0xf1/0x110\n [<00000000ffec4177>] of_i2c_notify+0x100/0x160\n\nAfter BANK_SWITCH command from i2c BUS, no matter success or error\nhappened, the tx_buf should be freed.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:12:06.025Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/a82869ac52f3d9db4b2cf8fd41edc2dee7a75a61", }, { url: "https://git.kernel.org/stable/c/53b9b1201e34ccc895971218559123625c56fbcd", }, { url: "https://git.kernel.org/stable/c/097c1c7a28e3da8f2811ba532be6e81faab15aab", }, { url: "https://git.kernel.org/stable/c/8c9a59939deb4bfafdc451100c03d1e848b4169b", }, ], title: "Input: raydium_ts_i2c - fix memory leak in raydium_i2c_send()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48995", datePublished: "2024-10-21T20:06:11.482Z", dateReserved: "2024-08-22T01:27:53.637Z", dateUpdated: "2024-12-19T08:12:06.025Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47676
Vulnerability from cvelistv5
Published
2024-10-21 11:53
Modified
2024-12-19 09:25
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/hugetlb.c: fix UAF of vma in hugetlb fault pathway
Syzbot reports a UAF in hugetlb_fault(). This happens because
vmf_anon_prepare() could drop the per-VMA lock and allow the current VMA
to be freed before hugetlb_vma_unlock_read() is called.
We can fix this by using a modified version of vmf_anon_prepare() that
doesn't release the VMA lock on failure, and then release it ourselves
after hugetlb_vma_unlock_read().
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47676", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:07:59.972172Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:14:17.370Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "mm/hugetlb.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "e897d184a8dd4a4e1f39c8c495598e4d9472776c", status: "affected", version: "9acad7ba3e25d11f4c96df1b7312ae89e6faca5c", versionType: "git", }, { lessThan: "d59ebc99dee0a2687a26df94b901eb8216dbf876", status: "affected", version: "9acad7ba3e25d11f4c96df1b7312ae89e6faca5c", versionType: "git", }, { lessThan: "98b74bb4d7e96b4da5ef3126511febe55b76b807", status: "affected", version: "9acad7ba3e25d11f4c96df1b7312ae89e6faca5c", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "mm/hugetlb.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.9", }, { lessThan: "6.9", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb.c: fix UAF of vma in hugetlb fault pathway\n\nSyzbot reports a UAF in hugetlb_fault(). This happens because\nvmf_anon_prepare() could drop the per-VMA lock and allow the current VMA\nto be freed before hugetlb_vma_unlock_read() is called.\n\nWe can fix this by using a modified version of vmf_anon_prepare() that\ndoesn't release the VMA lock on failure, and then release it ourselves\nafter hugetlb_vma_unlock_read().", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:25:36.643Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/e897d184a8dd4a4e1f39c8c495598e4d9472776c", }, { url: "https://git.kernel.org/stable/c/d59ebc99dee0a2687a26df94b901eb8216dbf876", }, { url: "https://git.kernel.org/stable/c/98b74bb4d7e96b4da5ef3126511febe55b76b807", }, ], title: "mm/hugetlb.c: fix UAF of vma in hugetlb fault pathway", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47676", datePublished: "2024-10-21T11:53:20.482Z", dateReserved: "2024-09-30T16:00:12.938Z", dateUpdated: "2024-12-19T09:25:36.643Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50014
Vulnerability from cvelistv5
Published
2024-10-21 18:54
Modified
2025-02-02 10:14
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix access to uninitialised lock in fc replay path
The following kernel trace can be triggered with fstest generic/629 when
executed against a filesystem with fast-commit feature enabled:
INFO: trying to register non-static key.
The code is fine but needs lockdep annotation, or maybe
you didn't initialize this object before use?
turning off the locking correctness validator.
CPU: 0 PID: 866 Comm: mount Not tainted 6.10.0+ #11
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-prebuilt.qemu.org 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x66/0x90
register_lock_class+0x759/0x7d0
__lock_acquire+0x85/0x2630
? __find_get_block+0xb4/0x380
lock_acquire+0xd1/0x2d0
? __ext4_journal_get_write_access+0xd5/0x160
_raw_spin_lock+0x33/0x40
? __ext4_journal_get_write_access+0xd5/0x160
__ext4_journal_get_write_access+0xd5/0x160
ext4_reserve_inode_write+0x61/0xb0
__ext4_mark_inode_dirty+0x79/0x270
? ext4_ext_replay_set_iblocks+0x2f8/0x450
ext4_ext_replay_set_iblocks+0x330/0x450
ext4_fc_replay+0x14c8/0x1540
? jread+0x88/0x2e0
? rcu_is_watching+0x11/0x40
do_one_pass+0x447/0xd00
jbd2_journal_recover+0x139/0x1b0
jbd2_journal_load+0x96/0x390
ext4_load_and_init_journal+0x253/0xd40
ext4_fill_super+0x2cc6/0x3180
...
In the replay path there's an attempt to lock sbi->s_bdev_wb_lock in
function ext4_check_bdev_write_error(). Unfortunately, at this point this
spinlock has not been initialized yet. Moving it's initialization to an
earlier point in __ext4_fill_super() fixes this splat.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50014", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:28:16.018937Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:48.311Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/ext4/super.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "13ea9547763a0488a90ff37cdf52ec85e36ea344", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "6e35f560daebe40264c95e9a1ab03110d4997df6", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "d157fc20ca5239fd56965a5a8aa1a0e25919891a", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "b002031d585a14eed511117dda8c6452a804d508", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "23dfdb56581ad92a9967bcd720c8c23356af74c1", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/ext4/super.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.128", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.75", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix access to uninitialised lock in fc replay path\n\nThe following kernel trace can be triggered with fstest generic/629 when\nexecuted against a filesystem with fast-commit feature enabled:\n\nINFO: trying to register non-static key.\nThe code is fine but needs lockdep annotation, or maybe\nyou didn't initialize this object before use?\nturning off the locking correctness validator.\nCPU: 0 PID: 866 Comm: mount Not tainted 6.10.0+ #11\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-prebuilt.qemu.org 04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl+0x66/0x90\n register_lock_class+0x759/0x7d0\n __lock_acquire+0x85/0x2630\n ? __find_get_block+0xb4/0x380\n lock_acquire+0xd1/0x2d0\n ? __ext4_journal_get_write_access+0xd5/0x160\n _raw_spin_lock+0x33/0x40\n ? __ext4_journal_get_write_access+0xd5/0x160\n __ext4_journal_get_write_access+0xd5/0x160\n ext4_reserve_inode_write+0x61/0xb0\n __ext4_mark_inode_dirty+0x79/0x270\n ? ext4_ext_replay_set_iblocks+0x2f8/0x450\n ext4_ext_replay_set_iblocks+0x330/0x450\n ext4_fc_replay+0x14c8/0x1540\n ? jread+0x88/0x2e0\n ? rcu_is_watching+0x11/0x40\n do_one_pass+0x447/0xd00\n jbd2_journal_recover+0x139/0x1b0\n jbd2_journal_load+0x96/0x390\n ext4_load_and_init_journal+0x253/0xd40\n ext4_fill_super+0x2cc6/0x3180\n...\n\nIn the replay path there's an attempt to lock sbi->s_bdev_wb_lock in\nfunction ext4_check_bdev_write_error(). Unfortunately, at this point this\nspinlock has not been initialized yet. Moving it's initialization to an\nearlier point in __ext4_fill_super() fixes this splat.", }, ], providerMetadata: { dateUpdated: "2025-02-02T10:14:57.813Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/13ea9547763a0488a90ff37cdf52ec85e36ea344", }, { url: "https://git.kernel.org/stable/c/6e35f560daebe40264c95e9a1ab03110d4997df6", }, { url: "https://git.kernel.org/stable/c/d157fc20ca5239fd56965a5a8aa1a0e25919891a", }, { url: "https://git.kernel.org/stable/c/b002031d585a14eed511117dda8c6452a804d508", }, { url: "https://git.kernel.org/stable/c/23dfdb56581ad92a9967bcd720c8c23356af74c1", }, ], title: "ext4: fix access to uninitialised lock in fc replay path", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50014", datePublished: "2024-10-21T18:54:05.764Z", dateReserved: "2024-10-21T12:17:06.062Z", dateUpdated: "2025-02-02T10:14:57.813Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49896
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:28
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Check stream before comparing them
[WHAT & HOW]
amdgpu_dm can pass a null stream to dc_is_stream_unchanged. It is
necessary to check for null before dereferencing them.
This fixes 1 FORWARD_NULL issue reported by Coverity.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49896", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:43:34.031832Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:48.361Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/core/dc_resource.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "3944d226f55235a960d8f1135927f95e9801be12", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "471c53350ab83e47a2a117c2738ce0363785976e", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "0167d570f6a0b38689c4a0e50bf79c518d827500", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "14db8692afe1aa2143b673856bb603713d8ea93f", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "e8da54b7f8a17e44e67ea6d1037f35450af28115", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "42d31a33643813cce55ee1ebbad3a2d0d24a08e0", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "5b4b13e678b15975055f4ff1ce4cf0ce4c19b6c4", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "e41a291e1bef1153bba091b6580ecc7affc53c82", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "35ff747c86767937ee1e0ca987545b7eed7a0810", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/core/dc_resource.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check stream before comparing them\n\n[WHAT & HOW]\namdgpu_dm can pass a null stream to dc_is_stream_unchanged. It is\nnecessary to check for null before dereferencing them.\n\nThis fixes 1 FORWARD_NULL issue reported by Coverity.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:28:34.694Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/3944d226f55235a960d8f1135927f95e9801be12", }, { url: "https://git.kernel.org/stable/c/471c53350ab83e47a2a117c2738ce0363785976e", }, { url: "https://git.kernel.org/stable/c/0167d570f6a0b38689c4a0e50bf79c518d827500", }, { url: "https://git.kernel.org/stable/c/14db8692afe1aa2143b673856bb603713d8ea93f", }, { url: "https://git.kernel.org/stable/c/e8da54b7f8a17e44e67ea6d1037f35450af28115", }, { url: "https://git.kernel.org/stable/c/42d31a33643813cce55ee1ebbad3a2d0d24a08e0", }, { url: "https://git.kernel.org/stable/c/5b4b13e678b15975055f4ff1ce4cf0ce4c19b6c4", }, { url: "https://git.kernel.org/stable/c/e41a291e1bef1153bba091b6580ecc7affc53c82", }, { url: "https://git.kernel.org/stable/c/35ff747c86767937ee1e0ca987545b7eed7a0810", }, ], title: "drm/amd/display: Check stream before comparing them", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49896", datePublished: "2024-10-21T18:01:29.700Z", dateReserved: "2024-10-21T12:17:06.026Z", dateUpdated: "2024-12-19T09:28:34.694Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47691
Vulnerability from cvelistv5
Published
2024-10-21 11:53
Modified
2024-12-19 09:26
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to avoid use-after-free in f2fs_stop_gc_thread()
syzbot reports a f2fs bug as below:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
print_report+0xe8/0x550 mm/kasan/report.c:491
kasan_report+0x143/0x180 mm/kasan/report.c:601
kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
__refcount_add include/linux/refcount.h:184 [inline]
__refcount_inc include/linux/refcount.h:241 [inline]
refcount_inc include/linux/refcount.h:258 [inline]
get_task_struct include/linux/sched/task.h:118 [inline]
kthread_stop+0xca/0x630 kernel/kthread.c:704
f2fs_stop_gc_thread+0x65/0xb0 fs/f2fs/gc.c:210
f2fs_do_shutdown+0x192/0x540 fs/f2fs/file.c:2283
f2fs_ioc_shutdown fs/f2fs/file.c:2325 [inline]
__f2fs_ioctl+0x443a/0xbe60 fs/f2fs/file.c:4325
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The root cause is below race condition, it may cause use-after-free
issue in sbi->gc_th pointer.
- remount
- f2fs_remount
- f2fs_stop_gc_thread
- kfree(gc_th)
- f2fs_ioc_shutdown
- f2fs_do_shutdown
- f2fs_stop_gc_thread
- kthread_stop(gc_th->f2fs_gc_task)
: sbi->gc_thread = NULL;
We will call f2fs_do_shutdown() in two paths:
- for f2fs_ioc_shutdown() path, we should grab sb->s_umount semaphore
for fixing.
- for f2fs_shutdown() path, it's safe since caller has already grabbed
sb->s_umount semaphore.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47691", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:05:54.447851Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:14:15.179Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/f2fs/f2fs.h", "fs/f2fs/file.c", "fs/f2fs/super.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "fc18e655b62ac6bc9f12f5de0d749b4a3fe1e812", status: "affected", version: "7950e9ac638e84518fbdd5c930939ad46a1068c5", versionType: "git", }, { lessThan: "7c339dee7eb0f8e4cadc317c595f898ef04dae30", status: "affected", version: "7950e9ac638e84518fbdd5c930939ad46a1068c5", versionType: "git", }, { lessThan: "d79343cd66343709e409d96b2abb139a0a55ce34", status: "affected", version: "7950e9ac638e84518fbdd5c930939ad46a1068c5", versionType: "git", }, { lessThan: "c7f114d864ac91515bb07ac271e9824a20f5ed95", status: "affected", version: "7950e9ac638e84518fbdd5c930939ad46a1068c5", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/f2fs/f2fs.h", "fs/f2fs/file.c", "fs/f2fs/super.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "4.16", }, { lessThan: "4.16", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid use-after-free in f2fs_stop_gc_thread()\n\nsyzbot reports a f2fs bug as below:\n\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n print_report+0xe8/0x550 mm/kasan/report.c:491\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n kasan_check_range+0x282/0x290 mm/kasan/generic.c:189\n instrument_atomic_read_write include/linux/instrumented.h:96 [inline]\n atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]\n __refcount_add include/linux/refcount.h:184 [inline]\n __refcount_inc include/linux/refcount.h:241 [inline]\n refcount_inc include/linux/refcount.h:258 [inline]\n get_task_struct include/linux/sched/task.h:118 [inline]\n kthread_stop+0xca/0x630 kernel/kthread.c:704\n f2fs_stop_gc_thread+0x65/0xb0 fs/f2fs/gc.c:210\n f2fs_do_shutdown+0x192/0x540 fs/f2fs/file.c:2283\n f2fs_ioc_shutdown fs/f2fs/file.c:2325 [inline]\n __f2fs_ioctl+0x443a/0xbe60 fs/f2fs/file.c:4325\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:907 [inline]\n __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThe root cause is below race condition, it may cause use-after-free\nissue in sbi->gc_th pointer.\n\n- remount\n - f2fs_remount\n - f2fs_stop_gc_thread\n - kfree(gc_th)\n\t\t\t\t- f2fs_ioc_shutdown\n\t\t\t\t - f2fs_do_shutdown\n\t\t\t\t - f2fs_stop_gc_thread\n\t\t\t\t - kthread_stop(gc_th->f2fs_gc_task)\n : sbi->gc_thread = NULL;\n\nWe will call f2fs_do_shutdown() in two paths:\n- for f2fs_ioc_shutdown() path, we should grab sb->s_umount semaphore\nfor fixing.\n- for f2fs_shutdown() path, it's safe since caller has already grabbed\nsb->s_umount semaphore.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:26:10.810Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/fc18e655b62ac6bc9f12f5de0d749b4a3fe1e812", }, { url: "https://git.kernel.org/stable/c/7c339dee7eb0f8e4cadc317c595f898ef04dae30", }, { url: "https://git.kernel.org/stable/c/d79343cd66343709e409d96b2abb139a0a55ce34", }, { url: "https://git.kernel.org/stable/c/c7f114d864ac91515bb07ac271e9824a20f5ed95", }, ], title: "f2fs: fix to avoid use-after-free in f2fs_stop_gc_thread()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47691", datePublished: "2024-10-21T11:53:30.555Z", dateReserved: "2024-09-30T16:00:12.942Z", dateUpdated: "2024-12-19T09:26:10.810Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47689
Vulnerability from cvelistv5
Published
2024-10-21 11:53
Modified
2024-12-19 09:26
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to don't set SB_RDONLY in f2fs_handle_critical_error()
syzbot reports a f2fs bug as below:
------------[ cut here ]------------
WARNING: CPU: 1 PID: 58 at kernel/rcu/sync.c:177 rcu_sync_dtor+0xcd/0x180 kernel/rcu/sync.c:177
CPU: 1 UID: 0 PID: 58 Comm: kworker/1:2 Not tainted 6.10.0-syzkaller-12562-g1722389b0d86 #0
Workqueue: events destroy_super_work
RIP: 0010:rcu_sync_dtor+0xcd/0x180 kernel/rcu/sync.c:177
Call Trace:
percpu_free_rwsem+0x41/0x80 kernel/locking/percpu-rwsem.c:42
destroy_super_work+0xec/0x130 fs/super.c:282
process_one_work kernel/workqueue.c:3231 [inline]
process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
worker_thread+0x86d/0xd40 kernel/workqueue.c:3390
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
As Christian Brauner pointed out [1]: the root cause is f2fs sets
SB_RDONLY flag in internal function, rather than setting the flag
covered w/ sb->s_umount semaphore via remount procedure, then below
race condition causes this bug:
- freeze_super()
- sb_wait_write(sb, SB_FREEZE_WRITE)
- sb_wait_write(sb, SB_FREEZE_PAGEFAULT)
- sb_wait_write(sb, SB_FREEZE_FS)
- f2fs_handle_critical_error
- sb->s_flags |= SB_RDONLY
- thaw_super
- thaw_super_locked
- sb_rdonly() is true, so it skips
sb_freeze_unlock(sb, SB_FREEZE_FS)
- deactivate_locked_super
Since f2fs has almost the same logic as ext4 [2] when handling critical
error in filesystem if it mounts w/ errors=remount-ro option:
- set CP_ERROR_FLAG flag which indicates filesystem is stopped
- record errors to superblock
- set SB_RDONLY falg
Once we set CP_ERROR_FLAG flag, all writable interfaces can detect the
flag and stop any further updates on filesystem. So, it is safe to not
set SB_RDONLY flag, let's remove the logic and keep in line w/ ext4 [3].
[1] https://lore.kernel.org/all/20240729-himbeeren-funknetz-96e62f9c7aee@brauner
[2] https://lore.kernel.org/all/20240729132721.hxih6ehigadqf7wx@quack3
[3] https://lore.kernel.org/linux-ext4/20240805201241.27286-1-jack@suse.cz
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47689", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:06:11.931921Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:14:15.437Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/f2fs/super.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "649ec8b30df113042588bd3d3cd4e98bcb1091e0", status: "affected", version: "b62e71be2110d8b52bf5faf3c3ed7ca1a0c113a5", versionType: "git", }, { lessThan: "de43021c72993877a8f86f9fddfa0687609da5a4", status: "affected", version: "b62e71be2110d8b52bf5faf3c3ed7ca1a0c113a5", versionType: "git", }, { lessThan: "1f63f405c1a1a64b9c310388aad7055fb86b245c", status: "affected", version: "b62e71be2110d8b52bf5faf3c3ed7ca1a0c113a5", versionType: "git", }, { lessThan: "930c6ab93492c4b15436524e704950b364b2930c", status: "affected", version: "b62e71be2110d8b52bf5faf3c3ed7ca1a0c113a5", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/f2fs/super.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.5", }, { lessThan: "6.5", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to don't set SB_RDONLY in f2fs_handle_critical_error()\n\nsyzbot reports a f2fs bug as below:\n\n------------[ cut here ]------------\nWARNING: CPU: 1 PID: 58 at kernel/rcu/sync.c:177 rcu_sync_dtor+0xcd/0x180 kernel/rcu/sync.c:177\nCPU: 1 UID: 0 PID: 58 Comm: kworker/1:2 Not tainted 6.10.0-syzkaller-12562-g1722389b0d86 #0\nWorkqueue: events destroy_super_work\nRIP: 0010:rcu_sync_dtor+0xcd/0x180 kernel/rcu/sync.c:177\nCall Trace:\n percpu_free_rwsem+0x41/0x80 kernel/locking/percpu-rwsem.c:42\n destroy_super_work+0xec/0x130 fs/super.c:282\n process_one_work kernel/workqueue.c:3231 [inline]\n process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312\n worker_thread+0x86d/0xd40 kernel/workqueue.c:3390\n kthread+0x2f0/0x390 kernel/kthread.c:389\n ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n\nAs Christian Brauner pointed out [1]: the root cause is f2fs sets\nSB_RDONLY flag in internal function, rather than setting the flag\ncovered w/ sb->s_umount semaphore via remount procedure, then below\nrace condition causes this bug:\n\n- freeze_super()\n - sb_wait_write(sb, SB_FREEZE_WRITE)\n - sb_wait_write(sb, SB_FREEZE_PAGEFAULT)\n - sb_wait_write(sb, SB_FREEZE_FS)\n\t\t\t\t\t- f2fs_handle_critical_error\n\t\t\t\t\t - sb->s_flags |= SB_RDONLY\n- thaw_super\n - thaw_super_locked\n - sb_rdonly() is true, so it skips\n sb_freeze_unlock(sb, SB_FREEZE_FS)\n - deactivate_locked_super\n\nSince f2fs has almost the same logic as ext4 [2] when handling critical\nerror in filesystem if it mounts w/ errors=remount-ro option:\n- set CP_ERROR_FLAG flag which indicates filesystem is stopped\n- record errors to superblock\n- set SB_RDONLY falg\nOnce we set CP_ERROR_FLAG flag, all writable interfaces can detect the\nflag and stop any further updates on filesystem. So, it is safe to not\nset SB_RDONLY flag, let's remove the logic and keep in line w/ ext4 [3].\n\n[1] https://lore.kernel.org/all/20240729-himbeeren-funknetz-96e62f9c7aee@brauner\n[2] https://lore.kernel.org/all/20240729132721.hxih6ehigadqf7wx@quack3\n[3] https://lore.kernel.org/linux-ext4/20240805201241.27286-1-jack@suse.cz", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:26:08.341Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/649ec8b30df113042588bd3d3cd4e98bcb1091e0", }, { url: "https://git.kernel.org/stable/c/de43021c72993877a8f86f9fddfa0687609da5a4", }, { url: "https://git.kernel.org/stable/c/1f63f405c1a1a64b9c310388aad7055fb86b245c", }, { url: "https://git.kernel.org/stable/c/930c6ab93492c4b15436524e704950b364b2930c", }, ], title: "f2fs: fix to don't set SB_RDONLY in f2fs_handle_critical_error()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47689", datePublished: "2024-10-21T11:53:29.185Z", dateReserved: "2024-09-30T16:00:12.941Z", dateUpdated: "2024-12-19T09:26:08.341Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49880
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:28
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix off by one issue in alloc_flex_gd()
Wesley reported an issue:
==================================================================
EXT4-fs (dm-5): resizing filesystem from 7168 to 786432 blocks
------------[ cut here ]------------
kernel BUG at fs/ext4/resize.c:324!
CPU: 9 UID: 0 PID: 3576 Comm: resize2fs Not tainted 6.11.0+ #27
RIP: 0010:ext4_resize_fs+0x1212/0x12d0
Call Trace:
__ext4_ioctl+0x4e0/0x1800
ext4_ioctl+0x12/0x20
__x64_sys_ioctl+0x99/0xd0
x64_sys_call+0x1206/0x20d0
do_syscall_64+0x72/0x110
entry_SYSCALL_64_after_hwframe+0x76/0x7e
==================================================================
While reviewing the patch, Honza found that when adjusting resize_bg in
alloc_flex_gd(), it was possible for flex_gd->resize_bg to be bigger than
flexbg_size.
The reproduction of the problem requires the following:
o_group = flexbg_size * 2 * n;
o_size = (o_group + 1) * group_size;
n_group: [o_group + flexbg_size, o_group + flexbg_size * 2)
o_size = (n_group + 1) * group_size;
Take n=0,flexbg_size=16 as an example:
last:15
|o---------------|--------------n-|
o_group:0 resize to n_group:30
The corresponding reproducer is:
img=test.img
rm -f $img
truncate -s 600M $img
mkfs.ext4 -F $img -b 1024 -G 16 8M
dev=`losetup -f --show $img`
mkdir -p /tmp/test
mount $dev /tmp/test
resize2fs $dev 248M
Delete the problematic plus 1 to fix the issue, and add a WARN_ON_ONCE()
to prevent the issue from happening again.
[ Note: another reproucer which this commit fixes is:
img=test.img
rm -f $img
truncate -s 25MiB $img
mkfs.ext4 -b 4096 -E nodiscard,lazy_itable_init=0,lazy_journal_init=0 $img
truncate -s 3GiB $img
dev=`losetup -f --show $img`
mkdir -p /tmp/test
mount $dev /tmp/test
resize2fs $dev 3G
umount $dev
losetup -d $dev
-- TYT ]
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49880", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:45:46.406029Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:50.680Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/ext4/resize.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "0d80d2b8bf613398baf7185009e35f9d0459ecb0", status: "affected", version: "665d3e0af4d35acf9a5f58dfd471bc27dbf55880", versionType: "git", }, { lessThan: "acb559d6826116cc113598640d105094620c2526", status: "affected", version: "665d3e0af4d35acf9a5f58dfd471bc27dbf55880", versionType: "git", }, { lessThan: "6121258c2b33ceac3d21f6a221452692c465df88", status: "affected", version: "665d3e0af4d35acf9a5f58dfd471bc27dbf55880", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/ext4/resize.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.8", }, { lessThan: "6.8", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix off by one issue in alloc_flex_gd()\n\nWesley reported an issue:\n\n==================================================================\nEXT4-fs (dm-5): resizing filesystem from 7168 to 786432 blocks\n------------[ cut here ]------------\nkernel BUG at fs/ext4/resize.c:324!\nCPU: 9 UID: 0 PID: 3576 Comm: resize2fs Not tainted 6.11.0+ #27\nRIP: 0010:ext4_resize_fs+0x1212/0x12d0\nCall Trace:\n __ext4_ioctl+0x4e0/0x1800\n ext4_ioctl+0x12/0x20\n __x64_sys_ioctl+0x99/0xd0\n x64_sys_call+0x1206/0x20d0\n do_syscall_64+0x72/0x110\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n==================================================================\n\nWhile reviewing the patch, Honza found that when adjusting resize_bg in\nalloc_flex_gd(), it was possible for flex_gd->resize_bg to be bigger than\nflexbg_size.\n\nThe reproduction of the problem requires the following:\n\n o_group = flexbg_size * 2 * n;\n o_size = (o_group + 1) * group_size;\n n_group: [o_group + flexbg_size, o_group + flexbg_size * 2)\n o_size = (n_group + 1) * group_size;\n\nTake n=0,flexbg_size=16 as an example:\n\n last:15\n|o---------------|--------------n-|\no_group:0 resize to n_group:30\n\nThe corresponding reproducer is:\n\nimg=test.img\nrm -f $img\ntruncate -s 600M $img\nmkfs.ext4 -F $img -b 1024 -G 16 8M\ndev=`losetup -f --show $img`\nmkdir -p /tmp/test\nmount $dev /tmp/test\nresize2fs $dev 248M\n\nDelete the problematic plus 1 to fix the issue, and add a WARN_ON_ONCE()\nto prevent the issue from happening again.\n\n[ Note: another reproucer which this commit fixes is:\n\n img=test.img\n rm -f $img\n truncate -s 25MiB $img\n mkfs.ext4 -b 4096 -E nodiscard,lazy_itable_init=0,lazy_journal_init=0 $img\n truncate -s 3GiB $img\n dev=`losetup -f --show $img`\n mkdir -p /tmp/test\n mount $dev /tmp/test\n resize2fs $dev 3G\n umount $dev\n losetup -d $dev\n\n -- TYT ]", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:28:15.214Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/0d80d2b8bf613398baf7185009e35f9d0459ecb0", }, { url: "https://git.kernel.org/stable/c/acb559d6826116cc113598640d105094620c2526", }, { url: "https://git.kernel.org/stable/c/6121258c2b33ceac3d21f6a221452692c465df88", }, ], title: "ext4: fix off by one issue in alloc_flex_gd()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49880", datePublished: "2024-10-21T18:01:18.790Z", dateReserved: "2024-10-21T12:17:06.021Z", dateUpdated: "2024-12-19T09:28:15.214Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-52918
Vulnerability from cvelistv5
Published
2024-10-22 07:37
Modified
2024-12-19 08:28
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: pci: cx23885: check cx23885_vdev_init() return
cx23885_vdev_init() can return a NULL pointer, but that pointer
is used in the next line without a check.
Add a NULL pointer check and go to the error unwind if it is NULL.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2023-52918", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:10:51.331784Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:35.304Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/media/pci/cx23885/cx23885-video.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "8e31b096e2e1949bc8f0be019c9ae70d414404c6", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "199a42fc4c45e8b7f19efeb15dbc36889a599ac2", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "e7385510e2550a9f8b6f3d5f33c5b894ab9ba976", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "a5f1d30c51c485cec7a7de60205667c3ff86c303", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "06ee04a907d64ee3910fecedd05d7f1be4b1b70e", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "b1397fb4a779fca560c43d2acf6702d41b4a495b", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "15126b916e39b0cb67026b0af3c014bfeb1f76b3", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/media/pci/cx23885/cx23885-video.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.321", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.283", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.225", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.166", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.107", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.48", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.9", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: pci: cx23885: check cx23885_vdev_init() return\n\ncx23885_vdev_init() can return a NULL pointer, but that pointer\nis used in the next line without a check.\n\nAdd a NULL pointer check and go to the error unwind if it is NULL.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:28:32.489Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/8e31b096e2e1949bc8f0be019c9ae70d414404c6", }, { url: "https://git.kernel.org/stable/c/199a42fc4c45e8b7f19efeb15dbc36889a599ac2", }, { url: "https://git.kernel.org/stable/c/e7385510e2550a9f8b6f3d5f33c5b894ab9ba976", }, { url: "https://git.kernel.org/stable/c/a5f1d30c51c485cec7a7de60205667c3ff86c303", }, { url: "https://git.kernel.org/stable/c/06ee04a907d64ee3910fecedd05d7f1be4b1b70e", }, { url: "https://git.kernel.org/stable/c/b1397fb4a779fca560c43d2acf6702d41b4a495b", }, { url: "https://git.kernel.org/stable/c/15126b916e39b0cb67026b0af3c014bfeb1f76b3", }, ], title: "media: pci: cx23885: check cx23885_vdev_init() return", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2023-52918", datePublished: "2024-10-22T07:37:27.390Z", dateReserved: "2024-08-21T06:07:11.017Z", dateUpdated: "2024-12-19T08:28:32.489Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50056
Vulnerability from cvelistv5
Published
2024-10-21 19:39
Modified
2024-12-19 09:32
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: uvc: Fix ERR_PTR dereference in uvc_v4l2.c
Fix potential dereferencing of ERR_PTR() in find_format_by_pix()
and uvc_v4l2_enum_format().
Fix the following smatch errors:
drivers/usb/gadget/function/uvc_v4l2.c:124 find_format_by_pix()
error: 'fmtdesc' dereferencing possible ERR_PTR()
drivers/usb/gadget/function/uvc_v4l2.c:392 uvc_v4l2_enum_format()
error: 'fmtdesc' dereferencing possible ERR_PTR()
Also, fix similar issue in uvc_v4l2_try_format() for potential
dereferencing of ERR_PTR().
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50056", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:23:29.014877Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:42.896Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/usb/gadget/function/uvc_v4l2.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "cedeb36c3ff4acd0f3d09918dfd8ed1df05efdd6", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "a7bb96b18864225a694e3887ac2733159489e4b0", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/usb/gadget/function/uvc_v4l2.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.4", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: uvc: Fix ERR_PTR dereference in uvc_v4l2.c\n\nFix potential dereferencing of ERR_PTR() in find_format_by_pix()\nand uvc_v4l2_enum_format().\n\nFix the following smatch errors:\n\ndrivers/usb/gadget/function/uvc_v4l2.c:124 find_format_by_pix()\nerror: 'fmtdesc' dereferencing possible ERR_PTR()\n\ndrivers/usb/gadget/function/uvc_v4l2.c:392 uvc_v4l2_enum_format()\nerror: 'fmtdesc' dereferencing possible ERR_PTR()\n\nAlso, fix similar issue in uvc_v4l2_try_format() for potential\ndereferencing of ERR_PTR().", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:32:08.427Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/cedeb36c3ff4acd0f3d09918dfd8ed1df05efdd6", }, { url: "https://git.kernel.org/stable/c/a7bb96b18864225a694e3887ac2733159489e4b0", }, ], title: "usb: gadget: uvc: Fix ERR_PTR dereference in uvc_v4l2.c", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50056", datePublished: "2024-10-21T19:39:47.131Z", dateReserved: "2024-10-21T19:36:19.938Z", dateUpdated: "2024-12-19T09:32:08.427Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48984
Vulnerability from cvelistv5
Published
2024-10-21 20:06
Modified
2024-12-19 08:11
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: slcan: fix freed work crash
The LTP test pty03 is causing a crash in slcan:
BUG: kernel NULL pointer dereference, address: 0000000000000008
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 0 PID: 348 Comm: kworker/0:3 Not tainted 6.0.8-1-default #1 openSUSE Tumbleweed 9d20364b934f5aab0a9bdf84e8f45cfdfae39dab
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014
Workqueue: 0x0 (events)
RIP: 0010:process_one_work (/home/rich/kernel/linux/kernel/workqueue.c:706 /home/rich/kernel/linux/kernel/workqueue.c:2185)
Code: 49 89 ff 41 56 41 55 41 54 55 53 48 89 f3 48 83 ec 10 48 8b 06 48 8b 6f 48 49 89 c4 45 30 e4 a8 04 b8 00 00 00 00 4c 0f 44 e0 <49> 8b 44 24 08 44 8b a8 00 01 00 00 41 83 e5 20 f6 45 10 04 75 0e
RSP: 0018:ffffaf7b40f47e98 EFLAGS: 00010046
RAX: 0000000000000000 RBX: ffff9d644e1b8b48 RCX: ffff9d649e439968
RDX: 00000000ffff8455 RSI: ffff9d644e1b8b48 RDI: ffff9d64764aa6c0
RBP: ffff9d649e4335c0 R08: 0000000000000c00 R09: ffff9d64764aa734
R10: 0000000000000007 R11: 0000000000000001 R12: 0000000000000000
R13: ffff9d649e4335e8 R14: ffff9d64490da780 R15: ffff9d64764aa6c0
FS: 0000000000000000(0000) GS:ffff9d649e400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000008 CR3: 0000000036424000 CR4: 00000000000006f0
Call Trace:
<TASK>
worker_thread (/home/rich/kernel/linux/kernel/workqueue.c:2436)
kthread (/home/rich/kernel/linux/kernel/kthread.c:376)
ret_from_fork (/home/rich/kernel/linux/arch/x86/entry/entry_64.S:312)
Apparently, the slcan's tx_work is freed while being scheduled. While
slcan_netdev_close() (netdev side) calls flush_work(&sl->tx_work),
slcan_close() (tty side) does not. So when the netdev is never set UP,
but the tty is stuffed with bytes and forced to wakeup write, the work
is scheduled, but never flushed.
So add an additional flush_work() to slcan_close() to be sure the work
is flushed under all circumstances.
The Fixes commit below moved flush_work() from slcan_close() to
slcan_netdev_close(). What was the rationale behind it? Maybe we can
drop the one in slcan_netdev_close()?
I see the same pattern in can327. So it perhaps needs the very same fix.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48984", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:17:27.753178Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:43.273Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/can/slcan/slcan-core.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "9e2709d58a14a10eb00d919acd7dec071c33f8c8", status: "affected", version: "cfcb4465e9923bb9ac168abcea84e880633f9cef", versionType: "git", }, { lessThan: "fb855e9f3b6b42c72af3f1eb0b288998fe0d5ebb", status: "affected", version: "cfcb4465e9923bb9ac168abcea84e880633f9cef", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/can/slcan/slcan-core.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.0", }, { lessThan: "6.0", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.13", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: slcan: fix freed work crash\n\nThe LTP test pty03 is causing a crash in slcan:\n BUG: kernel NULL pointer dereference, address: 0000000000000008\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 0 PID: 348 Comm: kworker/0:3 Not tainted 6.0.8-1-default #1 openSUSE Tumbleweed 9d20364b934f5aab0a9bdf84e8f45cfdfae39dab\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014\n Workqueue: 0x0 (events)\n RIP: 0010:process_one_work (/home/rich/kernel/linux/kernel/workqueue.c:706 /home/rich/kernel/linux/kernel/workqueue.c:2185)\n Code: 49 89 ff 41 56 41 55 41 54 55 53 48 89 f3 48 83 ec 10 48 8b 06 48 8b 6f 48 49 89 c4 45 30 e4 a8 04 b8 00 00 00 00 4c 0f 44 e0 <49> 8b 44 24 08 44 8b a8 00 01 00 00 41 83 e5 20 f6 45 10 04 75 0e\n RSP: 0018:ffffaf7b40f47e98 EFLAGS: 00010046\n RAX: 0000000000000000 RBX: ffff9d644e1b8b48 RCX: ffff9d649e439968\n RDX: 00000000ffff8455 RSI: ffff9d644e1b8b48 RDI: ffff9d64764aa6c0\n RBP: ffff9d649e4335c0 R08: 0000000000000c00 R09: ffff9d64764aa734\n R10: 0000000000000007 R11: 0000000000000001 R12: 0000000000000000\n R13: ffff9d649e4335e8 R14: ffff9d64490da780 R15: ffff9d64764aa6c0\n FS: 0000000000000000(0000) GS:ffff9d649e400000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000008 CR3: 0000000036424000 CR4: 00000000000006f0\n Call Trace:\n <TASK>\n worker_thread (/home/rich/kernel/linux/kernel/workqueue.c:2436)\n kthread (/home/rich/kernel/linux/kernel/kthread.c:376)\n ret_from_fork (/home/rich/kernel/linux/arch/x86/entry/entry_64.S:312)\n\nApparently, the slcan's tx_work is freed while being scheduled. While\nslcan_netdev_close() (netdev side) calls flush_work(&sl->tx_work),\nslcan_close() (tty side) does not. So when the netdev is never set UP,\nbut the tty is stuffed with bytes and forced to wakeup write, the work\nis scheduled, but never flushed.\n\nSo add an additional flush_work() to slcan_close() to be sure the work\nis flushed under all circumstances.\n\nThe Fixes commit below moved flush_work() from slcan_close() to\nslcan_netdev_close(). What was the rationale behind it? Maybe we can\ndrop the one in slcan_netdev_close()?\n\nI see the same pattern in can327. So it perhaps needs the very same fix.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:11:54.332Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/9e2709d58a14a10eb00d919acd7dec071c33f8c8", }, { url: "https://git.kernel.org/stable/c/fb855e9f3b6b42c72af3f1eb0b288998fe0d5ebb", }, ], title: "can: slcan: fix freed work crash", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48984", datePublished: "2024-10-21T20:06:01.083Z", dateReserved: "2024-08-22T01:27:53.633Z", dateUpdated: "2024-12-19T08:11:54.332Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50024
Vulnerability from cvelistv5
Published
2024-10-21 19:39
Modified
2024-12-19 09:31
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: Fix an unsafe loop on the list
The kernel may crash when deleting a genetlink family if there are still
listeners for that family:
Oops: Kernel access of bad area, sig: 11 [#1]
...
NIP [c000000000c080bc] netlink_update_socket_mc+0x3c/0xc0
LR [c000000000c0f764] __netlink_clear_multicast_users+0x74/0xc0
Call Trace:
__netlink_clear_multicast_users+0x74/0xc0
genl_unregister_family+0xd4/0x2d0
Change the unsafe loop on the list to a safe one, because inside the
loop there is an element removal from this list.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: b8273570f802a7658827dcb077b0b517ba75a289 Version: b8273570f802a7658827dcb077b0b517ba75a289 Version: b8273570f802a7658827dcb077b0b517ba75a289 Version: b8273570f802a7658827dcb077b0b517ba75a289 Version: b8273570f802a7658827dcb077b0b517ba75a289 Version: b8273570f802a7658827dcb077b0b517ba75a289 Version: b8273570f802a7658827dcb077b0b517ba75a289 Version: b8273570f802a7658827dcb077b0b517ba75a289 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50024", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:27:00.388543Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:46.817Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "include/net/sock.h", "net/netlink/af_netlink.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "464801a0f6ccb52b21faa33bac6014fd74cc5e10", status: "affected", version: "b8273570f802a7658827dcb077b0b517ba75a289", versionType: "git", }, { lessThan: "8e0766fcf37ad8eed289dd3853628dd9b01b58b0", status: "affected", version: "b8273570f802a7658827dcb077b0b517ba75a289", versionType: "git", }, { lessThan: "68ad5da6ca630a276f0a5c924179e57724d00013", status: "affected", version: "b8273570f802a7658827dcb077b0b517ba75a289", versionType: "git", }, { lessThan: "1cdec792b2450105b1314c5123a9a0452cb2c2f0", status: "affected", version: "b8273570f802a7658827dcb077b0b517ba75a289", versionType: "git", }, { lessThan: "5f03a7f601f33cda1f710611625235dc86fd8a9e", status: "affected", version: "b8273570f802a7658827dcb077b0b517ba75a289", versionType: "git", }, { lessThan: "3be342e0332a7c83eb26fbb22bf156fdca467a5d", status: "affected", version: "b8273570f802a7658827dcb077b0b517ba75a289", versionType: "git", }, { lessThan: "49f9b726bf2bf3dd2caf0d27cadf4bc1ccf7a7dd", status: "affected", version: "b8273570f802a7658827dcb077b0b517ba75a289", versionType: "git", }, { lessThan: "1dae9f1187189bc09ff6d25ca97ead711f7e26f9", status: "affected", version: "b8273570f802a7658827dcb077b0b517ba75a289", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "include/net/sock.h", "net/netlink/af_netlink.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "2.6.32", }, { lessThan: "2.6.32", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.57", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.4", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: Fix an unsafe loop on the list\n\nThe kernel may crash when deleting a genetlink family if there are still\nlisteners for that family:\n\nOops: Kernel access of bad area, sig: 11 [#1]\n ...\n NIP [c000000000c080bc] netlink_update_socket_mc+0x3c/0xc0\n LR [c000000000c0f764] __netlink_clear_multicast_users+0x74/0xc0\n Call Trace:\n__netlink_clear_multicast_users+0x74/0xc0\ngenl_unregister_family+0xd4/0x2d0\n\nChange the unsafe loop on the list to a safe one, because inside the\nloop there is an element removal from this list.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:31:34.752Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/464801a0f6ccb52b21faa33bac6014fd74cc5e10", }, { url: "https://git.kernel.org/stable/c/8e0766fcf37ad8eed289dd3853628dd9b01b58b0", }, { url: "https://git.kernel.org/stable/c/68ad5da6ca630a276f0a5c924179e57724d00013", }, { url: "https://git.kernel.org/stable/c/1cdec792b2450105b1314c5123a9a0452cb2c2f0", }, { url: "https://git.kernel.org/stable/c/5f03a7f601f33cda1f710611625235dc86fd8a9e", }, { url: "https://git.kernel.org/stable/c/3be342e0332a7c83eb26fbb22bf156fdca467a5d", }, { url: "https://git.kernel.org/stable/c/49f9b726bf2bf3dd2caf0d27cadf4bc1ccf7a7dd", }, { url: "https://git.kernel.org/stable/c/1dae9f1187189bc09ff6d25ca97ead711f7e26f9", }, ], title: "net: Fix an unsafe loop on the list", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50024", datePublished: "2024-10-21T19:39:29.203Z", dateReserved: "2024-10-21T12:17:06.065Z", dateUpdated: "2024-12-19T09:31:34.752Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49902
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:28
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
jfs: check if leafidx greater than num leaves per dmap tree
syzbot report a out of bounds in dbSplit, it because dmt_leafidx greater
than num leaves per dmap tree, add a checking for dmt_leafidx in dbFindLeaf.
Shaggy:
Modified sanity check to apply to control pages as well as leaf pages.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49902", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:42:45.718739Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:47.475Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/jfs/jfs_dmap.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "d76b9a4c283c7535ae7c7c9b14984e75402951e1", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "35b91f15f44ce3c01eba058ccb864bb04743e792", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "2451e5917c56be45d4add786e2a059dd9c2c37c4", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "25d2a3ff02f22e215ce53355619df10cc5faa7ab", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "058aa89b3318be3d66a103ba7c68d717561e1dc6", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "7fff9a9f866e99931cf6fa260288e55d01626582", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "cb0eb10558802764f07de1dc439c4609e27cb4f0", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "4a7bf6a01fb441009a6698179a739957efd88e38", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "d64ff0d2306713ff084d4b09f84ed1a8c75ecc32", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/jfs/jfs_dmap.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: check if leafidx greater than num leaves per dmap tree\n\nsyzbot report a out of bounds in dbSplit, it because dmt_leafidx greater\nthan num leaves per dmap tree, add a checking for dmt_leafidx in dbFindLeaf.\n\nShaggy:\nModified sanity check to apply to control pages as well as leaf pages.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:28:41.874Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/d76b9a4c283c7535ae7c7c9b14984e75402951e1", }, { url: "https://git.kernel.org/stable/c/35b91f15f44ce3c01eba058ccb864bb04743e792", }, { url: "https://git.kernel.org/stable/c/2451e5917c56be45d4add786e2a059dd9c2c37c4", }, { url: "https://git.kernel.org/stable/c/25d2a3ff02f22e215ce53355619df10cc5faa7ab", }, { url: "https://git.kernel.org/stable/c/058aa89b3318be3d66a103ba7c68d717561e1dc6", }, { url: "https://git.kernel.org/stable/c/7fff9a9f866e99931cf6fa260288e55d01626582", }, { url: "https://git.kernel.org/stable/c/cb0eb10558802764f07de1dc439c4609e27cb4f0", }, { url: "https://git.kernel.org/stable/c/4a7bf6a01fb441009a6698179a739957efd88e38", }, { url: "https://git.kernel.org/stable/c/d64ff0d2306713ff084d4b09f84ed1a8c75ecc32", }, ], title: "jfs: check if leafidx greater than num leaves per dmap tree", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49902", datePublished: "2024-10-21T18:01:33.936Z", dateReserved: "2024-10-21T12:17:06.027Z", dateUpdated: "2024-12-19T09:28:41.874Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48973
Vulnerability from cvelistv5
Published
2024-10-21 20:05
Modified
2024-12-19 08:11
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
gpio: amd8111: Fix PCI device reference count leak
for_each_pci_dev() is implemented by pci_get_device(). The comment of
pci_get_device() says that it will increase the reference count for the
returned pci_dev and also decrease the reference count for the input
pci_dev @from if it is not NULL.
If we break for_each_pci_dev() loop with pdev not NULL, we need to call
pci_dev_put() to decrease the reference count. Add the missing
pci_dev_put() after the 'out' label. Since pci_dev_put() can handle NULL
input parameter, there is no problem for the 'Device not found' branch.
For the normal path, add pci_dev_put() in amd_gpio_exit().
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: f942a7de047d8c599cc1a9a26293c8c7400450ea Version: f942a7de047d8c599cc1a9a26293c8c7400450ea Version: f942a7de047d8c599cc1a9a26293c8c7400450ea Version: f942a7de047d8c599cc1a9a26293c8c7400450ea Version: f942a7de047d8c599cc1a9a26293c8c7400450ea Version: f942a7de047d8c599cc1a9a26293c8c7400450ea Version: f942a7de047d8c599cc1a9a26293c8c7400450ea Version: f942a7de047d8c599cc1a9a26293c8c7400450ea |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48973", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:18:53.419831Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:37.476Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpio/gpio-amd8111.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "4749c5cc147c9860b96db1e71cc36d1de1bd3f59", status: "affected", version: "f942a7de047d8c599cc1a9a26293c8c7400450ea", versionType: "git", }, { lessThan: "71d591ef873f9ebb86cd8d053b3caee785b2de6a", status: "affected", version: "f942a7de047d8c599cc1a9a26293c8c7400450ea", versionType: "git", }, { lessThan: "b2bc053ebbba57a06fa655db5ea796de2edce445", status: "affected", version: "f942a7de047d8c599cc1a9a26293c8c7400450ea", versionType: "git", }, { lessThan: "48bd5d3801f6b67cc144449d434abbd5043a6d37", status: "affected", version: "f942a7de047d8c599cc1a9a26293c8c7400450ea", versionType: "git", }, { lessThan: "5ee6413d3dd972930af787b2c0c7aaeb379fa521", status: "affected", version: "f942a7de047d8c599cc1a9a26293c8c7400450ea", versionType: "git", }, { lessThan: "4271515f189bd5fe2ec86b4089dab7cb804625d2", status: "affected", version: "f942a7de047d8c599cc1a9a26293c8c7400450ea", versionType: "git", }, { lessThan: "e364ce04d8f840478b09eee57b614de7cf1e743e", status: "affected", version: "f942a7de047d8c599cc1a9a26293c8c7400450ea", versionType: "git", }, { lessThan: "45fecdb9f658d9c82960c98240bc0770ade19aca", status: "affected", version: "f942a7de047d8c599cc1a9a26293c8c7400450ea", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpio/gpio-amd8111.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "3.6", }, { lessThan: "3.6", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.9.*", status: "unaffected", version: "4.9.336", versionType: "semver", }, { lessThanOrEqual: "4.14.*", status: "unaffected", version: "4.14.302", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.269", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.227", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.159", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.83", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.13", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: amd8111: Fix PCI device reference count leak\n\nfor_each_pci_dev() is implemented by pci_get_device(). The comment of\npci_get_device() says that it will increase the reference count for the\nreturned pci_dev and also decrease the reference count for the input\npci_dev @from if it is not NULL.\n\nIf we break for_each_pci_dev() loop with pdev not NULL, we need to call\npci_dev_put() to decrease the reference count. Add the missing\npci_dev_put() after the 'out' label. Since pci_dev_put() can handle NULL\ninput parameter, there is no problem for the 'Device not found' branch.\nFor the normal path, add pci_dev_put() in amd_gpio_exit().", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:11:40.772Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/4749c5cc147c9860b96db1e71cc36d1de1bd3f59", }, { url: "https://git.kernel.org/stable/c/71d591ef873f9ebb86cd8d053b3caee785b2de6a", }, { url: "https://git.kernel.org/stable/c/b2bc053ebbba57a06fa655db5ea796de2edce445", }, { url: "https://git.kernel.org/stable/c/48bd5d3801f6b67cc144449d434abbd5043a6d37", }, { url: "https://git.kernel.org/stable/c/5ee6413d3dd972930af787b2c0c7aaeb379fa521", }, { url: "https://git.kernel.org/stable/c/4271515f189bd5fe2ec86b4089dab7cb804625d2", }, { url: "https://git.kernel.org/stable/c/e364ce04d8f840478b09eee57b614de7cf1e743e", }, { url: "https://git.kernel.org/stable/c/45fecdb9f658d9c82960c98240bc0770ade19aca", }, ], title: "gpio: amd8111: Fix PCI device reference count leak", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48973", datePublished: "2024-10-21T20:05:53.769Z", dateReserved: "2024-08-22T01:27:53.631Z", dateUpdated: "2024-12-19T08:11:40.772Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50032
Vulnerability from cvelistv5
Published
2024-10-21 19:39
Modified
2024-12-19 09:31
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
rcu/nocb: Fix rcuog wake-up from offline softirq
After a CPU has set itself offline and before it eventually calls
rcutree_report_cpu_dead(), there are still opportunities for callbacks
to be enqueued, for example from a softirq. When that happens on NOCB,
the rcuog wake-up is deferred through an IPI to an online CPU in order
not to call into the scheduler and risk arming the RT-bandwidth after
hrtimers have been migrated out and disabled.
But performing a synchronized IPI from a softirq is buggy as reported in
the following scenario:
WARNING: CPU: 1 PID: 26 at kernel/smp.c:633 smp_call_function_single
Modules linked in: rcutorture torture
CPU: 1 UID: 0 PID: 26 Comm: migration/1 Not tainted 6.11.0-rc1-00012-g9139f93209d1 #1
Stopper: multi_cpu_stop+0x0/0x320 <- __stop_cpus+0xd0/0x120
RIP: 0010:smp_call_function_single
<IRQ>
swake_up_one_online
__call_rcu_nocb_wake
__call_rcu_common
? rcu_torture_one_read
call_timer_fn
__run_timers
run_timer_softirq
handle_softirqs
irq_exit_rcu
? tick_handle_periodic
sysvec_apic_timer_interrupt
</IRQ>
Fix this with forcing deferred rcuog wake up through the NOCB timer when
the CPU is offline. The actual wake up will happen from
rcutree_report_cpu_dead().
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50032", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:25:57.159032Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:45.623Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "kernel/rcu/tree_nocb.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "84a5feebba10354c683983f5f1372a144225e4c2", status: "affected", version: "9b52ee18f6d2f0e845b0dd5ba35edc02ba318827", versionType: "git", }, { lessThan: "e66b1e01f2eb3209d08122572f41f7838b79540d", status: "affected", version: "00a611229bfad075660181c53e054ff544d3ac34", versionType: "git", }, { lessThan: "f7345ccc62a4b880cf76458db5f320725f28e400", status: "affected", version: "9139f93209d1ffd7f489ab19dee01b7c3a1a43d2", versionType: "git", }, ], }, { defaultStatus: "unaffected", product: "Linux", programFiles: [ "kernel/rcu/tree_nocb.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "6.6.57", status: "affected", version: "6.6.54", versionType: "semver", }, { lessThan: "6.11.4", status: "affected", version: "6.11.2", versionType: "semver", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nrcu/nocb: Fix rcuog wake-up from offline softirq\n\nAfter a CPU has set itself offline and before it eventually calls\nrcutree_report_cpu_dead(), there are still opportunities for callbacks\nto be enqueued, for example from a softirq. When that happens on NOCB,\nthe rcuog wake-up is deferred through an IPI to an online CPU in order\nnot to call into the scheduler and risk arming the RT-bandwidth after\nhrtimers have been migrated out and disabled.\n\nBut performing a synchronized IPI from a softirq is buggy as reported in\nthe following scenario:\n\n WARNING: CPU: 1 PID: 26 at kernel/smp.c:633 smp_call_function_single\n Modules linked in: rcutorture torture\n CPU: 1 UID: 0 PID: 26 Comm: migration/1 Not tainted 6.11.0-rc1-00012-g9139f93209d1 #1\n Stopper: multi_cpu_stop+0x0/0x320 <- __stop_cpus+0xd0/0x120\n RIP: 0010:smp_call_function_single\n <IRQ>\n swake_up_one_online\n __call_rcu_nocb_wake\n __call_rcu_common\n ? rcu_torture_one_read\n call_timer_fn\n __run_timers\n run_timer_softirq\n handle_softirqs\n irq_exit_rcu\n ? tick_handle_periodic\n sysvec_apic_timer_interrupt\n </IRQ>\n\nFix this with forcing deferred rcuog wake up through the NOCB timer when\nthe CPU is offline. The actual wake up will happen from\nrcutree_report_cpu_dead().", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:31:44.634Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/84a5feebba10354c683983f5f1372a144225e4c2", }, { url: "https://git.kernel.org/stable/c/e66b1e01f2eb3209d08122572f41f7838b79540d", }, { url: "https://git.kernel.org/stable/c/f7345ccc62a4b880cf76458db5f320725f28e400", }, ], title: "rcu/nocb: Fix rcuog wake-up from offline softirq", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50032", datePublished: "2024-10-21T19:39:34.435Z", dateReserved: "2024-10-21T12:17:06.069Z", dateUpdated: "2024-12-19T09:31:44.634Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49912
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:28
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Handle null 'stream_status' in 'planes_changed_for_existing_stream'
This commit adds a null check for 'stream_status' in the function
'planes_changed_for_existing_stream'. Previously, the code assumed
'stream_status' could be null, but did not handle the case where it was
actually null. This could lead to a null pointer dereference.
Reported by smatch:
drivers/gpu/drm/amd/amdgpu/../display/dc/core/dc_resource.c:3784 planes_changed_for_existing_stream() error: we previously assumed 'stream_status' could be null (see line 3774)
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49912", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:41:29.526275Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:45.981Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/core/dc_resource.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "c4b699b93496c423b0e5b584d4eb4ab849313bcf", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "4778982c73d6c9f3fdbdbc6b6c8aa18df98251af", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "ec6c32b58e6c4e87760e797c525e99a460c82bcb", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "0ffd9fb03bbc99ed1eb5dc989d5c7da2faac0659", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "8141f21b941710ecebe49220b69822cab3abd23d", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/core/dc_resource.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Handle null 'stream_status' in 'planes_changed_for_existing_stream'\n\nThis commit adds a null check for 'stream_status' in the function\n'planes_changed_for_existing_stream'. Previously, the code assumed\n'stream_status' could be null, but did not handle the case where it was\nactually null. This could lead to a null pointer dereference.\n\nReported by smatch:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/core/dc_resource.c:3784 planes_changed_for_existing_stream() error: we previously assumed 'stream_status' could be null (see line 3774)", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:28:53.821Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/c4b699b93496c423b0e5b584d4eb4ab849313bcf", }, { url: "https://git.kernel.org/stable/c/4778982c73d6c9f3fdbdbc6b6c8aa18df98251af", }, { url: "https://git.kernel.org/stable/c/ec6c32b58e6c4e87760e797c525e99a460c82bcb", }, { url: "https://git.kernel.org/stable/c/0ffd9fb03bbc99ed1eb5dc989d5c7da2faac0659", }, { url: "https://git.kernel.org/stable/c/8141f21b941710ecebe49220b69822cab3abd23d", }, ], title: "drm/amd/display: Handle null 'stream_status' in 'planes_changed_for_existing_stream'", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49912", datePublished: "2024-10-21T18:01:40.870Z", dateReserved: "2024-10-21T12:17:06.028Z", dateUpdated: "2024-12-19T09:28:53.821Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47734
Vulnerability from cvelistv5
Published
2024-10-21 12:14
Modified
2024-12-19 09:27
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bonding: Fix unnecessary warnings and logs from bond_xdp_get_xmit_slave()
syzbot reported a WARNING in bond_xdp_get_xmit_slave. To reproduce
this[1], one bond device (bond1) has xdpdrv, which increases
bpf_master_redirect_enabled_key. Another bond device (bond0) which is
unsupported by XDP but its slave (veth3) has xdpgeneric that returns
XDP_TX. This triggers WARN_ON_ONCE() from the xdp_master_redirect().
To reduce unnecessary warnings and improve log management, we need to
delete the WARN_ON_ONCE() and add ratelimit to the netdev_err().
[1] Steps to reproduce:
# Needs tx_xdp with return XDP_TX;
ip l add veth0 type veth peer veth1
ip l add veth3 type veth peer veth4
ip l add bond0 type bond mode 6 # BOND_MODE_ALB, unsupported by XDP
ip l add bond1 type bond # BOND_MODE_ROUNDROBIN by default
ip l set veth0 master bond1
ip l set bond1 up
# Increases bpf_master_redirect_enabled_key
ip l set dev bond1 xdpdrv object tx_xdp.o section xdp_tx
ip l set veth3 master bond0
ip l set bond0 up
ip l set veth4 up
# Triggers WARN_ON_ONCE() from the xdp_master_redirect()
ip l set veth3 xdpgeneric object tx_xdp.o section xdp_tx
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e Version: 9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e Version: 9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e Version: 9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e Version: 9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e Version: 9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47734", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:00:06.990289Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:15.499Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/bonding/bond_main.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "c1be35e774f8ed415e01209fddd963c5a74e8e9f", status: "affected", version: "9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e", versionType: "git", }, { lessThan: "6b64197b4bf1a5703a8b105367baf20f1e627a75", status: "affected", version: "9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e", versionType: "git", }, { lessThan: "ccd3e6ff05e5236d1b9535f23f3e6622e0bb32b8", status: "affected", version: "9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e", versionType: "git", }, { lessThan: "72e2c0825a480e19ee999cee9d018850d38c82b9", status: "affected", version: "9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e", versionType: "git", }, { lessThan: "57b5fba55c6f8b1d83312a34bd656166fcd95658", status: "affected", version: "9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e", versionType: "git", }, { lessThan: "0cbfd45fbcf0cb26d85c981b91c62fe73cdee01c", status: "affected", version: "9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/bonding/bond_main.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.15", }, { lessThan: "5.15", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: Fix unnecessary warnings and logs from bond_xdp_get_xmit_slave()\n\nsyzbot reported a WARNING in bond_xdp_get_xmit_slave. To reproduce\nthis[1], one bond device (bond1) has xdpdrv, which increases\nbpf_master_redirect_enabled_key. Another bond device (bond0) which is\nunsupported by XDP but its slave (veth3) has xdpgeneric that returns\nXDP_TX. This triggers WARN_ON_ONCE() from the xdp_master_redirect().\nTo reduce unnecessary warnings and improve log management, we need to\ndelete the WARN_ON_ONCE() and add ratelimit to the netdev_err().\n\n[1] Steps to reproduce:\n # Needs tx_xdp with return XDP_TX;\n ip l add veth0 type veth peer veth1\n ip l add veth3 type veth peer veth4\n ip l add bond0 type bond mode 6 # BOND_MODE_ALB, unsupported by XDP\n ip l add bond1 type bond # BOND_MODE_ROUNDROBIN by default\n ip l set veth0 master bond1\n ip l set bond1 up\n # Increases bpf_master_redirect_enabled_key\n ip l set dev bond1 xdpdrv object tx_xdp.o section xdp_tx\n ip l set veth3 master bond0\n ip l set bond0 up\n ip l set veth4 up\n # Triggers WARN_ON_ONCE() from the xdp_master_redirect()\n ip l set veth3 xdpgeneric object tx_xdp.o section xdp_tx", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:27:02.617Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/c1be35e774f8ed415e01209fddd963c5a74e8e9f", }, { url: "https://git.kernel.org/stable/c/6b64197b4bf1a5703a8b105367baf20f1e627a75", }, { url: "https://git.kernel.org/stable/c/ccd3e6ff05e5236d1b9535f23f3e6622e0bb32b8", }, { url: "https://git.kernel.org/stable/c/72e2c0825a480e19ee999cee9d018850d38c82b9", }, { url: "https://git.kernel.org/stable/c/57b5fba55c6f8b1d83312a34bd656166fcd95658", }, { url: "https://git.kernel.org/stable/c/0cbfd45fbcf0cb26d85c981b91c62fe73cdee01c", }, ], title: "bonding: Fix unnecessary warnings and logs from bond_xdp_get_xmit_slave()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47734", datePublished: "2024-10-21T12:14:05.195Z", dateReserved: "2024-09-30T16:00:12.958Z", dateUpdated: "2024-12-19T09:27:02.617Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49858
Vulnerability from cvelistv5
Published
2024-10-21 12:27
Modified
2024-12-19 09:27
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
efistub/tpm: Use ACPI reclaim memory for event log to avoid corruption
The TPM event log table is a Linux specific construct, where the data
produced by the GetEventLog() boot service is cached in memory, and
passed on to the OS using an EFI configuration table.
The use of EFI_LOADER_DATA here results in the region being left
unreserved in the E820 memory map constructed by the EFI stub, and this
is the memory description that is passed on to the incoming kernel by
kexec, which is therefore unaware that the region should be reserved.
Even though the utility of the TPM2 event log after a kexec is
questionable, any corruption might send the parsing code off into the
weeds and crash the kernel. So let's use EFI_ACPI_RECLAIM_MEMORY
instead, which is always treated as reserved by the E820 conversion
logic.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49858", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T12:56:02.250795Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:10.785Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/firmware/efi/libstub/tpm.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "f76b69ab9cf04358266e3cea5748c0c2791fbb08", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "11690d7e76842f29b60fbb5b35bc97d206ea0e83", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "5b22c038fb2757c652642933de5664da471f8cb7", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "19fd2f2c5fb36b61506d3208474bfd8fdf1cada3", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "38d9b07d99b789efb6d8dda21f1aaad636c38993", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "2e6871a632a99d9b9e2ce3a7847acabe99e5a26e", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "77d48d39e99170b528e4f2e9fc5d1d64cdedd386", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/firmware/efi/libstub/tpm.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nefistub/tpm: Use ACPI reclaim memory for event log to avoid corruption\n\nThe TPM event log table is a Linux specific construct, where the data\nproduced by the GetEventLog() boot service is cached in memory, and\npassed on to the OS using an EFI configuration table.\n\nThe use of EFI_LOADER_DATA here results in the region being left\nunreserved in the E820 memory map constructed by the EFI stub, and this\nis the memory description that is passed on to the incoming kernel by\nkexec, which is therefore unaware that the region should be reserved.\n\nEven though the utility of the TPM2 event log after a kexec is\nquestionable, any corruption might send the parsing code off into the\nweeds and crash the kernel. So let's use EFI_ACPI_RECLAIM_MEMORY\ninstead, which is always treated as reserved by the E820 conversion\nlogic.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:27:42.011Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/f76b69ab9cf04358266e3cea5748c0c2791fbb08", }, { url: "https://git.kernel.org/stable/c/11690d7e76842f29b60fbb5b35bc97d206ea0e83", }, { url: "https://git.kernel.org/stable/c/5b22c038fb2757c652642933de5664da471f8cb7", }, { url: "https://git.kernel.org/stable/c/19fd2f2c5fb36b61506d3208474bfd8fdf1cada3", }, { url: "https://git.kernel.org/stable/c/38d9b07d99b789efb6d8dda21f1aaad636c38993", }, { url: "https://git.kernel.org/stable/c/2e6871a632a99d9b9e2ce3a7847acabe99e5a26e", }, { url: "https://git.kernel.org/stable/c/77d48d39e99170b528e4f2e9fc5d1d64cdedd386", }, ], title: "efistub/tpm: Use ACPI reclaim memory for event log to avoid corruption", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49858", datePublished: "2024-10-21T12:27:17.308Z", dateReserved: "2024-10-21T12:17:06.016Z", dateUpdated: "2024-12-19T09:27:42.011Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47706
Vulnerability from cvelistv5
Published
2024-10-21 11:53
Modified
2024-12-19 09:26
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
block, bfq: fix possible UAF for bfqq->bic with merge chain
1) initial state, three tasks:
Process 1 Process 2 Process 3
(BIC1) (BIC2) (BIC3)
| Λ | Λ | Λ
| | | | | |
V | V | V |
bfqq1 bfqq2 bfqq3
process ref: 1 1 1
2) bfqq1 merged to bfqq2:
Process 1 Process 2 Process 3
(BIC1) (BIC2) (BIC3)
| | | Λ
\--------------\| | |
V V |
bfqq1--------->bfqq2 bfqq3
process ref: 0 2 1
3) bfqq2 merged to bfqq3:
Process 1 Process 2 Process 3
(BIC1) (BIC2) (BIC3)
here -> Λ | |
\--------------\ \-------------\|
V V
bfqq1--------->bfqq2---------->bfqq3
process ref: 0 1 3
In this case, IO from Process 1 will get bfqq2 from BIC1 first, and then
get bfqq3 through merge chain, and finially handle IO by bfqq3.
Howerver, current code will think bfqq2 is owned by BIC1, like initial
state, and set bfqq2->bic to BIC1.
bfq_insert_request
-> by Process 1
bfqq = bfq_init_rq(rq)
bfqq = bfq_get_bfqq_handle_split
bfqq = bic_to_bfqq
-> get bfqq2 from BIC1
bfqq->ref++
rq->elv.priv[0] = bic
rq->elv.priv[1] = bfqq
if (bfqq_process_refs(bfqq) == 1)
bfqq->bic = bic
-> record BIC1 to bfqq2
__bfq_insert_request
new_bfqq = bfq_setup_cooperator
-> get bfqq3 from bfqq2->new_bfqq
bfqq_request_freed(bfqq)
new_bfqq->ref++
rq->elv.priv[1] = new_bfqq
-> handle IO by bfqq3
Fix the problem by checking bfqq is from merge chain fist. And this
might fix a following problem reported by our syzkaller(unreproducible):
==================================================================
BUG: KASAN: slab-use-after-free in bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline]
BUG: KASAN: slab-use-after-free in bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline]
BUG: KASAN: slab-use-after-free in bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889
Write of size 1 at addr ffff888123839eb8 by task kworker/0:1H/18595
CPU: 0 PID: 18595 Comm: kworker/0:1H Tainted: G L 6.6.0-07439-gba2303cacfda #6
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Workqueue: kblockd blk_mq_requeue_work
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0x10d/0x610 mm/kasan/report.c:475
kasan_report+0x8e/0xc0 mm/kasan/report.c:588
bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline]
bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline]
bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889
bfq_get_bfqq_handle_split+0x169/0x5d0 block/bfq-iosched.c:6757
bfq_init_rq block/bfq-iosched.c:6876 [inline]
bfq_insert_request block/bfq-iosched.c:6254 [inline]
bfq_insert_requests+0x1112/0x5cf0 block/bfq-iosched.c:6304
blk_mq_insert_request+0x290/0x8d0 block/blk-mq.c:2593
blk_mq_requeue_work+0x6bc/0xa70 block/blk-mq.c:1502
process_one_work kernel/workqueue.c:2627 [inline]
process_scheduled_works+0x432/0x13f0 kernel/workqueue.c:2700
worker_thread+0x6f2/0x1160 kernel/workqueue.c:2781
kthread+0x33c/0x440 kernel/kthread.c:388
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305
</TASK>
Allocated by task 20776:
kasan_save_stack+0x20/0x40 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
__kasan_slab_alloc+0x87/0x90 mm/kasan/common.c:328
kasan_slab_alloc include/linux/kasan.h:188 [inline]
slab_post_alloc_hook mm/slab.h:763 [inline]
slab_alloc_node mm/slub.c:3458 [inline]
kmem_cache_alloc_node+0x1a4/0x6f0 mm/slub.c:3503
ioc_create_icq block/blk-ioc.c:370 [inline]
---truncated---
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 36eca894832351feed9072d0f97eb06fc9482ca4 Version: 36eca894832351feed9072d0f97eb06fc9482ca4 Version: 36eca894832351feed9072d0f97eb06fc9482ca4 Version: 36eca894832351feed9072d0f97eb06fc9482ca4 Version: 36eca894832351feed9072d0f97eb06fc9482ca4 Version: 36eca894832351feed9072d0f97eb06fc9482ca4 Version: 36eca894832351feed9072d0f97eb06fc9482ca4 Version: 36eca894832351feed9072d0f97eb06fc9482ca4 Version: 36eca894832351feed9072d0f97eb06fc9482ca4 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47706", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:03:53.838190Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:19.673Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "block/bfq-iosched.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "a9bdd5b36887d2bacb8bc777fd18317c99fc2587", status: "affected", version: "36eca894832351feed9072d0f97eb06fc9482ca4", versionType: "git", }, { lessThan: "bc2140534b2aae752e4f7cb4489642dbb5ec4777", status: "affected", version: "36eca894832351feed9072d0f97eb06fc9482ca4", versionType: "git", }, { lessThan: "e1277ae780cca4e69ef5468d4582dfd48f0b8320", status: "affected", version: "36eca894832351feed9072d0f97eb06fc9482ca4", versionType: "git", }, { lessThan: "8aa9de02a4be2e7006e636816ce19b0d667ceaa3", status: "affected", version: "36eca894832351feed9072d0f97eb06fc9482ca4", versionType: "git", }, { lessThan: "ddbdaad123254fb53e32480cb74a486a6868b1e0", status: "affected", version: "36eca894832351feed9072d0f97eb06fc9482ca4", versionType: "git", }, { lessThan: "7faed2896d78e48ec96229e73b30b0af6c00a9aa", status: "affected", version: "36eca894832351feed9072d0f97eb06fc9482ca4", versionType: "git", }, { lessThan: "880692ee233ba63808182705b3333403413b58f5", status: "affected", version: "36eca894832351feed9072d0f97eb06fc9482ca4", versionType: "git", }, { lessThan: "6d130db286ad0ea392c96ebb2551acf0d7308048", status: "affected", version: "36eca894832351feed9072d0f97eb06fc9482ca4", versionType: "git", }, { lessThan: "18ad4df091dd5d067d2faa8fce1180b79f7041a7", status: "affected", version: "36eca894832351feed9072d0f97eb06fc9482ca4", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "block/bfq-iosched.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "4.12", }, { lessThan: "4.12", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nblock, bfq: fix possible UAF for bfqq->bic with merge chain\n\n1) initial state, three tasks:\n\n\t\tProcess 1 Process 2\tProcess 3\n\t\t (BIC1) (BIC2)\t\t (BIC3)\n\t\t | Λ | Λ\t\t | Λ\n\t\t | | | |\t\t | |\n\t\t V | V |\t\t V |\n\t\t bfqq1 bfqq2\t\t bfqq3\nprocess ref:\t 1\t\t 1\t\t 1\n\n2) bfqq1 merged to bfqq2:\n\n\t\tProcess 1 Process 2\tProcess 3\n\t\t (BIC1) (BIC2)\t\t (BIC3)\n\t\t | |\t\t | Λ\n\t\t \\--------------\\|\t\t | |\n\t\t V\t\t V |\n\t\t bfqq1--------->bfqq2\t\t bfqq3\nprocess ref:\t 0\t\t 2\t\t 1\n\n3) bfqq2 merged to bfqq3:\n\n\t\tProcess 1 Process 2\tProcess 3\n\t\t (BIC1) (BIC2)\t\t (BIC3)\n\t here -> Λ |\t\t |\n\t\t \\--------------\\ \\-------------\\|\n\t\t V\t\t V\n\t\t bfqq1--------->bfqq2---------->bfqq3\nprocess ref:\t 0\t\t 1\t\t 3\n\nIn this case, IO from Process 1 will get bfqq2 from BIC1 first, and then\nget bfqq3 through merge chain, and finially handle IO by bfqq3.\nHowerver, current code will think bfqq2 is owned by BIC1, like initial\nstate, and set bfqq2->bic to BIC1.\n\nbfq_insert_request\n-> by Process 1\n bfqq = bfq_init_rq(rq)\n bfqq = bfq_get_bfqq_handle_split\n bfqq = bic_to_bfqq\n -> get bfqq2 from BIC1\n bfqq->ref++\n rq->elv.priv[0] = bic\n rq->elv.priv[1] = bfqq\n if (bfqq_process_refs(bfqq) == 1)\n bfqq->bic = bic\n -> record BIC1 to bfqq2\n\n __bfq_insert_request\n new_bfqq = bfq_setup_cooperator\n -> get bfqq3 from bfqq2->new_bfqq\n bfqq_request_freed(bfqq)\n new_bfqq->ref++\n rq->elv.priv[1] = new_bfqq\n -> handle IO by bfqq3\n\nFix the problem by checking bfqq is from merge chain fist. And this\nmight fix a following problem reported by our syzkaller(unreproducible):\n\n==================================================================\nBUG: KASAN: slab-use-after-free in bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline]\nBUG: KASAN: slab-use-after-free in bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline]\nBUG: KASAN: slab-use-after-free in bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889\nWrite of size 1 at addr ffff888123839eb8 by task kworker/0:1H/18595\n\nCPU: 0 PID: 18595 Comm: kworker/0:1H Tainted: G L 6.6.0-07439-gba2303cacfda #6\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\nWorkqueue: kblockd blk_mq_requeue_work\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:364 [inline]\n print_report+0x10d/0x610 mm/kasan/report.c:475\n kasan_report+0x8e/0xc0 mm/kasan/report.c:588\n bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline]\n bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline]\n bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889\n bfq_get_bfqq_handle_split+0x169/0x5d0 block/bfq-iosched.c:6757\n bfq_init_rq block/bfq-iosched.c:6876 [inline]\n bfq_insert_request block/bfq-iosched.c:6254 [inline]\n bfq_insert_requests+0x1112/0x5cf0 block/bfq-iosched.c:6304\n blk_mq_insert_request+0x290/0x8d0 block/blk-mq.c:2593\n blk_mq_requeue_work+0x6bc/0xa70 block/blk-mq.c:1502\n process_one_work kernel/workqueue.c:2627 [inline]\n process_scheduled_works+0x432/0x13f0 kernel/workqueue.c:2700\n worker_thread+0x6f2/0x1160 kernel/workqueue.c:2781\n kthread+0x33c/0x440 kernel/kthread.c:388\n ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305\n </TASK>\n\nAllocated by task 20776:\n kasan_save_stack+0x20/0x40 mm/kasan/common.c:45\n kasan_set_track+0x25/0x30 mm/kasan/common.c:52\n __kasan_slab_alloc+0x87/0x90 mm/kasan/common.c:328\n kasan_slab_alloc include/linux/kasan.h:188 [inline]\n slab_post_alloc_hook mm/slab.h:763 [inline]\n slab_alloc_node mm/slub.c:3458 [inline]\n kmem_cache_alloc_node+0x1a4/0x6f0 mm/slub.c:3503\n ioc_create_icq block/blk-ioc.c:370 [inline]\n---truncated---", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:26:29.411Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/a9bdd5b36887d2bacb8bc777fd18317c99fc2587", }, { url: "https://git.kernel.org/stable/c/bc2140534b2aae752e4f7cb4489642dbb5ec4777", }, { url: "https://git.kernel.org/stable/c/e1277ae780cca4e69ef5468d4582dfd48f0b8320", }, { url: "https://git.kernel.org/stable/c/8aa9de02a4be2e7006e636816ce19b0d667ceaa3", }, { url: "https://git.kernel.org/stable/c/ddbdaad123254fb53e32480cb74a486a6868b1e0", }, { url: "https://git.kernel.org/stable/c/7faed2896d78e48ec96229e73b30b0af6c00a9aa", }, { url: "https://git.kernel.org/stable/c/880692ee233ba63808182705b3333403413b58f5", }, { url: "https://git.kernel.org/stable/c/6d130db286ad0ea392c96ebb2551acf0d7308048", }, { url: "https://git.kernel.org/stable/c/18ad4df091dd5d067d2faa8fce1180b79f7041a7", }, ], title: "block, bfq: fix possible UAF for bfqq->bic with merge chain", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47706", datePublished: "2024-10-21T11:53:40.759Z", dateReserved: "2024-09-30T16:00:12.946Z", dateUpdated: "2024-12-19T09:26:29.411Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47683
Vulnerability from cvelistv5
Published
2024-10-21 11:53
Modified
2025-01-24 16:01
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Skip Recompute DSC Params if no Stream on Link
[why]
Encounter NULL pointer dereference uner mst + dsc setup.
BUG: kernel NULL pointer dereference, address: 0000000000000008
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 4 PID: 917 Comm: sway Not tainted 6.3.9-arch1-1 #1 124dc55df4f5272ccb409f39ef4872fc2b3376a2
Hardware name: LENOVO 20NKS01Y00/20NKS01Y00, BIOS R12ET61W(1.31 ) 07/28/2022
RIP: 0010:drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper]
Code: 01 00 00 48 8b 85 60 05 00 00 48 63 80 88 00 00 00 3b 43 28 0f 8d 2e 01 00 00 48 8b 53 30 48 8d 04 80 48 8d 04 c2 48 8b 40 18 <48> 8>
RSP: 0018:ffff960cc2df77d8 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff8afb87e81280 RCX: 0000000000000224
RDX: ffff8afb9ee37c00 RSI: ffff8afb8da1a578 RDI: ffff8afb87e81280
RBP: ffff8afb83d67000 R08: 0000000000000001 R09: ffff8afb9652f850
R10: ffff960cc2df7908 R11: 0000000000000002 R12: 0000000000000000
R13: ffff8afb8d7688a0 R14: ffff8afb8da1a578 R15: 0000000000000224
FS: 00007f4dac35ce00(0000) GS:ffff8afe30b00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000008 CR3: 000000010ddc6000 CR4: 00000000003506e0
Call Trace:
<TASK>
? __die+0x23/0x70
? page_fault_oops+0x171/0x4e0
? plist_add+0xbe/0x100
? exc_page_fault+0x7c/0x180
? asm_exc_page_fault+0x26/0x30
? drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026]
? drm_dp_atomic_find_time_slots+0x28/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026]
compute_mst_dsc_configs_for_link+0x2ff/0xa40 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]
? fill_plane_buffer_attributes+0x419/0x510 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]
compute_mst_dsc_configs_for_state+0x1e1/0x250 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]
amdgpu_dm_atomic_check+0xecd/0x1190 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]
drm_atomic_check_only+0x5c5/0xa40
drm_mode_atomic_ioctl+0x76e/0xbc0
[how]
dsc recompute should be skipped if no mode change detected on the new
request. If detected, keep checking whether the stream is already on
current state or not.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47683", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:07:01.706488Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:14:16.363Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "7c887efda1201110211fed8921a92a713e0b6bcd", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "8151a6c13111b465dbabe07c19f572f7cbd16fef", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Skip Recompute DSC Params if no Stream on Link\n\n[why]\nEncounter NULL pointer dereference uner mst + dsc setup.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000008\n PGD 0 P4D 0\n Oops: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 4 PID: 917 Comm: sway Not tainted 6.3.9-arch1-1 #1 124dc55df4f5272ccb409f39ef4872fc2b3376a2\n Hardware name: LENOVO 20NKS01Y00/20NKS01Y00, BIOS R12ET61W(1.31 ) 07/28/2022\n RIP: 0010:drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper]\n Code: 01 00 00 48 8b 85 60 05 00 00 48 63 80 88 00 00 00 3b 43 28 0f 8d 2e 01 00 00 48 8b 53 30 48 8d 04 80 48 8d 04 c2 48 8b 40 18 <48> 8>\n RSP: 0018:ffff960cc2df77d8 EFLAGS: 00010293\n RAX: 0000000000000000 RBX: ffff8afb87e81280 RCX: 0000000000000224\n RDX: ffff8afb9ee37c00 RSI: ffff8afb8da1a578 RDI: ffff8afb87e81280\n RBP: ffff8afb83d67000 R08: 0000000000000001 R09: ffff8afb9652f850\n R10: ffff960cc2df7908 R11: 0000000000000002 R12: 0000000000000000\n R13: ffff8afb8d7688a0 R14: ffff8afb8da1a578 R15: 0000000000000224\n FS: 00007f4dac35ce00(0000) GS:ffff8afe30b00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000008 CR3: 000000010ddc6000 CR4: 00000000003506e0\n Call Trace:\n<TASK>\n ? __die+0x23/0x70\n ? page_fault_oops+0x171/0x4e0\n ? plist_add+0xbe/0x100\n ? exc_page_fault+0x7c/0x180\n ? asm_exc_page_fault+0x26/0x30\n ? drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026]\n ? drm_dp_atomic_find_time_slots+0x28/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026]\n compute_mst_dsc_configs_for_link+0x2ff/0xa40 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n ? fill_plane_buffer_attributes+0x419/0x510 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n compute_mst_dsc_configs_for_state+0x1e1/0x250 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n amdgpu_dm_atomic_check+0xecd/0x1190 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n drm_atomic_check_only+0x5c5/0xa40\n drm_mode_atomic_ioctl+0x76e/0xbc0\n\n[how]\ndsc recompute should be skipped if no mode change detected on the new\nrequest. If detected, keep checking whether the stream is already on\ncurrent state or not.", }, ], providerMetadata: { dateUpdated: "2025-01-24T16:01:32.213Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/7c887efda1201110211fed8921a92a713e0b6bcd", }, { url: "https://git.kernel.org/stable/c/8151a6c13111b465dbabe07c19f572f7cbd16fef", }, ], title: "drm/amd/display: Skip Recompute DSC Params if no Stream on Link", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47683", datePublished: "2024-10-21T11:53:25.118Z", dateReserved: "2024-09-30T16:00:12.941Z", dateUpdated: "2025-01-24T16:01:32.213Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47746
Vulnerability from cvelistv5
Published
2024-10-21 12:14
Modified
2024-12-19 09:27
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fuse: use exclusive lock when FUSE_I_CACHE_IO_MODE is set
This may be a typo. The comment has said shared locks are
not allowed when this bit is set. If using shared lock, the
wait in `fuse_file_cached_io_open` may be forever.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47746", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T12:58:33.762845Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:13.772Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/fuse/file.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "fa4890bd8237e5a1e7428acd7328729db2703b23", status: "affected", version: "205c1d8026835746d8597e1aa70c370e014e83fa", versionType: "git", }, { lessThan: "4e181761ffec67307157a7e8a78d58ee4130cf00", status: "affected", version: "205c1d8026835746d8597e1aa70c370e014e83fa", versionType: "git", }, { lessThan: "2f3d8ff457982f4055fe8f7bf19d3821ba22c376", status: "affected", version: "205c1d8026835746d8597e1aa70c370e014e83fa", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/fuse/file.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.9", }, { lessThan: "6.9", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nfuse: use exclusive lock when FUSE_I_CACHE_IO_MODE is set\n\nThis may be a typo. The comment has said shared locks are\nnot allowed when this bit is set. If using shared lock, the\nwait in `fuse_file_cached_io_open` may be forever.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:27:17.828Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/fa4890bd8237e5a1e7428acd7328729db2703b23", }, { url: "https://git.kernel.org/stable/c/4e181761ffec67307157a7e8a78d58ee4130cf00", }, { url: "https://git.kernel.org/stable/c/2f3d8ff457982f4055fe8f7bf19d3821ba22c376", }, ], title: "fuse: use exclusive lock when FUSE_I_CACHE_IO_MODE is set", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47746", datePublished: "2024-10-21T12:14:13.133Z", dateReserved: "2024-09-30T16:00:12.960Z", dateUpdated: "2024-12-19T09:27:17.828Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-49031
Vulnerability from cvelistv5
Published
2024-10-21 20:06
Modified
2024-12-19 08:12
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
iio: health: afe4403: Fix oob read in afe4403_read_raw
KASAN report out-of-bounds read as follows:
BUG: KASAN: global-out-of-bounds in afe4403_read_raw+0x42e/0x4c0
Read of size 4 at addr ffffffffc02ac638 by task cat/279
Call Trace:
afe4403_read_raw
iio_read_channel_info
dev_attr_show
The buggy address belongs to the variable:
afe4403_channel_leds+0x18/0xffffffffffffe9e0
This issue can be reproduced by singe command:
$ cat /sys/bus/spi/devices/spi0.0/iio\:device0/in_intensity6_raw
The array size of afe4403_channel_leds is less than channels, so access
with chan->address cause OOB read in afe4403_read_raw. Fix it by moving
access before use it.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: b36e8257641a043764c62240316610c81e36376c Version: b36e8257641a043764c62240316610c81e36376c Version: b36e8257641a043764c62240316610c81e36376c Version: b36e8257641a043764c62240316610c81e36376c Version: b36e8257641a043764c62240316610c81e36376c Version: b36e8257641a043764c62240316610c81e36376c Version: b36e8257641a043764c62240316610c81e36376c Version: b36e8257641a043764c62240316610c81e36376c |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-49031", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:11:13.693004Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:35.737Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/iio/health/afe4403.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "98afcb5f3be645d330c74c5194ba0d80e26f95e0", status: "affected", version: "b36e8257641a043764c62240316610c81e36376c", versionType: "git", }, { lessThan: "c9268df36818ee4eaaaeadc80009b442a5ca69c9", status: "affected", version: "b36e8257641a043764c62240316610c81e36376c", versionType: "git", }, { lessThan: "726fa3e4ab97dcff1c745bdc4fb137366cb8d3df", status: "affected", version: "b36e8257641a043764c62240316610c81e36376c", versionType: "git", }, { lessThan: "2d6a437064ffbe685c67ddb16dfc0946074c6c3f", status: "affected", version: "b36e8257641a043764c62240316610c81e36376c", versionType: "git", }, { lessThan: "b1756af172fb80a3edc143772d49e166ec691b6c", status: "affected", version: "b36e8257641a043764c62240316610c81e36376c", versionType: "git", }, { lessThan: "e7e76a77aabef8989cbc0a8417af1aa040620867", status: "affected", version: "b36e8257641a043764c62240316610c81e36376c", versionType: "git", }, { lessThan: "06c6ce21cec77dfa860d57e7a006000a57812efb", status: "affected", version: "b36e8257641a043764c62240316610c81e36376c", versionType: "git", }, { lessThan: "58143c1ed5882c138a3cd2251a336fc8755f23d9", status: "affected", version: "b36e8257641a043764c62240316610c81e36376c", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/iio/health/afe4403.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "4.8", }, { lessThan: "4.8", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.9.*", status: "unaffected", version: "4.9.335", versionType: "semver", }, { lessThanOrEqual: "4.14.*", status: "unaffected", version: "4.14.301", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.268", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.226", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.158", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.82", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.12", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\niio: health: afe4403: Fix oob read in afe4403_read_raw\n\nKASAN report out-of-bounds read as follows:\n\nBUG: KASAN: global-out-of-bounds in afe4403_read_raw+0x42e/0x4c0\nRead of size 4 at addr ffffffffc02ac638 by task cat/279\n\nCall Trace:\n afe4403_read_raw\n iio_read_channel_info\n dev_attr_show\n\nThe buggy address belongs to the variable:\n afe4403_channel_leds+0x18/0xffffffffffffe9e0\n\nThis issue can be reproduced by singe command:\n\n $ cat /sys/bus/spi/devices/spi0.0/iio\\:device0/in_intensity6_raw\n\nThe array size of afe4403_channel_leds is less than channels, so access\nwith chan->address cause OOB read in afe4403_read_raw. Fix it by moving\naccess before use it.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:12:47.533Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/98afcb5f3be645d330c74c5194ba0d80e26f95e0", }, { url: "https://git.kernel.org/stable/c/c9268df36818ee4eaaaeadc80009b442a5ca69c9", }, { url: "https://git.kernel.org/stable/c/726fa3e4ab97dcff1c745bdc4fb137366cb8d3df", }, { url: "https://git.kernel.org/stable/c/2d6a437064ffbe685c67ddb16dfc0946074c6c3f", }, { url: "https://git.kernel.org/stable/c/b1756af172fb80a3edc143772d49e166ec691b6c", }, { url: "https://git.kernel.org/stable/c/e7e76a77aabef8989cbc0a8417af1aa040620867", }, { url: "https://git.kernel.org/stable/c/06c6ce21cec77dfa860d57e7a006000a57812efb", }, { url: "https://git.kernel.org/stable/c/58143c1ed5882c138a3cd2251a336fc8755f23d9", }, ], title: "iio: health: afe4403: Fix oob read in afe4403_read_raw", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-49031", datePublished: "2024-10-21T20:06:35.214Z", dateReserved: "2024-08-22T01:27:53.652Z", dateUpdated: "2024-12-19T08:12:47.533Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-49020
Vulnerability from cvelistv5
Published
2024-10-21 20:06
Modified
2024-12-19 08:12
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/9p: Fix a potential socket leak in p9_socket_open
Both p9_fd_create_tcp() and p9_fd_create_unix() will call
p9_socket_open(). If the creation of p9_trans_fd fails,
p9_fd_create_tcp() and p9_fd_create_unix() will return an
error directly instead of releasing the cscoket, which will
result in a socket leak.
This patch adds sock_release() to fix the leak issue.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 6b18662e239a032f908b7f6e164bdf7e2e0a32c9 Version: 6b18662e239a032f908b7f6e164bdf7e2e0a32c9 Version: 6b18662e239a032f908b7f6e164bdf7e2e0a32c9 Version: 6b18662e239a032f908b7f6e164bdf7e2e0a32c9 Version: 6b18662e239a032f908b7f6e164bdf7e2e0a32c9 Version: 6b18662e239a032f908b7f6e164bdf7e2e0a32c9 Version: 6b18662e239a032f908b7f6e164bdf7e2e0a32c9 Version: 6b18662e239a032f908b7f6e164bdf7e2e0a32c9 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-49020", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:12:42.990180Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:37.309Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/9p/trans_fd.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "0396227f4daf4792a6a8aaa3b7771dc25c4cd443", status: "affected", version: "6b18662e239a032f908b7f6e164bdf7e2e0a32c9", versionType: "git", }, { lessThan: "ded893965b895b2dccd3d1436d8d3daffa23ea64", status: "affected", version: "6b18662e239a032f908b7f6e164bdf7e2e0a32c9", versionType: "git", }, { lessThan: "8b14bd0b500aec1458b51cb621c8e5fab3304260", status: "affected", version: "6b18662e239a032f908b7f6e164bdf7e2e0a32c9", versionType: "git", }, { lessThan: "2d24d91b9f44620824fc37b766f7cae00ca32748", status: "affected", version: "6b18662e239a032f908b7f6e164bdf7e2e0a32c9", versionType: "git", }, { lessThan: "e01c1542379fb395e7da53706df598f38905dfbf", status: "affected", version: "6b18662e239a032f908b7f6e164bdf7e2e0a32c9", versionType: "git", }, { lessThan: "8782b32ef867de7981bbe9e86ecb90e92e8780bd", status: "affected", version: "6b18662e239a032f908b7f6e164bdf7e2e0a32c9", versionType: "git", }, { lessThan: "aa08323fe18cb7cf95317ffa2d54ca1de8e74ebd", status: "affected", version: "6b18662e239a032f908b7f6e164bdf7e2e0a32c9", versionType: "git", }, { lessThan: "dcc14cfd7debe11b825cb077e75d91d2575b4cb8", status: "affected", version: "6b18662e239a032f908b7f6e164bdf7e2e0a32c9", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/9p/trans_fd.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "2.6.33", }, { lessThan: "2.6.33", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.9.*", status: "unaffected", version: "4.9.335", versionType: "semver", }, { lessThanOrEqual: "4.14.*", status: "unaffected", version: "4.14.301", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.268", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.226", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.158", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.82", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.12", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/9p: Fix a potential socket leak in p9_socket_open\n\nBoth p9_fd_create_tcp() and p9_fd_create_unix() will call\np9_socket_open(). If the creation of p9_trans_fd fails,\np9_fd_create_tcp() and p9_fd_create_unix() will return an\nerror directly instead of releasing the cscoket, which will\nresult in a socket leak.\n\nThis patch adds sock_release() to fix the leak issue.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:12:34.777Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/0396227f4daf4792a6a8aaa3b7771dc25c4cd443", }, { url: "https://git.kernel.org/stable/c/ded893965b895b2dccd3d1436d8d3daffa23ea64", }, { url: "https://git.kernel.org/stable/c/8b14bd0b500aec1458b51cb621c8e5fab3304260", }, { url: "https://git.kernel.org/stable/c/2d24d91b9f44620824fc37b766f7cae00ca32748", }, { url: "https://git.kernel.org/stable/c/e01c1542379fb395e7da53706df598f38905dfbf", }, { url: "https://git.kernel.org/stable/c/8782b32ef867de7981bbe9e86ecb90e92e8780bd", }, { url: "https://git.kernel.org/stable/c/aa08323fe18cb7cf95317ffa2d54ca1de8e74ebd", }, { url: "https://git.kernel.org/stable/c/dcc14cfd7debe11b825cb077e75d91d2575b4cb8", }, ], title: "net/9p: Fix a potential socket leak in p9_socket_open", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-49020", datePublished: "2024-10-21T20:06:27.976Z", dateReserved: "2024-08-22T01:27:53.649Z", dateUpdated: "2024-12-19T08:12:34.777Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50048
Vulnerability from cvelistv5
Published
2024-10-21 19:39
Modified
2024-12-19 09:32
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fbcon: Fix a NULL pointer dereference issue in fbcon_putcs
syzbot has found a NULL pointer dereference bug in fbcon.
Here is the simplified C reproducer:
struct param {
uint8_t type;
struct tiocl_selection ts;
};
int main()
{
struct fb_con2fbmap con2fb;
struct param param;
int fd = open("/dev/fb1", 0, 0);
con2fb.console = 0x19;
con2fb.framebuffer = 0;
ioctl(fd, FBIOPUT_CON2FBMAP, &con2fb);
param.type = 2;
param.ts.xs = 0; param.ts.ys = 0;
param.ts.xe = 0; param.ts.ye = 0;
param.ts.sel_mode = 0;
int fd1 = open("/dev/tty1", O_RDWR, 0);
ioctl(fd1, TIOCLINUX, ¶m);
con2fb.console = 1;
con2fb.framebuffer = 0;
ioctl(fd, FBIOPUT_CON2FBMAP, &con2fb);
return 0;
}
After calling ioctl(fd1, TIOCLINUX, ¶m), the subsequent ioctl(fd, FBIOPUT_CON2FBMAP, &con2fb)
causes the kernel to follow a different execution path:
set_con2fb_map
-> con2fb_init_display
-> fbcon_set_disp
-> redraw_screen
-> hide_cursor
-> clear_selection
-> highlight
-> invert_screen
-> do_update_region
-> fbcon_putcs
-> ops->putcs
Since ops->putcs is a NULL pointer, this leads to a kernel panic.
To prevent this, we need to call set_blitting_type() within set_con2fb_map()
to properly initialize ops->putcs.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50048", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:23:51.940299Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:43.347Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/video/fbdev/core/fbcon.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "8266ae6eafdcd5a3136592445ff4038bbc7ee80e", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "f7fb5dda555344529ce584ff7a28b109528d2f1b", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "e5c2dba62996a3a6eeb34bd248b90fc69c5a6a1b", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "5b97eebcce1b4f3f07a71f635d6aa3af96c236e7", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/video/fbdev/core/fbcon.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.57", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.4", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nfbcon: Fix a NULL pointer dereference issue in fbcon_putcs\n\nsyzbot has found a NULL pointer dereference bug in fbcon.\nHere is the simplified C reproducer:\n\nstruct param {\n\tuint8_t type;\n\tstruct tiocl_selection ts;\n};\n\nint main()\n{\n\tstruct fb_con2fbmap con2fb;\n\tstruct param param;\n\n\tint fd = open(\"/dev/fb1\", 0, 0);\n\n\tcon2fb.console = 0x19;\n\tcon2fb.framebuffer = 0;\n\tioctl(fd, FBIOPUT_CON2FBMAP, &con2fb);\n\n\tparam.type = 2;\n\tparam.ts.xs = 0; param.ts.ys = 0;\n\tparam.ts.xe = 0; param.ts.ye = 0;\n\tparam.ts.sel_mode = 0;\n\n\tint fd1 = open(\"/dev/tty1\", O_RDWR, 0);\n\tioctl(fd1, TIOCLINUX, ¶m);\n\n\tcon2fb.console = 1;\n\tcon2fb.framebuffer = 0;\n\tioctl(fd, FBIOPUT_CON2FBMAP, &con2fb);\n\n\treturn 0;\n}\n\nAfter calling ioctl(fd1, TIOCLINUX, ¶m), the subsequent ioctl(fd, FBIOPUT_CON2FBMAP, &con2fb)\ncauses the kernel to follow a different execution path:\n\n set_con2fb_map\n -> con2fb_init_display\n -> fbcon_set_disp\n -> redraw_screen\n -> hide_cursor\n -> clear_selection\n -> highlight\n -> invert_screen\n -> do_update_region\n -> fbcon_putcs\n -> ops->putcs\n\nSince ops->putcs is a NULL pointer, this leads to a kernel panic.\nTo prevent this, we need to call set_blitting_type() within set_con2fb_map()\nto properly initialize ops->putcs.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:32:04.833Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/8266ae6eafdcd5a3136592445ff4038bbc7ee80e", }, { url: "https://git.kernel.org/stable/c/f7fb5dda555344529ce584ff7a28b109528d2f1b", }, { url: "https://git.kernel.org/stable/c/e5c2dba62996a3a6eeb34bd248b90fc69c5a6a1b", }, { url: "https://git.kernel.org/stable/c/5b97eebcce1b4f3f07a71f635d6aa3af96c236e7", }, ], title: "fbcon: Fix a NULL pointer dereference issue in fbcon_putcs", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50048", datePublished: "2024-10-21T19:39:45.146Z", dateReserved: "2024-10-21T12:17:06.072Z", dateUpdated: "2024-12-19T09:32:04.833Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49898
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:28
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Check null-initialized variables
[WHAT & HOW]
drr_timing and subvp_pipe are initialized to null and they are not
always assigned new values. It is necessary to check for null before
dereferencing.
This fixes 2 FORWARD_NULL issues reported by Coverity.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49898", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:43:17.555791Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:47.972Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/dml/dcn32/dcn32_fpu.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "26d262b79a3587aaa84368586a55e9026c67841b", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "c3a3b6d9a9383e3c1a4a08878ba5046e68647595", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "3fc70ae048fe0936761b73b50700a810ff61e853", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "115b1a3b0944b4d8ef0b4b0c5a625bdd9474131f", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "367cd9ceba1933b63bc1d87d967baf6d9fd241d2", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/dml/dcn32/dcn32_fpu.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.120", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.64", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check null-initialized variables\n\n[WHAT & HOW]\ndrr_timing and subvp_pipe are initialized to null and they are not\nalways assigned new values. It is necessary to check for null before\ndereferencing.\n\nThis fixes 2 FORWARD_NULL issues reported by Coverity.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:28:37.172Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/26d262b79a3587aaa84368586a55e9026c67841b", }, { url: "https://git.kernel.org/stable/c/c3a3b6d9a9383e3c1a4a08878ba5046e68647595", }, { url: "https://git.kernel.org/stable/c/3fc70ae048fe0936761b73b50700a810ff61e853", }, { url: "https://git.kernel.org/stable/c/115b1a3b0944b4d8ef0b4b0c5a625bdd9474131f", }, { url: "https://git.kernel.org/stable/c/367cd9ceba1933b63bc1d87d967baf6d9fd241d2", }, ], title: "drm/amd/display: Check null-initialized variables", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49898", datePublished: "2024-10-21T18:01:31.212Z", dateReserved: "2024-10-21T12:17:06.026Z", dateUpdated: "2024-12-19T09:28:37.172Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47733
Vulnerability from cvelistv5
Published
2024-10-21 12:14
Modified
2024-12-19 09:27
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfs: Delete subtree of 'fs/netfs' when netfs module exits
In netfs_init() or fscache_proc_init(), we create dentry under 'fs/netfs',
but in netfs_exit(), we only delete the proc entry of 'fs/netfs' without
deleting its subtree. This triggers the following WARNING:
==================================================================
remove_proc_entry: removing non-empty directory 'fs/netfs', leaking at least 'requests'
WARNING: CPU: 4 PID: 566 at fs/proc/generic.c:717 remove_proc_entry+0x160/0x1c0
Modules linked in: netfs(-)
CPU: 4 UID: 0 PID: 566 Comm: rmmod Not tainted 6.11.0-rc3 #860
RIP: 0010:remove_proc_entry+0x160/0x1c0
Call Trace:
<TASK>
netfs_exit+0x12/0x620 [netfs]
__do_sys_delete_module.isra.0+0x14c/0x2e0
do_syscall_64+0x4b/0x110
entry_SYSCALL_64_after_hwframe+0x76/0x7e
==================================================================
Therefore use remove_proc_subtree() instead of remove_proc_entry() to
fix the above problem.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47733", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:00:15.346668Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:15.617Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/netfs/main.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "603f95cefbee06a31b03137b777f03e3c2163d72", status: "affected", version: "7eb5b3e3a0a55f2d166ca949ef47ca6e0c704aab", versionType: "git", }, { lessThan: "7a9eaf97d56625e55b31a7beb558e1ee185ca461", status: "affected", version: "7eb5b3e3a0a55f2d166ca949ef47ca6e0c704aab", versionType: "git", }, { lessThan: "3c58a9575e02c2b90a3180007d57105ceaa7c246", status: "affected", version: "7eb5b3e3a0a55f2d166ca949ef47ca6e0c704aab", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/netfs/main.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.8", }, { lessThan: "6.8", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfs: Delete subtree of 'fs/netfs' when netfs module exits\n\nIn netfs_init() or fscache_proc_init(), we create dentry under 'fs/netfs',\nbut in netfs_exit(), we only delete the proc entry of 'fs/netfs' without\ndeleting its subtree. This triggers the following WARNING:\n\n==================================================================\nremove_proc_entry: removing non-empty directory 'fs/netfs', leaking at least 'requests'\nWARNING: CPU: 4 PID: 566 at fs/proc/generic.c:717 remove_proc_entry+0x160/0x1c0\nModules linked in: netfs(-)\nCPU: 4 UID: 0 PID: 566 Comm: rmmod Not tainted 6.11.0-rc3 #860\nRIP: 0010:remove_proc_entry+0x160/0x1c0\nCall Trace:\n <TASK>\n netfs_exit+0x12/0x620 [netfs]\n __do_sys_delete_module.isra.0+0x14c/0x2e0\n do_syscall_64+0x4b/0x110\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n==================================================================\n\nTherefore use remove_proc_subtree() instead of remove_proc_entry() to\nfix the above problem.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:27:00.983Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/603f95cefbee06a31b03137b777f03e3c2163d72", }, { url: "https://git.kernel.org/stable/c/7a9eaf97d56625e55b31a7beb558e1ee185ca461", }, { url: "https://git.kernel.org/stable/c/3c58a9575e02c2b90a3180007d57105ceaa7c246", }, ], title: "netfs: Delete subtree of 'fs/netfs' when netfs module exits", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47733", datePublished: "2024-10-21T12:14:04.544Z", dateReserved: "2024-09-30T16:00:12.958Z", dateUpdated: "2024-12-19T09:27:00.983Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48991
Vulnerability from cvelistv5
Published
2024-10-21 20:06
Modified
2024-12-19 08:12
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/khugepaged: invoke MMU notifiers in shmem/file collapse paths
Any codepath that zaps page table entries must invoke MMU notifiers to
ensure that secondary MMUs (like KVM) don't keep accessing pages which
aren't mapped anymore. Secondary MMUs don't hold their own references to
pages that are mirrored over, so failing to notify them can lead to page
use-after-free.
I'm marking this as addressing an issue introduced in commit f3f0e1d2150b
("khugepaged: add support of collapse for tmpfs/shmem pages"), but most of
the security impact of this only came in commit 27e1f8273113 ("khugepaged:
enable collapse pmd for pte-mapped THP"), which actually omitted flushes
for the removal of present PTEs, not just for the removal of empty page
tables.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: f3f0e1d2150b2b99da2cbdfaad000089efe9bf30 Version: f3f0e1d2150b2b99da2cbdfaad000089efe9bf30 Version: f3f0e1d2150b2b99da2cbdfaad000089efe9bf30 Version: f3f0e1d2150b2b99da2cbdfaad000089efe9bf30 Version: f3f0e1d2150b2b99da2cbdfaad000089efe9bf30 Version: f3f0e1d2150b2b99da2cbdfaad000089efe9bf30 Version: f3f0e1d2150b2b99da2cbdfaad000089efe9bf30 Version: f3f0e1d2150b2b99da2cbdfaad000089efe9bf30 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48991", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:16:32.481668Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:42.186Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "mm/khugepaged.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "275c626c131cfe141beeb6c575e31fa53d32da19", status: "affected", version: "f3f0e1d2150b2b99da2cbdfaad000089efe9bf30", versionType: "git", }, { lessThan: "c23105673228c349739e958fa33955ed8faddcaf", status: "affected", version: "f3f0e1d2150b2b99da2cbdfaad000089efe9bf30", versionType: "git", }, { lessThan: "ff2a1a6f869650aec99e9d070b5ab625bfbc5bc3", status: "affected", version: "f3f0e1d2150b2b99da2cbdfaad000089efe9bf30", versionType: "git", }, { lessThan: "5ffc2a75534d9d74d49760f983f8eb675fa63d69", status: "affected", version: "f3f0e1d2150b2b99da2cbdfaad000089efe9bf30", versionType: "git", }, { lessThan: "7f445ca2e0e59c7971d0b7b853465e50844ab596", status: "affected", version: "f3f0e1d2150b2b99da2cbdfaad000089efe9bf30", versionType: "git", }, { lessThan: "1a3f8c6cd29d9078cc81b29d39d0e9ae1d6a03c3", status: "affected", version: "f3f0e1d2150b2b99da2cbdfaad000089efe9bf30", versionType: "git", }, { lessThan: "5450535901d89a5dcca5fbbc59a24fe89caeb465", status: "affected", version: "f3f0e1d2150b2b99da2cbdfaad000089efe9bf30", versionType: "git", }, { lessThan: "f268f6cf875f3220afc77bdd0bf1bb136eb54db9", status: "affected", version: "f3f0e1d2150b2b99da2cbdfaad000089efe9bf30", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "mm/khugepaged.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "4.8", }, { lessThan: "4.8", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.9.*", status: "unaffected", version: "4.9.337", versionType: "semver", }, { lessThanOrEqual: "4.14.*", status: "unaffected", version: "4.14.303", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.270", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.227", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.159", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.83", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.13", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/khugepaged: invoke MMU notifiers in shmem/file collapse paths\n\nAny codepath that zaps page table entries must invoke MMU notifiers to\nensure that secondary MMUs (like KVM) don't keep accessing pages which\naren't mapped anymore. Secondary MMUs don't hold their own references to\npages that are mirrored over, so failing to notify them can lead to page\nuse-after-free.\n\nI'm marking this as addressing an issue introduced in commit f3f0e1d2150b\n(\"khugepaged: add support of collapse for tmpfs/shmem pages\"), but most of\nthe security impact of this only came in commit 27e1f8273113 (\"khugepaged:\nenable collapse pmd for pte-mapped THP\"), which actually omitted flushes\nfor the removal of present PTEs, not just for the removal of empty page\ntables.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:12:02.610Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/275c626c131cfe141beeb6c575e31fa53d32da19", }, { url: "https://git.kernel.org/stable/c/c23105673228c349739e958fa33955ed8faddcaf", }, { url: "https://git.kernel.org/stable/c/ff2a1a6f869650aec99e9d070b5ab625bfbc5bc3", }, { url: "https://git.kernel.org/stable/c/5ffc2a75534d9d74d49760f983f8eb675fa63d69", }, { url: "https://git.kernel.org/stable/c/7f445ca2e0e59c7971d0b7b853465e50844ab596", }, { url: "https://git.kernel.org/stable/c/1a3f8c6cd29d9078cc81b29d39d0e9ae1d6a03c3", }, { url: "https://git.kernel.org/stable/c/5450535901d89a5dcca5fbbc59a24fe89caeb465", }, { url: "https://git.kernel.org/stable/c/f268f6cf875f3220afc77bdd0bf1bb136eb54db9", }, ], title: "mm/khugepaged: invoke MMU notifiers in shmem/file collapse paths", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48991", datePublished: "2024-10-21T20:06:08.312Z", dateReserved: "2024-08-22T01:27:53.636Z", dateUpdated: "2024-12-19T08:12:02.610Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49876
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:28
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/xe: fix UAF around queue destruction
We currently do stuff like queuing the final destruction step on a
random system wq, which will outlive the driver instance. With bad
timing we can teardown the driver with one or more work workqueue still
being alive leading to various UAF splats. Add a fini step to ensure
user queues are properly torn down. At this point GuC should already be
nuked so queue itself should no longer be referenced from hw pov.
v2 (Matt B)
- Looks much safer to use a waitqueue and then just wait for the
xa_array to become empty before triggering the drain.
(cherry picked from commit 861108666cc0e999cffeab6aff17b662e68774e3)
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49876", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:46:17.394123Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:51.208Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/xe/xe_device.c", "drivers/gpu/drm/xe/xe_device_types.h", "drivers/gpu/drm/xe/xe_guc_submit.c", "drivers/gpu/drm/xe/xe_guc_types.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "272b0e78874586d6ccae04079d75b27b47705544", status: "affected", version: "dd08ebf6c3525a7ea2186e636df064ea47281987", versionType: "git", }, { lessThan: "421c74670b0f9d5c007f1276d3647aa58f407fde", status: "affected", version: "dd08ebf6c3525a7ea2186e636df064ea47281987", versionType: "git", }, { lessThan: "2d2be279f1ca9e7288282d4214f16eea8a727cdb", status: "affected", version: "dd08ebf6c3525a7ea2186e636df064ea47281987", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/xe/xe_device.c", "drivers/gpu/drm/xe/xe_device_types.h", "drivers/gpu/drm/xe/xe_guc_submit.c", "drivers/gpu/drm/xe/xe_guc_types.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.8", }, { lessThan: "6.8", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: fix UAF around queue destruction\n\nWe currently do stuff like queuing the final destruction step on a\nrandom system wq, which will outlive the driver instance. With bad\ntiming we can teardown the driver with one or more work workqueue still\nbeing alive leading to various UAF splats. Add a fini step to ensure\nuser queues are properly torn down. At this point GuC should already be\nnuked so queue itself should no longer be referenced from hw pov.\n\nv2 (Matt B)\n - Looks much safer to use a waitqueue and then just wait for the\n xa_array to become empty before triggering the drain.\n\n(cherry picked from commit 861108666cc0e999cffeab6aff17b662e68774e3)", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:28:05.335Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/272b0e78874586d6ccae04079d75b27b47705544", }, { url: "https://git.kernel.org/stable/c/421c74670b0f9d5c007f1276d3647aa58f407fde", }, { url: "https://git.kernel.org/stable/c/2d2be279f1ca9e7288282d4214f16eea8a727cdb", }, ], title: "drm/xe: fix UAF around queue destruction", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49876", datePublished: "2024-10-21T18:01:16.098Z", dateReserved: "2024-10-21T12:17:06.020Z", dateUpdated: "2024-12-19T09:28:05.335Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49881
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:28
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: update orig_path in ext4_find_extent()
In ext4_find_extent(), if the path is not big enough, we free it and set
*orig_path to NULL. But after reallocating and successfully initializing
the path, we don't update *orig_path, in which case the caller gets a
valid path but a NULL ppath, and this may cause a NULL pointer dereference
or a path memory leak. For example:
ext4_split_extent
path = *ppath = 2000
ext4_find_extent
if (depth > path[0].p_maxdepth)
kfree(path = 2000);
*orig_path = path = NULL;
path = kcalloc() = 3000
ext4_split_extent_at(*ppath = NULL)
path = *ppath;
ex = path[depth].p_ext;
// NULL pointer dereference!
==================================================================
BUG: kernel NULL pointer dereference, address: 0000000000000010
CPU: 6 UID: 0 PID: 576 Comm: fsstress Not tainted 6.11.0-rc2-dirty #847
RIP: 0010:ext4_split_extent_at+0x6d/0x560
Call Trace:
<TASK>
ext4_split_extent.isra.0+0xcb/0x1b0
ext4_ext_convert_to_initialized+0x168/0x6c0
ext4_ext_handle_unwritten_extents+0x325/0x4d0
ext4_ext_map_blocks+0x520/0xdb0
ext4_map_blocks+0x2b0/0x690
ext4_iomap_begin+0x20e/0x2c0
[...]
==================================================================
Therefore, *orig_path is updated when the extent lookup succeeds, so that
the caller can safely use path or *ppath.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 10809df84a4d868db61af621bae3658494165279 Version: 10809df84a4d868db61af621bae3658494165279 Version: 10809df84a4d868db61af621bae3658494165279 Version: 10809df84a4d868db61af621bae3658494165279 Version: 10809df84a4d868db61af621bae3658494165279 Version: 10809df84a4d868db61af621bae3658494165279 Version: 10809df84a4d868db61af621bae3658494165279 Version: 10809df84a4d868db61af621bae3658494165279 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49881", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:45:38.096654Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:50.544Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/ext4/extents.c", "fs/ext4/move_extent.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "ec0c0beb9b777cdd1edd7df9b36e0f3e67e2bdff", status: "affected", version: "10809df84a4d868db61af621bae3658494165279", versionType: "git", }, { lessThan: "6766937d0327000ac1b87c97bbecdd28b0dd6599", status: "affected", version: "10809df84a4d868db61af621bae3658494165279", versionType: "git", }, { lessThan: "a9fcb1717d75061d3653ed69365c8d45331815cd", status: "affected", version: "10809df84a4d868db61af621bae3658494165279", versionType: "git", }, { lessThan: "6801ed1298204d16a38571091e31178bfdc3c679", status: "affected", version: "10809df84a4d868db61af621bae3658494165279", versionType: "git", }, { lessThan: "f55ecc58d07a6c1f6d6d5b5af125c25f8da0bda2", status: "affected", version: "10809df84a4d868db61af621bae3658494165279", versionType: "git", }, { lessThan: "b63481b3a388ee2df9e295f97273226140422a42", status: "affected", version: "10809df84a4d868db61af621bae3658494165279", versionType: "git", }, { lessThan: "11b230100d6801c014fab2afabc8bdea304c1b96", status: "affected", version: "10809df84a4d868db61af621bae3658494165279", versionType: "git", }, { lessThan: "5b4b2dcace35f618fe361a87bae6f0d13af31bc1", status: "affected", version: "10809df84a4d868db61af621bae3658494165279", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/ext4/extents.c", "fs/ext4/move_extent.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "3.18", }, { lessThan: "3.18", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\next4: update orig_path in ext4_find_extent()\n\nIn ext4_find_extent(), if the path is not big enough, we free it and set\n*orig_path to NULL. But after reallocating and successfully initializing\nthe path, we don't update *orig_path, in which case the caller gets a\nvalid path but a NULL ppath, and this may cause a NULL pointer dereference\nor a path memory leak. For example:\n\next4_split_extent\n path = *ppath = 2000\n ext4_find_extent\n if (depth > path[0].p_maxdepth)\n kfree(path = 2000);\n *orig_path = path = NULL;\n path = kcalloc() = 3000\n ext4_split_extent_at(*ppath = NULL)\n path = *ppath;\n ex = path[depth].p_ext;\n // NULL pointer dereference!\n\n==================================================================\nBUG: kernel NULL pointer dereference, address: 0000000000000010\nCPU: 6 UID: 0 PID: 576 Comm: fsstress Not tainted 6.11.0-rc2-dirty #847\nRIP: 0010:ext4_split_extent_at+0x6d/0x560\nCall Trace:\n <TASK>\n ext4_split_extent.isra.0+0xcb/0x1b0\n ext4_ext_convert_to_initialized+0x168/0x6c0\n ext4_ext_handle_unwritten_extents+0x325/0x4d0\n ext4_ext_map_blocks+0x520/0xdb0\n ext4_map_blocks+0x2b0/0x690\n ext4_iomap_begin+0x20e/0x2c0\n[...]\n==================================================================\n\nTherefore, *orig_path is updated when the extent lookup succeeds, so that\nthe caller can safely use path or *ppath.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:28:16.400Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/ec0c0beb9b777cdd1edd7df9b36e0f3e67e2bdff", }, { url: "https://git.kernel.org/stable/c/6766937d0327000ac1b87c97bbecdd28b0dd6599", }, { url: "https://git.kernel.org/stable/c/a9fcb1717d75061d3653ed69365c8d45331815cd", }, { url: "https://git.kernel.org/stable/c/6801ed1298204d16a38571091e31178bfdc3c679", }, { url: "https://git.kernel.org/stable/c/f55ecc58d07a6c1f6d6d5b5af125c25f8da0bda2", }, { url: "https://git.kernel.org/stable/c/b63481b3a388ee2df9e295f97273226140422a42", }, { url: "https://git.kernel.org/stable/c/11b230100d6801c014fab2afabc8bdea304c1b96", }, { url: "https://git.kernel.org/stable/c/5b4b2dcace35f618fe361a87bae6f0d13af31bc1", }, ], title: "ext4: update orig_path in ext4_find_extent()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49881", datePublished: "2024-10-21T18:01:19.478Z", dateReserved: "2024-10-21T12:17:06.021Z", dateUpdated: "2024-12-19T09:28:16.400Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50018
Vulnerability from cvelistv5
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Show details on NVD website{ containers: { cna: { providerMetadata: { dateUpdated: "2024-12-12T15:17:12.818Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, rejectedReasons: [ { lang: "en", value: "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", }, ], }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50018", datePublished: "2024-10-21T18:54:08.468Z", dateRejected: "2024-12-12T15:17:12.818Z", dateReserved: "2024-10-21T12:17:06.063Z", dateUpdated: "2024-12-12T15:17:12.818Z", state: "REJECTED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47752
Vulnerability from cvelistv5
Published
2024-10-21 12:14
Modified
2024-12-19 09:27
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: mediatek: vcodec: Fix H264 stateless decoder smatch warning
Fix a smatch static checker warning on vdec_h264_req_if.c.
Which leads to a kernel crash when fb is NULL.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47752", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T12:57:47.458380Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:12.844Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_h264_req_if.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "c6b9f971b43980de8893610f606d751131fb5d86", status: "affected", version: "06fa5f757dc5a5687e1cdd13097c3265735f60bf", versionType: "git", }, { lessThan: "18181b0c1c5bd43846e5e0ae3d61a4a1adceab03", status: "affected", version: "06fa5f757dc5a5687e1cdd13097c3265735f60bf", versionType: "git", }, { lessThan: "790d1848fac5ac3b1c474f66162598ab07a20c21", status: "affected", version: "06fa5f757dc5a5687e1cdd13097c3265735f60bf", versionType: "git", }, { lessThan: "7878d3a385efab560dce793b595447867fb163f2", status: "affected", version: "06fa5f757dc5a5687e1cdd13097c3265735f60bf", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_h264_req_if.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.16", }, { lessThan: "5.16", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mediatek: vcodec: Fix H264 stateless decoder smatch warning\n\nFix a smatch static checker warning on vdec_h264_req_if.c.\nWhich leads to a kernel crash when fb is NULL.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:27:25.584Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/c6b9f971b43980de8893610f606d751131fb5d86", }, { url: "https://git.kernel.org/stable/c/18181b0c1c5bd43846e5e0ae3d61a4a1adceab03", }, { url: "https://git.kernel.org/stable/c/790d1848fac5ac3b1c474f66162598ab07a20c21", }, { url: "https://git.kernel.org/stable/c/7878d3a385efab560dce793b595447867fb163f2", }, ], title: "media: mediatek: vcodec: Fix H264 stateless decoder smatch warning", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47752", datePublished: "2024-10-21T12:14:17.097Z", dateReserved: "2024-09-30T16:00:12.961Z", dateUpdated: "2024-12-19T09:27:25.584Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-49013
Vulnerability from cvelistv5
Published
2024-10-21 20:06
Modified
2024-12-19 08:12
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
sctp: fix memory leak in sctp_stream_outq_migrate()
When sctp_stream_outq_migrate() is called to release stream out resources,
the memory pointed to by prio_head in stream out is not released.
The memory leak information is as follows:
unreferenced object 0xffff88801fe79f80 (size 64):
comm "sctp_repo", pid 7957, jiffies 4294951704 (age 36.480s)
hex dump (first 32 bytes):
80 9f e7 1f 80 88 ff ff 80 9f e7 1f 80 88 ff ff ................
90 9f e7 1f 80 88 ff ff 90 9f e7 1f 80 88 ff ff ................
backtrace:
[<ffffffff81b215c6>] kmalloc_trace+0x26/0x60
[<ffffffff88ae517c>] sctp_sched_prio_set+0x4cc/0x770
[<ffffffff88ad64f2>] sctp_stream_init_ext+0xd2/0x1b0
[<ffffffff88aa2604>] sctp_sendmsg_to_asoc+0x1614/0x1a30
[<ffffffff88ab7ff1>] sctp_sendmsg+0xda1/0x1ef0
[<ffffffff87f765ed>] inet_sendmsg+0x9d/0xe0
[<ffffffff8754b5b3>] sock_sendmsg+0xd3/0x120
[<ffffffff8755446a>] __sys_sendto+0x23a/0x340
[<ffffffff87554651>] __x64_sys_sendto+0xe1/0x1b0
[<ffffffff89978b49>] do_syscall_64+0x39/0xb0
[<ffffffff89a0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 637784ade221a3c8a7ecd0f583eddd95d6276b9a Version: 637784ade221a3c8a7ecd0f583eddd95d6276b9a Version: 637784ade221a3c8a7ecd0f583eddd95d6276b9a Version: 637784ade221a3c8a7ecd0f583eddd95d6276b9a Version: 637784ade221a3c8a7ecd0f583eddd95d6276b9a |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-49013", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:13:36.395283Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:38.448Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "include/net/sctp/stream_sched.h", "net/sctp/stream.c", "net/sctp/stream_sched.c", "net/sctp/stream_sched_prio.c", "net/sctp/stream_sched_rr.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "a7555681e50bdebed2c40ff7404ee73c2e932993", status: "affected", version: "637784ade221a3c8a7ecd0f583eddd95d6276b9a", versionType: "git", }, { lessThan: "176ee6c673ccd118e9392fd2dbb165423bdb99ca", status: "affected", version: "637784ade221a3c8a7ecd0f583eddd95d6276b9a", versionType: "git", }, { lessThan: "0dfb9a566327182387c90100ea54d8426cee8c67", status: "affected", version: "637784ade221a3c8a7ecd0f583eddd95d6276b9a", versionType: "git", }, { lessThan: "fa20f88271259d42ebe66f0a8c4c20199e888c99", status: "affected", version: "637784ade221a3c8a7ecd0f583eddd95d6276b9a", versionType: "git", }, { lessThan: "9ed7bfc79542119ac0a9e1ce8a2a5285e43433e9", status: "affected", version: "637784ade221a3c8a7ecd0f583eddd95d6276b9a", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "include/net/sctp/stream_sched.h", "net/sctp/stream.c", "net/sctp/stream_sched.c", "net/sctp/stream_sched_prio.c", "net/sctp/stream_sched_rr.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "4.15", }, { lessThan: "4.15", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.226", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.158", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.82", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.12", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: fix memory leak in sctp_stream_outq_migrate()\n\nWhen sctp_stream_outq_migrate() is called to release stream out resources,\nthe memory pointed to by prio_head in stream out is not released.\n\nThe memory leak information is as follows:\n unreferenced object 0xffff88801fe79f80 (size 64):\n comm \"sctp_repo\", pid 7957, jiffies 4294951704 (age 36.480s)\n hex dump (first 32 bytes):\n 80 9f e7 1f 80 88 ff ff 80 9f e7 1f 80 88 ff ff ................\n 90 9f e7 1f 80 88 ff ff 90 9f e7 1f 80 88 ff ff ................\n backtrace:\n [<ffffffff81b215c6>] kmalloc_trace+0x26/0x60\n [<ffffffff88ae517c>] sctp_sched_prio_set+0x4cc/0x770\n [<ffffffff88ad64f2>] sctp_stream_init_ext+0xd2/0x1b0\n [<ffffffff88aa2604>] sctp_sendmsg_to_asoc+0x1614/0x1a30\n [<ffffffff88ab7ff1>] sctp_sendmsg+0xda1/0x1ef0\n [<ffffffff87f765ed>] inet_sendmsg+0x9d/0xe0\n [<ffffffff8754b5b3>] sock_sendmsg+0xd3/0x120\n [<ffffffff8755446a>] __sys_sendto+0x23a/0x340\n [<ffffffff87554651>] __x64_sys_sendto+0xe1/0x1b0\n [<ffffffff89978b49>] do_syscall_64+0x39/0xb0\n [<ffffffff89a0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:12:26.697Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/a7555681e50bdebed2c40ff7404ee73c2e932993", }, { url: "https://git.kernel.org/stable/c/176ee6c673ccd118e9392fd2dbb165423bdb99ca", }, { url: "https://git.kernel.org/stable/c/0dfb9a566327182387c90100ea54d8426cee8c67", }, { url: "https://git.kernel.org/stable/c/fa20f88271259d42ebe66f0a8c4c20199e888c99", }, { url: "https://git.kernel.org/stable/c/9ed7bfc79542119ac0a9e1ce8a2a5285e43433e9", }, ], title: "sctp: fix memory leak in sctp_stream_outq_migrate()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-49013", datePublished: "2024-10-21T20:06:23.375Z", dateReserved: "2024-08-22T01:27:53.644Z", dateUpdated: "2024-12-19T08:12:26.697Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47747
Vulnerability from cvelistv5
Published
2024-10-21 12:14
Modified
2024-12-19 09:27
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: seeq: Fix use after free vulnerability in ether3 Driver Due to Race Condition
In the ether3_probe function, a timer is initialized with a callback
function ether3_ledoff, bound to &prev(dev)->timer. Once the timer is
started, there is a risk of a race condition if the module or device
is removed, triggering the ether3_remove function to perform cleanup.
The sequence of operations that may lead to a UAF bug is as follows:
CPU0 CPU1
| ether3_ledoff
ether3_remove |
free_netdev(dev); |
put_devic |
kfree(dev); |
| ether3_outw(priv(dev)->regs.config2 |= CFG2_CTRLO, REG_CONFIG2);
| // use dev
Fix it by ensuring that the timer is canceled before proceeding with
the cleanup in ether3_remove.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 6fd9c53f71862a4797b7ed8a5de80e2c64829f56 Version: 6fd9c53f71862a4797b7ed8a5de80e2c64829f56 Version: 6fd9c53f71862a4797b7ed8a5de80e2c64829f56 Version: 6fd9c53f71862a4797b7ed8a5de80e2c64829f56 Version: 6fd9c53f71862a4797b7ed8a5de80e2c64829f56 Version: 6fd9c53f71862a4797b7ed8a5de80e2c64829f56 Version: 6fd9c53f71862a4797b7ed8a5de80e2c64829f56 Version: 6fd9c53f71862a4797b7ed8a5de80e2c64829f56 Version: 6fd9c53f71862a4797b7ed8a5de80e2c64829f56 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47747", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T12:58:25.330423Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:13.623Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/ethernet/seeq/ether3.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "25d559ed2beec9b34045886100dac46d1ad92eba", status: "affected", version: "6fd9c53f71862a4797b7ed8a5de80e2c64829f56", versionType: "git", }, { lessThan: "b5a84b6c772564c8359a9a0fbaeb2a2944aa1ee9", status: "affected", version: "6fd9c53f71862a4797b7ed8a5de80e2c64829f56", versionType: "git", }, { lessThan: "338a0582b28e69460df03af50e938b86b4206353", status: "affected", version: "6fd9c53f71862a4797b7ed8a5de80e2c64829f56", versionType: "git", }, { lessThan: "822c7bb1f6f8b0331e8d1927151faf8db3b33afd", status: "affected", version: "6fd9c53f71862a4797b7ed8a5de80e2c64829f56", versionType: "git", }, { lessThan: "1c57d61a43293252ad732007c7070fdb112545fd", status: "affected", version: "6fd9c53f71862a4797b7ed8a5de80e2c64829f56", versionType: "git", }, { lessThan: "d2abc379071881798d20e2ac1d332ad855ae22f3", status: "affected", version: "6fd9c53f71862a4797b7ed8a5de80e2c64829f56", versionType: "git", }, { lessThan: "516dbc6d16637430808c39568cbb6b841d32b55b", status: "affected", version: "6fd9c53f71862a4797b7ed8a5de80e2c64829f56", versionType: "git", }, { lessThan: "77a77331cef0a219b8dd91361435eeef04cb741c", status: "affected", version: "6fd9c53f71862a4797b7ed8a5de80e2c64829f56", versionType: "git", }, { lessThan: "b5109b60ee4fcb2f2bb24f589575e10cc5283ad4", status: "affected", version: "6fd9c53f71862a4797b7ed8a5de80e2c64829f56", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/ethernet/seeq/ether3.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "4.15", }, { lessThan: "4.15", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: seeq: Fix use after free vulnerability in ether3 Driver Due to Race Condition\n\nIn the ether3_probe function, a timer is initialized with a callback\nfunction ether3_ledoff, bound to &prev(dev)->timer. Once the timer is\nstarted, there is a risk of a race condition if the module or device\nis removed, triggering the ether3_remove function to perform cleanup.\nThe sequence of operations that may lead to a UAF bug is as follows:\n\nCPU0 CPU1\n\n | ether3_ledoff\nether3_remove |\n free_netdev(dev); |\n put_devic |\n kfree(dev); |\n | ether3_outw(priv(dev)->regs.config2 |= CFG2_CTRLO, REG_CONFIG2);\n | // use dev\n\nFix it by ensuring that the timer is canceled before proceeding with\nthe cleanup in ether3_remove.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:27:19.272Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/25d559ed2beec9b34045886100dac46d1ad92eba", }, { url: "https://git.kernel.org/stable/c/b5a84b6c772564c8359a9a0fbaeb2a2944aa1ee9", }, { url: "https://git.kernel.org/stable/c/338a0582b28e69460df03af50e938b86b4206353", }, { url: "https://git.kernel.org/stable/c/822c7bb1f6f8b0331e8d1927151faf8db3b33afd", }, { url: "https://git.kernel.org/stable/c/1c57d61a43293252ad732007c7070fdb112545fd", }, { url: "https://git.kernel.org/stable/c/d2abc379071881798d20e2ac1d332ad855ae22f3", }, { url: "https://git.kernel.org/stable/c/516dbc6d16637430808c39568cbb6b841d32b55b", }, { url: "https://git.kernel.org/stable/c/77a77331cef0a219b8dd91361435eeef04cb741c", }, { url: "https://git.kernel.org/stable/c/b5109b60ee4fcb2f2bb24f589575e10cc5283ad4", }, ], title: "net: seeq: Fix use after free vulnerability in ether3 Driver Due to Race Condition", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47747", datePublished: "2024-10-21T12:14:13.783Z", dateReserved: "2024-09-30T16:00:12.960Z", dateUpdated: "2024-12-19T09:27:19.272Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-49029
Vulnerability from cvelistv5
Published
2024-10-21 20:06
Modified
2024-12-19 08:12
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
hwmon: (ibmpex) Fix possible UAF when ibmpex_register_bmc() fails
Smatch report warning as follows:
drivers/hwmon/ibmpex.c:509 ibmpex_register_bmc() warn:
'&data->list' not removed from list
If ibmpex_find_sensors() fails in ibmpex_register_bmc(), data will
be freed, but data->list will not be removed from driver_data.bmc_data,
then list traversal may cause UAF.
Fix by removeing it from driver_data.bmc_data before free().
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 57c7c3a0fdea95eddcaeba31e7ca7dfc917682ab Version: 57c7c3a0fdea95eddcaeba31e7ca7dfc917682ab Version: 57c7c3a0fdea95eddcaeba31e7ca7dfc917682ab Version: 57c7c3a0fdea95eddcaeba31e7ca7dfc917682ab Version: 57c7c3a0fdea95eddcaeba31e7ca7dfc917682ab Version: 57c7c3a0fdea95eddcaeba31e7ca7dfc917682ab Version: 57c7c3a0fdea95eddcaeba31e7ca7dfc917682ab Version: 57c7c3a0fdea95eddcaeba31e7ca7dfc917682ab |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-49029", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:11:29.003244Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:36.071Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/hwmon/ibmpex.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "f2a13196ad41c6c2ab058279dffe6c97292e753a", status: "affected", version: "57c7c3a0fdea95eddcaeba31e7ca7dfc917682ab", versionType: "git", }, { lessThan: "798198273bf86673b970b51acdb35e57f42b3fcb", status: "affected", version: "57c7c3a0fdea95eddcaeba31e7ca7dfc917682ab", versionType: "git", }, { lessThan: "24b9633f7db7f4809be7053df1d2e117e7c2de10", status: "affected", version: "57c7c3a0fdea95eddcaeba31e7ca7dfc917682ab", versionType: "git", }, { lessThan: "7b2b67fe1339389e0bf3c37c7a677a004ac0e4e3", status: "affected", version: "57c7c3a0fdea95eddcaeba31e7ca7dfc917682ab", versionType: "git", }, { lessThan: "90907cd4d11351ff76c9a447bcb5db0e264c47cd", status: "affected", version: "57c7c3a0fdea95eddcaeba31e7ca7dfc917682ab", versionType: "git", }, { lessThan: "45f6e81863747c0d7bc6a95ec51129900e71467a", status: "affected", version: "57c7c3a0fdea95eddcaeba31e7ca7dfc917682ab", versionType: "git", }, { lessThan: "e65cfd1f9cd27d9c27ee5cb88128a9f79f25d863", status: "affected", version: "57c7c3a0fdea95eddcaeba31e7ca7dfc917682ab", versionType: "git", }, { lessThan: "e2a87785aab0dac190ac89be6a9ba955e2c634f2", status: "affected", version: "57c7c3a0fdea95eddcaeba31e7ca7dfc917682ab", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/hwmon/ibmpex.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "2.6.24", }, { lessThan: "2.6.24", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.9.*", status: "unaffected", version: "4.9.335", versionType: "semver", }, { lessThanOrEqual: "4.14.*", status: "unaffected", version: "4.14.301", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.268", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.226", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.158", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.82", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.12", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (ibmpex) Fix possible UAF when ibmpex_register_bmc() fails\n\nSmatch report warning as follows:\n\ndrivers/hwmon/ibmpex.c:509 ibmpex_register_bmc() warn:\n '&data->list' not removed from list\n\nIf ibmpex_find_sensors() fails in ibmpex_register_bmc(), data will\nbe freed, but data->list will not be removed from driver_data.bmc_data,\nthen list traversal may cause UAF.\n\nFix by removeing it from driver_data.bmc_data before free().", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:12:45.279Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/f2a13196ad41c6c2ab058279dffe6c97292e753a", }, { url: "https://git.kernel.org/stable/c/798198273bf86673b970b51acdb35e57f42b3fcb", }, { url: "https://git.kernel.org/stable/c/24b9633f7db7f4809be7053df1d2e117e7c2de10", }, { url: "https://git.kernel.org/stable/c/7b2b67fe1339389e0bf3c37c7a677a004ac0e4e3", }, { url: "https://git.kernel.org/stable/c/90907cd4d11351ff76c9a447bcb5db0e264c47cd", }, { url: "https://git.kernel.org/stable/c/45f6e81863747c0d7bc6a95ec51129900e71467a", }, { url: "https://git.kernel.org/stable/c/e65cfd1f9cd27d9c27ee5cb88128a9f79f25d863", }, { url: "https://git.kernel.org/stable/c/e2a87785aab0dac190ac89be6a9ba955e2c634f2", }, ], title: "hwmon: (ibmpex) Fix possible UAF when ibmpex_register_bmc() fails", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-49029", datePublished: "2024-10-21T20:06:33.918Z", dateReserved: "2024-08-22T01:27:53.651Z", dateUpdated: "2024-12-19T08:12:45.279Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49868
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:27
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix a NULL pointer dereference when failed to start a new trasacntion
[BUG]
Syzbot reported a NULL pointer dereference with the following crash:
FAULT_INJECTION: forcing a failure.
start_transaction+0x830/0x1670 fs/btrfs/transaction.c:676
prepare_to_relocate+0x31f/0x4c0 fs/btrfs/relocation.c:3642
relocate_block_group+0x169/0xd20 fs/btrfs/relocation.c:3678
...
BTRFS info (device loop0): balance: ended with status: -12
Oops: general protection fault, probably for non-canonical address 0xdffffc00000000cc: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000660-0x0000000000000667]
RIP: 0010:btrfs_update_reloc_root+0x362/0xa80 fs/btrfs/relocation.c:926
Call Trace:
<TASK>
commit_fs_roots+0x2ee/0x720 fs/btrfs/transaction.c:1496
btrfs_commit_transaction+0xfaf/0x3740 fs/btrfs/transaction.c:2430
del_balance_item fs/btrfs/volumes.c:3678 [inline]
reset_balance_state+0x25e/0x3c0 fs/btrfs/volumes.c:3742
btrfs_balance+0xead/0x10c0 fs/btrfs/volumes.c:4574
btrfs_ioctl_balance+0x493/0x7c0 fs/btrfs/ioctl.c:3673
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
[CAUSE]
The allocation failure happens at the start_transaction() inside
prepare_to_relocate(), and during the error handling we call
unset_reloc_control(), which makes fs_info->balance_ctl to be NULL.
Then we continue the error path cleanup in btrfs_balance() by calling
reset_balance_state() which will call del_balance_item() to fully delete
the balance item in the root tree.
However during the small window between set_reloc_contrl() and
unset_reloc_control(), we can have a subvolume tree update and created a
reloc_root for that subvolume.
Then we go into the final btrfs_commit_transaction() of
del_balance_item(), and into btrfs_update_reloc_root() inside
commit_fs_roots().
That function checks if fs_info->reloc_ctl is in the merge_reloc_tree
stage, but since fs_info->reloc_ctl is NULL, it results a NULL pointer
dereference.
[FIX]
Just add extra check on fs_info->reloc_ctl inside
btrfs_update_reloc_root(), before checking
fs_info->reloc_ctl->merge_reloc_tree.
That DEAD_RELOC_TREE handling is to prevent further modification to the
reloc tree during merge stage, but since there is no reloc_ctl at all,
we do not need to bother that.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49868", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:47:20.255256Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:52.367Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/btrfs/relocation.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "1282f001cbf56e5dd6e90a18e205a566793f4be0", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "d73d48acf36f57362df7e4f9d76568168bf5e944", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "37fee9c220b92c3b7bf22b51c51dde5364e7590b", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "d13249c0df7aab885acb149695f82c54c0822a70", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "7ad0c5868f2f0418619089513d95230c66cb7eb4", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "dc02c1440705e3451abd1c2c8114a5c1bb188e9f", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "39356ec0e319ed07627b3a0f402d0608546509e6", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "c3b47f49e83197e8dffd023ec568403bcdbb774b", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/btrfs/relocation.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix a NULL pointer dereference when failed to start a new trasacntion\n\n[BUG]\nSyzbot reported a NULL pointer dereference with the following crash:\n\n FAULT_INJECTION: forcing a failure.\n start_transaction+0x830/0x1670 fs/btrfs/transaction.c:676\n prepare_to_relocate+0x31f/0x4c0 fs/btrfs/relocation.c:3642\n relocate_block_group+0x169/0xd20 fs/btrfs/relocation.c:3678\n ...\n BTRFS info (device loop0): balance: ended with status: -12\n Oops: general protection fault, probably for non-canonical address 0xdffffc00000000cc: 0000 [#1] PREEMPT SMP KASAN NOPTI\n KASAN: null-ptr-deref in range [0x0000000000000660-0x0000000000000667]\n RIP: 0010:btrfs_update_reloc_root+0x362/0xa80 fs/btrfs/relocation.c:926\n Call Trace:\n <TASK>\n commit_fs_roots+0x2ee/0x720 fs/btrfs/transaction.c:1496\n btrfs_commit_transaction+0xfaf/0x3740 fs/btrfs/transaction.c:2430\n del_balance_item fs/btrfs/volumes.c:3678 [inline]\n reset_balance_state+0x25e/0x3c0 fs/btrfs/volumes.c:3742\n btrfs_balance+0xead/0x10c0 fs/btrfs/volumes.c:4574\n btrfs_ioctl_balance+0x493/0x7c0 fs/btrfs/ioctl.c:3673\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:907 [inline]\n __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n[CAUSE]\nThe allocation failure happens at the start_transaction() inside\nprepare_to_relocate(), and during the error handling we call\nunset_reloc_control(), which makes fs_info->balance_ctl to be NULL.\n\nThen we continue the error path cleanup in btrfs_balance() by calling\nreset_balance_state() which will call del_balance_item() to fully delete\nthe balance item in the root tree.\n\nHowever during the small window between set_reloc_contrl() and\nunset_reloc_control(), we can have a subvolume tree update and created a\nreloc_root for that subvolume.\n\nThen we go into the final btrfs_commit_transaction() of\ndel_balance_item(), and into btrfs_update_reloc_root() inside\ncommit_fs_roots().\n\nThat function checks if fs_info->reloc_ctl is in the merge_reloc_tree\nstage, but since fs_info->reloc_ctl is NULL, it results a NULL pointer\ndereference.\n\n[FIX]\nJust add extra check on fs_info->reloc_ctl inside\nbtrfs_update_reloc_root(), before checking\nfs_info->reloc_ctl->merge_reloc_tree.\n\nThat DEAD_RELOC_TREE handling is to prevent further modification to the\nreloc tree during merge stage, but since there is no reloc_ctl at all,\nwe do not need to bother that.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:27:54.412Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/1282f001cbf56e5dd6e90a18e205a566793f4be0", }, { url: "https://git.kernel.org/stable/c/d73d48acf36f57362df7e4f9d76568168bf5e944", }, { url: "https://git.kernel.org/stable/c/37fee9c220b92c3b7bf22b51c51dde5364e7590b", }, { url: "https://git.kernel.org/stable/c/d13249c0df7aab885acb149695f82c54c0822a70", }, { url: "https://git.kernel.org/stable/c/7ad0c5868f2f0418619089513d95230c66cb7eb4", }, { url: "https://git.kernel.org/stable/c/dc02c1440705e3451abd1c2c8114a5c1bb188e9f", }, { url: "https://git.kernel.org/stable/c/39356ec0e319ed07627b3a0f402d0608546509e6", }, { url: "https://git.kernel.org/stable/c/c3b47f49e83197e8dffd023ec568403bcdbb774b", }, ], title: "btrfs: fix a NULL pointer dereference when failed to start a new trasacntion", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49868", datePublished: "2024-10-21T18:01:10.722Z", dateReserved: "2024-10-21T12:17:06.019Z", dateUpdated: "2024-12-19T09:27:54.412Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47675
Vulnerability from cvelistv5
Published
2024-10-21 11:53
Modified
2024-12-19 09:25
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix use-after-free in bpf_uprobe_multi_link_attach()
If bpf_link_prime() fails, bpf_uprobe_multi_link_attach() goes to the
error_free label and frees the array of bpf_uprobe's without calling
bpf_uprobe_unregister().
This leaks bpf_uprobe->uprobe and worse, this frees bpf_uprobe->consumer
without removing it from the uprobe->consumers list.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47675", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:08:07.484678Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:14:17.530Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "kernel/trace/bpf_trace.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "790c630ab0e7d7aba6d186581d4627c09fce60f3", status: "affected", version: "89ae89f53d201143560f1e9ed4bfa62eee34f88e", versionType: "git", }, { lessThan: "7c1d782e5afbf7c50ba74ecc4ddc18a05d63e5ee", status: "affected", version: "89ae89f53d201143560f1e9ed4bfa62eee34f88e", versionType: "git", }, { lessThan: "cdf27834c3dd5d9abf7eb8e4ee87ee9e307eb25c", status: "affected", version: "89ae89f53d201143560f1e9ed4bfa62eee34f88e", versionType: "git", }, { lessThan: "5fe6e308abaea082c20fbf2aa5df8e14495622cf", status: "affected", version: "89ae89f53d201143560f1e9ed4bfa62eee34f88e", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "kernel/trace/bpf_trace.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.6", }, { lessThan: "6.6", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix use-after-free in bpf_uprobe_multi_link_attach()\n\nIf bpf_link_prime() fails, bpf_uprobe_multi_link_attach() goes to the\nerror_free label and frees the array of bpf_uprobe's without calling\nbpf_uprobe_unregister().\n\nThis leaks bpf_uprobe->uprobe and worse, this frees bpf_uprobe->consumer\nwithout removing it from the uprobe->consumers list.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:25:35.421Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/790c630ab0e7d7aba6d186581d4627c09fce60f3", }, { url: "https://git.kernel.org/stable/c/7c1d782e5afbf7c50ba74ecc4ddc18a05d63e5ee", }, { url: "https://git.kernel.org/stable/c/cdf27834c3dd5d9abf7eb8e4ee87ee9e307eb25c", }, { url: "https://git.kernel.org/stable/c/5fe6e308abaea082c20fbf2aa5df8e14495622cf", }, ], title: "bpf: Fix use-after-free in bpf_uprobe_multi_link_attach()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47675", datePublished: "2024-10-21T11:53:19.762Z", dateReserved: "2024-09-30T16:00:12.937Z", dateUpdated: "2024-12-19T09:25:35.421Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49913
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:28
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Add null check for top_pipe_to_program in commit_planes_for_stream
This commit addresses a null pointer dereference issue in the
`commit_planes_for_stream` function at line 4140. The issue could occur
when `top_pipe_to_program` is null.
The fix adds a check to ensure `top_pipe_to_program` is not null before
accessing its stream_res. This prevents a null pointer dereference.
Reported by smatch:
drivers/gpu/drm/amd/amdgpu/../display/dc/core/dc.c:4140 commit_planes_for_stream() error: we previously assumed 'top_pipe_to_program' could be null (see line 3906)
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49913", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:41:22.307822Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:45.831Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/core/dc.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "1ebfa6663807c144be8c8b6727375012409d2356", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "8ab59527852a6f7780aad6185729550ca0569122", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "40193ff73630adf76bc0d82398f7d90fb576dba4", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "e47e563c6f0db7d792a559301862c19ead0dfc2f", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "3929e382e4758aff42da0102a60d13337c99d3b8", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "73efd2a611b62fee71a7b7f27d9d08bb60da8a72", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "66d71a72539e173a9b00ca0b1852cbaa5f5bf1ad", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/core/dc.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add null check for top_pipe_to_program in commit_planes_for_stream\n\nThis commit addresses a null pointer dereference issue in the\n`commit_planes_for_stream` function at line 4140. The issue could occur\nwhen `top_pipe_to_program` is null.\n\nThe fix adds a check to ensure `top_pipe_to_program` is not null before\naccessing its stream_res. This prevents a null pointer dereference.\n\nReported by smatch:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/core/dc.c:4140 commit_planes_for_stream() error: we previously assumed 'top_pipe_to_program' could be null (see line 3906)", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:28:55.028Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/1ebfa6663807c144be8c8b6727375012409d2356", }, { url: "https://git.kernel.org/stable/c/8ab59527852a6f7780aad6185729550ca0569122", }, { url: "https://git.kernel.org/stable/c/40193ff73630adf76bc0d82398f7d90fb576dba4", }, { url: "https://git.kernel.org/stable/c/e47e563c6f0db7d792a559301862c19ead0dfc2f", }, { url: "https://git.kernel.org/stable/c/3929e382e4758aff42da0102a60d13337c99d3b8", }, { url: "https://git.kernel.org/stable/c/73efd2a611b62fee71a7b7f27d9d08bb60da8a72", }, { url: "https://git.kernel.org/stable/c/66d71a72539e173a9b00ca0b1852cbaa5f5bf1ad", }, ], title: "drm/amd/display: Add null check for top_pipe_to_program in commit_planes_for_stream", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49913", datePublished: "2024-10-21T18:01:41.551Z", dateReserved: "2024-10-21T12:17:06.028Z", dateUpdated: "2024-12-19T09:28:55.028Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48964
Vulnerability from cvelistv5
Published
2024-10-21 20:05
Modified
2024-12-19 08:11
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ravb: Fix potential use-after-free in ravb_rx_gbeth()
The skb is delivered to napi_gro_receive() which may free it, after calling this,
dereferencing skb may trigger use-after-free.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48964", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:19:59.511376Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:38.732Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/ethernet/renesas/ravb_main.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "e63c681494dcc0527c625a0a4f59bf10259f5ee0", status: "affected", version: "1c59eb678cbd8d322d06d3a5514d36e8e1a4e84c", versionType: "git", }, { lessThan: "5a5a3e564de6a8db987410c5c2f4748d50ea82b8", status: "affected", version: "1c59eb678cbd8d322d06d3a5514d36e8e1a4e84c", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/ethernet/renesas/ravb_main.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.16", }, { lessThan: "5.16", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.13", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nravb: Fix potential use-after-free in ravb_rx_gbeth()\n\nThe skb is delivered to napi_gro_receive() which may free it, after calling this,\ndereferencing skb may trigger use-after-free.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:11:28.992Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/e63c681494dcc0527c625a0a4f59bf10259f5ee0", }, { url: "https://git.kernel.org/stable/c/5a5a3e564de6a8db987410c5c2f4748d50ea82b8", }, ], title: "ravb: Fix potential use-after-free in ravb_rx_gbeth()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48964", datePublished: "2024-10-21T20:05:47.835Z", dateReserved: "2024-08-22T01:27:53.628Z", dateUpdated: "2024-12-19T08:11:28.992Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50002
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-19 09:31
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
static_call: Handle module init failure correctly in static_call_del_module()
Module insertion invokes static_call_add_module() to initialize the static
calls in a module. static_call_add_module() invokes __static_call_init(),
which allocates a struct static_call_mod to either encapsulate the built-in
static call sites of the associated key into it so further modules can be
added or to append the module to the module chain.
If that allocation fails the function returns with an error code and the
module core invokes static_call_del_module() to clean up eventually added
static_call_mod entries.
This works correctly, when all keys used by the module were converted over
to a module chain before the failure. If not then static_call_del_module()
causes a #GP as it blindly assumes that key::mods points to a valid struct
static_call_mod.
The problem is that key::mods is not a individual struct member of struct
static_call_key, it's part of a union to save space:
union {
/* bit 0: 0 = mods, 1 = sites */
unsigned long type;
struct static_call_mod *mods;
struct static_call_site *sites;
};
key::sites is a pointer to the list of built-in usage sites of the static
call. The type of the pointer is differentiated by bit 0. A mods pointer
has the bit clear, the sites pointer has the bit set.
As static_call_del_module() blidly assumes that the pointer is a valid
static_call_mod type, it fails to check for this failure case and
dereferences the pointer to the list of built-in call sites, which is
obviously bogus.
Cure it by checking whether the key has a sites or a mods pointer.
If it's a sites pointer then the key is not to be touched. As the sites are
walked in the same order as in __static_call_init() the site walk can be
terminated because all subsequent sites have not been touched by the init
code due to the error exit.
If it was converted before the allocation fail, then the inner loop which
searches for a module match will find nothing.
A fail in the second allocation in __static_call_init() is harmless and
does not require special treatment. The first allocation succeeded and
converted the key to a module chain. That first entry has mod::mod == NULL
and mod::next == NULL, so the inner loop of static_call_del_module() will
neither find a module match nor a module chain. The next site in the walk
was either already converted, but can't match the module, or it will exit
the outer loop because it has a static_call_site pointer and not a
static_call_mod pointer.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 9183c3f9ed710a8edf1a61e8a96d497258d26e08 Version: 9183c3f9ed710a8edf1a61e8a96d497258d26e08 Version: 9183c3f9ed710a8edf1a61e8a96d497258d26e08 Version: 9183c3f9ed710a8edf1a61e8a96d497258d26e08 Version: 9183c3f9ed710a8edf1a61e8a96d497258d26e08 Version: 9183c3f9ed710a8edf1a61e8a96d497258d26e08 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50002", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:29:50.299737Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:40.988Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "kernel/static_call_inline.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "ed4c8ce0f307f2ab8778aeb40a8866d171e8f128", status: "affected", version: "9183c3f9ed710a8edf1a61e8a96d497258d26e08", versionType: "git", }, { lessThan: "b566c7d8a2de403ccc9d8a06195e19bbb386d0e4", status: "affected", version: "9183c3f9ed710a8edf1a61e8a96d497258d26e08", versionType: "git", }, { lessThan: "c0abbbe8c98c077292221ec7e2baa667c9f0974c", status: "affected", version: "9183c3f9ed710a8edf1a61e8a96d497258d26e08", versionType: "git", }, { lessThan: "2b494471797bff3d257e99dc0a7abb0c5ff3b4cd", status: "affected", version: "9183c3f9ed710a8edf1a61e8a96d497258d26e08", versionType: "git", }, { lessThan: "9c48c2b53191bf991361998f5bb97b8f2fc5a89c", status: "affected", version: "9183c3f9ed710a8edf1a61e8a96d497258d26e08", versionType: "git", }, { lessThan: "4b30051c4864234ec57290c3d142db7c88f10d8a", status: "affected", version: "9183c3f9ed710a8edf1a61e8a96d497258d26e08", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "kernel/static_call_inline.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.10", }, { lessThan: "5.10", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nstatic_call: Handle module init failure correctly in static_call_del_module()\n\nModule insertion invokes static_call_add_module() to initialize the static\ncalls in a module. static_call_add_module() invokes __static_call_init(),\nwhich allocates a struct static_call_mod to either encapsulate the built-in\nstatic call sites of the associated key into it so further modules can be\nadded or to append the module to the module chain.\n\nIf that allocation fails the function returns with an error code and the\nmodule core invokes static_call_del_module() to clean up eventually added\nstatic_call_mod entries.\n\nThis works correctly, when all keys used by the module were converted over\nto a module chain before the failure. If not then static_call_del_module()\ncauses a #GP as it blindly assumes that key::mods points to a valid struct\nstatic_call_mod.\n\nThe problem is that key::mods is not a individual struct member of struct\nstatic_call_key, it's part of a union to save space:\n\n union {\n /* bit 0: 0 = mods, 1 = sites */\n unsigned long type;\n struct static_call_mod *mods;\n struct static_call_site *sites;\n\t};\n\nkey::sites is a pointer to the list of built-in usage sites of the static\ncall. The type of the pointer is differentiated by bit 0. A mods pointer\nhas the bit clear, the sites pointer has the bit set.\n\nAs static_call_del_module() blidly assumes that the pointer is a valid\nstatic_call_mod type, it fails to check for this failure case and\ndereferences the pointer to the list of built-in call sites, which is\nobviously bogus.\n\nCure it by checking whether the key has a sites or a mods pointer.\n\nIf it's a sites pointer then the key is not to be touched. As the sites are\nwalked in the same order as in __static_call_init() the site walk can be\nterminated because all subsequent sites have not been touched by the init\ncode due to the error exit.\n\nIf it was converted before the allocation fail, then the inner loop which\nsearches for a module match will find nothing.\n\nA fail in the second allocation in __static_call_init() is harmless and\ndoes not require special treatment. The first allocation succeeded and\nconverted the key to a module chain. That first entry has mod::mod == NULL\nand mod::next == NULL, so the inner loop of static_call_del_module() will\nneither find a module match nor a module chain. The next site in the walk\nwas either already converted, but can't match the module, or it will exit\nthe outer loop because it has a static_call_site pointer and not a\nstatic_call_mod pointer.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:31:03.847Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/ed4c8ce0f307f2ab8778aeb40a8866d171e8f128", }, { url: "https://git.kernel.org/stable/c/b566c7d8a2de403ccc9d8a06195e19bbb386d0e4", }, { url: "https://git.kernel.org/stable/c/c0abbbe8c98c077292221ec7e2baa667c9f0974c", }, { url: "https://git.kernel.org/stable/c/2b494471797bff3d257e99dc0a7abb0c5ff3b4cd", }, { url: "https://git.kernel.org/stable/c/9c48c2b53191bf991361998f5bb97b8f2fc5a89c", }, { url: "https://git.kernel.org/stable/c/4b30051c4864234ec57290c3d142db7c88f10d8a", }, ], title: "static_call: Handle module init failure correctly in static_call_del_module()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50002", datePublished: "2024-10-21T18:02:40.908Z", dateReserved: "2024-10-21T12:17:06.059Z", dateUpdated: "2024-12-19T09:31:03.847Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49916
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:28
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Add NULL check for clk_mgr and clk_mgr->funcs in dcn401_init_hw
This commit addresses a potential null pointer dereference issue in the
`dcn401_init_hw` function. The issue could occur when `dc->clk_mgr` or
`dc->clk_mgr->funcs` is null.
The fix adds a check to ensure `dc->clk_mgr` and `dc->clk_mgr->funcs` is
not null before accessing its functions. This prevents a potential null
pointer dereference.
Reported by smatch:
drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn401/dcn401_hwseq.c:416 dcn401_init_hw() error: we previously assumed 'dc->clk_mgr' could be null (see line 225)
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49916", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:40:59.452092Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:45.411Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "ac1c41e318074d8a9ea925787e366be15d7645e8", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "4b6377f0e96085cbec96eb7f0b282430ccdd3d75", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add NULL check for clk_mgr and clk_mgr->funcs in dcn401_init_hw\n\nThis commit addresses a potential null pointer dereference issue in the\n`dcn401_init_hw` function. The issue could occur when `dc->clk_mgr` or\n`dc->clk_mgr->funcs` is null.\n\nThe fix adds a check to ensure `dc->clk_mgr` and `dc->clk_mgr->funcs` is\nnot null before accessing its functions. This prevents a potential null\npointer dereference.\n\nReported by smatch:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn401/dcn401_hwseq.c:416 dcn401_init_hw() error: we previously assumed 'dc->clk_mgr' could be null (see line 225)", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:28:58.890Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/ac1c41e318074d8a9ea925787e366be15d7645e8", }, { url: "https://git.kernel.org/stable/c/4b6377f0e96085cbec96eb7f0b282430ccdd3d75", }, ], title: "drm/amd/display: Add NULL check for clk_mgr and clk_mgr->funcs in dcn401_init_hw", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49916", datePublished: "2024-10-21T18:01:43.547Z", dateReserved: "2024-10-21T12:17:06.033Z", dateUpdated: "2024-12-19T09:28:58.890Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49862
Vulnerability from cvelistv5
Published
2024-10-21 12:27
Modified
2024-12-19 09:27
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
powercap: intel_rapl: Fix off by one in get_rpi()
The rp->priv->rpi array is either rpi_msr or rpi_tpmi which have
NR_RAPL_PRIMITIVES number of elements. Thus the > needs to be >=
to prevent an off by one access.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49862", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T12:54:50.217091Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T12:55:35.960Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/powercap/intel_rapl_common.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "288cbc505e2046638c615c36357cb78bc9fee1e0", status: "affected", version: "98ff639a7289067247b3ef9dd5d1e922361e7365", versionType: "git", }, { lessThan: "851e7f7f14a15f4e47b7d0f70d5c4a2b95b824d6", status: "affected", version: "98ff639a7289067247b3ef9dd5d1e922361e7365", versionType: "git", }, { lessThan: "6a34f3b0d7f11fb6ed72da315fd2360abd9c0737", status: "affected", version: "98ff639a7289067247b3ef9dd5d1e922361e7365", versionType: "git", }, { lessThan: "95f6580352a7225e619551febb83595bcb77ab17", status: "affected", version: "98ff639a7289067247b3ef9dd5d1e922361e7365", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/powercap/intel_rapl_common.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.5", }, { lessThan: "6.5", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\npowercap: intel_rapl: Fix off by one in get_rpi()\n\nThe rp->priv->rpi array is either rpi_msr or rpi_tpmi which have\nNR_RAPL_PRIMITIVES number of elements. Thus the > needs to be >=\nto prevent an off by one access.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:27:47.031Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/288cbc505e2046638c615c36357cb78bc9fee1e0", }, { url: "https://git.kernel.org/stable/c/851e7f7f14a15f4e47b7d0f70d5c4a2b95b824d6", }, { url: "https://git.kernel.org/stable/c/6a34f3b0d7f11fb6ed72da315fd2360abd9c0737", }, { url: "https://git.kernel.org/stable/c/95f6580352a7225e619551febb83595bcb77ab17", }, ], title: "powercap: intel_rapl: Fix off by one in get_rpi()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49862", datePublished: "2024-10-21T12:27:19.981Z", dateReserved: "2024-10-21T12:17:06.017Z", dateUpdated: "2024-12-19T09:27:47.031Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48953
Vulnerability from cvelistv5
Published
2024-10-21 20:05
Modified
2024-12-19 08:11
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
rtc: cmos: Fix event handler registration ordering issue
Because acpi_install_fixed_event_handler() enables the event
automatically on success, it is incorrect to call it before the
handler routine passed to it is ready to handle events.
Unfortunately, the rtc-cmos driver does exactly the incorrect thing
by calling cmos_wake_setup(), which passes rtc_handler() to
acpi_install_fixed_event_handler(), before cmos_do_probe(), because
rtc_handler() uses dev_get_drvdata() to get to the cmos object
pointer and the driver data pointer is only populated in
cmos_do_probe().
This leads to a NULL pointer dereference in rtc_handler() on boot
if the RTC fixed event happens to be active at the init time.
To address this issue, change the initialization ordering of the
driver so that cmos_wake_setup() is always called after a successful
cmos_do_probe() call.
While at it, change cmos_pnp_probe() to call cmos_do_probe() after
the initial if () statement used for computing the IRQ argument to
be passed to cmos_do_probe() which is cleaner than calling it in
each branch of that if () (local variable "irq" can be of type int,
because it is passed to that function as an argument of type int).
Note that commit 6492fed7d8c9 ("rtc: rtc-cmos: Do not check
ACPI_FADT_LOW_POWER_S0") caused this issue to affect a larger number
of systems, because previously it only affected systems with
ACPI_FADT_LOW_POWER_S0 set, but it is present regardless of that
commit.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48953", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:21:22.806157Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:40.357Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/rtc/rtc-cmos.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "0bcfccb48696aba475f046c2021f0733659ce0ef", status: "affected", version: "a474aaedac99ba86e28ef6c912a7647c482db6dd", versionType: "git", }, { lessThan: "60c6e563a843032cf6ff84b2fb732cd8754fc10d", status: "affected", version: "a474aaedac99ba86e28ef6c912a7647c482db6dd", versionType: "git", }, { lessThan: "1ba745fce13d19775100eece30b0bfb8b8b10ea6", status: "affected", version: "a474aaedac99ba86e28ef6c912a7647c482db6dd", versionType: "git", }, { lessThan: "4919d3eb2ec0ee364f7e3cf2d99646c1b224fae8", status: "affected", version: "a474aaedac99ba86e28ef6c912a7647c482db6dd", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/rtc/rtc-cmos.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "2.6.28", }, { lessThan: "2.6.28", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.163", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.86", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.14", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nrtc: cmos: Fix event handler registration ordering issue\n\nBecause acpi_install_fixed_event_handler() enables the event\nautomatically on success, it is incorrect to call it before the\nhandler routine passed to it is ready to handle events.\n\nUnfortunately, the rtc-cmos driver does exactly the incorrect thing\nby calling cmos_wake_setup(), which passes rtc_handler() to\nacpi_install_fixed_event_handler(), before cmos_do_probe(), because\nrtc_handler() uses dev_get_drvdata() to get to the cmos object\npointer and the driver data pointer is only populated in\ncmos_do_probe().\n\nThis leads to a NULL pointer dereference in rtc_handler() on boot\nif the RTC fixed event happens to be active at the init time.\n\nTo address this issue, change the initialization ordering of the\ndriver so that cmos_wake_setup() is always called after a successful\ncmos_do_probe() call.\n\nWhile at it, change cmos_pnp_probe() to call cmos_do_probe() after\nthe initial if () statement used for computing the IRQ argument to\nbe passed to cmos_do_probe() which is cleaner than calling it in\neach branch of that if () (local variable \"irq\" can be of type int,\nbecause it is passed to that function as an argument of type int).\n\nNote that commit 6492fed7d8c9 (\"rtc: rtc-cmos: Do not check\nACPI_FADT_LOW_POWER_S0\") caused this issue to affect a larger number\nof systems, because previously it only affected systems with\nACPI_FADT_LOW_POWER_S0 set, but it is present regardless of that\ncommit.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:11:10.484Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/0bcfccb48696aba475f046c2021f0733659ce0ef", }, { url: "https://git.kernel.org/stable/c/60c6e563a843032cf6ff84b2fb732cd8754fc10d", }, { url: "https://git.kernel.org/stable/c/1ba745fce13d19775100eece30b0bfb8b8b10ea6", }, { url: "https://git.kernel.org/stable/c/4919d3eb2ec0ee364f7e3cf2d99646c1b224fae8", }, ], title: "rtc: cmos: Fix event handler registration ordering issue", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48953", datePublished: "2024-10-21T20:05:40.399Z", dateReserved: "2024-08-22T01:27:53.626Z", dateUpdated: "2024-12-19T08:11:10.484Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49918
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:29
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Add null check for head_pipe in dcn32_acquire_idle_pipe_for_head_pipe_in_layer
This commit addresses a potential null pointer dereference issue in the
`dcn32_acquire_idle_pipe_for_head_pipe_in_layer` function. The issue
could occur when `head_pipe` is null.
The fix adds a check to ensure `head_pipe` is not null before asserting
it. If `head_pipe` is null, the function returns NULL to prevent a
potential null pointer dereference.
Reported by smatch:
drivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn32/dcn32_resource.c:2690 dcn32_acquire_idle_pipe_for_head_pipe_in_layer() error: we previously assumed 'head_pipe' could be null (see line 2681)
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49918", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:40:44.529990Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:44.993Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/resource/dcn32/dcn32_resource.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "4f47292f488fa7041284dca1f1244116c18721f1", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "96d4c2ee18d732a248d053aae8c4a27cb1d68d1c", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "ac2140449184a26eac99585b7f69814bd3ba8f2d", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/resource/dcn32/dcn32_resource.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add null check for head_pipe in dcn32_acquire_idle_pipe_for_head_pipe_in_layer\n\nThis commit addresses a potential null pointer dereference issue in the\n`dcn32_acquire_idle_pipe_for_head_pipe_in_layer` function. The issue\ncould occur when `head_pipe` is null.\n\nThe fix adds a check to ensure `head_pipe` is not null before asserting\nit. If `head_pipe` is null, the function returns NULL to prevent a\npotential null pointer dereference.\n\nReported by smatch:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn32/dcn32_resource.c:2690 dcn32_acquire_idle_pipe_for_head_pipe_in_layer() error: we previously assumed 'head_pipe' could be null (see line 2681)", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:29:01.637Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/4f47292f488fa7041284dca1f1244116c18721f1", }, { url: "https://git.kernel.org/stable/c/96d4c2ee18d732a248d053aae8c4a27cb1d68d1c", }, { url: "https://git.kernel.org/stable/c/ac2140449184a26eac99585b7f69814bd3ba8f2d", }, ], title: "drm/amd/display: Add null check for head_pipe in dcn32_acquire_idle_pipe_for_head_pipe_in_layer", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49918", datePublished: "2024-10-21T18:01:45.036Z", dateReserved: "2024-10-21T12:17:06.034Z", dateUpdated: "2024-12-19T09:29:01.637Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50049
Vulnerability from cvelistv5
Published
2024-10-21 19:39
Modified
2024-12-19 09:32
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Check null pointer before dereferencing se
[WHAT & HOW]
se is null checked previously in the same function, indicating
it might be null; therefore, it must be checked when used again.
This fixes 1 FORWARD_NULL issue reported by Coverity.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50049", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:23:44.501100Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:43.206Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/core/dc.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "f4149eec960110ffd5bcb161075dd9f1d7773075", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "c643ef59390e49f1dfab35e8ea65f5db5e527d64", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "97a79933fb08a002ba9400d1a7a5df707ecdb896", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "65b2d49e55fe13ae56da3a7685bdccadca31134a", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "a9b4fd1946678fa0e069e442f3c5a7d3fa446fac", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "ff599ef6970ee000fa5bc38d02fa5ff5f3fc7575", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/core/dc.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.57", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.4", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check null pointer before dereferencing se\n\n[WHAT & HOW]\nse is null checked previously in the same function, indicating\nit might be null; therefore, it must be checked when used again.\n\nThis fixes 1 FORWARD_NULL issue reported by Coverity.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:32:06.052Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/f4149eec960110ffd5bcb161075dd9f1d7773075", }, { url: "https://git.kernel.org/stable/c/c643ef59390e49f1dfab35e8ea65f5db5e527d64", }, { url: "https://git.kernel.org/stable/c/97a79933fb08a002ba9400d1a7a5df707ecdb896", }, { url: "https://git.kernel.org/stable/c/65b2d49e55fe13ae56da3a7685bdccadca31134a", }, { url: "https://git.kernel.org/stable/c/a9b4fd1946678fa0e069e442f3c5a7d3fa446fac", }, { url: "https://git.kernel.org/stable/c/ff599ef6970ee000fa5bc38d02fa5ff5f3fc7575", }, ], title: "drm/amd/display: Check null pointer before dereferencing se", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50049", datePublished: "2024-10-21T19:39:45.821Z", dateReserved: "2024-10-21T12:17:06.072Z", dateUpdated: "2024-12-19T09:32:06.052Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-49017
Vulnerability from cvelistv5
Published
2024-10-21 20:06
Modified
2024-12-19 08:12
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tipc: re-fetch skb cb after tipc_msg_validate
As the call trace shows, the original skb was freed in tipc_msg_validate(),
and dereferencing the old skb cb would cause an use-after-free crash.
BUG: KASAN: use-after-free in tipc_crypto_rcv_complete+0x1835/0x2240 [tipc]
Call Trace:
<IRQ>
tipc_crypto_rcv_complete+0x1835/0x2240 [tipc]
tipc_crypto_rcv+0xd32/0x1ec0 [tipc]
tipc_rcv+0x744/0x1150 [tipc]
...
Allocated by task 47078:
kmem_cache_alloc_node+0x158/0x4d0
__alloc_skb+0x1c1/0x270
tipc_buf_acquire+0x1e/0xe0 [tipc]
tipc_msg_create+0x33/0x1c0 [tipc]
tipc_link_build_proto_msg+0x38a/0x2100 [tipc]
tipc_link_timeout+0x8b8/0xef0 [tipc]
tipc_node_timeout+0x2a1/0x960 [tipc]
call_timer_fn+0x2d/0x1c0
...
Freed by task 47078:
tipc_msg_validate+0x7b/0x440 [tipc]
tipc_crypto_rcv_complete+0x4b5/0x2240 [tipc]
tipc_crypto_rcv+0xd32/0x1ec0 [tipc]
tipc_rcv+0x744/0x1150 [tipc]
This patch fixes it by re-fetching the skb cb from the new allocated skb
after calling tipc_msg_validate().
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-49017", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:13:05.882492Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:37.715Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/tipc/crypto.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "a1ba595e35aa3afbe417ff0af353afb9f65559c0", status: "affected", version: "fc1b6d6de2208774efd2a20bf0daddb02d18b1e0", versionType: "git", }, { lessThan: "1daec0815655e110c6f206c5e777a4af8168ff58", status: "affected", version: "fc1b6d6de2208774efd2a20bf0daddb02d18b1e0", versionType: "git", }, { lessThan: "e128190adb2edfd5042105b5d1ed4553f295f5ef", status: "affected", version: "fc1b6d6de2208774efd2a20bf0daddb02d18b1e0", versionType: "git", }, { lessThan: "3067bc61fcfe3081bf4807ce65560f499e895e77", status: "affected", version: "fc1b6d6de2208774efd2a20bf0daddb02d18b1e0", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/tipc/crypto.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.5", }, { lessThan: "5.5", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.158", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.82", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.12", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: re-fetch skb cb after tipc_msg_validate\n\nAs the call trace shows, the original skb was freed in tipc_msg_validate(),\nand dereferencing the old skb cb would cause an use-after-free crash.\n\n BUG: KASAN: use-after-free in tipc_crypto_rcv_complete+0x1835/0x2240 [tipc]\n Call Trace:\n <IRQ>\n tipc_crypto_rcv_complete+0x1835/0x2240 [tipc]\n tipc_crypto_rcv+0xd32/0x1ec0 [tipc]\n tipc_rcv+0x744/0x1150 [tipc]\n ...\n Allocated by task 47078:\n kmem_cache_alloc_node+0x158/0x4d0\n __alloc_skb+0x1c1/0x270\n tipc_buf_acquire+0x1e/0xe0 [tipc]\n tipc_msg_create+0x33/0x1c0 [tipc]\n tipc_link_build_proto_msg+0x38a/0x2100 [tipc]\n tipc_link_timeout+0x8b8/0xef0 [tipc]\n tipc_node_timeout+0x2a1/0x960 [tipc]\n call_timer_fn+0x2d/0x1c0\n ...\n Freed by task 47078:\n tipc_msg_validate+0x7b/0x440 [tipc]\n tipc_crypto_rcv_complete+0x4b5/0x2240 [tipc]\n tipc_crypto_rcv+0xd32/0x1ec0 [tipc]\n tipc_rcv+0x744/0x1150 [tipc]\n\nThis patch fixes it by re-fetching the skb cb from the new allocated skb\nafter calling tipc_msg_validate().", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:12:31.241Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/a1ba595e35aa3afbe417ff0af353afb9f65559c0", }, { url: "https://git.kernel.org/stable/c/1daec0815655e110c6f206c5e777a4af8168ff58", }, { url: "https://git.kernel.org/stable/c/e128190adb2edfd5042105b5d1ed4553f295f5ef", }, { url: "https://git.kernel.org/stable/c/3067bc61fcfe3081bf4807ce65560f499e895e77", }, ], title: "tipc: re-fetch skb cb after tipc_msg_validate", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-49017", datePublished: "2024-10-21T20:06:25.971Z", dateReserved: "2024-08-22T01:27:53.646Z", dateUpdated: "2024-12-19T08:12:31.241Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49999
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-19 09:30
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
afs: Fix the setting of the server responding flag
In afs_wait_for_operation(), we set transcribe the call responded flag to
the server record that we used after doing the fileserver iteration loop -
but it's possible to exit the loop having had a response from the server
that we've discarded (e.g. it returned an abort or we started receiving
data, but the call didn't complete).
This means that op->server might be NULL, but we don't check that before
attempting to set the server flag.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49999", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:30:13.693852Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:41.400Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/afs/fs_operation.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "3d51ab44123f35dd1d646d99a15ebef10f55e263", status: "affected", version: "98f9fda2057ba34b720c4d353351024d6dcee90f", versionType: "git", }, { lessThan: "97c953572d98080c5f1486155350bb688041747a", status: "affected", version: "98f9fda2057ba34b720c4d353351024d6dcee90f", versionType: "git", }, { lessThan: "ff98751bae40faed1ba9c6a7287e84430f7dec64", status: "affected", version: "98f9fda2057ba34b720c4d353351024d6dcee90f", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/afs/fs_operation.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.8", }, { lessThan: "6.8", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nafs: Fix the setting of the server responding flag\n\nIn afs_wait_for_operation(), we set transcribe the call responded flag to\nthe server record that we used after doing the fileserver iteration loop -\nbut it's possible to exit the loop having had a response from the server\nthat we've discarded (e.g. it returned an abort or we started receiving\ndata, but the call didn't complete).\n\nThis means that op->server might be NULL, but we don't check that before\nattempting to set the server flag.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:30:59.994Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/3d51ab44123f35dd1d646d99a15ebef10f55e263", }, { url: "https://git.kernel.org/stable/c/97c953572d98080c5f1486155350bb688041747a", }, { url: "https://git.kernel.org/stable/c/ff98751bae40faed1ba9c6a7287e84430f7dec64", }, ], title: "afs: Fix the setting of the server responding flag", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49999", datePublished: "2024-10-21T18:02:38.958Z", dateReserved: "2024-10-21T12:17:06.057Z", dateUpdated: "2024-12-19T09:30:59.994Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49966
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-19 09:30
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ocfs2: cancel dqi_sync_work before freeing oinfo
ocfs2_global_read_info() will initialize and schedule dqi_sync_work at the
end, if error occurs after successfully reading global quota, it will
trigger the following warning with CONFIG_DEBUG_OBJECTS_* enabled:
ODEBUG: free active (active state 0) object: 00000000d8b0ce28 object type: timer_list hint: qsync_work_fn+0x0/0x16c
This reports that there is an active delayed work when freeing oinfo in
error handling, so cancel dqi_sync_work first. BTW, return status instead
of -1 when .read_file_info fails.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 171bf93ce11f4c9929fdce6ce63df8da2f3c4475 Version: 171bf93ce11f4c9929fdce6ce63df8da2f3c4475 Version: 171bf93ce11f4c9929fdce6ce63df8da2f3c4475 Version: 171bf93ce11f4c9929fdce6ce63df8da2f3c4475 Version: 171bf93ce11f4c9929fdce6ce63df8da2f3c4475 Version: 171bf93ce11f4c9929fdce6ce63df8da2f3c4475 Version: 171bf93ce11f4c9929fdce6ce63df8da2f3c4475 Version: 171bf93ce11f4c9929fdce6ce63df8da2f3c4475 Version: 171bf93ce11f4c9929fdce6ce63df8da2f3c4475 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49966", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:34:26.104655Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:46.962Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/ocfs2/quota_local.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "fc5cc716dfbdc5fd5f373ff3b51358174cf88bfc", status: "affected", version: "171bf93ce11f4c9929fdce6ce63df8da2f3c4475", versionType: "git", }, { lessThan: "89043e7ed63c7fc141e68ea5a79758ed24b6c699", status: "affected", version: "171bf93ce11f4c9929fdce6ce63df8da2f3c4475", versionType: "git", }, { lessThan: "14114d8148db07e7946fb06b56a50cfa425e26c7", status: "affected", version: "171bf93ce11f4c9929fdce6ce63df8da2f3c4475", versionType: "git", }, { lessThan: "4173d1277c00baeedaaca76783e98b8fd0e3c08d", status: "affected", version: "171bf93ce11f4c9929fdce6ce63df8da2f3c4475", versionType: "git", }, { lessThan: "bbf41277df8b33fbedf4750a9300c147e8f104eb", status: "affected", version: "171bf93ce11f4c9929fdce6ce63df8da2f3c4475", versionType: "git", }, { lessThan: "ef768020366f47d23f39c4f57bcb03af6d1e24b3", status: "affected", version: "171bf93ce11f4c9929fdce6ce63df8da2f3c4475", versionType: "git", }, { lessThan: "a4346c04d055bf7e184c18a73dbd23b6a9811118", status: "affected", version: "171bf93ce11f4c9929fdce6ce63df8da2f3c4475", versionType: "git", }, { lessThan: "0d707a33c84b371cb66120e198eed3374726ddd8", status: "affected", version: "171bf93ce11f4c9929fdce6ce63df8da2f3c4475", versionType: "git", }, { lessThan: "35fccce29feb3706f649726d410122dd81b92c18", status: "affected", version: "171bf93ce11f4c9929fdce6ce63df8da2f3c4475", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/ocfs2/quota_local.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "2.6.29", }, { lessThan: "2.6.29", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: cancel dqi_sync_work before freeing oinfo\n\nocfs2_global_read_info() will initialize and schedule dqi_sync_work at the\nend, if error occurs after successfully reading global quota, it will\ntrigger the following warning with CONFIG_DEBUG_OBJECTS_* enabled:\n\nODEBUG: free active (active state 0) object: 00000000d8b0ce28 object type: timer_list hint: qsync_work_fn+0x0/0x16c\n\nThis reports that there is an active delayed work when freeing oinfo in\nerror handling, so cancel dqi_sync_work first. BTW, return status instead\nof -1 when .read_file_info fails.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:30:19.862Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/fc5cc716dfbdc5fd5f373ff3b51358174cf88bfc", }, { url: "https://git.kernel.org/stable/c/89043e7ed63c7fc141e68ea5a79758ed24b6c699", }, { url: "https://git.kernel.org/stable/c/14114d8148db07e7946fb06b56a50cfa425e26c7", }, { url: "https://git.kernel.org/stable/c/4173d1277c00baeedaaca76783e98b8fd0e3c08d", }, { url: "https://git.kernel.org/stable/c/bbf41277df8b33fbedf4750a9300c147e8f104eb", }, { url: "https://git.kernel.org/stable/c/ef768020366f47d23f39c4f57bcb03af6d1e24b3", }, { url: "https://git.kernel.org/stable/c/a4346c04d055bf7e184c18a73dbd23b6a9811118", }, { url: "https://git.kernel.org/stable/c/0d707a33c84b371cb66120e198eed3374726ddd8", }, { url: "https://git.kernel.org/stable/c/35fccce29feb3706f649726d410122dd81b92c18", }, ], title: "ocfs2: cancel dqi_sync_work before freeing oinfo", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49966", datePublished: "2024-10-21T18:02:17.076Z", dateReserved: "2024-10-21T12:17:06.050Z", dateUpdated: "2024-12-19T09:30:19.862Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47739
Vulnerability from cvelistv5
Published
2024-10-21 12:14
Modified
2024-12-19 09:27
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
padata: use integer wrap around to prevent deadlock on seq_nr overflow
When submitting more than 2^32 padata objects to padata_do_serial, the
current sorting implementation incorrectly sorts padata objects with
overflowed seq_nr, causing them to be placed before existing objects in
the reorder list. This leads to a deadlock in the serialization process
as padata_find_next cannot match padata->seq_nr and pd->processed
because the padata instance with overflowed seq_nr will be selected
next.
To fix this, we use an unsigned integer wrap around to correctly sort
padata objects in scenarios with integer overflow.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: bfde23ce200e6d33291d29b9b8b60cc2f30f0805 Version: bfde23ce200e6d33291d29b9b8b60cc2f30f0805 Version: bfde23ce200e6d33291d29b9b8b60cc2f30f0805 Version: bfde23ce200e6d33291d29b9b8b60cc2f30f0805 Version: bfde23ce200e6d33291d29b9b8b60cc2f30f0805 Version: bfde23ce200e6d33291d29b9b8b60cc2f30f0805 Version: bfde23ce200e6d33291d29b9b8b60cc2f30f0805 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47739", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T12:59:27.799629Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:14.713Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "kernel/padata.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "46c4079460f4dcaf445860679558eedef4e1bc91", status: "affected", version: "bfde23ce200e6d33291d29b9b8b60cc2f30f0805", versionType: "git", }, { lessThan: "72164d5b648951684b1a593996b37a6083c61d7d", status: "affected", version: "bfde23ce200e6d33291d29b9b8b60cc2f30f0805", versionType: "git", }, { lessThan: "ab205e1c3846326f162180e56825b4ba38ce9c30", status: "affected", version: "bfde23ce200e6d33291d29b9b8b60cc2f30f0805", versionType: "git", }, { lessThan: "1b8cf11b3ca593a8802a51802cd0c28c38501428", status: "affected", version: "bfde23ce200e6d33291d29b9b8b60cc2f30f0805", versionType: "git", }, { lessThan: "9e279e6c1f012b82628b89e1b9c65dbefa8ca25a", status: "affected", version: "bfde23ce200e6d33291d29b9b8b60cc2f30f0805", versionType: "git", }, { lessThan: "1bd712de96ad7167fe0d608e706cd60587579f16", status: "affected", version: "bfde23ce200e6d33291d29b9b8b60cc2f30f0805", versionType: "git", }, { lessThan: "9a22b2812393d93d84358a760c347c21939029a6", status: "affected", version: "bfde23ce200e6d33291d29b9b8b60cc2f30f0805", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "kernel/padata.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.4", }, { lessThan: "5.4", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\npadata: use integer wrap around to prevent deadlock on seq_nr overflow\n\nWhen submitting more than 2^32 padata objects to padata_do_serial, the\ncurrent sorting implementation incorrectly sorts padata objects with\noverflowed seq_nr, causing them to be placed before existing objects in\nthe reorder list. This leads to a deadlock in the serialization process\nas padata_find_next cannot match padata->seq_nr and pd->processed\nbecause the padata instance with overflowed seq_nr will be selected\nnext.\n\nTo fix this, we use an unsigned integer wrap around to correctly sort\npadata objects in scenarios with integer overflow.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:27:08.914Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/46c4079460f4dcaf445860679558eedef4e1bc91", }, { url: "https://git.kernel.org/stable/c/72164d5b648951684b1a593996b37a6083c61d7d", }, { url: "https://git.kernel.org/stable/c/ab205e1c3846326f162180e56825b4ba38ce9c30", }, { url: "https://git.kernel.org/stable/c/1b8cf11b3ca593a8802a51802cd0c28c38501428", }, { url: "https://git.kernel.org/stable/c/9e279e6c1f012b82628b89e1b9c65dbefa8ca25a", }, { url: "https://git.kernel.org/stable/c/1bd712de96ad7167fe0d608e706cd60587579f16", }, { url: "https://git.kernel.org/stable/c/9a22b2812393d93d84358a760c347c21939029a6", }, ], title: "padata: use integer wrap around to prevent deadlock on seq_nr overflow", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47739", datePublished: "2024-10-21T12:14:08.495Z", dateReserved: "2024-09-30T16:00:12.959Z", dateUpdated: "2024-12-19T09:27:08.914Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49951
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-19 09:29
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: MGMT: Fix possible crash on mgmt_index_removed
If mgmt_index_removed is called while there are commands queued on
cmd_sync it could lead to crashes like the bellow trace:
0x0000053D: __list_del_entry_valid_or_report+0x98/0xdc
0x0000053D: mgmt_pending_remove+0x18/0x58 [bluetooth]
0x0000053E: mgmt_remove_adv_monitor_complete+0x80/0x108 [bluetooth]
0x0000053E: hci_cmd_sync_work+0xbc/0x164 [bluetooth]
So while handling mgmt_index_removed this attempts to dequeue
commands passed as user_data to cmd_sync.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 7cf5c2978f23fdbb2dd7b4e8b07e362ae2d8211c Version: 7cf5c2978f23fdbb2dd7b4e8b07e362ae2d8211c Version: 7cf5c2978f23fdbb2dd7b4e8b07e362ae2d8211c Version: 7cf5c2978f23fdbb2dd7b4e8b07e362ae2d8211c Version: 7cf5c2978f23fdbb2dd7b4e8b07e362ae2d8211c |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49951", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:36:23.779720Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:49.118Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/bluetooth/mgmt.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "19b40ca62607cef78369549d1af091f2fd558931", status: "affected", version: "7cf5c2978f23fdbb2dd7b4e8b07e362ae2d8211c", versionType: "git", }, { lessThan: "4883296505aa7e4863c6869b689afb6005633b23", status: "affected", version: "7cf5c2978f23fdbb2dd7b4e8b07e362ae2d8211c", versionType: "git", }, { lessThan: "0cc47233af35fb5f10b5e6a027cb4ccd480caf9a", status: "affected", version: "7cf5c2978f23fdbb2dd7b4e8b07e362ae2d8211c", versionType: "git", }, { lessThan: "8c3f7943a29145d8a2d8e24893762f7673323eae", status: "affected", version: "7cf5c2978f23fdbb2dd7b4e8b07e362ae2d8211c", versionType: "git", }, { lessThan: "f53e1c9c726d83092167f2226f32bd3b73f26c21", status: "affected", version: "7cf5c2978f23fdbb2dd7b4e8b07e362ae2d8211c", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/bluetooth/mgmt.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.0", }, { lessThan: "6.0", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.120", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Fix possible crash on mgmt_index_removed\n\nIf mgmt_index_removed is called while there are commands queued on\ncmd_sync it could lead to crashes like the bellow trace:\n\n0x0000053D: __list_del_entry_valid_or_report+0x98/0xdc\n0x0000053D: mgmt_pending_remove+0x18/0x58 [bluetooth]\n0x0000053E: mgmt_remove_adv_monitor_complete+0x80/0x108 [bluetooth]\n0x0000053E: hci_cmd_sync_work+0xbc/0x164 [bluetooth]\n\nSo while handling mgmt_index_removed this attempts to dequeue\ncommands passed as user_data to cmd_sync.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:29:59.321Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/19b40ca62607cef78369549d1af091f2fd558931", }, { url: "https://git.kernel.org/stable/c/4883296505aa7e4863c6869b689afb6005633b23", }, { url: "https://git.kernel.org/stable/c/0cc47233af35fb5f10b5e6a027cb4ccd480caf9a", }, { url: "https://git.kernel.org/stable/c/8c3f7943a29145d8a2d8e24893762f7673323eae", }, { url: "https://git.kernel.org/stable/c/f53e1c9c726d83092167f2226f32bd3b73f26c21", }, ], title: "Bluetooth: MGMT: Fix possible crash on mgmt_index_removed", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49951", datePublished: "2024-10-21T18:02:07.055Z", dateReserved: "2024-10-21T12:17:06.046Z", dateUpdated: "2024-12-19T09:29:59.321Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49891
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:28
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: lpfc: Validate hdwq pointers before dereferencing in reset/errata paths
When the HBA is undergoing a reset or is handling an errata event, NULL ptr
dereference crashes may occur in routines such as
lpfc_sli_flush_io_rings(), lpfc_dev_loss_tmo_callbk(), or
lpfc_abort_handler().
Add NULL ptr checks before dereferencing hdwq pointers that may have been
freed due to operations colliding with a reset or errata event handler.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49891", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:44:17.771940Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:49.078Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/scsi/lpfc/lpfc_hbadisc.c", "drivers/scsi/lpfc/lpfc_scsi.c", "drivers/scsi/lpfc/lpfc_sli.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "5873aa7f814754085d418848b2089ef406a02dd0", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "232a138bd843d48cb2368f604646d990db7640f3", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "99a801e2fca39a6f31e543fc3383058a8955896f", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "fd665c8dbdb19548965b0ae80c490de00e906366", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "2be1d4f11944cd6283cb97268b3e17c4424945ca", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/scsi/lpfc/lpfc_hbadisc.c", "drivers/scsi/lpfc/lpfc_scsi.c", "drivers/scsi/lpfc/lpfc_sli.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.120", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.64", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Validate hdwq pointers before dereferencing in reset/errata paths\n\nWhen the HBA is undergoing a reset or is handling an errata event, NULL ptr\ndereference crashes may occur in routines such as\nlpfc_sli_flush_io_rings(), lpfc_dev_loss_tmo_callbk(), or\nlpfc_abort_handler().\n\nAdd NULL ptr checks before dereferencing hdwq pointers that may have been\nfreed due to operations colliding with a reset or errata event handler.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:28:28.712Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/5873aa7f814754085d418848b2089ef406a02dd0", }, { url: "https://git.kernel.org/stable/c/232a138bd843d48cb2368f604646d990db7640f3", }, { url: "https://git.kernel.org/stable/c/99a801e2fca39a6f31e543fc3383058a8955896f", }, { url: "https://git.kernel.org/stable/c/fd665c8dbdb19548965b0ae80c490de00e906366", }, { url: "https://git.kernel.org/stable/c/2be1d4f11944cd6283cb97268b3e17c4424945ca", }, ], title: "scsi: lpfc: Validate hdwq pointers before dereferencing in reset/errata paths", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49891", datePublished: "2024-10-21T18:01:26.314Z", dateReserved: "2024-10-21T12:17:06.025Z", dateUpdated: "2024-12-19T09:28:28.712Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-49033
Vulnerability from cvelistv5
Published
2024-10-21 20:06
Modified
2024-12-19 08:12
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: qgroup: fix sleep from invalid context bug in btrfs_qgroup_inherit()
Syzkaller reported BUG as follows:
BUG: sleeping function called from invalid context at
include/linux/sched/mm.h:274
Call Trace:
<TASK>
dump_stack_lvl+0xcd/0x134
__might_resched.cold+0x222/0x26b
kmem_cache_alloc+0x2e7/0x3c0
update_qgroup_limit_item+0xe1/0x390
btrfs_qgroup_inherit+0x147b/0x1ee0
create_subvol+0x4eb/0x1710
btrfs_mksubvol+0xfe5/0x13f0
__btrfs_ioctl_snap_create+0x2b0/0x430
btrfs_ioctl_snap_create_v2+0x25a/0x520
btrfs_ioctl+0x2a1c/0x5ce0
__x64_sys_ioctl+0x193/0x200
do_syscall_64+0x35/0x80
Fix this by calling qgroup_dirty() on @dstqgroup, and update limit item in
btrfs_run_qgroups() later outside of the spinlock context.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-49033", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:10:58.830375Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:35.433Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/btrfs/qgroup.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "89840b12c8fad7200eb6478525c13261512c01be", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "3c98e91be6aea4c7acf09da6eb0c107ea9186bb5", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "f4b930a1602b05e77fee31f9616599b25e910a86", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "8eb912af525042a7365295eb62f6d5270c2a6462", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "01d7c41eac9129fba80d8aed0060caab4a7dbe09", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "044da1a371a0da579e805e89c96865f62d8f6f69", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "588ae4fdd8b11788a797776b10d6c44ae12bc133", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "f7e942b5bb35d8e3af54053d19a6bf04143a3955", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/btrfs/qgroup.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "4.9.*", status: "unaffected", version: "4.9.335", versionType: "semver", }, { lessThanOrEqual: "4.14.*", status: "unaffected", version: "4.14.301", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.268", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.226", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.158", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.82", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.12", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: qgroup: fix sleep from invalid context bug in btrfs_qgroup_inherit()\n\nSyzkaller reported BUG as follows:\n\n BUG: sleeping function called from invalid context at\n include/linux/sched/mm.h:274\n Call Trace:\n <TASK>\n dump_stack_lvl+0xcd/0x134\n __might_resched.cold+0x222/0x26b\n kmem_cache_alloc+0x2e7/0x3c0\n update_qgroup_limit_item+0xe1/0x390\n btrfs_qgroup_inherit+0x147b/0x1ee0\n create_subvol+0x4eb/0x1710\n btrfs_mksubvol+0xfe5/0x13f0\n __btrfs_ioctl_snap_create+0x2b0/0x430\n btrfs_ioctl_snap_create_v2+0x25a/0x520\n btrfs_ioctl+0x2a1c/0x5ce0\n __x64_sys_ioctl+0x193/0x200\n do_syscall_64+0x35/0x80\n\nFix this by calling qgroup_dirty() on @dstqgroup, and update limit item in\nbtrfs_run_qgroups() later outside of the spinlock context.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:12:49.932Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/89840b12c8fad7200eb6478525c13261512c01be", }, { url: "https://git.kernel.org/stable/c/3c98e91be6aea4c7acf09da6eb0c107ea9186bb5", }, { url: "https://git.kernel.org/stable/c/f4b930a1602b05e77fee31f9616599b25e910a86", }, { url: "https://git.kernel.org/stable/c/8eb912af525042a7365295eb62f6d5270c2a6462", }, { url: "https://git.kernel.org/stable/c/01d7c41eac9129fba80d8aed0060caab4a7dbe09", }, { url: "https://git.kernel.org/stable/c/044da1a371a0da579e805e89c96865f62d8f6f69", }, { url: "https://git.kernel.org/stable/c/588ae4fdd8b11788a797776b10d6c44ae12bc133", }, { url: "https://git.kernel.org/stable/c/f7e942b5bb35d8e3af54053d19a6bf04143a3955", }, ], title: "btrfs: qgroup: fix sleep from invalid context bug in btrfs_qgroup_inherit()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-49033", datePublished: "2024-10-21T20:06:36.566Z", dateReserved: "2024-08-22T01:27:53.653Z", dateUpdated: "2024-12-19T08:12:49.932Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-52917
Vulnerability from cvelistv5
Published
2024-10-21 12:13
Modified
2024-12-19 08:28
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ntb: intel: Fix the NULL vs IS_ERR() bug for debugfs_create_dir()
The debugfs_create_dir() function returns error pointers.
It never returns NULL. So use IS_ERR() to check it.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: e26a5843f7f5014ae4460030ca4de029a3ac35d3 Version: e26a5843f7f5014ae4460030ca4de029a3ac35d3 Version: e26a5843f7f5014ae4460030ca4de029a3ac35d3 Version: e26a5843f7f5014ae4460030ca4de029a3ac35d3 Version: e26a5843f7f5014ae4460030ca4de029a3ac35d3 Version: e26a5843f7f5014ae4460030ca4de029a3ac35d3 Version: e26a5843f7f5014ae4460030ca4de029a3ac35d3 Version: e26a5843f7f5014ae4460030ca4de029a3ac35d3 Version: e26a5843f7f5014ae4460030ca4de029a3ac35d3 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2023-52917", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:01:52.905632Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:17.343Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/ntb/hw/intel/ntb_hw_gen1.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "20cbc281033ef5324f67f2d54bc539968f937255", status: "affected", version: "e26a5843f7f5014ae4460030ca4de029a3ac35d3", versionType: "git", }, { lessThan: "4b2fbba4e44630a59b09d32627b63c4ffdf70f78", status: "affected", version: "e26a5843f7f5014ae4460030ca4de029a3ac35d3", versionType: "git", }, { lessThan: "ef7e34237e2612b116a84c9640628a6f7a0d693e", status: "affected", version: "e26a5843f7f5014ae4460030ca4de029a3ac35d3", versionType: "git", }, { lessThan: "a429158f2e0a7a03eb67fd5e204e1f6735c725aa", status: "affected", version: "e26a5843f7f5014ae4460030ca4de029a3ac35d3", versionType: "git", }, { lessThan: "7cbd6d7fb9ba2be03978809c848e2e50eaeead2c", status: "affected", version: "e26a5843f7f5014ae4460030ca4de029a3ac35d3", versionType: "git", }, { lessThan: "16e5bed6c1883b19f9fcbdff996aa3381954d5f3", status: "affected", version: "e26a5843f7f5014ae4460030ca4de029a3ac35d3", versionType: "git", }, { lessThan: "b66bf833e72a1e23d7ccafc0f8f74e80f8c357b5", status: "affected", version: "e26a5843f7f5014ae4460030ca4de029a3ac35d3", versionType: "git", }, { lessThan: "babba8595d1e5d57313a6187f3e51aceacc6881a", status: "affected", version: "e26a5843f7f5014ae4460030ca4de029a3ac35d3", versionType: "git", }, { lessThan: "e229897d373a87ee09ec5cc4ecd4bb2f895fc16b", status: "affected", version: "e26a5843f7f5014ae4460030ca4de029a3ac35d3", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/ntb/hw/intel/ntb_hw_gen1.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "4.2", }, { lessThan: "4.2", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nntb: intel: Fix the NULL vs IS_ERR() bug for debugfs_create_dir()\n\nThe debugfs_create_dir() function returns error pointers.\nIt never returns NULL. So use IS_ERR() to check it.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:28:31.352Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/20cbc281033ef5324f67f2d54bc539968f937255", }, { url: "https://git.kernel.org/stable/c/4b2fbba4e44630a59b09d32627b63c4ffdf70f78", }, { url: "https://git.kernel.org/stable/c/ef7e34237e2612b116a84c9640628a6f7a0d693e", }, { url: "https://git.kernel.org/stable/c/a429158f2e0a7a03eb67fd5e204e1f6735c725aa", }, { url: "https://git.kernel.org/stable/c/7cbd6d7fb9ba2be03978809c848e2e50eaeead2c", }, { url: "https://git.kernel.org/stable/c/16e5bed6c1883b19f9fcbdff996aa3381954d5f3", }, { url: "https://git.kernel.org/stable/c/b66bf833e72a1e23d7ccafc0f8f74e80f8c357b5", }, { url: "https://git.kernel.org/stable/c/babba8595d1e5d57313a6187f3e51aceacc6881a", }, { url: "https://git.kernel.org/stable/c/e229897d373a87ee09ec5cc4ecd4bb2f895fc16b", }, ], title: "ntb: intel: Fix the NULL vs IS_ERR() bug for debugfs_create_dir()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2023-52917", datePublished: "2024-10-21T12:13:56.253Z", dateReserved: "2024-08-21T06:07:11.017Z", dateUpdated: "2024-12-19T08:28:31.352Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50037
Vulnerability from cvelistv5
Published
2024-10-21 19:39
Modified
2024-12-19 09:31
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/fbdev-dma: Only cleanup deferred I/O if necessary
Commit 5a498d4d06d6 ("drm/fbdev-dma: Only install deferred I/O if
necessary") initializes deferred I/O only if it is used.
drm_fbdev_dma_fb_destroy() however calls fb_deferred_io_cleanup()
unconditionally with struct fb_info.fbdefio == NULL. KASAN with the
out-of-tree Apple silicon display driver posts following warning from
__flush_work() of a random struct work_struct instead of the expected
NULL pointer derefs.
[ 22.053799] ------------[ cut here ]------------
[ 22.054832] WARNING: CPU: 2 PID: 1 at kernel/workqueue.c:4177 __flush_work+0x4d8/0x580
[ 22.056597] Modules linked in: uhid bnep uinput nls_ascii ip6_tables ip_tables i2c_dev loop fuse dm_multipath nfnetlink zram hid_magicmouse btrfs xor xor_neon brcmfmac_wcc raid6_pq hci_bcm4377 bluetooth brcmfmac hid_apple brcmutil nvmem_spmi_mfd simple_mfd_spmi dockchannel_hid cfg80211 joydev regmap_spmi nvme_apple ecdh_generic ecc macsmc_hid rfkill dwc3 appledrm snd_soc_macaudio macsmc_power nvme_core apple_isp phy_apple_atc apple_sart apple_rtkit_helper apple_dockchannel tps6598x macsmc_hwmon snd_soc_cs42l84 videobuf2_v4l2 spmi_apple_controller nvmem_apple_efuses videobuf2_dma_sg apple_z2 videobuf2_memops spi_nor panel_summit videobuf2_common asahi videodev pwm_apple apple_dcp snd_soc_apple_mca apple_admac spi_apple clk_apple_nco i2c_pasemi_platform snd_pcm_dmaengine mc i2c_pasemi_core mux_core ofpart adpdrm drm_dma_helper apple_dart apple_soc_cpufreq leds_pwm phram
[ 22.073768] CPU: 2 UID: 0 PID: 1 Comm: systemd-shutdow Not tainted 6.11.2-asahi+ #asahi-dev
[ 22.075612] Hardware name: Apple MacBook Pro (13-inch, M2, 2022) (DT)
[ 22.077032] pstate: 01400005 (nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[ 22.078567] pc : __flush_work+0x4d8/0x580
[ 22.079471] lr : __flush_work+0x54/0x580
[ 22.080345] sp : ffffc000836ef820
[ 22.081089] x29: ffffc000836ef880 x28: 0000000000000000 x27: ffff80002ddb7128
[ 22.082678] x26: dfffc00000000000 x25: 1ffff000096f0c57 x24: ffffc00082d3e358
[ 22.084263] x23: ffff80004b7862b8 x22: dfffc00000000000 x21: ffff80005aa1d470
[ 22.085855] x20: ffff80004b786000 x19: ffff80004b7862a0 x18: 0000000000000000
[ 22.087439] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000005
[ 22.089030] x14: 1ffff800106ddf0a x13: 0000000000000000 x12: 0000000000000000
[ 22.090618] x11: ffffb800106ddf0f x10: dfffc00000000000 x9 : 1ffff800106ddf0e
[ 22.092206] x8 : 0000000000000000 x7 : aaaaaaaaaaaaaaaa x6 : 0000000000000001
[ 22.093790] x5 : ffffc000836ef728 x4 : 0000000000000000 x3 : 0000000000000020
[ 22.095368] x2 : 0000000000000008 x1 : 00000000000000aa x0 : 0000000000000000
[ 22.096955] Call trace:
[ 22.097505] __flush_work+0x4d8/0x580
[ 22.098330] flush_delayed_work+0x80/0xb8
[ 22.099231] fb_deferred_io_cleanup+0x3c/0x130
[ 22.100217] drm_fbdev_dma_fb_destroy+0x6c/0xe0 [drm_dma_helper]
[ 22.101559] unregister_framebuffer+0x210/0x2f0
[ 22.102575] drm_fb_helper_unregister_info+0x48/0x60
[ 22.103683] drm_fbdev_dma_client_unregister+0x4c/0x80 [drm_dma_helper]
[ 22.105147] drm_client_dev_unregister+0x1cc/0x230
[ 22.106217] drm_dev_unregister+0x58/0x570
[ 22.107125] apple_drm_unbind+0x50/0x98 [appledrm]
[ 22.108199] component_del+0x1f8/0x3a8
[ 22.109042] dcp_platform_shutdown+0x24/0x38 [apple_dcp]
[ 22.110357] platform_shutdown+0x70/0x90
[ 22.111219] device_shutdown+0x368/0x4d8
[ 22.112095] kernel_restart+0x6c/0x1d0
[ 22.112946] __arm64_sys_reboot+0x1c8/0x328
[ 22.113868] invoke_syscall+0x78/0x1a8
[ 22.114703] do_el0_svc+0x124/0x1a0
[ 22.115498] el0_svc+0x3c/0xe0
[ 22.116181] el0t_64_sync_handler+0x70/0xc0
[ 22.117110] el0t_64_sync+0x190/0x198
[ 22.117931] ---[ end trace 0000000000000000 ]---
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50037", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:25:17.714484Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:44.766Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/drm_fbdev_dma.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "5a4a8ea14c54c651ec532a480bd560d0c6e52f3d", status: "affected", version: "5a498d4d06d6d9bad76d8a50a7f8fe01670ad46f", versionType: "git", }, { lessThan: "fcddc71ec7ecf15b4df3c41288c9cf0b8e886111", status: "affected", version: "5a498d4d06d6d9bad76d8a50a7f8fe01670ad46f", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/drm_fbdev_dma.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.11", }, { lessThan: "6.11", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.4", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/fbdev-dma: Only cleanup deferred I/O if necessary\n\nCommit 5a498d4d06d6 (\"drm/fbdev-dma: Only install deferred I/O if\nnecessary\") initializes deferred I/O only if it is used.\ndrm_fbdev_dma_fb_destroy() however calls fb_deferred_io_cleanup()\nunconditionally with struct fb_info.fbdefio == NULL. KASAN with the\nout-of-tree Apple silicon display driver posts following warning from\n__flush_work() of a random struct work_struct instead of the expected\nNULL pointer derefs.\n\n[ 22.053799] ------------[ cut here ]------------\n[ 22.054832] WARNING: CPU: 2 PID: 1 at kernel/workqueue.c:4177 __flush_work+0x4d8/0x580\n[ 22.056597] Modules linked in: uhid bnep uinput nls_ascii ip6_tables ip_tables i2c_dev loop fuse dm_multipath nfnetlink zram hid_magicmouse btrfs xor xor_neon brcmfmac_wcc raid6_pq hci_bcm4377 bluetooth brcmfmac hid_apple brcmutil nvmem_spmi_mfd simple_mfd_spmi dockchannel_hid cfg80211 joydev regmap_spmi nvme_apple ecdh_generic ecc macsmc_hid rfkill dwc3 appledrm snd_soc_macaudio macsmc_power nvme_core apple_isp phy_apple_atc apple_sart apple_rtkit_helper apple_dockchannel tps6598x macsmc_hwmon snd_soc_cs42l84 videobuf2_v4l2 spmi_apple_controller nvmem_apple_efuses videobuf2_dma_sg apple_z2 videobuf2_memops spi_nor panel_summit videobuf2_common asahi videodev pwm_apple apple_dcp snd_soc_apple_mca apple_admac spi_apple clk_apple_nco i2c_pasemi_platform snd_pcm_dmaengine mc i2c_pasemi_core mux_core ofpart adpdrm drm_dma_helper apple_dart apple_soc_cpufreq leds_pwm phram\n[ 22.073768] CPU: 2 UID: 0 PID: 1 Comm: systemd-shutdow Not tainted 6.11.2-asahi+ #asahi-dev\n[ 22.075612] Hardware name: Apple MacBook Pro (13-inch, M2, 2022) (DT)\n[ 22.077032] pstate: 01400005 (nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[ 22.078567] pc : __flush_work+0x4d8/0x580\n[ 22.079471] lr : __flush_work+0x54/0x580\n[ 22.080345] sp : ffffc000836ef820\n[ 22.081089] x29: ffffc000836ef880 x28: 0000000000000000 x27: ffff80002ddb7128\n[ 22.082678] x26: dfffc00000000000 x25: 1ffff000096f0c57 x24: ffffc00082d3e358\n[ 22.084263] x23: ffff80004b7862b8 x22: dfffc00000000000 x21: ffff80005aa1d470\n[ 22.085855] x20: ffff80004b786000 x19: ffff80004b7862a0 x18: 0000000000000000\n[ 22.087439] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000005\n[ 22.089030] x14: 1ffff800106ddf0a x13: 0000000000000000 x12: 0000000000000000\n[ 22.090618] x11: ffffb800106ddf0f x10: dfffc00000000000 x9 : 1ffff800106ddf0e\n[ 22.092206] x8 : 0000000000000000 x7 : aaaaaaaaaaaaaaaa x6 : 0000000000000001\n[ 22.093790] x5 : ffffc000836ef728 x4 : 0000000000000000 x3 : 0000000000000020\n[ 22.095368] x2 : 0000000000000008 x1 : 00000000000000aa x0 : 0000000000000000\n[ 22.096955] Call trace:\n[ 22.097505] __flush_work+0x4d8/0x580\n[ 22.098330] flush_delayed_work+0x80/0xb8\n[ 22.099231] fb_deferred_io_cleanup+0x3c/0x130\n[ 22.100217] drm_fbdev_dma_fb_destroy+0x6c/0xe0 [drm_dma_helper]\n[ 22.101559] unregister_framebuffer+0x210/0x2f0\n[ 22.102575] drm_fb_helper_unregister_info+0x48/0x60\n[ 22.103683] drm_fbdev_dma_client_unregister+0x4c/0x80 [drm_dma_helper]\n[ 22.105147] drm_client_dev_unregister+0x1cc/0x230\n[ 22.106217] drm_dev_unregister+0x58/0x570\n[ 22.107125] apple_drm_unbind+0x50/0x98 [appledrm]\n[ 22.108199] component_del+0x1f8/0x3a8\n[ 22.109042] dcp_platform_shutdown+0x24/0x38 [apple_dcp]\n[ 22.110357] platform_shutdown+0x70/0x90\n[ 22.111219] device_shutdown+0x368/0x4d8\n[ 22.112095] kernel_restart+0x6c/0x1d0\n[ 22.112946] __arm64_sys_reboot+0x1c8/0x328\n[ 22.113868] invoke_syscall+0x78/0x1a8\n[ 22.114703] do_el0_svc+0x124/0x1a0\n[ 22.115498] el0_svc+0x3c/0xe0\n[ 22.116181] el0t_64_sync_handler+0x70/0xc0\n[ 22.117110] el0t_64_sync+0x190/0x198\n[ 22.117931] ---[ end trace 0000000000000000 ]---", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:31:51.157Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/5a4a8ea14c54c651ec532a480bd560d0c6e52f3d", }, { url: "https://git.kernel.org/stable/c/fcddc71ec7ecf15b4df3c41288c9cf0b8e886111", }, ], title: "drm/fbdev-dma: Only cleanup deferred I/O if necessary", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50037", datePublished: "2024-10-21T19:39:37.787Z", dateReserved: "2024-10-21T12:17:06.070Z", dateUpdated: "2024-12-19T09:31:51.157Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48961
Vulnerability from cvelistv5
Published
2024-10-21 20:05
Modified
2024-12-19 08:11
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: mdio: fix unbalanced fwnode reference count in mdio_device_release()
There is warning report about of_node refcount leak
while probing mdio device:
OF: ERROR: memory leak, expected refcount 1 instead of 2,
of_node_get()/of_node_put() unbalanced - destroy cset entry:
attach overlay node /spi/soc@0/mdio@710700c0/ethernet@4
In of_mdiobus_register_device(), we increase fwnode refcount
by fwnode_handle_get() before associating the of_node with
mdio device, but it has never been decreased in normal path.
Since that, in mdio_device_release(), it needs to call
fwnode_handle_put() in addition instead of calling kfree()
directly.
After above, just calling mdio_device_free() in the error handle
path of of_mdiobus_register_device() is enough to keep the
refcount balanced.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48961", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:20:22.871299Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:39.139Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/mdio/of_mdio.c", "drivers/net/phy/mdio_device.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "16854177745a5648f8ec322353b432e18460f43a", status: "affected", version: "a9049e0c513c4521dbfaa302af8ed08b3366b41f", versionType: "git", }, { lessThan: "a5c6de1a6656b8cc6bce7cb3d9874dd7df4968c3", status: "affected", version: "a9049e0c513c4521dbfaa302af8ed08b3366b41f", versionType: "git", }, { lessThan: "cb37617687f2bfa5b675df7779f869147c9002bd", status: "affected", version: "a9049e0c513c4521dbfaa302af8ed08b3366b41f", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/mdio/of_mdio.c", "drivers/net/phy/mdio_device.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "4.5", }, { lessThan: "4.5", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.83", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.13", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mdio: fix unbalanced fwnode reference count in mdio_device_release()\n\nThere is warning report about of_node refcount leak\nwhile probing mdio device:\n\nOF: ERROR: memory leak, expected refcount 1 instead of 2,\nof_node_get()/of_node_put() unbalanced - destroy cset entry:\nattach overlay node /spi/soc@0/mdio@710700c0/ethernet@4\n\nIn of_mdiobus_register_device(), we increase fwnode refcount\nby fwnode_handle_get() before associating the of_node with\nmdio device, but it has never been decreased in normal path.\nSince that, in mdio_device_release(), it needs to call\nfwnode_handle_put() in addition instead of calling kfree()\ndirectly.\n\nAfter above, just calling mdio_device_free() in the error handle\npath of of_mdiobus_register_device() is enough to keep the\nrefcount balanced.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:11:25.152Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/16854177745a5648f8ec322353b432e18460f43a", }, { url: "https://git.kernel.org/stable/c/a5c6de1a6656b8cc6bce7cb3d9874dd7df4968c3", }, { url: "https://git.kernel.org/stable/c/cb37617687f2bfa5b675df7779f869147c9002bd", }, ], title: "net: mdio: fix unbalanced fwnode reference count in mdio_device_release()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48961", datePublished: "2024-10-21T20:05:45.849Z", dateReserved: "2024-08-22T01:27:53.628Z", dateUpdated: "2024-12-19T08:11:25.152Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-49016
Vulnerability from cvelistv5
Published
2024-10-21 20:06
Modified
2024-12-19 08:12
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: mdiobus: fix unbalanced node reference count
I got the following report while doing device(mscc-miim) load test
with CONFIG_OF_UNITTEST and CONFIG_OF_DYNAMIC enabled:
OF: ERROR: memory leak, expected refcount 1 instead of 2,
of_node_get()/of_node_put() unbalanced - destroy cset entry:
attach overlay node /spi/soc@0/mdio@7107009c/ethernet-phy@0
If the 'fwnode' is not an acpi node, the refcount is get in
fwnode_mdiobus_phy_device_register(), but it has never been
put when the device is freed in the normal path. So call
fwnode_handle_put() in phy_device_release() to avoid leak.
If it's an acpi node, it has never been get, but it's put
in the error path, so call fwnode_handle_get() before
phy_device_register() to keep get/put operation balanced.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-49016", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:13:13.450914Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:37.857Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/mdio/fwnode_mdio.c", "drivers/net/phy/phy_device.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "543d917f691ab06885ee779c862065899eaa4251", status: "affected", version: "bc1bee3b87ee48bd97ef7fd306445132ba2041b0", versionType: "git", }, { lessThan: "2708b357440427d6a9fee667eb7b8307f4625adc", status: "affected", version: "bc1bee3b87ee48bd97ef7fd306445132ba2041b0", versionType: "git", }, { lessThan: "cdde1560118f82498fc9e9a7c1ef7f0ef7755891", status: "affected", version: "bc1bee3b87ee48bd97ef7fd306445132ba2041b0", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/mdio/fwnode_mdio.c", "drivers/net/phy/phy_device.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.14", }, { lessThan: "5.14", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.82", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.12", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mdiobus: fix unbalanced node reference count\n\nI got the following report while doing device(mscc-miim) load test\nwith CONFIG_OF_UNITTEST and CONFIG_OF_DYNAMIC enabled:\n\n OF: ERROR: memory leak, expected refcount 1 instead of 2,\n of_node_get()/of_node_put() unbalanced - destroy cset entry:\n attach overlay node /spi/soc@0/mdio@7107009c/ethernet-phy@0\n\nIf the 'fwnode' is not an acpi node, the refcount is get in\nfwnode_mdiobus_phy_device_register(), but it has never been\nput when the device is freed in the normal path. So call\nfwnode_handle_put() in phy_device_release() to avoid leak.\n\nIf it's an acpi node, it has never been get, but it's put\nin the error path, so call fwnode_handle_get() before\nphy_device_register() to keep get/put operation balanced.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:12:30.056Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/543d917f691ab06885ee779c862065899eaa4251", }, { url: "https://git.kernel.org/stable/c/2708b357440427d6a9fee667eb7b8307f4625adc", }, { url: "https://git.kernel.org/stable/c/cdde1560118f82498fc9e9a7c1ef7f0ef7755891", }, ], title: "net: mdiobus: fix unbalanced node reference count", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-49016", datePublished: "2024-10-21T20:06:25.294Z", dateReserved: "2024-08-22T01:27:53.645Z", dateUpdated: "2024-12-19T08:12:30.056Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49974
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-19 09:30
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFSD: Limit the number of concurrent async COPY operations
Nothing appears to limit the number of concurrent async COPY
operations that clients can start. In addition, AFAICT each async
COPY can copy an unlimited number of 4MB chunks, so can run for a
long time. Thus IMO async COPY can become a DoS vector.
Add a restriction mechanism that bounds the number of concurrent
background COPY operations. Start simple and try to be fair -- this
patch implements a per-namespace limit.
An async COPY request that occurs while this limit is exceeded gets
NFS4ERR_DELAY. The requesting client can choose to send the request
again after a delay or fall back to a traditional read/write style
copy.
If there is need to make the mechanism more sophisticated, we can
visit that in future patches.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49974", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:33:23.238318Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:45.719Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/nfsd/netns.h", "fs/nfsd/nfs4proc.c", "fs/nfsd/nfs4state.c", "fs/nfsd/xdr4.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "9e52ff544e0bfa09ee339fd7b0937ee3c080c24e", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "43e46ee5efc03990b223f7aa8b77aa9c3d3acfdf", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "7ea9260874b779637aff6d24c344b8ef4ac862a0", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "ae267989b7b7933dfedcd26468d0a88fc3a9da9e", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "b4e21431a0db4854b5023cd5af001be557e6c3db", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "6a488ad7745b8f64625c6d3a24ce7e448e83f11b", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "aadc3bbea163b6caaaebfdd2b6c4667fbc726752", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/nfsd/netns.h", "fs/nfsd/nfs4proc.c", "fs/nfsd/nfs4state.c", "fs/nfsd/xdr4.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.231", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.174", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.119", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.63", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Limit the number of concurrent async COPY operations\n\nNothing appears to limit the number of concurrent async COPY\noperations that clients can start. In addition, AFAICT each async\nCOPY can copy an unlimited number of 4MB chunks, so can run for a\nlong time. Thus IMO async COPY can become a DoS vector.\n\nAdd a restriction mechanism that bounds the number of concurrent\nbackground COPY operations. Start simple and try to be fair -- this\npatch implements a per-namespace limit.\n\nAn async COPY request that occurs while this limit is exceeded gets\nNFS4ERR_DELAY. The requesting client can choose to send the request\nagain after a delay or fall back to a traditional read/write style\ncopy.\n\nIf there is need to make the mechanism more sophisticated, we can\nvisit that in future patches.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:30:29.485Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/9e52ff544e0bfa09ee339fd7b0937ee3c080c24e", }, { url: "https://git.kernel.org/stable/c/43e46ee5efc03990b223f7aa8b77aa9c3d3acfdf", }, { url: "https://git.kernel.org/stable/c/7ea9260874b779637aff6d24c344b8ef4ac862a0", }, { url: "https://git.kernel.org/stable/c/ae267989b7b7933dfedcd26468d0a88fc3a9da9e", }, { url: "https://git.kernel.org/stable/c/b4e21431a0db4854b5023cd5af001be557e6c3db", }, { url: "https://git.kernel.org/stable/c/6a488ad7745b8f64625c6d3a24ce7e448e83f11b", }, { url: "https://git.kernel.org/stable/c/aadc3bbea163b6caaaebfdd2b6c4667fbc726752", }, ], title: "NFSD: Limit the number of concurrent async COPY operations", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49974", datePublished: "2024-10-21T18:02:22.392Z", dateReserved: "2024-10-21T12:17:06.052Z", dateUpdated: "2024-12-19T09:30:29.485Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48950
Vulnerability from cvelistv5
Published
2024-10-21 20:05
Modified
2024-12-19 08:11
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
perf: Fix perf_pending_task() UaF
Per syzbot it is possible for perf_pending_task() to run after the
event is free()'d. There are two related but distinct cases:
- the task_work was already queued before destroying the event;
- destroying the event itself queues the task_work.
The first cannot be solved using task_work_cancel() since
perf_release() itself might be called from a task_work (____fput),
which means the current->task_works list is already empty and
task_work_cancel() won't be able to find the perf_pending_task()
entry.
The simplest alternative is extending the perf_event lifetime to cover
the task_work.
The second is just silly, queueing a task_work while you know the
event is going away makes no sense and is easily avoided by
re-arranging how the event is marked STATE_DEAD and ensuring it goes
through STATE_OFF on the way down.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48950", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:21:45.788376Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:40.788Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "kernel/events/core.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "8bffa95ac19ff27c8261904f89d36c7fcf215d59", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "78e1317a174edbfd1182599bf76c092a2877672c", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "517e6a301f34613bff24a8e35b5455884f2d83d8", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "kernel/events/core.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.84", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.14", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Fix perf_pending_task() UaF\n\nPer syzbot it is possible for perf_pending_task() to run after the\nevent is free()'d. There are two related but distinct cases:\n\n - the task_work was already queued before destroying the event;\n - destroying the event itself queues the task_work.\n\nThe first cannot be solved using task_work_cancel() since\nperf_release() itself might be called from a task_work (____fput),\nwhich means the current->task_works list is already empty and\ntask_work_cancel() won't be able to find the perf_pending_task()\nentry.\n\nThe simplest alternative is extending the perf_event lifetime to cover\nthe task_work.\n\nThe second is just silly, queueing a task_work while you know the\nevent is going away makes no sense and is easily avoided by\nre-arranging how the event is marked STATE_DEAD and ensuring it goes\nthrough STATE_OFF on the way down.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:11:06.968Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/8bffa95ac19ff27c8261904f89d36c7fcf215d59", }, { url: "https://git.kernel.org/stable/c/78e1317a174edbfd1182599bf76c092a2877672c", }, { url: "https://git.kernel.org/stable/c/517e6a301f34613bff24a8e35b5455884f2d83d8", }, ], title: "perf: Fix perf_pending_task() UaF", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48950", datePublished: "2024-10-21T20:05:38.440Z", dateReserved: "2024-08-22T01:27:53.625Z", dateUpdated: "2024-12-19T08:11:06.968Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49984
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-27 12:17
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/v3d: Prevent out of bounds access in performance query extensions
Check that the number of perfmons userspace is passing in the copy and
reset extensions is not greater than the internal kernel storage where
the ids will be copied into.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49984", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:32:07.530054Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:43.870Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/v3d/v3d_submit.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "3e50d72abe50204c7b19784a66e86da29dde32c2", status: "affected", version: "bae7cb5d68001a8d4ceec5964dda74bb9aab7220", versionType: "git", }, { lessThan: "d9536f16be3970c170571efa707c13cd089c774e", status: "affected", version: "bae7cb5d68001a8d4ceec5964dda74bb9aab7220", versionType: "git", }, { lessThan: "f32b5128d2c440368b5bf3a7a356823e235caabb", status: "affected", version: "bae7cb5d68001a8d4ceec5964dda74bb9aab7220", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/v3d/v3d_submit.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.8", }, { lessThan: "6.8", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/v3d: Prevent out of bounds access in performance query extensions\n\nCheck that the number of perfmons userspace is passing in the copy and\nreset extensions is not greater than the internal kernel storage where\nthe ids will be copied into.", }, ], providerMetadata: { dateUpdated: "2024-12-27T12:17:04.986Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/3e50d72abe50204c7b19784a66e86da29dde32c2", }, { url: "https://git.kernel.org/stable/c/d9536f16be3970c170571efa707c13cd089c774e", }, { url: "https://git.kernel.org/stable/c/f32b5128d2c440368b5bf3a7a356823e235caabb", }, ], title: "drm/v3d: Prevent out of bounds access in performance query extensions", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49984", datePublished: "2024-10-21T18:02:29.151Z", dateReserved: "2024-10-21T12:17:06.054Z", dateUpdated: "2024-12-27T12:17:04.986Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47743
Vulnerability from cvelistv5
Published
2024-10-21 12:14
Modified
2024-12-19 09:27
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
KEYS: prevent NULL pointer dereference in find_asymmetric_key()
In find_asymmetric_key(), if all NULLs are passed in the id_{0,1,2}
arguments, the kernel will first emit WARN but then have an oops
because id_2 gets dereferenced anyway.
Add the missing id_2 check and move WARN_ON() to the final else branch
to avoid duplicate NULL checks.
Found by Linux Verification Center (linuxtesting.org) with Svace static
analysis tool.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 7d30198ee24f2ddcc4fefcd38a9b76bd8ab31360 Version: 7d30198ee24f2ddcc4fefcd38a9b76bd8ab31360 Version: 7d30198ee24f2ddcc4fefcd38a9b76bd8ab31360 Version: 7d30198ee24f2ddcc4fefcd38a9b76bd8ab31360 Version: 7d30198ee24f2ddcc4fefcd38a9b76bd8ab31360 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47743", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T12:58:56.209063Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:14.224Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "crypto/asymmetric_keys/asymmetric_type.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "3322fa8f2aa40b0b3651034cd541647a600cc6c0", status: "affected", version: "7d30198ee24f2ddcc4fefcd38a9b76bd8ab31360", versionType: "git", }, { lessThan: "a3765b497a4f5224cb2f7a6a2d3357d3066214ee", status: "affected", version: "7d30198ee24f2ddcc4fefcd38a9b76bd8ab31360", versionType: "git", }, { lessThan: "13b5b401ead95b5d8266f64904086c55b6024900", status: "affected", version: "7d30198ee24f2ddcc4fefcd38a9b76bd8ab31360", versionType: "git", }, { lessThan: "0d3b0706ada15c333e6f9faf19590ff715e45d1e", status: "affected", version: "7d30198ee24f2ddcc4fefcd38a9b76bd8ab31360", versionType: "git", }, { lessThan: "70fd1966c93bf3bfe3fe6d753eb3d83a76597eef", status: "affected", version: "7d30198ee24f2ddcc4fefcd38a9b76bd8ab31360", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "crypto/asymmetric_keys/asymmetric_type.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.17", }, { lessThan: "5.17", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nKEYS: prevent NULL pointer dereference in find_asymmetric_key()\n\nIn find_asymmetric_key(), if all NULLs are passed in the id_{0,1,2}\narguments, the kernel will first emit WARN but then have an oops\nbecause id_2 gets dereferenced anyway.\n\nAdd the missing id_2 check and move WARN_ON() to the final else branch\nto avoid duplicate NULL checks.\n\nFound by Linux Verification Center (linuxtesting.org) with Svace static\nanalysis tool.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:27:13.873Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/3322fa8f2aa40b0b3651034cd541647a600cc6c0", }, { url: "https://git.kernel.org/stable/c/a3765b497a4f5224cb2f7a6a2d3357d3066214ee", }, { url: "https://git.kernel.org/stable/c/13b5b401ead95b5d8266f64904086c55b6024900", }, { url: "https://git.kernel.org/stable/c/0d3b0706ada15c333e6f9faf19590ff715e45d1e", }, { url: "https://git.kernel.org/stable/c/70fd1966c93bf3bfe3fe6d753eb3d83a76597eef", }, ], title: "KEYS: prevent NULL pointer dereference in find_asymmetric_key()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47743", datePublished: "2024-10-21T12:14:11.173Z", dateReserved: "2024-09-30T16:00:12.960Z", dateUpdated: "2024-12-19T09:27:13.873Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49885
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:28
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm, slub: avoid zeroing kmalloc redzone
Since commit 946fa0dbf2d8 ("mm/slub: extend redzone check to extra
allocated kmalloc space than requested"), setting orig_size treats
the wasted space (object_size - orig_size) as a redzone. However with
init_on_free=1 we clear the full object->size, including the redzone.
Additionally we clear the object metadata, including the stored orig_size,
making it zero, which makes check_object() treat the whole object as a
redzone.
These issues lead to the following BUG report with "slub_debug=FUZ
init_on_free=1":
[ 0.000000] =============================================================================
[ 0.000000] BUG kmalloc-8 (Not tainted): kmalloc Redzone overwritten
[ 0.000000] -----------------------------------------------------------------------------
[ 0.000000]
[ 0.000000] 0xffff000010032858-0xffff00001003285f @offset=2136. First byte 0x0 instead of 0xcc
[ 0.000000] FIX kmalloc-8: Restoring kmalloc Redzone 0xffff000010032858-0xffff00001003285f=0xcc
[ 0.000000] Slab 0xfffffdffc0400c80 objects=36 used=23 fp=0xffff000010032a18 flags=0x3fffe0000000200(workingset|node=0|zone=0|lastcpupid=0x1ffff)
[ 0.000000] Object 0xffff000010032858 @offset=2136 fp=0xffff0000100328c8
[ 0.000000]
[ 0.000000] Redzone ffff000010032850: cc cc cc cc cc cc cc cc ........
[ 0.000000] Object ffff000010032858: cc cc cc cc cc cc cc cc ........
[ 0.000000] Redzone ffff000010032860: cc cc cc cc cc cc cc cc ........
[ 0.000000] Padding ffff0000100328b4: 00 00 00 00 00 00 00 00 00 00 00 00 ............
[ 0.000000] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.11.0-rc3-next-20240814-00004-g61844c55c3f4 #144
[ 0.000000] Hardware name: NXP i.MX95 19X19 board (DT)
[ 0.000000] Call trace:
[ 0.000000] dump_backtrace+0x90/0xe8
[ 0.000000] show_stack+0x18/0x24
[ 0.000000] dump_stack_lvl+0x74/0x8c
[ 0.000000] dump_stack+0x18/0x24
[ 0.000000] print_trailer+0x150/0x218
[ 0.000000] check_object+0xe4/0x454
[ 0.000000] free_to_partial_list+0x2f8/0x5ec
To address the issue, use orig_size to clear the used area. And restore
the value of orig_size after clear the remaining area.
When CONFIG_SLUB_DEBUG not defined, (get_orig_size()' directly returns
s->object_size. So when using memset to init the area, the size can simply
be orig_size, as orig_size returns object_size when CONFIG_SLUB_DEBUG not
enabled. And orig_size can never be bigger than object_size.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49885", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:45:07.682094Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:49.969Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "mm/slub.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "7a2e823a19746d54052c625faecf0d2d6c52ee0a", status: "affected", version: "946fa0dbf2d8923a587f7348adf16563d59f1b3d", versionType: "git", }, { lessThan: "83f0440b2f92227fcce9898118ca7fe7e0d64b1f", status: "affected", version: "946fa0dbf2d8923a587f7348adf16563d59f1b3d", versionType: "git", }, { lessThan: "59090e479ac78ae18facd4c58eb332562a23020e", status: "affected", version: "946fa0dbf2d8923a587f7348adf16563d59f1b3d", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "mm/slub.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.2", }, { lessThan: "6.2", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nmm, slub: avoid zeroing kmalloc redzone\n\nSince commit 946fa0dbf2d8 (\"mm/slub: extend redzone check to extra\nallocated kmalloc space than requested\"), setting orig_size treats\nthe wasted space (object_size - orig_size) as a redzone. However with\ninit_on_free=1 we clear the full object->size, including the redzone.\n\nAdditionally we clear the object metadata, including the stored orig_size,\nmaking it zero, which makes check_object() treat the whole object as a\nredzone.\n\nThese issues lead to the following BUG report with \"slub_debug=FUZ\ninit_on_free=1\":\n\n[ 0.000000] =============================================================================\n[ 0.000000] BUG kmalloc-8 (Not tainted): kmalloc Redzone overwritten\n[ 0.000000] -----------------------------------------------------------------------------\n[ 0.000000]\n[ 0.000000] 0xffff000010032858-0xffff00001003285f @offset=2136. First byte 0x0 instead of 0xcc\n[ 0.000000] FIX kmalloc-8: Restoring kmalloc Redzone 0xffff000010032858-0xffff00001003285f=0xcc\n[ 0.000000] Slab 0xfffffdffc0400c80 objects=36 used=23 fp=0xffff000010032a18 flags=0x3fffe0000000200(workingset|node=0|zone=0|lastcpupid=0x1ffff)\n[ 0.000000] Object 0xffff000010032858 @offset=2136 fp=0xffff0000100328c8\n[ 0.000000]\n[ 0.000000] Redzone ffff000010032850: cc cc cc cc cc cc cc cc ........\n[ 0.000000] Object ffff000010032858: cc cc cc cc cc cc cc cc ........\n[ 0.000000] Redzone ffff000010032860: cc cc cc cc cc cc cc cc ........\n[ 0.000000] Padding ffff0000100328b4: 00 00 00 00 00 00 00 00 00 00 00 00 ............\n[ 0.000000] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.11.0-rc3-next-20240814-00004-g61844c55c3f4 #144\n[ 0.000000] Hardware name: NXP i.MX95 19X19 board (DT)\n[ 0.000000] Call trace:\n[ 0.000000] dump_backtrace+0x90/0xe8\n[ 0.000000] show_stack+0x18/0x24\n[ 0.000000] dump_stack_lvl+0x74/0x8c\n[ 0.000000] dump_stack+0x18/0x24\n[ 0.000000] print_trailer+0x150/0x218\n[ 0.000000] check_object+0xe4/0x454\n[ 0.000000] free_to_partial_list+0x2f8/0x5ec\n\nTo address the issue, use orig_size to clear the used area. And restore\nthe value of orig_size after clear the remaining area.\n\nWhen CONFIG_SLUB_DEBUG not defined, (get_orig_size()' directly returns\ns->object_size. So when using memset to init the area, the size can simply\nbe orig_size, as orig_size returns object_size when CONFIG_SLUB_DEBUG not\nenabled. And orig_size can never be bigger than object_size.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:28:21.307Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/7a2e823a19746d54052c625faecf0d2d6c52ee0a", }, { url: "https://git.kernel.org/stable/c/83f0440b2f92227fcce9898118ca7fe7e0d64b1f", }, { url: "https://git.kernel.org/stable/c/59090e479ac78ae18facd4c58eb332562a23020e", }, ], title: "mm, slub: avoid zeroing kmalloc redzone", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49885", datePublished: "2024-10-21T18:01:22.186Z", dateReserved: "2024-10-21T12:17:06.022Z", dateUpdated: "2024-12-19T09:28:21.307Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48978
Vulnerability from cvelistv5
Published
2024-10-21 20:05
Modified
2024-12-19 08:11
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: core: fix shift-out-of-bounds in hid_report_raw_event
Syzbot reported shift-out-of-bounds in hid_report_raw_event.
microsoft 0003:045E:07DA.0001: hid_field_extract() called with n (128) >
32! (swapper/0)
======================================================================
UBSAN: shift-out-of-bounds in drivers/hid/hid-core.c:1323:20
shift exponent 127 is too large for 32-bit type 'int'
CPU: 0 PID: 0 Comm: swapper/0 Not tainted
6.1.0-rc4-syzkaller-00159-g4bbf3422df78 #0
Hardware name: Google Compute Engine/Google Compute Engine, BIOS
Google 10/26/2022
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
ubsan_epilogue lib/ubsan.c:151 [inline]
__ubsan_handle_shift_out_of_bounds+0x3a6/0x420 lib/ubsan.c:322
snto32 drivers/hid/hid-core.c:1323 [inline]
hid_input_fetch_field drivers/hid/hid-core.c:1572 [inline]
hid_process_report drivers/hid/hid-core.c:1665 [inline]
hid_report_raw_event+0xd56/0x18b0 drivers/hid/hid-core.c:1998
hid_input_report+0x408/0x4f0 drivers/hid/hid-core.c:2066
hid_irq_in+0x459/0x690 drivers/hid/usbhid/hid-core.c:284
__usb_hcd_giveback_urb+0x369/0x530 drivers/usb/core/hcd.c:1671
dummy_timer+0x86b/0x3110 drivers/usb/gadget/udc/dummy_hcd.c:1988
call_timer_fn+0xf5/0x210 kernel/time/timer.c:1474
expire_timers kernel/time/timer.c:1519 [inline]
__run_timers+0x76a/0x980 kernel/time/timer.c:1790
run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1803
__do_softirq+0x277/0x75b kernel/softirq.c:571
__irq_exit_rcu+0xec/0x170 kernel/softirq.c:650
irq_exit_rcu+0x5/0x20 kernel/softirq.c:662
sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1107
======================================================================
If the size of the integer (unsigned n) is bigger than 32 in snto32(),
shift exponent will be too large for 32-bit type 'int', resulting in a
shift-out-of-bounds bug.
Fix this by adding a check on the size of the integer (unsigned n) in
snto32(). To add support for n greater than 32 bits, set n to 32, if n
is greater than 32.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: dde5845a529ff753364a6d1aea61180946270bfa Version: dde5845a529ff753364a6d1aea61180946270bfa Version: dde5845a529ff753364a6d1aea61180946270bfa Version: dde5845a529ff753364a6d1aea61180946270bfa Version: dde5845a529ff753364a6d1aea61180946270bfa Version: dde5845a529ff753364a6d1aea61180946270bfa Version: dde5845a529ff753364a6d1aea61180946270bfa Version: dde5845a529ff753364a6d1aea61180946270bfa |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48978", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:18:13.670064Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:44.244Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/hid/hid-core.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "151493fe5a6ed1a88decc929a7368a3f2a246914", status: "affected", version: "dde5845a529ff753364a6d1aea61180946270bfa", versionType: "git", }, { lessThan: "809783f8b4b600c7fb3bccb10fefef822601ea3b", status: "affected", version: "dde5845a529ff753364a6d1aea61180946270bfa", versionType: "git", }, { lessThan: "8e14f20e12224ee2429f75a5c9418a700e26a8d3", status: "affected", version: "dde5845a529ff753364a6d1aea61180946270bfa", versionType: "git", }, { lessThan: "db1ed1b3fb4ec0d19080a102956255769bc45c79", status: "affected", version: "dde5845a529ff753364a6d1aea61180946270bfa", versionType: "git", }, { lessThan: "bc03f809da78fc79e4aee132d4e5c6a2b3aeec73", status: "affected", version: "dde5845a529ff753364a6d1aea61180946270bfa", versionType: "git", }, { lessThan: "f755d11c55b29049b77da5cd9ab2faae96eb33c3", status: "affected", version: "dde5845a529ff753364a6d1aea61180946270bfa", versionType: "git", }, { lessThan: "2b3b4d7aadaa1b6b58d0f34823bf86cfe8a31b4d", status: "affected", version: "dde5845a529ff753364a6d1aea61180946270bfa", versionType: "git", }, { lessThan: "ec61b41918587be530398b0d1c9a0d16619397e5", status: "affected", version: "dde5845a529ff753364a6d1aea61180946270bfa", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/hid/hid-core.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "2.6.20", }, { lessThan: "2.6.20", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.9.*", status: "unaffected", version: "4.9.336", versionType: "semver", }, { lessThanOrEqual: "4.14.*", status: "unaffected", version: "4.14.302", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.269", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.227", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.159", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.83", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.13", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: core: fix shift-out-of-bounds in hid_report_raw_event\n\nSyzbot reported shift-out-of-bounds in hid_report_raw_event.\n\nmicrosoft 0003:045E:07DA.0001: hid_field_extract() called with n (128) >\n32! (swapper/0)\n======================================================================\nUBSAN: shift-out-of-bounds in drivers/hid/hid-core.c:1323:20\nshift exponent 127 is too large for 32-bit type 'int'\nCPU: 0 PID: 0 Comm: swapper/0 Not tainted\n6.1.0-rc4-syzkaller-00159-g4bbf3422df78 #0\nHardware name: Google Compute Engine/Google Compute Engine, BIOS\nGoogle 10/26/2022\nCall Trace:\n <IRQ>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106\n ubsan_epilogue lib/ubsan.c:151 [inline]\n __ubsan_handle_shift_out_of_bounds+0x3a6/0x420 lib/ubsan.c:322\n snto32 drivers/hid/hid-core.c:1323 [inline]\n hid_input_fetch_field drivers/hid/hid-core.c:1572 [inline]\n hid_process_report drivers/hid/hid-core.c:1665 [inline]\n hid_report_raw_event+0xd56/0x18b0 drivers/hid/hid-core.c:1998\n hid_input_report+0x408/0x4f0 drivers/hid/hid-core.c:2066\n hid_irq_in+0x459/0x690 drivers/hid/usbhid/hid-core.c:284\n __usb_hcd_giveback_urb+0x369/0x530 drivers/usb/core/hcd.c:1671\n dummy_timer+0x86b/0x3110 drivers/usb/gadget/udc/dummy_hcd.c:1988\n call_timer_fn+0xf5/0x210 kernel/time/timer.c:1474\n expire_timers kernel/time/timer.c:1519 [inline]\n __run_timers+0x76a/0x980 kernel/time/timer.c:1790\n run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1803\n __do_softirq+0x277/0x75b kernel/softirq.c:571\n __irq_exit_rcu+0xec/0x170 kernel/softirq.c:650\n irq_exit_rcu+0x5/0x20 kernel/softirq.c:662\n sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1107\n======================================================================\n\nIf the size of the integer (unsigned n) is bigger than 32 in snto32(),\nshift exponent will be too large for 32-bit type 'int', resulting in a\nshift-out-of-bounds bug.\nFix this by adding a check on the size of the integer (unsigned n) in\nsnto32(). To add support for n greater than 32 bits, set n to 32, if n\nis greater than 32.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:11:47.423Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/151493fe5a6ed1a88decc929a7368a3f2a246914", }, { url: "https://git.kernel.org/stable/c/809783f8b4b600c7fb3bccb10fefef822601ea3b", }, { url: "https://git.kernel.org/stable/c/8e14f20e12224ee2429f75a5c9418a700e26a8d3", }, { url: "https://git.kernel.org/stable/c/db1ed1b3fb4ec0d19080a102956255769bc45c79", }, { url: "https://git.kernel.org/stable/c/bc03f809da78fc79e4aee132d4e5c6a2b3aeec73", }, { url: "https://git.kernel.org/stable/c/f755d11c55b29049b77da5cd9ab2faae96eb33c3", }, { url: "https://git.kernel.org/stable/c/2b3b4d7aadaa1b6b58d0f34823bf86cfe8a31b4d", }, { url: "https://git.kernel.org/stable/c/ec61b41918587be530398b0d1c9a0d16619397e5", }, ], title: "HID: core: fix shift-out-of-bounds in hid_report_raw_event", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48978", datePublished: "2024-10-21T20:05:57.079Z", dateReserved: "2024-08-22T01:27:53.632Z", dateUpdated: "2024-12-19T08:11:47.423Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49973
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-19 09:30
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
r8169: add tally counter fields added with RTL8125
RTL8125 added fields to the tally counter, what may result in the chip
dma'ing these new fields to unallocated memory. Therefore make sure
that the allocated memory area is big enough to hold all of the
tally counter values, even if we use only parts of it.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: f1bce4ad2f1cee6759711904b9fffe4a3dd8af87 Version: f1bce4ad2f1cee6759711904b9fffe4a3dd8af87 Version: f1bce4ad2f1cee6759711904b9fffe4a3dd8af87 Version: f1bce4ad2f1cee6759711904b9fffe4a3dd8af87 Version: f1bce4ad2f1cee6759711904b9fffe4a3dd8af87 Version: f1bce4ad2f1cee6759711904b9fffe4a3dd8af87 Version: f1bce4ad2f1cee6759711904b9fffe4a3dd8af87 Version: f1bce4ad2f1cee6759711904b9fffe4a3dd8af87 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49973", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:33:30.477812Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:45.854Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/ethernet/realtek/r8169_main.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "64648ae8c97ec5a3165021627f5a1658ebe081ca", status: "affected", version: "f1bce4ad2f1cee6759711904b9fffe4a3dd8af87", versionType: "git", }, { lessThan: "991e8b0bab669b7d06927c3e442b3352532e8581", status: "affected", version: "f1bce4ad2f1cee6759711904b9fffe4a3dd8af87", versionType: "git", }, { lessThan: "21950321ad33d7613b1453f4c503d7b1871deb61", status: "affected", version: "f1bce4ad2f1cee6759711904b9fffe4a3dd8af87", versionType: "git", }, { lessThan: "fe44b3bfbf0c74df5712f44458689d0eccccf47d", status: "affected", version: "f1bce4ad2f1cee6759711904b9fffe4a3dd8af87", versionType: "git", }, { lessThan: "1c723d785adb711496bc64c24240f952f4faaabf", status: "affected", version: "f1bce4ad2f1cee6759711904b9fffe4a3dd8af87", versionType: "git", }, { lessThan: "92bc8647b4d65f4d4bf8afdb206321c1bc55a486", status: "affected", version: "f1bce4ad2f1cee6759711904b9fffe4a3dd8af87", versionType: "git", }, { lessThan: "585c048d15ed559f20cb94c8fa2f30077efa4fbc", status: "affected", version: "f1bce4ad2f1cee6759711904b9fffe4a3dd8af87", versionType: "git", }, { lessThan: "ced8e8b8f40accfcce4a2bbd8b150aa76d5eff9a", status: "affected", version: "f1bce4ad2f1cee6759711904b9fffe4a3dd8af87", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/ethernet/realtek/r8169_main.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.4", }, { lessThan: "5.4", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nr8169: add tally counter fields added with RTL8125\n\nRTL8125 added fields to the tally counter, what may result in the chip\ndma'ing these new fields to unallocated memory. Therefore make sure\nthat the allocated memory area is big enough to hold all of the\ntally counter values, even if we use only parts of it.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:30:28.300Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/64648ae8c97ec5a3165021627f5a1658ebe081ca", }, { url: "https://git.kernel.org/stable/c/991e8b0bab669b7d06927c3e442b3352532e8581", }, { url: "https://git.kernel.org/stable/c/21950321ad33d7613b1453f4c503d7b1871deb61", }, { url: "https://git.kernel.org/stable/c/fe44b3bfbf0c74df5712f44458689d0eccccf47d", }, { url: "https://git.kernel.org/stable/c/1c723d785adb711496bc64c24240f952f4faaabf", }, { url: "https://git.kernel.org/stable/c/92bc8647b4d65f4d4bf8afdb206321c1bc55a486", }, { url: "https://git.kernel.org/stable/c/585c048d15ed559f20cb94c8fa2f30077efa4fbc", }, { url: "https://git.kernel.org/stable/c/ced8e8b8f40accfcce4a2bbd8b150aa76d5eff9a", }, ], title: "r8169: add tally counter fields added with RTL8125", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49973", datePublished: "2024-10-21T18:02:21.696Z", dateReserved: "2024-10-21T12:17:06.051Z", dateUpdated: "2024-12-19T09:30:28.300Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48958
Vulnerability from cvelistv5
Published
2024-10-21 20:05
Modified
2024-12-19 08:11
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ethernet: aeroflex: fix potential skb leak in greth_init_rings()
The greth_init_rings() function won't free the newly allocated skb when
dma_mapping_error() returns error, so add dev_kfree_skb() to fix it.
Compile tested only.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: d4c41139df6e74c6fff0cbac43e51cab782133be Version: d4c41139df6e74c6fff0cbac43e51cab782133be Version: d4c41139df6e74c6fff0cbac43e51cab782133be Version: d4c41139df6e74c6fff0cbac43e51cab782133be Version: d4c41139df6e74c6fff0cbac43e51cab782133be Version: d4c41139df6e74c6fff0cbac43e51cab782133be Version: d4c41139df6e74c6fff0cbac43e51cab782133be Version: d4c41139df6e74c6fff0cbac43e51cab782133be |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48958", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:20:45.568548Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:39.583Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/ethernet/aeroflex/greth.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "223654e2e2c8d05347cd8e300f8d1ec6023103dd", status: "affected", version: "d4c41139df6e74c6fff0cbac43e51cab782133be", versionType: "git", }, { lessThan: "cb1e293f858e5e1152b8791047ed4bdaaf392189", status: "affected", version: "d4c41139df6e74c6fff0cbac43e51cab782133be", versionType: "git", }, { lessThan: "bfaa8f6c5b84b295dd73b0138b57c5555ca12b1c", status: "affected", version: "d4c41139df6e74c6fff0cbac43e51cab782133be", versionType: "git", }, { lessThan: "99669d94ce145389f1d6f197e6e18ed50d43fb76", status: "affected", version: "d4c41139df6e74c6fff0cbac43e51cab782133be", versionType: "git", }, { lessThan: "87277bdf2c370ab2d07cfe77dfa9b37f82bbe1e5", status: "affected", version: "d4c41139df6e74c6fff0cbac43e51cab782133be", versionType: "git", }, { lessThan: "c7adcbd0fd3fde1b19150c3e955fb4a30c5bd9b7", status: "affected", version: "d4c41139df6e74c6fff0cbac43e51cab782133be", versionType: "git", }, { lessThan: "dd62867a6383f78f75f07039394aac25924a3307", status: "affected", version: "d4c41139df6e74c6fff0cbac43e51cab782133be", versionType: "git", }, { lessThan: "063a932b64db3317ec020c94466fe52923a15f60", status: "affected", version: "d4c41139df6e74c6fff0cbac43e51cab782133be", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/ethernet/aeroflex/greth.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "2.6.34", }, { lessThan: "2.6.34", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.9.*", status: "unaffected", version: "4.9.336", versionType: "semver", }, { lessThanOrEqual: "4.14.*", status: "unaffected", version: "4.14.302", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.269", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.227", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.159", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.83", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.13", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nethernet: aeroflex: fix potential skb leak in greth_init_rings()\n\nThe greth_init_rings() function won't free the newly allocated skb when\ndma_mapping_error() returns error, so add dev_kfree_skb() to fix it.\n\nCompile tested only.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:11:21.345Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/223654e2e2c8d05347cd8e300f8d1ec6023103dd", }, { url: "https://git.kernel.org/stable/c/cb1e293f858e5e1152b8791047ed4bdaaf392189", }, { url: "https://git.kernel.org/stable/c/bfaa8f6c5b84b295dd73b0138b57c5555ca12b1c", }, { url: "https://git.kernel.org/stable/c/99669d94ce145389f1d6f197e6e18ed50d43fb76", }, { url: "https://git.kernel.org/stable/c/87277bdf2c370ab2d07cfe77dfa9b37f82bbe1e5", }, { url: "https://git.kernel.org/stable/c/c7adcbd0fd3fde1b19150c3e955fb4a30c5bd9b7", }, { url: "https://git.kernel.org/stable/c/dd62867a6383f78f75f07039394aac25924a3307", }, { url: "https://git.kernel.org/stable/c/063a932b64db3317ec020c94466fe52923a15f60", }, ], title: "ethernet: aeroflex: fix potential skb leak in greth_init_rings()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48958", datePublished: "2024-10-21T20:05:43.778Z", dateReserved: "2024-08-22T01:27:53.627Z", dateUpdated: "2024-12-19T08:11:21.345Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48965
Vulnerability from cvelistv5
Published
2024-10-21 20:05
Modified
2024-12-19 08:11
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
gpio/rockchip: fix refcount leak in rockchip_gpiolib_register()
The node returned by of_get_parent() with refcount incremented,
of_node_put() needs be called when finish using it. So add it in the
end of of_pinctrl_get().
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48965", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:19:52.282183Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:38.602Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpio/gpio-rockchip.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "5cb8f1a784fd6115be58282fe15105572319d8be", status: "affected", version: "936ee2675eee1faca0dcdfa79165c7990422e0fc", versionType: "git", }, { lessThan: "033c79b7ee8a7bf1c1a13ac3addc91184425cbae", status: "affected", version: "936ee2675eee1faca0dcdfa79165c7990422e0fc", versionType: "git", }, { lessThan: "63ff545af73f759d1bd04198af8ed8577fb739fc", status: "affected", version: "936ee2675eee1faca0dcdfa79165c7990422e0fc", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpio/gpio-rockchip.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.15", }, { lessThan: "5.15", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.83", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.13", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio/rockchip: fix refcount leak in rockchip_gpiolib_register()\n\nThe node returned by of_get_parent() with refcount incremented,\nof_node_put() needs be called when finish using it. So add it in the\nend of of_pinctrl_get().", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:11:30.197Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/5cb8f1a784fd6115be58282fe15105572319d8be", }, { url: "https://git.kernel.org/stable/c/033c79b7ee8a7bf1c1a13ac3addc91184425cbae", }, { url: "https://git.kernel.org/stable/c/63ff545af73f759d1bd04198af8ed8577fb739fc", }, ], title: "gpio/rockchip: fix refcount leak in rockchip_gpiolib_register()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48965", datePublished: "2024-10-21T20:05:48.483Z", dateReserved: "2024-08-22T01:27:53.628Z", dateUpdated: "2024-12-19T08:11:30.197Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47698
Vulnerability from cvelistv5
Published
2024-10-21 11:53
Modified
2024-12-19 09:26
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drivers: media: dvb-frontends/rtl2832: fix an out-of-bounds write error
Ensure index in rtl2832_pid_filter does not exceed 31 to prevent
out-of-bounds access.
dev->filters is a 32-bit value, so set_bit and clear_bit functions should
only operate on indices from 0 to 31. If index is 32, it will attempt to
access a non-existent 33rd bit, leading to out-of-bounds access.
Change the boundary check from index > 32 to index >= 32 to resolve this
issue.
[hverkuil: added fixes tag, rtl2830_pid_filter -> rtl2832_pid_filter in logmsg]
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 4b01e01a81b6629878344430531ced347cc2ed5b Version: 4b01e01a81b6629878344430531ced347cc2ed5b Version: 4b01e01a81b6629878344430531ced347cc2ed5b Version: 4b01e01a81b6629878344430531ced347cc2ed5b Version: 4b01e01a81b6629878344430531ced347cc2ed5b Version: 4b01e01a81b6629878344430531ced347cc2ed5b Version: 4b01e01a81b6629878344430531ced347cc2ed5b Version: 4b01e01a81b6629878344430531ced347cc2ed5b Version: 4b01e01a81b6629878344430531ced347cc2ed5b |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47698", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:04:57.159768Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:14:14.071Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/media/dvb-frontends/rtl2832.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "7065c05c6d58b9b9a98127aa14e9a5ec68173918", status: "affected", version: "4b01e01a81b6629878344430531ced347cc2ed5b", versionType: "git", }, { lessThan: "49b33c38d202d3327dcfd058e27f541dcc308b92", status: "affected", version: "4b01e01a81b6629878344430531ced347cc2ed5b", versionType: "git", }, { lessThan: "6ae3b9aee42616ee93c4585174f40c767828006d", status: "affected", version: "4b01e01a81b6629878344430531ced347cc2ed5b", versionType: "git", }, { lessThan: "a879b6cdd48134a3d58949ea4f075c75fa2d7d71", status: "affected", version: "4b01e01a81b6629878344430531ced347cc2ed5b", versionType: "git", }, { lessThan: "15bea004e939d938a6771dfcf2a26cc899ffd20a", status: "affected", version: "4b01e01a81b6629878344430531ced347cc2ed5b", versionType: "git", }, { lessThan: "527ab3eb3b0b4a6ee00e183c1de6a730239e2835", status: "affected", version: "4b01e01a81b6629878344430531ced347cc2ed5b", versionType: "git", }, { lessThan: "66dbe0df6eccc7ee53a2c35016ce81e13b3ff447", status: "affected", version: "4b01e01a81b6629878344430531ced347cc2ed5b", versionType: "git", }, { lessThan: "bedd42e07988dbdd124b23e758ffef7a681b9c60", status: "affected", version: "4b01e01a81b6629878344430531ced347cc2ed5b", versionType: "git", }, { lessThan: "8ae06f360cfaca2b88b98ca89144548b3186aab1", status: "affected", version: "4b01e01a81b6629878344430531ced347cc2ed5b", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/media/dvb-frontends/rtl2832.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "4.0", }, { lessThan: "4.0", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers: media: dvb-frontends/rtl2832: fix an out-of-bounds write error\n\nEnsure index in rtl2832_pid_filter does not exceed 31 to prevent\nout-of-bounds access.\n\ndev->filters is a 32-bit value, so set_bit and clear_bit functions should\nonly operate on indices from 0 to 31. If index is 32, it will attempt to\naccess a non-existent 33rd bit, leading to out-of-bounds access.\nChange the boundary check from index > 32 to index >= 32 to resolve this\nissue.\n\n[hverkuil: added fixes tag, rtl2830_pid_filter -> rtl2832_pid_filter in logmsg]", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:26:19.312Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/7065c05c6d58b9b9a98127aa14e9a5ec68173918", }, { url: "https://git.kernel.org/stable/c/49b33c38d202d3327dcfd058e27f541dcc308b92", }, { url: "https://git.kernel.org/stable/c/6ae3b9aee42616ee93c4585174f40c767828006d", }, { url: "https://git.kernel.org/stable/c/a879b6cdd48134a3d58949ea4f075c75fa2d7d71", }, { url: "https://git.kernel.org/stable/c/15bea004e939d938a6771dfcf2a26cc899ffd20a", }, { url: "https://git.kernel.org/stable/c/527ab3eb3b0b4a6ee00e183c1de6a730239e2835", }, { url: "https://git.kernel.org/stable/c/66dbe0df6eccc7ee53a2c35016ce81e13b3ff447", }, { url: "https://git.kernel.org/stable/c/bedd42e07988dbdd124b23e758ffef7a681b9c60", }, { url: "https://git.kernel.org/stable/c/8ae06f360cfaca2b88b98ca89144548b3186aab1", }, ], title: "drivers: media: dvb-frontends/rtl2832: fix an out-of-bounds write error", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47698", datePublished: "2024-10-21T11:53:35.311Z", dateReserved: "2024-09-30T16:00:12.944Z", dateUpdated: "2024-12-19T09:26:19.312Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49982
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-19 09:30
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
aoe: fix the potential use-after-free problem in more places
For fixing CVE-2023-6270, f98364e92662 ("aoe: fix the potential
use-after-free problem in aoecmd_cfg_pkts") makes tx() calling dev_put()
instead of doing in aoecmd_cfg_pkts(). It avoids that the tx() runs
into use-after-free.
Then Nicolai Stange found more places in aoe have potential use-after-free
problem with tx(). e.g. revalidate(), aoecmd_ata_rw(), resend(), probe()
and aoecmd_cfg_rsp(). Those functions also use aoenet_xmit() to push
packet to tx queue. So they should also use dev_hold() to increase the
refcnt of skb->dev.
On the other hand, moving dev_put() to tx() causes that the refcnt of
skb->dev be reduced to a negative value, because corresponding
dev_hold() are not called in revalidate(), aoecmd_ata_rw(), resend(),
probe(), and aoecmd_cfg_rsp(). This patch fixed this issue.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: ad80c34944d7175fa1f5c7a55066020002921a99 Version: 1a54aa506b3b2f31496731039e49778f54eee881 Version: faf0b4c5e00bb680e8e43ac936df24d3f48c8e65 Version: 7dd09fa80b0765ce68bfae92f4e2f395ccf0fba4 Version: 74ca3ef68d2f449bc848c0a814cefc487bf755fa Version: eb48680b0255a9e8a9bdc93d6a55b11c31262e62 Version: f98364e926626c678fb4b9004b75cacf92ff0662 Version: f98364e926626c678fb4b9004b75cacf92ff0662 Version: f98364e926626c678fb4b9004b75cacf92ff0662 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49982", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:32:22.974285Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:44.189Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/block/aoe/aoecmd.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "12f7b89dd72b25da4eeaa22097877963cad6418e", status: "affected", version: "ad80c34944d7175fa1f5c7a55066020002921a99", versionType: "git", }, { lessThan: "a786265aecf39015418e4f930cc1c14603a01490", status: "affected", version: "1a54aa506b3b2f31496731039e49778f54eee881", versionType: "git", }, { lessThan: "f63461af2c1a86af4217910e47a5c46e3372e645", status: "affected", version: "faf0b4c5e00bb680e8e43ac936df24d3f48c8e65", versionType: "git", }, { lessThan: "07b418d50ccbbca7e5d87a3a0d41d436cefebf79", status: "affected", version: "7dd09fa80b0765ce68bfae92f4e2f395ccf0fba4", versionType: "git", }, { lessThan: "bc2cbf7525ac288e07d465f5a1d8cb8fb9599254", status: "affected", version: "74ca3ef68d2f449bc848c0a814cefc487bf755fa", versionType: "git", }, { lessThan: "acc5103a0a8c200a52af7d732c36a8477436a3d3", status: "affected", version: "eb48680b0255a9e8a9bdc93d6a55b11c31262e62", versionType: "git", }, { lessThan: "89d9a69ae0c667e4d9d028028e2dcc837bae626f", status: "affected", version: "f98364e926626c678fb4b9004b75cacf92ff0662", versionType: "git", }, { lessThan: "8253a60c89ec35c8f36fb2cc08cdf854c7a3eb58", status: "affected", version: "f98364e926626c678fb4b9004b75cacf92ff0662", versionType: "git", }, { lessThan: "6d6e54fc71ad1ab0a87047fd9c211e75d86084a3", status: "affected", version: "f98364e926626c678fb4b9004b75cacf92ff0662", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/block/aoe/aoecmd.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.9", }, { lessThan: "6.9", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\naoe: fix the potential use-after-free problem in more places\n\nFor fixing CVE-2023-6270, f98364e92662 (\"aoe: fix the potential\nuse-after-free problem in aoecmd_cfg_pkts\") makes tx() calling dev_put()\ninstead of doing in aoecmd_cfg_pkts(). It avoids that the tx() runs\ninto use-after-free.\n\nThen Nicolai Stange found more places in aoe have potential use-after-free\nproblem with tx(). e.g. revalidate(), aoecmd_ata_rw(), resend(), probe()\nand aoecmd_cfg_rsp(). Those functions also use aoenet_xmit() to push\npacket to tx queue. So they should also use dev_hold() to increase the\nrefcnt of skb->dev.\n\nOn the other hand, moving dev_put() to tx() causes that the refcnt of\nskb->dev be reduced to a negative value, because corresponding\ndev_hold() are not called in revalidate(), aoecmd_ata_rw(), resend(),\nprobe(), and aoecmd_cfg_rsp(). This patch fixed this issue.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:30:39.439Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/12f7b89dd72b25da4eeaa22097877963cad6418e", }, { url: "https://git.kernel.org/stable/c/a786265aecf39015418e4f930cc1c14603a01490", }, { url: "https://git.kernel.org/stable/c/f63461af2c1a86af4217910e47a5c46e3372e645", }, { url: "https://git.kernel.org/stable/c/07b418d50ccbbca7e5d87a3a0d41d436cefebf79", }, { url: "https://git.kernel.org/stable/c/bc2cbf7525ac288e07d465f5a1d8cb8fb9599254", }, { url: "https://git.kernel.org/stable/c/acc5103a0a8c200a52af7d732c36a8477436a3d3", }, { url: "https://git.kernel.org/stable/c/89d9a69ae0c667e4d9d028028e2dcc837bae626f", }, { url: "https://git.kernel.org/stable/c/8253a60c89ec35c8f36fb2cc08cdf854c7a3eb58", }, { url: "https://git.kernel.org/stable/c/6d6e54fc71ad1ab0a87047fd9c211e75d86084a3", }, ], title: "aoe: fix the potential use-after-free problem in more places", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49982", datePublished: "2024-10-21T18:02:27.820Z", dateReserved: "2024-10-21T12:17:06.052Z", dateUpdated: "2024-12-19T09:30:39.439Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47748
Vulnerability from cvelistv5
Published
2024-10-21 12:14
Modified
2024-12-19 09:27
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
vhost_vdpa: assign irq bypass producer token correctly
We used to call irq_bypass_unregister_producer() in
vhost_vdpa_setup_vq_irq() which is problematic as we don't know if the
token pointer is still valid or not.
Actually, we use the eventfd_ctx as the token so the life cycle of the
token should be bound to the VHOST_SET_VRING_CALL instead of
vhost_vdpa_setup_vq_irq() which could be called by set_status().
Fixing this by setting up irq bypass producer's token when handling
VHOST_SET_VRING_CALL and un-registering the producer before calling
vhost_vring_ioctl() to prevent a possible use after free as eventfd
could have been released in vhost_vring_ioctl(). And such registering
and unregistering will only be done if DRIVER_OK is set.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 2cf1ba9a4d15cb78b96ea97f727b93382c3f9a60 Version: 2cf1ba9a4d15cb78b96ea97f727b93382c3f9a60 Version: 2cf1ba9a4d15cb78b96ea97f727b93382c3f9a60 Version: 2cf1ba9a4d15cb78b96ea97f727b93382c3f9a60 Version: 2cf1ba9a4d15cb78b96ea97f727b93382c3f9a60 Version: 2cf1ba9a4d15cb78b96ea97f727b93382c3f9a60 Version: 2cf1ba9a4d15cb78b96ea97f727b93382c3f9a60 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47748", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T12:58:17.248658Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:13.447Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/vhost/vdpa.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "0c170b1e918b9afac25e2bbd01eaa2bfc0ece8c0", status: "affected", version: "2cf1ba9a4d15cb78b96ea97f727b93382c3f9a60", versionType: "git", }, { lessThan: "927a2580208e0f9b0b47b08f1c802b7233a7ba3c", status: "affected", version: "2cf1ba9a4d15cb78b96ea97f727b93382c3f9a60", versionType: "git", }, { lessThan: "ec5f1b54ceb23475049ada6e7a43452cf4df88d1", status: "affected", version: "2cf1ba9a4d15cb78b96ea97f727b93382c3f9a60", versionType: "git", }, { lessThan: "ca64edd7ae93402af2596a952e0d94d545e2b9c0", status: "affected", version: "2cf1ba9a4d15cb78b96ea97f727b93382c3f9a60", versionType: "git", }, { lessThan: "fae9b1776f53aab93ab345bdbf653b991aed717d", status: "affected", version: "2cf1ba9a4d15cb78b96ea97f727b93382c3f9a60", versionType: "git", }, { lessThan: "7cf2fb51175cafe01df8c43fa15a06194a59c6e2", status: "affected", version: "2cf1ba9a4d15cb78b96ea97f727b93382c3f9a60", versionType: "git", }, { lessThan: "02e9e9366fefe461719da5d173385b6685f70319", status: "affected", version: "2cf1ba9a4d15cb78b96ea97f727b93382c3f9a60", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/vhost/vdpa.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.9", }, { lessThan: "5.9", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nvhost_vdpa: assign irq bypass producer token correctly\n\nWe used to call irq_bypass_unregister_producer() in\nvhost_vdpa_setup_vq_irq() which is problematic as we don't know if the\ntoken pointer is still valid or not.\n\nActually, we use the eventfd_ctx as the token so the life cycle of the\ntoken should be bound to the VHOST_SET_VRING_CALL instead of\nvhost_vdpa_setup_vq_irq() which could be called by set_status().\n\nFixing this by setting up irq bypass producer's token when handling\nVHOST_SET_VRING_CALL and un-registering the producer before calling\nvhost_vring_ioctl() to prevent a possible use after free as eventfd\ncould have been released in vhost_vring_ioctl(). And such registering\nand unregistering will only be done if DRIVER_OK is set.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:27:20.480Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/0c170b1e918b9afac25e2bbd01eaa2bfc0ece8c0", }, { url: "https://git.kernel.org/stable/c/927a2580208e0f9b0b47b08f1c802b7233a7ba3c", }, { url: "https://git.kernel.org/stable/c/ec5f1b54ceb23475049ada6e7a43452cf4df88d1", }, { url: "https://git.kernel.org/stable/c/ca64edd7ae93402af2596a952e0d94d545e2b9c0", }, { url: "https://git.kernel.org/stable/c/fae9b1776f53aab93ab345bdbf653b991aed717d", }, { url: "https://git.kernel.org/stable/c/7cf2fb51175cafe01df8c43fa15a06194a59c6e2", }, { url: "https://git.kernel.org/stable/c/02e9e9366fefe461719da5d173385b6685f70319", }, ], title: "vhost_vdpa: assign irq bypass producer token correctly", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47748", datePublished: "2024-10-21T12:14:14.448Z", dateReserved: "2024-09-30T16:00:12.960Z", dateUpdated: "2024-12-19T09:27:20.480Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47755
Vulnerability from cvelistv5
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Show details on NVD website{ containers: { cna: { providerMetadata: { dateUpdated: "2024-10-23T06:08:20.948Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, rejectedReasons: [ { lang: "en", value: "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", }, ], }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47755", datePublished: "2024-10-21T12:14:19.107Z", dateRejected: "2024-10-23T06:08:20.948Z", dateReserved: "2024-09-30T16:00:12.962Z", dateUpdated: "2024-10-23T06:08:20.948Z", state: "REJECTED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49869
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:27
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: send: fix buffer overflow detection when copying path to cache entry
Starting with commit c0247d289e73 ("btrfs: send: annotate struct
name_cache_entry with __counted_by()") we annotated the variable length
array "name" from the name_cache_entry structure with __counted_by() to
improve overflow detection. However that alone was not correct, because
the length of that array does not match the "name_len" field - it matches
that plus 1 to include the NUL string terminator, so that makes a
fortified kernel think there's an overflow and report a splat like this:
strcpy: detected buffer overflow: 20 byte write of buffer size 19
WARNING: CPU: 3 PID: 3310 at __fortify_report+0x45/0x50
CPU: 3 UID: 0 PID: 3310 Comm: btrfs Not tainted 6.11.0-prnet #1
Hardware name: CompuLab Ltd. sbc-ihsw/Intense-PC2 (IPC2), BIOS IPC2_3.330.7 X64 03/15/2018
RIP: 0010:__fortify_report+0x45/0x50
Code: 48 8b 34 (...)
RSP: 0018:ffff97ebc0d6f650 EFLAGS: 00010246
RAX: 7749924ef60fa600 RBX: ffff8bf5446a521a RCX: 0000000000000027
RDX: 00000000ffffdfff RSI: ffff97ebc0d6f548 RDI: ffff8bf84e7a1cc8
RBP: ffff8bf548574080 R08: ffffffffa8c40e10 R09: 0000000000005ffd
R10: 0000000000000004 R11: ffffffffa8c70e10 R12: ffff8bf551eef400
R13: 0000000000000000 R14: 0000000000000013 R15: 00000000000003a8
FS: 00007fae144de8c0(0000) GS:ffff8bf84e780000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fae14691690 CR3: 00000001027a2003 CR4: 00000000001706f0
Call Trace:
<TASK>
? __warn+0x12a/0x1d0
? __fortify_report+0x45/0x50
? report_bug+0x154/0x1c0
? handle_bug+0x42/0x70
? exc_invalid_op+0x1a/0x50
? asm_exc_invalid_op+0x1a/0x20
? __fortify_report+0x45/0x50
__fortify_panic+0x9/0x10
__get_cur_name_and_parent+0x3bc/0x3c0
get_cur_path+0x207/0x3b0
send_extent_data+0x709/0x10d0
? find_parent_nodes+0x22df/0x25d0
? mas_nomem+0x13/0x90
? mtree_insert_range+0xa5/0x110
? btrfs_lru_cache_store+0x5f/0x1e0
? iterate_extent_inodes+0x52d/0x5a0
process_extent+0xa96/0x11a0
? __pfx_lookup_backref_cache+0x10/0x10
? __pfx_store_backref_cache+0x10/0x10
? __pfx_iterate_backrefs+0x10/0x10
? __pfx_check_extent_item+0x10/0x10
changed_cb+0x6fa/0x930
? tree_advance+0x362/0x390
? memcmp_extent_buffer+0xd7/0x160
send_subvol+0xf0a/0x1520
btrfs_ioctl_send+0x106b/0x11d0
? __pfx___clone_root_cmp_sort+0x10/0x10
_btrfs_ioctl_send+0x1ac/0x240
btrfs_ioctl+0x75b/0x850
__se_sys_ioctl+0xca/0x150
do_syscall_64+0x85/0x160
? __count_memcg_events+0x69/0x100
? handle_mm_fault+0x1327/0x15c0
? __se_sys_rt_sigprocmask+0xf1/0x180
? syscall_exit_to_user_mode+0x75/0xa0
? do_syscall_64+0x91/0x160
? do_user_addr_fault+0x21d/0x630
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7fae145eeb4f
Code: 00 48 89 (...)
RSP: 002b:00007ffdf1cb09b0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fae145eeb4f
RDX: 00007ffdf1cb0ad0 RSI: 0000000040489426 RDI: 0000000000000004
RBP: 00000000000078fe R08: 00007fae144006c0 R09: 00007ffdf1cb0927
R10: 0000000000000008 R11: 0000000000000246 R12: 00007ffdf1cb1ce8
R13: 0000000000000003 R14: 000055c499fab2e0 R15: 0000000000000004
</TASK>
Fix this by not storing the NUL string terminator since we don't actually
need it for name cache entries, this way "name_len" corresponds to the
actual size of the "name" array. This requires marking the "name" array
field with __nonstring and using memcpy() instead of strcpy() as
recommended by the guidelines at:
https://github.com/KSPP/linux/issues/90
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49869", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:47:11.699189Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:52.211Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/btrfs/send.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "843738ede6cb8b959fb22591fcbabe8b456d7216", status: "affected", version: "c0247d289e73e18f6ddb0895de30c09770fbed95", versionType: "git", }, { lessThan: "96c6ca71572a3556ed0c37237305657ff47174b7", status: "affected", version: "c0247d289e73e18f6ddb0895de30c09770fbed95", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/btrfs/send.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.11", }, { lessThan: "6.11", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: send: fix buffer overflow detection when copying path to cache entry\n\nStarting with commit c0247d289e73 (\"btrfs: send: annotate struct\nname_cache_entry with __counted_by()\") we annotated the variable length\narray \"name\" from the name_cache_entry structure with __counted_by() to\nimprove overflow detection. However that alone was not correct, because\nthe length of that array does not match the \"name_len\" field - it matches\nthat plus 1 to include the NUL string terminator, so that makes a\nfortified kernel think there's an overflow and report a splat like this:\n\n strcpy: detected buffer overflow: 20 byte write of buffer size 19\n WARNING: CPU: 3 PID: 3310 at __fortify_report+0x45/0x50\n CPU: 3 UID: 0 PID: 3310 Comm: btrfs Not tainted 6.11.0-prnet #1\n Hardware name: CompuLab Ltd. sbc-ihsw/Intense-PC2 (IPC2), BIOS IPC2_3.330.7 X64 03/15/2018\n RIP: 0010:__fortify_report+0x45/0x50\n Code: 48 8b 34 (...)\n RSP: 0018:ffff97ebc0d6f650 EFLAGS: 00010246\n RAX: 7749924ef60fa600 RBX: ffff8bf5446a521a RCX: 0000000000000027\n RDX: 00000000ffffdfff RSI: ffff97ebc0d6f548 RDI: ffff8bf84e7a1cc8\n RBP: ffff8bf548574080 R08: ffffffffa8c40e10 R09: 0000000000005ffd\n R10: 0000000000000004 R11: ffffffffa8c70e10 R12: ffff8bf551eef400\n R13: 0000000000000000 R14: 0000000000000013 R15: 00000000000003a8\n FS: 00007fae144de8c0(0000) GS:ffff8bf84e780000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007fae14691690 CR3: 00000001027a2003 CR4: 00000000001706f0\n Call Trace:\n <TASK>\n ? __warn+0x12a/0x1d0\n ? __fortify_report+0x45/0x50\n ? report_bug+0x154/0x1c0\n ? handle_bug+0x42/0x70\n ? exc_invalid_op+0x1a/0x50\n ? asm_exc_invalid_op+0x1a/0x20\n ? __fortify_report+0x45/0x50\n __fortify_panic+0x9/0x10\n __get_cur_name_and_parent+0x3bc/0x3c0\n get_cur_path+0x207/0x3b0\n send_extent_data+0x709/0x10d0\n ? find_parent_nodes+0x22df/0x25d0\n ? mas_nomem+0x13/0x90\n ? mtree_insert_range+0xa5/0x110\n ? btrfs_lru_cache_store+0x5f/0x1e0\n ? iterate_extent_inodes+0x52d/0x5a0\n process_extent+0xa96/0x11a0\n ? __pfx_lookup_backref_cache+0x10/0x10\n ? __pfx_store_backref_cache+0x10/0x10\n ? __pfx_iterate_backrefs+0x10/0x10\n ? __pfx_check_extent_item+0x10/0x10\n changed_cb+0x6fa/0x930\n ? tree_advance+0x362/0x390\n ? memcmp_extent_buffer+0xd7/0x160\n send_subvol+0xf0a/0x1520\n btrfs_ioctl_send+0x106b/0x11d0\n ? __pfx___clone_root_cmp_sort+0x10/0x10\n _btrfs_ioctl_send+0x1ac/0x240\n btrfs_ioctl+0x75b/0x850\n __se_sys_ioctl+0xca/0x150\n do_syscall_64+0x85/0x160\n ? __count_memcg_events+0x69/0x100\n ? handle_mm_fault+0x1327/0x15c0\n ? __se_sys_rt_sigprocmask+0xf1/0x180\n ? syscall_exit_to_user_mode+0x75/0xa0\n ? do_syscall_64+0x91/0x160\n ? do_user_addr_fault+0x21d/0x630\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n RIP: 0033:0x7fae145eeb4f\n Code: 00 48 89 (...)\n RSP: 002b:00007ffdf1cb09b0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fae145eeb4f\n RDX: 00007ffdf1cb0ad0 RSI: 0000000040489426 RDI: 0000000000000004\n RBP: 00000000000078fe R08: 00007fae144006c0 R09: 00007ffdf1cb0927\n R10: 0000000000000008 R11: 0000000000000246 R12: 00007ffdf1cb1ce8\n R13: 0000000000000003 R14: 000055c499fab2e0 R15: 0000000000000004\n </TASK>\n\nFix this by not storing the NUL string terminator since we don't actually\nneed it for name cache entries, this way \"name_len\" corresponds to the\nactual size of the \"name\" array. This requires marking the \"name\" array\nfield with __nonstring and using memcpy() instead of strcpy() as\nrecommended by the guidelines at:\n\n https://github.com/KSPP/linux/issues/90", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:27:56.055Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/843738ede6cb8b959fb22591fcbabe8b456d7216", }, { url: "https://git.kernel.org/stable/c/96c6ca71572a3556ed0c37237305657ff47174b7", }, ], title: "btrfs: send: fix buffer overflow detection when copying path to cache entry", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49869", datePublished: "2024-10-21T18:01:11.389Z", dateReserved: "2024-10-21T12:17:06.019Z", dateUpdated: "2024-12-19T09:27:56.055Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49932
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:29
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: don't readahead the relocation inode on RST
On relocation we're doing readahead on the relocation inode, but if the
filesystem is backed by a RAID stripe tree we can get ENOENT (e.g. due to
preallocated extents not being mapped in the RST) from the lookup.
But readahead doesn't handle the error and submits invalid reads to the
device, causing an assertion in the scatter-gather list code:
BTRFS info (device nvme1n1): balance: start -d -m -s
BTRFS info (device nvme1n1): relocating block group 6480920576 flags data|raid0
BTRFS error (device nvme1n1): cannot find raid-stripe for logical [6481928192, 6481969152] devid 2, profile raid0
------------[ cut here ]------------
kernel BUG at include/linux/scatterlist.h:115!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP PTI
CPU: 0 PID: 1012 Comm: btrfs Not tainted 6.10.0-rc7+ #567
RIP: 0010:__blk_rq_map_sg+0x339/0x4a0
RSP: 0018:ffffc90001a43820 EFLAGS: 00010202
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffea00045d4802
RDX: 0000000117520000 RSI: 0000000000000000 RDI: ffff8881027d1000
RBP: 0000000000003000 R08: ffffea00045d4902 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000001000 R12: ffff8881003d10b8
R13: ffffc90001a438f0 R14: 0000000000000000 R15: 0000000000003000
FS: 00007fcc048a6900(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000002cd11000 CR3: 00000001109ea001 CR4: 0000000000370eb0
Call Trace:
<TASK>
? __die_body.cold+0x14/0x25
? die+0x2e/0x50
? do_trap+0xca/0x110
? do_error_trap+0x65/0x80
? __blk_rq_map_sg+0x339/0x4a0
? exc_invalid_op+0x50/0x70
? __blk_rq_map_sg+0x339/0x4a0
? asm_exc_invalid_op+0x1a/0x20
? __blk_rq_map_sg+0x339/0x4a0
nvme_prep_rq.part.0+0x9d/0x770
nvme_queue_rq+0x7d/0x1e0
__blk_mq_issue_directly+0x2a/0x90
? blk_mq_get_budget_and_tag+0x61/0x90
blk_mq_try_issue_list_directly+0x56/0xf0
blk_mq_flush_plug_list.part.0+0x52b/0x5d0
__blk_flush_plug+0xc6/0x110
blk_finish_plug+0x28/0x40
read_pages+0x160/0x1c0
page_cache_ra_unbounded+0x109/0x180
relocate_file_extent_cluster+0x611/0x6a0
? btrfs_search_slot+0xba4/0xd20
? balance_dirty_pages_ratelimited_flags+0x26/0xb00
relocate_data_extent.constprop.0+0x134/0x160
relocate_block_group+0x3f2/0x500
btrfs_relocate_block_group+0x250/0x430
btrfs_relocate_chunk+0x3f/0x130
btrfs_balance+0x71b/0xef0
? kmalloc_trace_noprof+0x13b/0x280
btrfs_ioctl+0x2c2e/0x3030
? kvfree_call_rcu+0x1e6/0x340
? list_lru_add_obj+0x66/0x80
? mntput_no_expire+0x3a/0x220
__x64_sys_ioctl+0x96/0xc0
do_syscall_64+0x54/0x110
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7fcc04514f9b
Code: Unable to access opcode bytes at 0x7fcc04514f71.
RSP: 002b:00007ffeba923370 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fcc04514f9b
RDX: 00007ffeba923460 RSI: 00000000c4009420 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000013 R09: 0000000000000001
R10: 00007fcc043fbba8 R11: 0000000000000246 R12: 00007ffeba924fc5
R13: 00007ffeba923460 R14: 0000000000000002 R15: 00000000004d4bb0
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__blk_rq_map_sg+0x339/0x4a0
RSP: 0018:ffffc90001a43820 EFLAGS: 00010202
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffea00045d4802
RDX: 0000000117520000 RSI: 0000000000000000 RDI: ffff8881027d1000
RBP: 0000000000003000 R08: ffffea00045d4902 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000001000 R12: ffff8881003d10b8
R13: ffffc90001a438f0 R14: 0000000000000000 R15: 0000000000003000
FS: 00007fcc048a6900(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fcc04514f71 CR3: 00000001109ea001 CR4: 0000000000370eb0
Kernel p
---truncated---
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49932", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:38:55.739615Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:43.075Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/btrfs/relocation.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "f7a1218a983ab98aba140dc20b25f60b39ee4033", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "04915240e2c3a018e4c7f23418478d27226c8957", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/btrfs/relocation.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: don't readahead the relocation inode on RST\n\nOn relocation we're doing readahead on the relocation inode, but if the\nfilesystem is backed by a RAID stripe tree we can get ENOENT (e.g. due to\npreallocated extents not being mapped in the RST) from the lookup.\n\nBut readahead doesn't handle the error and submits invalid reads to the\ndevice, causing an assertion in the scatter-gather list code:\n\n BTRFS info (device nvme1n1): balance: start -d -m -s\n BTRFS info (device nvme1n1): relocating block group 6480920576 flags data|raid0\n BTRFS error (device nvme1n1): cannot find raid-stripe for logical [6481928192, 6481969152] devid 2, profile raid0\n ------------[ cut here ]------------\n kernel BUG at include/linux/scatterlist.h:115!\n Oops: invalid opcode: 0000 [#1] PREEMPT SMP PTI\n CPU: 0 PID: 1012 Comm: btrfs Not tainted 6.10.0-rc7+ #567\n RIP: 0010:__blk_rq_map_sg+0x339/0x4a0\n RSP: 0018:ffffc90001a43820 EFLAGS: 00010202\n RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffea00045d4802\n RDX: 0000000117520000 RSI: 0000000000000000 RDI: ffff8881027d1000\n RBP: 0000000000003000 R08: ffffea00045d4902 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000001000 R12: ffff8881003d10b8\n R13: ffffc90001a438f0 R14: 0000000000000000 R15: 0000000000003000\n FS: 00007fcc048a6900(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000000002cd11000 CR3: 00000001109ea001 CR4: 0000000000370eb0\n Call Trace:\n <TASK>\n ? __die_body.cold+0x14/0x25\n ? die+0x2e/0x50\n ? do_trap+0xca/0x110\n ? do_error_trap+0x65/0x80\n ? __blk_rq_map_sg+0x339/0x4a0\n ? exc_invalid_op+0x50/0x70\n ? __blk_rq_map_sg+0x339/0x4a0\n ? asm_exc_invalid_op+0x1a/0x20\n ? __blk_rq_map_sg+0x339/0x4a0\n nvme_prep_rq.part.0+0x9d/0x770\n nvme_queue_rq+0x7d/0x1e0\n __blk_mq_issue_directly+0x2a/0x90\n ? blk_mq_get_budget_and_tag+0x61/0x90\n blk_mq_try_issue_list_directly+0x56/0xf0\n blk_mq_flush_plug_list.part.0+0x52b/0x5d0\n __blk_flush_plug+0xc6/0x110\n blk_finish_plug+0x28/0x40\n read_pages+0x160/0x1c0\n page_cache_ra_unbounded+0x109/0x180\n relocate_file_extent_cluster+0x611/0x6a0\n ? btrfs_search_slot+0xba4/0xd20\n ? balance_dirty_pages_ratelimited_flags+0x26/0xb00\n relocate_data_extent.constprop.0+0x134/0x160\n relocate_block_group+0x3f2/0x500\n btrfs_relocate_block_group+0x250/0x430\n btrfs_relocate_chunk+0x3f/0x130\n btrfs_balance+0x71b/0xef0\n ? kmalloc_trace_noprof+0x13b/0x280\n btrfs_ioctl+0x2c2e/0x3030\n ? kvfree_call_rcu+0x1e6/0x340\n ? list_lru_add_obj+0x66/0x80\n ? mntput_no_expire+0x3a/0x220\n __x64_sys_ioctl+0x96/0xc0\n do_syscall_64+0x54/0x110\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n RIP: 0033:0x7fcc04514f9b\n Code: Unable to access opcode bytes at 0x7fcc04514f71.\n RSP: 002b:00007ffeba923370 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fcc04514f9b\n RDX: 00007ffeba923460 RSI: 00000000c4009420 RDI: 0000000000000003\n RBP: 0000000000000000 R08: 0000000000000013 R09: 0000000000000001\n R10: 00007fcc043fbba8 R11: 0000000000000246 R12: 00007ffeba924fc5\n R13: 00007ffeba923460 R14: 0000000000000002 R15: 00000000004d4bb0\n </TASK>\n Modules linked in:\n ---[ end trace 0000000000000000 ]---\n RIP: 0010:__blk_rq_map_sg+0x339/0x4a0\n RSP: 0018:ffffc90001a43820 EFLAGS: 00010202\n RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffea00045d4802\n RDX: 0000000117520000 RSI: 0000000000000000 RDI: ffff8881027d1000\n RBP: 0000000000003000 R08: ffffea00045d4902 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000001000 R12: ffff8881003d10b8\n R13: ffffc90001a438f0 R14: 0000000000000000 R15: 0000000000003000\n FS: 00007fcc048a6900(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007fcc04514f71 CR3: 00000001109ea001 CR4: 0000000000370eb0\n Kernel p\n---truncated---", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:29:18.386Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/f7a1218a983ab98aba140dc20b25f60b39ee4033", }, { url: "https://git.kernel.org/stable/c/04915240e2c3a018e4c7f23418478d27226c8957", }, ], title: "btrfs: don't readahead the relocation inode on RST", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49932", datePublished: "2024-10-21T18:01:54.410Z", dateReserved: "2024-10-21T12:17:06.040Z", dateUpdated: "2024-12-19T09:29:18.386Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47702
Vulnerability from cvelistv5
Published
2024-10-21 11:53
Modified
2024-12-19 09:26
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fail verification for sign-extension of packet data/data_end/data_meta
syzbot reported a kernel crash due to
commit 1f1e864b6555 ("bpf: Handle sign-extenstin ctx member accesses").
The reason is due to sign-extension of 32-bit load for
packet data/data_end/data_meta uapi field.
The original code looks like:
r2 = *(s32 *)(r1 + 76) /* load __sk_buff->data */
r3 = *(u32 *)(r1 + 80) /* load __sk_buff->data_end */
r0 = r2
r0 += 8
if r3 > r0 goto +1
...
Note that __sk_buff->data load has 32-bit sign extension.
After verification and convert_ctx_accesses(), the final asm code looks like:
r2 = *(u64 *)(r1 +208)
r2 = (s32)r2
r3 = *(u64 *)(r1 +80)
r0 = r2
r0 += 8
if r3 > r0 goto pc+1
...
Note that 'r2 = (s32)r2' may make the kernel __sk_buff->data address invalid
which may cause runtime failure.
Currently, in C code, typically we have
void *data = (void *)(long)skb->data;
void *data_end = (void *)(long)skb->data_end;
...
and it will generate
r2 = *(u64 *)(r1 +208)
r3 = *(u64 *)(r1 +80)
r0 = r2
r0 += 8
if r3 > r0 goto pc+1
If we allow sign-extension,
void *data = (void *)(long)(int)skb->data;
void *data_end = (void *)(long)skb->data_end;
...
the generated code looks like
r2 = *(u64 *)(r1 +208)
r2 <<= 32
r2 s>>= 32
r3 = *(u64 *)(r1 +80)
r0 = r2
r0 += 8
if r3 > r0 goto pc+1
and this will cause verification failure since "r2 <<= 32" is not allowed
as "r2" is a packet pointer.
To fix this issue for case
r2 = *(s32 *)(r1 + 76) /* load __sk_buff->data */
this patch added additional checking in is_valid_access() callback
function for packet data/data_end/data_meta access. If those accesses
are with sign-extenstion, the verification will fail.
[1] https://lore.kernel.org/bpf/000000000000c90eee061d236d37@google.com/
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47702", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:04:24.861686Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:14:13.443Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "include/linux/bpf.h", "kernel/bpf/verifier.c", "net/core/filter.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "f1620c93a1ec950d87ef327a565d3907736d3340", status: "affected", version: "1f1e864b65554e33fe74e3377e58b12f4302f2eb", versionType: "git", }, { lessThan: "f09757fe97a225ae505886eac572e4cbfba96537", status: "affected", version: "1f1e864b65554e33fe74e3377e58b12f4302f2eb", versionType: "git", }, { lessThan: "92de36080c93296ef9005690705cba260b9bd68a", status: "affected", version: "1f1e864b65554e33fe74e3377e58b12f4302f2eb", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "include/linux/bpf.h", "kernel/bpf/verifier.c", "net/core/filter.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.6", }, { lessThan: "6.6", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fail verification for sign-extension of packet data/data_end/data_meta\n\nsyzbot reported a kernel crash due to\n commit 1f1e864b6555 (\"bpf: Handle sign-extenstin ctx member accesses\").\nThe reason is due to sign-extension of 32-bit load for\npacket data/data_end/data_meta uapi field.\n\nThe original code looks like:\n r2 = *(s32 *)(r1 + 76) /* load __sk_buff->data */\n r3 = *(u32 *)(r1 + 80) /* load __sk_buff->data_end */\n r0 = r2\n r0 += 8\n if r3 > r0 goto +1\n ...\nNote that __sk_buff->data load has 32-bit sign extension.\n\nAfter verification and convert_ctx_accesses(), the final asm code looks like:\n r2 = *(u64 *)(r1 +208)\n r2 = (s32)r2\n r3 = *(u64 *)(r1 +80)\n r0 = r2\n r0 += 8\n if r3 > r0 goto pc+1\n ...\nNote that 'r2 = (s32)r2' may make the kernel __sk_buff->data address invalid\nwhich may cause runtime failure.\n\nCurrently, in C code, typically we have\n void *data = (void *)(long)skb->data;\n void *data_end = (void *)(long)skb->data_end;\n ...\nand it will generate\n r2 = *(u64 *)(r1 +208)\n r3 = *(u64 *)(r1 +80)\n r0 = r2\n r0 += 8\n if r3 > r0 goto pc+1\n\nIf we allow sign-extension,\n void *data = (void *)(long)(int)skb->data;\n void *data_end = (void *)(long)skb->data_end;\n ...\nthe generated code looks like\n r2 = *(u64 *)(r1 +208)\n r2 <<= 32\n r2 s>>= 32\n r3 = *(u64 *)(r1 +80)\n r0 = r2\n r0 += 8\n if r3 > r0 goto pc+1\nand this will cause verification failure since \"r2 <<= 32\" is not allowed\nas \"r2\" is a packet pointer.\n\nTo fix this issue for case\n r2 = *(s32 *)(r1 + 76) /* load __sk_buff->data */\nthis patch added additional checking in is_valid_access() callback\nfunction for packet data/data_end/data_meta access. If those accesses\nare with sign-extenstion, the verification will fail.\n\n [1] https://lore.kernel.org/bpf/000000000000c90eee061d236d37@google.com/", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:26:24.243Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/f1620c93a1ec950d87ef327a565d3907736d3340", }, { url: "https://git.kernel.org/stable/c/f09757fe97a225ae505886eac572e4cbfba96537", }, { url: "https://git.kernel.org/stable/c/92de36080c93296ef9005690705cba260b9bd68a", }, ], title: "bpf: Fail verification for sign-extension of packet data/data_end/data_meta", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47702", datePublished: "2024-10-21T11:53:37.958Z", dateReserved: "2024-09-30T16:00:12.945Z", dateUpdated: "2024-12-19T09:26:24.243Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49929
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:29
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: iwlwifi: mvm: avoid NULL pointer dereference
iwl_mvm_tx_skb_sta() and iwl_mvm_tx_mpdu() verify that the mvmvsta
pointer is not NULL.
It retrieves this pointer using iwl_mvm_sta_from_mac80211, which is
dereferencing the ieee80211_sta pointer.
If sta is NULL, iwl_mvm_sta_from_mac80211 will dereference a NULL
pointer.
Fix this by checking the sta pointer before retrieving the mvmsta
from it. If sta is not NULL, then mvmsta isn't either.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49929", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:39:18.933944Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:43.528Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/wireless/intel/iwlwifi/mvm/tx.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "cbc6fc9cfcde151ff5eadaefdc6155f99579384f", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "6dcadb2ed3b76623ab96e3e7fbeda1a374d01c28", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "cdbf51bfa4b0411820806777da36d93d49bc49a1", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "c0b4f5d94934c290479180868a32c15ba36a6d9e", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "557a6cd847645e667f3b362560bd7e7c09aac284", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/wireless/intel/iwlwifi/mvm/tx.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.120", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: avoid NULL pointer dereference\n\niwl_mvm_tx_skb_sta() and iwl_mvm_tx_mpdu() verify that the mvmvsta\npointer is not NULL.\nIt retrieves this pointer using iwl_mvm_sta_from_mac80211, which is\ndereferencing the ieee80211_sta pointer.\nIf sta is NULL, iwl_mvm_sta_from_mac80211 will dereference a NULL\npointer.\nFix this by checking the sta pointer before retrieving the mvmsta\nfrom it. If sta is not NULL, then mvmsta isn't either.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:29:14.775Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/cbc6fc9cfcde151ff5eadaefdc6155f99579384f", }, { url: "https://git.kernel.org/stable/c/6dcadb2ed3b76623ab96e3e7fbeda1a374d01c28", }, { url: "https://git.kernel.org/stable/c/cdbf51bfa4b0411820806777da36d93d49bc49a1", }, { url: "https://git.kernel.org/stable/c/c0b4f5d94934c290479180868a32c15ba36a6d9e", }, { url: "https://git.kernel.org/stable/c/557a6cd847645e667f3b362560bd7e7c09aac284", }, ], title: "wifi: iwlwifi: mvm: avoid NULL pointer dereference", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49929", datePublished: "2024-10-21T18:01:52.450Z", dateReserved: "2024-10-21T12:17:06.039Z", dateUpdated: "2024-12-19T09:29:14.775Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49854
Vulnerability from cvelistv5
Published
2024-10-21 12:18
Modified
2024-12-19 09:27
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
block, bfq: fix uaf for accessing waker_bfqq after splitting
After commit 42c306ed7233 ("block, bfq: don't break merge chain in
bfq_split_bfqq()"), if the current procress is the last holder of bfqq,
the bfqq can be freed after bfq_split_bfqq(). Hence recored the bfqq and
then access bfqq->waker_bfqq may trigger UAF. What's more, the waker_bfqq
may in the merge chain of bfqq, hence just recored waker_bfqq is still
not safe.
Fix the problem by adding a helper bfq_waker_bfqq() to check if
bfqq->waker_bfqq is in the merge chain, and current procress is the only
holder.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: e0c20d88b7dce85d2703bb6ba77bf359959675cd Version: de6c5e3a456019d2182e345730e59721714fa0b5 Version: 19f3bec2ac4be329b9bd12b18a989b867618d2d8 Version: 13b3d0e8cb121f99b11918a0d4bcc1ce4647d352 Version: 4780f50ea50cfe8e89fc3747bf3dd155488433bb Version: 42c306ed723321af4003b2a41bb73728cab54f85 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49854", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T12:56:32.405058Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:11.371Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "block/bfq-iosched.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "63a07379fdb6c72450cb05294461c6016b8b7726", status: "affected", version: "e0c20d88b7dce85d2703bb6ba77bf359959675cd", versionType: "git", }, { lessThan: "de0456460f2abf921e356ed2bd8da87a376680bd", status: "affected", version: "de6c5e3a456019d2182e345730e59721714fa0b5", versionType: "git", }, { lessThan: "0780451f03bf518bc032a7c584de8f92e2d39d7f", status: "affected", version: "19f3bec2ac4be329b9bd12b18a989b867618d2d8", versionType: "git", }, { lessThan: "0b8bda0ff17156cd3f60944527c9d8c9f99f1583", status: "affected", version: "13b3d0e8cb121f99b11918a0d4bcc1ce4647d352", versionType: "git", }, { lessThan: "cae58d19121a70329cf971359e2518c93fec04fe", status: "affected", version: "4780f50ea50cfe8e89fc3747bf3dd155488433bb", versionType: "git", }, { lessThan: "1ba0403ac6447f2d63914fb760c44a3b19c44eaf", status: "affected", version: "42c306ed723321af4003b2a41bb73728cab54f85", versionType: "git", }, ], }, { defaultStatus: "unaffected", product: "Linux", programFiles: [ "block/bfq-iosched.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nblock, bfq: fix uaf for accessing waker_bfqq after splitting\n\nAfter commit 42c306ed7233 (\"block, bfq: don't break merge chain in\nbfq_split_bfqq()\"), if the current procress is the last holder of bfqq,\nthe bfqq can be freed after bfq_split_bfqq(). Hence recored the bfqq and\nthen access bfqq->waker_bfqq may trigger UAF. What's more, the waker_bfqq\nmay in the merge chain of bfqq, hence just recored waker_bfqq is still\nnot safe.\n\nFix the problem by adding a helper bfq_waker_bfqq() to check if\nbfqq->waker_bfqq is in the merge chain, and current procress is the only\nholder.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:27:36.671Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/63a07379fdb6c72450cb05294461c6016b8b7726", }, { url: "https://git.kernel.org/stable/c/de0456460f2abf921e356ed2bd8da87a376680bd", }, { url: "https://git.kernel.org/stable/c/0780451f03bf518bc032a7c584de8f92e2d39d7f", }, { url: "https://git.kernel.org/stable/c/0b8bda0ff17156cd3f60944527c9d8c9f99f1583", }, { url: "https://git.kernel.org/stable/c/cae58d19121a70329cf971359e2518c93fec04fe", }, { url: "https://git.kernel.org/stable/c/1ba0403ac6447f2d63914fb760c44a3b19c44eaf", }, ], title: "block, bfq: fix uaf for accessing waker_bfqq after splitting", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49854", datePublished: "2024-10-21T12:18:46.723Z", dateReserved: "2024-10-21T12:17:06.016Z", dateUpdated: "2024-12-19T09:27:36.671Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49987
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-19 09:30
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpftool: Fix undefined behavior in qsort(NULL, 0, ...)
When netfilter has no entry to display, qsort is called with
qsort(NULL, 0, ...). This results in undefined behavior, as UBSan
reports:
net.c:827:2: runtime error: null pointer passed as argument 1, which is declared to never be null
Although the C standard does not explicitly state whether calling qsort
with a NULL pointer when the size is 0 constitutes undefined behavior,
Section 7.1.4 of the C standard (Use of library functions) mentions:
"Each of the following statements applies unless explicitly stated
otherwise in the detailed descriptions that follow: If an argument to a
function has an invalid value (such as a value outside the domain of
the function, or a pointer outside the address space of the program, or
a null pointer, or a pointer to non-modifiable storage when the
corresponding parameter is not const-qualified) or a type (after
promotion) not expected by a function with variable number of
arguments, the behavior is undefined."
To avoid this, add an early return when nf_link_info is NULL to prevent
calling qsort with a NULL pointer.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49987", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:31:44.384847Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:43.446Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "tools/bpf/bpftool/net.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "c2d9f9a7837ab29ccae0c42252f17d436bf0a501", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "2e0f6f33f2aa87493b365a38a8fd87b8854b7734", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "c208b02827eb642758cef65641995fd3f38c89af", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "f04e2ad394e2755d0bb2d858ecb5598718bf00d5", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "tools/bpf/bpftool/net.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nbpftool: Fix undefined behavior in qsort(NULL, 0, ...)\n\nWhen netfilter has no entry to display, qsort is called with\nqsort(NULL, 0, ...). This results in undefined behavior, as UBSan\nreports:\n\nnet.c:827:2: runtime error: null pointer passed as argument 1, which is declared to never be null\n\nAlthough the C standard does not explicitly state whether calling qsort\nwith a NULL pointer when the size is 0 constitutes undefined behavior,\nSection 7.1.4 of the C standard (Use of library functions) mentions:\n\n\"Each of the following statements applies unless explicitly stated\notherwise in the detailed descriptions that follow: If an argument to a\nfunction has an invalid value (such as a value outside the domain of\nthe function, or a pointer outside the address space of the program, or\na null pointer, or a pointer to non-modifiable storage when the\ncorresponding parameter is not const-qualified) or a type (after\npromotion) not expected by a function with variable number of\narguments, the behavior is undefined.\"\n\nTo avoid this, add an early return when nf_link_info is NULL to prevent\ncalling qsort with a NULL pointer.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:30:45.735Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/c2d9f9a7837ab29ccae0c42252f17d436bf0a501", }, { url: "https://git.kernel.org/stable/c/2e0f6f33f2aa87493b365a38a8fd87b8854b7734", }, { url: "https://git.kernel.org/stable/c/c208b02827eb642758cef65641995fd3f38c89af", }, { url: "https://git.kernel.org/stable/c/f04e2ad394e2755d0bb2d858ecb5598718bf00d5", }, ], title: "bpftool: Fix undefined behavior in qsort(NULL, 0, ...)", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49987", datePublished: "2024-10-21T18:02:31.209Z", dateReserved: "2024-10-21T12:17:06.054Z", dateUpdated: "2024-12-19T09:30:45.735Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47701
Vulnerability from cvelistv5
Published
2024-10-21 11:53
Modified
2024-12-19 09:26
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: avoid OOB when system.data xattr changes underneath the filesystem
When looking up for an entry in an inlined directory, if e_value_offs is
changed underneath the filesystem by some change in the block device, it
will lead to an out-of-bounds access that KASAN detects as an UAF.
EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none.
loop0: detected capacity change from 2048 to 2047
==================================================================
BUG: KASAN: use-after-free in ext4_search_dir+0xf2/0x1c0 fs/ext4/namei.c:1500
Read of size 1 at addr ffff88803e91130f by task syz-executor269/5103
CPU: 0 UID: 0 PID: 5103 Comm: syz-executor269 Not tainted 6.11.0-rc4-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:93 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
ext4_search_dir+0xf2/0x1c0 fs/ext4/namei.c:1500
ext4_find_inline_entry+0x4be/0x5e0 fs/ext4/inline.c:1697
__ext4_find_entry+0x2b4/0x1b30 fs/ext4/namei.c:1573
ext4_lookup_entry fs/ext4/namei.c:1727 [inline]
ext4_lookup+0x15f/0x750 fs/ext4/namei.c:1795
lookup_one_qstr_excl+0x11f/0x260 fs/namei.c:1633
filename_create+0x297/0x540 fs/namei.c:3980
do_symlinkat+0xf9/0x3a0 fs/namei.c:4587
__do_sys_symlinkat fs/namei.c:4610 [inline]
__se_sys_symlinkat fs/namei.c:4607 [inline]
__x64_sys_symlinkat+0x95/0xb0 fs/namei.c:4607
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f3e73ced469
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 21 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff4d40c258 EFLAGS: 00000246 ORIG_RAX: 000000000000010a
RAX: ffffffffffffffda RBX: 0032656c69662f2e RCX: 00007f3e73ced469
RDX: 0000000020000200 RSI: 00000000ffffff9c RDI: 00000000200001c0
RBP: 0000000000000000 R08: 00007fff4d40c290 R09: 00007fff4d40c290
R10: 0023706f6f6c2f76 R11: 0000000000000246 R12: 00007fff4d40c27c
R13: 0000000000000003 R14: 431bde82d7b634db R15: 00007fff4d40c2b0
</TASK>
Calling ext4_xattr_ibody_find right after reading the inode with
ext4_get_inode_loc will lead to a check of the validity of the xattrs,
avoiding this problem.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: e8e948e7802a2ab05c146d3e72a39b93b5718236 Version: e8e948e7802a2ab05c146d3e72a39b93b5718236 Version: e8e948e7802a2ab05c146d3e72a39b93b5718236 Version: e8e948e7802a2ab05c146d3e72a39b93b5718236 Version: e8e948e7802a2ab05c146d3e72a39b93b5718236 Version: e8e948e7802a2ab05c146d3e72a39b93b5718236 Version: e8e948e7802a2ab05c146d3e72a39b93b5718236 Version: e8e948e7802a2ab05c146d3e72a39b93b5718236 Version: e8e948e7802a2ab05c146d3e72a39b93b5718236 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47701", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:04:32.824362Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:14:13.562Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/ext4/inline.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "5b076d37e8d99918e9294bd6b35a8bbb436819b0", status: "affected", version: "e8e948e7802a2ab05c146d3e72a39b93b5718236", versionType: "git", }, { lessThan: "8adf0eb4e361a9e060d54f4bd0ac9c5d85277d20", status: "affected", version: "e8e948e7802a2ab05c146d3e72a39b93b5718236", versionType: "git", }, { lessThan: "7fc22c3b3ffc0e952f5e0062dd11aa6ae76affba", status: "affected", version: "e8e948e7802a2ab05c146d3e72a39b93b5718236", versionType: "git", }, { lessThan: "be2e9b111e2790962cc66a177869b4e9717b4e29", status: "affected", version: "e8e948e7802a2ab05c146d3e72a39b93b5718236", versionType: "git", }, { lessThan: "ea32883e4a03ed575a2eb7a66542022312bde477", status: "affected", version: "e8e948e7802a2ab05c146d3e72a39b93b5718236", versionType: "git", }, { lessThan: "2a6579ef5f2576a940125729f7409cc182f1c8df", status: "affected", version: "e8e948e7802a2ab05c146d3e72a39b93b5718236", versionType: "git", }, { lessThan: "371d0bacecd529f887ea2547333d9173e7bcdc0a", status: "affected", version: "e8e948e7802a2ab05c146d3e72a39b93b5718236", versionType: "git", }, { lessThan: "ccb8c18076e2e630fea23fbec583cdad61787fc5", status: "affected", version: "e8e948e7802a2ab05c146d3e72a39b93b5718236", versionType: "git", }, { lessThan: "c6b72f5d82b1017bad80f9ebf502832fc321d796", status: "affected", version: "e8e948e7802a2ab05c146d3e72a39b93b5718236", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/ext4/inline.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "3.8", }, { lessThan: "3.8", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\next4: avoid OOB when system.data xattr changes underneath the filesystem\n\nWhen looking up for an entry in an inlined directory, if e_value_offs is\nchanged underneath the filesystem by some change in the block device, it\nwill lead to an out-of-bounds access that KASAN detects as an UAF.\n\nEXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none.\nloop0: detected capacity change from 2048 to 2047\n==================================================================\nBUG: KASAN: use-after-free in ext4_search_dir+0xf2/0x1c0 fs/ext4/namei.c:1500\nRead of size 1 at addr ffff88803e91130f by task syz-executor269/5103\n\nCPU: 0 UID: 0 PID: 5103 Comm: syz-executor269 Not tainted 6.11.0-rc4-syzkaller #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:93 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n ext4_search_dir+0xf2/0x1c0 fs/ext4/namei.c:1500\n ext4_find_inline_entry+0x4be/0x5e0 fs/ext4/inline.c:1697\n __ext4_find_entry+0x2b4/0x1b30 fs/ext4/namei.c:1573\n ext4_lookup_entry fs/ext4/namei.c:1727 [inline]\n ext4_lookup+0x15f/0x750 fs/ext4/namei.c:1795\n lookup_one_qstr_excl+0x11f/0x260 fs/namei.c:1633\n filename_create+0x297/0x540 fs/namei.c:3980\n do_symlinkat+0xf9/0x3a0 fs/namei.c:4587\n __do_sys_symlinkat fs/namei.c:4610 [inline]\n __se_sys_symlinkat fs/namei.c:4607 [inline]\n __x64_sys_symlinkat+0x95/0xb0 fs/namei.c:4607\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f3e73ced469\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 21 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fff4d40c258 EFLAGS: 00000246 ORIG_RAX: 000000000000010a\nRAX: ffffffffffffffda RBX: 0032656c69662f2e RCX: 00007f3e73ced469\nRDX: 0000000020000200 RSI: 00000000ffffff9c RDI: 00000000200001c0\nRBP: 0000000000000000 R08: 00007fff4d40c290 R09: 00007fff4d40c290\nR10: 0023706f6f6c2f76 R11: 0000000000000246 R12: 00007fff4d40c27c\nR13: 0000000000000003 R14: 431bde82d7b634db R15: 00007fff4d40c2b0\n </TASK>\n\nCalling ext4_xattr_ibody_find right after reading the inode with\next4_get_inode_loc will lead to a check of the validity of the xattrs,\navoiding this problem.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:26:22.988Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/5b076d37e8d99918e9294bd6b35a8bbb436819b0", }, { url: "https://git.kernel.org/stable/c/8adf0eb4e361a9e060d54f4bd0ac9c5d85277d20", }, { url: "https://git.kernel.org/stable/c/7fc22c3b3ffc0e952f5e0062dd11aa6ae76affba", }, { url: "https://git.kernel.org/stable/c/be2e9b111e2790962cc66a177869b4e9717b4e29", }, { url: "https://git.kernel.org/stable/c/ea32883e4a03ed575a2eb7a66542022312bde477", }, { url: "https://git.kernel.org/stable/c/2a6579ef5f2576a940125729f7409cc182f1c8df", }, { url: "https://git.kernel.org/stable/c/371d0bacecd529f887ea2547333d9173e7bcdc0a", }, { url: "https://git.kernel.org/stable/c/ccb8c18076e2e630fea23fbec583cdad61787fc5", }, { url: "https://git.kernel.org/stable/c/c6b72f5d82b1017bad80f9ebf502832fc321d796", }, ], title: "ext4: avoid OOB when system.data xattr changes underneath the filesystem", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47701", datePublished: "2024-10-21T11:53:37.276Z", dateReserved: "2024-09-30T16:00:12.945Z", dateUpdated: "2024-12-19T09:26:22.988Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49954
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-19 09:30
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
static_call: Replace pointless WARN_ON() in static_call_module_notify()
static_call_module_notify() triggers a WARN_ON(), when memory allocation
fails in __static_call_add_module().
That's not really justified, because the failure case must be correctly
handled by the well known call chain and the error code is passed
through to the initiating userspace application.
A memory allocation fail is not a fatal problem, but the WARN_ON() takes
the machine out when panic_on_warn is set.
Replace it with a pr_warn().
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 9183c3f9ed710a8edf1a61e8a96d497258d26e08 Version: 9183c3f9ed710a8edf1a61e8a96d497258d26e08 Version: 9183c3f9ed710a8edf1a61e8a96d497258d26e08 Version: 9183c3f9ed710a8edf1a61e8a96d497258d26e08 Version: 9183c3f9ed710a8edf1a61e8a96d497258d26e08 Version: 9183c3f9ed710a8edf1a61e8a96d497258d26e08 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49954", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:35:58.998155Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:48.704Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "kernel/static_call_inline.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "bc9356513d56b688775497b7ac6f2b967f46a80c", status: "affected", version: "9183c3f9ed710a8edf1a61e8a96d497258d26e08", versionType: "git", }, { lessThan: "ea2cdf4da093d0482f0ef36ba971e2e0c7673425", status: "affected", version: "9183c3f9ed710a8edf1a61e8a96d497258d26e08", versionType: "git", }, { lessThan: "e67534bd31d79952b50e791e92adf0b3e6c13b8c", status: "affected", version: "9183c3f9ed710a8edf1a61e8a96d497258d26e08", versionType: "git", }, { lessThan: "85a104aaef1f56623acc10ba4c42d5f046ba65b7", status: "affected", version: "9183c3f9ed710a8edf1a61e8a96d497258d26e08", versionType: "git", }, { lessThan: "b83bef74c121a3311240fc4002d23486b85355e4", status: "affected", version: "9183c3f9ed710a8edf1a61e8a96d497258d26e08", versionType: "git", }, { lessThan: "fe513c2ef0a172a58f158e2e70465c4317f0a9a2", status: "affected", version: "9183c3f9ed710a8edf1a61e8a96d497258d26e08", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "kernel/static_call_inline.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.10", }, { lessThan: "5.10", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nstatic_call: Replace pointless WARN_ON() in static_call_module_notify()\n\nstatic_call_module_notify() triggers a WARN_ON(), when memory allocation\nfails in __static_call_add_module().\n\nThat's not really justified, because the failure case must be correctly\nhandled by the well known call chain and the error code is passed\nthrough to the initiating userspace application.\n\nA memory allocation fail is not a fatal problem, but the WARN_ON() takes\nthe machine out when panic_on_warn is set.\n\nReplace it with a pr_warn().", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:30:04.936Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/bc9356513d56b688775497b7ac6f2b967f46a80c", }, { url: "https://git.kernel.org/stable/c/ea2cdf4da093d0482f0ef36ba971e2e0c7673425", }, { url: "https://git.kernel.org/stable/c/e67534bd31d79952b50e791e92adf0b3e6c13b8c", }, { url: "https://git.kernel.org/stable/c/85a104aaef1f56623acc10ba4c42d5f046ba65b7", }, { url: "https://git.kernel.org/stable/c/b83bef74c121a3311240fc4002d23486b85355e4", }, { url: "https://git.kernel.org/stable/c/fe513c2ef0a172a58f158e2e70465c4317f0a9a2", }, ], title: "static_call: Replace pointless WARN_ON() in static_call_module_notify()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49954", datePublished: "2024-10-21T18:02:09.064Z", dateReserved: "2024-10-21T12:17:06.047Z", dateUpdated: "2024-12-19T09:30:04.936Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50017
Vulnerability from cvelistv5
Published
2024-10-21 18:54
Modified
2025-02-17 11:47
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
x86/mm/ident_map: Use gbpages only where full GB page should be mapped.
When ident_pud_init() uses only GB pages to create identity maps, large
ranges of addresses not actually requested can be included in the resulting
table; a 4K request will map a full GB. This can include a lot of extra
address space past that requested, including areas marked reserved by the
BIOS. That allows processor speculation into reserved regions, that on UV
systems can cause system halts.
Only use GB pages when map creation requests include the full GB page of
space. Fall back to using smaller 2M pages when only portions of a GB page
are included in the request.
No attempt is made to coalesce mapping requests. If a request requires a
map entry at the 2M (pmd) level, subsequent mapping requests within the
same 1G region will also be at the pmd level, even if adjacent or
overlapping such requests could have been combined to map a full GB page.
Existing usage starts with larger regions and then adds smaller regions, so
this should not have any great consequence.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50017", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:27:53.496416Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:47.817Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "arch/x86/mm/ident_map.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "d113f9723f2bfd9c6feeb899b8ddbee6b8a6e01f", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "d80a99892f7a992d103138fa4636b2c33abd6740", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "a23823098ab2c277c14fc110b97d8d5c83597195", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "cc31744a294584a36bf764a0ffa3255a8e69f036", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "arch/x86/mm/ident_map.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.78", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mm/ident_map: Use gbpages only where full GB page should be mapped.\n\nWhen ident_pud_init() uses only GB pages to create identity maps, large\nranges of addresses not actually requested can be included in the resulting\ntable; a 4K request will map a full GB. This can include a lot of extra\naddress space past that requested, including areas marked reserved by the\nBIOS. That allows processor speculation into reserved regions, that on UV\nsystems can cause system halts.\n\nOnly use GB pages when map creation requests include the full GB page of\nspace. Fall back to using smaller 2M pages when only portions of a GB page\nare included in the request.\n\nNo attempt is made to coalesce mapping requests. If a request requires a\nmap entry at the 2M (pmd) level, subsequent mapping requests within the\nsame 1G region will also be at the pmd level, even if adjacent or\noverlapping such requests could have been combined to map a full GB page.\nExisting usage starts with larger regions and then adds smaller regions, so\nthis should not have any great consequence.", }, ], providerMetadata: { dateUpdated: "2025-02-17T11:47:03.237Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/d113f9723f2bfd9c6feeb899b8ddbee6b8a6e01f", }, { url: "https://git.kernel.org/stable/c/d80a99892f7a992d103138fa4636b2c33abd6740", }, { url: "https://git.kernel.org/stable/c/a23823098ab2c277c14fc110b97d8d5c83597195", }, { url: "https://git.kernel.org/stable/c/cc31744a294584a36bf764a0ffa3255a8e69f036", }, ], title: "x86/mm/ident_map: Use gbpages only where full GB page should be mapped.", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50017", datePublished: "2024-10-21T18:54:07.811Z", dateReserved: "2024-10-21T12:17:06.063Z", dateUpdated: "2025-02-17T11:47:03.237Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49922
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:29
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Check null pointers before using them
[WHAT & HOW]
These pointers are null checked previously in the same function,
indicating they might be null as reported by Coverity. As a result,
they need to be checked when used again.
This fixes 3 FORWARD_NULL issue reported by Coverity.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49922", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:40:13.536076Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:44.467Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "65e1d2c291553ef3f433a0b7109cc3002a5f40ae", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "5e9386baa3033c369564d55de4bab62423e8a1d3", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "1ff12bcd7deaeed25efb5120433c6a45dd5504a8", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check null pointers before using them\n\n[WHAT & HOW]\nThese pointers are null checked previously in the same function,\nindicating they might be null as reported by Coverity. As a result,\nthey need to be checked when used again.\n\nThis fixes 3 FORWARD_NULL issue reported by Coverity.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:29:06.403Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/65e1d2c291553ef3f433a0b7109cc3002a5f40ae", }, { url: "https://git.kernel.org/stable/c/5e9386baa3033c369564d55de4bab62423e8a1d3", }, { url: "https://git.kernel.org/stable/c/1ff12bcd7deaeed25efb5120433c6a45dd5504a8", }, ], title: "drm/amd/display: Check null pointers before using them", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49922", datePublished: "2024-10-21T18:01:47.751Z", dateReserved: "2024-10-21T12:17:06.035Z", dateUpdated: "2024-12-19T09:29:06.403Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48956
Vulnerability from cvelistv5
Published
2024-10-21 20:05
Modified
2024-12-19 08:11
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: avoid use-after-free in ip6_fragment()
Blamed commit claimed rcu_read_lock() was held by ip6_fragment() callers.
It seems to not be always true, at least for UDP stack.
syzbot reported:
BUG: KASAN: use-after-free in ip6_dst_idev include/net/ip6_fib.h:245 [inline]
BUG: KASAN: use-after-free in ip6_fragment+0x2724/0x2770 net/ipv6/ip6_output.c:951
Read of size 8 at addr ffff88801d403e80 by task syz-executor.3/7618
CPU: 1 PID: 7618 Comm: syz-executor.3 Not tainted 6.1.0-rc6-syzkaller-00012-g4312098baf37 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x15e/0x45d mm/kasan/report.c:395
kasan_report+0xbf/0x1f0 mm/kasan/report.c:495
ip6_dst_idev include/net/ip6_fib.h:245 [inline]
ip6_fragment+0x2724/0x2770 net/ipv6/ip6_output.c:951
__ip6_finish_output net/ipv6/ip6_output.c:193 [inline]
ip6_finish_output+0x9a3/0x1170 net/ipv6/ip6_output.c:206
NF_HOOK_COND include/linux/netfilter.h:291 [inline]
ip6_output+0x1f1/0x540 net/ipv6/ip6_output.c:227
dst_output include/net/dst.h:445 [inline]
ip6_local_out+0xb3/0x1a0 net/ipv6/output_core.c:161
ip6_send_skb+0xbb/0x340 net/ipv6/ip6_output.c:1966
udp_v6_send_skb+0x82a/0x18a0 net/ipv6/udp.c:1286
udp_v6_push_pending_frames+0x140/0x200 net/ipv6/udp.c:1313
udpv6_sendmsg+0x18da/0x2c80 net/ipv6/udp.c:1606
inet6_sendmsg+0x9d/0xe0 net/ipv6/af_inet6.c:665
sock_sendmsg_nosec net/socket.c:714 [inline]
sock_sendmsg+0xd3/0x120 net/socket.c:734
sock_write_iter+0x295/0x3d0 net/socket.c:1108
call_write_iter include/linux/fs.h:2191 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x9ed/0xdd0 fs/read_write.c:584
ksys_write+0x1ec/0x250 fs/read_write.c:637
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fde3588c0d9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fde365b6168 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007fde359ac050 RCX: 00007fde3588c0d9
RDX: 000000000000ffdc RSI: 00000000200000c0 RDI: 000000000000000a
RBP: 00007fde358e7ae9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fde35acfb1f R14: 00007fde365b6300 R15: 0000000000022000
</TASK>
Allocated by task 7618:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
__kasan_slab_alloc+0x82/0x90 mm/kasan/common.c:325
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slab.h:737 [inline]
slab_alloc_node mm/slub.c:3398 [inline]
slab_alloc mm/slub.c:3406 [inline]
__kmem_cache_alloc_lru mm/slub.c:3413 [inline]
kmem_cache_alloc+0x2b4/0x3d0 mm/slub.c:3422
dst_alloc+0x14a/0x1f0 net/core/dst.c:92
ip6_dst_alloc+0x32/0xa0 net/ipv6/route.c:344
ip6_rt_pcpu_alloc net/ipv6/route.c:1369 [inline]
rt6_make_pcpu_route net/ipv6/route.c:1417 [inline]
ip6_pol_route+0x901/0x1190 net/ipv6/route.c:2254
pol_lookup_func include/net/ip6_fib.h:582 [inline]
fib6_rule_lookup+0x52e/0x6f0 net/ipv6/fib6_rules.c:121
ip6_route_output_flags_noref+0x2e6/0x380 net/ipv6/route.c:2625
ip6_route_output_flags+0x76/0x320 net/ipv6/route.c:2638
ip6_route_output include/net/ip6_route.h:98 [inline]
ip6_dst_lookup_tail+0x5ab/0x1620 net/ipv6/ip6_output.c:1092
ip6_dst_lookup_flow+0x90/0x1d0 net/ipv6/ip6_output.c:1222
ip6_sk_dst_lookup_flow+0x553/0x980 net/ipv6/ip6_output.c:1260
udpv6_sendmsg+0x151d/0x2c80 net/ipv6/udp.c:1554
inet6_sendmsg+0x9d/0xe0 net/ipv6/af_inet6.c:665
sock_sendmsg_nosec n
---truncated---
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1758fd4688eb92c796e75bdb1d256dc558ef9581 Version: 1758fd4688eb92c796e75bdb1d256dc558ef9581 Version: 1758fd4688eb92c796e75bdb1d256dc558ef9581 Version: 1758fd4688eb92c796e75bdb1d256dc558ef9581 Version: 1758fd4688eb92c796e75bdb1d256dc558ef9581 Version: 1758fd4688eb92c796e75bdb1d256dc558ef9581 Version: 1758fd4688eb92c796e75bdb1d256dc558ef9581 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48956", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:21:00.418896Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:39.848Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/ipv6/ip6_output.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "b3d7ff8c04a83279fb7641fc4d5aa82a602df7c0", status: "affected", version: "1758fd4688eb92c796e75bdb1d256dc558ef9581", versionType: "git", }, { lessThan: "7e0dcd5f3ade221a6126278aca60c8ab4cc3bce9", status: "affected", version: "1758fd4688eb92c796e75bdb1d256dc558ef9581", versionType: "git", }, { lessThan: "6b6d3be3661bff2746cab26147bd629aa034e094", status: "affected", version: "1758fd4688eb92c796e75bdb1d256dc558ef9581", versionType: "git", }, { lessThan: "8208d7e56b1e579320b9ff3712739ad2e63e1f86", status: "affected", version: "1758fd4688eb92c796e75bdb1d256dc558ef9581", versionType: "git", }, { lessThan: "7390c70bd431cbfa6951477e2c80a301643e284b", status: "affected", version: "1758fd4688eb92c796e75bdb1d256dc558ef9581", versionType: "git", }, { lessThan: "9b1a468a455d8319041528778d0e684a4c062792", status: "affected", version: "1758fd4688eb92c796e75bdb1d256dc558ef9581", versionType: "git", }, { lessThan: "803e84867de59a1e5d126666d25eb4860cfd2ebe", status: "affected", version: "1758fd4688eb92c796e75bdb1d256dc558ef9581", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/ipv6/ip6_output.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "4.13", }, { lessThan: "4.13", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.14.*", status: "unaffected", version: "4.14.302", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.269", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.227", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.159", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.83", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.13", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: avoid use-after-free in ip6_fragment()\n\nBlamed commit claimed rcu_read_lock() was held by ip6_fragment() callers.\n\nIt seems to not be always true, at least for UDP stack.\n\nsyzbot reported:\n\nBUG: KASAN: use-after-free in ip6_dst_idev include/net/ip6_fib.h:245 [inline]\nBUG: KASAN: use-after-free in ip6_fragment+0x2724/0x2770 net/ipv6/ip6_output.c:951\nRead of size 8 at addr ffff88801d403e80 by task syz-executor.3/7618\n\nCPU: 1 PID: 7618 Comm: syz-executor.3 Not tainted 6.1.0-rc6-syzkaller-00012-g4312098baf37 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:284 [inline]\n print_report+0x15e/0x45d mm/kasan/report.c:395\n kasan_report+0xbf/0x1f0 mm/kasan/report.c:495\n ip6_dst_idev include/net/ip6_fib.h:245 [inline]\n ip6_fragment+0x2724/0x2770 net/ipv6/ip6_output.c:951\n __ip6_finish_output net/ipv6/ip6_output.c:193 [inline]\n ip6_finish_output+0x9a3/0x1170 net/ipv6/ip6_output.c:206\n NF_HOOK_COND include/linux/netfilter.h:291 [inline]\n ip6_output+0x1f1/0x540 net/ipv6/ip6_output.c:227\n dst_output include/net/dst.h:445 [inline]\n ip6_local_out+0xb3/0x1a0 net/ipv6/output_core.c:161\n ip6_send_skb+0xbb/0x340 net/ipv6/ip6_output.c:1966\n udp_v6_send_skb+0x82a/0x18a0 net/ipv6/udp.c:1286\n udp_v6_push_pending_frames+0x140/0x200 net/ipv6/udp.c:1313\n udpv6_sendmsg+0x18da/0x2c80 net/ipv6/udp.c:1606\n inet6_sendmsg+0x9d/0xe0 net/ipv6/af_inet6.c:665\n sock_sendmsg_nosec net/socket.c:714 [inline]\n sock_sendmsg+0xd3/0x120 net/socket.c:734\n sock_write_iter+0x295/0x3d0 net/socket.c:1108\n call_write_iter include/linux/fs.h:2191 [inline]\n new_sync_write fs/read_write.c:491 [inline]\n vfs_write+0x9ed/0xdd0 fs/read_write.c:584\n ksys_write+0x1ec/0x250 fs/read_write.c:637\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7fde3588c0d9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fde365b6168 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 00007fde359ac050 RCX: 00007fde3588c0d9\nRDX: 000000000000ffdc RSI: 00000000200000c0 RDI: 000000000000000a\nRBP: 00007fde358e7ae9 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007fde35acfb1f R14: 00007fde365b6300 R15: 0000000000022000\n </TASK>\n\nAllocated by task 7618:\n kasan_save_stack+0x22/0x40 mm/kasan/common.c:45\n kasan_set_track+0x25/0x30 mm/kasan/common.c:52\n __kasan_slab_alloc+0x82/0x90 mm/kasan/common.c:325\n kasan_slab_alloc include/linux/kasan.h:201 [inline]\n slab_post_alloc_hook mm/slab.h:737 [inline]\n slab_alloc_node mm/slub.c:3398 [inline]\n slab_alloc mm/slub.c:3406 [inline]\n __kmem_cache_alloc_lru mm/slub.c:3413 [inline]\n kmem_cache_alloc+0x2b4/0x3d0 mm/slub.c:3422\n dst_alloc+0x14a/0x1f0 net/core/dst.c:92\n ip6_dst_alloc+0x32/0xa0 net/ipv6/route.c:344\n ip6_rt_pcpu_alloc net/ipv6/route.c:1369 [inline]\n rt6_make_pcpu_route net/ipv6/route.c:1417 [inline]\n ip6_pol_route+0x901/0x1190 net/ipv6/route.c:2254\n pol_lookup_func include/net/ip6_fib.h:582 [inline]\n fib6_rule_lookup+0x52e/0x6f0 net/ipv6/fib6_rules.c:121\n ip6_route_output_flags_noref+0x2e6/0x380 net/ipv6/route.c:2625\n ip6_route_output_flags+0x76/0x320 net/ipv6/route.c:2638\n ip6_route_output include/net/ip6_route.h:98 [inline]\n ip6_dst_lookup_tail+0x5ab/0x1620 net/ipv6/ip6_output.c:1092\n ip6_dst_lookup_flow+0x90/0x1d0 net/ipv6/ip6_output.c:1222\n ip6_sk_dst_lookup_flow+0x553/0x980 net/ipv6/ip6_output.c:1260\n udpv6_sendmsg+0x151d/0x2c80 net/ipv6/udp.c:1554\n inet6_sendmsg+0x9d/0xe0 net/ipv6/af_inet6.c:665\n sock_sendmsg_nosec n\n---truncated---", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:11:13.964Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/b3d7ff8c04a83279fb7641fc4d5aa82a602df7c0", }, { url: "https://git.kernel.org/stable/c/7e0dcd5f3ade221a6126278aca60c8ab4cc3bce9", }, { url: "https://git.kernel.org/stable/c/6b6d3be3661bff2746cab26147bd629aa034e094", }, { url: "https://git.kernel.org/stable/c/8208d7e56b1e579320b9ff3712739ad2e63e1f86", }, { url: "https://git.kernel.org/stable/c/7390c70bd431cbfa6951477e2c80a301643e284b", }, { url: "https://git.kernel.org/stable/c/9b1a468a455d8319041528778d0e684a4c062792", }, { url: "https://git.kernel.org/stable/c/803e84867de59a1e5d126666d25eb4860cfd2ebe", }, ], title: "ipv6: avoid use-after-free in ip6_fragment()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48956", datePublished: "2024-10-21T20:05:42.379Z", dateReserved: "2024-08-22T01:27:53.627Z", dateUpdated: "2024-12-19T08:11:13.964Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49873
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:28
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/filemap: fix filemap_get_folios_contig THP panic
Patch series "memfd-pin huge page fixes".
Fix multiple bugs that occur when using memfd_pin_folios with hugetlb
pages and THP. The hugetlb bugs only bite when the page is not yet
faulted in when memfd_pin_folios is called. The THP bug bites when the
starting offset passed to memfd_pin_folios is not huge page aligned. See
the commit messages for details.
This patch (of 5):
memfd_pin_folios on memory backed by THP panics if the requested start
offset is not huge page aligned:
BUG: kernel NULL pointer dereference, address: 0000000000000036
RIP: 0010:filemap_get_folios_contig+0xdf/0x290
RSP: 0018:ffffc9002092fbe8 EFLAGS: 00010202
RAX: 0000000000000002 RBX: 0000000000000002 RCX: 0000000000000002
The fault occurs here, because xas_load returns a folio with value 2:
filemap_get_folios_contig()
for (folio = xas_load(&xas); folio && xas.xa_index <= end;
folio = xas_next(&xas)) {
...
if (!folio_try_get(folio)) <-- BOOM
"2" is an xarray sibling entry. We get it because memfd_pin_folios does
not round the indices passed to filemap_get_folios_contig to huge page
boundaries for THP, so we load from the middle of a huge page range see a
sibling. (It does round for hugetlbfs, at the is_file_hugepages test).
To fix, if the folio is a sibling, then return the next index as the
starting point for the next call to filemap_get_folios_contig.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49873", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:46:41.000217Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:51.674Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "mm/filemap.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "570dd14bfecf281fa467c80f8ec92b26370ee36a", status: "affected", version: "89c1905d9c140372b7f50ef48f42378cf85d9bc5", versionType: "git", }, { lessThan: "c225c4f6056b46a8a5bf2ed35abf17a2d6887691", status: "affected", version: "89c1905d9c140372b7f50ef48f42378cf85d9bc5", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "mm/filemap.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.11", }, { lessThan: "6.11", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/filemap: fix filemap_get_folios_contig THP panic\n\nPatch series \"memfd-pin huge page fixes\".\n\nFix multiple bugs that occur when using memfd_pin_folios with hugetlb\npages and THP. The hugetlb bugs only bite when the page is not yet\nfaulted in when memfd_pin_folios is called. The THP bug bites when the\nstarting offset passed to memfd_pin_folios is not huge page aligned. See\nthe commit messages for details.\n\n\nThis patch (of 5):\n\nmemfd_pin_folios on memory backed by THP panics if the requested start\noffset is not huge page aligned:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000036\nRIP: 0010:filemap_get_folios_contig+0xdf/0x290\nRSP: 0018:ffffc9002092fbe8 EFLAGS: 00010202\nRAX: 0000000000000002 RBX: 0000000000000002 RCX: 0000000000000002\n\nThe fault occurs here, because xas_load returns a folio with value 2:\n\n filemap_get_folios_contig()\n for (folio = xas_load(&xas); folio && xas.xa_index <= end;\n folio = xas_next(&xas)) {\n ...\n if (!folio_try_get(folio)) <-- BOOM\n\n\"2\" is an xarray sibling entry. We get it because memfd_pin_folios does\nnot round the indices passed to filemap_get_folios_contig to huge page\nboundaries for THP, so we load from the middle of a huge page range see a\nsibling. (It does round for hugetlbfs, at the is_file_hugepages test).\n\nTo fix, if the folio is a sibling, then return the next index as the\nstarting point for the next call to filemap_get_folios_contig.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:28:01.445Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/570dd14bfecf281fa467c80f8ec92b26370ee36a", }, { url: "https://git.kernel.org/stable/c/c225c4f6056b46a8a5bf2ed35abf17a2d6887691", }, ], title: "mm/filemap: fix filemap_get_folios_contig THP panic", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49873", datePublished: "2024-10-21T18:01:14.108Z", dateReserved: "2024-10-21T12:17:06.020Z", dateUpdated: "2024-12-19T09:28:01.445Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47697
Vulnerability from cvelistv5
Published
2024-10-21 11:53
Modified
2024-12-19 09:26
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drivers: media: dvb-frontends/rtl2830: fix an out-of-bounds write error
Ensure index in rtl2830_pid_filter does not exceed 31 to prevent
out-of-bounds access.
dev->filters is a 32-bit value, so set_bit and clear_bit functions should
only operate on indices from 0 to 31. If index is 32, it will attempt to
access a non-existent 33rd bit, leading to out-of-bounds access.
Change the boundary check from index > 32 to index >= 32 to resolve this
issue.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: df70ddad81b47c57bcccffc805fbd75f2f1b2dc6 Version: df70ddad81b47c57bcccffc805fbd75f2f1b2dc6 Version: df70ddad81b47c57bcccffc805fbd75f2f1b2dc6 Version: df70ddad81b47c57bcccffc805fbd75f2f1b2dc6 Version: df70ddad81b47c57bcccffc805fbd75f2f1b2dc6 Version: df70ddad81b47c57bcccffc805fbd75f2f1b2dc6 Version: df70ddad81b47c57bcccffc805fbd75f2f1b2dc6 Version: df70ddad81b47c57bcccffc805fbd75f2f1b2dc6 Version: df70ddad81b47c57bcccffc805fbd75f2f1b2dc6 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47697", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:05:04.931797Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:14:14.204Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/media/dvb-frontends/rtl2830.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "8ffbe7d07b8e76193b151107878ddc1ccc94deb5", status: "affected", version: "df70ddad81b47c57bcccffc805fbd75f2f1b2dc6", versionType: "git", }, { lessThan: "883f794c6e498ae24680aead55c16f66b06cfc30", status: "affected", version: "df70ddad81b47c57bcccffc805fbd75f2f1b2dc6", versionType: "git", }, { lessThan: "badbd736e6649c4e6d7b4ff7e2b9857acfa9ea94", status: "affected", version: "df70ddad81b47c57bcccffc805fbd75f2f1b2dc6", versionType: "git", }, { lessThan: "86d920d2600c3a48efc2775c1666c1017eec6956", status: "affected", version: "df70ddad81b47c57bcccffc805fbd75f2f1b2dc6", versionType: "git", }, { lessThan: "3dba83d3c81de1368d15a39f22df7b53e306052f", status: "affected", version: "df70ddad81b47c57bcccffc805fbd75f2f1b2dc6", versionType: "git", }, { lessThan: "58f31be7dfbc0c84a6497ad51924949cf64b86a2", status: "affected", version: "df70ddad81b47c57bcccffc805fbd75f2f1b2dc6", versionType: "git", }, { lessThan: "7fd6aae7e53b94f4035b1bfce28b8dfa0d0ae470", status: "affected", version: "df70ddad81b47c57bcccffc805fbd75f2f1b2dc6", versionType: "git", }, { lessThan: "042b101d7bf70616c4967c286ffa6fcca65babfb", status: "affected", version: "df70ddad81b47c57bcccffc805fbd75f2f1b2dc6", versionType: "git", }, { lessThan: "46d7ebfe6a75a454a5fa28604f0ef1491f9d8d14", status: "affected", version: "df70ddad81b47c57bcccffc805fbd75f2f1b2dc6", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/media/dvb-frontends/rtl2830.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "4.0", }, { lessThan: "4.0", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers: media: dvb-frontends/rtl2830: fix an out-of-bounds write error\n\nEnsure index in rtl2830_pid_filter does not exceed 31 to prevent\nout-of-bounds access.\n\ndev->filters is a 32-bit value, so set_bit and clear_bit functions should\nonly operate on indices from 0 to 31. If index is 32, it will attempt to\naccess a non-existent 33rd bit, leading to out-of-bounds access.\nChange the boundary check from index > 32 to index >= 32 to resolve this\nissue.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:26:18.037Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/8ffbe7d07b8e76193b151107878ddc1ccc94deb5", }, { url: "https://git.kernel.org/stable/c/883f794c6e498ae24680aead55c16f66b06cfc30", }, { url: "https://git.kernel.org/stable/c/badbd736e6649c4e6d7b4ff7e2b9857acfa9ea94", }, { url: "https://git.kernel.org/stable/c/86d920d2600c3a48efc2775c1666c1017eec6956", }, { url: "https://git.kernel.org/stable/c/3dba83d3c81de1368d15a39f22df7b53e306052f", }, { url: "https://git.kernel.org/stable/c/58f31be7dfbc0c84a6497ad51924949cf64b86a2", }, { url: "https://git.kernel.org/stable/c/7fd6aae7e53b94f4035b1bfce28b8dfa0d0ae470", }, { url: "https://git.kernel.org/stable/c/042b101d7bf70616c4967c286ffa6fcca65babfb", }, { url: "https://git.kernel.org/stable/c/46d7ebfe6a75a454a5fa28604f0ef1491f9d8d14", }, ], title: "drivers: media: dvb-frontends/rtl2830: fix an out-of-bounds write error", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47697", datePublished: "2024-10-21T11:53:34.630Z", dateReserved: "2024-09-30T16:00:12.942Z", dateUpdated: "2024-12-19T09:26:18.037Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47696
Vulnerability from cvelistv5
Published
2024-10-21 11:53
Modified
2024-12-19 09:26
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/iwcm: Fix WARNING:at_kernel/workqueue.c:#check_flush_dependency
In the commit aee2424246f9 ("RDMA/iwcm: Fix a use-after-free related to
destroying CM IDs"), the function flush_workqueue is invoked to flush the
work queue iwcm_wq.
But at that time, the work queue iwcm_wq was created via the function
alloc_ordered_workqueue without the flag WQ_MEM_RECLAIM.
Because the current process is trying to flush the whole iwcm_wq, if
iwcm_wq doesn't have the flag WQ_MEM_RECLAIM, verify that the current
process is not reclaiming memory or running on a workqueue which doesn't
have the flag WQ_MEM_RECLAIM as that can break forward-progress guarantee
leading to a deadlock.
The call trace is as below:
[ 125.350876][ T1430] Call Trace:
[ 125.356281][ T1430] <TASK>
[ 125.361285][ T1430] ? __warn (kernel/panic.c:693)
[ 125.367640][ T1430] ? check_flush_dependency (kernel/workqueue.c:3706 (discriminator 9))
[ 125.375689][ T1430] ? report_bug (lib/bug.c:180 lib/bug.c:219)
[ 125.382505][ T1430] ? handle_bug (arch/x86/kernel/traps.c:239)
[ 125.388987][ T1430] ? exc_invalid_op (arch/x86/kernel/traps.c:260 (discriminator 1))
[ 125.395831][ T1430] ? asm_exc_invalid_op (arch/x86/include/asm/idtentry.h:621)
[ 125.403125][ T1430] ? check_flush_dependency (kernel/workqueue.c:3706 (discriminator 9))
[ 125.410984][ T1430] ? check_flush_dependency (kernel/workqueue.c:3706 (discriminator 9))
[ 125.418764][ T1430] __flush_workqueue (kernel/workqueue.c:3970)
[ 125.426021][ T1430] ? __pfx___might_resched (kernel/sched/core.c:10151)
[ 125.433431][ T1430] ? destroy_cm_id (drivers/infiniband/core/iwcm.c:375) iw_cm
[ 125.441209][ T1430] ? __pfx___flush_workqueue (kernel/workqueue.c:3910)
[ 125.473900][ T1430] ? _raw_spin_lock_irqsave (arch/x86/include/asm/atomic.h:107 include/linux/atomic/atomic-arch-fallback.h:2170 include/linux/atomic/atomic-instrumented.h:1302 include/asm-generic/qspinlock.h:111 include/linux/spinlock.h:187 include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162)
[ 125.473909][ T1430] ? __pfx__raw_spin_lock_irqsave (kernel/locking/spinlock.c:161)
[ 125.482537][ T1430] _destroy_id (drivers/infiniband/core/cma.c:2044) rdma_cm
[ 125.495072][ T1430] nvme_rdma_free_queue (drivers/nvme/host/rdma.c:656 drivers/nvme/host/rdma.c:650) nvme_rdma
[ 125.505827][ T1430] nvme_rdma_reset_ctrl_work (drivers/nvme/host/rdma.c:2180) nvme_rdma
[ 125.505831][ T1430] process_one_work (kernel/workqueue.c:3231)
[ 125.515122][ T1430] worker_thread (kernel/workqueue.c:3306 kernel/workqueue.c:3393)
[ 125.515127][ T1430] ? __pfx_worker_thread (kernel/workqueue.c:3339)
[ 125.531837][ T1430] kthread (kernel/kthread.c:389)
[ 125.539864][ T1430] ? __pfx_kthread (kernel/kthread.c:342)
[ 125.550628][ T1430] ret_from_fork (arch/x86/kernel/process.c:147)
[ 125.558840][ T1430] ? __pfx_kthread (kernel/kthread.c:342)
[ 125.558844][ T1430] ret_from_fork_asm (arch/x86/entry/entry_64.S:257)
[ 125.566487][ T1430] </TASK>
[ 125.566488][ T1430] ---[ end trace 0000000000000000 ]---
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: d91d253c87fd1efece521ff2612078a35af673c6 Version: 7f25f296fc9bd0435be14e89bf657cd615a23574 Version: 94ee7ff99b87435ec63211f632918dc7f44dac79 Version: 557d035fe88d78dd51664f4dc0e1896c04c97cf6 Version: dc8074b8901caabb97c2d353abd6b4e7fa5a59a5 Version: ff5bbbdee08287d75d72e65b72a2b76d9637892a Version: ee39384ee787e86e9db4efb843818ef0ea9cb8ae Version: aee2424246f9f1dadc33faa78990c1e2eb7826e4 Version: aee2424246f9f1dadc33faa78990c1e2eb7826e4 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47696", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:05:12.849051Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:14:14.398Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/infiniband/core/iwcm.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "da2708a19f45b4a7278adf523837c8db21d1e2b5", status: "affected", version: "d91d253c87fd1efece521ff2612078a35af673c6", versionType: "git", }, { lessThan: "29b3bbd912b8db86df7a3c180b910ccb621f5635", status: "affected", version: "7f25f296fc9bd0435be14e89bf657cd615a23574", versionType: "git", }, { lessThan: "2efe8da2ddbf873385b4bc55366d09350b408df6", status: "affected", version: "94ee7ff99b87435ec63211f632918dc7f44dac79", versionType: "git", }, { lessThan: "da0392698c62397c19deb1b9e9bdf2fbb5a9420e", status: "affected", version: "557d035fe88d78dd51664f4dc0e1896c04c97cf6", versionType: "git", }, { lessThan: "a64f30db12bdc937c5108158d98c8eab1925c548", status: "affected", version: "dc8074b8901caabb97c2d353abd6b4e7fa5a59a5", versionType: "git", }, { lessThan: "8b7df76356d098f85f3bd2c7cf6fb43f531893d7", status: "affected", version: "ff5bbbdee08287d75d72e65b72a2b76d9637892a", versionType: "git", }, { lessThan: "c8b18a75282cfd27822a8cc3c1f005c1ac8d1a58", status: "affected", version: "ee39384ee787e86e9db4efb843818ef0ea9cb8ae", versionType: "git", }, { lessThan: "a09dc967b3c58899e259c0aea092f421d22a0b04", status: "affected", version: "aee2424246f9f1dadc33faa78990c1e2eb7826e4", versionType: "git", }, { lessThan: "86dfdd8288907f03c18b7fb462e0e232c4f98d89", status: "affected", version: "aee2424246f9f1dadc33faa78990c1e2eb7826e4", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/infiniband/core/iwcm.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.11", }, { lessThan: "6.11", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/iwcm: Fix WARNING:at_kernel/workqueue.c:#check_flush_dependency\n\nIn the commit aee2424246f9 (\"RDMA/iwcm: Fix a use-after-free related to\ndestroying CM IDs\"), the function flush_workqueue is invoked to flush the\nwork queue iwcm_wq.\n\nBut at that time, the work queue iwcm_wq was created via the function\nalloc_ordered_workqueue without the flag WQ_MEM_RECLAIM.\n\nBecause the current process is trying to flush the whole iwcm_wq, if\niwcm_wq doesn't have the flag WQ_MEM_RECLAIM, verify that the current\nprocess is not reclaiming memory or running on a workqueue which doesn't\nhave the flag WQ_MEM_RECLAIM as that can break forward-progress guarantee\nleading to a deadlock.\n\nThe call trace is as below:\n\n[ 125.350876][ T1430] Call Trace:\n[ 125.356281][ T1430] <TASK>\n[ 125.361285][ T1430] ? __warn (kernel/panic.c:693)\n[ 125.367640][ T1430] ? check_flush_dependency (kernel/workqueue.c:3706 (discriminator 9))\n[ 125.375689][ T1430] ? report_bug (lib/bug.c:180 lib/bug.c:219)\n[ 125.382505][ T1430] ? handle_bug (arch/x86/kernel/traps.c:239)\n[ 125.388987][ T1430] ? exc_invalid_op (arch/x86/kernel/traps.c:260 (discriminator 1))\n[ 125.395831][ T1430] ? asm_exc_invalid_op (arch/x86/include/asm/idtentry.h:621)\n[ 125.403125][ T1430] ? check_flush_dependency (kernel/workqueue.c:3706 (discriminator 9))\n[ 125.410984][ T1430] ? check_flush_dependency (kernel/workqueue.c:3706 (discriminator 9))\n[ 125.418764][ T1430] __flush_workqueue (kernel/workqueue.c:3970)\n[ 125.426021][ T1430] ? __pfx___might_resched (kernel/sched/core.c:10151)\n[ 125.433431][ T1430] ? destroy_cm_id (drivers/infiniband/core/iwcm.c:375) iw_cm\n[ 125.441209][ T1430] ? __pfx___flush_workqueue (kernel/workqueue.c:3910)\n[ 125.473900][ T1430] ? _raw_spin_lock_irqsave (arch/x86/include/asm/atomic.h:107 include/linux/atomic/atomic-arch-fallback.h:2170 include/linux/atomic/atomic-instrumented.h:1302 include/asm-generic/qspinlock.h:111 include/linux/spinlock.h:187 include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162)\n[ 125.473909][ T1430] ? __pfx__raw_spin_lock_irqsave (kernel/locking/spinlock.c:161)\n[ 125.482537][ T1430] _destroy_id (drivers/infiniband/core/cma.c:2044) rdma_cm\n[ 125.495072][ T1430] nvme_rdma_free_queue (drivers/nvme/host/rdma.c:656 drivers/nvme/host/rdma.c:650) nvme_rdma\n[ 125.505827][ T1430] nvme_rdma_reset_ctrl_work (drivers/nvme/host/rdma.c:2180) nvme_rdma\n[ 125.505831][ T1430] process_one_work (kernel/workqueue.c:3231)\n[ 125.515122][ T1430] worker_thread (kernel/workqueue.c:3306 kernel/workqueue.c:3393)\n[ 125.515127][ T1430] ? __pfx_worker_thread (kernel/workqueue.c:3339)\n[ 125.531837][ T1430] kthread (kernel/kthread.c:389)\n[ 125.539864][ T1430] ? __pfx_kthread (kernel/kthread.c:342)\n[ 125.550628][ T1430] ret_from_fork (arch/x86/kernel/process.c:147)\n[ 125.558840][ T1430] ? __pfx_kthread (kernel/kthread.c:342)\n[ 125.558844][ T1430] ret_from_fork_asm (arch/x86/entry/entry_64.S:257)\n[ 125.566487][ T1430] </TASK>\n[ 125.566488][ T1430] ---[ end trace 0000000000000000 ]---", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:26:16.864Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/da2708a19f45b4a7278adf523837c8db21d1e2b5", }, { url: "https://git.kernel.org/stable/c/29b3bbd912b8db86df7a3c180b910ccb621f5635", }, { url: "https://git.kernel.org/stable/c/2efe8da2ddbf873385b4bc55366d09350b408df6", }, { url: "https://git.kernel.org/stable/c/da0392698c62397c19deb1b9e9bdf2fbb5a9420e", }, { url: "https://git.kernel.org/stable/c/a64f30db12bdc937c5108158d98c8eab1925c548", }, { url: "https://git.kernel.org/stable/c/8b7df76356d098f85f3bd2c7cf6fb43f531893d7", }, { url: "https://git.kernel.org/stable/c/c8b18a75282cfd27822a8cc3c1f005c1ac8d1a58", }, { url: "https://git.kernel.org/stable/c/a09dc967b3c58899e259c0aea092f421d22a0b04", }, { url: "https://git.kernel.org/stable/c/86dfdd8288907f03c18b7fb462e0e232c4f98d89", }, ], title: "RDMA/iwcm: Fix WARNING:at_kernel/workqueue.c:#check_flush_dependency", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47696", datePublished: "2024-10-21T11:53:33.950Z", dateReserved: "2024-09-30T16:00:12.942Z", dateUpdated: "2024-12-19T09:26:16.864Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49865
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:27
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/xe/vm: move xa_alloc to prevent UAF
Evil user can guess the next id of the vm before the ioctl completes and
then call vm destroy ioctl to trigger UAF since create ioctl is still
referencing the same vm. Move the xa_alloc all the way to the end to
prevent this.
v2:
- Rebase
(cherry picked from commit dcfd3971327f3ee92765154baebbaece833d3ca9)
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49865", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:47:46.140074Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:52.775Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/xe/xe_vm.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "09cf8901fc0225898311b375cfcc67bae37ed5da", status: "affected", version: "dd08ebf6c3525a7ea2186e636df064ea47281987", versionType: "git", }, { lessThan: "74231870cf4976f69e83aa24f48edb16619f652f", status: "affected", version: "dd08ebf6c3525a7ea2186e636df064ea47281987", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/xe/xe_vm.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.8", }, { lessThan: "6.8", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/vm: move xa_alloc to prevent UAF\n\nEvil user can guess the next id of the vm before the ioctl completes and\nthen call vm destroy ioctl to trigger UAF since create ioctl is still\nreferencing the same vm. Move the xa_alloc all the way to the end to\nprevent this.\n\nv2:\n - Rebase\n\n(cherry picked from commit dcfd3971327f3ee92765154baebbaece833d3ca9)", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:27:50.840Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/09cf8901fc0225898311b375cfcc67bae37ed5da", }, { url: "https://git.kernel.org/stable/c/74231870cf4976f69e83aa24f48edb16619f652f", }, ], title: "drm/xe/vm: move xa_alloc to prevent UAF", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49865", datePublished: "2024-10-21T18:01:08.620Z", dateReserved: "2024-10-21T12:17:06.017Z", dateUpdated: "2024-12-19T09:27:50.840Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2016-10044
Vulnerability from cvelistv5
Published
2017-02-07 07:02
Modified
2024-10-21 13:14
Severity ?
EPSS score ?
Summary
The aio_mount function in fs/aio.c in the Linux kernel before 4.7.7 does not properly restrict execute access, which makes it easier for local users to bypass intended SELinux W^X policy restrictions, and consequently gain privileges, via an io_setup system call.
References
▼ | URL | Tags |
---|---|---|
http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.7.7 | x_refsource_CONFIRM | |
http://www.securitytracker.com/id/1037798 | vdb-entry, x_refsource_SECTRACK | |
http://source.android.com/security/bulletin/2017-02-01.html | x_refsource_CONFIRM | |
https://github.com/torvalds/linux/commit/22f6b4d34fcf039c63a94e7670e0da24f8575a5a | x_refsource_CONFIRM | |
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=22f6b4d34fcf039c63a94e7670e0da24f8575a5a | x_refsource_CONFIRM | |
http://www.securityfocus.com/bid/96122 | vdb-entry, x_refsource_BID |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T03:07:32.042Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.7.7", }, { name: "1037798", tags: [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred", ], url: "http://www.securitytracker.com/id/1037798", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://source.android.com/security/bulletin/2017-02-01.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/torvalds/linux/commit/22f6b4d34fcf039c63a94e7670e0da24f8575a5a", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=22f6b4d34fcf039c63a94e7670e0da24f8575a5a", }, { name: "96122", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/96122", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2016-10044", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:08:15.380102Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:14:17.686Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2016-04-27T00:00:00", descriptions: [ { lang: "en", value: "The aio_mount function in fs/aio.c in the Linux kernel before 4.7.7 does not properly restrict execute access, which makes it easier for local users to bypass intended SELinux W^X policy restrictions, and consequently gain privileges, via an io_setup system call.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2017-07-24T12:57:01", orgId: "baff130e-b8d5-4e15-b3d3-c3cf5d5545c6", shortName: "google_android", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.7.7", }, { name: "1037798", tags: [ "vdb-entry", "x_refsource_SECTRACK", ], url: "http://www.securitytracker.com/id/1037798", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://source.android.com/security/bulletin/2017-02-01.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/torvalds/linux/commit/22f6b4d34fcf039c63a94e7670e0da24f8575a5a", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=22f6b4d34fcf039c63a94e7670e0da24f8575a5a", }, { name: "96122", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/96122", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@android.com", ID: "CVE-2016-10044", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "The aio_mount function in fs/aio.c in the Linux kernel before 4.7.7 does not properly restrict execute access, which makes it easier for local users to bypass intended SELinux W^X policy restrictions, and consequently gain privileges, via an io_setup system call.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.7.7", refsource: "CONFIRM", url: "http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.7.7", }, { name: "1037798", refsource: "SECTRACK", url: "http://www.securitytracker.com/id/1037798", }, { name: "http://source.android.com/security/bulletin/2017-02-01.html", refsource: "CONFIRM", url: "http://source.android.com/security/bulletin/2017-02-01.html", }, { name: "https://github.com/torvalds/linux/commit/22f6b4d34fcf039c63a94e7670e0da24f8575a5a", refsource: "CONFIRM", url: "https://github.com/torvalds/linux/commit/22f6b4d34fcf039c63a94e7670e0da24f8575a5a", }, { name: "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=22f6b4d34fcf039c63a94e7670e0da24f8575a5a", refsource: "CONFIRM", url: "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=22f6b4d34fcf039c63a94e7670e0da24f8575a5a", }, { name: "96122", refsource: "BID", url: "http://www.securityfocus.com/bid/96122", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "baff130e-b8d5-4e15-b3d3-c3cf5d5545c6", assignerShortName: "google_android", cveId: "CVE-2016-10044", datePublished: "2017-02-07T07:02:00", dateReserved: "2016-12-26T00:00:00", dateUpdated: "2024-10-21T13:14:17.686Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49892
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:28
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Initialize get_bytes_per_element's default to 1
Variables, used as denominators and maybe not assigned to other values,
should not be 0. bytes_per_element_y & bytes_per_element_c are
initialized by get_bytes_per_element() which should never return 0.
This fixes 10 DIVIDE_BY_ZERO issues reported by Coverity.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49892", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:44:09.911849Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:48.952Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/dml/dcn20/display_rq_dlg_calc_20v2.c", "drivers/gpu/drm/amd/display/dc/dml/dcn21/display_rq_dlg_calc_21.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "8f0abb39c16e719129de10596b3ae3363fa178b4", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "f921335123f6620c3dce5c96fbb95f18524a021c", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "1f9f8186e239222f1c8d3dd73bf3bc6ae86c5e76", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "a23d6029e730f8a151b1a34afb169baac1274583", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "c7630935d9a4986e8c0ed91658a781b7a77d73f7", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "bc00d211da4ffad5314a2043b50bdc8ff8a33724", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "3334ab72cbba55a632f24579cd47c4a4e5e69cda", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "4067f4fa0423a89fb19a30b57231b384d77d2610", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/dml/dcn20/display_rq_dlg_calc_20v2.c", "drivers/gpu/drm/amd/display/dc/dml/dcn21/display_rq_dlg_calc_21.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Initialize get_bytes_per_element's default to 1\n\nVariables, used as denominators and maybe not assigned to other values,\nshould not be 0. bytes_per_element_y & bytes_per_element_c are\ninitialized by get_bytes_per_element() which should never return 0.\n\nThis fixes 10 DIVIDE_BY_ZERO issues reported by Coverity.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:28:29.857Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/8f0abb39c16e719129de10596b3ae3363fa178b4", }, { url: "https://git.kernel.org/stable/c/f921335123f6620c3dce5c96fbb95f18524a021c", }, { url: "https://git.kernel.org/stable/c/1f9f8186e239222f1c8d3dd73bf3bc6ae86c5e76", }, { url: "https://git.kernel.org/stable/c/a23d6029e730f8a151b1a34afb169baac1274583", }, { url: "https://git.kernel.org/stable/c/c7630935d9a4986e8c0ed91658a781b7a77d73f7", }, { url: "https://git.kernel.org/stable/c/bc00d211da4ffad5314a2043b50bdc8ff8a33724", }, { url: "https://git.kernel.org/stable/c/3334ab72cbba55a632f24579cd47c4a4e5e69cda", }, { url: "https://git.kernel.org/stable/c/4067f4fa0423a89fb19a30b57231b384d77d2610", }, ], title: "drm/amd/display: Initialize get_bytes_per_element's default to 1", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49892", datePublished: "2024-10-21T18:01:27.004Z", dateReserved: "2024-10-21T12:17:06.025Z", dateUpdated: "2024-12-19T09:28:29.857Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49856
Vulnerability from cvelistv5
Published
2024-10-21 12:18
Modified
2024-12-19 09:27
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
x86/sgx: Fix deadlock in SGX NUMA node search
When the current node doesn't have an EPC section configured by firmware
and all other EPC sections are used up, CPU can get stuck inside the
while loop that looks for an available EPC page from remote nodes
indefinitely, leading to a soft lockup. Note how nid_of_current will
never be equal to nid in that while loop because nid_of_current is not
set in sgx_numa_mask.
Also worth mentioning is that it's perfectly fine for the firmware not
to setup an EPC section on a node. While setting up an EPC section on
each node can enhance performance, it is not a requirement for
functionality.
Rework the loop to start and end on *a* node that has SGX memory. This
avoids the deadlock looking for the current SGX-lacking node to show up
in the loop when it never will.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 901ddbb9ecf5425183ea0c09d10c2fd7868dce54 Version: 901ddbb9ecf5425183ea0c09d10c2fd7868dce54 Version: 901ddbb9ecf5425183ea0c09d10c2fd7868dce54 Version: 901ddbb9ecf5425183ea0c09d10c2fd7868dce54 Version: 901ddbb9ecf5425183ea0c09d10c2fd7868dce54 Version: 901ddbb9ecf5425183ea0c09d10c2fd7868dce54 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49856", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T12:56:17.015207Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:11.066Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "arch/x86/kernel/cpu/sgx/main.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "40fb64257dab507d86b5f1f2a62f3669ef0c91a8", status: "affected", version: "901ddbb9ecf5425183ea0c09d10c2fd7868dce54", versionType: "git", }, { lessThan: "20c96d0aaabfe361fc2a11c173968dc67feadbbf", status: "affected", version: "901ddbb9ecf5425183ea0c09d10c2fd7868dce54", versionType: "git", }, { lessThan: "fb2d057539eda67ec7cfc369bf587e6518a9b99d", status: "affected", version: "901ddbb9ecf5425183ea0c09d10c2fd7868dce54", versionType: "git", }, { lessThan: "0f89fb4042c08fd143bfc28af08bf6c8a0197eea", status: "affected", version: "901ddbb9ecf5425183ea0c09d10c2fd7868dce54", versionType: "git", }, { lessThan: "8132510c915815e6b537ab937d94ed66893bc7b8", status: "affected", version: "901ddbb9ecf5425183ea0c09d10c2fd7868dce54", versionType: "git", }, { lessThan: "9c936844010466535bd46ea4ce4656ef17653644", status: "affected", version: "901ddbb9ecf5425183ea0c09d10c2fd7868dce54", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "arch/x86/kernel/cpu/sgx/main.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.13", }, { lessThan: "5.13", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/sgx: Fix deadlock in SGX NUMA node search\n\nWhen the current node doesn't have an EPC section configured by firmware\nand all other EPC sections are used up, CPU can get stuck inside the\nwhile loop that looks for an available EPC page from remote nodes\nindefinitely, leading to a soft lockup. Note how nid_of_current will\nnever be equal to nid in that while loop because nid_of_current is not\nset in sgx_numa_mask.\n\nAlso worth mentioning is that it's perfectly fine for the firmware not\nto setup an EPC section on a node. While setting up an EPC section on\neach node can enhance performance, it is not a requirement for\nfunctionality.\n\nRework the loop to start and end on *a* node that has SGX memory. This\navoids the deadlock looking for the current SGX-lacking node to show up\nin the loop when it never will.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:27:39.313Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/40fb64257dab507d86b5f1f2a62f3669ef0c91a8", }, { url: "https://git.kernel.org/stable/c/20c96d0aaabfe361fc2a11c173968dc67feadbbf", }, { url: "https://git.kernel.org/stable/c/fb2d057539eda67ec7cfc369bf587e6518a9b99d", }, { url: "https://git.kernel.org/stable/c/0f89fb4042c08fd143bfc28af08bf6c8a0197eea", }, { url: "https://git.kernel.org/stable/c/8132510c915815e6b537ab937d94ed66893bc7b8", }, { url: "https://git.kernel.org/stable/c/9c936844010466535bd46ea4ce4656ef17653644", }, ], title: "x86/sgx: Fix deadlock in SGX NUMA node search", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49856", datePublished: "2024-10-21T12:18:48.123Z", dateReserved: "2024-10-21T12:17:06.016Z", dateUpdated: "2024-12-19T09:27:39.313Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48963
Vulnerability from cvelistv5
Published
2024-10-21 20:05
Modified
2024-12-19 08:11
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: wwan: iosm: fix memory leak in ipc_mux_init()
When failed to alloc ipc_mux->ul_adb.pp_qlt in ipc_mux_init(), ipc_mux
is not released.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48963", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:20:06.922110Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:38.847Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/wwan/iosm/iosm_ipc_mux.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "e21478d0054f63eec7ce833296cf9788764a0ec7", status: "affected", version: "1f52d7b622854b8bd7a1be3de095ca2e1f77098e", versionType: "git", }, { lessThan: "23353efc26e98b61b925274ecbb8f0610f69a8aa", status: "affected", version: "1f52d7b622854b8bd7a1be3de095ca2e1f77098e", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/wwan/iosm/iosm_ipc_mux.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.18", }, { lessThan: "5.18", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.13", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: wwan: iosm: fix memory leak in ipc_mux_init()\n\nWhen failed to alloc ipc_mux->ul_adb.pp_qlt in ipc_mux_init(), ipc_mux\nis not released.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:11:27.731Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/e21478d0054f63eec7ce833296cf9788764a0ec7", }, { url: "https://git.kernel.org/stable/c/23353efc26e98b61b925274ecbb8f0610f69a8aa", }, ], title: "net: wwan: iosm: fix memory leak in ipc_mux_init()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48963", datePublished: "2024-10-21T20:05:47.161Z", dateReserved: "2024-08-22T01:27:53.628Z", dateUpdated: "2024-12-19T08:11:27.731Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49960
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-19 09:30
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix timer use-after-free on failed mount
Syzbot has found an ODEBUG bug in ext4_fill_super
The del_timer_sync function cancels the s_err_report timer,
which reminds about filesystem errors daily. We should
guarantee the timer is no longer active before kfree(sbi).
When filesystem mounting fails, the flow goes to failed_mount3,
where an error occurs when ext4_stop_mmpd is called, causing
a read I/O failure. This triggers the ext4_handle_error function
that ultimately re-arms the timer,
leaving the s_err_report timer active before kfree(sbi) is called.
Fix the issue by canceling the s_err_report timer after calling ext4_stop_mmpd.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49960", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:35:13.994206Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:47.803Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/ext4/super.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "cf3196e5e2f36cd80dab91ffae402e13935724bc", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "9203817ba46ebba7c865c8de2aba399537b6e891", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "fa78fb51d396f4f2f80f8e96a3b1516f394258be", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "b85569585d0154d4db1e4f9e3e6a4731d407feb0", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "0ce160c5bdb67081a62293028dc85758a8efb22a", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/ext4/super.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.118", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix timer use-after-free on failed mount\n\nSyzbot has found an ODEBUG bug in ext4_fill_super\n\nThe del_timer_sync function cancels the s_err_report timer,\nwhich reminds about filesystem errors daily. We should\nguarantee the timer is no longer active before kfree(sbi).\n\nWhen filesystem mounting fails, the flow goes to failed_mount3,\nwhere an error occurs when ext4_stop_mmpd is called, causing\na read I/O failure. This triggers the ext4_handle_error function\nthat ultimately re-arms the timer,\nleaving the s_err_report timer active before kfree(sbi) is called.\n\nFix the issue by canceling the s_err_report timer after calling ext4_stop_mmpd.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:30:12.383Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/cf3196e5e2f36cd80dab91ffae402e13935724bc", }, { url: "https://git.kernel.org/stable/c/9203817ba46ebba7c865c8de2aba399537b6e891", }, { url: "https://git.kernel.org/stable/c/fa78fb51d396f4f2f80f8e96a3b1516f394258be", }, { url: "https://git.kernel.org/stable/c/b85569585d0154d4db1e4f9e3e6a4731d407feb0", }, { url: "https://git.kernel.org/stable/c/0ce160c5bdb67081a62293028dc85758a8efb22a", }, ], title: "ext4: fix timer use-after-free on failed mount", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49960", datePublished: "2024-10-21T18:02:13.119Z", dateReserved: "2024-10-21T12:17:06.049Z", dateUpdated: "2024-12-19T09:30:12.383Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47731
Vulnerability from cvelistv5
Published
2024-10-21 12:14
Modified
2024-12-19 09:26
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drivers/perf: Fix ali_drw_pmu driver interrupt status clearing
The alibaba_uncore_pmu driver forgot to clear all interrupt status
in the interrupt processing function. After the PMU counter overflow
interrupt occurred, an interrupt storm occurred, causing the system
to hang.
Therefore, clear the correct interrupt status in the interrupt handling
function to fix it.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: cf7b61073e4526caa247616f6fbb174cbd2a5366 Version: cf7b61073e4526caa247616f6fbb174cbd2a5366 Version: cf7b61073e4526caa247616f6fbb174cbd2a5366 Version: cf7b61073e4526caa247616f6fbb174cbd2a5366 Version: cf7b61073e4526caa247616f6fbb174cbd2a5366 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47731", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:00:30.719959Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:15.861Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/perf/alibaba_uncore_drw_pmu.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "24f30b34ff76648d26872dd4eaa002f074225058", status: "affected", version: "cf7b61073e4526caa247616f6fbb174cbd2a5366", versionType: "git", }, { lessThan: "3b839d4619042b02eecdfc986484ac6e6be6acbf", status: "affected", version: "cf7b61073e4526caa247616f6fbb174cbd2a5366", versionType: "git", }, { lessThan: "062b7176e484678b2c9072d28fbecea47846b274", status: "affected", version: "cf7b61073e4526caa247616f6fbb174cbd2a5366", versionType: "git", }, { lessThan: "85702fddba70d2b63f5646793d77de2ad4fc3784", status: "affected", version: "cf7b61073e4526caa247616f6fbb174cbd2a5366", versionType: "git", }, { lessThan: "a3dd920977dccc453c550260c4b7605b280b79c3", status: "affected", version: "cf7b61073e4526caa247616f6fbb174cbd2a5366", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/perf/alibaba_uncore_drw_pmu.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.1", }, { lessThan: "6.1", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers/perf: Fix ali_drw_pmu driver interrupt status clearing\n\nThe alibaba_uncore_pmu driver forgot to clear all interrupt status\nin the interrupt processing function. After the PMU counter overflow\ninterrupt occurred, an interrupt storm occurred, causing the system\nto hang.\n\nTherefore, clear the correct interrupt status in the interrupt handling\nfunction to fix it.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:26:58.290Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/24f30b34ff76648d26872dd4eaa002f074225058", }, { url: "https://git.kernel.org/stable/c/3b839d4619042b02eecdfc986484ac6e6be6acbf", }, { url: "https://git.kernel.org/stable/c/062b7176e484678b2c9072d28fbecea47846b274", }, { url: "https://git.kernel.org/stable/c/85702fddba70d2b63f5646793d77de2ad4fc3784", }, { url: "https://git.kernel.org/stable/c/a3dd920977dccc453c550260c4b7605b280b79c3", }, ], title: "drivers/perf: Fix ali_drw_pmu driver interrupt status clearing", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47731", datePublished: "2024-10-21T12:14:03.184Z", dateReserved: "2024-09-30T16:00:12.957Z", dateUpdated: "2024-12-19T09:26:58.290Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50034
Vulnerability from cvelistv5
Published
2024-10-21 19:39
Modified
2024-12-19 09:31
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/smc: fix lacks of icsk_syn_mss with IPPROTO_SMC
Eric report a panic on IPPROTO_SMC, and give the facts
that when INET_PROTOSW_ICSK was set, icsk->icsk_sync_mss must be set too.
Bug: Unable to handle kernel NULL pointer dereference at virtual address
0000000000000000
Mem abort info:
ESR = 0x0000000086000005
EC = 0x21: IABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x05: level 1 translation fault
user pgtable: 4k pages, 48-bit VAs, pgdp=00000001195d1000
[0000000000000000] pgd=0800000109c46003, p4d=0800000109c46003,
pud=0000000000000000
Internal error: Oops: 0000000086000005 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 UID: 0 PID: 8037 Comm: syz.3.265 Not tainted
6.11.0-rc7-syzkaller-g5f5673607153 #0
Hardware name: Google Google Compute Engine/Google Compute Engine,
BIOS Google 08/06/2024
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : 0x0
lr : cipso_v4_sock_setattr+0x2a8/0x3c0 net/ipv4/cipso_ipv4.c:1910
sp : ffff80009b887a90
x29: ffff80009b887aa0 x28: ffff80008db94050 x27: 0000000000000000
x26: 1fffe0001aa6f5b3 x25: dfff800000000000 x24: ffff0000db75da00
x23: 0000000000000000 x22: ffff0000d8b78518 x21: 0000000000000000
x20: ffff0000d537ad80 x19: ffff0000d8b78000 x18: 1fffe000366d79ee
x17: ffff8000800614a8 x16: ffff800080569b84 x15: 0000000000000001
x14: 000000008b336894 x13: 00000000cd96feaa x12: 0000000000000003
x11: 0000000000040000 x10: 00000000000020a3 x9 : 1fffe0001b16f0f1
x8 : 0000000000000000 x7 : 0000000000000000 x6 : 000000000000003f
x5 : 0000000000000040 x4 : 0000000000000001 x3 : 0000000000000000
x2 : 0000000000000002 x1 : 0000000000000000 x0 : ffff0000d8b78000
Call trace:
0x0
netlbl_sock_setattr+0x2e4/0x338 net/netlabel/netlabel_kapi.c:1000
smack_netlbl_add+0xa4/0x154 security/smack/smack_lsm.c:2593
smack_socket_post_create+0xa8/0x14c security/smack/smack_lsm.c:2973
security_socket_post_create+0x94/0xd4 security/security.c:4425
__sock_create+0x4c8/0x884 net/socket.c:1587
sock_create net/socket.c:1622 [inline]
__sys_socket_create net/socket.c:1659 [inline]
__sys_socket+0x134/0x340 net/socket.c:1706
__do_sys_socket net/socket.c:1720 [inline]
__se_sys_socket net/socket.c:1718 [inline]
__arm64_sys_socket+0x7c/0x94 net/socket.c:1718
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
Code: ???????? ???????? ???????? ???????? (????????)
---[ end trace 0000000000000000 ]---
This patch add a toy implementation that performs a simple return to
prevent such panic. This is because MSS can be set in sock_create_kern
or smc_setsockopt, similar to how it's done in AF_SMC. However, for
AF_SMC, there is currently no way to synchronize MSS within
__sys_connect_file. This toy implementation lays the groundwork for us
to support such feature for IPPROTO_SMC in the future.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50034", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:25:41.741757Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:45.301Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/smc/smc_inet.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "44dc50df15f5bd4221d8f708885a9d49cda7f57e", status: "affected", version: "d25a92ccae6bed02327b63d138e12e7806830f78", versionType: "git", }, { lessThan: "6fd27ea183c208e478129a85e11d880fc70040f2", status: "affected", version: "d25a92ccae6bed02327b63d138e12e7806830f78", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/smc/smc_inet.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.11", }, { lessThan: "6.11", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.4", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix lacks of icsk_syn_mss with IPPROTO_SMC\n\nEric report a panic on IPPROTO_SMC, and give the facts\nthat when INET_PROTOSW_ICSK was set, icsk->icsk_sync_mss must be set too.\n\nBug: Unable to handle kernel NULL pointer dereference at virtual address\n0000000000000000\nMem abort info:\nESR = 0x0000000086000005\nEC = 0x21: IABT (current EL), IL = 32 bits\nSET = 0, FnV = 0\nEA = 0, S1PTW = 0\nFSC = 0x05: level 1 translation fault\nuser pgtable: 4k pages, 48-bit VAs, pgdp=00000001195d1000\n[0000000000000000] pgd=0800000109c46003, p4d=0800000109c46003,\npud=0000000000000000\nInternal error: Oops: 0000000086000005 [#1] PREEMPT SMP\nModules linked in:\nCPU: 1 UID: 0 PID: 8037 Comm: syz.3.265 Not tainted\n6.11.0-rc7-syzkaller-g5f5673607153 #0\nHardware name: Google Google Compute Engine/Google Compute Engine,\nBIOS Google 08/06/2024\npstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : 0x0\nlr : cipso_v4_sock_setattr+0x2a8/0x3c0 net/ipv4/cipso_ipv4.c:1910\nsp : ffff80009b887a90\nx29: ffff80009b887aa0 x28: ffff80008db94050 x27: 0000000000000000\nx26: 1fffe0001aa6f5b3 x25: dfff800000000000 x24: ffff0000db75da00\nx23: 0000000000000000 x22: ffff0000d8b78518 x21: 0000000000000000\nx20: ffff0000d537ad80 x19: ffff0000d8b78000 x18: 1fffe000366d79ee\nx17: ffff8000800614a8 x16: ffff800080569b84 x15: 0000000000000001\nx14: 000000008b336894 x13: 00000000cd96feaa x12: 0000000000000003\nx11: 0000000000040000 x10: 00000000000020a3 x9 : 1fffe0001b16f0f1\nx8 : 0000000000000000 x7 : 0000000000000000 x6 : 000000000000003f\nx5 : 0000000000000040 x4 : 0000000000000001 x3 : 0000000000000000\nx2 : 0000000000000002 x1 : 0000000000000000 x0 : ffff0000d8b78000\nCall trace:\n0x0\nnetlbl_sock_setattr+0x2e4/0x338 net/netlabel/netlabel_kapi.c:1000\nsmack_netlbl_add+0xa4/0x154 security/smack/smack_lsm.c:2593\nsmack_socket_post_create+0xa8/0x14c security/smack/smack_lsm.c:2973\nsecurity_socket_post_create+0x94/0xd4 security/security.c:4425\n__sock_create+0x4c8/0x884 net/socket.c:1587\nsock_create net/socket.c:1622 [inline]\n__sys_socket_create net/socket.c:1659 [inline]\n__sys_socket+0x134/0x340 net/socket.c:1706\n__do_sys_socket net/socket.c:1720 [inline]\n__se_sys_socket net/socket.c:1718 [inline]\n__arm64_sys_socket+0x7c/0x94 net/socket.c:1718\n__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]\ninvoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49\nel0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132\ndo_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151\nel0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712\nel0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730\nel0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598\nCode: ???????? ???????? ???????? ???????? (????????)\n---[ end trace 0000000000000000 ]---\n\nThis patch add a toy implementation that performs a simple return to\nprevent such panic. This is because MSS can be set in sock_create_kern\nor smc_setsockopt, similar to how it's done in AF_SMC. However, for\nAF_SMC, there is currently no way to synchronize MSS within\n__sys_connect_file. This toy implementation lays the groundwork for us\nto support such feature for IPPROTO_SMC in the future.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:31:47.311Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/44dc50df15f5bd4221d8f708885a9d49cda7f57e", }, { url: "https://git.kernel.org/stable/c/6fd27ea183c208e478129a85e11d880fc70040f2", }, ], title: "net/smc: fix lacks of icsk_syn_mss with IPPROTO_SMC", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50034", datePublished: "2024-10-21T19:39:35.785Z", dateReserved: "2024-10-21T12:17:06.070Z", dateUpdated: "2024-12-19T09:31:47.311Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50004
Vulnerability from cvelistv5
Published
2024-10-21 18:53
Modified
2025-01-16 11:53
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: update DML2 policy EnhancedPrefetchScheduleAccelerationFinal DCN35
[WHY & HOW]
Mismatch in DCN35 DML2 cause bw validation failed to acquire unexpected DPP pipe to cause
grey screen and system hang. Remove EnhancedPrefetchScheduleAccelerationFinal value override
to match HW spec.
(cherry picked from commit 9dad21f910fcea2bdcff4af46159101d7f9cd8ba)
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50004", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:29:33.584285Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:40.651Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/dml2/dml2_policy.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "945dc25eda88b5d6e30c9686dc619ab981c22d0e", status: "affected", version: "7966f319c66d9468623c6a6a017ecbc0dd79be75", versionType: "git", }, { lessThan: "4010efc8516899981cc3b57be2d4a2d5d9e50228", status: "affected", version: "7966f319c66d9468623c6a6a017ecbc0dd79be75", versionType: "git", }, { lessThan: "0d5e5e8a0aa49ea2163abf128da3b509a6c58286", status: "affected", version: "7966f319c66d9468623c6a6a017ecbc0dd79be75", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/dml2/dml2_policy.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.7", }, { lessThan: "6.7", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: update DML2 policy EnhancedPrefetchScheduleAccelerationFinal DCN35\n\n[WHY & HOW]\nMismatch in DCN35 DML2 cause bw validation failed to acquire unexpected DPP pipe to cause\ngrey screen and system hang. Remove EnhancedPrefetchScheduleAccelerationFinal value override\nto match HW spec.\n\n(cherry picked from commit 9dad21f910fcea2bdcff4af46159101d7f9cd8ba)", }, ], providerMetadata: { dateUpdated: "2025-01-16T11:53:25.998Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/945dc25eda88b5d6e30c9686dc619ab981c22d0e", }, { url: "https://git.kernel.org/stable/c/4010efc8516899981cc3b57be2d4a2d5d9e50228", }, { url: "https://git.kernel.org/stable/c/0d5e5e8a0aa49ea2163abf128da3b509a6c58286", }, ], title: "drm/amd/display: update DML2 policy EnhancedPrefetchScheduleAccelerationFinal DCN35", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50004", datePublished: "2024-10-21T18:53:58.609Z", dateReserved: "2024-10-21T12:17:06.059Z", dateUpdated: "2025-01-16T11:53:25.998Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-49014
Vulnerability from cvelistv5
Published
2024-10-21 20:06
Modified
2024-12-19 08:12
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: tun: Fix use-after-free in tun_detach()
syzbot reported use-after-free in tun_detach() [1]. This causes call
trace like below:
==================================================================
BUG: KASAN: use-after-free in notifier_call_chain+0x1ee/0x200 kernel/notifier.c:75
Read of size 8 at addr ffff88807324e2a8 by task syz-executor.0/3673
CPU: 0 PID: 3673 Comm: syz-executor.0 Not tainted 6.1.0-rc5-syzkaller-00044-gcc675d22e422 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x15e/0x461 mm/kasan/report.c:395
kasan_report+0xbf/0x1f0 mm/kasan/report.c:495
notifier_call_chain+0x1ee/0x200 kernel/notifier.c:75
call_netdevice_notifiers_info+0x86/0x130 net/core/dev.c:1942
call_netdevice_notifiers_extack net/core/dev.c:1983 [inline]
call_netdevice_notifiers net/core/dev.c:1997 [inline]
netdev_wait_allrefs_any net/core/dev.c:10237 [inline]
netdev_run_todo+0xbc6/0x1100 net/core/dev.c:10351
tun_detach drivers/net/tun.c:704 [inline]
tun_chr_close+0xe4/0x190 drivers/net/tun.c:3467
__fput+0x27c/0xa90 fs/file_table.c:320
task_work_run+0x16f/0x270 kernel/task_work.c:179
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0xb3d/0x2a30 kernel/exit.c:820
do_group_exit+0xd4/0x2a0 kernel/exit.c:950
get_signal+0x21b1/0x2440 kernel/signal.c:2858
arch_do_signal_or_restart+0x86/0x2300 arch/x86/kernel/signal.c:869
exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296
do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The cause of the issue is that sock_put() from __tun_detach() drops
last reference count for struct net, and then notifier_call_chain()
from netdev_state_change() accesses that struct net.
This patch fixes the issue by calling sock_put() from tun_detach()
after all necessary accesses for the struct net has done.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 83c1f36f9880814b24cdf6c2f91f66f61db65326 Version: 83c1f36f9880814b24cdf6c2f91f66f61db65326 Version: 83c1f36f9880814b24cdf6c2f91f66f61db65326 Version: 83c1f36f9880814b24cdf6c2f91f66f61db65326 Version: 83c1f36f9880814b24cdf6c2f91f66f61db65326 Version: 83c1f36f9880814b24cdf6c2f91f66f61db65326 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-49014", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:13:28.883740Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:38.243Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/tun.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "1f23f1890d91812c35d32eab1b49621b6d32dc7b", status: "affected", version: "83c1f36f9880814b24cdf6c2f91f66f61db65326", versionType: "git", }, { lessThan: "16c244bc65d1175775325ec0489a5a5c830e02c7", status: "affected", version: "83c1f36f9880814b24cdf6c2f91f66f61db65326", versionType: "git", }, { lessThan: "5f442e1d403e0496bacb74a58e2be7f500695e6f", status: "affected", version: "83c1f36f9880814b24cdf6c2f91f66f61db65326", versionType: "git", }, { lessThan: "04b995e963229501401810dab89dc73e7f12d054", status: "affected", version: "83c1f36f9880814b24cdf6c2f91f66f61db65326", versionType: "git", }, { lessThan: "4cde8da2d814a3b7b176db81922d4ddaad7c0f0e", status: "affected", version: "83c1f36f9880814b24cdf6c2f91f66f61db65326", versionType: "git", }, { lessThan: "5daadc86f27ea4d691e2131c04310d0418c6cd12", status: "affected", version: "83c1f36f9880814b24cdf6c2f91f66f61db65326", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/tun.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "4.17", }, { lessThan: "4.17", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.268", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.226", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.158", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.82", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.12", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: tun: Fix use-after-free in tun_detach()\n\nsyzbot reported use-after-free in tun_detach() [1]. This causes call\ntrace like below:\n\n==================================================================\nBUG: KASAN: use-after-free in notifier_call_chain+0x1ee/0x200 kernel/notifier.c:75\nRead of size 8 at addr ffff88807324e2a8 by task syz-executor.0/3673\n\nCPU: 0 PID: 3673 Comm: syz-executor.0 Not tainted 6.1.0-rc5-syzkaller-00044-gcc675d22e422 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:284 [inline]\n print_report+0x15e/0x461 mm/kasan/report.c:395\n kasan_report+0xbf/0x1f0 mm/kasan/report.c:495\n notifier_call_chain+0x1ee/0x200 kernel/notifier.c:75\n call_netdevice_notifiers_info+0x86/0x130 net/core/dev.c:1942\n call_netdevice_notifiers_extack net/core/dev.c:1983 [inline]\n call_netdevice_notifiers net/core/dev.c:1997 [inline]\n netdev_wait_allrefs_any net/core/dev.c:10237 [inline]\n netdev_run_todo+0xbc6/0x1100 net/core/dev.c:10351\n tun_detach drivers/net/tun.c:704 [inline]\n tun_chr_close+0xe4/0x190 drivers/net/tun.c:3467\n __fput+0x27c/0xa90 fs/file_table.c:320\n task_work_run+0x16f/0x270 kernel/task_work.c:179\n exit_task_work include/linux/task_work.h:38 [inline]\n do_exit+0xb3d/0x2a30 kernel/exit.c:820\n do_group_exit+0xd4/0x2a0 kernel/exit.c:950\n get_signal+0x21b1/0x2440 kernel/signal.c:2858\n arch_do_signal_or_restart+0x86/0x2300 arch/x86/kernel/signal.c:869\n exit_to_user_mode_loop kernel/entry/common.c:168 [inline]\n exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203\n __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]\n syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296\n do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe cause of the issue is that sock_put() from __tun_detach() drops\nlast reference count for struct net, and then notifier_call_chain()\nfrom netdev_state_change() accesses that struct net.\n\nThis patch fixes the issue by calling sock_put() from tun_detach()\nafter all necessary accesses for the struct net has done.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:12:27.831Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/1f23f1890d91812c35d32eab1b49621b6d32dc7b", }, { url: "https://git.kernel.org/stable/c/16c244bc65d1175775325ec0489a5a5c830e02c7", }, { url: "https://git.kernel.org/stable/c/5f442e1d403e0496bacb74a58e2be7f500695e6f", }, { url: "https://git.kernel.org/stable/c/04b995e963229501401810dab89dc73e7f12d054", }, { url: "https://git.kernel.org/stable/c/4cde8da2d814a3b7b176db81922d4ddaad7c0f0e", }, { url: "https://git.kernel.org/stable/c/5daadc86f27ea4d691e2131c04310d0418c6cd12", }, ], title: "net: tun: Fix use-after-free in tun_detach()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-49014", datePublished: "2024-10-21T20:06:24.020Z", dateReserved: "2024-08-22T01:27:53.645Z", dateUpdated: "2024-12-19T08:12:27.831Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49950
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-19 09:29
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: Fix uaf in l2cap_connect
[Syzbot reported]
BUG: KASAN: slab-use-after-free in l2cap_connect.constprop.0+0x10d8/0x1270 net/bluetooth/l2cap_core.c:3949
Read of size 8 at addr ffff8880241e9800 by task kworker/u9:0/54
CPU: 0 UID: 0 PID: 54 Comm: kworker/u9:0 Not tainted 6.11.0-rc6-syzkaller-00268-g788220eee30d #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Workqueue: hci2 hci_rx_work
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:93 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:119
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
l2cap_connect.constprop.0+0x10d8/0x1270 net/bluetooth/l2cap_core.c:3949
l2cap_connect_req net/bluetooth/l2cap_core.c:4080 [inline]
l2cap_bredr_sig_cmd net/bluetooth/l2cap_core.c:4772 [inline]
l2cap_sig_channel net/bluetooth/l2cap_core.c:5543 [inline]
l2cap_recv_frame+0xf0b/0x8eb0 net/bluetooth/l2cap_core.c:6825
l2cap_recv_acldata+0x9b4/0xb70 net/bluetooth/l2cap_core.c:7514
hci_acldata_packet net/bluetooth/hci_core.c:3791 [inline]
hci_rx_work+0xaab/0x1610 net/bluetooth/hci_core.c:4028
process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
...
Freed by task 5245:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579
poison_slab_object+0xf7/0x160 mm/kasan/common.c:240
__kasan_slab_free+0x32/0x50 mm/kasan/common.c:256
kasan_slab_free include/linux/kasan.h:184 [inline]
slab_free_hook mm/slub.c:2256 [inline]
slab_free mm/slub.c:4477 [inline]
kfree+0x12a/0x3b0 mm/slub.c:4598
l2cap_conn_free net/bluetooth/l2cap_core.c:1810 [inline]
kref_put include/linux/kref.h:65 [inline]
l2cap_conn_put net/bluetooth/l2cap_core.c:1822 [inline]
l2cap_conn_del+0x59d/0x730 net/bluetooth/l2cap_core.c:1802
l2cap_connect_cfm+0x9e6/0xf80 net/bluetooth/l2cap_core.c:7241
hci_connect_cfm include/net/bluetooth/hci_core.h:1960 [inline]
hci_conn_failed+0x1c3/0x370 net/bluetooth/hci_conn.c:1265
hci_abort_conn_sync+0x75a/0xb50 net/bluetooth/hci_sync.c:5583
abort_conn_sync+0x197/0x360 net/bluetooth/hci_conn.c:2917
hci_cmd_sync_work+0x1a4/0x410 net/bluetooth/hci_sync.c:328
process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 7b064edae38d62d8587a8c574f93b53ce75ae749 Version: 7b064edae38d62d8587a8c574f93b53ce75ae749 Version: 7b064edae38d62d8587a8c574f93b53ce75ae749 Version: 7b064edae38d62d8587a8c574f93b53ce75ae749 Version: 7b064edae38d62d8587a8c574f93b53ce75ae749 Version: 7b064edae38d62d8587a8c574f93b53ce75ae749 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49950", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:36:31.459862Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:49.238Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/bluetooth/hci_core.c", "net/bluetooth/hci_event.c", "net/bluetooth/l2cap_core.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "686e05c9dbd68766c6bda5f31f7e077f36a7fb29", status: "affected", version: "7b064edae38d62d8587a8c574f93b53ce75ae749", versionType: "git", }, { lessThan: "b22346eec479a30bfa4a02ad2c551b54809694d0", status: "affected", version: "7b064edae38d62d8587a8c574f93b53ce75ae749", versionType: "git", }, { lessThan: "b90907696c30172b809aa3dd2f0caffae761e4c6", status: "affected", version: "7b064edae38d62d8587a8c574f93b53ce75ae749", versionType: "git", }, { lessThan: "78d30ce16fdf9c301bcd8b83ce613cea079cea83", status: "affected", version: "7b064edae38d62d8587a8c574f93b53ce75ae749", versionType: "git", }, { lessThan: "a1c6174e23df10b8e5770e82d63bc6e2118a3dc7", status: "affected", version: "7b064edae38d62d8587a8c574f93b53ce75ae749", versionType: "git", }, { lessThan: "333b4fd11e89b29c84c269123f871883a30be586", status: "affected", version: "7b064edae38d62d8587a8c574f93b53ce75ae749", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/bluetooth/hci_core.c", "net/bluetooth/hci_event.c", "net/bluetooth/l2cap_core.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "3.8", }, { lessThan: "3.8", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.174", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.118", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix uaf in l2cap_connect\n\n[Syzbot reported]\nBUG: KASAN: slab-use-after-free in l2cap_connect.constprop.0+0x10d8/0x1270 net/bluetooth/l2cap_core.c:3949\nRead of size 8 at addr ffff8880241e9800 by task kworker/u9:0/54\n\nCPU: 0 UID: 0 PID: 54 Comm: kworker/u9:0 Not tainted 6.11.0-rc6-syzkaller-00268-g788220eee30d #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024\nWorkqueue: hci2 hci_rx_work\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:93 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:119\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0xc3/0x620 mm/kasan/report.c:488\n kasan_report+0xd9/0x110 mm/kasan/report.c:601\n l2cap_connect.constprop.0+0x10d8/0x1270 net/bluetooth/l2cap_core.c:3949\n l2cap_connect_req net/bluetooth/l2cap_core.c:4080 [inline]\n l2cap_bredr_sig_cmd net/bluetooth/l2cap_core.c:4772 [inline]\n l2cap_sig_channel net/bluetooth/l2cap_core.c:5543 [inline]\n l2cap_recv_frame+0xf0b/0x8eb0 net/bluetooth/l2cap_core.c:6825\n l2cap_recv_acldata+0x9b4/0xb70 net/bluetooth/l2cap_core.c:7514\n hci_acldata_packet net/bluetooth/hci_core.c:3791 [inline]\n hci_rx_work+0xaab/0x1610 net/bluetooth/hci_core.c:4028\n process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231\n process_scheduled_works kernel/workqueue.c:3312 [inline]\n worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389\n kthread+0x2c1/0x3a0 kernel/kthread.c:389\n ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n...\n\nFreed by task 5245:\n kasan_save_stack+0x33/0x60 mm/kasan/common.c:47\n kasan_save_track+0x14/0x30 mm/kasan/common.c:68\n kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579\n poison_slab_object+0xf7/0x160 mm/kasan/common.c:240\n __kasan_slab_free+0x32/0x50 mm/kasan/common.c:256\n kasan_slab_free include/linux/kasan.h:184 [inline]\n slab_free_hook mm/slub.c:2256 [inline]\n slab_free mm/slub.c:4477 [inline]\n kfree+0x12a/0x3b0 mm/slub.c:4598\n l2cap_conn_free net/bluetooth/l2cap_core.c:1810 [inline]\n kref_put include/linux/kref.h:65 [inline]\n l2cap_conn_put net/bluetooth/l2cap_core.c:1822 [inline]\n l2cap_conn_del+0x59d/0x730 net/bluetooth/l2cap_core.c:1802\n l2cap_connect_cfm+0x9e6/0xf80 net/bluetooth/l2cap_core.c:7241\n hci_connect_cfm include/net/bluetooth/hci_core.h:1960 [inline]\n hci_conn_failed+0x1c3/0x370 net/bluetooth/hci_conn.c:1265\n hci_abort_conn_sync+0x75a/0xb50 net/bluetooth/hci_sync.c:5583\n abort_conn_sync+0x197/0x360 net/bluetooth/hci_conn.c:2917\n hci_cmd_sync_work+0x1a4/0x410 net/bluetooth/hci_sync.c:328\n process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231\n process_scheduled_works kernel/workqueue.c:3312 [inline]\n worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389\n kthread+0x2c1/0x3a0 kernel/kthread.c:389\n ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:29:58.045Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/686e05c9dbd68766c6bda5f31f7e077f36a7fb29", }, { url: "https://git.kernel.org/stable/c/b22346eec479a30bfa4a02ad2c551b54809694d0", }, { url: "https://git.kernel.org/stable/c/b90907696c30172b809aa3dd2f0caffae761e4c6", }, { url: "https://git.kernel.org/stable/c/78d30ce16fdf9c301bcd8b83ce613cea079cea83", }, { url: "https://git.kernel.org/stable/c/a1c6174e23df10b8e5770e82d63bc6e2118a3dc7", }, { url: "https://git.kernel.org/stable/c/333b4fd11e89b29c84c269123f871883a30be586", }, ], title: "Bluetooth: L2CAP: Fix uaf in l2cap_connect", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49950", datePublished: "2024-10-21T18:02:06.387Z", dateReserved: "2024-10-21T12:17:06.046Z", dateUpdated: "2024-12-19T09:29:58.045Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49972
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-19 09:30
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Deallocate DML memory if allocation fails
[Why]
When DC state create DML memory allocation fails, memory is not
deallocated subsequently, resulting in uninitialized structure
that is not NULL.
[How]
Deallocate memory if DML memory allocation fails.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49972", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:33:39.314434Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:46.024Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/core/dc_state.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "80345daa5746184195f2d383a2f1bad058f0f94c", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "892abca6877a96c9123bb1c010cafccdf8ca1b75", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/core/dc_state.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Deallocate DML memory if allocation fails\n\n[Why]\nWhen DC state create DML memory allocation fails, memory is not\ndeallocated subsequently, resulting in uninitialized structure\nthat is not NULL.\n\n[How]\nDeallocate memory if DML memory allocation fails.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:30:27.080Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/80345daa5746184195f2d383a2f1bad058f0f94c", }, { url: "https://git.kernel.org/stable/c/892abca6877a96c9123bb1c010cafccdf8ca1b75", }, ], title: "drm/amd/display: Deallocate DML memory if allocation fails", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49972", datePublished: "2024-10-21T18:02:21.014Z", dateReserved: "2024-10-21T12:17:06.051Z", dateUpdated: "2024-12-19T09:30:27.080Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49923
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:29
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Pass non-null to dcn20_validate_apply_pipe_split_flags
[WHAT & HOW]
"dcn20_validate_apply_pipe_split_flags" dereferences merge, and thus it
cannot be a null pointer. Let's pass a valid pointer to avoid null
dereference.
This fixes 2 FORWARD_NULL issues reported by Coverity.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49923", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:40:05.593718Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:44.332Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/resource/dcn20/dcn20_resource.c", "drivers/gpu/drm/amd/display/dc/resource/dcn21/dcn21_resource.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "85aa996ecfaa95d1e922867390502d23ce21b905", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "9a05270869f40c89f8d184fe2d37cb86e0d7e5f5", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "5559598742fb4538e4c51c48ef70563c49c2af23", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/resource/dcn20/dcn20_resource.c", "drivers/gpu/drm/amd/display/dc/resource/dcn21/dcn21_resource.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Pass non-null to dcn20_validate_apply_pipe_split_flags\n\n[WHAT & HOW]\n\"dcn20_validate_apply_pipe_split_flags\" dereferences merge, and thus it\ncannot be a null pointer. Let's pass a valid pointer to avoid null\ndereference.\n\nThis fixes 2 FORWARD_NULL issues reported by Coverity.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:29:07.553Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/85aa996ecfaa95d1e922867390502d23ce21b905", }, { url: "https://git.kernel.org/stable/c/9a05270869f40c89f8d184fe2d37cb86e0d7e5f5", }, { url: "https://git.kernel.org/stable/c/5559598742fb4538e4c51c48ef70563c49c2af23", }, ], title: "drm/amd/display: Pass non-null to dcn20_validate_apply_pipe_split_flags", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49923", datePublished: "2024-10-21T18:01:48.405Z", dateReserved: "2024-10-21T12:17:06.036Z", dateUpdated: "2024-12-19T09:29:07.553Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49968
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-19 09:30
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: filesystems without casefold feature cannot be mounted with siphash
When mounting the ext4 filesystem, if the default hash version is set to
DX_HASH_SIPHASH but the casefold feature is not set, exit the mounting.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49968", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:34:11.259486Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:46.654Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/ext4/super.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "e1373903db6c4ac994de0d18076280ad88e12dee", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "985b67cd86392310d9e9326de941c22fc9340eec", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/ext4/super.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\next4: filesystems without casefold feature cannot be mounted with siphash\n\nWhen mounting the ext4 filesystem, if the default hash version is set to\nDX_HASH_SIPHASH but the casefold feature is not set, exit the mounting.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:30:22.266Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/e1373903db6c4ac994de0d18076280ad88e12dee", }, { url: "https://git.kernel.org/stable/c/985b67cd86392310d9e9326de941c22fc9340eec", }, ], title: "ext4: filesystems without casefold feature cannot be mounted with siphash", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49968", datePublished: "2024-10-21T18:02:18.369Z", dateReserved: "2024-10-21T12:17:06.051Z", dateUpdated: "2024-12-19T09:30:22.266Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48969
Vulnerability from cvelistv5
Published
2024-10-21 20:05
Modified
2024-12-19 08:11
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
xen-netfront: Fix NULL sring after live migration
A NAPI is setup for each network sring to poll data to kernel
The sring with source host is destroyed before live migration and
new sring with target host is setup after live migration.
The NAPI for the old sring is not deleted until setup new sring
with target host after migration. With busy_poll/busy_read enabled,
the NAPI can be polled before got deleted when resume VM.
BUG: unable to handle kernel NULL pointer dereference at
0000000000000008
IP: xennet_poll+0xae/0xd20
PGD 0 P4D 0
Oops: 0000 [#1] SMP PTI
Call Trace:
finish_task_switch+0x71/0x230
timerqueue_del+0x1d/0x40
hrtimer_try_to_cancel+0xb5/0x110
xennet_alloc_rx_buffers+0x2a0/0x2a0
napi_busy_loop+0xdb/0x270
sock_poll+0x87/0x90
do_sys_poll+0x26f/0x580
tracing_map_insert+0x1d4/0x2f0
event_hist_trigger+0x14a/0x260
finish_task_switch+0x71/0x230
__schedule+0x256/0x890
recalc_sigpending+0x1b/0x50
xen_sched_clock+0x15/0x20
__rb_reserve_next+0x12d/0x140
ring_buffer_lock_reserve+0x123/0x3d0
event_triggers_call+0x87/0xb0
trace_event_buffer_commit+0x1c4/0x210
xen_clocksource_get_cycles+0x15/0x20
ktime_get_ts64+0x51/0xf0
SyS_ppoll+0x160/0x1a0
SyS_ppoll+0x160/0x1a0
do_syscall_64+0x73/0x130
entry_SYSCALL_64_after_hwframe+0x41/0xa6
...
RIP: xennet_poll+0xae/0xd20 RSP: ffffb4f041933900
CR2: 0000000000000008
---[ end trace f8601785b354351c ]---
xen frontend should remove the NAPIs for the old srings before live
migration as the bond srings are destroyed
There is a tiny window between the srings are set to NULL and
the NAPIs are disabled, It is safe as the NAPI threads are still
frozen at that time
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 4ec2411980d0fd2995e8dea8a06fe57aa47523cb Version: 4ec2411980d0fd2995e8dea8a06fe57aa47523cb Version: 4ec2411980d0fd2995e8dea8a06fe57aa47523cb Version: 4ec2411980d0fd2995e8dea8a06fe57aa47523cb Version: 4ec2411980d0fd2995e8dea8a06fe57aa47523cb Version: 4ec2411980d0fd2995e8dea8a06fe57aa47523cb |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48969", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:19:22.834399Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:38.112Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/xen-netfront.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "99859947517e446058ad7243ee81d2f9801fa3dd", status: "affected", version: "4ec2411980d0fd2995e8dea8a06fe57aa47523cb", versionType: "git", }, { lessThan: "ed773dd798bf720756d20021b8d8a4a3d7184bda", status: "affected", version: "4ec2411980d0fd2995e8dea8a06fe57aa47523cb", versionType: "git", }, { lessThan: "e6860c889f4ad50b6ab696f5ea154295d72cf27a", status: "affected", version: "4ec2411980d0fd2995e8dea8a06fe57aa47523cb", versionType: "git", }, { lessThan: "e6e897d4fe2f89c0bd94600a40bedf5e6e75e050", status: "affected", version: "4ec2411980d0fd2995e8dea8a06fe57aa47523cb", versionType: "git", }, { lessThan: "f2dd60fd3fe98bd36a91b0c6e10bfe9d66258f84", status: "affected", version: "4ec2411980d0fd2995e8dea8a06fe57aa47523cb", versionType: "git", }, { lessThan: "d50b7914fae04d840ce36491d22133070b18cca9", status: "affected", version: "4ec2411980d0fd2995e8dea8a06fe57aa47523cb", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/xen-netfront.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "2.6.24", }, { lessThan: "2.6.24", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.269", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.227", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.159", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.83", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.13", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nxen-netfront: Fix NULL sring after live migration\n\nA NAPI is setup for each network sring to poll data to kernel\nThe sring with source host is destroyed before live migration and\nnew sring with target host is setup after live migration.\nThe NAPI for the old sring is not deleted until setup new sring\nwith target host after migration. With busy_poll/busy_read enabled,\nthe NAPI can be polled before got deleted when resume VM.\n\nBUG: unable to handle kernel NULL pointer dereference at\n0000000000000008\nIP: xennet_poll+0xae/0xd20\nPGD 0 P4D 0\nOops: 0000 [#1] SMP PTI\nCall Trace:\n finish_task_switch+0x71/0x230\n timerqueue_del+0x1d/0x40\n hrtimer_try_to_cancel+0xb5/0x110\n xennet_alloc_rx_buffers+0x2a0/0x2a0\n napi_busy_loop+0xdb/0x270\n sock_poll+0x87/0x90\n do_sys_poll+0x26f/0x580\n tracing_map_insert+0x1d4/0x2f0\n event_hist_trigger+0x14a/0x260\n\n finish_task_switch+0x71/0x230\n __schedule+0x256/0x890\n recalc_sigpending+0x1b/0x50\n xen_sched_clock+0x15/0x20\n __rb_reserve_next+0x12d/0x140\n ring_buffer_lock_reserve+0x123/0x3d0\n event_triggers_call+0x87/0xb0\n trace_event_buffer_commit+0x1c4/0x210\n xen_clocksource_get_cycles+0x15/0x20\n ktime_get_ts64+0x51/0xf0\n SyS_ppoll+0x160/0x1a0\n SyS_ppoll+0x160/0x1a0\n do_syscall_64+0x73/0x130\n entry_SYSCALL_64_after_hwframe+0x41/0xa6\n...\nRIP: xennet_poll+0xae/0xd20 RSP: ffffb4f041933900\nCR2: 0000000000000008\n---[ end trace f8601785b354351c ]---\n\nxen frontend should remove the NAPIs for the old srings before live\nmigration as the bond srings are destroyed\n\nThere is a tiny window between the srings are set to NULL and\nthe NAPIs are disabled, It is safe as the NAPI threads are still\nfrozen at that time", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:11:35.395Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/99859947517e446058ad7243ee81d2f9801fa3dd", }, { url: "https://git.kernel.org/stable/c/ed773dd798bf720756d20021b8d8a4a3d7184bda", }, { url: "https://git.kernel.org/stable/c/e6860c889f4ad50b6ab696f5ea154295d72cf27a", }, { url: "https://git.kernel.org/stable/c/e6e897d4fe2f89c0bd94600a40bedf5e6e75e050", }, { url: "https://git.kernel.org/stable/c/f2dd60fd3fe98bd36a91b0c6e10bfe9d66258f84", }, { url: "https://git.kernel.org/stable/c/d50b7914fae04d840ce36491d22133070b18cca9", }, ], title: "xen-netfront: Fix NULL sring after live migration", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48969", datePublished: "2024-10-21T20:05:51.051Z", dateReserved: "2024-08-22T01:27:53.629Z", dateUpdated: "2024-12-19T08:11:35.395Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50033
Vulnerability from cvelistv5
Published
2024-10-21 19:39
Modified
2024-12-19 09:31
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
slip: make slhc_remember() more robust against malicious packets
syzbot found that slhc_remember() was missing checks against
malicious packets [1].
slhc_remember() only checked the size of the packet was at least 20,
which is not good enough.
We need to make sure the packet includes the IPv4 and TCP header
that are supposed to be carried.
Add iph and th pointers to make the code more readable.
[1]
BUG: KMSAN: uninit-value in slhc_remember+0x2e8/0x7b0 drivers/net/slip/slhc.c:666
slhc_remember+0x2e8/0x7b0 drivers/net/slip/slhc.c:666
ppp_receive_nonmp_frame+0xe45/0x35e0 drivers/net/ppp/ppp_generic.c:2455
ppp_receive_frame drivers/net/ppp/ppp_generic.c:2372 [inline]
ppp_do_recv+0x65f/0x40d0 drivers/net/ppp/ppp_generic.c:2212
ppp_input+0x7dc/0xe60 drivers/net/ppp/ppp_generic.c:2327
pppoe_rcv_core+0x1d3/0x720 drivers/net/ppp/pppoe.c:379
sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1113
__release_sock+0x1da/0x330 net/core/sock.c:3072
release_sock+0x6b/0x250 net/core/sock.c:3626
pppoe_sendmsg+0x2b8/0xb90 drivers/net/ppp/pppoe.c:903
sock_sendmsg_nosec net/socket.c:729 [inline]
__sock_sendmsg+0x30f/0x380 net/socket.c:744
____sys_sendmsg+0x903/0xb60 net/socket.c:2602
___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656
__sys_sendmmsg+0x3c1/0x960 net/socket.c:2742
__do_sys_sendmmsg net/socket.c:2771 [inline]
__se_sys_sendmmsg net/socket.c:2768 [inline]
__x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768
x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was created at:
slab_post_alloc_hook mm/slub.c:4091 [inline]
slab_alloc_node mm/slub.c:4134 [inline]
kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4186
kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:587
__alloc_skb+0x363/0x7b0 net/core/skbuff.c:678
alloc_skb include/linux/skbuff.h:1322 [inline]
sock_wmalloc+0xfe/0x1a0 net/core/sock.c:2732
pppoe_sendmsg+0x3a7/0xb90 drivers/net/ppp/pppoe.c:867
sock_sendmsg_nosec net/socket.c:729 [inline]
__sock_sendmsg+0x30f/0x380 net/socket.c:744
____sys_sendmsg+0x903/0xb60 net/socket.c:2602
___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656
__sys_sendmmsg+0x3c1/0x960 net/socket.c:2742
__do_sys_sendmmsg net/socket.c:2771 [inline]
__se_sys_sendmmsg net/socket.c:2768 [inline]
__x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768
x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
CPU: 0 UID: 0 PID: 5460 Comm: syz.2.33 Not tainted 6.12.0-rc2-syzkaller-00006-g87d6aab2389e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: b5451d783ade99308dfccdf5ca284ed07affa4ff Version: b5451d783ade99308dfccdf5ca284ed07affa4ff Version: b5451d783ade99308dfccdf5ca284ed07affa4ff Version: b5451d783ade99308dfccdf5ca284ed07affa4ff Version: b5451d783ade99308dfccdf5ca284ed07affa4ff Version: b5451d783ade99308dfccdf5ca284ed07affa4ff Version: b5451d783ade99308dfccdf5ca284ed07affa4ff |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50033", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:25:49.586727Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:45.501Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/slip/slhc.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "ba6501ea06462d6404d57d5644cf2854db38e7d7", status: "affected", version: "b5451d783ade99308dfccdf5ca284ed07affa4ff", versionType: "git", }, { lessThan: "36b054324d18e51cf466134e13b6fbe3c91f52af", status: "affected", version: "b5451d783ade99308dfccdf5ca284ed07affa4ff", versionType: "git", }, { lessThan: "5e336384cc9b608e0551f99c3d87316ca3b0e51a", status: "affected", version: "b5451d783ade99308dfccdf5ca284ed07affa4ff", versionType: "git", }, { lessThan: "ff5e0f895315706e4ca5a19df15be6866cee4f5d", status: "affected", version: "b5451d783ade99308dfccdf5ca284ed07affa4ff", versionType: "git", }, { lessThan: "8bb79eb1db85a10865f0d4dd15b013def3f2d246", status: "affected", version: "b5451d783ade99308dfccdf5ca284ed07affa4ff", versionType: "git", }, { lessThan: "29e8d96d44f51cf89a62dd042be35d052833b95c", status: "affected", version: "b5451d783ade99308dfccdf5ca284ed07affa4ff", versionType: "git", }, { lessThan: "7d3fce8cbe3a70a1c7c06c9b53696be5d5d8dd5c", status: "affected", version: "b5451d783ade99308dfccdf5ca284ed07affa4ff", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/slip/slhc.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "3.2", }, { lessThan: "3.2", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.57", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.4", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nslip: make slhc_remember() more robust against malicious packets\n\nsyzbot found that slhc_remember() was missing checks against\nmalicious packets [1].\n\nslhc_remember() only checked the size of the packet was at least 20,\nwhich is not good enough.\n\nWe need to make sure the packet includes the IPv4 and TCP header\nthat are supposed to be carried.\n\nAdd iph and th pointers to make the code more readable.\n\n[1]\n\nBUG: KMSAN: uninit-value in slhc_remember+0x2e8/0x7b0 drivers/net/slip/slhc.c:666\n slhc_remember+0x2e8/0x7b0 drivers/net/slip/slhc.c:666\n ppp_receive_nonmp_frame+0xe45/0x35e0 drivers/net/ppp/ppp_generic.c:2455\n ppp_receive_frame drivers/net/ppp/ppp_generic.c:2372 [inline]\n ppp_do_recv+0x65f/0x40d0 drivers/net/ppp/ppp_generic.c:2212\n ppp_input+0x7dc/0xe60 drivers/net/ppp/ppp_generic.c:2327\n pppoe_rcv_core+0x1d3/0x720 drivers/net/ppp/pppoe.c:379\n sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1113\n __release_sock+0x1da/0x330 net/core/sock.c:3072\n release_sock+0x6b/0x250 net/core/sock.c:3626\n pppoe_sendmsg+0x2b8/0xb90 drivers/net/ppp/pppoe.c:903\n sock_sendmsg_nosec net/socket.c:729 [inline]\n __sock_sendmsg+0x30f/0x380 net/socket.c:744\n ____sys_sendmsg+0x903/0xb60 net/socket.c:2602\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656\n __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742\n __do_sys_sendmmsg net/socket.c:2771 [inline]\n __se_sys_sendmmsg net/socket.c:2768 [inline]\n __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768\n x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:4091 [inline]\n slab_alloc_node mm/slub.c:4134 [inline]\n kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4186\n kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:587\n __alloc_skb+0x363/0x7b0 net/core/skbuff.c:678\n alloc_skb include/linux/skbuff.h:1322 [inline]\n sock_wmalloc+0xfe/0x1a0 net/core/sock.c:2732\n pppoe_sendmsg+0x3a7/0xb90 drivers/net/ppp/pppoe.c:867\n sock_sendmsg_nosec net/socket.c:729 [inline]\n __sock_sendmsg+0x30f/0x380 net/socket.c:744\n ____sys_sendmsg+0x903/0xb60 net/socket.c:2602\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656\n __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742\n __do_sys_sendmmsg net/socket.c:2771 [inline]\n __se_sys_sendmmsg net/socket.c:2768 [inline]\n __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768\n x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nCPU: 0 UID: 0 PID: 5460 Comm: syz.2.33 Not tainted 6.12.0-rc2-syzkaller-00006-g87d6aab2389e #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:31:46.060Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/ba6501ea06462d6404d57d5644cf2854db38e7d7", }, { url: "https://git.kernel.org/stable/c/36b054324d18e51cf466134e13b6fbe3c91f52af", }, { url: "https://git.kernel.org/stable/c/5e336384cc9b608e0551f99c3d87316ca3b0e51a", }, { url: "https://git.kernel.org/stable/c/ff5e0f895315706e4ca5a19df15be6866cee4f5d", }, { url: "https://git.kernel.org/stable/c/8bb79eb1db85a10865f0d4dd15b013def3f2d246", }, { url: "https://git.kernel.org/stable/c/29e8d96d44f51cf89a62dd042be35d052833b95c", }, { url: "https://git.kernel.org/stable/c/7d3fce8cbe3a70a1c7c06c9b53696be5d5d8dd5c", }, ], title: "slip: make slhc_remember() more robust against malicious packets", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50033", datePublished: "2024-10-21T19:39:35.127Z", dateReserved: "2024-10-21T12:17:06.069Z", dateUpdated: "2024-12-19T09:31:46.060Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50008
Vulnerability from cvelistv5
Published
2024-10-21 18:54
Modified
2024-12-19 09:31
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_cmd_802_11_scan_ext()
Replace one-element array with a flexible-array member in
`struct host_cmd_ds_802_11_scan_ext`.
With this, fix the following warning:
elo 16 17:51:58 surfacebook kernel: ------------[ cut here ]------------
elo 16 17:51:58 surfacebook kernel: memcpy: detected field-spanning write (size 243) of single field "ext_scan->tlv_buffer" at drivers/net/wireless/marvell/mwifiex/scan.c:2239 (size 1)
elo 16 17:51:58 surfacebook kernel: WARNING: CPU: 0 PID: 498 at drivers/net/wireless/marvell/mwifiex/scan.c:2239 mwifiex_cmd_802_11_scan_ext+0x83/0x90 [mwifiex]
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50008", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:29:03.899555Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:40.091Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/wireless/marvell/mwifiex/fw.h", "drivers/net/wireless/marvell/mwifiex/scan.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "b55c8848fdc81514ec047b2a0ec782ffe9ab5323", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "f9310a6704bf52e2493480edea896e1f9b795d40", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "1756918f51e9ab247a0f4782cc28853c2bb457c1", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "e59bdb1ba594104cd0ee0af3ee9e4435d842a8fe", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "17199b69a84798efffc475040fbef44374ef1de1", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "fef7b51f22cf2049b0ca6740adeb0ba6f2e671dc", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "71267bd4e8c752d7af6c6b96bb83984a6a95273d", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "a3a12c30f9510f3753286fadbc6cdb7dad78c1d5", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "498365e52bebcbc36a93279fe7e9d6aec8479cee", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/wireless/marvell/mwifiex/fw.h", "drivers/net/wireless/marvell/mwifiex/scan.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_cmd_802_11_scan_ext()\n\nReplace one-element array with a flexible-array member in\n`struct host_cmd_ds_802_11_scan_ext`.\n\nWith this, fix the following warning:\n\nelo 16 17:51:58 surfacebook kernel: ------------[ cut here ]------------\nelo 16 17:51:58 surfacebook kernel: memcpy: detected field-spanning write (size 243) of single field \"ext_scan->tlv_buffer\" at drivers/net/wireless/marvell/mwifiex/scan.c:2239 (size 1)\nelo 16 17:51:58 surfacebook kernel: WARNING: CPU: 0 PID: 498 at drivers/net/wireless/marvell/mwifiex/scan.c:2239 mwifiex_cmd_802_11_scan_ext+0x83/0x90 [mwifiex]", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:31:11.351Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/b55c8848fdc81514ec047b2a0ec782ffe9ab5323", }, { url: "https://git.kernel.org/stable/c/f9310a6704bf52e2493480edea896e1f9b795d40", }, { url: "https://git.kernel.org/stable/c/1756918f51e9ab247a0f4782cc28853c2bb457c1", }, { url: "https://git.kernel.org/stable/c/e59bdb1ba594104cd0ee0af3ee9e4435d842a8fe", }, { url: "https://git.kernel.org/stable/c/17199b69a84798efffc475040fbef44374ef1de1", }, { url: "https://git.kernel.org/stable/c/fef7b51f22cf2049b0ca6740adeb0ba6f2e671dc", }, { url: "https://git.kernel.org/stable/c/71267bd4e8c752d7af6c6b96bb83984a6a95273d", }, { url: "https://git.kernel.org/stable/c/a3a12c30f9510f3753286fadbc6cdb7dad78c1d5", }, { url: "https://git.kernel.org/stable/c/498365e52bebcbc36a93279fe7e9d6aec8479cee", }, ], title: "wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_cmd_802_11_scan_ext()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50008", datePublished: "2024-10-21T18:54:01.348Z", dateReserved: "2024-10-21T12:17:06.060Z", dateUpdated: "2024-12-19T09:31:11.351Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47737
Vulnerability from cvelistv5
Published
2024-10-21 12:14
Modified
2024-12-19 09:27
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfsd: call cache_put if xdr_reserve_space returns NULL
If not enough buffer space available, but idmap_lookup has triggered
lookup_fn which calls cache_get and returns successfully. Then we
missed to call cache_put here which pairs with cache_get.
Reviwed-by: Jeff Layton <jlayton@kernel.org>
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: ddd1ea56367202f6c99135cd59de7a97af4c4ffd Version: ddd1ea56367202f6c99135cd59de7a97af4c4ffd Version: ddd1ea56367202f6c99135cd59de7a97af4c4ffd Version: ddd1ea56367202f6c99135cd59de7a97af4c4ffd Version: ddd1ea56367202f6c99135cd59de7a97af4c4ffd Version: ddd1ea56367202f6c99135cd59de7a97af4c4ffd Version: ddd1ea56367202f6c99135cd59de7a97af4c4ffd Version: ddd1ea56367202f6c99135cd59de7a97af4c4ffd Version: ddd1ea56367202f6c99135cd59de7a97af4c4ffd |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47737", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T12:59:42.866272Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:14.991Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/nfsd/nfs4idmap.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "3e8081ebff12bec1347deaceb6bce0765cce54df", status: "affected", version: "ddd1ea56367202f6c99135cd59de7a97af4c4ffd", versionType: "git", }, { lessThan: "c6b16e700cf4d959af524bd9d3978407ff7ce462", status: "affected", version: "ddd1ea56367202f6c99135cd59de7a97af4c4ffd", versionType: "git", }, { lessThan: "9f03f0016ff797932551881c7e06ae50e9c39134", status: "affected", version: "ddd1ea56367202f6c99135cd59de7a97af4c4ffd", versionType: "git", }, { lessThan: "9803ab882d565a8fb2dde5999d98866d1c499dfd", status: "affected", version: "ddd1ea56367202f6c99135cd59de7a97af4c4ffd", versionType: "git", }, { lessThan: "81821617312988096f5deccf0f7da6f888e98056", status: "affected", version: "ddd1ea56367202f6c99135cd59de7a97af4c4ffd", versionType: "git", }, { lessThan: "a1afbbb5276f943ad7173d0b4c626b8c75a260da", status: "affected", version: "ddd1ea56367202f6c99135cd59de7a97af4c4ffd", versionType: "git", }, { lessThan: "e32ee6a61041925d1a05c14d10352dcfce9ef029", status: "affected", version: "ddd1ea56367202f6c99135cd59de7a97af4c4ffd", versionType: "git", }, { lessThan: "8d0765f86135e27f0bb5c950c136495719b4c834", status: "affected", version: "ddd1ea56367202f6c99135cd59de7a97af4c4ffd", versionType: "git", }, { lessThan: "d078cbf5c38de83bc31f83c47dcd2184c04a50c7", status: "affected", version: "ddd1ea56367202f6c99135cd59de7a97af4c4ffd", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/nfsd/nfs4idmap.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "3.16", }, { lessThan: "3.16", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: call cache_put if xdr_reserve_space returns NULL\n\nIf not enough buffer space available, but idmap_lookup has triggered\nlookup_fn which calls cache_get and returns successfully. Then we\nmissed to call cache_put here which pairs with cache_get.\n\nReviwed-by: Jeff Layton <jlayton@kernel.org>", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:27:06.441Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/3e8081ebff12bec1347deaceb6bce0765cce54df", }, { url: "https://git.kernel.org/stable/c/c6b16e700cf4d959af524bd9d3978407ff7ce462", }, { url: "https://git.kernel.org/stable/c/9f03f0016ff797932551881c7e06ae50e9c39134", }, { url: "https://git.kernel.org/stable/c/9803ab882d565a8fb2dde5999d98866d1c499dfd", }, { url: "https://git.kernel.org/stable/c/81821617312988096f5deccf0f7da6f888e98056", }, { url: "https://git.kernel.org/stable/c/a1afbbb5276f943ad7173d0b4c626b8c75a260da", }, { url: "https://git.kernel.org/stable/c/e32ee6a61041925d1a05c14d10352dcfce9ef029", }, { url: "https://git.kernel.org/stable/c/8d0765f86135e27f0bb5c950c136495719b4c834", }, { url: "https://git.kernel.org/stable/c/d078cbf5c38de83bc31f83c47dcd2184c04a50c7", }, ], title: "nfsd: call cache_put if xdr_reserve_space returns NULL", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47737", datePublished: "2024-10-21T12:14:07.168Z", dateReserved: "2024-09-30T16:00:12.959Z", dateUpdated: "2024-12-19T09:27:06.441Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49909
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:28
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Add NULL check for function pointer in dcn32_set_output_transfer_func
This commit adds a null check for the set_output_gamma function pointer
in the dcn32_set_output_transfer_func function. Previously,
set_output_gamma was being checked for null, but then it was being
dereferenced without any null check. This could lead to a null pointer
dereference if set_output_gamma is null.
To fix this, we now ensure that set_output_gamma is not null before
dereferencing it. We do this by adding a null check for set_output_gamma
before the call to set_output_gamma.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49909", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:41:51.958050Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:46.409Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/hwss/dcn32/dcn32_hwseq.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "e087c9738ee1cdeebde346f4dfc819e5f7057e90", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "f38b09ba6a335c511eb27920bb9bb4a1b2c20084", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "496486950c3d2aebf46a3be300296ac091da7a2d", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "5298270bdabe97be5b8236e544c9e936415fe1f2", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "28574b08c70e56d34d6f6379326a860b96749051", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/hwss/dcn32/dcn32_hwseq.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.120", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.64", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add NULL check for function pointer in dcn32_set_output_transfer_func\n\nThis commit adds a null check for the set_output_gamma function pointer\nin the dcn32_set_output_transfer_func function. Previously,\nset_output_gamma was being checked for null, but then it was being\ndereferenced without any null check. This could lead to a null pointer\ndereference if set_output_gamma is null.\n\nTo fix this, we now ensure that set_output_gamma is not null before\ndereferencing it. We do this by adding a null check for set_output_gamma\nbefore the call to set_output_gamma.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:28:50.320Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/e087c9738ee1cdeebde346f4dfc819e5f7057e90", }, { url: "https://git.kernel.org/stable/c/f38b09ba6a335c511eb27920bb9bb4a1b2c20084", }, { url: "https://git.kernel.org/stable/c/496486950c3d2aebf46a3be300296ac091da7a2d", }, { url: "https://git.kernel.org/stable/c/5298270bdabe97be5b8236e544c9e936415fe1f2", }, { url: "https://git.kernel.org/stable/c/28574b08c70e56d34d6f6379326a860b96749051", }, ], title: "drm/amd/display: Add NULL check for function pointer in dcn32_set_output_transfer_func", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49909", datePublished: "2024-10-21T18:01:38.803Z", dateReserved: "2024-10-21T12:17:06.028Z", dateUpdated: "2024-12-19T09:28:50.320Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50031
Vulnerability from cvelistv5
Published
2024-10-21 19:39
Modified
2024-12-19 09:31
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/v3d: Stop the active perfmon before being destroyed
When running `kmscube` with one or more performance monitors enabled
via `GALLIUM_HUD`, the following kernel panic can occur:
[ 55.008324] Unable to handle kernel paging request at virtual address 00000000052004a4
[ 55.008368] Mem abort info:
[ 55.008377] ESR = 0x0000000096000005
[ 55.008387] EC = 0x25: DABT (current EL), IL = 32 bits
[ 55.008402] SET = 0, FnV = 0
[ 55.008412] EA = 0, S1PTW = 0
[ 55.008421] FSC = 0x05: level 1 translation fault
[ 55.008434] Data abort info:
[ 55.008442] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
[ 55.008455] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 55.008467] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 55.008481] user pgtable: 4k pages, 39-bit VAs, pgdp=00000001046c6000
[ 55.008497] [00000000052004a4] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000
[ 55.008525] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
[ 55.008542] Modules linked in: rfcomm [...] vc4 v3d snd_soc_hdmi_codec drm_display_helper
gpu_sched drm_shmem_helper cec drm_dma_helper drm_kms_helper i2c_brcmstb
drm drm_panel_orientation_quirks snd_soc_core snd_compress snd_pcm_dmaengine snd_pcm snd_timer snd backlight
[ 55.008799] CPU: 2 PID: 166 Comm: v3d_bin Tainted: G C 6.6.47+rpt-rpi-v8 #1 Debian 1:6.6.47-1+rpt1
[ 55.008824] Hardware name: Raspberry Pi 4 Model B Rev 1.5 (DT)
[ 55.008838] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 55.008855] pc : __mutex_lock.constprop.0+0x90/0x608
[ 55.008879] lr : __mutex_lock.constprop.0+0x58/0x608
[ 55.008895] sp : ffffffc080673cf0
[ 55.008904] x29: ffffffc080673cf0 x28: 0000000000000000 x27: ffffff8106188a28
[ 55.008926] x26: ffffff8101e78040 x25: ffffff8101baa6c0 x24: ffffffd9d989f148
[ 55.008947] x23: ffffffda1c2a4008 x22: 0000000000000002 x21: ffffffc080673d38
[ 55.008968] x20: ffffff8101238000 x19: ffffff8104f83188 x18: 0000000000000000
[ 55.008988] x17: 0000000000000000 x16: ffffffda1bd04d18 x15: 00000055bb08bc90
[ 55.009715] x14: 0000000000000000 x13: 0000000000000000 x12: ffffffda1bd4cbb0
[ 55.010433] x11: 00000000fa83b2da x10: 0000000000001a40 x9 : ffffffda1bd04d04
[ 55.011162] x8 : ffffff8102097b80 x7 : 0000000000000000 x6 : 00000000030a5857
[ 55.011880] x5 : 00ffffffffffffff x4 : 0300000005200470 x3 : 0300000005200470
[ 55.012598] x2 : ffffff8101238000 x1 : 0000000000000021 x0 : 0300000005200470
[ 55.013292] Call trace:
[ 55.013959] __mutex_lock.constprop.0+0x90/0x608
[ 55.014646] __mutex_lock_slowpath+0x1c/0x30
[ 55.015317] mutex_lock+0x50/0x68
[ 55.015961] v3d_perfmon_stop+0x40/0xe0 [v3d]
[ 55.016627] v3d_bin_job_run+0x10c/0x2d8 [v3d]
[ 55.017282] drm_sched_main+0x178/0x3f8 [gpu_sched]
[ 55.017921] kthread+0x11c/0x128
[ 55.018554] ret_from_fork+0x10/0x20
[ 55.019168] Code: f9400260 f1001c1f 54001ea9 927df000 (b9403401)
[ 55.019776] ---[ end trace 0000000000000000 ]---
[ 55.020411] note: v3d_bin[166] exited with preempt_count 1
This issue arises because, upon closing the file descriptor (which happens
when we interrupt `kmscube`), the active performance monitor is not
stopped. Although all perfmons are destroyed in `v3d_perfmon_close_file()`,
the active performance monitor's pointer (`v3d->active_perfmon`) is still
retained.
If `kmscube` is run again, the driver will attempt to stop the active
performance monitor using the stale pointer in `v3d->active_perfmon`.
However, this pointer is no longer valid because the previous process has
already terminated, and all performance monitors associated with it have
been destroyed and freed.
To fix this, when the active performance monitor belongs to a given
process, explicitly stop it before destroying and freeing it.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 26a4dc29b74a137f45665089f6d3d633fcc9b662 Version: 26a4dc29b74a137f45665089f6d3d633fcc9b662 Version: 26a4dc29b74a137f45665089f6d3d633fcc9b662 Version: 26a4dc29b74a137f45665089f6d3d633fcc9b662 Version: 26a4dc29b74a137f45665089f6d3d633fcc9b662 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50031", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:26:04.844363Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:45.758Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/v3d/v3d_perfmon.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "24ab54a066d2ef671b03eb909ca2114c0c9ac1e7", status: "affected", version: "26a4dc29b74a137f45665089f6d3d633fcc9b662", versionType: "git", }, { lessThan: "0c9e9a3a4873705740b19300cadc6599170646ef", status: "affected", version: "26a4dc29b74a137f45665089f6d3d633fcc9b662", versionType: "git", }, { lessThan: "07c51108d9e278831c16191d1223ee49986e7890", status: "affected", version: "26a4dc29b74a137f45665089f6d3d633fcc9b662", versionType: "git", }, { lessThan: "333767cbce6ac20ec794c76eec82ed0ef55022db", status: "affected", version: "26a4dc29b74a137f45665089f6d3d633fcc9b662", versionType: "git", }, { lessThan: "7d1fd3638ee3a9f9bca4785fffb638ca19120718", status: "affected", version: "26a4dc29b74a137f45665089f6d3d633fcc9b662", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/v3d/v3d_perfmon.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.15", }, { lessThan: "5.15", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.57", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.4", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/v3d: Stop the active perfmon before being destroyed\n\nWhen running `kmscube` with one or more performance monitors enabled\nvia `GALLIUM_HUD`, the following kernel panic can occur:\n\n[ 55.008324] Unable to handle kernel paging request at virtual address 00000000052004a4\n[ 55.008368] Mem abort info:\n[ 55.008377] ESR = 0x0000000096000005\n[ 55.008387] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 55.008402] SET = 0, FnV = 0\n[ 55.008412] EA = 0, S1PTW = 0\n[ 55.008421] FSC = 0x05: level 1 translation fault\n[ 55.008434] Data abort info:\n[ 55.008442] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\n[ 55.008455] CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[ 55.008467] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[ 55.008481] user pgtable: 4k pages, 39-bit VAs, pgdp=00000001046c6000\n[ 55.008497] [00000000052004a4] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000\n[ 55.008525] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP\n[ 55.008542] Modules linked in: rfcomm [...] vc4 v3d snd_soc_hdmi_codec drm_display_helper\ngpu_sched drm_shmem_helper cec drm_dma_helper drm_kms_helper i2c_brcmstb\ndrm drm_panel_orientation_quirks snd_soc_core snd_compress snd_pcm_dmaengine snd_pcm snd_timer snd backlight\n[ 55.008799] CPU: 2 PID: 166 Comm: v3d_bin Tainted: G C 6.6.47+rpt-rpi-v8 #1 Debian 1:6.6.47-1+rpt1\n[ 55.008824] Hardware name: Raspberry Pi 4 Model B Rev 1.5 (DT)\n[ 55.008838] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 55.008855] pc : __mutex_lock.constprop.0+0x90/0x608\n[ 55.008879] lr : __mutex_lock.constprop.0+0x58/0x608\n[ 55.008895] sp : ffffffc080673cf0\n[ 55.008904] x29: ffffffc080673cf0 x28: 0000000000000000 x27: ffffff8106188a28\n[ 55.008926] x26: ffffff8101e78040 x25: ffffff8101baa6c0 x24: ffffffd9d989f148\n[ 55.008947] x23: ffffffda1c2a4008 x22: 0000000000000002 x21: ffffffc080673d38\n[ 55.008968] x20: ffffff8101238000 x19: ffffff8104f83188 x18: 0000000000000000\n[ 55.008988] x17: 0000000000000000 x16: ffffffda1bd04d18 x15: 00000055bb08bc90\n[ 55.009715] x14: 0000000000000000 x13: 0000000000000000 x12: ffffffda1bd4cbb0\n[ 55.010433] x11: 00000000fa83b2da x10: 0000000000001a40 x9 : ffffffda1bd04d04\n[ 55.011162] x8 : ffffff8102097b80 x7 : 0000000000000000 x6 : 00000000030a5857\n[ 55.011880] x5 : 00ffffffffffffff x4 : 0300000005200470 x3 : 0300000005200470\n[ 55.012598] x2 : ffffff8101238000 x1 : 0000000000000021 x0 : 0300000005200470\n[ 55.013292] Call trace:\n[ 55.013959] __mutex_lock.constprop.0+0x90/0x608\n[ 55.014646] __mutex_lock_slowpath+0x1c/0x30\n[ 55.015317] mutex_lock+0x50/0x68\n[ 55.015961] v3d_perfmon_stop+0x40/0xe0 [v3d]\n[ 55.016627] v3d_bin_job_run+0x10c/0x2d8 [v3d]\n[ 55.017282] drm_sched_main+0x178/0x3f8 [gpu_sched]\n[ 55.017921] kthread+0x11c/0x128\n[ 55.018554] ret_from_fork+0x10/0x20\n[ 55.019168] Code: f9400260 f1001c1f 54001ea9 927df000 (b9403401)\n[ 55.019776] ---[ end trace 0000000000000000 ]---\n[ 55.020411] note: v3d_bin[166] exited with preempt_count 1\n\nThis issue arises because, upon closing the file descriptor (which happens\nwhen we interrupt `kmscube`), the active performance monitor is not\nstopped. Although all perfmons are destroyed in `v3d_perfmon_close_file()`,\nthe active performance monitor's pointer (`v3d->active_perfmon`) is still\nretained.\n\nIf `kmscube` is run again, the driver will attempt to stop the active\nperformance monitor using the stale pointer in `v3d->active_perfmon`.\nHowever, this pointer is no longer valid because the previous process has\nalready terminated, and all performance monitors associated with it have\nbeen destroyed and freed.\n\nTo fix this, when the active performance monitor belongs to a given\nprocess, explicitly stop it before destroying and freeing it.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:31:43.422Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/24ab54a066d2ef671b03eb909ca2114c0c9ac1e7", }, { url: "https://git.kernel.org/stable/c/0c9e9a3a4873705740b19300cadc6599170646ef", }, { url: "https://git.kernel.org/stable/c/07c51108d9e278831c16191d1223ee49986e7890", }, { url: "https://git.kernel.org/stable/c/333767cbce6ac20ec794c76eec82ed0ef55022db", }, { url: "https://git.kernel.org/stable/c/7d1fd3638ee3a9f9bca4785fffb638ca19120718", }, ], title: "drm/v3d: Stop the active perfmon before being destroyed", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50031", datePublished: "2024-10-21T19:39:33.795Z", dateReserved: "2024-10-21T12:17:06.069Z", dateUpdated: "2024-12-19T09:31:43.422Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47711
Vulnerability from cvelistv5
Published
2024-10-21 11:53
Modified
2024-12-19 09:26
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
af_unix: Don't return OOB skb in manage_oob().
syzbot reported use-after-free in unix_stream_recv_urg(). [0]
The scenario is
1. send(MSG_OOB)
2. recv(MSG_OOB)
-> The consumed OOB remains in recv queue
3. send(MSG_OOB)
4. recv()
-> manage_oob() returns the next skb of the consumed OOB
-> This is also OOB, but unix_sk(sk)->oob_skb is not cleared
5. recv(MSG_OOB)
-> unix_sk(sk)->oob_skb is used but already freed
The recent commit 8594d9b85c07 ("af_unix: Don't call skb_get() for OOB
skb.") uncovered the issue.
If the OOB skb is consumed and the next skb is peeked in manage_oob(),
we still need to check if the skb is OOB.
Let's do so by falling back to the following checks in manage_oob()
and add the test case in selftest.
Note that we need to add a similar check for SIOCATMARK.
[0]:
BUG: KASAN: slab-use-after-free in unix_stream_read_actor+0xa6/0xb0 net/unix/af_unix.c:2959
Read of size 4 at addr ffff8880326abcc4 by task syz-executor178/5235
CPU: 0 UID: 0 PID: 5235 Comm: syz-executor178 Not tainted 6.11.0-rc5-syzkaller-00742-gfbdaffe41adc #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:93 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
unix_stream_read_actor+0xa6/0xb0 net/unix/af_unix.c:2959
unix_stream_recv_urg+0x1df/0x320 net/unix/af_unix.c:2640
unix_stream_read_generic+0x2456/0x2520 net/unix/af_unix.c:2778
unix_stream_recvmsg+0x22b/0x2c0 net/unix/af_unix.c:2996
sock_recvmsg_nosec net/socket.c:1046 [inline]
sock_recvmsg+0x22f/0x280 net/socket.c:1068
____sys_recvmsg+0x1db/0x470 net/socket.c:2816
___sys_recvmsg net/socket.c:2858 [inline]
__sys_recvmsg+0x2f0/0x3e0 net/socket.c:2888
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f5360d6b4e9
Code: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff29b3a458 EFLAGS: 00000246 ORIG_RAX: 000000000000002f
RAX: ffffffffffffffda RBX: 00007fff29b3a638 RCX: 00007f5360d6b4e9
RDX: 0000000000002001 RSI: 0000000020000640 RDI: 0000000000000003
RBP: 00007f5360dde610 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 00007fff29b3a628 R14: 0000000000000001 R15: 0000000000000001
</TASK>
Allocated by task 5235:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
unpoison_slab_object mm/kasan/common.c:312 [inline]
__kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:338
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slub.c:3988 [inline]
slab_alloc_node mm/slub.c:4037 [inline]
kmem_cache_alloc_node_noprof+0x16b/0x320 mm/slub.c:4080
__alloc_skb+0x1c3/0x440 net/core/skbuff.c:667
alloc_skb include/linux/skbuff.h:1320 [inline]
alloc_skb_with_frags+0xc3/0x770 net/core/skbuff.c:6528
sock_alloc_send_pskb+0x91a/0xa60 net/core/sock.c:2815
sock_alloc_send_skb include/net/sock.h:1778 [inline]
queue_oob+0x108/0x680 net/unix/af_unix.c:2198
unix_stream_sendmsg+0xd24/0xf80 net/unix/af_unix.c:2351
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x221/0x270 net/socket.c:745
____sys_sendmsg+0x525/0x7d0 net/socket.c:2597
___sys_sendmsg net/socket.c:2651 [inline]
__sys_sendmsg+0x2b0/0x3a0 net/socket.c:2680
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 5235:
kasan_save_stack mm/kasan/common.c:47
---truncated---
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47711", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:03:14.686039Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:18.955Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/unix/af_unix.c", "tools/testing/selftests/net/af_unix/msg_oob.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "4a7f9a2591a923bdde4bd7eac33490b6ae3b257c", status: "affected", version: "93c99f21db360957d49853e5666b5c147f593bda", versionType: "git", }, { lessThan: "5aa57d9f2d5311f19434d95b2a81610aa263e23b", status: "affected", version: "93c99f21db360957d49853e5666b5c147f593bda", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/unix/af_unix.c", "tools/testing/selftests/net/af_unix/msg_oob.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.10", }, { lessThan: "6.10", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Don't return OOB skb in manage_oob().\n\nsyzbot reported use-after-free in unix_stream_recv_urg(). [0]\n\nThe scenario is\n\n 1. send(MSG_OOB)\n 2. recv(MSG_OOB)\n -> The consumed OOB remains in recv queue\n 3. send(MSG_OOB)\n 4. recv()\n -> manage_oob() returns the next skb of the consumed OOB\n -> This is also OOB, but unix_sk(sk)->oob_skb is not cleared\n 5. recv(MSG_OOB)\n -> unix_sk(sk)->oob_skb is used but already freed\n\nThe recent commit 8594d9b85c07 (\"af_unix: Don't call skb_get() for OOB\nskb.\") uncovered the issue.\n\nIf the OOB skb is consumed and the next skb is peeked in manage_oob(),\nwe still need to check if the skb is OOB.\n\nLet's do so by falling back to the following checks in manage_oob()\nand add the test case in selftest.\n\nNote that we need to add a similar check for SIOCATMARK.\n\n[0]:\nBUG: KASAN: slab-use-after-free in unix_stream_read_actor+0xa6/0xb0 net/unix/af_unix.c:2959\nRead of size 4 at addr ffff8880326abcc4 by task syz-executor178/5235\n\nCPU: 0 UID: 0 PID: 5235 Comm: syz-executor178 Not tainted 6.11.0-rc5-syzkaller-00742-gfbdaffe41adc #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:93 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n unix_stream_read_actor+0xa6/0xb0 net/unix/af_unix.c:2959\n unix_stream_recv_urg+0x1df/0x320 net/unix/af_unix.c:2640\n unix_stream_read_generic+0x2456/0x2520 net/unix/af_unix.c:2778\n unix_stream_recvmsg+0x22b/0x2c0 net/unix/af_unix.c:2996\n sock_recvmsg_nosec net/socket.c:1046 [inline]\n sock_recvmsg+0x22f/0x280 net/socket.c:1068\n ____sys_recvmsg+0x1db/0x470 net/socket.c:2816\n ___sys_recvmsg net/socket.c:2858 [inline]\n __sys_recvmsg+0x2f0/0x3e0 net/socket.c:2888\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f5360d6b4e9\nCode: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fff29b3a458 EFLAGS: 00000246 ORIG_RAX: 000000000000002f\nRAX: ffffffffffffffda RBX: 00007fff29b3a638 RCX: 00007f5360d6b4e9\nRDX: 0000000000002001 RSI: 0000000020000640 RDI: 0000000000000003\nRBP: 00007f5360dde610 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001\nR13: 00007fff29b3a628 R14: 0000000000000001 R15: 0000000000000001\n </TASK>\n\nAllocated by task 5235:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n unpoison_slab_object mm/kasan/common.c:312 [inline]\n __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:338\n kasan_slab_alloc include/linux/kasan.h:201 [inline]\n slab_post_alloc_hook mm/slub.c:3988 [inline]\n slab_alloc_node mm/slub.c:4037 [inline]\n kmem_cache_alloc_node_noprof+0x16b/0x320 mm/slub.c:4080\n __alloc_skb+0x1c3/0x440 net/core/skbuff.c:667\n alloc_skb include/linux/skbuff.h:1320 [inline]\n alloc_skb_with_frags+0xc3/0x770 net/core/skbuff.c:6528\n sock_alloc_send_pskb+0x91a/0xa60 net/core/sock.c:2815\n sock_alloc_send_skb include/net/sock.h:1778 [inline]\n queue_oob+0x108/0x680 net/unix/af_unix.c:2198\n unix_stream_sendmsg+0xd24/0xf80 net/unix/af_unix.c:2351\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x221/0x270 net/socket.c:745\n ____sys_sendmsg+0x525/0x7d0 net/socket.c:2597\n ___sys_sendmsg net/socket.c:2651 [inline]\n __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2680\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 5235:\n kasan_save_stack mm/kasan/common.c:47\n---truncated---", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:26:35.711Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/4a7f9a2591a923bdde4bd7eac33490b6ae3b257c", }, { url: "https://git.kernel.org/stable/c/5aa57d9f2d5311f19434d95b2a81610aa263e23b", }, ], title: "af_unix: Don't return OOB skb in manage_oob().", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47711", datePublished: "2024-10-21T11:53:44.102Z", dateReserved: "2024-09-30T16:00:12.948Z", dateUpdated: "2024-12-19T09:26:35.711Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49907
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:28
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Check null pointers before using dc->clk_mgr
[WHY & HOW]
dc->clk_mgr is null checked previously in the same function, indicating
it might be null.
Passing "dc" to "dc->hwss.apply_idle_power_optimizations", which
dereferences null "dc->clk_mgr". (The function pointer resolves to
"dcn35_apply_idle_power_optimizations".)
This fixes 1 FORWARD_NULL issue reported by Coverity.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49907", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:42:07.340526Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:46.691Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/core/dc.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "8d54001f8dccd56146973f23f3ab2ba037a21251", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "a545a9403e04c6e17fdc04a26a61d9feebbba106", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "a2773e0a4b79e7a6463abdffaf8cc4f24428ba18", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "9641bc4adf8446034e490ed543ae7e9833cfbdf5", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "3f7e533c10db3d0158709a99e2129ff63add6bcd", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "5ba3fbf75b243b2863a8be9e7c393e003d3b88f3", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "95d9e0803e51d5a24276b7643b244c7477daf463", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/core/dc.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check null pointers before using dc->clk_mgr\n\n[WHY & HOW]\ndc->clk_mgr is null checked previously in the same function, indicating\nit might be null.\n\nPassing \"dc\" to \"dc->hwss.apply_idle_power_optimizations\", which\ndereferences null \"dc->clk_mgr\". (The function pointer resolves to\n\"dcn35_apply_idle_power_optimizations\".)\n\nThis fixes 1 FORWARD_NULL issue reported by Coverity.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:28:47.975Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/8d54001f8dccd56146973f23f3ab2ba037a21251", }, { url: "https://git.kernel.org/stable/c/a545a9403e04c6e17fdc04a26a61d9feebbba106", }, { url: "https://git.kernel.org/stable/c/a2773e0a4b79e7a6463abdffaf8cc4f24428ba18", }, { url: "https://git.kernel.org/stable/c/9641bc4adf8446034e490ed543ae7e9833cfbdf5", }, { url: "https://git.kernel.org/stable/c/3f7e533c10db3d0158709a99e2129ff63add6bcd", }, { url: "https://git.kernel.org/stable/c/5ba3fbf75b243b2863a8be9e7c393e003d3b88f3", }, { url: "https://git.kernel.org/stable/c/95d9e0803e51d5a24276b7643b244c7477daf463", }, ], title: "drm/amd/display: Check null pointers before using dc->clk_mgr", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49907", datePublished: "2024-10-21T18:01:37.452Z", dateReserved: "2024-10-21T12:17:06.027Z", dateUpdated: "2024-12-19T09:28:47.975Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49978
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-19 09:30
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
gso: fix udp gso fraglist segmentation after pull from frag_list
Detect gso fraglist skbs with corrupted geometry (see below) and
pass these to skb_segment instead of skb_segment_list, as the first
can segment them correctly.
Valid SKB_GSO_FRAGLIST skbs
- consist of two or more segments
- the head_skb holds the protocol headers plus first gso_size
- one or more frag_list skbs hold exactly one segment
- all but the last must be gso_size
Optional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can
modify these skbs, breaking these invariants.
In extreme cases they pull all data into skb linear. For UDP, this
causes a NULL ptr deref in __udpv4_gso_segment_list_csum at
udp_hdr(seg->next)->dest.
Detect invalid geometry due to pull, by checking head_skb size.
Don't just drop, as this may blackhole a destination. Convert to be
able to pass to regular skb_segment.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 9fd1ff5d2ac7181844735806b0a703c942365291 Version: 9fd1ff5d2ac7181844735806b0a703c942365291 Version: 9fd1ff5d2ac7181844735806b0a703c942365291 Version: 9fd1ff5d2ac7181844735806b0a703c942365291 Version: 9fd1ff5d2ac7181844735806b0a703c942365291 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49978", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:32:53.403446Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:44.845Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/ipv4/udp_offload.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "080e6c9a3908de193a48f646c5ce1bfb15676ffc", status: "affected", version: "9fd1ff5d2ac7181844735806b0a703c942365291", versionType: "git", }, { lessThan: "af3122f5fdc0d00581d6e598a668df6bf54c9daa", status: "affected", version: "9fd1ff5d2ac7181844735806b0a703c942365291", versionType: "git", }, { lessThan: "33e28acf42ee863f332a958bfc2f1a284a3659df", status: "affected", version: "9fd1ff5d2ac7181844735806b0a703c942365291", versionType: "git", }, { lessThan: "3cd00d2e3655fad3bda96dc1ebf17b6495f86fea", status: "affected", version: "9fd1ff5d2ac7181844735806b0a703c942365291", versionType: "git", }, { lessThan: "a1e40ac5b5e9077fe1f7ae0eb88034db0f9ae1ab", status: "affected", version: "9fd1ff5d2ac7181844735806b0a703c942365291", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/ipv4/udp_offload.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.6", }, { lessThan: "5.6", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ngso: fix udp gso fraglist segmentation after pull from frag_list\n\nDetect gso fraglist skbs with corrupted geometry (see below) and\npass these to skb_segment instead of skb_segment_list, as the first\ncan segment them correctly.\n\nValid SKB_GSO_FRAGLIST skbs\n- consist of two or more segments\n- the head_skb holds the protocol headers plus first gso_size\n- one or more frag_list skbs hold exactly one segment\n- all but the last must be gso_size\n\nOptional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can\nmodify these skbs, breaking these invariants.\n\nIn extreme cases they pull all data into skb linear. For UDP, this\ncauses a NULL ptr deref in __udpv4_gso_segment_list_csum at\nudp_hdr(seg->next)->dest.\n\nDetect invalid geometry due to pull, by checking head_skb size.\nDon't just drop, as this may blackhole a destination. Convert to be\nable to pass to regular skb_segment.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:30:34.378Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/080e6c9a3908de193a48f646c5ce1bfb15676ffc", }, { url: "https://git.kernel.org/stable/c/af3122f5fdc0d00581d6e598a668df6bf54c9daa", }, { url: "https://git.kernel.org/stable/c/33e28acf42ee863f332a958bfc2f1a284a3659df", }, { url: "https://git.kernel.org/stable/c/3cd00d2e3655fad3bda96dc1ebf17b6495f86fea", }, { url: "https://git.kernel.org/stable/c/a1e40ac5b5e9077fe1f7ae0eb88034db0f9ae1ab", }, ], title: "gso: fix udp gso fraglist segmentation after pull from frag_list", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49978", datePublished: "2024-10-21T18:02:25.151Z", dateReserved: "2024-10-21T12:17:06.052Z", dateUpdated: "2024-12-19T09:30:34.378Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47756
Vulnerability from cvelistv5
Published
2024-10-21 12:14
Modified
2024-12-19 09:27
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
PCI: keystone: Fix if-statement expression in ks_pcie_quirk()
This code accidentally uses && where || was intended. It potentially
results in a NULL dereference.
Thus, fix the if-statement expression to use the correct condition.
[kwilczynski: commit log]
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: cfb006e185f64edbbdf7869eac352442bc76b8f6 Version: ebbdbbc580c1695dec283d0ba6448729dc993246 Version: 135843c351c08df72bdd4b4ebea53c8052a76881 Version: af218c803fe298ddf00abef331aa526b20d7ea61 Version: 576d0fb6f8d4bd4695e70eee173a1b9c7bae9572 Version: dd47051c76c8acd8cb983f01b4d1265da29cb66a Version: 86f271f22bbb6391410a07e08d6ca3757fda01fa Version: 86f271f22bbb6391410a07e08d6ca3757fda01fa |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47756", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T12:57:17.860429Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:12.308Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/pci/controller/dwc/pci-keystone.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "9c9afc3e75069fcfb067727973242cfbf00dd7eb", status: "affected", version: "cfb006e185f64edbbdf7869eac352442bc76b8f6", versionType: "git", }, { lessThan: "c289903b7a216df5ea6e1850ddf1b958eea9921d", status: "affected", version: "ebbdbbc580c1695dec283d0ba6448729dc993246", versionType: "git", }, { lessThan: "dc5aeba07395c8dfa29bb878c8ce4d5180427221", status: "affected", version: "135843c351c08df72bdd4b4ebea53c8052a76881", versionType: "git", }, { lessThan: "23838bef2adb714ec37b2d6141dccf4a3a70bdef", status: "affected", version: "af218c803fe298ddf00abef331aa526b20d7ea61", versionType: "git", }, { lessThan: "e85ab507882db165c10a858d7f685a0a38f0312e", status: "affected", version: "576d0fb6f8d4bd4695e70eee173a1b9c7bae9572", versionType: "git", }, { lessThan: "72210e52e19a27f615e0b5273d2bf012d0dc318d", status: "affected", version: "dd47051c76c8acd8cb983f01b4d1265da29cb66a", versionType: "git", }, { lessThan: "2171c5cb2fbc3e03af7e8116cd58736c09328655", status: "affected", version: "86f271f22bbb6391410a07e08d6ca3757fda01fa", versionType: "git", }, { lessThan: "6188a1c762eb9bbd444f47696eda77a5eae6207a", status: "affected", version: "86f271f22bbb6391410a07e08d6ca3757fda01fa", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/pci/controller/dwc/pci-keystone.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.11", }, { lessThan: "6.11", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: keystone: Fix if-statement expression in ks_pcie_quirk()\n\nThis code accidentally uses && where || was intended. It potentially\nresults in a NULL dereference.\n\nThus, fix the if-statement expression to use the correct condition.\n\n[kwilczynski: commit log]", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:27:29.310Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/9c9afc3e75069fcfb067727973242cfbf00dd7eb", }, { url: "https://git.kernel.org/stable/c/c289903b7a216df5ea6e1850ddf1b958eea9921d", }, { url: "https://git.kernel.org/stable/c/dc5aeba07395c8dfa29bb878c8ce4d5180427221", }, { url: "https://git.kernel.org/stable/c/23838bef2adb714ec37b2d6141dccf4a3a70bdef", }, { url: "https://git.kernel.org/stable/c/e85ab507882db165c10a858d7f685a0a38f0312e", }, { url: "https://git.kernel.org/stable/c/72210e52e19a27f615e0b5273d2bf012d0dc318d", }, { url: "https://git.kernel.org/stable/c/2171c5cb2fbc3e03af7e8116cd58736c09328655", }, { url: "https://git.kernel.org/stable/c/6188a1c762eb9bbd444f47696eda77a5eae6207a", }, ], title: "PCI: keystone: Fix if-statement expression in ks_pcie_quirk()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47756", datePublished: "2024-10-21T12:14:19.768Z", dateReserved: "2024-09-30T16:00:12.962Z", dateUpdated: "2024-12-19T09:27:29.310Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49965
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-19 09:30
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ocfs2: remove unreasonable unlock in ocfs2_read_blocks
Patch series "Misc fixes for ocfs2_read_blocks", v5.
This series contains 2 fixes for ocfs2_read_blocks(). The first patch fix
the issue reported by syzbot, which detects bad unlock balance in
ocfs2_read_blocks(). The second patch fixes an issue reported by Heming
Zhao when reviewing above fix.
This patch (of 2):
There was a lock release before exiting, so remove the unreasonable unlock.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 6c150df9c2e80b5cf86f5a0d98beb7390ad63bfc Version: cf76c78595ca87548ca5e45c862ac9e0949c4687 Version: cf76c78595ca87548ca5e45c862ac9e0949c4687 Version: cf76c78595ca87548ca5e45c862ac9e0949c4687 Version: cf76c78595ca87548ca5e45c862ac9e0949c4687 Version: cf76c78595ca87548ca5e45c862ac9e0949c4687 Version: cf76c78595ca87548ca5e45c862ac9e0949c4687 Version: cf76c78595ca87548ca5e45c862ac9e0949c4687 Version: cf76c78595ca87548ca5e45c862ac9e0949c4687 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49965", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:34:35.371630Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:47.085Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/ocfs2/buffer_head_io.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "5245f109b4afb6595360d4c180d483a6d2009a59", status: "affected", version: "6c150df9c2e80b5cf86f5a0d98beb7390ad63bfc", versionType: "git", }, { lessThan: "9753bcb17b36c9add9b32c61766ddf8d2d161911", status: "affected", version: "cf76c78595ca87548ca5e45c862ac9e0949c4687", versionType: "git", }, { lessThan: "3f1ca6ba5452d53c598a45d21267a2c0c221eef3", status: "affected", version: "cf76c78595ca87548ca5e45c862ac9e0949c4687", versionType: "git", }, { lessThan: "f55a33fe0fb5274ef185fd61947cf142138958af", status: "affected", version: "cf76c78595ca87548ca5e45c862ac9e0949c4687", versionType: "git", }, { lessThan: "81aba693b129e82e11bb54f569504d943d018de9", status: "affected", version: "cf76c78595ca87548ca5e45c862ac9e0949c4687", versionType: "git", }, { lessThan: "84543da867c967edffd5065fa910ebf56aaae49d", status: "affected", version: "cf76c78595ca87548ca5e45c862ac9e0949c4687", versionType: "git", }, { lessThan: "df4f20fc3673cee11abf2c571987a95733cb638d", status: "affected", version: "cf76c78595ca87548ca5e45c862ac9e0949c4687", versionType: "git", }, { lessThan: "39a88623af3f1c686bf6db1e677ed865ffe6fccc", status: "affected", version: "cf76c78595ca87548ca5e45c862ac9e0949c4687", versionType: "git", }, { lessThan: "c03a82b4a0c935774afa01fd6d128b444fd930a1", status: "affected", version: "cf76c78595ca87548ca5e45c862ac9e0949c4687", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/ocfs2/buffer_head_io.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "4.20", }, { lessThan: "4.20", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: remove unreasonable unlock in ocfs2_read_blocks\n\nPatch series \"Misc fixes for ocfs2_read_blocks\", v5.\n\nThis series contains 2 fixes for ocfs2_read_blocks(). The first patch fix\nthe issue reported by syzbot, which detects bad unlock balance in\nocfs2_read_blocks(). The second patch fixes an issue reported by Heming\nZhao when reviewing above fix.\n\n\nThis patch (of 2):\n\nThere was a lock release before exiting, so remove the unreasonable unlock.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:30:18.683Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/5245f109b4afb6595360d4c180d483a6d2009a59", }, { url: "https://git.kernel.org/stable/c/9753bcb17b36c9add9b32c61766ddf8d2d161911", }, { url: "https://git.kernel.org/stable/c/3f1ca6ba5452d53c598a45d21267a2c0c221eef3", }, { url: "https://git.kernel.org/stable/c/f55a33fe0fb5274ef185fd61947cf142138958af", }, { url: "https://git.kernel.org/stable/c/81aba693b129e82e11bb54f569504d943d018de9", }, { url: "https://git.kernel.org/stable/c/84543da867c967edffd5065fa910ebf56aaae49d", }, { url: "https://git.kernel.org/stable/c/df4f20fc3673cee11abf2c571987a95733cb638d", }, { url: "https://git.kernel.org/stable/c/39a88623af3f1c686bf6db1e677ed865ffe6fccc", }, { url: "https://git.kernel.org/stable/c/c03a82b4a0c935774afa01fd6d128b444fd930a1", }, ], title: "ocfs2: remove unreasonable unlock in ocfs2_read_blocks", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49965", datePublished: "2024-10-21T18:02:16.407Z", dateReserved: "2024-10-21T12:17:06.050Z", dateUpdated: "2024-12-19T09:30:18.683Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49997
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-19 09:30
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: ethernet: lantiq_etop: fix memory disclosure
When applying padding, the buffer is not zeroed, which results in memory
disclosure. The mentioned data is observed on the wire. This patch uses
skb_put_padto() to pad Ethernet frames properly. The mentioned function
zeroes the expanded buffer.
In case the packet cannot be padded it is silently dropped. Statistics
are also not incremented. This driver does not support statistics in the
old 32-bit format or the new 64-bit format. These will be added in the
future. In its current form, the patch should be easily backported to
stable versions.
Ethernet MACs on Amazon-SE and Danube cannot do padding of the packets
in hardware, so software padding must be applied.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 504d4721ee8e432af4b5f196a08af38bc4dac5fe Version: 504d4721ee8e432af4b5f196a08af38bc4dac5fe Version: 504d4721ee8e432af4b5f196a08af38bc4dac5fe Version: 504d4721ee8e432af4b5f196a08af38bc4dac5fe Version: 504d4721ee8e432af4b5f196a08af38bc4dac5fe Version: 504d4721ee8e432af4b5f196a08af38bc4dac5fe Version: 504d4721ee8e432af4b5f196a08af38bc4dac5fe Version: 504d4721ee8e432af4b5f196a08af38bc4dac5fe Version: 504d4721ee8e432af4b5f196a08af38bc4dac5fe |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49997", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:30:28.688552Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:41.677Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/ethernet/lantiq_etop.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "905f06a34f960676e7dc77bea00f2f8fe18177ad", status: "affected", version: "504d4721ee8e432af4b5f196a08af38bc4dac5fe", versionType: "git", }, { lessThan: "60c068444c20bf9a3e22b65b5f6f3d9edc852931", status: "affected", version: "504d4721ee8e432af4b5f196a08af38bc4dac5fe", versionType: "git", }, { lessThan: "185df159843d30fb71f821e7ea4368c2a3bfcd36", status: "affected", version: "504d4721ee8e432af4b5f196a08af38bc4dac5fe", versionType: "git", }, { lessThan: "469856f76f4802c5d7e3d20e343185188de1e2db", status: "affected", version: "504d4721ee8e432af4b5f196a08af38bc4dac5fe", versionType: "git", }, { lessThan: "2bf4c101d7c99483b8b15a0c8f881e3f399f7e18", status: "affected", version: "504d4721ee8e432af4b5f196a08af38bc4dac5fe", versionType: "git", }, { lessThan: "e66e38d07b31e177ca430758ed97fbc79f27d966", status: "affected", version: "504d4721ee8e432af4b5f196a08af38bc4dac5fe", versionType: "git", }, { lessThan: "1097bf16501ed5e35358d848b0a94ad2830b0f65", status: "affected", version: "504d4721ee8e432af4b5f196a08af38bc4dac5fe", versionType: "git", }, { lessThan: "431b122933b197820d319eb3987a67d04346ce9e", status: "affected", version: "504d4721ee8e432af4b5f196a08af38bc4dac5fe", versionType: "git", }, { lessThan: "45c0de18ff2dc9af01236380404bbd6a46502c69", status: "affected", version: "504d4721ee8e432af4b5f196a08af38bc4dac5fe", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/ethernet/lantiq_etop.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "3.0", }, { lessThan: "3.0", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: lantiq_etop: fix memory disclosure\n\nWhen applying padding, the buffer is not zeroed, which results in memory\ndisclosure. The mentioned data is observed on the wire. This patch uses\nskb_put_padto() to pad Ethernet frames properly. The mentioned function\nzeroes the expanded buffer.\n\nIn case the packet cannot be padded it is silently dropped. Statistics\nare also not incremented. This driver does not support statistics in the\nold 32-bit format or the new 64-bit format. These will be added in the\nfuture. In its current form, the patch should be easily backported to\nstable versions.\n\nEthernet MACs on Amazon-SE and Danube cannot do padding of the packets\nin hardware, so software padding must be applied.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:30:57.521Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/905f06a34f960676e7dc77bea00f2f8fe18177ad", }, { url: "https://git.kernel.org/stable/c/60c068444c20bf9a3e22b65b5f6f3d9edc852931", }, { url: "https://git.kernel.org/stable/c/185df159843d30fb71f821e7ea4368c2a3bfcd36", }, { url: "https://git.kernel.org/stable/c/469856f76f4802c5d7e3d20e343185188de1e2db", }, { url: "https://git.kernel.org/stable/c/2bf4c101d7c99483b8b15a0c8f881e3f399f7e18", }, { url: "https://git.kernel.org/stable/c/e66e38d07b31e177ca430758ed97fbc79f27d966", }, { url: "https://git.kernel.org/stable/c/1097bf16501ed5e35358d848b0a94ad2830b0f65", }, { url: "https://git.kernel.org/stable/c/431b122933b197820d319eb3987a67d04346ce9e", }, { url: "https://git.kernel.org/stable/c/45c0de18ff2dc9af01236380404bbd6a46502c69", }, ], title: "net: ethernet: lantiq_etop: fix memory disclosure", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49997", datePublished: "2024-10-21T18:02:37.681Z", dateReserved: "2024-10-21T12:17:06.056Z", dateUpdated: "2024-12-19T09:30:57.521Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49890
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:28
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/pm: ensure the fw_info is not null before using it
This resolves the dereference null return value warning
reported by Coverity.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49890", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:44:27.910484Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:49.185Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/pm/powerplay/hwmgr/processpptables.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "29f388945770bd0a6c82711436b2bc98b0dfac92", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "9550d8d6f19fac7623f044ae8d9503825b325497", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "fd5f4ac1a986f0e7e9fa019201b5890554f87bcf", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "b511474f49588cdca355ebfce54e7eddbf7b75a5", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "8adf4408d482faa51b2c14e60bfd9946ec1911a4", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "016bf0294b401246471c6710c6bf9251616228b6", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "186fb12e7a7b038c2710ceb2fb74068f1b5d55a4", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/pm/powerplay/hwmgr/processpptables.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: ensure the fw_info is not null before using it\n\nThis resolves the dereference null return value warning\nreported by Coverity.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:28:27.460Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/29f388945770bd0a6c82711436b2bc98b0dfac92", }, { url: "https://git.kernel.org/stable/c/9550d8d6f19fac7623f044ae8d9503825b325497", }, { url: "https://git.kernel.org/stable/c/fd5f4ac1a986f0e7e9fa019201b5890554f87bcf", }, { url: "https://git.kernel.org/stable/c/b511474f49588cdca355ebfce54e7eddbf7b75a5", }, { url: "https://git.kernel.org/stable/c/8adf4408d482faa51b2c14e60bfd9946ec1911a4", }, { url: "https://git.kernel.org/stable/c/016bf0294b401246471c6710c6bf9251616228b6", }, { url: "https://git.kernel.org/stable/c/186fb12e7a7b038c2710ceb2fb74068f1b5d55a4", }, ], title: "drm/amd/pm: ensure the fw_info is not null before using it", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49890", datePublished: "2024-10-21T18:01:25.634Z", dateReserved: "2024-10-21T12:17:06.025Z", dateUpdated: "2024-12-19T09:28:27.460Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47700
Vulnerability from cvelistv5
Published
2024-10-21 11:53
Modified
2024-12-19 09:26
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: check stripe size compatibility on remount as well
We disable stripe size in __ext4_fill_super if it is not a multiple of
the cluster ratio however this check is missed when trying to remount.
This can leave us with cases where stripe < cluster_ratio after
remount:set making EXT4_B2C(sbi->s_stripe) become 0 that can cause some
unforeseen bugs like divide by 0.
Fix that by adding the check in remount path as well.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47700", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:04:40.991783Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:14:13.688Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/ext4/super.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "faeff8b1ee2eaa5969c8e994d66c3337298cefed", status: "affected", version: "c3defd99d58cbdd132bd197714e5523dac976b66", versionType: "git", }, { lessThan: "297615e992bbb30a55c158141086be6505d5d722", status: "affected", version: "c3defd99d58cbdd132bd197714e5523dac976b66", versionType: "git", }, { lessThan: "a31b712f75445d52fc0451dc54fd7b16a552cb7c", status: "affected", version: "c3defd99d58cbdd132bd197714e5523dac976b66", versionType: "git", }, { lessThan: "ee85e0938aa8f9846d21e4d302c3cf6a2a75110d", status: "affected", version: "c3defd99d58cbdd132bd197714e5523dac976b66", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/ext4/super.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.5", }, { lessThan: "6.5", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\next4: check stripe size compatibility on remount as well\n\nWe disable stripe size in __ext4_fill_super if it is not a multiple of\nthe cluster ratio however this check is missed when trying to remount.\nThis can leave us with cases where stripe < cluster_ratio after\nremount:set making EXT4_B2C(sbi->s_stripe) become 0 that can cause some\nunforeseen bugs like divide by 0.\n\nFix that by adding the check in remount path as well.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:26:21.827Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/faeff8b1ee2eaa5969c8e994d66c3337298cefed", }, { url: "https://git.kernel.org/stable/c/297615e992bbb30a55c158141086be6505d5d722", }, { url: "https://git.kernel.org/stable/c/a31b712f75445d52fc0451dc54fd7b16a552cb7c", }, { url: "https://git.kernel.org/stable/c/ee85e0938aa8f9846d21e4d302c3cf6a2a75110d", }, ], title: "ext4: check stripe size compatibility on remount as well", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47700", datePublished: "2024-10-21T11:53:36.611Z", dateReserved: "2024-09-30T16:00:12.945Z", dateUpdated: "2024-12-19T09:26:21.827Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47713
Vulnerability from cvelistv5
Published
2024-10-21 11:53
Modified
2024-12-19 09:26
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: use two-phase skb reclamation in ieee80211_do_stop()
Since '__dev_queue_xmit()' should be called with interrupts enabled,
the following backtrace:
ieee80211_do_stop()
...
spin_lock_irqsave(&local->queue_stop_reason_lock, flags)
...
ieee80211_free_txskb()
ieee80211_report_used_skb()
ieee80211_report_ack_skb()
cfg80211_mgmt_tx_status_ext()
nl80211_frame_tx_status()
genlmsg_multicast_netns()
genlmsg_multicast_netns_filtered()
nlmsg_multicast_filtered()
netlink_broadcast_filtered()
do_one_broadcast()
netlink_broadcast_deliver()
__netlink_sendskb()
netlink_deliver_tap()
__netlink_deliver_tap_skb()
dev_queue_xmit()
__dev_queue_xmit() ; with IRQS disabled
...
spin_unlock_irqrestore(&local->queue_stop_reason_lock, flags)
issues the warning (as reported by syzbot reproducer):
WARNING: CPU: 2 PID: 5128 at kernel/softirq.c:362 __local_bh_enable_ip+0xc3/0x120
Fix this by implementing a two-phase skb reclamation in
'ieee80211_do_stop()', where actual work is performed
outside of a section with interrupts disabled.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 5061b0c2b9066de426fbc63f1278d2210e789412 Version: 5061b0c2b9066de426fbc63f1278d2210e789412 Version: 5061b0c2b9066de426fbc63f1278d2210e789412 Version: 5061b0c2b9066de426fbc63f1278d2210e789412 Version: 5061b0c2b9066de426fbc63f1278d2210e789412 Version: 5061b0c2b9066de426fbc63f1278d2210e789412 Version: 5061b0c2b9066de426fbc63f1278d2210e789412 Version: 5061b0c2b9066de426fbc63f1278d2210e789412 Version: 5061b0c2b9066de426fbc63f1278d2210e789412 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47713", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:02:59.793791Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:18.686Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/mac80211/iface.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "07eb0bd7b0a8abed9d45e0f567c9af1dc83e5268", status: "affected", version: "5061b0c2b9066de426fbc63f1278d2210e789412", versionType: "git", }, { lessThan: "04f75f5bae33349283d6886901d9acd2f110c024", status: "affected", version: "5061b0c2b9066de426fbc63f1278d2210e789412", versionType: "git", }, { lessThan: "f232916fab67ca1c3425926df4a866e59ff26908", status: "affected", version: "5061b0c2b9066de426fbc63f1278d2210e789412", versionType: "git", }, { lessThan: "acb53a716e492a02479345157c43f21edc8bc64b", status: "affected", version: "5061b0c2b9066de426fbc63f1278d2210e789412", versionType: "git", }, { lessThan: "db5ca4b42ccfa42d2af7b335ff12578e57775c02", status: "affected", version: "5061b0c2b9066de426fbc63f1278d2210e789412", versionType: "git", }, { lessThan: "058c9026ad79dc98572442fd4c7e9a36aba6f596", status: "affected", version: "5061b0c2b9066de426fbc63f1278d2210e789412", versionType: "git", }, { lessThan: "eab272972cffff9cd973b8e4055a8e81c64f7e6a", status: "affected", version: "5061b0c2b9066de426fbc63f1278d2210e789412", versionType: "git", }, { lessThan: "ad4b7068b101fbbb4a9ca4b99b25eb051a9482ec", status: "affected", version: "5061b0c2b9066de426fbc63f1278d2210e789412", versionType: "git", }, { lessThan: "9d301de12da6e1bb069a9835c38359b8e8135121", status: "affected", version: "5061b0c2b9066de426fbc63f1278d2210e789412", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/mac80211/iface.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "2.6.32", }, { lessThan: "2.6.32", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: use two-phase skb reclamation in ieee80211_do_stop()\n\nSince '__dev_queue_xmit()' should be called with interrupts enabled,\nthe following backtrace:\n\nieee80211_do_stop()\n ...\n spin_lock_irqsave(&local->queue_stop_reason_lock, flags)\n ...\n ieee80211_free_txskb()\n ieee80211_report_used_skb()\n ieee80211_report_ack_skb()\n cfg80211_mgmt_tx_status_ext()\n nl80211_frame_tx_status()\n genlmsg_multicast_netns()\n genlmsg_multicast_netns_filtered()\n nlmsg_multicast_filtered()\n\t netlink_broadcast_filtered()\n\t do_one_broadcast()\n\t netlink_broadcast_deliver()\n\t __netlink_sendskb()\n\t netlink_deliver_tap()\n\t __netlink_deliver_tap_skb()\n\t dev_queue_xmit()\n\t __dev_queue_xmit() ; with IRQS disabled\n ...\n spin_unlock_irqrestore(&local->queue_stop_reason_lock, flags)\n\nissues the warning (as reported by syzbot reproducer):\n\nWARNING: CPU: 2 PID: 5128 at kernel/softirq.c:362 __local_bh_enable_ip+0xc3/0x120\n\nFix this by implementing a two-phase skb reclamation in\n'ieee80211_do_stop()', where actual work is performed\noutside of a section with interrupts disabled.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:26:38.158Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/07eb0bd7b0a8abed9d45e0f567c9af1dc83e5268", }, { url: "https://git.kernel.org/stable/c/04f75f5bae33349283d6886901d9acd2f110c024", }, { url: "https://git.kernel.org/stable/c/f232916fab67ca1c3425926df4a866e59ff26908", }, { url: "https://git.kernel.org/stable/c/acb53a716e492a02479345157c43f21edc8bc64b", }, { url: "https://git.kernel.org/stable/c/db5ca4b42ccfa42d2af7b335ff12578e57775c02", }, { url: "https://git.kernel.org/stable/c/058c9026ad79dc98572442fd4c7e9a36aba6f596", }, { url: "https://git.kernel.org/stable/c/eab272972cffff9cd973b8e4055a8e81c64f7e6a", }, { url: "https://git.kernel.org/stable/c/ad4b7068b101fbbb4a9ca4b99b25eb051a9482ec", }, { url: "https://git.kernel.org/stable/c/9d301de12da6e1bb069a9835c38359b8e8135121", }, ], title: "wifi: mac80211: use two-phase skb reclamation in ieee80211_do_stop()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47713", datePublished: "2024-10-21T11:53:45.433Z", dateReserved: "2024-09-30T16:00:12.948Z", dateUpdated: "2024-12-19T09:26:38.158Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50059
Vulnerability from cvelistv5
Published
2024-10-21 19:39
Modified
2024-12-19 09:32
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ntb: ntb_hw_switchtec: Fix use after free vulnerability in switchtec_ntb_remove due to race condition
In the switchtec_ntb_add function, it can call switchtec_ntb_init_sndev
function, then &sndev->check_link_status_work is bound with
check_link_status_work. switchtec_ntb_link_notification may be called
to start the work.
If we remove the module which will call switchtec_ntb_remove to make
cleanup, it will free sndev through kfree(sndev), while the work
mentioned above will be used. The sequence of operations that may lead
to a UAF bug is as follows:
CPU0 CPU1
| check_link_status_work
switchtec_ntb_remove |
kfree(sndev); |
| if (sndev->link_force_down)
| // use sndev
Fix it by ensuring that the work is canceled before proceeding with
the cleanup in switchtec_ntb_remove.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50059", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:23:07.094134Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:42.461Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/ntb/hw/mscc/ntb_hw_switchtec.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "5126d8f5567f49b52e21fca320eaa97977055099", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "b650189687822b705711f0567a65a164a314d8df", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "92728fceefdaa2a0a3aae675f86193b006eeaa43", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "3ae45be8492460a35b5aebf6acac1f1d32708946", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "fa840ba4bd9f3bad7f104e5b32028ee73af8b3dd", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "177925d9c8715a897bb79eca62628862213ba956", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "e51aded92d42784313ba16c12f4f88cc4f973bbb", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/ntb/hw/mscc/ntb_hw_switchtec.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.57", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.4", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nntb: ntb_hw_switchtec: Fix use after free vulnerability in switchtec_ntb_remove due to race condition\n\nIn the switchtec_ntb_add function, it can call switchtec_ntb_init_sndev\nfunction, then &sndev->check_link_status_work is bound with\ncheck_link_status_work. switchtec_ntb_link_notification may be called\nto start the work.\n\nIf we remove the module which will call switchtec_ntb_remove to make\ncleanup, it will free sndev through kfree(sndev), while the work\nmentioned above will be used. The sequence of operations that may lead\nto a UAF bug is as follows:\n\nCPU0 CPU1\n\n | check_link_status_work\nswitchtec_ntb_remove |\nkfree(sndev); |\n | if (sndev->link_force_down)\n | // use sndev\n\nFix it by ensuring that the work is canceled before proceeding with\nthe cleanup in switchtec_ntb_remove.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:32:12.192Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/5126d8f5567f49b52e21fca320eaa97977055099", }, { url: "https://git.kernel.org/stable/c/b650189687822b705711f0567a65a164a314d8df", }, { url: "https://git.kernel.org/stable/c/92728fceefdaa2a0a3aae675f86193b006eeaa43", }, { url: "https://git.kernel.org/stable/c/3ae45be8492460a35b5aebf6acac1f1d32708946", }, { url: "https://git.kernel.org/stable/c/fa840ba4bd9f3bad7f104e5b32028ee73af8b3dd", }, { url: "https://git.kernel.org/stable/c/177925d9c8715a897bb79eca62628862213ba956", }, { url: "https://git.kernel.org/stable/c/e51aded92d42784313ba16c12f4f88cc4f973bbb", }, ], title: "ntb: ntb_hw_switchtec: Fix use after free vulnerability in switchtec_ntb_remove due to race condition", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50059", datePublished: "2024-10-21T19:39:49.079Z", dateReserved: "2024-10-21T19:36:19.939Z", dateUpdated: "2024-12-19T09:32:12.192Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50006
Vulnerability from cvelistv5
Published
2024-10-21 18:53
Modified
2024-12-19 09:31
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix i_data_sem unlock order in ext4_ind_migrate()
Fuzzing reports a possible deadlock in jbd2_log_wait_commit.
This issue is triggered when an EXT4_IOC_MIGRATE ioctl is set to require
synchronous updates because the file descriptor is opened with O_SYNC.
This can lead to the jbd2_journal_stop() function calling
jbd2_might_wait_for_commit(), potentially causing a deadlock if the
EXT4_IOC_MIGRATE call races with a write(2) system call.
This problem only arises when CONFIG_PROVE_LOCKING is enabled. In this
case, the jbd2_might_wait_for_commit macro locks jbd2_handle in the
jbd2_journal_stop function while i_data_sem is locked. This triggers
lockdep because the jbd2_journal_start function might also lock the same
jbd2_handle simultaneously.
Found by Linux Verification Center (linuxtesting.org) with syzkaller.
Rule: add
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50006", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:29:18.943550Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:40.371Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/ext4/migrate.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "4192adefc9c570698821c5eb9873320eac2fcbf1", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "3c46d6060d3e38de22196c1fe7706c5a3c696285", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "53b1999cfd2c7addf2e581a32865fe8835467b44", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "ef05572da0c0eb89614ed01cc17d3c882bdbd1ff", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "9fedf51ab8cf7b69bff08f37fe0989fec7f5d870", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "d43776b907659affef1de888525847d64b244194", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "6252cb6bde7fc76cb8dcb49d1def7c326b190820", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "d58a00e981d3118b91d503da263e640b7cde6729", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "cc749e61c011c255d81b192a822db650c68b313f", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/ext4/migrate.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix i_data_sem unlock order in ext4_ind_migrate()\n\nFuzzing reports a possible deadlock in jbd2_log_wait_commit.\n\nThis issue is triggered when an EXT4_IOC_MIGRATE ioctl is set to require\nsynchronous updates because the file descriptor is opened with O_SYNC.\nThis can lead to the jbd2_journal_stop() function calling\njbd2_might_wait_for_commit(), potentially causing a deadlock if the\nEXT4_IOC_MIGRATE call races with a write(2) system call.\n\nThis problem only arises when CONFIG_PROVE_LOCKING is enabled. In this\ncase, the jbd2_might_wait_for_commit macro locks jbd2_handle in the\njbd2_journal_stop function while i_data_sem is locked. This triggers\nlockdep because the jbd2_journal_start function might also lock the same\njbd2_handle simultaneously.\n\nFound by Linux Verification Center (linuxtesting.org) with syzkaller.\n\nRule: add", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:31:08.798Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/4192adefc9c570698821c5eb9873320eac2fcbf1", }, { url: "https://git.kernel.org/stable/c/3c46d6060d3e38de22196c1fe7706c5a3c696285", }, { url: "https://git.kernel.org/stable/c/53b1999cfd2c7addf2e581a32865fe8835467b44", }, { url: "https://git.kernel.org/stable/c/ef05572da0c0eb89614ed01cc17d3c882bdbd1ff", }, { url: "https://git.kernel.org/stable/c/9fedf51ab8cf7b69bff08f37fe0989fec7f5d870", }, { url: "https://git.kernel.org/stable/c/d43776b907659affef1de888525847d64b244194", }, { url: "https://git.kernel.org/stable/c/6252cb6bde7fc76cb8dcb49d1def7c326b190820", }, { url: "https://git.kernel.org/stable/c/d58a00e981d3118b91d503da263e640b7cde6729", }, { url: "https://git.kernel.org/stable/c/cc749e61c011c255d81b192a822db650c68b313f", }, ], title: "ext4: fix i_data_sem unlock order in ext4_ind_migrate()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50006", datePublished: "2024-10-21T18:53:59.938Z", dateReserved: "2024-10-21T12:17:06.060Z", dateUpdated: "2024-12-19T09:31:08.798Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-49007
Vulnerability from cvelistv5
Published
2024-10-21 20:06
Modified
2024-12-19 08:12
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nilfs2: fix NULL pointer dereference in nilfs_palloc_commit_free_entry()
Syzbot reported a null-ptr-deref bug:
NILFS (loop0): segctord starting. Construction interval = 5 seconds, CP
frequency < 30 seconds
general protection fault, probably for non-canonical address
0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
CPU: 1 PID: 3603 Comm: segctord Not tainted
6.1.0-rc2-syzkaller-00105-gb229b6ca5abb #0
Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google
10/11/2022
RIP: 0010:nilfs_palloc_commit_free_entry+0xe5/0x6b0
fs/nilfs2/alloc.c:608
Code: 00 00 00 00 fc ff df 80 3c 02 00 0f 85 cd 05 00 00 48 b8 00 00 00
00 00 fc ff df 4c 8b 73 08 49 8d 7e 10 48 89 fa 48 c1 ea 03 <80> 3c 02
00 0f 85 26 05 00 00 49 8b 46 10 be a6 00 00 00 48 c7 c7
RSP: 0018:ffffc90003dff830 EFLAGS: 00010212
RAX: dffffc0000000000 RBX: ffff88802594e218 RCX: 000000000000000d
RDX: 0000000000000002 RSI: 0000000000002000 RDI: 0000000000000010
RBP: ffff888071880222 R08: 0000000000000005 R09: 000000000000003f
R10: 000000000000000d R11: 0000000000000000 R12: ffff888071880158
R13: ffff88802594e220 R14: 0000000000000000 R15: 0000000000000004
FS: 0000000000000000(0000) GS:ffff8880b9b00000(0000)
knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb1c08316a8 CR3: 0000000018560000 CR4: 0000000000350ee0
Call Trace:
<TASK>
nilfs_dat_commit_free fs/nilfs2/dat.c:114 [inline]
nilfs_dat_commit_end+0x464/0x5f0 fs/nilfs2/dat.c:193
nilfs_dat_commit_update+0x26/0x40 fs/nilfs2/dat.c:236
nilfs_btree_commit_update_v+0x87/0x4a0 fs/nilfs2/btree.c:1940
nilfs_btree_commit_propagate_v fs/nilfs2/btree.c:2016 [inline]
nilfs_btree_propagate_v fs/nilfs2/btree.c:2046 [inline]
nilfs_btree_propagate+0xa00/0xd60 fs/nilfs2/btree.c:2088
nilfs_bmap_propagate+0x73/0x170 fs/nilfs2/bmap.c:337
nilfs_collect_file_data+0x45/0xd0 fs/nilfs2/segment.c:568
nilfs_segctor_apply_buffers+0x14a/0x470 fs/nilfs2/segment.c:1018
nilfs_segctor_scan_file+0x3f4/0x6f0 fs/nilfs2/segment.c:1067
nilfs_segctor_collect_blocks fs/nilfs2/segment.c:1197 [inline]
nilfs_segctor_collect fs/nilfs2/segment.c:1503 [inline]
nilfs_segctor_do_construct+0x12fc/0x6af0 fs/nilfs2/segment.c:2045
nilfs_segctor_construct+0x8e3/0xb30 fs/nilfs2/segment.c:2379
nilfs_segctor_thread_construct fs/nilfs2/segment.c:2487 [inline]
nilfs_segctor_thread+0x3c3/0xf30 fs/nilfs2/segment.c:2570
kthread+0x2e4/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
</TASK>
...
If DAT metadata file is corrupted on disk, there is a case where
req->pr_desc_bh is NULL and blocknr is 0 at nilfs_dat_commit_end() during
a b-tree operation that cascadingly updates ancestor nodes of the b-tree,
because nilfs_dat_commit_alloc() for a lower level block can initialize
the blocknr on the same DAT entry between nilfs_dat_prepare_end() and
nilfs_dat_commit_end().
If this happens, nilfs_dat_commit_end() calls nilfs_dat_commit_free()
without valid buffer heads in req->pr_desc_bh and req->pr_bitmap_bh, and
causes the NULL pointer dereference above in
nilfs_palloc_commit_free_entry() function, which leads to a crash.
Fix this by adding a NULL check on req->pr_desc_bh and req->pr_bitmap_bh
before nilfs_palloc_commit_free_entry() in nilfs_dat_commit_free().
This also calls nilfs_error() in that case to notify that there is a fatal
flaw in the filesystem metadata and prevent further operations.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-49007", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:14:21.732997Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:39.586Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/nilfs2/dat.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "2f2c59506ae39496588ceb8b88bdbdbaed895d63", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "165c7a3b27a3857ebf57f626b9f38b48b6792e68", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "bc3fd3293887b4cf84a9109700faeb82de533c89", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "9a130b72e6bd1fb07fc3cde839dc6fb53da76f07", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "e858917ab785afe83c14f5ac141301216ccda847", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "33021419fd81efd3d729a7f19341ba4b98fe66ce", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "381b84f60e549ea98cec4666c6c728b1b3318756", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "f0a0ccda18d6fd826d7c7e7ad48a6ed61c20f8b4", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/nilfs2/dat.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "4.9.*", status: "unaffected", version: "4.9.335", versionType: "semver", }, { lessThanOrEqual: "4.14.*", status: "unaffected", version: "4.14.301", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.268", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.226", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.158", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.82", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.12", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix NULL pointer dereference in nilfs_palloc_commit_free_entry()\n\nSyzbot reported a null-ptr-deref bug:\n\n NILFS (loop0): segctord starting. Construction interval = 5 seconds, CP\n frequency < 30 seconds\n general protection fault, probably for non-canonical address\n 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN\n KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\n CPU: 1 PID: 3603 Comm: segctord Not tainted\n 6.1.0-rc2-syzkaller-00105-gb229b6ca5abb #0\n Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google\n 10/11/2022\n RIP: 0010:nilfs_palloc_commit_free_entry+0xe5/0x6b0\n fs/nilfs2/alloc.c:608\n Code: 00 00 00 00 fc ff df 80 3c 02 00 0f 85 cd 05 00 00 48 b8 00 00 00\n 00 00 fc ff df 4c 8b 73 08 49 8d 7e 10 48 89 fa 48 c1 ea 03 <80> 3c 02\n 00 0f 85 26 05 00 00 49 8b 46 10 be a6 00 00 00 48 c7 c7\n RSP: 0018:ffffc90003dff830 EFLAGS: 00010212\n RAX: dffffc0000000000 RBX: ffff88802594e218 RCX: 000000000000000d\n RDX: 0000000000000002 RSI: 0000000000002000 RDI: 0000000000000010\n RBP: ffff888071880222 R08: 0000000000000005 R09: 000000000000003f\n R10: 000000000000000d R11: 0000000000000000 R12: ffff888071880158\n R13: ffff88802594e220 R14: 0000000000000000 R15: 0000000000000004\n FS: 0000000000000000(0000) GS:ffff8880b9b00000(0000)\n knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007fb1c08316a8 CR3: 0000000018560000 CR4: 0000000000350ee0\n Call Trace:\n <TASK>\n nilfs_dat_commit_free fs/nilfs2/dat.c:114 [inline]\n nilfs_dat_commit_end+0x464/0x5f0 fs/nilfs2/dat.c:193\n nilfs_dat_commit_update+0x26/0x40 fs/nilfs2/dat.c:236\n nilfs_btree_commit_update_v+0x87/0x4a0 fs/nilfs2/btree.c:1940\n nilfs_btree_commit_propagate_v fs/nilfs2/btree.c:2016 [inline]\n nilfs_btree_propagate_v fs/nilfs2/btree.c:2046 [inline]\n nilfs_btree_propagate+0xa00/0xd60 fs/nilfs2/btree.c:2088\n nilfs_bmap_propagate+0x73/0x170 fs/nilfs2/bmap.c:337\n nilfs_collect_file_data+0x45/0xd0 fs/nilfs2/segment.c:568\n nilfs_segctor_apply_buffers+0x14a/0x470 fs/nilfs2/segment.c:1018\n nilfs_segctor_scan_file+0x3f4/0x6f0 fs/nilfs2/segment.c:1067\n nilfs_segctor_collect_blocks fs/nilfs2/segment.c:1197 [inline]\n nilfs_segctor_collect fs/nilfs2/segment.c:1503 [inline]\n nilfs_segctor_do_construct+0x12fc/0x6af0 fs/nilfs2/segment.c:2045\n nilfs_segctor_construct+0x8e3/0xb30 fs/nilfs2/segment.c:2379\n nilfs_segctor_thread_construct fs/nilfs2/segment.c:2487 [inline]\n nilfs_segctor_thread+0x3c3/0xf30 fs/nilfs2/segment.c:2570\n kthread+0x2e4/0x3a0 kernel/kthread.c:376\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306\n </TASK>\n ...\n\nIf DAT metadata file is corrupted on disk, there is a case where\nreq->pr_desc_bh is NULL and blocknr is 0 at nilfs_dat_commit_end() during\na b-tree operation that cascadingly updates ancestor nodes of the b-tree,\nbecause nilfs_dat_commit_alloc() for a lower level block can initialize\nthe blocknr on the same DAT entry between nilfs_dat_prepare_end() and\nnilfs_dat_commit_end().\n\nIf this happens, nilfs_dat_commit_end() calls nilfs_dat_commit_free()\nwithout valid buffer heads in req->pr_desc_bh and req->pr_bitmap_bh, and\ncauses the NULL pointer dereference above in\nnilfs_palloc_commit_free_entry() function, which leads to a crash.\n\nFix this by adding a NULL check on req->pr_desc_bh and req->pr_bitmap_bh\nbefore nilfs_palloc_commit_free_entry() in nilfs_dat_commit_free().\n\nThis also calls nilfs_error() in that case to notify that there is a fatal\nflaw in the filesystem metadata and prevent further operations.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:12:19.820Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/2f2c59506ae39496588ceb8b88bdbdbaed895d63", }, { url: "https://git.kernel.org/stable/c/165c7a3b27a3857ebf57f626b9f38b48b6792e68", }, { url: "https://git.kernel.org/stable/c/bc3fd3293887b4cf84a9109700faeb82de533c89", }, { url: "https://git.kernel.org/stable/c/9a130b72e6bd1fb07fc3cde839dc6fb53da76f07", }, { url: "https://git.kernel.org/stable/c/e858917ab785afe83c14f5ac141301216ccda847", }, { url: "https://git.kernel.org/stable/c/33021419fd81efd3d729a7f19341ba4b98fe66ce", }, { url: "https://git.kernel.org/stable/c/381b84f60e549ea98cec4666c6c728b1b3318756", }, { url: "https://git.kernel.org/stable/c/f0a0ccda18d6fd826d7c7e7ad48a6ed61c20f8b4", }, ], title: "nilfs2: fix NULL pointer dereference in nilfs_palloc_commit_free_entry()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-49007", datePublished: "2024-10-21T20:06:19.506Z", dateReserved: "2024-08-22T01:27:53.643Z", dateUpdated: "2024-12-19T08:12:19.820Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47717
Vulnerability from cvelistv5
Published
2024-10-21 11:53
Modified
2024-12-19 09:26
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RISC-V: KVM: Don't zero-out PMU snapshot area before freeing data
With the latest Linux-6.11-rc3, the below NULL pointer crash is observed
when SBI PMU snapshot is enabled for the guest and the guest is forcefully
powered-off.
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000508
Oops [#1]
Modules linked in: kvm
CPU: 0 UID: 0 PID: 61 Comm: term-poll Not tainted 6.11.0-rc3-00018-g44d7178dd77a #3
Hardware name: riscv-virtio,qemu (DT)
epc : __kvm_write_guest_page+0x94/0xa6 [kvm]
ra : __kvm_write_guest_page+0x54/0xa6 [kvm]
epc : ffffffff01590e98 ra : ffffffff01590e58 sp : ffff8f80001f39b0
gp : ffffffff81512a60 tp : ffffaf80024872c0 t0 : ffffaf800247e000
t1 : 00000000000007e0 t2 : 0000000000000000 s0 : ffff8f80001f39f0
s1 : 00007fff89ac4000 a0 : ffffffff015dd7e8 a1 : 0000000000000086
a2 : 0000000000000000 a3 : ffffaf8000000000 a4 : ffffaf80024882c0
a5 : 0000000000000000 a6 : ffffaf800328d780 a7 : 00000000000001cc
s2 : ffffaf800197bd00 s3 : 00000000000828c4 s4 : ffffaf800248c000
s5 : ffffaf800247d000 s6 : 0000000000001000 s7 : 0000000000001000
s8 : 0000000000000000 s9 : 00007fff861fd500 s10: 0000000000000001
s11: 0000000000800000 t3 : 00000000000004d3 t4 : 00000000000004d3
t5 : ffffffff814126e0 t6 : ffffffff81412700
status: 0000000200000120 badaddr: 0000000000000508 cause: 000000000000000d
[<ffffffff01590e98>] __kvm_write_guest_page+0x94/0xa6 [kvm]
[<ffffffff015943a6>] kvm_vcpu_write_guest+0x56/0x90 [kvm]
[<ffffffff015a175c>] kvm_pmu_clear_snapshot_area+0x42/0x7e [kvm]
[<ffffffff015a1972>] kvm_riscv_vcpu_pmu_deinit.part.0+0xe0/0x14e [kvm]
[<ffffffff015a2ad0>] kvm_riscv_vcpu_pmu_deinit+0x1a/0x24 [kvm]
[<ffffffff0159b344>] kvm_arch_vcpu_destroy+0x28/0x4c [kvm]
[<ffffffff0158e420>] kvm_destroy_vcpus+0x5a/0xda [kvm]
[<ffffffff0159930c>] kvm_arch_destroy_vm+0x14/0x28 [kvm]
[<ffffffff01593260>] kvm_destroy_vm+0x168/0x2a0 [kvm]
[<ffffffff015933d4>] kvm_put_kvm+0x3c/0x58 [kvm]
[<ffffffff01593412>] kvm_vm_release+0x22/0x2e [kvm]
Clearly, the kvm_vcpu_write_guest() function is crashing because it is
being called from kvm_pmu_clear_snapshot_area() upon guest tear down.
To address the above issue, simplify the kvm_pmu_clear_snapshot_area() to
not zero-out PMU snapshot area from kvm_pmu_clear_snapshot_area() because
the guest is anyway being tore down.
The kvm_pmu_clear_snapshot_area() is also called when guest changes
PMU snapshot area of a VCPU but even in this case the previous PMU
snaphsot area must not be zeroed-out because the guest might have
reclaimed the pervious PMU snapshot area for some other purpose.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47717", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:02:30.490635Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:18.168Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "arch/riscv/kvm/vcpu_pmu.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "81aa95fd5bd14ff49617f07fa79a8d1f1cf2ce9a", status: "affected", version: "c2f41ddbcdd75689d9f512638a40263e3127be93", versionType: "git", }, { lessThan: "6d0a5dcfc78bd18f2abb9641f83380135494559b", status: "affected", version: "c2f41ddbcdd75689d9f512638a40263e3127be93", versionType: "git", }, { lessThan: "47d40d93292d9cff8dabb735bed83d930fa03950", status: "affected", version: "c2f41ddbcdd75689d9f512638a40263e3127be93", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "arch/riscv/kvm/vcpu_pmu.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.10", }, { lessThan: "6.10", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nRISC-V: KVM: Don't zero-out PMU snapshot area before freeing data\n\nWith the latest Linux-6.11-rc3, the below NULL pointer crash is observed\nwhen SBI PMU snapshot is enabled for the guest and the guest is forcefully\npowered-off.\n\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000508\n Oops [#1]\n Modules linked in: kvm\n CPU: 0 UID: 0 PID: 61 Comm: term-poll Not tainted 6.11.0-rc3-00018-g44d7178dd77a #3\n Hardware name: riscv-virtio,qemu (DT)\n epc : __kvm_write_guest_page+0x94/0xa6 [kvm]\n ra : __kvm_write_guest_page+0x54/0xa6 [kvm]\n epc : ffffffff01590e98 ra : ffffffff01590e58 sp : ffff8f80001f39b0\n gp : ffffffff81512a60 tp : ffffaf80024872c0 t0 : ffffaf800247e000\n t1 : 00000000000007e0 t2 : 0000000000000000 s0 : ffff8f80001f39f0\n s1 : 00007fff89ac4000 a0 : ffffffff015dd7e8 a1 : 0000000000000086\n a2 : 0000000000000000 a3 : ffffaf8000000000 a4 : ffffaf80024882c0\n a5 : 0000000000000000 a6 : ffffaf800328d780 a7 : 00000000000001cc\n s2 : ffffaf800197bd00 s3 : 00000000000828c4 s4 : ffffaf800248c000\n s5 : ffffaf800247d000 s6 : 0000000000001000 s7 : 0000000000001000\n s8 : 0000000000000000 s9 : 00007fff861fd500 s10: 0000000000000001\n s11: 0000000000800000 t3 : 00000000000004d3 t4 : 00000000000004d3\n t5 : ffffffff814126e0 t6 : ffffffff81412700\n status: 0000000200000120 badaddr: 0000000000000508 cause: 000000000000000d\n [<ffffffff01590e98>] __kvm_write_guest_page+0x94/0xa6 [kvm]\n [<ffffffff015943a6>] kvm_vcpu_write_guest+0x56/0x90 [kvm]\n [<ffffffff015a175c>] kvm_pmu_clear_snapshot_area+0x42/0x7e [kvm]\n [<ffffffff015a1972>] kvm_riscv_vcpu_pmu_deinit.part.0+0xe0/0x14e [kvm]\n [<ffffffff015a2ad0>] kvm_riscv_vcpu_pmu_deinit+0x1a/0x24 [kvm]\n [<ffffffff0159b344>] kvm_arch_vcpu_destroy+0x28/0x4c [kvm]\n [<ffffffff0158e420>] kvm_destroy_vcpus+0x5a/0xda [kvm]\n [<ffffffff0159930c>] kvm_arch_destroy_vm+0x14/0x28 [kvm]\n [<ffffffff01593260>] kvm_destroy_vm+0x168/0x2a0 [kvm]\n [<ffffffff015933d4>] kvm_put_kvm+0x3c/0x58 [kvm]\n [<ffffffff01593412>] kvm_vm_release+0x22/0x2e [kvm]\n\nClearly, the kvm_vcpu_write_guest() function is crashing because it is\nbeing called from kvm_pmu_clear_snapshot_area() upon guest tear down.\n\nTo address the above issue, simplify the kvm_pmu_clear_snapshot_area() to\nnot zero-out PMU snapshot area from kvm_pmu_clear_snapshot_area() because\nthe guest is anyway being tore down.\n\nThe kvm_pmu_clear_snapshot_area() is also called when guest changes\nPMU snapshot area of a VCPU but even in this case the previous PMU\nsnaphsot area must not be zeroed-out because the guest might have\nreclaimed the pervious PMU snapshot area for some other purpose.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:26:42.988Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/81aa95fd5bd14ff49617f07fa79a8d1f1cf2ce9a", }, { url: "https://git.kernel.org/stable/c/6d0a5dcfc78bd18f2abb9641f83380135494559b", }, { url: "https://git.kernel.org/stable/c/47d40d93292d9cff8dabb735bed83d930fa03950", }, ], title: "RISC-V: KVM: Don't zero-out PMU snapshot area before freeing data", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47717", datePublished: "2024-10-21T11:53:48.181Z", dateReserved: "2024-09-30T16:00:12.949Z", dateUpdated: "2024-12-19T09:26:42.988Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47718
Vulnerability from cvelistv5
Published
2024-10-21 11:53
Modified
2024-12-19 09:26
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtw88: always wait for both firmware loading attempts
In 'rtw_wait_firmware_completion()', always wait for both (regular and
wowlan) firmware loading attempts. Otherwise if 'rtw_usb_intf_init()'
has failed in 'rtw_usb_probe()', 'rtw_usb_disconnect()' may issue
'ieee80211_free_hw()' when one of 'rtw_load_firmware_cb()' (usually
the wowlan one) is still in progress, causing UAF detected by KASAN.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: c8e5695eae9959fc5774c0f490f2450be8bad3de Version: c8e5695eae9959fc5774c0f490f2450be8bad3de Version: c8e5695eae9959fc5774c0f490f2450be8bad3de Version: c8e5695eae9959fc5774c0f490f2450be8bad3de Version: c8e5695eae9959fc5774c0f490f2450be8bad3de Version: c8e5695eae9959fc5774c0f490f2450be8bad3de Version: c8e5695eae9959fc5774c0f490f2450be8bad3de |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47718", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:02:23.252819Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:17.949Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/wireless/realtek/rtw88/main.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "a0c1e2da652cf70825739bc12d49ea15805690bf", status: "affected", version: "c8e5695eae9959fc5774c0f490f2450be8bad3de", versionType: "git", }, { lessThan: "ceaab3fb64d6a5426a3db8f87f3e5757964f2532", status: "affected", version: "c8e5695eae9959fc5774c0f490f2450be8bad3de", versionType: "git", }, { lessThan: "7887ad11995a4142671cc49146db536f923c8568", status: "affected", version: "c8e5695eae9959fc5774c0f490f2450be8bad3de", versionType: "git", }, { lessThan: "1b8178a2ae272256ea0dc4f940320a81003535e2", status: "affected", version: "c8e5695eae9959fc5774c0f490f2450be8bad3de", versionType: "git", }, { lessThan: "9432185540bafd42b7bfac6e6ef2f0a0fb4be447", status: "affected", version: "c8e5695eae9959fc5774c0f490f2450be8bad3de", versionType: "git", }, { lessThan: "e9a78d9417e167410d6fb83c4e908b077ad8ba6d", status: "affected", version: "c8e5695eae9959fc5774c0f490f2450be8bad3de", versionType: "git", }, { lessThan: "0e735a4c6137262bcefe45bb52fde7b1f5fc6c4d", status: "affected", version: "c8e5695eae9959fc5774c0f490f2450be8bad3de", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/wireless/realtek/rtw88/main.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.6", }, { lessThan: "5.6", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw88: always wait for both firmware loading attempts\n\nIn 'rtw_wait_firmware_completion()', always wait for both (regular and\nwowlan) firmware loading attempts. Otherwise if 'rtw_usb_intf_init()'\nhas failed in 'rtw_usb_probe()', 'rtw_usb_disconnect()' may issue\n'ieee80211_free_hw()' when one of 'rtw_load_firmware_cb()' (usually\nthe wowlan one) is still in progress, causing UAF detected by KASAN.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:26:44.244Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/a0c1e2da652cf70825739bc12d49ea15805690bf", }, { url: "https://git.kernel.org/stable/c/ceaab3fb64d6a5426a3db8f87f3e5757964f2532", }, { url: "https://git.kernel.org/stable/c/7887ad11995a4142671cc49146db536f923c8568", }, { url: "https://git.kernel.org/stable/c/1b8178a2ae272256ea0dc4f940320a81003535e2", }, { url: "https://git.kernel.org/stable/c/9432185540bafd42b7bfac6e6ef2f0a0fb4be447", }, { url: "https://git.kernel.org/stable/c/e9a78d9417e167410d6fb83c4e908b077ad8ba6d", }, { url: "https://git.kernel.org/stable/c/0e735a4c6137262bcefe45bb52fde7b1f5fc6c4d", }, ], title: "wifi: rtw88: always wait for both firmware loading attempts", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47718", datePublished: "2024-10-21T11:53:48.859Z", dateReserved: "2024-09-30T16:00:12.949Z", dateUpdated: "2024-12-19T09:26:44.244Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-49000
Vulnerability from cvelistv5
Published
2024-10-21 20:06
Modified
2024-12-19 08:12
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommu/vt-d: Fix PCI device refcount leak in has_external_pci()
for_each_pci_dev() is implemented by pci_get_device(). The comment of
pci_get_device() says that it will increase the reference count for the
returned pci_dev and also decrease the reference count for the input
pci_dev @from if it is not NULL.
If we break for_each_pci_dev() loop with pdev not NULL, we need to call
pci_dev_put() to decrease the reference count. Add the missing
pci_dev_put() before 'return true' to avoid reference count leak.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-49000", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:15:17.821654Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:40.762Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/iommu/intel/iommu.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "10ed7655a17f6a3eaecd1293830488259ccd5723", status: "affected", version: "89a6079df791aeace2044ea93be1b397195824ec", versionType: "git", }, { lessThan: "b6eea8b2e858a20ad58ac62dc2de90fea2413f94", status: "affected", version: "89a6079df791aeace2044ea93be1b397195824ec", versionType: "git", }, { lessThan: "17f67414718e6aba123335a33b7d15aa594fff34", status: "affected", version: "89a6079df791aeace2044ea93be1b397195824ec", versionType: "git", }, { lessThan: "afca9e19cc720bfafc75dc5ce429c185ca93f31d", status: "affected", version: "89a6079df791aeace2044ea93be1b397195824ec", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/iommu/intel/iommu.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.0", }, { lessThan: "5.0", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.158", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.82", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.12", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Fix PCI device refcount leak in has_external_pci()\n\nfor_each_pci_dev() is implemented by pci_get_device(). The comment of\npci_get_device() says that it will increase the reference count for the\nreturned pci_dev and also decrease the reference count for the input\npci_dev @from if it is not NULL.\n\nIf we break for_each_pci_dev() loop with pdev not NULL, we need to call\npci_dev_put() to decrease the reference count. Add the missing\npci_dev_put() before 'return true' to avoid reference count leak.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:12:11.796Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/10ed7655a17f6a3eaecd1293830488259ccd5723", }, { url: "https://git.kernel.org/stable/c/b6eea8b2e858a20ad58ac62dc2de90fea2413f94", }, { url: "https://git.kernel.org/stable/c/17f67414718e6aba123335a33b7d15aa594fff34", }, { url: "https://git.kernel.org/stable/c/afca9e19cc720bfafc75dc5ce429c185ca93f31d", }, ], title: "iommu/vt-d: Fix PCI device refcount leak in has_external_pci()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-49000", datePublished: "2024-10-21T20:06:14.753Z", dateReserved: "2024-08-22T01:27:53.642Z", dateUpdated: "2024-12-19T08:12:11.796Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49988
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-19 09:30
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: add refcnt to ksmbd_conn struct
When sending an oplock break request, opinfo->conn is used,
But freed ->conn can be used on multichannel.
This patch add a reference count to the ksmbd_conn struct
so that it can be freed when it is no longer used.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49988", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:31:36.656509Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:43.274Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/smb/server/connection.c", "fs/smb/server/connection.h", "fs/smb/server/oplock.c", "fs/smb/server/vfs_cache.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "18f06bacc197d4ac9b518ad1c69999bc3d83e7aa", status: "affected", version: "0626e6641f6b467447c81dd7678a69c66f7746cf", versionType: "git", }, { lessThan: "9fd3cde4628bcd3549ab95061f2bab74d2ed4f3b", status: "affected", version: "0626e6641f6b467447c81dd7678a69c66f7746cf", versionType: "git", }, { lessThan: "e9dac92f4482a382e8c0fe1bc243da5fc3526b0c", status: "affected", version: "0626e6641f6b467447c81dd7678a69c66f7746cf", versionType: "git", }, { lessThan: "ee426bfb9d09b29987369b897fe9b6485ac2be27", status: "affected", version: "0626e6641f6b467447c81dd7678a69c66f7746cf", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/smb/server/connection.c", "fs/smb/server/connection.h", "fs/smb/server/oplock.c", "fs/smb/server/vfs_cache.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.15", }, { lessThan: "5.15", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: add refcnt to ksmbd_conn struct\n\nWhen sending an oplock break request, opinfo->conn is used,\nBut freed ->conn can be used on multichannel.\nThis patch add a reference count to the ksmbd_conn struct\nso that it can be freed when it is no longer used.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:30:46.956Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/18f06bacc197d4ac9b518ad1c69999bc3d83e7aa", }, { url: "https://git.kernel.org/stable/c/9fd3cde4628bcd3549ab95061f2bab74d2ed4f3b", }, { url: "https://git.kernel.org/stable/c/e9dac92f4482a382e8c0fe1bc243da5fc3526b0c", }, { url: "https://git.kernel.org/stable/c/ee426bfb9d09b29987369b897fe9b6485ac2be27", }, ], title: "ksmbd: add refcnt to ksmbd_conn struct", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49988", datePublished: "2024-10-21T18:02:31.845Z", dateReserved: "2024-10-21T12:17:06.054Z", dateUpdated: "2024-12-19T09:30:46.956Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49886
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:28
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
platform/x86: ISST: Fix the KASAN report slab-out-of-bounds bug
Attaching SST PCI device to VM causes "BUG: KASAN: slab-out-of-bounds".
kasan report:
[ 19.411889] ==================================================================
[ 19.413702] BUG: KASAN: slab-out-of-bounds in _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
[ 19.415634] Read of size 8 at addr ffff888829e65200 by task cpuhp/16/113
[ 19.417368]
[ 19.418627] CPU: 16 PID: 113 Comm: cpuhp/16 Tainted: G E 6.9.0 #10
[ 19.420435] Hardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.20192059.B64.2207280713 07/28/2022
[ 19.422687] Call Trace:
[ 19.424091] <TASK>
[ 19.425448] dump_stack_lvl+0x5d/0x80
[ 19.426963] ? _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
[ 19.428694] print_report+0x19d/0x52e
[ 19.430206] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[ 19.431837] ? _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
[ 19.433539] kasan_report+0xf0/0x170
[ 19.435019] ? _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
[ 19.436709] _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
[ 19.438379] ? __pfx_sched_clock_cpu+0x10/0x10
[ 19.439910] isst_if_cpu_online+0x406/0x58f [isst_if_common]
[ 19.441573] ? __pfx_isst_if_cpu_online+0x10/0x10 [isst_if_common]
[ 19.443263] ? ttwu_queue_wakelist+0x2c1/0x360
[ 19.444797] cpuhp_invoke_callback+0x221/0xec0
[ 19.446337] cpuhp_thread_fun+0x21b/0x610
[ 19.447814] ? __pfx_cpuhp_thread_fun+0x10/0x10
[ 19.449354] smpboot_thread_fn+0x2e7/0x6e0
[ 19.450859] ? __pfx_smpboot_thread_fn+0x10/0x10
[ 19.452405] kthread+0x29c/0x350
[ 19.453817] ? __pfx_kthread+0x10/0x10
[ 19.455253] ret_from_fork+0x31/0x70
[ 19.456685] ? __pfx_kthread+0x10/0x10
[ 19.458114] ret_from_fork_asm+0x1a/0x30
[ 19.459573] </TASK>
[ 19.460853]
[ 19.462055] Allocated by task 1198:
[ 19.463410] kasan_save_stack+0x30/0x50
[ 19.464788] kasan_save_track+0x14/0x30
[ 19.466139] __kasan_kmalloc+0xaa/0xb0
[ 19.467465] __kmalloc+0x1cd/0x470
[ 19.468748] isst_if_cdev_register+0x1da/0x350 [isst_if_common]
[ 19.470233] isst_if_mbox_init+0x108/0xff0 [isst_if_mbox_msr]
[ 19.471670] do_one_initcall+0xa4/0x380
[ 19.472903] do_init_module+0x238/0x760
[ 19.474105] load_module+0x5239/0x6f00
[ 19.475285] init_module_from_file+0xd1/0x130
[ 19.476506] idempotent_init_module+0x23b/0x650
[ 19.477725] __x64_sys_finit_module+0xbe/0x130
[ 19.476506] idempotent_init_module+0x23b/0x650
[ 19.477725] __x64_sys_finit_module+0xbe/0x130
[ 19.478920] do_syscall_64+0x82/0x160
[ 19.480036] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 19.481292]
[ 19.482205] The buggy address belongs to the object at ffff888829e65000
which belongs to the cache kmalloc-512 of size 512
[ 19.484818] The buggy address is located 0 bytes to the right of
allocated 512-byte region [ffff888829e65000, ffff888829e65200)
[ 19.487447]
[ 19.488328] The buggy address belongs to the physical page:
[ 19.489569] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888829e60c00 pfn:0x829e60
[ 19.491140] head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 19.492466] anon flags: 0x57ffffc0000840(slab|head|node=1|zone=2|lastcpupid=0x1fffff)
[ 19.493914] page_type: 0xffffffff()
[ 19.494988] raw: 0057ffffc0000840 ffff88810004cc80 0000000000000000 0000000000000001
[ 19.496451] raw: ffff888829e60c00 0000000080200018 00000001ffffffff 0000000000000000
[ 19.497906] head: 0057ffffc0000840 ffff88810004cc80 0000000000000000 0000000000000001
[ 19.499379] head: ffff888829e60c00 0000000080200018 00000001ffffffff 0000000000000000
[ 19.500844] head: 0057ffffc0000003 ffffea0020a79801 ffffea0020a79848 00000000ffffffff
[ 19.502316] head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
[ 19.503784] page dumped because: k
---truncated---
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 017a634f9f38ae704d9d57817555773de700219e Version: 9a1aac8a96dc014bec49806a7a964bf2fdbd315f Version: 9a1aac8a96dc014bec49806a7a964bf2fdbd315f Version: 9a1aac8a96dc014bec49806a7a964bf2fdbd315f Version: 9a1aac8a96dc014bec49806a7a964bf2fdbd315f Version: 9a1aac8a96dc014bec49806a7a964bf2fdbd315f |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49886", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:44:59.932755Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:49.789Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/platform/x86/intel/speed_select_if/isst_if_common.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "1973c4d8ee0782a808303d75e3be9c12baaacd97", status: "affected", version: "017a634f9f38ae704d9d57817555773de700219e", versionType: "git", }, { lessThan: "cdd03afcb6eda3103da5a0948d3db12372f62910", status: "affected", version: "9a1aac8a96dc014bec49806a7a964bf2fdbd315f", versionType: "git", }, { lessThan: "8176d4878ed2af5d93ddd0e971e24c412124d38b", status: "affected", version: "9a1aac8a96dc014bec49806a7a964bf2fdbd315f", versionType: "git", }, { lessThan: "cebc705b097d5c16469b141a25e840161d1c517a", status: "affected", version: "9a1aac8a96dc014bec49806a7a964bf2fdbd315f", versionType: "git", }, { lessThan: "afa7f78d9a907cfded6c98c91aae2bf7b3b56e51", status: "affected", version: "9a1aac8a96dc014bec49806a7a964bf2fdbd315f", versionType: "git", }, { lessThan: "7d59ac07ccb58f8f604f8057db63b8efcebeb3de", status: "affected", version: "9a1aac8a96dc014bec49806a7a964bf2fdbd315f", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/platform/x86/intel/speed_select_if/isst_if_common.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.0", }, { lessThan: "6.0", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: ISST: Fix the KASAN report slab-out-of-bounds bug\n\nAttaching SST PCI device to VM causes \"BUG: KASAN: slab-out-of-bounds\".\nkasan report:\n[ 19.411889] ==================================================================\n[ 19.413702] BUG: KASAN: slab-out-of-bounds in _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]\n[ 19.415634] Read of size 8 at addr ffff888829e65200 by task cpuhp/16/113\n[ 19.417368]\n[ 19.418627] CPU: 16 PID: 113 Comm: cpuhp/16 Tainted: G E 6.9.0 #10\n[ 19.420435] Hardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.20192059.B64.2207280713 07/28/2022\n[ 19.422687] Call Trace:\n[ 19.424091] <TASK>\n[ 19.425448] dump_stack_lvl+0x5d/0x80\n[ 19.426963] ? _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]\n[ 19.428694] print_report+0x19d/0x52e\n[ 19.430206] ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n[ 19.431837] ? _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]\n[ 19.433539] kasan_report+0xf0/0x170\n[ 19.435019] ? _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]\n[ 19.436709] _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]\n[ 19.438379] ? __pfx_sched_clock_cpu+0x10/0x10\n[ 19.439910] isst_if_cpu_online+0x406/0x58f [isst_if_common]\n[ 19.441573] ? __pfx_isst_if_cpu_online+0x10/0x10 [isst_if_common]\n[ 19.443263] ? ttwu_queue_wakelist+0x2c1/0x360\n[ 19.444797] cpuhp_invoke_callback+0x221/0xec0\n[ 19.446337] cpuhp_thread_fun+0x21b/0x610\n[ 19.447814] ? __pfx_cpuhp_thread_fun+0x10/0x10\n[ 19.449354] smpboot_thread_fn+0x2e7/0x6e0\n[ 19.450859] ? __pfx_smpboot_thread_fn+0x10/0x10\n[ 19.452405] kthread+0x29c/0x350\n[ 19.453817] ? __pfx_kthread+0x10/0x10\n[ 19.455253] ret_from_fork+0x31/0x70\n[ 19.456685] ? __pfx_kthread+0x10/0x10\n[ 19.458114] ret_from_fork_asm+0x1a/0x30\n[ 19.459573] </TASK>\n[ 19.460853]\n[ 19.462055] Allocated by task 1198:\n[ 19.463410] kasan_save_stack+0x30/0x50\n[ 19.464788] kasan_save_track+0x14/0x30\n[ 19.466139] __kasan_kmalloc+0xaa/0xb0\n[ 19.467465] __kmalloc+0x1cd/0x470\n[ 19.468748] isst_if_cdev_register+0x1da/0x350 [isst_if_common]\n[ 19.470233] isst_if_mbox_init+0x108/0xff0 [isst_if_mbox_msr]\n[ 19.471670] do_one_initcall+0xa4/0x380\n[ 19.472903] do_init_module+0x238/0x760\n[ 19.474105] load_module+0x5239/0x6f00\n[ 19.475285] init_module_from_file+0xd1/0x130\n[ 19.476506] idempotent_init_module+0x23b/0x650\n[ 19.477725] __x64_sys_finit_module+0xbe/0x130\n[ 19.476506] idempotent_init_module+0x23b/0x650\n[ 19.477725] __x64_sys_finit_module+0xbe/0x130\n[ 19.478920] do_syscall_64+0x82/0x160\n[ 19.480036] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[ 19.481292]\n[ 19.482205] The buggy address belongs to the object at ffff888829e65000\n which belongs to the cache kmalloc-512 of size 512\n[ 19.484818] The buggy address is located 0 bytes to the right of\n allocated 512-byte region [ffff888829e65000, ffff888829e65200)\n[ 19.487447]\n[ 19.488328] The buggy address belongs to the physical page:\n[ 19.489569] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888829e60c00 pfn:0x829e60\n[ 19.491140] head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0\n[ 19.492466] anon flags: 0x57ffffc0000840(slab|head|node=1|zone=2|lastcpupid=0x1fffff)\n[ 19.493914] page_type: 0xffffffff()\n[ 19.494988] raw: 0057ffffc0000840 ffff88810004cc80 0000000000000000 0000000000000001\n[ 19.496451] raw: ffff888829e60c00 0000000080200018 00000001ffffffff 0000000000000000\n[ 19.497906] head: 0057ffffc0000840 ffff88810004cc80 0000000000000000 0000000000000001\n[ 19.499379] head: ffff888829e60c00 0000000080200018 00000001ffffffff 0000000000000000\n[ 19.500844] head: 0057ffffc0000003 ffffea0020a79801 ffffea0020a79848 00000000ffffffff\n[ 19.502316] head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000\n[ 19.503784] page dumped because: k\n---truncated---", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:28:22.526Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/1973c4d8ee0782a808303d75e3be9c12baaacd97", }, { url: "https://git.kernel.org/stable/c/cdd03afcb6eda3103da5a0948d3db12372f62910", }, { url: "https://git.kernel.org/stable/c/8176d4878ed2af5d93ddd0e971e24c412124d38b", }, { url: "https://git.kernel.org/stable/c/cebc705b097d5c16469b141a25e840161d1c517a", }, { url: "https://git.kernel.org/stable/c/afa7f78d9a907cfded6c98c91aae2bf7b3b56e51", }, { url: "https://git.kernel.org/stable/c/7d59ac07ccb58f8f604f8057db63b8efcebeb3de", }, ], title: "platform/x86: ISST: Fix the KASAN report slab-out-of-bounds bug", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49886", datePublished: "2024-10-21T18:01:22.870Z", dateReserved: "2024-10-21T12:17:06.022Z", dateUpdated: "2024-12-19T09:28:22.526Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49994
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2025-02-02 10:14
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
block: fix integer overflow in BLKSECDISCARD
I independently rediscovered
commit 22d24a544b0d49bbcbd61c8c0eaf77d3c9297155
block: fix overflow in blk_ioctl_discard()
but for secure erase.
Same problem:
uint64_t r[2] = {512, 18446744073709551104ULL};
ioctl(fd, BLKSECDISCARD, r);
will enter near infinite loop inside blkdev_issue_secure_erase():
a.out: attempt to access beyond end of device
loop0: rw=5, sector=3399043073, nr_sectors = 1024 limit=2048
bio_check_eod: 3286214 callbacks suppressed
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49994", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:30:51.719818Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:42.196Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "block/ioctl.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "8476f8428e8b48fd7a0e4258fa2a96a8f4468239", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "a99bacb35c1416355eef957560e8fcac3a665549", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "0842ddd83939eb4db940b9af7d39e79722bc41aa", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "6c9915fa9410cbb9bd75ee283c03120046c56d3d", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "697ba0b6ec4ae04afb67d3911799b5e2043b4455", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "block/ioctl.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.128", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.75", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix integer overflow in BLKSECDISCARD\n\nI independently rediscovered\n\n\tcommit 22d24a544b0d49bbcbd61c8c0eaf77d3c9297155\n\tblock: fix overflow in blk_ioctl_discard()\n\nbut for secure erase.\n\nSame problem:\n\n\tuint64_t r[2] = {512, 18446744073709551104ULL};\n\tioctl(fd, BLKSECDISCARD, r);\n\nwill enter near infinite loop inside blkdev_issue_secure_erase():\n\n\ta.out: attempt to access beyond end of device\n\tloop0: rw=5, sector=3399043073, nr_sectors = 1024 limit=2048\n\tbio_check_eod: 3286214 callbacks suppressed", }, ], providerMetadata: { dateUpdated: "2025-02-02T10:14:54.586Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/8476f8428e8b48fd7a0e4258fa2a96a8f4468239", }, { url: "https://git.kernel.org/stable/c/a99bacb35c1416355eef957560e8fcac3a665549", }, { url: "https://git.kernel.org/stable/c/0842ddd83939eb4db940b9af7d39e79722bc41aa", }, { url: "https://git.kernel.org/stable/c/6c9915fa9410cbb9bd75ee283c03120046c56d3d", }, { url: "https://git.kernel.org/stable/c/697ba0b6ec4ae04afb67d3911799b5e2043b4455", }, ], title: "block: fix integer overflow in BLKSECDISCARD", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49994", datePublished: "2024-10-21T18:02:35.722Z", dateReserved: "2024-10-21T12:17:06.055Z", dateUpdated: "2025-02-02T10:14:54.586Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49957
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-19 09:30
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ocfs2: fix null-ptr-deref when journal load failed.
During the mounting process, if journal_reset() fails because of too short
journal, then lead to jbd2_journal_load() fails with NULL j_sb_buffer.
Subsequently, ocfs2_journal_shutdown() calls
jbd2_journal_flush()->jbd2_cleanup_journal_tail()->
__jbd2_update_log_tail()->jbd2_journal_update_sb_log_tail()
->lock_buffer(journal->j_sb_buffer), resulting in a null-pointer
dereference error.
To resolve this issue, we should check the JBD2_LOADED flag to ensure the
journal was properly loaded. Additionally, use journal instead of
osb->journal directly to simplify the code.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: f6f50e28f0cb8d7bcdfaacc83129f005dede11b1 Version: f6f50e28f0cb8d7bcdfaacc83129f005dede11b1 Version: f6f50e28f0cb8d7bcdfaacc83129f005dede11b1 Version: f6f50e28f0cb8d7bcdfaacc83129f005dede11b1 Version: f6f50e28f0cb8d7bcdfaacc83129f005dede11b1 Version: f6f50e28f0cb8d7bcdfaacc83129f005dede11b1 Version: f6f50e28f0cb8d7bcdfaacc83129f005dede11b1 Version: f6f50e28f0cb8d7bcdfaacc83129f005dede11b1 Version: f6f50e28f0cb8d7bcdfaacc83129f005dede11b1 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49957", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:35:36.575300Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:48.252Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/ocfs2/journal.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "fd89d92c1140cee8f59de336cb37fa65e359c123", status: "affected", version: "f6f50e28f0cb8d7bcdfaacc83129f005dede11b1", versionType: "git", }, { lessThan: "703b2c7e0798d263154dc8593dc2345f75dc077f", status: "affected", version: "f6f50e28f0cb8d7bcdfaacc83129f005dede11b1", versionType: "git", }, { lessThan: "bf605ae98dab5c15c5b631d4d7f88898cb41b649", status: "affected", version: "f6f50e28f0cb8d7bcdfaacc83129f005dede11b1", versionType: "git", }, { lessThan: "ff55291fb36779819211b596da703389135f5b05", status: "affected", version: "f6f50e28f0cb8d7bcdfaacc83129f005dede11b1", versionType: "git", }, { lessThan: "82dfdd1e31e774578f76ce6dc90c834f96403a0f", status: "affected", version: "f6f50e28f0cb8d7bcdfaacc83129f005dede11b1", versionType: "git", }, { lessThan: "86a89e75e9e4dfa768b97db466ad6bedf2e7ea5b", status: "affected", version: "f6f50e28f0cb8d7bcdfaacc83129f005dede11b1", versionType: "git", }, { lessThan: "f60e94a83db799bde625ac8671a5b4a6354e7120", status: "affected", version: "f6f50e28f0cb8d7bcdfaacc83129f005dede11b1", versionType: "git", }, { lessThan: "387bf565cc03e2e8c720b8b4798efea4aacb6962", status: "affected", version: "f6f50e28f0cb8d7bcdfaacc83129f005dede11b1", versionType: "git", }, { lessThan: "5784d9fcfd43bd853654bb80c87ef293b9e8e80a", status: "affected", version: "f6f50e28f0cb8d7bcdfaacc83129f005dede11b1", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/ocfs2/journal.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "2.6.32", }, { lessThan: "2.6.32", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix null-ptr-deref when journal load failed.\n\nDuring the mounting process, if journal_reset() fails because of too short\njournal, then lead to jbd2_journal_load() fails with NULL j_sb_buffer. \nSubsequently, ocfs2_journal_shutdown() calls\njbd2_journal_flush()->jbd2_cleanup_journal_tail()->\n__jbd2_update_log_tail()->jbd2_journal_update_sb_log_tail()\n->lock_buffer(journal->j_sb_buffer), resulting in a null-pointer\ndereference error.\n\nTo resolve this issue, we should check the JBD2_LOADED flag to ensure the\njournal was properly loaded. Additionally, use journal instead of\nosb->journal directly to simplify the code.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:30:08.641Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/fd89d92c1140cee8f59de336cb37fa65e359c123", }, { url: "https://git.kernel.org/stable/c/703b2c7e0798d263154dc8593dc2345f75dc077f", }, { url: "https://git.kernel.org/stable/c/bf605ae98dab5c15c5b631d4d7f88898cb41b649", }, { url: "https://git.kernel.org/stable/c/ff55291fb36779819211b596da703389135f5b05", }, { url: "https://git.kernel.org/stable/c/82dfdd1e31e774578f76ce6dc90c834f96403a0f", }, { url: "https://git.kernel.org/stable/c/86a89e75e9e4dfa768b97db466ad6bedf2e7ea5b", }, { url: "https://git.kernel.org/stable/c/f60e94a83db799bde625ac8671a5b4a6354e7120", }, { url: "https://git.kernel.org/stable/c/387bf565cc03e2e8c720b8b4798efea4aacb6962", }, { url: "https://git.kernel.org/stable/c/5784d9fcfd43bd853654bb80c87ef293b9e8e80a", }, ], title: "ocfs2: fix null-ptr-deref when journal load failed.", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49957", datePublished: "2024-10-21T18:02:11.046Z", dateReserved: "2024-10-21T12:17:06.048Z", dateUpdated: "2024-12-19T09:30:08.641Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47693
Vulnerability from cvelistv5
Published
2024-10-21 11:53
Modified
2024-12-19 09:26
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
IB/core: Fix ib_cache_setup_one error flow cleanup
When ib_cache_update return an error, we exit ib_cache_setup_one
instantly with no proper cleanup, even though before this we had
already successfully done gid_table_setup_one, that results in
the kernel WARN below.
Do proper cleanup using gid_table_cleanup_one before returning
the err in order to fix the issue.
WARNING: CPU: 4 PID: 922 at drivers/infiniband/core/cache.c:806 gid_table_release_one+0x181/0x1a0
Modules linked in:
CPU: 4 UID: 0 PID: 922 Comm: c_repro Not tainted 6.11.0-rc1+ #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:gid_table_release_one+0x181/0x1a0
Code: 44 8b 38 75 0c e8 2f cb 34 ff 4d 8b b5 28 05 00 00 e8 23 cb 34 ff 44 89 f9 89 da 4c 89 f6 48 c7 c7 d0 58 14 83 e8 4f de 21 ff <0f> 0b 4c 8b 75 30 e9 54 ff ff ff 48 8 3 c4 10 5b 5d 41 5c 41 5d 41
RSP: 0018:ffffc90002b835b0 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff811c8527
RDX: 0000000000000000 RSI: ffffffff811c8534 RDI: 0000000000000001
RBP: ffff8881011b3d00 R08: ffff88810b3abe00 R09: 205d303839303631
R10: 666572207972746e R11: 72746e6520444947 R12: 0000000000000001
R13: ffff888106390000 R14: ffff8881011f2110 R15: 0000000000000001
FS: 00007fecc3b70800(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000340 CR3: 000000010435a001 CR4: 00000000003706b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
? show_regs+0x94/0xa0
? __warn+0x9e/0x1c0
? gid_table_release_one+0x181/0x1a0
? report_bug+0x1f9/0x340
? gid_table_release_one+0x181/0x1a0
? handle_bug+0xa2/0x110
? exc_invalid_op+0x31/0xa0
? asm_exc_invalid_op+0x16/0x20
? __warn_printk+0xc7/0x180
? __warn_printk+0xd4/0x180
? gid_table_release_one+0x181/0x1a0
ib_device_release+0x71/0xe0
? __pfx_ib_device_release+0x10/0x10
device_release+0x44/0xd0
kobject_put+0x135/0x3d0
put_device+0x20/0x30
rxe_net_add+0x7d/0xa0
rxe_newlink+0xd7/0x190
nldev_newlink+0x1b0/0x2a0
? __pfx_nldev_newlink+0x10/0x10
rdma_nl_rcv_msg+0x1ad/0x2e0
rdma_nl_rcv_skb.constprop.0+0x176/0x210
netlink_unicast+0x2de/0x400
netlink_sendmsg+0x306/0x660
__sock_sendmsg+0x110/0x120
____sys_sendmsg+0x30e/0x390
___sys_sendmsg+0x9b/0xf0
? kstrtouint+0x6e/0xa0
? kstrtouint_from_user+0x7c/0xb0
? get_pid_task+0xb0/0xd0
? proc_fail_nth_write+0x5b/0x140
? __fget_light+0x9a/0x200
? preempt_count_add+0x47/0xa0
__sys_sendmsg+0x61/0xd0
do_syscall_64+0x50/0x110
entry_SYSCALL_64_after_hwframe+0x76/0x7e
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1901b91f99821955eac2bd48fe25ee983385dc00 Version: 1901b91f99821955eac2bd48fe25ee983385dc00 Version: 1901b91f99821955eac2bd48fe25ee983385dc00 Version: 1901b91f99821955eac2bd48fe25ee983385dc00 Version: 1901b91f99821955eac2bd48fe25ee983385dc00 Version: 1901b91f99821955eac2bd48fe25ee983385dc00 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47693", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:05:38.150217Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:14:14.795Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/infiniband/core/cache.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "1730d47d1865af89efd01cf0469a9a739cbf60f2", status: "affected", version: "1901b91f99821955eac2bd48fe25ee983385dc00", versionType: "git", }, { lessThan: "45f63f4bb9a7128a6209d766c2fc02b3d42fbf3e", status: "affected", version: "1901b91f99821955eac2bd48fe25ee983385dc00", versionType: "git", }, { lessThan: "d08754be993f270e3d296d8f5d8e071fe6638651", status: "affected", version: "1901b91f99821955eac2bd48fe25ee983385dc00", versionType: "git", }, { lessThan: "af633fd9d9fff59e31c804f47ca0c8a784977773", status: "affected", version: "1901b91f99821955eac2bd48fe25ee983385dc00", versionType: "git", }, { lessThan: "290fe42fe0165205c4451334d8833a9202ae1d52", status: "affected", version: "1901b91f99821955eac2bd48fe25ee983385dc00", versionType: "git", }, { lessThan: "1403c8b14765eab805377dd3b75e96ace8747aed", status: "affected", version: "1901b91f99821955eac2bd48fe25ee983385dc00", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/infiniband/core/cache.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.7", }, { lessThan: "5.7", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/core: Fix ib_cache_setup_one error flow cleanup\n\nWhen ib_cache_update return an error, we exit ib_cache_setup_one\ninstantly with no proper cleanup, even though before this we had\nalready successfully done gid_table_setup_one, that results in\nthe kernel WARN below.\n\nDo proper cleanup using gid_table_cleanup_one before returning\nthe err in order to fix the issue.\n\nWARNING: CPU: 4 PID: 922 at drivers/infiniband/core/cache.c:806 gid_table_release_one+0x181/0x1a0\nModules linked in:\nCPU: 4 UID: 0 PID: 922 Comm: c_repro Not tainted 6.11.0-rc1+ #3\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nRIP: 0010:gid_table_release_one+0x181/0x1a0\nCode: 44 8b 38 75 0c e8 2f cb 34 ff 4d 8b b5 28 05 00 00 e8 23 cb 34 ff 44 89 f9 89 da 4c 89 f6 48 c7 c7 d0 58 14 83 e8 4f de 21 ff <0f> 0b 4c 8b 75 30 e9 54 ff ff ff 48 8 3 c4 10 5b 5d 41 5c 41 5d 41\nRSP: 0018:ffffc90002b835b0 EFLAGS: 00010286\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff811c8527\nRDX: 0000000000000000 RSI: ffffffff811c8534 RDI: 0000000000000001\nRBP: ffff8881011b3d00 R08: ffff88810b3abe00 R09: 205d303839303631\nR10: 666572207972746e R11: 72746e6520444947 R12: 0000000000000001\nR13: ffff888106390000 R14: ffff8881011f2110 R15: 0000000000000001\nFS: 00007fecc3b70800(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020000340 CR3: 000000010435a001 CR4: 00000000003706b0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n ? show_regs+0x94/0xa0\n ? __warn+0x9e/0x1c0\n ? gid_table_release_one+0x181/0x1a0\n ? report_bug+0x1f9/0x340\n ? gid_table_release_one+0x181/0x1a0\n ? handle_bug+0xa2/0x110\n ? exc_invalid_op+0x31/0xa0\n ? asm_exc_invalid_op+0x16/0x20\n ? __warn_printk+0xc7/0x180\n ? __warn_printk+0xd4/0x180\n ? gid_table_release_one+0x181/0x1a0\n ib_device_release+0x71/0xe0\n ? __pfx_ib_device_release+0x10/0x10\n device_release+0x44/0xd0\n kobject_put+0x135/0x3d0\n put_device+0x20/0x30\n rxe_net_add+0x7d/0xa0\n rxe_newlink+0xd7/0x190\n nldev_newlink+0x1b0/0x2a0\n ? __pfx_nldev_newlink+0x10/0x10\n rdma_nl_rcv_msg+0x1ad/0x2e0\n rdma_nl_rcv_skb.constprop.0+0x176/0x210\n netlink_unicast+0x2de/0x400\n netlink_sendmsg+0x306/0x660\n __sock_sendmsg+0x110/0x120\n ____sys_sendmsg+0x30e/0x390\n ___sys_sendmsg+0x9b/0xf0\n ? kstrtouint+0x6e/0xa0\n ? kstrtouint_from_user+0x7c/0xb0\n ? get_pid_task+0xb0/0xd0\n ? proc_fail_nth_write+0x5b/0x140\n ? __fget_light+0x9a/0x200\n ? preempt_count_add+0x47/0xa0\n __sys_sendmsg+0x61/0xd0\n do_syscall_64+0x50/0x110\n entry_SYSCALL_64_after_hwframe+0x76/0x7e", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:26:13.245Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/1730d47d1865af89efd01cf0469a9a739cbf60f2", }, { url: "https://git.kernel.org/stable/c/45f63f4bb9a7128a6209d766c2fc02b3d42fbf3e", }, { url: "https://git.kernel.org/stable/c/d08754be993f270e3d296d8f5d8e071fe6638651", }, { url: "https://git.kernel.org/stable/c/af633fd9d9fff59e31c804f47ca0c8a784977773", }, { url: "https://git.kernel.org/stable/c/290fe42fe0165205c4451334d8833a9202ae1d52", }, { url: "https://git.kernel.org/stable/c/1403c8b14765eab805377dd3b75e96ace8747aed", }, ], title: "IB/core: Fix ib_cache_setup_one error flow cleanup", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47693", datePublished: "2024-10-21T11:53:31.924Z", dateReserved: "2024-09-30T16:00:12.942Z", dateUpdated: "2024-12-19T09:26:13.245Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49899
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:28
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Initialize denominators' default to 1
[WHAT & HOW]
Variables used as denominators and maybe not assigned to other values,
should not be 0. Change their default to 1 so they are never 0.
This fixes 10 DIVIDE_BY_ZERO issues reported by Coverity.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49899", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:43:09.954496Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:47.837Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/dml/dcn20/display_rq_dlg_calc_20.c", "drivers/gpu/drm/amd/display/dc/dml/dml1_display_rq_dlg_calc.c", "drivers/gpu/drm/amd/display/dc/dml2/dml21/src/dml2_core/dml2_core_shared.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "9be768f08b16f020da376538b08463ac3a2ce8cd", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "9f35cec5e4b9759b38c663d18eae4eaf30f36527", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "7f8e93b862aba08d540f1e9e03e0ceb4d0cfd5fb", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "b995c0a6de6c74656a0c39cd57a0626351b13e3c", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/dml/dcn20/display_rq_dlg_calc_20.c", "drivers/gpu/drm/amd/display/dc/dml/dml1_display_rq_dlg_calc.c", "drivers/gpu/drm/amd/display/dc/dml2/dml21/src/dml2_core/dml2_core_shared.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.120", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.64", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Initialize denominators' default to 1\n\n[WHAT & HOW]\nVariables used as denominators and maybe not assigned to other values,\nshould not be 0. Change their default to 1 so they are never 0.\n\nThis fixes 10 DIVIDE_BY_ZERO issues reported by Coverity.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:28:38.382Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/9be768f08b16f020da376538b08463ac3a2ce8cd", }, { url: "https://git.kernel.org/stable/c/9f35cec5e4b9759b38c663d18eae4eaf30f36527", }, { url: "https://git.kernel.org/stable/c/7f8e93b862aba08d540f1e9e03e0ceb4d0cfd5fb", }, { url: "https://git.kernel.org/stable/c/b995c0a6de6c74656a0c39cd57a0626351b13e3c", }, ], title: "drm/amd/display: Initialize denominators' default to 1", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49899", datePublished: "2024-10-21T18:01:31.911Z", dateReserved: "2024-10-21T12:17:06.026Z", dateUpdated: "2024-12-19T09:28:38.382Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50000
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-19 09:31
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: Fix NULL deref in mlx5e_tir_builder_alloc()
In mlx5e_tir_builder_alloc() kvzalloc() may return NULL
which is dereferenced on the next line in a reference
to the modify field.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: a6696735d694b365bca45873e9dbca26120a8375 Version: a6696735d694b365bca45873e9dbca26120a8375 Version: a6696735d694b365bca45873e9dbca26120a8375 Version: a6696735d694b365bca45873e9dbca26120a8375 Version: a6696735d694b365bca45873e9dbca26120a8375 Version: a6696735d694b365bca45873e9dbca26120a8375 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50000", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:30:05.793869Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:41.258Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/ethernet/mellanox/mlx5/core/en/tir.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "4655456a64a0f936098c8432bac64e7176bd2aff", status: "affected", version: "a6696735d694b365bca45873e9dbca26120a8375", versionType: "git", }, { lessThan: "b48ee5bb25c02ca2b81e0d16bf8af17ab6ed3f8b", status: "affected", version: "a6696735d694b365bca45873e9dbca26120a8375", versionType: "git", }, { lessThan: "0168ab6fbd9e50d20b97486168b604b2ab28a2ca", status: "affected", version: "a6696735d694b365bca45873e9dbca26120a8375", versionType: "git", }, { lessThan: "1bcc86cc721bea68980098f51f102aa2c2b9d932", status: "affected", version: "a6696735d694b365bca45873e9dbca26120a8375", versionType: "git", }, { lessThan: "4d80dde26d7bab1320210279483ac854dcb274b2", status: "affected", version: "a6696735d694b365bca45873e9dbca26120a8375", versionType: "git", }, { lessThan: "f25389e779500cf4a59ef9804534237841bce536", status: "affected", version: "a6696735d694b365bca45873e9dbca26120a8375", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/ethernet/mellanox/mlx5/core/en/tir.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.15", }, { lessThan: "5.15", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix NULL deref in mlx5e_tir_builder_alloc()\n\nIn mlx5e_tir_builder_alloc() kvzalloc() may return NULL\nwhich is dereferenced on the next line in a reference\nto the modify field.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:31:01.388Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/4655456a64a0f936098c8432bac64e7176bd2aff", }, { url: "https://git.kernel.org/stable/c/b48ee5bb25c02ca2b81e0d16bf8af17ab6ed3f8b", }, { url: "https://git.kernel.org/stable/c/0168ab6fbd9e50d20b97486168b604b2ab28a2ca", }, { url: "https://git.kernel.org/stable/c/1bcc86cc721bea68980098f51f102aa2c2b9d932", }, { url: "https://git.kernel.org/stable/c/4d80dde26d7bab1320210279483ac854dcb274b2", }, { url: "https://git.kernel.org/stable/c/f25389e779500cf4a59ef9804534237841bce536", }, ], title: "net/mlx5e: Fix NULL deref in mlx5e_tir_builder_alloc()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50000", datePublished: "2024-10-21T18:02:39.600Z", dateReserved: "2024-10-21T12:17:06.057Z", dateUpdated: "2024-12-19T09:31:01.388Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49998
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2025-01-09 15:35
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: dsa: improve shutdown sequence
Alexander Sverdlin presents 2 problems during shutdown with the
lan9303 driver. One is specific to lan9303 and the other just happens
to reproduce there.
The first problem is that lan9303 is unique among DSA drivers in that it
calls dev_get_drvdata() at "arbitrary runtime" (not probe, not shutdown,
not remove):
phy_state_machine()
-> ...
-> dsa_user_phy_read()
-> ds->ops->phy_read()
-> lan9303_phy_read()
-> chip->ops->phy_read()
-> lan9303_mdio_phy_read()
-> dev_get_drvdata()
But we never stop the phy_state_machine(), so it may continue to run
after dsa_switch_shutdown(). Our common pattern in all DSA drivers is
to set drvdata to NULL to suppress the remove() method that may come
afterwards. But in this case it will result in an NPD.
The second problem is that the way in which we set
dp->conduit->dsa_ptr = NULL; is concurrent with receive packet
processing. dsa_switch_rcv() checks once whether dev->dsa_ptr is NULL,
but afterwards, rather than continuing to use that non-NULL value,
dev->dsa_ptr is dereferenced again and again without NULL checks:
dsa_conduit_find_user() and many other places. In between dereferences,
there is no locking to ensure that what was valid once continues to be
valid.
Both problems have the common aspect that closing the conduit interface
solves them.
In the first case, dev_close(conduit) triggers the NETDEV_GOING_DOWN
event in dsa_user_netdevice_event() which closes user ports as well.
dsa_port_disable_rt() calls phylink_stop(), which synchronously stops
the phylink state machine, and ds->ops->phy_read() will thus no longer
call into the driver after this point.
In the second case, dev_close(conduit) should do this, as per
Documentation/networking/driver.rst:
| Quiescence
| ----------
|
| After the ndo_stop routine has been called, the hardware must
| not receive or transmit any data. All in flight packets must
| be aborted. If necessary, poll or wait for completion of
| any reset commands.
So it should be sufficient to ensure that later, when we zeroize
conduit->dsa_ptr, there will be no concurrent dsa_switch_rcv() call
on this conduit.
The addition of the netif_device_detach() function is to ensure that
ioctls, rtnetlinks and ethtool requests on the user ports no longer
propagate down to the driver - we're no longer prepared to handle them.
The race condition actually did not exist when commit 0650bf52b31f
("net: dsa: be compatible with masters which unregister on shutdown")
first introduced dsa_switch_shutdown(). It was created later, when we
stopped unregistering the user interfaces from a bad spot, and we just
replaced that sequence with a racy zeroization of conduit->dsa_ptr
(one which doesn't ensure that the interfaces aren't up).
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49998", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:30:20.999100Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:41.547Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/dsa/dsa.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "87bd909a7014e32790e8c759d5b7694a95778ca5", status: "affected", version: "ff45899e732e57088985e3a497b1d9100571c0f5", versionType: "git", }, { lessThan: "ab5d3420a1120950703dbdc33698b28a6ebc3d23", status: "affected", version: "ee534378f00561207656663d93907583958339ae", versionType: "git", }, { lessThan: "b4a65d479213fe84ecb14e328271251eebe69492", status: "affected", version: "ee534378f00561207656663d93907583958339ae", versionType: "git", }, { lessThan: "6c24a03a61a245fe34d47582898331fa034b6ccd", status: "affected", version: "ee534378f00561207656663d93907583958339ae", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/dsa/dsa.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.17", }, { lessThan: "5.17", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.176", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: improve shutdown sequence\n\nAlexander Sverdlin presents 2 problems during shutdown with the\nlan9303 driver. One is specific to lan9303 and the other just happens\nto reproduce there.\n\nThe first problem is that lan9303 is unique among DSA drivers in that it\ncalls dev_get_drvdata() at \"arbitrary runtime\" (not probe, not shutdown,\nnot remove):\n\nphy_state_machine()\n-> ...\n -> dsa_user_phy_read()\n -> ds->ops->phy_read()\n -> lan9303_phy_read()\n -> chip->ops->phy_read()\n -> lan9303_mdio_phy_read()\n -> dev_get_drvdata()\n\nBut we never stop the phy_state_machine(), so it may continue to run\nafter dsa_switch_shutdown(). Our common pattern in all DSA drivers is\nto set drvdata to NULL to suppress the remove() method that may come\nafterwards. But in this case it will result in an NPD.\n\nThe second problem is that the way in which we set\ndp->conduit->dsa_ptr = NULL; is concurrent with receive packet\nprocessing. dsa_switch_rcv() checks once whether dev->dsa_ptr is NULL,\nbut afterwards, rather than continuing to use that non-NULL value,\ndev->dsa_ptr is dereferenced again and again without NULL checks:\ndsa_conduit_find_user() and many other places. In between dereferences,\nthere is no locking to ensure that what was valid once continues to be\nvalid.\n\nBoth problems have the common aspect that closing the conduit interface\nsolves them.\n\nIn the first case, dev_close(conduit) triggers the NETDEV_GOING_DOWN\nevent in dsa_user_netdevice_event() which closes user ports as well.\ndsa_port_disable_rt() calls phylink_stop(), which synchronously stops\nthe phylink state machine, and ds->ops->phy_read() will thus no longer\ncall into the driver after this point.\n\nIn the second case, dev_close(conduit) should do this, as per\nDocumentation/networking/driver.rst:\n\n| Quiescence\n| ----------\n|\n| After the ndo_stop routine has been called, the hardware must\n| not receive or transmit any data. All in flight packets must\n| be aborted. If necessary, poll or wait for completion of\n| any reset commands.\n\nSo it should be sufficient to ensure that later, when we zeroize\nconduit->dsa_ptr, there will be no concurrent dsa_switch_rcv() call\non this conduit.\n\nThe addition of the netif_device_detach() function is to ensure that\nioctls, rtnetlinks and ethtool requests on the user ports no longer\npropagate down to the driver - we're no longer prepared to handle them.\n\nThe race condition actually did not exist when commit 0650bf52b31f\n(\"net: dsa: be compatible with masters which unregister on shutdown\")\nfirst introduced dsa_switch_shutdown(). It was created later, when we\nstopped unregistering the user interfaces from a bad spot, and we just\nreplaced that sequence with a racy zeroization of conduit->dsa_ptr\n(one which doesn't ensure that the interfaces aren't up).", }, ], providerMetadata: { dateUpdated: "2025-01-09T15:35:28.672Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/87bd909a7014e32790e8c759d5b7694a95778ca5", }, { url: "https://git.kernel.org/stable/c/ab5d3420a1120950703dbdc33698b28a6ebc3d23", }, { url: "https://git.kernel.org/stable/c/b4a65d479213fe84ecb14e328271251eebe69492", }, { url: "https://git.kernel.org/stable/c/6c24a03a61a245fe34d47582898331fa034b6ccd", }, ], title: "net: dsa: improve shutdown sequence", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49998", datePublished: "2024-10-21T18:02:38.316Z", dateReserved: "2024-10-21T12:17:06.057Z", dateUpdated: "2025-01-09T15:35:28.672Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49993
Vulnerability from cvelistv5
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Show details on NVD website{ containers: { cna: { providerMetadata: { dateUpdated: "2024-11-10T09:39:42.506Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, rejectedReasons: [ { lang: "en", value: "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", }, ], }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49993", datePublished: "2024-10-21T18:02:35.075Z", dateRejected: "2024-11-10T09:39:42.506Z", dateReserved: "2024-10-21T12:17:06.054Z", dateUpdated: "2024-11-10T09:39:42.506Z", state: "REJECTED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50047
Vulnerability from cvelistv5
Published
2024-10-21 19:39
Modified
2025-02-02 10:14
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix UAF in async decryption
Doing an async decryption (large read) crashes with a
slab-use-after-free way down in the crypto API.
Reproducer:
# mount.cifs -o ...,seal,esize=1 //srv/share /mnt
# dd if=/mnt/largefile of=/dev/null
...
[ 194.196391] ==================================================================
[ 194.196844] BUG: KASAN: slab-use-after-free in gf128mul_4k_lle+0xc1/0x110
[ 194.197269] Read of size 8 at addr ffff888112bd0448 by task kworker/u77:2/899
[ 194.197707]
[ 194.197818] CPU: 12 UID: 0 PID: 899 Comm: kworker/u77:2 Not tainted 6.11.0-lku-00028-gfca3ca14a17a-dirty #43
[ 194.198400] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-3-gd478f380-prebuilt.qemu.org 04/01/2014
[ 194.199046] Workqueue: smb3decryptd smb2_decrypt_offload [cifs]
[ 194.200032] Call Trace:
[ 194.200191] <TASK>
[ 194.200327] dump_stack_lvl+0x4e/0x70
[ 194.200558] ? gf128mul_4k_lle+0xc1/0x110
[ 194.200809] print_report+0x174/0x505
[ 194.201040] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[ 194.201352] ? srso_return_thunk+0x5/0x5f
[ 194.201604] ? __virt_addr_valid+0xdf/0x1c0
[ 194.201868] ? gf128mul_4k_lle+0xc1/0x110
[ 194.202128] kasan_report+0xc8/0x150
[ 194.202361] ? gf128mul_4k_lle+0xc1/0x110
[ 194.202616] gf128mul_4k_lle+0xc1/0x110
[ 194.202863] ghash_update+0x184/0x210
[ 194.203103] shash_ahash_update+0x184/0x2a0
[ 194.203377] ? __pfx_shash_ahash_update+0x10/0x10
[ 194.203651] ? srso_return_thunk+0x5/0x5f
[ 194.203877] ? crypto_gcm_init_common+0x1ba/0x340
[ 194.204142] gcm_hash_assoc_remain_continue+0x10a/0x140
[ 194.204434] crypt_message+0xec1/0x10a0 [cifs]
[ 194.206489] ? __pfx_crypt_message+0x10/0x10 [cifs]
[ 194.208507] ? srso_return_thunk+0x5/0x5f
[ 194.209205] ? srso_return_thunk+0x5/0x5f
[ 194.209925] ? srso_return_thunk+0x5/0x5f
[ 194.210443] ? srso_return_thunk+0x5/0x5f
[ 194.211037] decrypt_raw_data+0x15f/0x250 [cifs]
[ 194.212906] ? __pfx_decrypt_raw_data+0x10/0x10 [cifs]
[ 194.214670] ? srso_return_thunk+0x5/0x5f
[ 194.215193] smb2_decrypt_offload+0x12a/0x6c0 [cifs]
This is because TFM is being used in parallel.
Fix this by allocating a new AEAD TFM for async decryption, but keep
the existing one for synchronous READ cases (similar to what is done
in smb3_calc_signature()).
Also remove the calls to aead_request_set_callback() and
crypto_wait_req() since it's always going to be a synchronous operation.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50047", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:23:59.456851Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:43.459Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/smb/client/smb2ops.c", "fs/smb/client/smb2pdu.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "bce966530fd5542bbb422cb45ecb775f7a1a6bc3", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "0809fb86ad13b29e1d6d491364fc7ea4fb545995", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "538c26d9bf70c90edc460d18c81008a4e555925a", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "b0abcd65ec545701b8793e12bc27dc98042b151a", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/smb/client/smb2ops.c", "fs/smb/client/smb2pdu.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.128", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.57", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.4", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix UAF in async decryption\n\nDoing an async decryption (large read) crashes with a\nslab-use-after-free way down in the crypto API.\n\nReproducer:\n # mount.cifs -o ...,seal,esize=1 //srv/share /mnt\n # dd if=/mnt/largefile of=/dev/null\n ...\n [ 194.196391] ==================================================================\n [ 194.196844] BUG: KASAN: slab-use-after-free in gf128mul_4k_lle+0xc1/0x110\n [ 194.197269] Read of size 8 at addr ffff888112bd0448 by task kworker/u77:2/899\n [ 194.197707]\n [ 194.197818] CPU: 12 UID: 0 PID: 899 Comm: kworker/u77:2 Not tainted 6.11.0-lku-00028-gfca3ca14a17a-dirty #43\n [ 194.198400] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-3-gd478f380-prebuilt.qemu.org 04/01/2014\n [ 194.199046] Workqueue: smb3decryptd smb2_decrypt_offload [cifs]\n [ 194.200032] Call Trace:\n [ 194.200191] <TASK>\n [ 194.200327] dump_stack_lvl+0x4e/0x70\n [ 194.200558] ? gf128mul_4k_lle+0xc1/0x110\n [ 194.200809] print_report+0x174/0x505\n [ 194.201040] ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n [ 194.201352] ? srso_return_thunk+0x5/0x5f\n [ 194.201604] ? __virt_addr_valid+0xdf/0x1c0\n [ 194.201868] ? gf128mul_4k_lle+0xc1/0x110\n [ 194.202128] kasan_report+0xc8/0x150\n [ 194.202361] ? gf128mul_4k_lle+0xc1/0x110\n [ 194.202616] gf128mul_4k_lle+0xc1/0x110\n [ 194.202863] ghash_update+0x184/0x210\n [ 194.203103] shash_ahash_update+0x184/0x2a0\n [ 194.203377] ? __pfx_shash_ahash_update+0x10/0x10\n [ 194.203651] ? srso_return_thunk+0x5/0x5f\n [ 194.203877] ? crypto_gcm_init_common+0x1ba/0x340\n [ 194.204142] gcm_hash_assoc_remain_continue+0x10a/0x140\n [ 194.204434] crypt_message+0xec1/0x10a0 [cifs]\n [ 194.206489] ? __pfx_crypt_message+0x10/0x10 [cifs]\n [ 194.208507] ? srso_return_thunk+0x5/0x5f\n [ 194.209205] ? srso_return_thunk+0x5/0x5f\n [ 194.209925] ? srso_return_thunk+0x5/0x5f\n [ 194.210443] ? srso_return_thunk+0x5/0x5f\n [ 194.211037] decrypt_raw_data+0x15f/0x250 [cifs]\n [ 194.212906] ? __pfx_decrypt_raw_data+0x10/0x10 [cifs]\n [ 194.214670] ? srso_return_thunk+0x5/0x5f\n [ 194.215193] smb2_decrypt_offload+0x12a/0x6c0 [cifs]\n\nThis is because TFM is being used in parallel.\n\nFix this by allocating a new AEAD TFM for async decryption, but keep\nthe existing one for synchronous READ cases (similar to what is done\nin smb3_calc_signature()).\n\nAlso remove the calls to aead_request_set_callback() and\ncrypto_wait_req() since it's always going to be a synchronous operation.", }, ], providerMetadata: { dateUpdated: "2025-02-02T10:14:59.834Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/bce966530fd5542bbb422cb45ecb775f7a1a6bc3", }, { url: "https://git.kernel.org/stable/c/0809fb86ad13b29e1d6d491364fc7ea4fb545995", }, { url: "https://git.kernel.org/stable/c/538c26d9bf70c90edc460d18c81008a4e555925a", }, { url: "https://git.kernel.org/stable/c/b0abcd65ec545701b8793e12bc27dc98042b151a", }, ], title: "smb: client: fix UAF in async decryption", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50047", datePublished: "2024-10-21T19:39:44.430Z", dateReserved: "2024-10-21T12:17:06.071Z", dateUpdated: "2025-02-02T10:14:59.834Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48954
Vulnerability from cvelistv5
Published
2024-10-21 20:05
Modified
2024-12-19 08:11
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
s390/qeth: fix use-after-free in hsci
KASAN found that addr was dereferenced after br2dev_event_work was freed.
==================================================================
BUG: KASAN: use-after-free in qeth_l2_br2dev_worker+0x5ba/0x6b0
Read of size 1 at addr 00000000fdcea440 by task kworker/u760:4/540
CPU: 17 PID: 540 Comm: kworker/u760:4 Tainted: G E 6.1.0-20221128.rc7.git1.5aa3bed4ce83.300.fc36.s390x+kasan #1
Hardware name: IBM 8561 T01 703 (LPAR)
Workqueue: 0.0.8000_event qeth_l2_br2dev_worker
Call Trace:
[<000000016944d4ce>] dump_stack_lvl+0xc6/0xf8
[<000000016942cd9c>] print_address_description.constprop.0+0x34/0x2a0
[<000000016942d118>] print_report+0x110/0x1f8
[<0000000167a7bd04>] kasan_report+0xfc/0x128
[<000000016938d79a>] qeth_l2_br2dev_worker+0x5ba/0x6b0
[<00000001673edd1e>] process_one_work+0x76e/0x1128
[<00000001673ee85c>] worker_thread+0x184/0x1098
[<000000016740718a>] kthread+0x26a/0x310
[<00000001672c606a>] __ret_from_fork+0x8a/0xe8
[<00000001694711da>] ret_from_fork+0xa/0x40
Allocated by task 108338:
kasan_save_stack+0x40/0x68
kasan_set_track+0x36/0x48
__kasan_kmalloc+0xa0/0xc0
qeth_l2_switchdev_event+0x25a/0x738
atomic_notifier_call_chain+0x9c/0xf8
br_switchdev_fdb_notify+0xf4/0x110
fdb_notify+0x122/0x180
fdb_add_entry.constprop.0.isra.0+0x312/0x558
br_fdb_add+0x59e/0x858
rtnl_fdb_add+0x58a/0x928
rtnetlink_rcv_msg+0x5f8/0x8d8
netlink_rcv_skb+0x1f2/0x408
netlink_unicast+0x570/0x790
netlink_sendmsg+0x752/0xbe0
sock_sendmsg+0xca/0x110
____sys_sendmsg+0x510/0x6a8
___sys_sendmsg+0x12a/0x180
__sys_sendmsg+0xe6/0x168
__do_sys_socketcall+0x3c8/0x468
do_syscall+0x22c/0x328
__do_syscall+0x94/0xf0
system_call+0x82/0xb0
Freed by task 540:
kasan_save_stack+0x40/0x68
kasan_set_track+0x36/0x48
kasan_save_free_info+0x4c/0x68
____kasan_slab_free+0x14e/0x1a8
__kasan_slab_free+0x24/0x30
__kmem_cache_free+0x168/0x338
qeth_l2_br2dev_worker+0x154/0x6b0
process_one_work+0x76e/0x1128
worker_thread+0x184/0x1098
kthread+0x26a/0x310
__ret_from_fork+0x8a/0xe8
ret_from_fork+0xa/0x40
Last potentially related work creation:
kasan_save_stack+0x40/0x68
__kasan_record_aux_stack+0xbe/0xd0
insert_work+0x56/0x2e8
__queue_work+0x4ce/0xd10
queue_work_on+0xf4/0x100
qeth_l2_switchdev_event+0x520/0x738
atomic_notifier_call_chain+0x9c/0xf8
br_switchdev_fdb_notify+0xf4/0x110
fdb_notify+0x122/0x180
fdb_add_entry.constprop.0.isra.0+0x312/0x558
br_fdb_add+0x59e/0x858
rtnl_fdb_add+0x58a/0x928
rtnetlink_rcv_msg+0x5f8/0x8d8
netlink_rcv_skb+0x1f2/0x408
netlink_unicast+0x570/0x790
netlink_sendmsg+0x752/0xbe0
sock_sendmsg+0xca/0x110
____sys_sendmsg+0x510/0x6a8
___sys_sendmsg+0x12a/0x180
__sys_sendmsg+0xe6/0x168
__do_sys_socketcall+0x3c8/0x468
do_syscall+0x22c/0x328
__do_syscall+0x94/0xf0
system_call+0x82/0xb0
Second to last potentially related work creation:
kasan_save_stack+0x40/0x68
__kasan_record_aux_stack+0xbe/0xd0
kvfree_call_rcu+0xb2/0x760
kernfs_unlink_open_file+0x348/0x430
kernfs_fop_release+0xc2/0x320
__fput+0x1ae/0x768
task_work_run+0x1bc/0x298
exit_to_user_mode_prepare+0x1a0/0x1a8
__do_syscall+0x94/0xf0
system_call+0x82/0xb0
The buggy address belongs to the object at 00000000fdcea400
which belongs to the cache kmalloc-96 of size 96
The buggy address is located 64 bytes inside of
96-byte region [00000000fdcea400, 00000000fdcea460)
The buggy address belongs to the physical page:
page:000000005a9c26e8 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xfdcea
flags: 0x3ffff00000000200(slab|node=0|zone=1|lastcpupid=0x1ffff)
raw: 3ffff00000000200 0000000000000000 0000000100000122 000000008008cc00
raw: 0000000000000000 0020004100000000 ffffffff00000001 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
00000000fdcea300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
00000000fdcea380: fb fb fb fb fb fb f
---truncated---
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48954", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:21:15.283243Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:40.195Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/s390/net/qeth_l2_main.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "db6343a5b0d9661f2dd76f653c6d274d38234d2b", status: "affected", version: "f7936b7b2663c99a096a5c432ba96ab1e91a6c0f", versionType: "git", }, { lessThan: "bde0dfc7c4569406a6ddeec363d04a1df7b3073f", status: "affected", version: "f7936b7b2663c99a096a5c432ba96ab1e91a6c0f", versionType: "git", }, { lessThan: "ebaaadc332cd21e9df4dcf9ce12552d9354bbbe4", status: "affected", version: "f7936b7b2663c99a096a5c432ba96ab1e91a6c0f", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/s390/net/qeth_l2_main.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.15", }, { lessThan: "5.15", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.83", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.13", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/qeth: fix use-after-free in hsci\n\nKASAN found that addr was dereferenced after br2dev_event_work was freed.\n\n==================================================================\nBUG: KASAN: use-after-free in qeth_l2_br2dev_worker+0x5ba/0x6b0\nRead of size 1 at addr 00000000fdcea440 by task kworker/u760:4/540\nCPU: 17 PID: 540 Comm: kworker/u760:4 Tainted: G E 6.1.0-20221128.rc7.git1.5aa3bed4ce83.300.fc36.s390x+kasan #1\nHardware name: IBM 8561 T01 703 (LPAR)\nWorkqueue: 0.0.8000_event qeth_l2_br2dev_worker\nCall Trace:\n [<000000016944d4ce>] dump_stack_lvl+0xc6/0xf8\n [<000000016942cd9c>] print_address_description.constprop.0+0x34/0x2a0\n [<000000016942d118>] print_report+0x110/0x1f8\n [<0000000167a7bd04>] kasan_report+0xfc/0x128\n [<000000016938d79a>] qeth_l2_br2dev_worker+0x5ba/0x6b0\n [<00000001673edd1e>] process_one_work+0x76e/0x1128\n [<00000001673ee85c>] worker_thread+0x184/0x1098\n [<000000016740718a>] kthread+0x26a/0x310\n [<00000001672c606a>] __ret_from_fork+0x8a/0xe8\n [<00000001694711da>] ret_from_fork+0xa/0x40\nAllocated by task 108338:\n kasan_save_stack+0x40/0x68\n kasan_set_track+0x36/0x48\n __kasan_kmalloc+0xa0/0xc0\n qeth_l2_switchdev_event+0x25a/0x738\n atomic_notifier_call_chain+0x9c/0xf8\n br_switchdev_fdb_notify+0xf4/0x110\n fdb_notify+0x122/0x180\n fdb_add_entry.constprop.0.isra.0+0x312/0x558\n br_fdb_add+0x59e/0x858\n rtnl_fdb_add+0x58a/0x928\n rtnetlink_rcv_msg+0x5f8/0x8d8\n netlink_rcv_skb+0x1f2/0x408\n netlink_unicast+0x570/0x790\n netlink_sendmsg+0x752/0xbe0\n sock_sendmsg+0xca/0x110\n ____sys_sendmsg+0x510/0x6a8\n ___sys_sendmsg+0x12a/0x180\n __sys_sendmsg+0xe6/0x168\n __do_sys_socketcall+0x3c8/0x468\n do_syscall+0x22c/0x328\n __do_syscall+0x94/0xf0\n system_call+0x82/0xb0\nFreed by task 540:\n kasan_save_stack+0x40/0x68\n kasan_set_track+0x36/0x48\n kasan_save_free_info+0x4c/0x68\n ____kasan_slab_free+0x14e/0x1a8\n __kasan_slab_free+0x24/0x30\n __kmem_cache_free+0x168/0x338\n qeth_l2_br2dev_worker+0x154/0x6b0\n process_one_work+0x76e/0x1128\n worker_thread+0x184/0x1098\n kthread+0x26a/0x310\n __ret_from_fork+0x8a/0xe8\n ret_from_fork+0xa/0x40\nLast potentially related work creation:\n kasan_save_stack+0x40/0x68\n __kasan_record_aux_stack+0xbe/0xd0\n insert_work+0x56/0x2e8\n __queue_work+0x4ce/0xd10\n queue_work_on+0xf4/0x100\n qeth_l2_switchdev_event+0x520/0x738\n atomic_notifier_call_chain+0x9c/0xf8\n br_switchdev_fdb_notify+0xf4/0x110\n fdb_notify+0x122/0x180\n fdb_add_entry.constprop.0.isra.0+0x312/0x558\n br_fdb_add+0x59e/0x858\n rtnl_fdb_add+0x58a/0x928\n rtnetlink_rcv_msg+0x5f8/0x8d8\n netlink_rcv_skb+0x1f2/0x408\n netlink_unicast+0x570/0x790\n netlink_sendmsg+0x752/0xbe0\n sock_sendmsg+0xca/0x110\n ____sys_sendmsg+0x510/0x6a8\n ___sys_sendmsg+0x12a/0x180\n __sys_sendmsg+0xe6/0x168\n __do_sys_socketcall+0x3c8/0x468\n do_syscall+0x22c/0x328\n __do_syscall+0x94/0xf0\n system_call+0x82/0xb0\nSecond to last potentially related work creation:\n kasan_save_stack+0x40/0x68\n __kasan_record_aux_stack+0xbe/0xd0\n kvfree_call_rcu+0xb2/0x760\n kernfs_unlink_open_file+0x348/0x430\n kernfs_fop_release+0xc2/0x320\n __fput+0x1ae/0x768\n task_work_run+0x1bc/0x298\n exit_to_user_mode_prepare+0x1a0/0x1a8\n __do_syscall+0x94/0xf0\n system_call+0x82/0xb0\nThe buggy address belongs to the object at 00000000fdcea400\n which belongs to the cache kmalloc-96 of size 96\nThe buggy address is located 64 bytes inside of\n 96-byte region [00000000fdcea400, 00000000fdcea460)\nThe buggy address belongs to the physical page:\npage:000000005a9c26e8 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xfdcea\nflags: 0x3ffff00000000200(slab|node=0|zone=1|lastcpupid=0x1ffff)\nraw: 3ffff00000000200 0000000000000000 0000000100000122 000000008008cc00\nraw: 0000000000000000 0020004100000000 ffffffff00000001 0000000000000000\npage dumped because: kasan: bad access detected\nMemory state around the buggy address:\n 00000000fdcea300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n 00000000fdcea380: fb fb fb fb fb fb f\n---truncated---", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:11:11.649Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/db6343a5b0d9661f2dd76f653c6d274d38234d2b", }, { url: "https://git.kernel.org/stable/c/bde0dfc7c4569406a6ddeec363d04a1df7b3073f", }, { url: "https://git.kernel.org/stable/c/ebaaadc332cd21e9df4dcf9ce12552d9354bbbe4", }, ], title: "s390/qeth: fix use-after-free in hsci", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48954", datePublished: "2024-10-21T20:05:41.057Z", dateReserved: "2024-08-22T01:27:53.627Z", dateUpdated: "2024-12-19T08:11:11.649Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49980
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-19 09:30
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
vrf: revert "vrf: Remove unnecessary RCU-bh critical section"
This reverts commit 504fc6f4f7f681d2a03aa5f68aad549d90eab853.
dev_queue_xmit_nit is expected to be called with BH disabled.
__dev_queue_xmit has the following:
/* Disable soft irqs for various locks below. Also
* stops preemption for RCU.
*/
rcu_read_lock_bh();
VRF must follow this invariant. The referenced commit removed this
protection. Which triggered a lockdep warning:
================================
WARNING: inconsistent lock state
6.11.0 #1 Tainted: G W
--------------------------------
inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage.
btserver/134819 [HC0[0]:SC0[0]:HE1:SE1] takes:
ffff8882da30c118 (rlock-AF_PACKET){+.?.}-{2:2}, at: tpacket_rcv+0x863/0x3b30
{IN-SOFTIRQ-W} state was registered at:
lock_acquire+0x19a/0x4f0
_raw_spin_lock+0x27/0x40
packet_rcv+0xa33/0x1320
__netif_receive_skb_core.constprop.0+0xcb0/0x3a90
__netif_receive_skb_list_core+0x2c9/0x890
netif_receive_skb_list_internal+0x610/0xcc0
[...]
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(rlock-AF_PACKET);
<Interrupt>
lock(rlock-AF_PACKET);
*** DEADLOCK ***
Call Trace:
<TASK>
dump_stack_lvl+0x73/0xa0
mark_lock+0x102e/0x16b0
__lock_acquire+0x9ae/0x6170
lock_acquire+0x19a/0x4f0
_raw_spin_lock+0x27/0x40
tpacket_rcv+0x863/0x3b30
dev_queue_xmit_nit+0x709/0xa40
vrf_finish_direct+0x26e/0x340 [vrf]
vrf_l3_out+0x5f4/0xe80 [vrf]
__ip_local_out+0x51e/0x7a0
[...]
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49980", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:32:37.764586Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:44.524Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/vrf.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "718a752bd746b3f4dd62516bb437baf73d548415", status: "affected", version: "504fc6f4f7f681d2a03aa5f68aad549d90eab853", versionType: "git", }, { lessThan: "8c9381b3138246d46536db93ed696832abd70204", status: "affected", version: "504fc6f4f7f681d2a03aa5f68aad549d90eab853", versionType: "git", }, { lessThan: "e61f8c4d179b2ffc0d3b7f821c3734be738643d0", status: "affected", version: "504fc6f4f7f681d2a03aa5f68aad549d90eab853", versionType: "git", }, { lessThan: "b04c4d9eb4f25b950b33218e33b04c94e7445e51", status: "affected", version: "504fc6f4f7f681d2a03aa5f68aad549d90eab853", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/vrf.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.6", }, { lessThan: "6.6", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nvrf: revert \"vrf: Remove unnecessary RCU-bh critical section\"\n\nThis reverts commit 504fc6f4f7f681d2a03aa5f68aad549d90eab853.\n\ndev_queue_xmit_nit is expected to be called with BH disabled.\n__dev_queue_xmit has the following:\n\n /* Disable soft irqs for various locks below. Also\n * stops preemption for RCU.\n */\n rcu_read_lock_bh();\n\nVRF must follow this invariant. The referenced commit removed this\nprotection. Which triggered a lockdep warning:\n\n\t================================\n\tWARNING: inconsistent lock state\n\t6.11.0 #1 Tainted: G W\n\t--------------------------------\n\tinconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage.\n\tbtserver/134819 [HC0[0]:SC0[0]:HE1:SE1] takes:\n\tffff8882da30c118 (rlock-AF_PACKET){+.?.}-{2:2}, at: tpacket_rcv+0x863/0x3b30\n\t{IN-SOFTIRQ-W} state was registered at:\n\t lock_acquire+0x19a/0x4f0\n\t _raw_spin_lock+0x27/0x40\n\t packet_rcv+0xa33/0x1320\n\t __netif_receive_skb_core.constprop.0+0xcb0/0x3a90\n\t __netif_receive_skb_list_core+0x2c9/0x890\n\t netif_receive_skb_list_internal+0x610/0xcc0\n [...]\n\n\tother info that might help us debug this:\n\t Possible unsafe locking scenario:\n\n\t CPU0\n\t ----\n\t lock(rlock-AF_PACKET);\n\t <Interrupt>\n\t lock(rlock-AF_PACKET);\n\n\t *** DEADLOCK ***\n\n\tCall Trace:\n\t <TASK>\n\t dump_stack_lvl+0x73/0xa0\n\t mark_lock+0x102e/0x16b0\n\t __lock_acquire+0x9ae/0x6170\n\t lock_acquire+0x19a/0x4f0\n\t _raw_spin_lock+0x27/0x40\n\t tpacket_rcv+0x863/0x3b30\n\t dev_queue_xmit_nit+0x709/0xa40\n\t vrf_finish_direct+0x26e/0x340 [vrf]\n\t vrf_l3_out+0x5f4/0xe80 [vrf]\n\t __ip_local_out+0x51e/0x7a0\n [...]", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:30:36.882Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/718a752bd746b3f4dd62516bb437baf73d548415", }, { url: "https://git.kernel.org/stable/c/8c9381b3138246d46536db93ed696832abd70204", }, { url: "https://git.kernel.org/stable/c/e61f8c4d179b2ffc0d3b7f821c3734be738643d0", }, { url: "https://git.kernel.org/stable/c/b04c4d9eb4f25b950b33218e33b04c94e7445e51", }, ], title: "vrf: revert \"vrf: Remove unnecessary RCU-bh critical section\"", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49980", datePublished: "2024-10-21T18:02:26.494Z", dateReserved: "2024-10-21T12:17:06.052Z", dateUpdated: "2024-12-19T09:30:36.882Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49936
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2025-02-02 10:14
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/xen-netback: prevent UAF in xenvif_flush_hash()
During the list_for_each_entry_rcu iteration call of xenvif_flush_hash,
kfree_rcu does not exist inside the rcu read critical section, so if
kfree_rcu is called when the rcu grace period ends during the iteration,
UAF occurs when accessing head->next after the entry becomes free.
Therefore, to solve this, you need to change it to list_for_each_entry_safe.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49936", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:38:23.774447Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:51.250Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/xen-netback/hash.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "3c4423b0c4b98213b3438e15061e1d08220e6982", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "a7f0073fcd12ed7de185ef2c0af9d0fa1ddef22c", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "a0465723b8581cad27164c9073fd780904cd22d4", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "efcff6ce7467f01f0753609f420333f3f2ceceda", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "143edf098b80669d05245b2f2367dd156a83a2c5", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "d408889d4b54f5501e4becc4dbbb9065143fbf4e", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "54d8639af5568fc41c0e274fc3ec9cf86c59fcbb", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "0fa5e94a1811d68fbffa0725efe6d4ca62c03d12", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/xen-netback/hash.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.290", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/xen-netback: prevent UAF in xenvif_flush_hash()\n\nDuring the list_for_each_entry_rcu iteration call of xenvif_flush_hash,\nkfree_rcu does not exist inside the rcu read critical section, so if\nkfree_rcu is called when the rcu grace period ends during the iteration,\nUAF occurs when accessing head->next after the entry becomes free.\n\nTherefore, to solve this, you need to change it to list_for_each_entry_safe.", }, ], providerMetadata: { dateUpdated: "2025-02-02T10:14:52.568Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/3c4423b0c4b98213b3438e15061e1d08220e6982", }, { url: "https://git.kernel.org/stable/c/a7f0073fcd12ed7de185ef2c0af9d0fa1ddef22c", }, { url: "https://git.kernel.org/stable/c/a0465723b8581cad27164c9073fd780904cd22d4", }, { url: "https://git.kernel.org/stable/c/efcff6ce7467f01f0753609f420333f3f2ceceda", }, { url: "https://git.kernel.org/stable/c/143edf098b80669d05245b2f2367dd156a83a2c5", }, { url: "https://git.kernel.org/stable/c/d408889d4b54f5501e4becc4dbbb9065143fbf4e", }, { url: "https://git.kernel.org/stable/c/54d8639af5568fc41c0e274fc3ec9cf86c59fcbb", }, { url: "https://git.kernel.org/stable/c/0fa5e94a1811d68fbffa0725efe6d4ca62c03d12", }, ], title: "net/xen-netback: prevent UAF in xenvif_flush_hash()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49936", datePublished: "2024-10-21T18:01:57.066Z", dateReserved: "2024-10-21T12:17:06.042Z", dateUpdated: "2025-02-02T10:14:52.568Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47721
Vulnerability from cvelistv5
Published
2024-10-21 11:53
Modified
2024-12-19 09:26
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtw89: remove unused C2H event ID RTW89_MAC_C2H_FUNC_READ_WOW_CAM to prevent out-of-bounds reading
The handler of firmware C2H event RTW89_MAC_C2H_FUNC_READ_WOW_CAM isn't
implemented, but driver expects number of handlers is
NUM_OF_RTW89_MAC_C2H_FUNC_WOW causing out-of-bounds access. Fix it by
removing ID.
Addresses-Coverity-ID: 1598775 ("Out-of-bounds read")
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47721", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:02:00.306477Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:17.474Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/wireless/realtek/rtw89/mac.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "10463308b9454f534d03300cf679bc4b3d078f46", status: "affected", version: "ff53fce5c78ba27ec7eb0baff7ef9648fde7ad8e", versionType: "git", }, { lessThan: "2c9c2d1a20916589497a7facbea3e82cabec4ab8", status: "affected", version: "ff53fce5c78ba27ec7eb0baff7ef9648fde7ad8e", versionType: "git", }, { lessThan: "56310ddb50b190b3390fdc974aec455d0a516bd2", status: "affected", version: "ff53fce5c78ba27ec7eb0baff7ef9648fde7ad8e", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/wireless/realtek/rtw89/mac.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.10", }, { lessThan: "6.10", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: remove unused C2H event ID RTW89_MAC_C2H_FUNC_READ_WOW_CAM to prevent out-of-bounds reading\n\nThe handler of firmware C2H event RTW89_MAC_C2H_FUNC_READ_WOW_CAM isn't\nimplemented, but driver expects number of handlers is\nNUM_OF_RTW89_MAC_C2H_FUNC_WOW causing out-of-bounds access. Fix it by\nremoving ID.\n\nAddresses-Coverity-ID: 1598775 (\"Out-of-bounds read\")", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:26:48.028Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/10463308b9454f534d03300cf679bc4b3d078f46", }, { url: "https://git.kernel.org/stable/c/2c9c2d1a20916589497a7facbea3e82cabec4ab8", }, { url: "https://git.kernel.org/stable/c/56310ddb50b190b3390fdc974aec455d0a516bd2", }, ], title: "wifi: rtw89: remove unused C2H event ID RTW89_MAC_C2H_FUNC_READ_WOW_CAM to prevent out-of-bounds reading", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47721", datePublished: "2024-10-21T11:53:50.861Z", dateReserved: "2024-09-30T16:00:12.950Z", dateUpdated: "2024-12-19T09:26:48.028Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49859
Vulnerability from cvelistv5
Published
2024-10-21 12:27
Modified
2024-12-19 09:27
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to check atomic_file in f2fs ioctl interfaces
Some f2fs ioctl interfaces like f2fs_ioc_set_pin_file(),
f2fs_move_file_range(), and f2fs_defragment_range() missed to
check atomic_write status, which may cause potential race issue,
fix it.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49859", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T12:55:54.448840Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:10.668Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/f2fs/file.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "26b07bd2e1f124b0e430c8d250023f7205c549c3", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "7cb51731f24b216b0b87942f519f2c67a17107ee", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "10569b682ebe9c75ef06ddd322ae844e9be6374b", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "d6f08c88047accc6127dddb6798a3ff11321539d", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "bfe5c02654261bfb8bd9cb174a67f3279ea99e58", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/f2fs/file.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to check atomic_file in f2fs ioctl interfaces\n\nSome f2fs ioctl interfaces like f2fs_ioc_set_pin_file(),\nf2fs_move_file_range(), and f2fs_defragment_range() missed to\ncheck atomic_write status, which may cause potential race issue,\nfix it.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:27:43.282Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/26b07bd2e1f124b0e430c8d250023f7205c549c3", }, { url: "https://git.kernel.org/stable/c/7cb51731f24b216b0b87942f519f2c67a17107ee", }, { url: "https://git.kernel.org/stable/c/10569b682ebe9c75ef06ddd322ae844e9be6374b", }, { url: "https://git.kernel.org/stable/c/d6f08c88047accc6127dddb6798a3ff11321539d", }, { url: "https://git.kernel.org/stable/c/bfe5c02654261bfb8bd9cb174a67f3279ea99e58", }, ], title: "f2fs: fix to check atomic_file in f2fs ioctl interfaces", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49859", datePublished: "2024-10-21T12:27:17.968Z", dateReserved: "2024-10-21T12:17:06.017Z", dateUpdated: "2024-12-19T09:27:43.282Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49887
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:28
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to don't panic system for no free segment fault injection
f2fs: fix to don't panic system for no free segment fault injection
syzbot reports a f2fs bug as below:
F2FS-fs (loop0): inject no free segment in get_new_segment of __allocate_new_segment+0x1ce/0x940 fs/f2fs/segment.c:3167
F2FS-fs (loop0): Stopped filesystem due to reason: 7
------------[ cut here ]------------
kernel BUG at fs/f2fs/segment.c:2748!
CPU: 0 UID: 0 PID: 5109 Comm: syz-executor304 Not tainted 6.11.0-rc6-syzkaller-00363-g89f5e14d05b4 #0
RIP: 0010:get_new_segment fs/f2fs/segment.c:2748 [inline]
RIP: 0010:new_curseg+0x1f61/0x1f70 fs/f2fs/segment.c:2836
Call Trace:
__allocate_new_segment+0x1ce/0x940 fs/f2fs/segment.c:3167
f2fs_allocate_new_section fs/f2fs/segment.c:3181 [inline]
f2fs_allocate_pinning_section+0xfa/0x4e0 fs/f2fs/segment.c:3195
f2fs_expand_inode_data+0x5d6/0xbb0 fs/f2fs/file.c:1799
f2fs_fallocate+0x448/0x960 fs/f2fs/file.c:1903
vfs_fallocate+0x553/0x6c0 fs/open.c:334
do_vfs_ioctl+0x2592/0x2e50 fs/ioctl.c:886
__do_sys_ioctl fs/ioctl.c:905 [inline]
__se_sys_ioctl+0x81/0x170 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0010:get_new_segment fs/f2fs/segment.c:2748 [inline]
RIP: 0010:new_curseg+0x1f61/0x1f70 fs/f2fs/segment.c:2836
The root cause is when we inject no free segment fault into f2fs,
we should not panic system, fix it.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49887", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:44:52.124172Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:49.668Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/f2fs/segment.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "9f6e7a0512a57387d36f5e9e9635d6668cac13dd", status: "affected", version: "8b10d3653735e117bc1954ade80d75ad7b46b801", versionType: "git", }, { lessThan: "645ec43760e86d3079fee2e8b51fde7060a540d0", status: "affected", version: "8b10d3653735e117bc1954ade80d75ad7b46b801", versionType: "git", }, { lessThan: "65a6ce4726c27b45600303f06496fef46d00b57f", status: "affected", version: "8b10d3653735e117bc1954ade80d75ad7b46b801", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/f2fs/segment.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.9", }, { lessThan: "6.9", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to don't panic system for no free segment fault injection\n\nf2fs: fix to don't panic system for no free segment fault injection\n\nsyzbot reports a f2fs bug as below:\n\nF2FS-fs (loop0): inject no free segment in get_new_segment of __allocate_new_segment+0x1ce/0x940 fs/f2fs/segment.c:3167\nF2FS-fs (loop0): Stopped filesystem due to reason: 7\n------------[ cut here ]------------\nkernel BUG at fs/f2fs/segment.c:2748!\nCPU: 0 UID: 0 PID: 5109 Comm: syz-executor304 Not tainted 6.11.0-rc6-syzkaller-00363-g89f5e14d05b4 #0\nRIP: 0010:get_new_segment fs/f2fs/segment.c:2748 [inline]\nRIP: 0010:new_curseg+0x1f61/0x1f70 fs/f2fs/segment.c:2836\nCall Trace:\n __allocate_new_segment+0x1ce/0x940 fs/f2fs/segment.c:3167\n f2fs_allocate_new_section fs/f2fs/segment.c:3181 [inline]\n f2fs_allocate_pinning_section+0xfa/0x4e0 fs/f2fs/segment.c:3195\n f2fs_expand_inode_data+0x5d6/0xbb0 fs/f2fs/file.c:1799\n f2fs_fallocate+0x448/0x960 fs/f2fs/file.c:1903\n vfs_fallocate+0x553/0x6c0 fs/open.c:334\n do_vfs_ioctl+0x2592/0x2e50 fs/ioctl.c:886\n __do_sys_ioctl fs/ioctl.c:905 [inline]\n __se_sys_ioctl+0x81/0x170 fs/ioctl.c:893\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0010:get_new_segment fs/f2fs/segment.c:2748 [inline]\nRIP: 0010:new_curseg+0x1f61/0x1f70 fs/f2fs/segment.c:2836\n\nThe root cause is when we inject no free segment fault into f2fs,\nwe should not panic system, fix it.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:28:23.785Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/9f6e7a0512a57387d36f5e9e9635d6668cac13dd", }, { url: "https://git.kernel.org/stable/c/645ec43760e86d3079fee2e8b51fde7060a540d0", }, { url: "https://git.kernel.org/stable/c/65a6ce4726c27b45600303f06496fef46d00b57f", }, ], title: "f2fs: fix to don't panic system for no free segment fault injection", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49887", datePublished: "2024-10-21T18:01:23.561Z", dateReserved: "2024-10-21T12:17:06.022Z", dateUpdated: "2024-12-19T09:28:23.785Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48967
Vulnerability from cvelistv5
Published
2024-10-21 20:05
Modified
2024-12-19 08:11
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFC: nci: Bounds check struct nfc_target arrays
While running under CONFIG_FORTIFY_SOURCE=y, syzkaller reported:
memcpy: detected field-spanning write (size 129) of single field "target->sensf_res" at net/nfc/nci/ntf.c:260 (size 18)
This appears to be a legitimate lack of bounds checking in
nci_add_new_protocol(). Add the missing checks.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 019c4fbaa790e2b3f11dab0c8b7d9896d77db3e5 Version: 019c4fbaa790e2b3f11dab0c8b7d9896d77db3e5 Version: 019c4fbaa790e2b3f11dab0c8b7d9896d77db3e5 Version: 019c4fbaa790e2b3f11dab0c8b7d9896d77db3e5 Version: 019c4fbaa790e2b3f11dab0c8b7d9896d77db3e5 Version: 019c4fbaa790e2b3f11dab0c8b7d9896d77db3e5 Version: 019c4fbaa790e2b3f11dab0c8b7d9896d77db3e5 Version: 019c4fbaa790e2b3f11dab0c8b7d9896d77db3e5 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48967", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:19:37.596608Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:38.363Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/nfc/nci/ntf.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "6b37f0dc0638d13a006f2f24d2f6ca61e83bc714", status: "affected", version: "019c4fbaa790e2b3f11dab0c8b7d9896d77db3e5", versionType: "git", }, { lessThan: "dbdcfb9f6748218a149f62468d6297ce3f014e9c", status: "affected", version: "019c4fbaa790e2b3f11dab0c8b7d9896d77db3e5", versionType: "git", }, { lessThan: "cff35329070b96b4484d23f9f48a5ca2c947e750", status: "affected", version: "019c4fbaa790e2b3f11dab0c8b7d9896d77db3e5", versionType: "git", }, { lessThan: "6778434706940b8fad7ef35f410d2b9929f256d2", status: "affected", version: "019c4fbaa790e2b3f11dab0c8b7d9896d77db3e5", versionType: "git", }, { lessThan: "27eb2d7a1b9987b6d0429b7716b1ff3b82c4ffc9", status: "affected", version: "019c4fbaa790e2b3f11dab0c8b7d9896d77db3e5", versionType: "git", }, { lessThan: "908b2da426fe9c3ce74cf541ba40e7a4251db191", status: "affected", version: "019c4fbaa790e2b3f11dab0c8b7d9896d77db3e5", versionType: "git", }, { lessThan: "f41547546db9af99da2c34e3368664d7a79cefae", status: "affected", version: "019c4fbaa790e2b3f11dab0c8b7d9896d77db3e5", versionType: "git", }, { lessThan: "e329e71013c9b5a4535b099208493c7826ee4a64", status: "affected", version: "019c4fbaa790e2b3f11dab0c8b7d9896d77db3e5", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/nfc/nci/ntf.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "3.4", }, { lessThan: "3.4", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.9.*", status: "unaffected", version: "4.9.336", versionType: "semver", }, { lessThanOrEqual: "4.14.*", status: "unaffected", version: "4.14.302", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.269", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.227", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.159", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.83", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.13", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nNFC: nci: Bounds check struct nfc_target arrays\n\nWhile running under CONFIG_FORTIFY_SOURCE=y, syzkaller reported:\n\n memcpy: detected field-spanning write (size 129) of single field \"target->sensf_res\" at net/nfc/nci/ntf.c:260 (size 18)\n\nThis appears to be a legitimate lack of bounds checking in\nnci_add_new_protocol(). Add the missing checks.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:11:32.523Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/6b37f0dc0638d13a006f2f24d2f6ca61e83bc714", }, { url: "https://git.kernel.org/stable/c/dbdcfb9f6748218a149f62468d6297ce3f014e9c", }, { url: "https://git.kernel.org/stable/c/cff35329070b96b4484d23f9f48a5ca2c947e750", }, { url: "https://git.kernel.org/stable/c/6778434706940b8fad7ef35f410d2b9929f256d2", }, { url: "https://git.kernel.org/stable/c/27eb2d7a1b9987b6d0429b7716b1ff3b82c4ffc9", }, { url: "https://git.kernel.org/stable/c/908b2da426fe9c3ce74cf541ba40e7a4251db191", }, { url: "https://git.kernel.org/stable/c/f41547546db9af99da2c34e3368664d7a79cefae", }, { url: "https://git.kernel.org/stable/c/e329e71013c9b5a4535b099208493c7826ee4a64", }, ], title: "NFC: nci: Bounds check struct nfc_target arrays", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48967", datePublished: "2024-10-21T20:05:49.740Z", dateReserved: "2024-08-22T01:27:53.628Z", dateUpdated: "2024-12-19T08:11:32.523Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49949
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-19 09:29
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: avoid potential underflow in qdisc_pkt_len_init() with UFO
After commit 7c6d2ecbda83 ("net: be more gentle about silly gso
requests coming from user") virtio_net_hdr_to_skb() had sanity check
to detect malicious attempts from user space to cook a bad GSO packet.
Then commit cf9acc90c80ec ("net: virtio_net_hdr_to_skb: count
transport header in UFO") while fixing one issue, allowed user space
to cook a GSO packet with the following characteristic :
IPv4 SKB_GSO_UDP, gso_size=3, skb->len = 28.
When this packet arrives in qdisc_pkt_len_init(), we end up
with hdr_len = 28 (IPv4 header + UDP header), matching skb->len
Then the following sets gso_segs to 0 :
gso_segs = DIV_ROUND_UP(skb->len - hdr_len,
shinfo->gso_size);
Then later we set qdisc_skb_cb(skb)->pkt_len to back to zero :/
qdisc_skb_cb(skb)->pkt_len += (gso_segs - 1) * hdr_len;
This leads to the following crash in fq_codel [1]
qdisc_pkt_len_init() is best effort, we only want an estimation
of the bytes sent on the wire, not crashing the kernel.
This patch is fixing this particular issue, a following one
adds more sanity checks for another potential bug.
[1]
[ 70.724101] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 70.724561] #PF: supervisor read access in kernel mode
[ 70.724561] #PF: error_code(0x0000) - not-present page
[ 70.724561] PGD 10ac61067 P4D 10ac61067 PUD 107ee2067 PMD 0
[ 70.724561] Oops: Oops: 0000 [#1] SMP NOPTI
[ 70.724561] CPU: 11 UID: 0 PID: 2163 Comm: b358537762 Not tainted 6.11.0-virtme #991
[ 70.724561] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 70.724561] RIP: 0010:fq_codel_enqueue (net/sched/sch_fq_codel.c:120 net/sched/sch_fq_codel.c:168 net/sched/sch_fq_codel.c:230) sch_fq_codel
[ 70.724561] Code: 24 08 49 c1 e1 06 44 89 7c 24 18 45 31 ed 45 31 c0 31 ff 89 44 24 14 4c 03 8b 90 01 00 00 eb 04 39 ca 73 37 4d 8b 39 83 c7 01 <49> 8b 17 49 89 11 41 8b 57 28 45 8b 5f 34 49 c7 07 00 00 00 00 49
All code
========
0: 24 08 and $0x8,%al
2: 49 c1 e1 06 shl $0x6,%r9
6: 44 89 7c 24 18 mov %r15d,0x18(%rsp)
b: 45 31 ed xor %r13d,%r13d
e: 45 31 c0 xor %r8d,%r8d
11: 31 ff xor %edi,%edi
13: 89 44 24 14 mov %eax,0x14(%rsp)
17: 4c 03 8b 90 01 00 00 add 0x190(%rbx),%r9
1e: eb 04 jmp 0x24
20: 39 ca cmp %ecx,%edx
22: 73 37 jae 0x5b
24: 4d 8b 39 mov (%r9),%r15
27: 83 c7 01 add $0x1,%edi
2a:* 49 8b 17 mov (%r15),%rdx <-- trapping instruction
2d: 49 89 11 mov %rdx,(%r9)
30: 41 8b 57 28 mov 0x28(%r15),%edx
34: 45 8b 5f 34 mov 0x34(%r15),%r11d
38: 49 c7 07 00 00 00 00 movq $0x0,(%r15)
3f: 49 rex.WB
Code starting with the faulting instruction
===========================================
0: 49 8b 17 mov (%r15),%rdx
3: 49 89 11 mov %rdx,(%r9)
6: 41 8b 57 28 mov 0x28(%r15),%edx
a: 45 8b 5f 34 mov 0x34(%r15),%r11d
e: 49 c7 07 00 00 00 00 movq $0x0,(%r15)
15: 49 rex.WB
[ 70.724561] RSP: 0018:ffff95ae85e6fb90 EFLAGS: 00000202
[ 70.724561] RAX: 0000000002000000 RBX: ffff95ae841de000 RCX: 0000000000000000
[ 70.724561] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001
[ 70.724561] RBP: ffff95ae85e6fbf8 R08: 0000000000000000 R09: ffff95b710a30000
[ 70.724561] R10: 0000000000000000 R11: bdf289445ce31881 R12: ffff95ae85e6fc58
[ 70.724561] R13: 0000000000000000 R14: 0000000000000040 R15: 0000000000000000
[ 70.724561] FS: 000000002c5c1380(0000) GS:ffff95bd7fcc0000(0000) knlGS:0000000000000000
[ 70.724561] CS: 0010 DS: 0000 ES: 0000 C
---truncated---
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 960b360ca7463921c1a6b72e7066a706d6406223 Version: fb2dbc124a7f800cd0e4f901a1bbb769a017104c Version: 8e6bae950da9dc2d2c6c18b1c6b206dc00dc8772 Version: 0f810d06b507aa40fef8d1ac0a88e6d0590dbfc3 Version: cf9acc90c80ecbee00334aa85d92f4e74014bcff Version: cf9acc90c80ecbee00334aa85d92f4e74014bcff Version: cf9acc90c80ecbee00334aa85d92f4e74014bcff Version: cf9acc90c80ecbee00334aa85d92f4e74014bcff Version: cf9acc90c80ecbee00334aa85d92f4e74014bcff |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49949", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:36:39.259120Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:49.361Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/core/dev.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "d70ca7598943572d5e384227bd268acb5109bf72", status: "affected", version: "960b360ca7463921c1a6b72e7066a706d6406223", versionType: "git", }, { lessThan: "1598d70ad9c7d0a4d9d54b82094e9f45908fda6d", status: "affected", version: "fb2dbc124a7f800cd0e4f901a1bbb769a017104c", versionType: "git", }, { lessThan: "ba26060a29d3ca1bfc737aa79f7125128f35147c", status: "affected", version: "8e6bae950da9dc2d2c6c18b1c6b206dc00dc8772", versionType: "git", }, { lessThan: "939c88cbdc668dadd8cfa7a35d9066331239041c", status: "affected", version: "0f810d06b507aa40fef8d1ac0a88e6d0590dbfc3", versionType: "git", }, { lessThan: "d6114993e0a89fde84a60a60a8329a571580b174", status: "affected", version: "cf9acc90c80ecbee00334aa85d92f4e74014bcff", versionType: "git", }, { lessThan: "25ab0b87dbd89cecef8a9c60a02bb97832e471d1", status: "affected", version: "cf9acc90c80ecbee00334aa85d92f4e74014bcff", versionType: "git", }, { lessThan: "f959cce8a2a04ce776aa8b78e83ce339e0d7fbac", status: "affected", version: "cf9acc90c80ecbee00334aa85d92f4e74014bcff", versionType: "git", }, { lessThan: "81fd007dcd47c34471766249853e4d4bce8eea4b", status: "affected", version: "cf9acc90c80ecbee00334aa85d92f4e74014bcff", versionType: "git", }, { lessThan: "c20029db28399ecc50e556964eaba75c43b1e2f1", status: "affected", version: "cf9acc90c80ecbee00334aa85d92f4e74014bcff", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/core/dev.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.16", }, { lessThan: "5.16", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: avoid potential underflow in qdisc_pkt_len_init() with UFO\n\nAfter commit 7c6d2ecbda83 (\"net: be more gentle about silly gso\nrequests coming from user\") virtio_net_hdr_to_skb() had sanity check\nto detect malicious attempts from user space to cook a bad GSO packet.\n\nThen commit cf9acc90c80ec (\"net: virtio_net_hdr_to_skb: count\ntransport header in UFO\") while fixing one issue, allowed user space\nto cook a GSO packet with the following characteristic :\n\nIPv4 SKB_GSO_UDP, gso_size=3, skb->len = 28.\n\nWhen this packet arrives in qdisc_pkt_len_init(), we end up\nwith hdr_len = 28 (IPv4 header + UDP header), matching skb->len\n\nThen the following sets gso_segs to 0 :\n\ngso_segs = DIV_ROUND_UP(skb->len - hdr_len,\n shinfo->gso_size);\n\nThen later we set qdisc_skb_cb(skb)->pkt_len to back to zero :/\n\nqdisc_skb_cb(skb)->pkt_len += (gso_segs - 1) * hdr_len;\n\nThis leads to the following crash in fq_codel [1]\n\nqdisc_pkt_len_init() is best effort, we only want an estimation\nof the bytes sent on the wire, not crashing the kernel.\n\nThis patch is fixing this particular issue, a following one\nadds more sanity checks for another potential bug.\n\n[1]\n[ 70.724101] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[ 70.724561] #PF: supervisor read access in kernel mode\n[ 70.724561] #PF: error_code(0x0000) - not-present page\n[ 70.724561] PGD 10ac61067 P4D 10ac61067 PUD 107ee2067 PMD 0\n[ 70.724561] Oops: Oops: 0000 [#1] SMP NOPTI\n[ 70.724561] CPU: 11 UID: 0 PID: 2163 Comm: b358537762 Not tainted 6.11.0-virtme #991\n[ 70.724561] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[ 70.724561] RIP: 0010:fq_codel_enqueue (net/sched/sch_fq_codel.c:120 net/sched/sch_fq_codel.c:168 net/sched/sch_fq_codel.c:230) sch_fq_codel\n[ 70.724561] Code: 24 08 49 c1 e1 06 44 89 7c 24 18 45 31 ed 45 31 c0 31 ff 89 44 24 14 4c 03 8b 90 01 00 00 eb 04 39 ca 73 37 4d 8b 39 83 c7 01 <49> 8b 17 49 89 11 41 8b 57 28 45 8b 5f 34 49 c7 07 00 00 00 00 49\nAll code\n========\n 0:\t24 08 \tand $0x8,%al\n 2:\t49 c1 e1 06 \tshl $0x6,%r9\n 6:\t44 89 7c 24 18 \tmov %r15d,0x18(%rsp)\n b:\t45 31 ed \txor %r13d,%r13d\n e:\t45 31 c0 \txor %r8d,%r8d\n 11:\t31 ff \txor %edi,%edi\n 13:\t89 44 24 14 \tmov %eax,0x14(%rsp)\n 17:\t4c 03 8b 90 01 00 00 \tadd 0x190(%rbx),%r9\n 1e:\teb 04 \tjmp 0x24\n 20:\t39 ca \tcmp %ecx,%edx\n 22:\t73 37 \tjae 0x5b\n 24:\t4d 8b 39 \tmov (%r9),%r15\n 27:\t83 c7 01 \tadd $0x1,%edi\n 2a:*\t49 8b 17 \tmov (%r15),%rdx\t\t<-- trapping instruction\n 2d:\t49 89 11 \tmov %rdx,(%r9)\n 30:\t41 8b 57 28 \tmov 0x28(%r15),%edx\n 34:\t45 8b 5f 34 \tmov 0x34(%r15),%r11d\n 38:\t49 c7 07 00 00 00 00 \tmovq $0x0,(%r15)\n 3f:\t49 \trex.WB\n\nCode starting with the faulting instruction\n===========================================\n 0:\t49 8b 17 \tmov (%r15),%rdx\n 3:\t49 89 11 \tmov %rdx,(%r9)\n 6:\t41 8b 57 28 \tmov 0x28(%r15),%edx\n a:\t45 8b 5f 34 \tmov 0x34(%r15),%r11d\n e:\t49 c7 07 00 00 00 00 \tmovq $0x0,(%r15)\n 15:\t49 \trex.WB\n[ 70.724561] RSP: 0018:ffff95ae85e6fb90 EFLAGS: 00000202\n[ 70.724561] RAX: 0000000002000000 RBX: ffff95ae841de000 RCX: 0000000000000000\n[ 70.724561] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001\n[ 70.724561] RBP: ffff95ae85e6fbf8 R08: 0000000000000000 R09: ffff95b710a30000\n[ 70.724561] R10: 0000000000000000 R11: bdf289445ce31881 R12: ffff95ae85e6fc58\n[ 70.724561] R13: 0000000000000000 R14: 0000000000000040 R15: 0000000000000000\n[ 70.724561] FS: 000000002c5c1380(0000) GS:ffff95bd7fcc0000(0000) knlGS:0000000000000000\n[ 70.724561] CS: 0010 DS: 0000 ES: 0000 C\n---truncated---", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:29:56.887Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/d70ca7598943572d5e384227bd268acb5109bf72", }, { url: "https://git.kernel.org/stable/c/1598d70ad9c7d0a4d9d54b82094e9f45908fda6d", }, { url: "https://git.kernel.org/stable/c/ba26060a29d3ca1bfc737aa79f7125128f35147c", }, { url: "https://git.kernel.org/stable/c/939c88cbdc668dadd8cfa7a35d9066331239041c", }, { url: "https://git.kernel.org/stable/c/d6114993e0a89fde84a60a60a8329a571580b174", }, { url: "https://git.kernel.org/stable/c/25ab0b87dbd89cecef8a9c60a02bb97832e471d1", }, { url: "https://git.kernel.org/stable/c/f959cce8a2a04ce776aa8b78e83ce339e0d7fbac", }, { url: "https://git.kernel.org/stable/c/81fd007dcd47c34471766249853e4d4bce8eea4b", }, { url: "https://git.kernel.org/stable/c/c20029db28399ecc50e556964eaba75c43b1e2f1", }, ], title: "net: avoid potential underflow in qdisc_pkt_len_init() with UFO", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49949", datePublished: "2024-10-21T18:02:05.756Z", dateReserved: "2024-10-21T12:17:06.046Z", dateUpdated: "2024-12-19T09:29:56.887Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48994
Vulnerability from cvelistv5
Published
2024-10-21 20:06
Modified
2024-12-19 08:12
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: seq: Fix function prototype mismatch in snd_seq_expand_var_event
With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),
indirect call targets are validated against the expected function
pointer prototype to make sure the call target is valid to help mitigate
ROP attacks. If they are not identical, there is a failure at run time,
which manifests as either a kernel panic or thread getting killed.
seq_copy_in_user() and seq_copy_in_kernel() did not have prototypes
matching snd_seq_dump_func_t. Adjust this and remove the casts. There
are not resulting binary output differences.
This was found as a result of Clang's new -Wcast-function-type-strict
flag, which is more sensitive than the simpler -Wcast-function-type,
which only checks for type width mismatches.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48994", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:16:04.929869Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:41.685Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "sound/core/seq/seq_memory.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "b38486e82ecb9f3046e0184205f6b61408fc40c9", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "e385360705a0b346bdb57ce938249175d0613b8a", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "2f46e95bf344abc4e74f8158901d32a869e0adb6", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "63badfed200219ca656968725f1a43df293ac936", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "15c42ab8d43acb73e2eba361ad05822c0af0ecfa", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "fccd454129f6a0739651f7f58307cdb631fd6e89", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "13ee8fb5410b740c8dd2867d3557c7662f7dda2d", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "05530ef7cf7c7d700f6753f058999b1b5099a026", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "sound/core/seq/seq_memory.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "4.9.*", status: "unaffected", version: "4.9.336", versionType: "semver", }, { lessThanOrEqual: "4.14.*", status: "unaffected", version: "4.14.302", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.269", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.227", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.159", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.83", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.13", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: seq: Fix function prototype mismatch in snd_seq_expand_var_event\n\nWith clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),\nindirect call targets are validated against the expected function\npointer prototype to make sure the call target is valid to help mitigate\nROP attacks. If they are not identical, there is a failure at run time,\nwhich manifests as either a kernel panic or thread getting killed.\n\nseq_copy_in_user() and seq_copy_in_kernel() did not have prototypes\nmatching snd_seq_dump_func_t. Adjust this and remove the casts. There\nare not resulting binary output differences.\n\nThis was found as a result of Clang's new -Wcast-function-type-strict\nflag, which is more sensitive than the simpler -Wcast-function-type,\nwhich only checks for type width mismatches.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:12:04.882Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/b38486e82ecb9f3046e0184205f6b61408fc40c9", }, { url: "https://git.kernel.org/stable/c/e385360705a0b346bdb57ce938249175d0613b8a", }, { url: "https://git.kernel.org/stable/c/2f46e95bf344abc4e74f8158901d32a869e0adb6", }, { url: "https://git.kernel.org/stable/c/63badfed200219ca656968725f1a43df293ac936", }, { url: "https://git.kernel.org/stable/c/15c42ab8d43acb73e2eba361ad05822c0af0ecfa", }, { url: "https://git.kernel.org/stable/c/fccd454129f6a0739651f7f58307cdb631fd6e89", }, { url: "https://git.kernel.org/stable/c/13ee8fb5410b740c8dd2867d3557c7662f7dda2d", }, { url: "https://git.kernel.org/stable/c/05530ef7cf7c7d700f6753f058999b1b5099a026", }, ], title: "ALSA: seq: Fix function prototype mismatch in snd_seq_expand_var_event", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48994", datePublished: "2024-10-21T20:06:10.814Z", dateReserved: "2024-08-22T01:27:53.637Z", dateUpdated: "2024-12-19T08:12:04.882Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49877
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:28
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ocfs2: fix possible null-ptr-deref in ocfs2_set_buffer_uptodate
When doing cleanup, if flags without OCFS2_BH_READAHEAD, it may trigger
NULL pointer dereference in the following ocfs2_set_buffer_uptodate() if
bh is NULL.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 6c150df9c2e80b5cf86f5a0d98beb7390ad63bfc Version: cf76c78595ca87548ca5e45c862ac9e0949c4687 Version: cf76c78595ca87548ca5e45c862ac9e0949c4687 Version: cf76c78595ca87548ca5e45c862ac9e0949c4687 Version: cf76c78595ca87548ca5e45c862ac9e0949c4687 Version: cf76c78595ca87548ca5e45c862ac9e0949c4687 Version: cf76c78595ca87548ca5e45c862ac9e0949c4687 Version: cf76c78595ca87548ca5e45c862ac9e0949c4687 Version: cf76c78595ca87548ca5e45c862ac9e0949c4687 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49877", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:46:09.612488Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:51.090Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/ocfs2/buffer_head_io.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "190d98bcd61117a78fe185222d162180f061a6ca", status: "affected", version: "6c150df9c2e80b5cf86f5a0d98beb7390ad63bfc", versionType: "git", }, { lessThan: "e68c8323355e8cedfbe0bec7d5a39009f61640b6", status: "affected", version: "cf76c78595ca87548ca5e45c862ac9e0949c4687", versionType: "git", }, { lessThan: "61b84013e560382cbe7dd56758be3154d43a3988", status: "affected", version: "cf76c78595ca87548ca5e45c862ac9e0949c4687", versionType: "git", }, { lessThan: "df944dc46d06af65a75191183d52be017e6b9dbe", status: "affected", version: "cf76c78595ca87548ca5e45c862ac9e0949c4687", versionType: "git", }, { lessThan: "01cb2e751cc61ade454c9bc1aaa2eac1f8197112", status: "affected", version: "cf76c78595ca87548ca5e45c862ac9e0949c4687", versionType: "git", }, { lessThan: "d52c5652e7dcb7a0648bbb8642cc3e617070ab49", status: "affected", version: "cf76c78595ca87548ca5e45c862ac9e0949c4687", versionType: "git", }, { lessThan: "46b1edf0536a5291a8ad2337f88c926214b209d9", status: "affected", version: "cf76c78595ca87548ca5e45c862ac9e0949c4687", versionType: "git", }, { lessThan: "4846e72ab5a0726e49ad4188b9d9df091ae78c64", status: "affected", version: "cf76c78595ca87548ca5e45c862ac9e0949c4687", versionType: "git", }, { lessThan: "33b525cef4cff49e216e4133cc48452e11c0391e", status: "affected", version: "cf76c78595ca87548ca5e45c862ac9e0949c4687", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/ocfs2/buffer_head_io.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "4.20", }, { lessThan: "4.20", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix possible null-ptr-deref in ocfs2_set_buffer_uptodate\n\nWhen doing cleanup, if flags without OCFS2_BH_READAHEAD, it may trigger\nNULL pointer dereference in the following ocfs2_set_buffer_uptodate() if\nbh is NULL.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:28:11.547Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/190d98bcd61117a78fe185222d162180f061a6ca", }, { url: "https://git.kernel.org/stable/c/e68c8323355e8cedfbe0bec7d5a39009f61640b6", }, { url: "https://git.kernel.org/stable/c/61b84013e560382cbe7dd56758be3154d43a3988", }, { url: "https://git.kernel.org/stable/c/df944dc46d06af65a75191183d52be017e6b9dbe", }, { url: "https://git.kernel.org/stable/c/01cb2e751cc61ade454c9bc1aaa2eac1f8197112", }, { url: "https://git.kernel.org/stable/c/d52c5652e7dcb7a0648bbb8642cc3e617070ab49", }, { url: "https://git.kernel.org/stable/c/46b1edf0536a5291a8ad2337f88c926214b209d9", }, { url: "https://git.kernel.org/stable/c/4846e72ab5a0726e49ad4188b9d9df091ae78c64", }, { url: "https://git.kernel.org/stable/c/33b525cef4cff49e216e4133cc48452e11c0391e", }, ], title: "ocfs2: fix possible null-ptr-deref in ocfs2_set_buffer_uptodate", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49877", datePublished: "2024-10-21T18:01:16.788Z", dateReserved: "2024-10-21T12:17:06.021Z", dateUpdated: "2024-12-19T09:28:11.547Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-49002
Vulnerability from cvelistv5
Published
2024-10-21 20:06
Modified
2024-12-19 08:12
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommu/vt-d: Fix PCI device refcount leak in dmar_dev_scope_init()
for_each_pci_dev() is implemented by pci_get_device(). The comment of
pci_get_device() says that it will increase the reference count for the
returned pci_dev and also decrease the reference count for the input
pci_dev @from if it is not NULL.
If we break for_each_pci_dev() loop with pdev not NULL, we need to call
pci_dev_put() to decrease the reference count. Add the missing
pci_dev_put() for the error path to avoid reference count leak.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 2e45528930388658603ea24d49cf52867b928d3e Version: 2e45528930388658603ea24d49cf52867b928d3e Version: 2e45528930388658603ea24d49cf52867b928d3e Version: 2e45528930388658603ea24d49cf52867b928d3e Version: 2e45528930388658603ea24d49cf52867b928d3e Version: 2e45528930388658603ea24d49cf52867b928d3e Version: 2e45528930388658603ea24d49cf52867b928d3e Version: 2e45528930388658603ea24d49cf52867b928d3e |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-49002", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:15:03.202654Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:40.497Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/iommu/intel/dmar.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "d47bc9d7bcdbb9adc9703513d964b514fee5b0bf", status: "affected", version: "2e45528930388658603ea24d49cf52867b928d3e", versionType: "git", }, { lessThan: "71c4a621985fc051ab86d3a86c749069a993fcb2", status: "affected", version: "2e45528930388658603ea24d49cf52867b928d3e", versionType: "git", }, { lessThan: "876d7bfb89273997056220029ff12b1c2cc4691d", status: "affected", version: "2e45528930388658603ea24d49cf52867b928d3e", versionType: "git", }, { lessThan: "cbdd83bd2fd67142b03ce9dbdd1eab322ff7321f", status: "affected", version: "2e45528930388658603ea24d49cf52867b928d3e", versionType: "git", }, { lessThan: "a5c65cd56aed027f8a97fda8b691caaeb66d115e", status: "affected", version: "2e45528930388658603ea24d49cf52867b928d3e", versionType: "git", }, { lessThan: "bdb613ef179ad4bb9d56a2533e9b30e434f1dfb7", status: "affected", version: "2e45528930388658603ea24d49cf52867b928d3e", versionType: "git", }, { lessThan: "2a8f7b90681472948de172dbbf5a54cd342870aa", status: "affected", version: "2e45528930388658603ea24d49cf52867b928d3e", versionType: "git", }, { lessThan: "4bedbbd782ebbe7287231fea862c158d4f08a9e3", status: "affected", version: "2e45528930388658603ea24d49cf52867b928d3e", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/iommu/intel/dmar.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "3.15", }, { lessThan: "3.15", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.9.*", status: "unaffected", version: "4.9.335", versionType: "semver", }, { lessThanOrEqual: "4.14.*", status: "unaffected", version: "4.14.301", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.268", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.226", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.158", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.82", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.12", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Fix PCI device refcount leak in dmar_dev_scope_init()\n\nfor_each_pci_dev() is implemented by pci_get_device(). The comment of\npci_get_device() says that it will increase the reference count for the\nreturned pci_dev and also decrease the reference count for the input\npci_dev @from if it is not NULL.\n\nIf we break for_each_pci_dev() loop with pdev not NULL, we need to call\npci_dev_put() to decrease the reference count. Add the missing\npci_dev_put() for the error path to avoid reference count leak.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:12:14.036Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/d47bc9d7bcdbb9adc9703513d964b514fee5b0bf", }, { url: "https://git.kernel.org/stable/c/71c4a621985fc051ab86d3a86c749069a993fcb2", }, { url: "https://git.kernel.org/stable/c/876d7bfb89273997056220029ff12b1c2cc4691d", }, { url: "https://git.kernel.org/stable/c/cbdd83bd2fd67142b03ce9dbdd1eab322ff7321f", }, { url: "https://git.kernel.org/stable/c/a5c65cd56aed027f8a97fda8b691caaeb66d115e", }, { url: "https://git.kernel.org/stable/c/bdb613ef179ad4bb9d56a2533e9b30e434f1dfb7", }, { url: "https://git.kernel.org/stable/c/2a8f7b90681472948de172dbbf5a54cd342870aa", }, { url: "https://git.kernel.org/stable/c/4bedbbd782ebbe7287231fea862c158d4f08a9e3", }, ], title: "iommu/vt-d: Fix PCI device refcount leak in dmar_dev_scope_init()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-49002", datePublished: "2024-10-21T20:06:16.093Z", dateReserved: "2024-08-22T01:27:53.642Z", dateUpdated: "2024-12-19T08:12:14.036Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49883
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:28
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: aovid use-after-free in ext4_ext_insert_extent()
As Ojaswin mentioned in Link, in ext4_ext_insert_extent(), if the path is
reallocated in ext4_ext_create_new_leaf(), we'll use the stale path and
cause UAF. Below is a sample trace with dummy values:
ext4_ext_insert_extent
path = *ppath = 2000
ext4_ext_create_new_leaf(ppath)
ext4_find_extent(ppath)
path = *ppath = 2000
if (depth > path[0].p_maxdepth)
kfree(path = 2000);
*ppath = path = NULL;
path = kcalloc() = 3000
*ppath = 3000;
return path;
/* here path is still 2000, UAF! */
eh = path[depth].p_hdr
==================================================================
BUG: KASAN: slab-use-after-free in ext4_ext_insert_extent+0x26d4/0x3330
Read of size 8 at addr ffff8881027bf7d0 by task kworker/u36:1/179
CPU: 3 UID: 0 PID: 179 Comm: kworker/u6:1 Not tainted 6.11.0-rc2-dirty #866
Call Trace:
<TASK>
ext4_ext_insert_extent+0x26d4/0x3330
ext4_ext_map_blocks+0xe22/0x2d40
ext4_map_blocks+0x71e/0x1700
ext4_do_writepages+0x1290/0x2800
[...]
Allocated by task 179:
ext4_find_extent+0x81c/0x1f70
ext4_ext_map_blocks+0x146/0x2d40
ext4_map_blocks+0x71e/0x1700
ext4_do_writepages+0x1290/0x2800
ext4_writepages+0x26d/0x4e0
do_writepages+0x175/0x700
[...]
Freed by task 179:
kfree+0xcb/0x240
ext4_find_extent+0x7c0/0x1f70
ext4_ext_insert_extent+0xa26/0x3330
ext4_ext_map_blocks+0xe22/0x2d40
ext4_map_blocks+0x71e/0x1700
ext4_do_writepages+0x1290/0x2800
ext4_writepages+0x26d/0x4e0
do_writepages+0x175/0x700
[...]
==================================================================
So use *ppath to update the path to avoid the above problem.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 10809df84a4d868db61af621bae3658494165279 Version: 10809df84a4d868db61af621bae3658494165279 Version: 10809df84a4d868db61af621bae3658494165279 Version: 10809df84a4d868db61af621bae3658494165279 Version: 10809df84a4d868db61af621bae3658494165279 Version: 10809df84a4d868db61af621bae3658494165279 Version: 10809df84a4d868db61af621bae3658494165279 Version: 10809df84a4d868db61af621bae3658494165279 Version: 10809df84a4d868db61af621bae3658494165279 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49883", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:45:23.101470Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:50.259Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/ext4/extents.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "e17ebe4fdd7665c93ae9459ba40fcdfb76769ac1", status: "affected", version: "10809df84a4d868db61af621bae3658494165279", versionType: "git", }, { lessThan: "975ca06f3fd154c5f7742083e7b2574c57d1c0c3", status: "affected", version: "10809df84a4d868db61af621bae3658494165279", versionType: "git", }, { lessThan: "5e811066c5ab709b070659197dccfb80ab650ddd", status: "affected", version: "10809df84a4d868db61af621bae3658494165279", versionType: "git", }, { lessThan: "9df59009dfc6d9fc1bd9ddf6c5ab6e56d6ed887a", status: "affected", version: "10809df84a4d868db61af621bae3658494165279", versionType: "git", }, { lessThan: "51db04892a993cace63415be99848970a0f15ef2", status: "affected", version: "10809df84a4d868db61af621bae3658494165279", versionType: "git", }, { lessThan: "8162ee5d94b8c0351be0a9321be134872a7654a1", status: "affected", version: "10809df84a4d868db61af621bae3658494165279", versionType: "git", }, { lessThan: "beb7b66fb489041c50c6473100b383f7a51648fc", status: "affected", version: "10809df84a4d868db61af621bae3658494165279", versionType: "git", }, { lessThan: "bfed082ce4b1ce6349b05c09a0fa4f3da35ecb1b", status: "affected", version: "10809df84a4d868db61af621bae3658494165279", versionType: "git", }, { lessThan: "a164f3a432aae62ca23d03e6d926b122ee5b860d", status: "affected", version: "10809df84a4d868db61af621bae3658494165279", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/ext4/extents.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "3.18", }, { lessThan: "3.18", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\next4: aovid use-after-free in ext4_ext_insert_extent()\n\nAs Ojaswin mentioned in Link, in ext4_ext_insert_extent(), if the path is\nreallocated in ext4_ext_create_new_leaf(), we'll use the stale path and\ncause UAF. Below is a sample trace with dummy values:\n\next4_ext_insert_extent\n path = *ppath = 2000\n ext4_ext_create_new_leaf(ppath)\n ext4_find_extent(ppath)\n path = *ppath = 2000\n if (depth > path[0].p_maxdepth)\n kfree(path = 2000);\n *ppath = path = NULL;\n path = kcalloc() = 3000\n *ppath = 3000;\n return path;\n /* here path is still 2000, UAF! */\n eh = path[depth].p_hdr\n\n==================================================================\nBUG: KASAN: slab-use-after-free in ext4_ext_insert_extent+0x26d4/0x3330\nRead of size 8 at addr ffff8881027bf7d0 by task kworker/u36:1/179\nCPU: 3 UID: 0 PID: 179 Comm: kworker/u6:1 Not tainted 6.11.0-rc2-dirty #866\nCall Trace:\n <TASK>\n ext4_ext_insert_extent+0x26d4/0x3330\n ext4_ext_map_blocks+0xe22/0x2d40\n ext4_map_blocks+0x71e/0x1700\n ext4_do_writepages+0x1290/0x2800\n[...]\n\nAllocated by task 179:\n ext4_find_extent+0x81c/0x1f70\n ext4_ext_map_blocks+0x146/0x2d40\n ext4_map_blocks+0x71e/0x1700\n ext4_do_writepages+0x1290/0x2800\n ext4_writepages+0x26d/0x4e0\n do_writepages+0x175/0x700\n[...]\n\nFreed by task 179:\n kfree+0xcb/0x240\n ext4_find_extent+0x7c0/0x1f70\n ext4_ext_insert_extent+0xa26/0x3330\n ext4_ext_map_blocks+0xe22/0x2d40\n ext4_map_blocks+0x71e/0x1700\n ext4_do_writepages+0x1290/0x2800\n ext4_writepages+0x26d/0x4e0\n do_writepages+0x175/0x700\n[...]\n==================================================================\n\nSo use *ppath to update the path to avoid the above problem.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:28:18.942Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/e17ebe4fdd7665c93ae9459ba40fcdfb76769ac1", }, { url: "https://git.kernel.org/stable/c/975ca06f3fd154c5f7742083e7b2574c57d1c0c3", }, { url: "https://git.kernel.org/stable/c/5e811066c5ab709b070659197dccfb80ab650ddd", }, { url: "https://git.kernel.org/stable/c/9df59009dfc6d9fc1bd9ddf6c5ab6e56d6ed887a", }, { url: "https://git.kernel.org/stable/c/51db04892a993cace63415be99848970a0f15ef2", }, { url: "https://git.kernel.org/stable/c/8162ee5d94b8c0351be0a9321be134872a7654a1", }, { url: "https://git.kernel.org/stable/c/beb7b66fb489041c50c6473100b383f7a51648fc", }, { url: "https://git.kernel.org/stable/c/bfed082ce4b1ce6349b05c09a0fa4f3da35ecb1b", }, { url: "https://git.kernel.org/stable/c/a164f3a432aae62ca23d03e6d926b122ee5b860d", }, ], title: "ext4: aovid use-after-free in ext4_ext_insert_extent()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49883", datePublished: "2024-10-21T18:01:20.827Z", dateReserved: "2024-10-21T12:17:06.021Z", dateUpdated: "2024-12-19T09:28:18.942Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47699
Vulnerability from cvelistv5
Published
2024-10-21 11:53
Modified
2024-12-19 09:26
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nilfs2: fix potential null-ptr-deref in nilfs_btree_insert()
Patch series "nilfs2: fix potential issues with empty b-tree nodes".
This series addresses three potential issues with empty b-tree nodes that
can occur with corrupted filesystem images, including one recently
discovered by syzbot.
This patch (of 3):
If a b-tree is broken on the device, and the b-tree height is greater than
2 (the level of the root node is greater than 1) even if the number of
child nodes of the b-tree root is 0, a NULL pointer dereference occurs in
nilfs_btree_prepare_insert(), which is called from nilfs_btree_insert().
This is because, when the number of child nodes of the b-tree root is 0,
nilfs_btree_do_lookup() does not set the block buffer head in any of
path[x].bp_bh, leaving it as the initial value of NULL, but if the level
of the b-tree root node is greater than 1, nilfs_btree_get_nonroot_node(),
which accesses the buffer memory of path[x].bp_bh, is called.
Fix this issue by adding a check to nilfs_btree_root_broken(), which
performs sanity checks when reading the root node from the device, to
detect this inconsistency.
Thanks to Lizhi Xu for trying to solve the bug and clarifying the cause
early on.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 17c76b0104e4a6513983777e1a17e0297a12b0c4 Version: 17c76b0104e4a6513983777e1a17e0297a12b0c4 Version: 17c76b0104e4a6513983777e1a17e0297a12b0c4 Version: 17c76b0104e4a6513983777e1a17e0297a12b0c4 Version: 17c76b0104e4a6513983777e1a17e0297a12b0c4 Version: 17c76b0104e4a6513983777e1a17e0297a12b0c4 Version: 17c76b0104e4a6513983777e1a17e0297a12b0c4 Version: 17c76b0104e4a6513983777e1a17e0297a12b0c4 Version: 17c76b0104e4a6513983777e1a17e0297a12b0c4 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47699", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:04:48.707894Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:14:13.842Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/nilfs2/btree.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "2b78e9df10fb7f4e9d3d7a18417dd72fbbc1dfd0", status: "affected", version: "17c76b0104e4a6513983777e1a17e0297a12b0c4", versionType: "git", }, { lessThan: "1d94dbdfbb64cc48d10dec65cc3c4fbf2497b343", status: "affected", version: "17c76b0104e4a6513983777e1a17e0297a12b0c4", versionType: "git", }, { lessThan: "24bf40740a3da6b4056721da34997ae6938f3da1", status: "affected", version: "17c76b0104e4a6513983777e1a17e0297a12b0c4", versionType: "git", }, { lessThan: "73d23ecf234b7a6d47fb883f2dabe10e3230b31d", status: "affected", version: "17c76b0104e4a6513983777e1a17e0297a12b0c4", versionType: "git", }, { lessThan: "f68523e0f26faade18833fbef577a4295d8e2c94", status: "affected", version: "17c76b0104e4a6513983777e1a17e0297a12b0c4", versionType: "git", }, { lessThan: "21839b6fbc3c41b3e374ecbdb0cabbbb2c53cf34", status: "affected", version: "17c76b0104e4a6513983777e1a17e0297a12b0c4", versionType: "git", }, { lessThan: "db73500d3f0e558eb642aae1d4782e7726b4a03f", status: "affected", version: "17c76b0104e4a6513983777e1a17e0297a12b0c4", versionType: "git", }, { lessThan: "3644554d308ddf2669e459a1551a7edf60b2d62b", status: "affected", version: "17c76b0104e4a6513983777e1a17e0297a12b0c4", versionType: "git", }, { lessThan: "9403001ad65ae4f4c5de368bdda3a0636b51d51a", status: "affected", version: "17c76b0104e4a6513983777e1a17e0297a12b0c4", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/nilfs2/btree.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "2.6.30", }, { lessThan: "2.6.30", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix potential null-ptr-deref in nilfs_btree_insert()\n\nPatch series \"nilfs2: fix potential issues with empty b-tree nodes\".\n\nThis series addresses three potential issues with empty b-tree nodes that\ncan occur with corrupted filesystem images, including one recently\ndiscovered by syzbot.\n\n\nThis patch (of 3):\n\nIf a b-tree is broken on the device, and the b-tree height is greater than\n2 (the level of the root node is greater than 1) even if the number of\nchild nodes of the b-tree root is 0, a NULL pointer dereference occurs in\nnilfs_btree_prepare_insert(), which is called from nilfs_btree_insert().\n\nThis is because, when the number of child nodes of the b-tree root is 0,\nnilfs_btree_do_lookup() does not set the block buffer head in any of\npath[x].bp_bh, leaving it as the initial value of NULL, but if the level\nof the b-tree root node is greater than 1, nilfs_btree_get_nonroot_node(),\nwhich accesses the buffer memory of path[x].bp_bh, is called.\n\nFix this issue by adding a check to nilfs_btree_root_broken(), which\nperforms sanity checks when reading the root node from the device, to\ndetect this inconsistency.\n\nThanks to Lizhi Xu for trying to solve the bug and clarifying the cause\nearly on.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:26:20.537Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/2b78e9df10fb7f4e9d3d7a18417dd72fbbc1dfd0", }, { url: "https://git.kernel.org/stable/c/1d94dbdfbb64cc48d10dec65cc3c4fbf2497b343", }, { url: "https://git.kernel.org/stable/c/24bf40740a3da6b4056721da34997ae6938f3da1", }, { url: "https://git.kernel.org/stable/c/73d23ecf234b7a6d47fb883f2dabe10e3230b31d", }, { url: "https://git.kernel.org/stable/c/f68523e0f26faade18833fbef577a4295d8e2c94", }, { url: "https://git.kernel.org/stable/c/21839b6fbc3c41b3e374ecbdb0cabbbb2c53cf34", }, { url: "https://git.kernel.org/stable/c/db73500d3f0e558eb642aae1d4782e7726b4a03f", }, { url: "https://git.kernel.org/stable/c/3644554d308ddf2669e459a1551a7edf60b2d62b", }, { url: "https://git.kernel.org/stable/c/9403001ad65ae4f4c5de368bdda3a0636b51d51a", }, ], title: "nilfs2: fix potential null-ptr-deref in nilfs_btree_insert()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47699", datePublished: "2024-10-21T11:53:35.962Z", dateReserved: "2024-09-30T16:00:12.944Z", dateUpdated: "2024-12-19T09:26:20.537Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47745
Vulnerability from cvelistv5
Published
2024-10-21 12:14
Modified
2024-12-19 09:27
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm: call the security_mmap_file() LSM hook in remap_file_pages()
The remap_file_pages syscall handler calls do_mmap() directly, which
doesn't contain the LSM security check. And if the process has called
personality(READ_IMPLIES_EXEC) before and remap_file_pages() is called for
RW pages, this will actually result in remapping the pages to RWX,
bypassing a W^X policy enforced by SELinux.
So we should check prot by security_mmap_file LSM hook in the
remap_file_pages syscall handler before do_mmap() is called. Otherwise, it
potentially permits an attacker to bypass a W^X policy enforced by
SELinux.
The bypass is similar to CVE-2016-10044, which bypass the same thing via
AIO and can be found in [1].
The PoC:
$ cat > test.c
int main(void) {
size_t pagesz = sysconf(_SC_PAGE_SIZE);
int mfd = syscall(SYS_memfd_create, "test", 0);
const char *buf = mmap(NULL, 4 * pagesz, PROT_READ | PROT_WRITE,
MAP_SHARED, mfd, 0);
unsigned int old = syscall(SYS_personality, 0xffffffff);
syscall(SYS_personality, READ_IMPLIES_EXEC | old);
syscall(SYS_remap_file_pages, buf, pagesz, 0, 2, 0);
syscall(SYS_personality, old);
// show the RWX page exists even if W^X policy is enforced
int fd = open("/proc/self/maps", O_RDONLY);
unsigned char buf2[1024];
while (1) {
int ret = read(fd, buf2, 1024);
if (ret <= 0) break;
write(1, buf2, ret);
}
close(fd);
}
$ gcc test.c -o test
$ ./test | grep rwx
7f1836c34000-7f1836c35000 rwxs 00002000 00:01 2050 /memfd:test (deleted)
[PM: subject line tweaks]
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47745", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T12:58:41.257228Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:13.918Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "mm/mmap.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "0f910dbf2f2a4a7820ba4bac7b280f7108aa05b1", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "49d3a4ad57c57227c3b0fd6cd4188b2a5ebd6178", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "3393fddbfa947c8e1fdcc4509226905ffffd8b89", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "ce14f38d6ee9e88e37ec28427b4b93a7c33c70d3", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "ea7e2d5e49c05e5db1922387b09ca74aa40f46e2", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "mm/mmap.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.120", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: call the security_mmap_file() LSM hook in remap_file_pages()\n\nThe remap_file_pages syscall handler calls do_mmap() directly, which\ndoesn't contain the LSM security check. And if the process has called\npersonality(READ_IMPLIES_EXEC) before and remap_file_pages() is called for\nRW pages, this will actually result in remapping the pages to RWX,\nbypassing a W^X policy enforced by SELinux.\n\nSo we should check prot by security_mmap_file LSM hook in the\nremap_file_pages syscall handler before do_mmap() is called. Otherwise, it\npotentially permits an attacker to bypass a W^X policy enforced by\nSELinux.\n\nThe bypass is similar to CVE-2016-10044, which bypass the same thing via\nAIO and can be found in [1].\n\nThe PoC:\n\n$ cat > test.c\n\nint main(void) {\n\tsize_t pagesz = sysconf(_SC_PAGE_SIZE);\n\tint mfd = syscall(SYS_memfd_create, \"test\", 0);\n\tconst char *buf = mmap(NULL, 4 * pagesz, PROT_READ | PROT_WRITE,\n\t\tMAP_SHARED, mfd, 0);\n\tunsigned int old = syscall(SYS_personality, 0xffffffff);\n\tsyscall(SYS_personality, READ_IMPLIES_EXEC | old);\n\tsyscall(SYS_remap_file_pages, buf, pagesz, 0, 2, 0);\n\tsyscall(SYS_personality, old);\n\t// show the RWX page exists even if W^X policy is enforced\n\tint fd = open(\"/proc/self/maps\", O_RDONLY);\n\tunsigned char buf2[1024];\n\twhile (1) {\n\t\tint ret = read(fd, buf2, 1024);\n\t\tif (ret <= 0) break;\n\t\twrite(1, buf2, ret);\n\t}\n\tclose(fd);\n}\n\n$ gcc test.c -o test\n$ ./test | grep rwx\n7f1836c34000-7f1836c35000 rwxs 00002000 00:01 2050 /memfd:test (deleted)\n\n[PM: subject line tweaks]", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:27:16.545Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/0f910dbf2f2a4a7820ba4bac7b280f7108aa05b1", }, { url: "https://git.kernel.org/stable/c/49d3a4ad57c57227c3b0fd6cd4188b2a5ebd6178", }, { url: "https://git.kernel.org/stable/c/3393fddbfa947c8e1fdcc4509226905ffffd8b89", }, { url: "https://git.kernel.org/stable/c/ce14f38d6ee9e88e37ec28427b4b93a7c33c70d3", }, { url: "https://git.kernel.org/stable/c/ea7e2d5e49c05e5db1922387b09ca74aa40f46e2", }, ], title: "mm: call the security_mmap_file() LSM hook in remap_file_pages()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47745", datePublished: "2024-10-21T12:14:12.488Z", dateReserved: "2024-09-30T16:00:12.960Z", dateUpdated: "2024-12-19T09:27:16.545Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49855
Vulnerability from cvelistv5
Published
2024-10-21 12:18
Modified
2024-12-19 09:27
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nbd: fix race between timeout and normal completion
If request timetout is handled by nbd_requeue_cmd(), normal completion
has to be stopped for avoiding to complete this requeued request, other
use-after-free can be triggered.
Fix the race by clearing NBD_CMD_INFLIGHT in nbd_requeue_cmd(), meantime
make sure that cmd->lock is grabbed for clearing the flag and the
requeue.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 2895f1831e911ca87d4efdf43e35eb72a0c7e66e Version: 2895f1831e911ca87d4efdf43e35eb72a0c7e66e Version: 2895f1831e911ca87d4efdf43e35eb72a0c7e66e Version: 2895f1831e911ca87d4efdf43e35eb72a0c7e66e Version: 2895f1831e911ca87d4efdf43e35eb72a0c7e66e |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49855", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T12:56:24.992815Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:11.227Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/block/nbd.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "9c25faf72d780a9c71081710cd48759d61ff6e9b", status: "affected", version: "2895f1831e911ca87d4efdf43e35eb72a0c7e66e", versionType: "git", }, { lessThan: "6e73b946a379a1dfbb62626af93843bdfb53753d", status: "affected", version: "2895f1831e911ca87d4efdf43e35eb72a0c7e66e", versionType: "git", }, { lessThan: "5236ada8ebbd9e7461f17477357582f5be4f46f7", status: "affected", version: "2895f1831e911ca87d4efdf43e35eb72a0c7e66e", versionType: "git", }, { lessThan: "9a74c3e6c0d686c26ba2aab66d15ddb89dc139cc", status: "affected", version: "2895f1831e911ca87d4efdf43e35eb72a0c7e66e", versionType: "git", }, { lessThan: "c9ea57c91f03bcad415e1a20113bdb2077bcf990", status: "affected", version: "2895f1831e911ca87d4efdf43e35eb72a0c7e66e", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/block/nbd.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.19", }, { lessThan: "5.19", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: fix race between timeout and normal completion\n\nIf request timetout is handled by nbd_requeue_cmd(), normal completion\nhas to be stopped for avoiding to complete this requeued request, other\nuse-after-free can be triggered.\n\nFix the race by clearing NBD_CMD_INFLIGHT in nbd_requeue_cmd(), meantime\nmake sure that cmd->lock is grabbed for clearing the flag and the\nrequeue.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:27:37.929Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/9c25faf72d780a9c71081710cd48759d61ff6e9b", }, { url: "https://git.kernel.org/stable/c/6e73b946a379a1dfbb62626af93843bdfb53753d", }, { url: "https://git.kernel.org/stable/c/5236ada8ebbd9e7461f17477357582f5be4f46f7", }, { url: "https://git.kernel.org/stable/c/9a74c3e6c0d686c26ba2aab66d15ddb89dc139cc", }, { url: "https://git.kernel.org/stable/c/c9ea57c91f03bcad415e1a20113bdb2077bcf990", }, ], title: "nbd: fix race between timeout and normal completion", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49855", datePublished: "2024-10-21T12:18:47.391Z", dateReserved: "2024-10-21T12:17:06.016Z", dateUpdated: "2024-12-19T09:27:37.929Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49955
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-19 09:30
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ACPI: battery: Fix possible crash when unregistering a battery hook
When a battery hook returns an error when adding a new battery, then
the battery hook is automatically unregistered.
However the battery hook provider cannot know that, so it will later
call battery_hook_unregister() on the already unregistered battery
hook, resulting in a crash.
Fix this by using the list head to mark already unregistered battery
hooks as already being unregistered so that they can be ignored by
battery_hook_unregister().
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: fa93854f7a7ed63d054405bf3779247d5300edd3 Version: fa93854f7a7ed63d054405bf3779247d5300edd3 Version: fa93854f7a7ed63d054405bf3779247d5300edd3 Version: fa93854f7a7ed63d054405bf3779247d5300edd3 Version: fa93854f7a7ed63d054405bf3779247d5300edd3 Version: fa93854f7a7ed63d054405bf3779247d5300edd3 Version: fa93854f7a7ed63d054405bf3779247d5300edd3 Version: fa93854f7a7ed63d054405bf3779247d5300edd3 Version: fa93854f7a7ed63d054405bf3779247d5300edd3 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49955", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:35:51.725072Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:48.563Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/acpi/battery.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "76fb2cbf01571926da8ecf6876cc8cb07d3f5183", status: "affected", version: "fa93854f7a7ed63d054405bf3779247d5300edd3", versionType: "git", }, { lessThan: "c47843a831e0eae007ad7e848d208e675ba4c132", status: "affected", version: "fa93854f7a7ed63d054405bf3779247d5300edd3", versionType: "git", }, { lessThan: "da964de4c18199e14b961b5b2e5e6570552a313c", status: "affected", version: "fa93854f7a7ed63d054405bf3779247d5300edd3", versionType: "git", }, { lessThan: "07b98400cb0285a6348188aa8c5ec6a2ae0551f7", status: "affected", version: "fa93854f7a7ed63d054405bf3779247d5300edd3", versionType: "git", }, { lessThan: "ca1fb7942a287b40659cc79551a1de54a2c2e7d5", status: "affected", version: "fa93854f7a7ed63d054405bf3779247d5300edd3", versionType: "git", }, { lessThan: "ce31847f109c3a5b2abdd19d7bcaafaacfde53de", status: "affected", version: "fa93854f7a7ed63d054405bf3779247d5300edd3", versionType: "git", }, { lessThan: "ca26e8eed9c1c6651f51f7fa38fe444f8573cd1b", status: "affected", version: "fa93854f7a7ed63d054405bf3779247d5300edd3", versionType: "git", }, { lessThan: "9f469ef1c79dac7f9ac1518643a33703918f7e13", status: "affected", version: "fa93854f7a7ed63d054405bf3779247d5300edd3", versionType: "git", }, { lessThan: "76959aff14a0012ad6b984ec7686d163deccdc16", status: "affected", version: "fa93854f7a7ed63d054405bf3779247d5300edd3", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/acpi/battery.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "4.17", }, { lessThan: "4.17", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: battery: Fix possible crash when unregistering a battery hook\n\nWhen a battery hook returns an error when adding a new battery, then\nthe battery hook is automatically unregistered.\nHowever the battery hook provider cannot know that, so it will later\ncall battery_hook_unregister() on the already unregistered battery\nhook, resulting in a crash.\n\nFix this by using the list head to mark already unregistered battery\nhooks as already being unregistered so that they can be ignored by\nbattery_hook_unregister().", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:30:06.167Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/76fb2cbf01571926da8ecf6876cc8cb07d3f5183", }, { url: "https://git.kernel.org/stable/c/c47843a831e0eae007ad7e848d208e675ba4c132", }, { url: "https://git.kernel.org/stable/c/da964de4c18199e14b961b5b2e5e6570552a313c", }, { url: "https://git.kernel.org/stable/c/07b98400cb0285a6348188aa8c5ec6a2ae0551f7", }, { url: "https://git.kernel.org/stable/c/ca1fb7942a287b40659cc79551a1de54a2c2e7d5", }, { url: "https://git.kernel.org/stable/c/ce31847f109c3a5b2abdd19d7bcaafaacfde53de", }, { url: "https://git.kernel.org/stable/c/ca26e8eed9c1c6651f51f7fa38fe444f8573cd1b", }, { url: "https://git.kernel.org/stable/c/9f469ef1c79dac7f9ac1518643a33703918f7e13", }, { url: "https://git.kernel.org/stable/c/76959aff14a0012ad6b984ec7686d163deccdc16", }, ], title: "ACPI: battery: Fix possible crash when unregistering a battery hook", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49955", datePublished: "2024-10-21T18:02:09.707Z", dateReserved: "2024-10-21T12:17:06.047Z", dateUpdated: "2024-12-19T09:30:06.167Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50013
Vulnerability from cvelistv5
Published
2024-10-21 18:54
Modified
2024-12-19 09:31
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
exfat: fix memory leak in exfat_load_bitmap()
If the first directory entry in the root directory is not a bitmap
directory entry, 'bh' will not be released and reassigned, which
will cause a memory leak.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1e49a94cf707204b66a3fb242f2814712c941f52 Version: 1e49a94cf707204b66a3fb242f2814712c941f52 Version: 1e49a94cf707204b66a3fb242f2814712c941f52 Version: 1e49a94cf707204b66a3fb242f2814712c941f52 Version: 1e49a94cf707204b66a3fb242f2814712c941f52 Version: 1e49a94cf707204b66a3fb242f2814712c941f52 Version: 1e49a94cf707204b66a3fb242f2814712c941f52 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50013", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:28:23.211214Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:48.436Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/exfat/balloc.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "f692160d3e1e5450605071b8df8f7d08d9b09a83", status: "affected", version: "1e49a94cf707204b66a3fb242f2814712c941f52", versionType: "git", }, { lessThan: "ddf704c2ce3b73f38d2dd8cf1bb0f7ec038bdf63", status: "affected", version: "1e49a94cf707204b66a3fb242f2814712c941f52", versionType: "git", }, { lessThan: "4e1813e52f86eb8db0c6c9570251f2fcbc571f5d", status: "affected", version: "1e49a94cf707204b66a3fb242f2814712c941f52", versionType: "git", }, { lessThan: "bf0b3b35259475d1fe377bcaa565488e26684f7a", status: "affected", version: "1e49a94cf707204b66a3fb242f2814712c941f52", versionType: "git", }, { lessThan: "dca359db1eb37f334267ebd7e3cab9a66d191d5b", status: "affected", version: "1e49a94cf707204b66a3fb242f2814712c941f52", versionType: "git", }, { lessThan: "89081e8407e637463db5880d168e3652fb9f4330", status: "affected", version: "1e49a94cf707204b66a3fb242f2814712c941f52", versionType: "git", }, { lessThan: "d2b537b3e533f28e0d97293fe9293161fe8cd137", status: "affected", version: "1e49a94cf707204b66a3fb242f2814712c941f52", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/exfat/balloc.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.7", }, { lessThan: "5.7", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: fix memory leak in exfat_load_bitmap()\n\nIf the first directory entry in the root directory is not a bitmap\ndirectory entry, 'bh' will not be released and reassigned, which\nwill cause a memory leak.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:31:17.449Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/f692160d3e1e5450605071b8df8f7d08d9b09a83", }, { url: "https://git.kernel.org/stable/c/ddf704c2ce3b73f38d2dd8cf1bb0f7ec038bdf63", }, { url: "https://git.kernel.org/stable/c/4e1813e52f86eb8db0c6c9570251f2fcbc571f5d", }, { url: "https://git.kernel.org/stable/c/bf0b3b35259475d1fe377bcaa565488e26684f7a", }, { url: "https://git.kernel.org/stable/c/dca359db1eb37f334267ebd7e3cab9a66d191d5b", }, { url: "https://git.kernel.org/stable/c/89081e8407e637463db5880d168e3652fb9f4330", }, { url: "https://git.kernel.org/stable/c/d2b537b3e533f28e0d97293fe9293161fe8cd137", }, ], title: "exfat: fix memory leak in exfat_load_bitmap()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50013", datePublished: "2024-10-21T18:54:05.089Z", dateReserved: "2024-10-21T12:17:06.061Z", dateUpdated: "2024-12-19T09:31:17.449Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50040
Vulnerability from cvelistv5
Published
2024-10-21 19:39
Modified
2024-12-19 09:31
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
igb: Do not bring the device up after non-fatal error
Commit 004d25060c78 ("igb: Fix igb_down hung on surprise removal")
changed igb_io_error_detected() to ignore non-fatal pcie errors in order
to avoid hung task that can happen when igb_down() is called multiple
times. This caused an issue when processing transient non-fatal errors.
igb_io_resume(), which is called after igb_io_error_detected(), assumes
that device is brought down by igb_io_error_detected() if the interface
is up. This resulted in panic with stacktrace below.
[ T3256] igb 0000:09:00.0 haeth0: igb: haeth0 NIC Link is Down
[ T292] pcieport 0000:00:1c.5: AER: Uncorrected (Non-Fatal) error received: 0000:09:00.0
[ T292] igb 0000:09:00.0: PCIe Bus Error: severity=Uncorrected (Non-Fatal), type=Transaction Layer, (Requester ID)
[ T292] igb 0000:09:00.0: device [8086:1537] error status/mask=00004000/00000000
[ T292] igb 0000:09:00.0: [14] CmpltTO [ 200.105524,009][ T292] igb 0000:09:00.0: AER: TLP Header: 00000000 00000000 00000000 00000000
[ T292] pcieport 0000:00:1c.5: AER: broadcast error_detected message
[ T292] igb 0000:09:00.0: Non-correctable non-fatal error reported.
[ T292] pcieport 0000:00:1c.5: AER: broadcast mmio_enabled message
[ T292] pcieport 0000:00:1c.5: AER: broadcast resume message
[ T292] ------------[ cut here ]------------
[ T292] kernel BUG at net/core/dev.c:6539!
[ T292] invalid opcode: 0000 [#1] PREEMPT SMP
[ T292] RIP: 0010:napi_enable+0x37/0x40
[ T292] Call Trace:
[ T292] <TASK>
[ T292] ? die+0x33/0x90
[ T292] ? do_trap+0xdc/0x110
[ T292] ? napi_enable+0x37/0x40
[ T292] ? do_error_trap+0x70/0xb0
[ T292] ? napi_enable+0x37/0x40
[ T292] ? napi_enable+0x37/0x40
[ T292] ? exc_invalid_op+0x4e/0x70
[ T292] ? napi_enable+0x37/0x40
[ T292] ? asm_exc_invalid_op+0x16/0x20
[ T292] ? napi_enable+0x37/0x40
[ T292] igb_up+0x41/0x150
[ T292] igb_io_resume+0x25/0x70
[ T292] report_resume+0x54/0x70
[ T292] ? report_frozen_detected+0x20/0x20
[ T292] pci_walk_bus+0x6c/0x90
[ T292] ? aer_print_port_info+0xa0/0xa0
[ T292] pcie_do_recovery+0x22f/0x380
[ T292] aer_process_err_devices+0x110/0x160
[ T292] aer_isr+0x1c1/0x1e0
[ T292] ? disable_irq_nosync+0x10/0x10
[ T292] irq_thread_fn+0x1a/0x60
[ T292] irq_thread+0xe3/0x1a0
[ T292] ? irq_set_affinity_notifier+0x120/0x120
[ T292] ? irq_affinity_notify+0x100/0x100
[ T292] kthread+0xe2/0x110
[ T292] ? kthread_complete_and_exit+0x20/0x20
[ T292] ret_from_fork+0x2d/0x50
[ T292] ? kthread_complete_and_exit+0x20/0x20
[ T292] ret_from_fork_asm+0x11/0x20
[ T292] </TASK>
To fix this issue igb_io_resume() checks if the interface is running and
the device is not down this means igb_io_error_detected() did not bring
the device down and there is no need to bring it up.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 124e39a734cb90658b8f0dc110847bbfc6e33792 Version: c9f56f3c7bc908caa772112d3ae71cdd5d18c257 Version: 994c2ceb70ea99264ccc6f09e6703ca267dad63c Version: fa92c463eba75dcedbd8d689ffdcb83293aaa0c3 Version: 39695e87d86f0e7d897fba1d2559f825aa20caeb Version: 004d25060c78fc31f66da0fa439c544dda1ac9d5 Version: 004d25060c78fc31f66da0fa439c544dda1ac9d5 Version: 004d25060c78fc31f66da0fa439c544dda1ac9d5 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50040", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:24:54.389339Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:44.369Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/ethernet/intel/igb/igb_main.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "dca2ca65a8695d9593e2cf1b40848e073ad75413", status: "affected", version: "124e39a734cb90658b8f0dc110847bbfc6e33792", versionType: "git", }, { lessThan: "c92cbd283ddcf55fd85a9a9b0ba13298213f3dd7", status: "affected", version: "c9f56f3c7bc908caa772112d3ae71cdd5d18c257", versionType: "git", }, { lessThan: "d79af3af2f49c6aae9add3d492c04d60c1b85ce4", status: "affected", version: "994c2ceb70ea99264ccc6f09e6703ca267dad63c", versionType: "git", }, { lessThan: "0a94079e3841d00ea5abb05e3233d019a86745f6", status: "affected", version: "fa92c463eba75dcedbd8d689ffdcb83293aaa0c3", versionType: "git", }, { lessThan: "6a39c8f5c8aae74c5ab2ba466791f59ffaab0178", status: "affected", version: "39695e87d86f0e7d897fba1d2559f825aa20caeb", versionType: "git", }, { lessThan: "57c5053eaa5f9a8a99e34732e37a86615318e464", status: "affected", version: "004d25060c78fc31f66da0fa439c544dda1ac9d5", versionType: "git", }, { lessThan: "500be93c5d53b7e2c5314292012185f0207bad0c", status: "affected", version: "004d25060c78fc31f66da0fa439c544dda1ac9d5", versionType: "git", }, { lessThan: "330a699ecbfc9c26ec92c6310686da1230b4e7eb", status: "affected", version: "004d25060c78fc31f66da0fa439c544dda1ac9d5", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/ethernet/intel/igb/igb_main.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.5", }, { lessThan: "6.5", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.57", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.4", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nigb: Do not bring the device up after non-fatal error\n\nCommit 004d25060c78 (\"igb: Fix igb_down hung on surprise removal\")\nchanged igb_io_error_detected() to ignore non-fatal pcie errors in order\nto avoid hung task that can happen when igb_down() is called multiple\ntimes. This caused an issue when processing transient non-fatal errors.\nigb_io_resume(), which is called after igb_io_error_detected(), assumes\nthat device is brought down by igb_io_error_detected() if the interface\nis up. This resulted in panic with stacktrace below.\n\n[ T3256] igb 0000:09:00.0 haeth0: igb: haeth0 NIC Link is Down\n[ T292] pcieport 0000:00:1c.5: AER: Uncorrected (Non-Fatal) error received: 0000:09:00.0\n[ T292] igb 0000:09:00.0: PCIe Bus Error: severity=Uncorrected (Non-Fatal), type=Transaction Layer, (Requester ID)\n[ T292] igb 0000:09:00.0: device [8086:1537] error status/mask=00004000/00000000\n[ T292] igb 0000:09:00.0: [14] CmpltTO [ 200.105524,009][ T292] igb 0000:09:00.0: AER: TLP Header: 00000000 00000000 00000000 00000000\n[ T292] pcieport 0000:00:1c.5: AER: broadcast error_detected message\n[ T292] igb 0000:09:00.0: Non-correctable non-fatal error reported.\n[ T292] pcieport 0000:00:1c.5: AER: broadcast mmio_enabled message\n[ T292] pcieport 0000:00:1c.5: AER: broadcast resume message\n[ T292] ------------[ cut here ]------------\n[ T292] kernel BUG at net/core/dev.c:6539!\n[ T292] invalid opcode: 0000 [#1] PREEMPT SMP\n[ T292] RIP: 0010:napi_enable+0x37/0x40\n[ T292] Call Trace:\n[ T292] <TASK>\n[ T292] ? die+0x33/0x90\n[ T292] ? do_trap+0xdc/0x110\n[ T292] ? napi_enable+0x37/0x40\n[ T292] ? do_error_trap+0x70/0xb0\n[ T292] ? napi_enable+0x37/0x40\n[ T292] ? napi_enable+0x37/0x40\n[ T292] ? exc_invalid_op+0x4e/0x70\n[ T292] ? napi_enable+0x37/0x40\n[ T292] ? asm_exc_invalid_op+0x16/0x20\n[ T292] ? napi_enable+0x37/0x40\n[ T292] igb_up+0x41/0x150\n[ T292] igb_io_resume+0x25/0x70\n[ T292] report_resume+0x54/0x70\n[ T292] ? report_frozen_detected+0x20/0x20\n[ T292] pci_walk_bus+0x6c/0x90\n[ T292] ? aer_print_port_info+0xa0/0xa0\n[ T292] pcie_do_recovery+0x22f/0x380\n[ T292] aer_process_err_devices+0x110/0x160\n[ T292] aer_isr+0x1c1/0x1e0\n[ T292] ? disable_irq_nosync+0x10/0x10\n[ T292] irq_thread_fn+0x1a/0x60\n[ T292] irq_thread+0xe3/0x1a0\n[ T292] ? irq_set_affinity_notifier+0x120/0x120\n[ T292] ? irq_affinity_notify+0x100/0x100\n[ T292] kthread+0xe2/0x110\n[ T292] ? kthread_complete_and_exit+0x20/0x20\n[ T292] ret_from_fork+0x2d/0x50\n[ T292] ? kthread_complete_and_exit+0x20/0x20\n[ T292] ret_from_fork_asm+0x11/0x20\n[ T292] </TASK>\n\nTo fix this issue igb_io_resume() checks if the interface is running and\nthe device is not down this means igb_io_error_detected() did not bring\nthe device down and there is no need to bring it up.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:31:54.984Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/dca2ca65a8695d9593e2cf1b40848e073ad75413", }, { url: "https://git.kernel.org/stable/c/c92cbd283ddcf55fd85a9a9b0ba13298213f3dd7", }, { url: "https://git.kernel.org/stable/c/d79af3af2f49c6aae9add3d492c04d60c1b85ce4", }, { url: "https://git.kernel.org/stable/c/0a94079e3841d00ea5abb05e3233d019a86745f6", }, { url: "https://git.kernel.org/stable/c/6a39c8f5c8aae74c5ab2ba466791f59ffaab0178", }, { url: "https://git.kernel.org/stable/c/57c5053eaa5f9a8a99e34732e37a86615318e464", }, { url: "https://git.kernel.org/stable/c/500be93c5d53b7e2c5314292012185f0207bad0c", }, { url: "https://git.kernel.org/stable/c/330a699ecbfc9c26ec92c6310686da1230b4e7eb", }, ], title: "igb: Do not bring the device up after non-fatal error", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50040", datePublished: "2024-10-21T19:39:39.771Z", dateReserved: "2024-10-21T12:17:06.071Z", dateUpdated: "2024-12-19T09:31:54.984Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47749
Vulnerability from cvelistv5
Published
2024-10-21 12:14
Modified
2024-12-19 09:27
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/cxgb4: Added NULL check for lookup_atid
The lookup_atid() function can return NULL if the ATID is
invalid or does not exist in the identifier table, which
could lead to dereferencing a null pointer without a
check in the `act_establish()` and `act_open_rpl()` functions.
Add a NULL check to prevent null pointer dereferencing.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: cfdda9d764362ab77b11a410bb928400e6520d57 Version: cfdda9d764362ab77b11a410bb928400e6520d57 Version: cfdda9d764362ab77b11a410bb928400e6520d57 Version: cfdda9d764362ab77b11a410bb928400e6520d57 Version: cfdda9d764362ab77b11a410bb928400e6520d57 Version: cfdda9d764362ab77b11a410bb928400e6520d57 Version: cfdda9d764362ab77b11a410bb928400e6520d57 Version: cfdda9d764362ab77b11a410bb928400e6520d57 Version: cfdda9d764362ab77b11a410bb928400e6520d57 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47749", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T12:58:09.975914Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:13.297Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/infiniband/hw/cxgb4/cm.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "b12e25d91c7f97958341538c7dc63ee49d01548f", status: "affected", version: "cfdda9d764362ab77b11a410bb928400e6520d57", versionType: "git", }, { lessThan: "4e1fe68d695af367506ea3c794c5969630f21697", status: "affected", version: "cfdda9d764362ab77b11a410bb928400e6520d57", versionType: "git", }, { lessThan: "dd598ac57dcae796cb58551074660c39b43fb155", status: "affected", version: "cfdda9d764362ab77b11a410bb928400e6520d57", versionType: "git", }, { lessThan: "b11318dc8a1ec565300bb1a9073095af817cc508", status: "affected", version: "cfdda9d764362ab77b11a410bb928400e6520d57", versionType: "git", }, { lessThan: "39cb9f39913566ec5865581135f3e8123ad1aee1", status: "affected", version: "cfdda9d764362ab77b11a410bb928400e6520d57", versionType: "git", }, { lessThan: "0d50ae281a1712b9b2ca72830a96b8f11882358d", status: "affected", version: "cfdda9d764362ab77b11a410bb928400e6520d57", versionType: "git", }, { lessThan: "54aaa3ed40972511e423b604324b881425b9ff1e", status: "affected", version: "cfdda9d764362ab77b11a410bb928400e6520d57", versionType: "git", }, { lessThan: "b9c94c8ba5a713817cffd74c4bacc05187469624", status: "affected", version: "cfdda9d764362ab77b11a410bb928400e6520d57", versionType: "git", }, { lessThan: "e766e6a92410ca269161de059fff0843b8ddd65f", status: "affected", version: "cfdda9d764362ab77b11a410bb928400e6520d57", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/infiniband/hw/cxgb4/cm.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "2.6.35", }, { lessThan: "2.6.35", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/cxgb4: Added NULL check for lookup_atid\n\nThe lookup_atid() function can return NULL if the ATID is\ninvalid or does not exist in the identifier table, which\ncould lead to dereferencing a null pointer without a\ncheck in the `act_establish()` and `act_open_rpl()` functions.\nAdd a NULL check to prevent null pointer dereferencing.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:27:21.774Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/b12e25d91c7f97958341538c7dc63ee49d01548f", }, { url: "https://git.kernel.org/stable/c/4e1fe68d695af367506ea3c794c5969630f21697", }, { url: "https://git.kernel.org/stable/c/dd598ac57dcae796cb58551074660c39b43fb155", }, { url: "https://git.kernel.org/stable/c/b11318dc8a1ec565300bb1a9073095af817cc508", }, { url: "https://git.kernel.org/stable/c/39cb9f39913566ec5865581135f3e8123ad1aee1", }, { url: "https://git.kernel.org/stable/c/0d50ae281a1712b9b2ca72830a96b8f11882358d", }, { url: "https://git.kernel.org/stable/c/54aaa3ed40972511e423b604324b881425b9ff1e", }, { url: "https://git.kernel.org/stable/c/b9c94c8ba5a713817cffd74c4bacc05187469624", }, { url: "https://git.kernel.org/stable/c/e766e6a92410ca269161de059fff0843b8ddd65f", }, ], title: "RDMA/cxgb4: Added NULL check for lookup_atid", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47749", datePublished: "2024-10-21T12:14:15.126Z", dateReserved: "2024-09-30T16:00:12.961Z", dateUpdated: "2024-12-19T09:27:21.774Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49905
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:28
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Add null check for 'afb' in amdgpu_dm_plane_handle_cursor_update (v2)
This commit adds a null check for the 'afb' variable in the
amdgpu_dm_plane_handle_cursor_update function. Previously, 'afb' was
assumed to be null, but was used later in the code without a null check.
This could potentially lead to a null pointer dereference.
Changes since v1:
- Moved the null check for 'afb' to the line where 'afb' is used. (Alex)
Fixes the below:
drivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm_plane.c:1298 amdgpu_dm_plane_handle_cursor_update() error: we previously assumed 'afb' could be null (see line 1252)
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49905", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:42:22.532510Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:47.090Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "bd0e24e5e608ccb9fdda300bb974496d6d8cf57d", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "75839e2365b666ff4e1b9047e442cab138eac4f6", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "9132882eaae4d21d2fc5843b3308379a481ebdf0", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "e4e26cbe34d7c1c1db5fb7b3101573c29866439f", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "cd9e9e0852d501f169aa3bb34e4b413d2eb48c37", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add null check for 'afb' in amdgpu_dm_plane_handle_cursor_update (v2)\n\nThis commit adds a null check for the 'afb' variable in the\namdgpu_dm_plane_handle_cursor_update function. Previously, 'afb' was\nassumed to be null, but was used later in the code without a null check.\nThis could potentially lead to a null pointer dereference.\n\nChanges since v1:\n- Moved the null check for 'afb' to the line where 'afb' is used. (Alex)\n\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm_plane.c:1298 amdgpu_dm_plane_handle_cursor_update() error: we previously assumed 'afb' could be null (see line 1252)", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:28:45.643Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/bd0e24e5e608ccb9fdda300bb974496d6d8cf57d", }, { url: "https://git.kernel.org/stable/c/75839e2365b666ff4e1b9047e442cab138eac4f6", }, { url: "https://git.kernel.org/stable/c/9132882eaae4d21d2fc5843b3308379a481ebdf0", }, { url: "https://git.kernel.org/stable/c/e4e26cbe34d7c1c1db5fb7b3101573c29866439f", }, { url: "https://git.kernel.org/stable/c/cd9e9e0852d501f169aa3bb34e4b413d2eb48c37", }, ], title: "drm/amd/display: Add null check for 'afb' in amdgpu_dm_plane_handle_cursor_update (v2)", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49905", datePublished: "2024-10-21T18:01:36.038Z", dateReserved: "2024-10-21T12:17:06.027Z", dateUpdated: "2024-12-19T09:28:45.643Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-49009
Vulnerability from cvelistv5
Published
2024-10-21 20:06
Modified
2024-12-19 08:12
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
hwmon: (asus-ec-sensors) Add checks for devm_kcalloc
As the devm_kcalloc may return NULL, the return value needs to be checked
to avoid NULL poineter dereference.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-49009", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:14:06.171144Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:39.225Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/hwmon/asus-ec-sensors.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "a41ec58ac352fd176d5808af847663dc890f6053", status: "affected", version: "d0ddfd241e5719d696bc0b081e260db69d368668", versionType: "git", }, { lessThan: "9bdc112be727cf1ba65be79541147f960c3349d8", status: "affected", version: "d0ddfd241e5719d696bc0b081e260db69d368668", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/hwmon/asus-ec-sensors.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.18", }, { lessThan: "5.18", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.12", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (asus-ec-sensors) Add checks for devm_kcalloc\n\nAs the devm_kcalloc may return NULL, the return value needs to be checked\nto avoid NULL poineter dereference.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:12:22.057Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/a41ec58ac352fd176d5808af847663dc890f6053", }, { url: "https://git.kernel.org/stable/c/9bdc112be727cf1ba65be79541147f960c3349d8", }, ], title: "hwmon: (asus-ec-sensors) Add checks for devm_kcalloc", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-49009", datePublished: "2024-10-21T20:06:20.795Z", dateReserved: "2024-08-22T01:27:53.644Z", dateUpdated: "2024-12-19T08:12:22.057Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49937
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:29
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: cfg80211: Set correct chandef when starting CAC
When starting CAC in a mode other than AP mode, it return a
"WARNING: CPU: 0 PID: 63 at cfg80211_chandef_dfs_usable+0x20/0xaf [cfg80211]"
caused by the chandef.chan being null at the end of CAC.
Solution: Ensure the channel definition is set for the different modes
when starting CAC to avoid getting a NULL 'chan' at the end of CAC.
Call Trace:
? show_regs.part.0+0x14/0x16
? __warn+0x67/0xc0
? cfg80211_chandef_dfs_usable+0x20/0xaf [cfg80211]
? report_bug+0xa7/0x130
? exc_overflow+0x30/0x30
? handle_bug+0x27/0x50
? exc_invalid_op+0x18/0x60
? handle_exception+0xf6/0xf6
? exc_overflow+0x30/0x30
? cfg80211_chandef_dfs_usable+0x20/0xaf [cfg80211]
? exc_overflow+0x30/0x30
? cfg80211_chandef_dfs_usable+0x20/0xaf [cfg80211]
? regulatory_propagate_dfs_state.cold+0x1b/0x4c [cfg80211]
? cfg80211_propagate_cac_done_wk+0x1a/0x30 [cfg80211]
? process_one_work+0x165/0x280
? worker_thread+0x120/0x3f0
? kthread+0xc2/0xf0
? process_one_work+0x280/0x280
? kthread_complete_and_exit+0x20/0x20
? ret_from_fork+0x19/0x24
[shorten subject, remove OCB, reorder cases to match previous list]
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49937", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:38:15.992141Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:51.114Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/wireless/nl80211.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "95f32191e50b75e0f75fae1bb925cdf51d8df0a3", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "04053e55dd50741cf6c59b9bbaa4238218c05c70", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "f4dbfda159e43d49b43003cc3c2914751939035f", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "c628026563f4ea9e0413dd4b69429e4a1db240b1", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "20361712880396e44ce80aaeec2d93d182035651", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/wireless/nl80211.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: Set correct chandef when starting CAC\n\nWhen starting CAC in a mode other than AP mode, it return a\n\"WARNING: CPU: 0 PID: 63 at cfg80211_chandef_dfs_usable+0x20/0xaf [cfg80211]\"\ncaused by the chandef.chan being null at the end of CAC.\n\nSolution: Ensure the channel definition is set for the different modes\nwhen starting CAC to avoid getting a NULL 'chan' at the end of CAC.\n\n Call Trace:\n ? show_regs.part.0+0x14/0x16\n ? __warn+0x67/0xc0\n ? cfg80211_chandef_dfs_usable+0x20/0xaf [cfg80211]\n ? report_bug+0xa7/0x130\n ? exc_overflow+0x30/0x30\n ? handle_bug+0x27/0x50\n ? exc_invalid_op+0x18/0x60\n ? handle_exception+0xf6/0xf6\n ? exc_overflow+0x30/0x30\n ? cfg80211_chandef_dfs_usable+0x20/0xaf [cfg80211]\n ? exc_overflow+0x30/0x30\n ? cfg80211_chandef_dfs_usable+0x20/0xaf [cfg80211]\n ? regulatory_propagate_dfs_state.cold+0x1b/0x4c [cfg80211]\n ? cfg80211_propagate_cac_done_wk+0x1a/0x30 [cfg80211]\n ? process_one_work+0x165/0x280\n ? worker_thread+0x120/0x3f0\n ? kthread+0xc2/0xf0\n ? process_one_work+0x280/0x280\n ? kthread_complete_and_exit+0x20/0x20\n ? ret_from_fork+0x19/0x24\n\n[shorten subject, remove OCB, reorder cases to match previous list]", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:29:24.314Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/95f32191e50b75e0f75fae1bb925cdf51d8df0a3", }, { url: "https://git.kernel.org/stable/c/04053e55dd50741cf6c59b9bbaa4238218c05c70", }, { url: "https://git.kernel.org/stable/c/f4dbfda159e43d49b43003cc3c2914751939035f", }, { url: "https://git.kernel.org/stable/c/c628026563f4ea9e0413dd4b69429e4a1db240b1", }, { url: "https://git.kernel.org/stable/c/20361712880396e44ce80aaeec2d93d182035651", }, ], title: "wifi: cfg80211: Set correct chandef when starting CAC", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49937", datePublished: "2024-10-21T18:01:57.730Z", dateReserved: "2024-10-21T12:17:06.042Z", dateUpdated: "2024-12-19T09:29:24.314Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49958
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-19 09:30
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ocfs2: reserve space for inline xattr before attaching reflink tree
One of our customers reported a crash and a corrupted ocfs2 filesystem.
The crash was due to the detection of corruption. Upon troubleshooting,
the fsck -fn output showed the below corruption
[EXTENT_LIST_FREE] Extent list in owner 33080590 claims 230 as the next free chain record,
but fsck believes the largest valid value is 227. Clamp the next record value? n
The stat output from the debugfs.ocfs2 showed the following corruption
where the "Next Free Rec:" had overshot the "Count:" in the root metadata
block.
Inode: 33080590 Mode: 0640 Generation: 2619713622 (0x9c25a856)
FS Generation: 904309833 (0x35e6ac49)
CRC32: 00000000 ECC: 0000
Type: Regular Attr: 0x0 Flags: Valid
Dynamic Features: (0x16) HasXattr InlineXattr Refcounted
Extended Attributes Block: 0 Extended Attributes Inline Size: 256
User: 0 (root) Group: 0 (root) Size: 281320357888
Links: 1 Clusters: 141738
ctime: 0x66911b56 0x316edcb8 -- Fri Jul 12 06:02:30.829349048 2024
atime: 0x66911d6b 0x7f7a28d -- Fri Jul 12 06:11:23.133669517 2024
mtime: 0x66911b56 0x12ed75d7 -- Fri Jul 12 06:02:30.317552087 2024
dtime: 0x0 -- Wed Dec 31 17:00:00 1969
Refcount Block: 2777346
Last Extblk: 2886943 Orphan Slot: 0
Sub Alloc Slot: 0 Sub Alloc Bit: 14
Tree Depth: 1 Count: 227 Next Free Rec: 230
## Offset Clusters Block#
0 0 2310 2776351
1 2310 2139 2777375
2 4449 1221 2778399
3 5670 731 2779423
4 6401 566 2780447
....... .... .......
....... .... .......
The issue was in the reflink workfow while reserving space for inline
xattr. The problematic function is ocfs2_reflink_xattr_inline(). By the
time this function is called the reflink tree is already recreated at the
destination inode from the source inode. At this point, this function
reserves space for inline xattrs at the destination inode without even
checking if there is space at the root metadata block. It simply reduces
the l_count from 243 to 227 thereby making space of 256 bytes for inline
xattr whereas the inode already has extents beyond this index (in this
case up to 230), thereby causing corruption.
The fix for this is to reserve space for inline metadata at the destination
inode before the reflink tree gets recreated. The customer has verified the
fix.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: ef962df057aaafd714f5c22ba3de1be459571fdf Version: ef962df057aaafd714f5c22ba3de1be459571fdf Version: ef962df057aaafd714f5c22ba3de1be459571fdf Version: ef962df057aaafd714f5c22ba3de1be459571fdf Version: ef962df057aaafd714f5c22ba3de1be459571fdf Version: ef962df057aaafd714f5c22ba3de1be459571fdf Version: ef962df057aaafd714f5c22ba3de1be459571fdf Version: ef962df057aaafd714f5c22ba3de1be459571fdf Version: ef962df057aaafd714f5c22ba3de1be459571fdf |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49958", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:35:29.206736Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:48.118Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/ocfs2/refcounttree.c", "fs/ocfs2/xattr.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "5c9807c523b4fca81d3e8e864dabc8c806402121", status: "affected", version: "ef962df057aaafd714f5c22ba3de1be459571fdf", versionType: "git", }, { lessThan: "74364cb578dcc0b6c9109519d19cbe5a56afac9a", status: "affected", version: "ef962df057aaafd714f5c22ba3de1be459571fdf", versionType: "git", }, { lessThan: "aac31d654a0a31cb0d2fa36ae694f4e164a52707", status: "affected", version: "ef962df057aaafd714f5c22ba3de1be459571fdf", versionType: "git", }, { lessThan: "020f5c53c17f66c0a8f2d37dad27ace301b8d8a1", status: "affected", version: "ef962df057aaafd714f5c22ba3de1be459571fdf", versionType: "git", }, { lessThan: "5c2072f02c0d75802ec28ec703b7d43a0dd008b5", status: "affected", version: "ef962df057aaafd714f5c22ba3de1be459571fdf", versionType: "git", }, { lessThan: "637c00e06564a945e9d0edb3d78d362d64935f9f", status: "affected", version: "ef962df057aaafd714f5c22ba3de1be459571fdf", versionType: "git", }, { lessThan: "9f9a8f3ac65b4147f1a7b6c05fad5192c0e3c3d9", status: "affected", version: "ef962df057aaafd714f5c22ba3de1be459571fdf", versionType: "git", }, { lessThan: "96ce4c3537114d1698be635f5e36c62dc49df7a4", status: "affected", version: "ef962df057aaafd714f5c22ba3de1be459571fdf", versionType: "git", }, { lessThan: "5ca60b86f57a4d9648f68418a725b3a7de2816b0", status: "affected", version: "ef962df057aaafd714f5c22ba3de1be459571fdf", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/ocfs2/refcounttree.c", "fs/ocfs2/xattr.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "3.11", }, { lessThan: "3.11", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: reserve space for inline xattr before attaching reflink tree\n\nOne of our customers reported a crash and a corrupted ocfs2 filesystem. \nThe crash was due to the detection of corruption. Upon troubleshooting,\nthe fsck -fn output showed the below corruption\n\n[EXTENT_LIST_FREE] Extent list in owner 33080590 claims 230 as the next free chain record,\nbut fsck believes the largest valid value is 227. Clamp the next record value? n\n\nThe stat output from the debugfs.ocfs2 showed the following corruption\nwhere the \"Next Free Rec:\" had overshot the \"Count:\" in the root metadata\nblock.\n\n Inode: 33080590 Mode: 0640 Generation: 2619713622 (0x9c25a856)\n FS Generation: 904309833 (0x35e6ac49)\n CRC32: 00000000 ECC: 0000\n Type: Regular Attr: 0x0 Flags: Valid\n Dynamic Features: (0x16) HasXattr InlineXattr Refcounted\n Extended Attributes Block: 0 Extended Attributes Inline Size: 256\n User: 0 (root) Group: 0 (root) Size: 281320357888\n Links: 1 Clusters: 141738\n ctime: 0x66911b56 0x316edcb8 -- Fri Jul 12 06:02:30.829349048 2024\n atime: 0x66911d6b 0x7f7a28d -- Fri Jul 12 06:11:23.133669517 2024\n mtime: 0x66911b56 0x12ed75d7 -- Fri Jul 12 06:02:30.317552087 2024\n dtime: 0x0 -- Wed Dec 31 17:00:00 1969\n Refcount Block: 2777346\n Last Extblk: 2886943 Orphan Slot: 0\n Sub Alloc Slot: 0 Sub Alloc Bit: 14\n Tree Depth: 1 Count: 227 Next Free Rec: 230\n ## Offset Clusters Block#\n 0 0 2310 2776351\n 1 2310 2139 2777375\n 2 4449 1221 2778399\n 3 5670 731 2779423\n 4 6401 566 2780447\n ....... .... .......\n ....... .... .......\n\nThe issue was in the reflink workfow while reserving space for inline\nxattr. The problematic function is ocfs2_reflink_xattr_inline(). By the\ntime this function is called the reflink tree is already recreated at the\ndestination inode from the source inode. At this point, this function\nreserves space for inline xattrs at the destination inode without even\nchecking if there is space at the root metadata block. It simply reduces\nthe l_count from 243 to 227 thereby making space of 256 bytes for inline\nxattr whereas the inode already has extents beyond this index (in this\ncase up to 230), thereby causing corruption.\n\nThe fix for this is to reserve space for inline metadata at the destination\ninode before the reflink tree gets recreated. The customer has verified the\nfix.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:30:09.822Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/5c9807c523b4fca81d3e8e864dabc8c806402121", }, { url: "https://git.kernel.org/stable/c/74364cb578dcc0b6c9109519d19cbe5a56afac9a", }, { url: "https://git.kernel.org/stable/c/aac31d654a0a31cb0d2fa36ae694f4e164a52707", }, { url: "https://git.kernel.org/stable/c/020f5c53c17f66c0a8f2d37dad27ace301b8d8a1", }, { url: "https://git.kernel.org/stable/c/5c2072f02c0d75802ec28ec703b7d43a0dd008b5", }, { url: "https://git.kernel.org/stable/c/637c00e06564a945e9d0edb3d78d362d64935f9f", }, { url: "https://git.kernel.org/stable/c/9f9a8f3ac65b4147f1a7b6c05fad5192c0e3c3d9", }, { url: "https://git.kernel.org/stable/c/96ce4c3537114d1698be635f5e36c62dc49df7a4", }, { url: "https://git.kernel.org/stable/c/5ca60b86f57a4d9648f68418a725b3a7de2816b0", }, ], title: "ocfs2: reserve space for inline xattr before attaching reflink tree", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49958", datePublished: "2024-10-21T18:02:11.702Z", dateReserved: "2024-10-21T12:17:06.048Z", dateUpdated: "2024-12-19T09:30:09.822Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48982
Vulnerability from cvelistv5
Published
2024-10-21 20:05
Modified
2024-12-19 08:11
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: Fix crash when replugging CSR fake controllers
It seems fake CSR 5.0 clones can cause the suspend notifier to be
registered twice causing the following kernel panic:
[ 71.986122] Call Trace:
[ 71.986124] <TASK>
[ 71.986125] blocking_notifier_chain_register+0x33/0x60
[ 71.986130] hci_register_dev+0x316/0x3d0 [bluetooth 99b5497ea3d09708fa1366c1dc03288bf3cca8da]
[ 71.986154] btusb_probe+0x979/0xd85 [btusb e1e0605a4f4c01984a4b9c8ac58c3666ae287477]
[ 71.986159] ? __pm_runtime_set_status+0x1a9/0x300
[ 71.986162] ? ktime_get_mono_fast_ns+0x3e/0x90
[ 71.986167] usb_probe_interface+0xe3/0x2b0
[ 71.986171] really_probe+0xdb/0x380
[ 71.986174] ? pm_runtime_barrier+0x54/0x90
[ 71.986177] __driver_probe_device+0x78/0x170
[ 71.986180] driver_probe_device+0x1f/0x90
[ 71.986183] __device_attach_driver+0x89/0x110
[ 71.986186] ? driver_allows_async_probing+0x70/0x70
[ 71.986189] bus_for_each_drv+0x8c/0xe0
[ 71.986192] __device_attach+0xb2/0x1e0
[ 71.986195] bus_probe_device+0x92/0xb0
[ 71.986198] device_add+0x422/0x9a0
[ 71.986201] ? sysfs_merge_group+0xd4/0x110
[ 71.986205] usb_set_configuration+0x57a/0x820
[ 71.986208] usb_generic_driver_probe+0x4f/0x70
[ 71.986211] usb_probe_device+0x3a/0x110
[ 71.986213] really_probe+0xdb/0x380
[ 71.986216] ? pm_runtime_barrier+0x54/0x90
[ 71.986219] __driver_probe_device+0x78/0x170
[ 71.986221] driver_probe_device+0x1f/0x90
[ 71.986224] __device_attach_driver+0x89/0x110
[ 71.986227] ? driver_allows_async_probing+0x70/0x70
[ 71.986230] bus_for_each_drv+0x8c/0xe0
[ 71.986232] __device_attach+0xb2/0x1e0
[ 71.986235] bus_probe_device+0x92/0xb0
[ 71.986237] device_add+0x422/0x9a0
[ 71.986239] ? _dev_info+0x7d/0x98
[ 71.986242] ? blake2s_update+0x4c/0xc0
[ 71.986246] usb_new_device.cold+0x148/0x36d
[ 71.986250] hub_event+0xa8a/0x1910
[ 71.986255] process_one_work+0x1c4/0x380
[ 71.986259] worker_thread+0x51/0x390
[ 71.986262] ? rescuer_thread+0x3b0/0x3b0
[ 71.986264] kthread+0xdb/0x110
[ 71.986266] ? kthread_complete_and_exit+0x20/0x20
[ 71.986268] ret_from_fork+0x1f/0x30
[ 71.986273] </TASK>
[ 71.986274] ---[ end trace 0000000000000000 ]---
[ 71.986284] btusb: probe of 2-1.6:1.0 failed with error -17
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48982", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:17:43.177628Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:43.558Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/bluetooth/hci_core.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "549b46f8130effccf168293270bb3b1d5da529cc", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "a49894a5ac3656f1a4f0f6b110460060e8026bf8", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "dc8fa6570deadb70c3fb74d7cd8ce38849feaed0", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "b5ca338751ad4783ec8d37b5d99c3e37b7813e59", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/bluetooth/hci_core.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.159", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.83", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.13", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix crash when replugging CSR fake controllers\n\nIt seems fake CSR 5.0 clones can cause the suspend notifier to be\nregistered twice causing the following kernel panic:\n\n[ 71.986122] Call Trace:\n[ 71.986124] <TASK>\n[ 71.986125] blocking_notifier_chain_register+0x33/0x60\n[ 71.986130] hci_register_dev+0x316/0x3d0 [bluetooth 99b5497ea3d09708fa1366c1dc03288bf3cca8da]\n[ 71.986154] btusb_probe+0x979/0xd85 [btusb e1e0605a4f4c01984a4b9c8ac58c3666ae287477]\n[ 71.986159] ? __pm_runtime_set_status+0x1a9/0x300\n[ 71.986162] ? ktime_get_mono_fast_ns+0x3e/0x90\n[ 71.986167] usb_probe_interface+0xe3/0x2b0\n[ 71.986171] really_probe+0xdb/0x380\n[ 71.986174] ? pm_runtime_barrier+0x54/0x90\n[ 71.986177] __driver_probe_device+0x78/0x170\n[ 71.986180] driver_probe_device+0x1f/0x90\n[ 71.986183] __device_attach_driver+0x89/0x110\n[ 71.986186] ? driver_allows_async_probing+0x70/0x70\n[ 71.986189] bus_for_each_drv+0x8c/0xe0\n[ 71.986192] __device_attach+0xb2/0x1e0\n[ 71.986195] bus_probe_device+0x92/0xb0\n[ 71.986198] device_add+0x422/0x9a0\n[ 71.986201] ? sysfs_merge_group+0xd4/0x110\n[ 71.986205] usb_set_configuration+0x57a/0x820\n[ 71.986208] usb_generic_driver_probe+0x4f/0x70\n[ 71.986211] usb_probe_device+0x3a/0x110\n[ 71.986213] really_probe+0xdb/0x380\n[ 71.986216] ? pm_runtime_barrier+0x54/0x90\n[ 71.986219] __driver_probe_device+0x78/0x170\n[ 71.986221] driver_probe_device+0x1f/0x90\n[ 71.986224] __device_attach_driver+0x89/0x110\n[ 71.986227] ? driver_allows_async_probing+0x70/0x70\n[ 71.986230] bus_for_each_drv+0x8c/0xe0\n[ 71.986232] __device_attach+0xb2/0x1e0\n[ 71.986235] bus_probe_device+0x92/0xb0\n[ 71.986237] device_add+0x422/0x9a0\n[ 71.986239] ? _dev_info+0x7d/0x98\n[ 71.986242] ? blake2s_update+0x4c/0xc0\n[ 71.986246] usb_new_device.cold+0x148/0x36d\n[ 71.986250] hub_event+0xa8a/0x1910\n[ 71.986255] process_one_work+0x1c4/0x380\n[ 71.986259] worker_thread+0x51/0x390\n[ 71.986262] ? rescuer_thread+0x3b0/0x3b0\n[ 71.986264] kthread+0xdb/0x110\n[ 71.986266] ? kthread_complete_and_exit+0x20/0x20\n[ 71.986268] ret_from_fork+0x1f/0x30\n[ 71.986273] </TASK>\n[ 71.986274] ---[ end trace 0000000000000000 ]---\n[ 71.986284] btusb: probe of 2-1.6:1.0 failed with error -17", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:11:51.973Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/549b46f8130effccf168293270bb3b1d5da529cc", }, { url: "https://git.kernel.org/stable/c/a49894a5ac3656f1a4f0f6b110460060e8026bf8", }, { url: "https://git.kernel.org/stable/c/dc8fa6570deadb70c3fb74d7cd8ce38849feaed0", }, { url: "https://git.kernel.org/stable/c/b5ca338751ad4783ec8d37b5d99c3e37b7813e59", }, ], title: "Bluetooth: Fix crash when replugging CSR fake controllers", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48982", datePublished: "2024-10-21T20:05:59.710Z", dateReserved: "2024-08-22T01:27:53.633Z", dateUpdated: "2024-12-19T08:11:51.973Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47684
Vulnerability from cvelistv5
Published
2024-10-21 11:53
Modified
2024-12-19 09:25
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tcp: check skb is non-NULL in tcp_rto_delta_us()
We have some machines running stock Ubuntu 20.04.6 which is their 5.4.0-174-generic
kernel that are running ceph and recently hit a null ptr dereference in
tcp_rearm_rto(). Initially hitting it from the TLP path, but then later we also
saw it getting hit from the RACK case as well. Here are examples of the oops
messages we saw in each of those cases:
Jul 26 15:05:02 rx [11061395.780353] BUG: kernel NULL pointer dereference, address: 0000000000000020
Jul 26 15:05:02 rx [11061395.787572] #PF: supervisor read access in kernel mode
Jul 26 15:05:02 rx [11061395.792971] #PF: error_code(0x0000) - not-present page
Jul 26 15:05:02 rx [11061395.798362] PGD 0 P4D 0
Jul 26 15:05:02 rx [11061395.801164] Oops: 0000 [#1] SMP NOPTI
Jul 26 15:05:02 rx [11061395.805091] CPU: 0 PID: 9180 Comm: msgr-worker-1 Tainted: G W 5.4.0-174-generic #193-Ubuntu
Jul 26 15:05:02 rx [11061395.814996] Hardware name: Supermicro SMC 2x26 os-gen8 64C NVME-Y 256G/H12SSW-NTR, BIOS 2.5.V1.2U.NVMe.UEFI 05/09/2023
Jul 26 15:05:02 rx [11061395.825952] RIP: 0010:tcp_rearm_rto+0xe4/0x160
Jul 26 15:05:02 rx [11061395.830656] Code: 87 ca 04 00 00 00 5b 41 5c 41 5d 5d c3 c3 49 8b bc 24 40 06 00 00 eb 8d 48 bb cf f7 53 e3 a5 9b c4 20 4c 89 ef e8 0c fe 0e 00 <48> 8b 78 20 48 c1 ef 03 48 89 f8 41 8b bc 24 80 04 00 00 48 f7 e3
Jul 26 15:05:02 rx [11061395.849665] RSP: 0018:ffffb75d40003e08 EFLAGS: 00010246
Jul 26 15:05:02 rx [11061395.855149] RAX: 0000000000000000 RBX: 20c49ba5e353f7cf RCX: 0000000000000000
Jul 26 15:05:02 rx [11061395.862542] RDX: 0000000062177c30 RSI: 000000000000231c RDI: ffff9874ad283a60
Jul 26 15:05:02 rx [11061395.869933] RBP: ffffb75d40003e20 R08: 0000000000000000 R09: ffff987605e20aa8
Jul 26 15:05:02 rx [11061395.877318] R10: ffffb75d40003f00 R11: ffffb75d4460f740 R12: ffff9874ad283900
Jul 26 15:05:02 rx [11061395.884710] R13: ffff9874ad283a60 R14: ffff9874ad283980 R15: ffff9874ad283d30
Jul 26 15:05:02 rx [11061395.892095] FS: 00007f1ef4a2e700(0000) GS:ffff987605e00000(0000) knlGS:0000000000000000
Jul 26 15:05:02 rx [11061395.900438] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Jul 26 15:05:02 rx [11061395.906435] CR2: 0000000000000020 CR3: 0000003e450ba003 CR4: 0000000000760ef0
Jul 26 15:05:02 rx [11061395.913822] PKRU: 55555554
Jul 26 15:05:02 rx [11061395.916786] Call Trace:
Jul 26 15:05:02 rx [11061395.919488]
Jul 26 15:05:02 rx [11061395.921765] ? show_regs.cold+0x1a/0x1f
Jul 26 15:05:02 rx [11061395.925859] ? __die+0x90/0xd9
Jul 26 15:05:02 rx [11061395.929169] ? no_context+0x196/0x380
Jul 26 15:05:02 rx [11061395.933088] ? ip6_protocol_deliver_rcu+0x4e0/0x4e0
Jul 26 15:05:02 rx [11061395.938216] ? ip6_sublist_rcv_finish+0x3d/0x50
Jul 26 15:05:02 rx [11061395.943000] ? __bad_area_nosemaphore+0x50/0x1a0
Jul 26 15:05:02 rx [11061395.947873] ? bad_area_nosemaphore+0x16/0x20
Jul 26 15:05:02 rx [11061395.952486] ? do_user_addr_fault+0x267/0x450
Jul 26 15:05:02 rx [11061395.957104] ? ipv6_list_rcv+0x112/0x140
Jul 26 15:05:02 rx [11061395.961279] ? __do_page_fault+0x58/0x90
Jul 26 15:05:02 rx [11061395.965458] ? do_page_fault+0x2c/0xe0
Jul 26 15:05:02 rx [11061395.969465] ? page_fault+0x34/0x40
Jul 26 15:05:02 rx [11061395.973217] ? tcp_rearm_rto+0xe4/0x160
Jul 26 15:05:02 rx [11061395.977313] ? tcp_rearm_rto+0xe4/0x160
Jul 26 15:05:02 rx [11061395.981408] tcp_send_loss_probe+0x10b/0x220
Jul 26 15:05:02 rx [11061395.985937] tcp_write_timer_handler+0x1b4/0x240
Jul 26 15:05:02 rx [11061395.990809] tcp_write_timer+0x9e/0xe0
Jul 26 15:05:02 rx [11061395.994814] ? tcp_write_timer_handler+0x240/0x240
Jul 26 15:05:02 rx [11061395.999866] call_timer_fn+0x32/0x130
Jul 26 15:05:02 rx [11061396.003782] __run_timers.part.0+0x180/0x280
Jul 26 15:05:02 rx [11061396.008309] ? recalibrate_cpu_khz+0x10/0x10
Jul 26 15:05:02 rx [11061396.012841] ? native_x2apic_icr_write+0x30/0x30
Jul 26 15:05:02 rx [11061396.017718] ? lapic_next_even
---truncated---
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: e1a10ef7fa876f8510aaec36ea5c0cf34baba410 Version: e1a10ef7fa876f8510aaec36ea5c0cf34baba410 Version: e1a10ef7fa876f8510aaec36ea5c0cf34baba410 Version: e1a10ef7fa876f8510aaec36ea5c0cf34baba410 Version: e1a10ef7fa876f8510aaec36ea5c0cf34baba410 Version: e1a10ef7fa876f8510aaec36ea5c0cf34baba410 Version: e1a10ef7fa876f8510aaec36ea5c0cf34baba410 Version: e1a10ef7fa876f8510aaec36ea5c0cf34baba410 Version: e1a10ef7fa876f8510aaec36ea5c0cf34baba410 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47684", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:06:54.270421Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:14:16.209Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "include/net/tcp.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "ad4f0a14d6856e68f023fc4e5017cfd881a3dfbc", status: "affected", version: "e1a10ef7fa876f8510aaec36ea5c0cf34baba410", versionType: "git", }, { lessThan: "16e0387d87fc858e34449fdf2b14ed5837f761db", status: "affected", version: "e1a10ef7fa876f8510aaec36ea5c0cf34baba410", versionType: "git", }, { lessThan: "ec31cf42fc4e35bb1248ce6eb1de6de9f851ac86", status: "affected", version: "e1a10ef7fa876f8510aaec36ea5c0cf34baba410", versionType: "git", }, { lessThan: "5c4c03288a4aea705e36aa44119c13d7ee4dce99", status: "affected", version: "e1a10ef7fa876f8510aaec36ea5c0cf34baba410", versionType: "git", }, { lessThan: "96c4983eab2a5da235f7fff90beaf17b008ba029", status: "affected", version: "e1a10ef7fa876f8510aaec36ea5c0cf34baba410", versionType: "git", }, { lessThan: "570f7d8c9bf14f041152ba8353d4330ef7575915", status: "affected", version: "e1a10ef7fa876f8510aaec36ea5c0cf34baba410", versionType: "git", }, { lessThan: "81d18c152e3f82bacadf83bc0a471b2363b9cc18", status: "affected", version: "e1a10ef7fa876f8510aaec36ea5c0cf34baba410", versionType: "git", }, { lessThan: "09aea49fbc7e755a915c405644f347137cdb62b0", status: "affected", version: "e1a10ef7fa876f8510aaec36ea5c0cf34baba410", versionType: "git", }, { lessThan: "c8770db2d54437a5f49417ae7b46f7de23d14db6", status: "affected", version: "e1a10ef7fa876f8510aaec36ea5c0cf34baba410", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "include/net/tcp.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "4.13", }, { lessThan: "4.13", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: check skb is non-NULL in tcp_rto_delta_us()\n\nWe have some machines running stock Ubuntu 20.04.6 which is their 5.4.0-174-generic\nkernel that are running ceph and recently hit a null ptr dereference in\ntcp_rearm_rto(). Initially hitting it from the TLP path, but then later we also\nsaw it getting hit from the RACK case as well. Here are examples of the oops\nmessages we saw in each of those cases:\n\nJul 26 15:05:02 rx [11061395.780353] BUG: kernel NULL pointer dereference, address: 0000000000000020\nJul 26 15:05:02 rx [11061395.787572] #PF: supervisor read access in kernel mode\nJul 26 15:05:02 rx [11061395.792971] #PF: error_code(0x0000) - not-present page\nJul 26 15:05:02 rx [11061395.798362] PGD 0 P4D 0\nJul 26 15:05:02 rx [11061395.801164] Oops: 0000 [#1] SMP NOPTI\nJul 26 15:05:02 rx [11061395.805091] CPU: 0 PID: 9180 Comm: msgr-worker-1 Tainted: G W 5.4.0-174-generic #193-Ubuntu\nJul 26 15:05:02 rx [11061395.814996] Hardware name: Supermicro SMC 2x26 os-gen8 64C NVME-Y 256G/H12SSW-NTR, BIOS 2.5.V1.2U.NVMe.UEFI 05/09/2023\nJul 26 15:05:02 rx [11061395.825952] RIP: 0010:tcp_rearm_rto+0xe4/0x160\nJul 26 15:05:02 rx [11061395.830656] Code: 87 ca 04 00 00 00 5b 41 5c 41 5d 5d c3 c3 49 8b bc 24 40 06 00 00 eb 8d 48 bb cf f7 53 e3 a5 9b c4 20 4c 89 ef e8 0c fe 0e 00 <48> 8b 78 20 48 c1 ef 03 48 89 f8 41 8b bc 24 80 04 00 00 48 f7 e3\nJul 26 15:05:02 rx [11061395.849665] RSP: 0018:ffffb75d40003e08 EFLAGS: 00010246\nJul 26 15:05:02 rx [11061395.855149] RAX: 0000000000000000 RBX: 20c49ba5e353f7cf RCX: 0000000000000000\nJul 26 15:05:02 rx [11061395.862542] RDX: 0000000062177c30 RSI: 000000000000231c RDI: ffff9874ad283a60\nJul 26 15:05:02 rx [11061395.869933] RBP: ffffb75d40003e20 R08: 0000000000000000 R09: ffff987605e20aa8\nJul 26 15:05:02 rx [11061395.877318] R10: ffffb75d40003f00 R11: ffffb75d4460f740 R12: ffff9874ad283900\nJul 26 15:05:02 rx [11061395.884710] R13: ffff9874ad283a60 R14: ffff9874ad283980 R15: ffff9874ad283d30\nJul 26 15:05:02 rx [11061395.892095] FS: 00007f1ef4a2e700(0000) GS:ffff987605e00000(0000) knlGS:0000000000000000\nJul 26 15:05:02 rx [11061395.900438] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nJul 26 15:05:02 rx [11061395.906435] CR2: 0000000000000020 CR3: 0000003e450ba003 CR4: 0000000000760ef0\nJul 26 15:05:02 rx [11061395.913822] PKRU: 55555554\nJul 26 15:05:02 rx [11061395.916786] Call Trace:\nJul 26 15:05:02 rx [11061395.919488]\nJul 26 15:05:02 rx [11061395.921765] ? show_regs.cold+0x1a/0x1f\nJul 26 15:05:02 rx [11061395.925859] ? __die+0x90/0xd9\nJul 26 15:05:02 rx [11061395.929169] ? no_context+0x196/0x380\nJul 26 15:05:02 rx [11061395.933088] ? ip6_protocol_deliver_rcu+0x4e0/0x4e0\nJul 26 15:05:02 rx [11061395.938216] ? ip6_sublist_rcv_finish+0x3d/0x50\nJul 26 15:05:02 rx [11061395.943000] ? __bad_area_nosemaphore+0x50/0x1a0\nJul 26 15:05:02 rx [11061395.947873] ? bad_area_nosemaphore+0x16/0x20\nJul 26 15:05:02 rx [11061395.952486] ? do_user_addr_fault+0x267/0x450\nJul 26 15:05:02 rx [11061395.957104] ? ipv6_list_rcv+0x112/0x140\nJul 26 15:05:02 rx [11061395.961279] ? __do_page_fault+0x58/0x90\nJul 26 15:05:02 rx [11061395.965458] ? do_page_fault+0x2c/0xe0\nJul 26 15:05:02 rx [11061395.969465] ? page_fault+0x34/0x40\nJul 26 15:05:02 rx [11061395.973217] ? tcp_rearm_rto+0xe4/0x160\nJul 26 15:05:02 rx [11061395.977313] ? tcp_rearm_rto+0xe4/0x160\nJul 26 15:05:02 rx [11061395.981408] tcp_send_loss_probe+0x10b/0x220\nJul 26 15:05:02 rx [11061395.985937] tcp_write_timer_handler+0x1b4/0x240\nJul 26 15:05:02 rx [11061395.990809] tcp_write_timer+0x9e/0xe0\nJul 26 15:05:02 rx [11061395.994814] ? tcp_write_timer_handler+0x240/0x240\nJul 26 15:05:02 rx [11061395.999866] call_timer_fn+0x32/0x130\nJul 26 15:05:02 rx [11061396.003782] __run_timers.part.0+0x180/0x280\nJul 26 15:05:02 rx [11061396.008309] ? recalibrate_cpu_khz+0x10/0x10\nJul 26 15:05:02 rx [11061396.012841] ? native_x2apic_icr_write+0x30/0x30\nJul 26 15:05:02 rx [11061396.017718] ? lapic_next_even\n---truncated---", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:25:57.237Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/ad4f0a14d6856e68f023fc4e5017cfd881a3dfbc", }, { url: "https://git.kernel.org/stable/c/16e0387d87fc858e34449fdf2b14ed5837f761db", }, { url: "https://git.kernel.org/stable/c/ec31cf42fc4e35bb1248ce6eb1de6de9f851ac86", }, { url: "https://git.kernel.org/stable/c/5c4c03288a4aea705e36aa44119c13d7ee4dce99", }, { url: "https://git.kernel.org/stable/c/96c4983eab2a5da235f7fff90beaf17b008ba029", }, { url: "https://git.kernel.org/stable/c/570f7d8c9bf14f041152ba8353d4330ef7575915", }, { url: "https://git.kernel.org/stable/c/81d18c152e3f82bacadf83bc0a471b2363b9cc18", }, { url: "https://git.kernel.org/stable/c/09aea49fbc7e755a915c405644f347137cdb62b0", }, { url: "https://git.kernel.org/stable/c/c8770db2d54437a5f49417ae7b46f7de23d14db6", }, ], title: "tcp: check skb is non-NULL in tcp_rto_delta_us()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47684", datePublished: "2024-10-21T11:53:25.787Z", dateReserved: "2024-09-30T16:00:12.941Z", dateUpdated: "2024-12-19T09:25:57.237Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49864
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:27
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: Fix a race between socket set up and I/O thread creation
In rxrpc_open_socket(), it sets up the socket and then sets up the I/O
thread that will handle it. This is a problem, however, as there's a gap
between the two phases in which a packet may come into rxrpc_encap_rcv()
from the UDP packet but we oops when trying to wake the not-yet created I/O
thread.
As a quick fix, just make rxrpc_encap_rcv() discard the packet if there's
no I/O thread yet.
A better, but more intrusive fix would perhaps be to rearrange things such
that the socket creation is done by the I/O thread.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49864", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:47:53.708864Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:52.920Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/rxrpc/ar-internal.h", "net/rxrpc/io_thread.c", "net/rxrpc/local_object.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "cdf4bbbdb956d7426f687f38757ebca2a2759a0f", status: "affected", version: "a275da62e8c111b897b9cb73eb91df2f4e475ca5", versionType: "git", }, { lessThan: "56e415202b8a17de6496f4023e545fcb66f118ec", status: "affected", version: "a275da62e8c111b897b9cb73eb91df2f4e475ca5", versionType: "git", }, { lessThan: "c64f5fc95e9612fdf75587c8e21e494e614c18e2", status: "affected", version: "a275da62e8c111b897b9cb73eb91df2f4e475ca5", versionType: "git", }, { lessThan: "bc212465326e8587325f520a052346f0b57360e6", status: "affected", version: "a275da62e8c111b897b9cb73eb91df2f4e475ca5", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/rxrpc/ar-internal.h", "net/rxrpc/io_thread.c", "net/rxrpc/local_object.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.2", }, { lessThan: "6.2", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix a race between socket set up and I/O thread creation\n\nIn rxrpc_open_socket(), it sets up the socket and then sets up the I/O\nthread that will handle it. This is a problem, however, as there's a gap\nbetween the two phases in which a packet may come into rxrpc_encap_rcv()\nfrom the UDP packet but we oops when trying to wake the not-yet created I/O\nthread.\n\nAs a quick fix, just make rxrpc_encap_rcv() discard the packet if there's\nno I/O thread yet.\n\nA better, but more intrusive fix would perhaps be to rearrange things such\nthat the socket creation is done by the I/O thread.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:27:49.620Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/cdf4bbbdb956d7426f687f38757ebca2a2759a0f", }, { url: "https://git.kernel.org/stable/c/56e415202b8a17de6496f4023e545fcb66f118ec", }, { url: "https://git.kernel.org/stable/c/c64f5fc95e9612fdf75587c8e21e494e614c18e2", }, { url: "https://git.kernel.org/stable/c/bc212465326e8587325f520a052346f0b57360e6", }, ], title: "rxrpc: Fix a race between socket set up and I/O thread creation", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49864", datePublished: "2024-10-21T18:01:07.874Z", dateReserved: "2024-10-21T12:17:06.017Z", dateUpdated: "2024-12-19T09:27:49.620Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50022
Vulnerability from cvelistv5
Published
2024-10-21 19:39
Modified
2024-12-19 09:31
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
device-dax: correct pgoff align in dax_set_mapping()
pgoff should be aligned using ALIGN_DOWN() instead of ALIGN(). Otherwise,
vmf->address not aligned to fault_size will be aligned to the next
alignment, that can result in memory failure getting the wrong address.
It's a subtle situation that only can be observed in
page_mapped_in_vma() after the page is page fault handled by
dev_dax_huge_fault. Generally, there is little chance to perform
page_mapped_in_vma in dev-dax's page unless in specific error injection
to the dax device to trigger an MCE - memory-failure. In that case,
page_mapped_in_vma() will be triggered to determine which task is
accessing the failure address and kill that task in the end.
We used self-developed dax device (which is 2M aligned mapping) , to
perform error injection to random address. It turned out that error
injected to non-2M-aligned address was causing endless MCE until panic.
Because page_mapped_in_vma() kept resulting wrong address and the task
accessing the failure address was never killed properly:
[ 3783.719419] Memory failure: 0x200c9742: recovery action for dax page:
Recovered
[ 3784.049006] mce: Uncorrected hardware memory error in user-access at
200c9742380
[ 3784.049190] Memory failure: 0x200c9742: recovery action for dax page:
Recovered
[ 3784.448042] mce: Uncorrected hardware memory error in user-access at
200c9742380
[ 3784.448186] Memory failure: 0x200c9742: recovery action for dax page:
Recovered
[ 3784.792026] mce: Uncorrected hardware memory error in user-access at
200c9742380
[ 3784.792179] Memory failure: 0x200c9742: recovery action for dax page:
Recovered
[ 3785.162502] mce: Uncorrected hardware memory error in user-access at
200c9742380
[ 3785.162633] Memory failure: 0x200c9742: recovery action for dax page:
Recovered
[ 3785.461116] mce: Uncorrected hardware memory error in user-access at
200c9742380
[ 3785.461247] Memory failure: 0x200c9742: recovery action for dax page:
Recovered
[ 3785.764730] mce: Uncorrected hardware memory error in user-access at
200c9742380
[ 3785.764859] Memory failure: 0x200c9742: recovery action for dax page:
Recovered
[ 3786.042128] mce: Uncorrected hardware memory error in user-access at
200c9742380
[ 3786.042259] Memory failure: 0x200c9742: recovery action for dax page:
Recovered
[ 3786.464293] mce: Uncorrected hardware memory error in user-access at
200c9742380
[ 3786.464423] Memory failure: 0x200c9742: recovery action for dax page:
Recovered
[ 3786.818090] mce: Uncorrected hardware memory error in user-access at
200c9742380
[ 3786.818217] Memory failure: 0x200c9742: recovery action for dax page:
Recovered
[ 3787.085297] mce: Uncorrected hardware memory error in user-access at
200c9742380
[ 3787.085424] Memory failure: 0x200c9742: recovery action for dax page:
Recovered
It took us several weeks to pinpoint this problem, but we eventually
used bpftrace to trace the page fault and mce address and successfully
identified the issue.
Joao added:
; Likely we never reproduce in production because we always pin
: device-dax regions in the region align they provide (Qemu does
: similarly with prealloc in hugetlb/file backed memory). I think this
: bug requires that we touch *unpinned* device-dax regions unaligned to
: the device-dax selected alignment (page size i.e. 4K/2M/1G)
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50022", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:27:15.558211Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:47.118Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/dax/device.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "9c4198dfdca818c5ce19c764d90eabd156bbc6da", status: "affected", version: "b9b5777f09be84d0de472ded2253d2f5101427f2", versionType: "git", }, { lessThan: "b822007e8db341d6f175c645ed79866db501ad86", status: "affected", version: "b9b5777f09be84d0de472ded2253d2f5101427f2", versionType: "git", }, { lessThan: "e877427d218159ac29c9326100920d24330c9ee6", status: "affected", version: "b9b5777f09be84d0de472ded2253d2f5101427f2", versionType: "git", }, { lessThan: "7fcbd9785d4c17ea533c42f20a9083a83f301fa6", status: "affected", version: "b9b5777f09be84d0de472ded2253d2f5101427f2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/dax/device.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.17", }, { lessThan: "5.17", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.57", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.4", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndevice-dax: correct pgoff align in dax_set_mapping()\n\npgoff should be aligned using ALIGN_DOWN() instead of ALIGN(). Otherwise,\nvmf->address not aligned to fault_size will be aligned to the next\nalignment, that can result in memory failure getting the wrong address.\n\nIt's a subtle situation that only can be observed in\npage_mapped_in_vma() after the page is page fault handled by\ndev_dax_huge_fault. Generally, there is little chance to perform\npage_mapped_in_vma in dev-dax's page unless in specific error injection\nto the dax device to trigger an MCE - memory-failure. In that case,\npage_mapped_in_vma() will be triggered to determine which task is\naccessing the failure address and kill that task in the end.\n\n\nWe used self-developed dax device (which is 2M aligned mapping) , to\nperform error injection to random address. It turned out that error\ninjected to non-2M-aligned address was causing endless MCE until panic.\nBecause page_mapped_in_vma() kept resulting wrong address and the task\naccessing the failure address was never killed properly:\n\n\n[ 3783.719419] Memory failure: 0x200c9742: recovery action for dax page: \nRecovered\n[ 3784.049006] mce: Uncorrected hardware memory error in user-access at \n200c9742380\n[ 3784.049190] Memory failure: 0x200c9742: recovery action for dax page: \nRecovered\n[ 3784.448042] mce: Uncorrected hardware memory error in user-access at \n200c9742380\n[ 3784.448186] Memory failure: 0x200c9742: recovery action for dax page: \nRecovered\n[ 3784.792026] mce: Uncorrected hardware memory error in user-access at \n200c9742380\n[ 3784.792179] Memory failure: 0x200c9742: recovery action for dax page: \nRecovered\n[ 3785.162502] mce: Uncorrected hardware memory error in user-access at \n200c9742380\n[ 3785.162633] Memory failure: 0x200c9742: recovery action for dax page: \nRecovered\n[ 3785.461116] mce: Uncorrected hardware memory error in user-access at \n200c9742380\n[ 3785.461247] Memory failure: 0x200c9742: recovery action for dax page: \nRecovered\n[ 3785.764730] mce: Uncorrected hardware memory error in user-access at \n200c9742380\n[ 3785.764859] Memory failure: 0x200c9742: recovery action for dax page: \nRecovered\n[ 3786.042128] mce: Uncorrected hardware memory error in user-access at \n200c9742380\n[ 3786.042259] Memory failure: 0x200c9742: recovery action for dax page: \nRecovered\n[ 3786.464293] mce: Uncorrected hardware memory error in user-access at \n200c9742380\n[ 3786.464423] Memory failure: 0x200c9742: recovery action for dax page: \nRecovered\n[ 3786.818090] mce: Uncorrected hardware memory error in user-access at \n200c9742380\n[ 3786.818217] Memory failure: 0x200c9742: recovery action for dax page: \nRecovered\n[ 3787.085297] mce: Uncorrected hardware memory error in user-access at \n200c9742380\n[ 3787.085424] Memory failure: 0x200c9742: recovery action for dax page: \nRecovered\n\nIt took us several weeks to pinpoint this problem, but we eventually\nused bpftrace to trace the page fault and mce address and successfully\nidentified the issue.\n\n\nJoao added:\n\n; Likely we never reproduce in production because we always pin\n: device-dax regions in the region align they provide (Qemu does\n: similarly with prealloc in hugetlb/file backed memory). I think this\n: bug requires that we touch *unpinned* device-dax regions unaligned to\n: the device-dax selected alignment (page size i.e. 4K/2M/1G)", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:31:32.368Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/9c4198dfdca818c5ce19c764d90eabd156bbc6da", }, { url: "https://git.kernel.org/stable/c/b822007e8db341d6f175c645ed79866db501ad86", }, { url: "https://git.kernel.org/stable/c/e877427d218159ac29c9326100920d24330c9ee6", }, { url: "https://git.kernel.org/stable/c/7fcbd9785d4c17ea533c42f20a9083a83f301fa6", }, ], title: "device-dax: correct pgoff align in dax_set_mapping()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50022", datePublished: "2024-10-21T19:39:27.873Z", dateReserved: "2024-10-21T12:17:06.064Z", dateUpdated: "2024-12-19T09:31:32.368Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-49015
Vulnerability from cvelistv5
Published
2024-10-21 20:06
Modified
2024-12-19 08:12
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: hsr: Fix potential use-after-free
The skb is delivered to netif_rx() which may free it, after calling this,
dereferencing skb may trigger use-after-free.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: f421436a591d34fa5279b54a96ac07d70250cc8d Version: f421436a591d34fa5279b54a96ac07d70250cc8d Version: f421436a591d34fa5279b54a96ac07d70250cc8d Version: f421436a591d34fa5279b54a96ac07d70250cc8d Version: f421436a591d34fa5279b54a96ac07d70250cc8d Version: f421436a591d34fa5279b54a96ac07d70250cc8d Version: f421436a591d34fa5279b54a96ac07d70250cc8d Version: f421436a591d34fa5279b54a96ac07d70250cc8d |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-49015", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:13:21.187546Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:38.056Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/hsr/hsr_forward.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "8393ce5040803666bfa26a3a7bf41e44fab0ace9", status: "affected", version: "f421436a591d34fa5279b54a96ac07d70250cc8d", versionType: "git", }, { lessThan: "4b351609af4fdbc23f79ab2b12748f4403ea9af4", status: "affected", version: "f421436a591d34fa5279b54a96ac07d70250cc8d", versionType: "git", }, { lessThan: "b35d899854d5d5d58eb7d7e7c0f61afc60d3a9e9", status: "affected", version: "f421436a591d34fa5279b54a96ac07d70250cc8d", versionType: "git", }, { lessThan: "53a62c5efe91665f7a41fad0f888a96f94dc59eb", status: "affected", version: "f421436a591d34fa5279b54a96ac07d70250cc8d", versionType: "git", }, { lessThan: "7ca81a161e406834a1fdc405fc83a572bd14b8d9", status: "affected", version: "f421436a591d34fa5279b54a96ac07d70250cc8d", versionType: "git", }, { lessThan: "dca370e575d9b6c983f5015e8dc035e23e219ee6", status: "affected", version: "f421436a591d34fa5279b54a96ac07d70250cc8d", versionType: "git", }, { lessThan: "f3add2b8cf620966de3ebfa07679ca12d33ec26f", status: "affected", version: "f421436a591d34fa5279b54a96ac07d70250cc8d", versionType: "git", }, { lessThan: "7e177d32442b7ed08a9fa61b61724abc548cb248", status: "affected", version: "f421436a591d34fa5279b54a96ac07d70250cc8d", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/hsr/hsr_forward.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "3.13", }, { lessThan: "3.13", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.9.*", status: "unaffected", version: "4.9.335", versionType: "semver", }, { lessThanOrEqual: "4.14.*", status: "unaffected", version: "4.14.301", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.268", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.226", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.158", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.82", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.12", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hsr: Fix potential use-after-free\n\nThe skb is delivered to netif_rx() which may free it, after calling this,\ndereferencing skb may trigger use-after-free.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:12:28.921Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/8393ce5040803666bfa26a3a7bf41e44fab0ace9", }, { url: "https://git.kernel.org/stable/c/4b351609af4fdbc23f79ab2b12748f4403ea9af4", }, { url: "https://git.kernel.org/stable/c/b35d899854d5d5d58eb7d7e7c0f61afc60d3a9e9", }, { url: "https://git.kernel.org/stable/c/53a62c5efe91665f7a41fad0f888a96f94dc59eb", }, { url: "https://git.kernel.org/stable/c/7ca81a161e406834a1fdc405fc83a572bd14b8d9", }, { url: "https://git.kernel.org/stable/c/dca370e575d9b6c983f5015e8dc035e23e219ee6", }, { url: "https://git.kernel.org/stable/c/f3add2b8cf620966de3ebfa07679ca12d33ec26f", }, { url: "https://git.kernel.org/stable/c/7e177d32442b7ed08a9fa61b61724abc548cb248", }, ], title: "net: hsr: Fix potential use-after-free", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-49015", datePublished: "2024-10-21T20:06:24.668Z", dateReserved: "2024-08-22T01:27:53.645Z", dateUpdated: "2024-12-19T08:12:28.921Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48980
Vulnerability from cvelistv5
Published
2024-10-21 20:05
Modified
2024-12-19 08:11
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: dsa: sja1105: avoid out of bounds access in sja1105_init_l2_policing()
The SJA1105 family has 45 L2 policing table entries
(SJA1105_MAX_L2_POLICING_COUNT) and SJA1110 has 110
(SJA1110_MAX_L2_POLICING_COUNT). Keeping the table structure but
accounting for the difference in port count (5 in SJA1105 vs 10 in
SJA1110) does not fully explain the difference. Rather, the SJA1110 also
has L2 ingress policers for multicast traffic. If a packet is classified
as multicast, it will be processed by the policer index 99 + SRCPORT.
The sja1105_init_l2_policing() function initializes all L2 policers such
that they don't interfere with normal packet reception by default. To have
a common code between SJA1105 and SJA1110, the index of the multicast
policer for the port is calculated because it's an index that is out of
bounds for SJA1105 but in bounds for SJA1110, and a bounds check is
performed.
The code fails to do the proper thing when determining what to do with the
multicast policer of port 0 on SJA1105 (ds->num_ports = 5). The "mcast"
index will be equal to 45, which is also equal to
table->ops->max_entry_count (SJA1105_MAX_L2_POLICING_COUNT). So it passes
through the check. But at the same time, SJA1105 doesn't have multicast
policers. So the code programs the SHARINDX field of an out-of-bounds
element in the L2 Policing table of the static config.
The comparison between index 45 and 45 entries should have determined the
code to not access this policer index on SJA1105, since its memory wasn't
even allocated.
With enough bad luck, the out-of-bounds write could even overwrite other
valid kernel data, but in this case, the issue was detected using KASAN.
Kernel log:
sja1105 spi5.0: Probed switch chip: SJA1105Q
==================================================================
BUG: KASAN: slab-out-of-bounds in sja1105_setup+0x1cbc/0x2340
Write of size 8 at addr ffffff880bd57708 by task kworker/u8:0/8
...
Workqueue: events_unbound deferred_probe_work_func
Call trace:
...
sja1105_setup+0x1cbc/0x2340
dsa_register_switch+0x1284/0x18d0
sja1105_probe+0x748/0x840
...
Allocated by task 8:
...
sja1105_setup+0x1bcc/0x2340
dsa_register_switch+0x1284/0x18d0
sja1105_probe+0x748/0x840
...
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48980", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:17:58.670522Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:43.887Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/dsa/sja1105/sja1105_main.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "5e88c6f4aaa70c542e59e5a9d2244bcc99cd245d", status: "affected", version: "38fbe91f2287c696f290d9115901aa435f7166a8", versionType: "git", }, { lessThan: "147f3e3d84054117ae6b9bf317ec4fda9f991192", status: "affected", version: "38fbe91f2287c696f290d9115901aa435f7166a8", versionType: "git", }, { lessThan: "f8bac7f9fdb0017b32157957ffffd490f95faa07", status: "affected", version: "38fbe91f2287c696f290d9115901aa435f7166a8", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/dsa/sja1105/sja1105_main.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.14", }, { lessThan: "5.14", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.83", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.13", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: sja1105: avoid out of bounds access in sja1105_init_l2_policing()\n\nThe SJA1105 family has 45 L2 policing table entries\n(SJA1105_MAX_L2_POLICING_COUNT) and SJA1110 has 110\n(SJA1110_MAX_L2_POLICING_COUNT). Keeping the table structure but\naccounting for the difference in port count (5 in SJA1105 vs 10 in\nSJA1110) does not fully explain the difference. Rather, the SJA1110 also\nhas L2 ingress policers for multicast traffic. If a packet is classified\nas multicast, it will be processed by the policer index 99 + SRCPORT.\n\nThe sja1105_init_l2_policing() function initializes all L2 policers such\nthat they don't interfere with normal packet reception by default. To have\na common code between SJA1105 and SJA1110, the index of the multicast\npolicer for the port is calculated because it's an index that is out of\nbounds for SJA1105 but in bounds for SJA1110, and a bounds check is\nperformed.\n\nThe code fails to do the proper thing when determining what to do with the\nmulticast policer of port 0 on SJA1105 (ds->num_ports = 5). The \"mcast\"\nindex will be equal to 45, which is also equal to\ntable->ops->max_entry_count (SJA1105_MAX_L2_POLICING_COUNT). So it passes\nthrough the check. But at the same time, SJA1105 doesn't have multicast\npolicers. So the code programs the SHARINDX field of an out-of-bounds\nelement in the L2 Policing table of the static config.\n\nThe comparison between index 45 and 45 entries should have determined the\ncode to not access this policer index on SJA1105, since its memory wasn't\neven allocated.\n\nWith enough bad luck, the out-of-bounds write could even overwrite other\nvalid kernel data, but in this case, the issue was detected using KASAN.\n\nKernel log:\n\nsja1105 spi5.0: Probed switch chip: SJA1105Q\n==================================================================\nBUG: KASAN: slab-out-of-bounds in sja1105_setup+0x1cbc/0x2340\nWrite of size 8 at addr ffffff880bd57708 by task kworker/u8:0/8\n...\nWorkqueue: events_unbound deferred_probe_work_func\nCall trace:\n...\nsja1105_setup+0x1cbc/0x2340\ndsa_register_switch+0x1284/0x18d0\nsja1105_probe+0x748/0x840\n...\nAllocated by task 8:\n...\nsja1105_setup+0x1bcc/0x2340\ndsa_register_switch+0x1284/0x18d0\nsja1105_probe+0x748/0x840\n...", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:11:49.688Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/5e88c6f4aaa70c542e59e5a9d2244bcc99cd245d", }, { url: "https://git.kernel.org/stable/c/147f3e3d84054117ae6b9bf317ec4fda9f991192", }, { url: "https://git.kernel.org/stable/c/f8bac7f9fdb0017b32157957ffffd490f95faa07", }, ], title: "net: dsa: sja1105: avoid out of bounds access in sja1105_init_l2_policing()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48980", datePublished: "2024-10-21T20:05:58.373Z", dateReserved: "2024-08-22T01:27:53.632Z", dateUpdated: "2024-12-19T08:11:49.688Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49906
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:28
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Check null pointer before try to access it
[why & how]
Change the order of the pipe_ctx->plane_state check to ensure that
plane_state is not null before accessing it.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49906", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:42:14.797553Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:46.939Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "ebef6616219ff04abdeb39450625f85419787ee3", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "2002ccb93004e76a471b180560accb2c1f850f35", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "1b686053c06ffb9f4524b288110cf2a831ff7a25", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.64", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check null pointer before try to access it\n\n[why & how]\nChange the order of the pipe_ctx->plane_state check to ensure that\nplane_state is not null before accessing it.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:28:46.786Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/ebef6616219ff04abdeb39450625f85419787ee3", }, { url: "https://git.kernel.org/stable/c/2002ccb93004e76a471b180560accb2c1f850f35", }, { url: "https://git.kernel.org/stable/c/1b686053c06ffb9f4524b288110cf2a831ff7a25", }, ], title: "drm/amd/display: Check null pointer before try to access it", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49906", datePublished: "2024-10-21T18:01:36.753Z", dateReserved: "2024-10-21T12:17:06.027Z", dateUpdated: "2024-12-19T09:28:46.786Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47723
Vulnerability from cvelistv5
Published
2024-10-21 12:13
Modified
2024-12-19 09:26
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
jfs: fix out-of-bounds in dbNextAG() and diAlloc()
In dbNextAG() , there is no check for the case where bmp->db_numag is
greater or same than MAXAG due to a polluted image, which causes an
out-of-bounds. Therefore, a bounds check should be added in dbMount().
And in dbNextAG(), a check for the case where agpref is greater than
bmp->db_numag should be added, so an out-of-bounds exception should be
prevented.
Additionally, a check for the case where agno is greater or same than
MAXAG should be added in diAlloc() to prevent out-of-bounds.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47723", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:01:38.378971Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:17.044Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/jfs/jfs_dmap.c", "fs/jfs/jfs_imap.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "d1017d2a0f3f16dc1db5120e7ddbe7c6680425b0", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "5ad6284c8d433f8a213111c5c44ead4d9705b622", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "0338e66cba272351ca9d7d03f3628e390e70963b", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "ead82533278502428883085a787d5a00f15e5eb9", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "6ce8b6ab44a8b5918c0ee373d4ad19d19017931b", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "c1ba4b8ca799ff1d99d01f37d7ccb7d5ba5533d2", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "128d5cfdcf844cb690c9295a3a1c1114c21fc15a", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "96855f40e152989c9e7c20c4691ace5581098acc", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "e63866a475562810500ea7f784099bfe341e761a", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/jfs/jfs_dmap.c", "fs/jfs/jfs_imap.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "2.6.12", }, { lessThan: "2.6.12", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: fix out-of-bounds in dbNextAG() and diAlloc()\n\nIn dbNextAG() , there is no check for the case where bmp->db_numag is\ngreater or same than MAXAG due to a polluted image, which causes an\nout-of-bounds. Therefore, a bounds check should be added in dbMount().\n\nAnd in dbNextAG(), a check for the case where agpref is greater than\nbmp->db_numag should be added, so an out-of-bounds exception should be\nprevented.\n\nAdditionally, a check for the case where agno is greater or same than\nMAXAG should be added in diAlloc() to prevent out-of-bounds.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:26:49.239Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/d1017d2a0f3f16dc1db5120e7ddbe7c6680425b0", }, { url: "https://git.kernel.org/stable/c/5ad6284c8d433f8a213111c5c44ead4d9705b622", }, { url: "https://git.kernel.org/stable/c/0338e66cba272351ca9d7d03f3628e390e70963b", }, { url: "https://git.kernel.org/stable/c/ead82533278502428883085a787d5a00f15e5eb9", }, { url: "https://git.kernel.org/stable/c/6ce8b6ab44a8b5918c0ee373d4ad19d19017931b", }, { url: "https://git.kernel.org/stable/c/c1ba4b8ca799ff1d99d01f37d7ccb7d5ba5533d2", }, { url: "https://git.kernel.org/stable/c/128d5cfdcf844cb690c9295a3a1c1114c21fc15a", }, { url: "https://git.kernel.org/stable/c/96855f40e152989c9e7c20c4691ace5581098acc", }, { url: "https://git.kernel.org/stable/c/e63866a475562810500ea7f784099bfe341e761a", }, ], title: "jfs: fix out-of-bounds in dbNextAG() and diAlloc()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47723", datePublished: "2024-10-21T12:13:57.614Z", dateReserved: "2024-09-30T16:00:12.950Z", dateUpdated: "2024-12-19T09:26:49.239Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49919
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:29
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Add null check for head_pipe in dcn201_acquire_free_pipe_for_layer
This commit addresses a potential null pointer dereference issue in the
`dcn201_acquire_free_pipe_for_layer` function. The issue could occur
when `head_pipe` is null.
The fix adds a check to ensure `head_pipe` is not null before asserting
it. If `head_pipe` is null, the function returns NULL to prevent a
potential null pointer dereference.
Reported by smatch:
drivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn201/dcn201_resource.c:1016 dcn201_acquire_free_pipe_for_layer() error: we previously assumed 'head_pipe' could be null (see line 1010)
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49919", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:40:36.842077Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:44.869Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/resource/dcn201/dcn201_resource.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "390d757621f5f35d11a63ed7d9d3262ead240064", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "8a1b1655a490a492a5a6987254c935ecce4eb9de", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "f22f4754aaa47d8c59f166ba3042182859e5dff7", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/resource/dcn201/dcn201_resource.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add null check for head_pipe in dcn201_acquire_free_pipe_for_layer\n\nThis commit addresses a potential null pointer dereference issue in the\n`dcn201_acquire_free_pipe_for_layer` function. The issue could occur\nwhen `head_pipe` is null.\n\nThe fix adds a check to ensure `head_pipe` is not null before asserting\nit. If `head_pipe` is null, the function returns NULL to prevent a\npotential null pointer dereference.\n\nReported by smatch:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn201/dcn201_resource.c:1016 dcn201_acquire_free_pipe_for_layer() error: we previously assumed 'head_pipe' could be null (see line 1010)", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:29:02.821Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/390d757621f5f35d11a63ed7d9d3262ead240064", }, { url: "https://git.kernel.org/stable/c/8a1b1655a490a492a5a6987254c935ecce4eb9de", }, { url: "https://git.kernel.org/stable/c/f22f4754aaa47d8c59f166ba3042182859e5dff7", }, ], title: "drm/amd/display: Add null check for head_pipe in dcn201_acquire_free_pipe_for_layer", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49919", datePublished: "2024-10-21T18:01:45.769Z", dateReserved: "2024-10-21T12:17:06.034Z", dateUpdated: "2024-12-19T09:29:02.821Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49948
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-19 09:29
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: add more sanity checks to qdisc_pkt_len_init()
One path takes care of SKB_GSO_DODGY, assuming
skb->len is bigger than hdr_len.
virtio_net_hdr_to_skb() does not fully dissect TCP headers,
it only make sure it is at least 20 bytes.
It is possible for an user to provide a malicious 'GSO' packet,
total length of 80 bytes.
- 20 bytes of IPv4 header
- 60 bytes TCP header
- a small gso_size like 8
virtio_net_hdr_to_skb() would declare this packet as a normal
GSO packet, because it would see 40 bytes of payload,
bigger than gso_size.
We need to make detect this case to not underflow
qdisc_skb_cb(skb)->pkt_len.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1def9238d4aa2146924994aa4b7dc861f03b9362 Version: 1def9238d4aa2146924994aa4b7dc861f03b9362 Version: 1def9238d4aa2146924994aa4b7dc861f03b9362 Version: 1def9238d4aa2146924994aa4b7dc861f03b9362 Version: 1def9238d4aa2146924994aa4b7dc861f03b9362 Version: 1def9238d4aa2146924994aa4b7dc861f03b9362 Version: 1def9238d4aa2146924994aa4b7dc861f03b9362 Version: 1def9238d4aa2146924994aa4b7dc861f03b9362 Version: 1def9238d4aa2146924994aa4b7dc861f03b9362 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49948", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:36:47.619949Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:49.499Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/core/dev.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "d7d1a28f5dd57b4d83def876f8d7b4403bd37df9", status: "affected", version: "1def9238d4aa2146924994aa4b7dc861f03b9362", versionType: "git", }, { lessThan: "473426a1d53a68dd1e718e6cd00d57936993fa6c", status: "affected", version: "1def9238d4aa2146924994aa4b7dc861f03b9362", versionType: "git", }, { lessThan: "566a931a1436d0e0ad13708ea55479b95426213c", status: "affected", version: "1def9238d4aa2146924994aa4b7dc861f03b9362", versionType: "git", }, { lessThan: "2415f465730e48b6e38da1c7c097317bf5dd2d20", status: "affected", version: "1def9238d4aa2146924994aa4b7dc861f03b9362", versionType: "git", }, { lessThan: "27a8fabc54d2f960d47bdfbebf2bdc6e8a92a4c4", status: "affected", version: "1def9238d4aa2146924994aa4b7dc861f03b9362", versionType: "git", }, { lessThan: "9b0ee571d20a238a22722126abdfde61f1b2bdd0", status: "affected", version: "1def9238d4aa2146924994aa4b7dc861f03b9362", versionType: "git", }, { lessThan: "ff1c3cadcf405ab37dd91418a62a7acecf3bc5e2", status: "affected", version: "1def9238d4aa2146924994aa4b7dc861f03b9362", versionType: "git", }, { lessThan: "1eebe602a8d8264a12e35e39d0645fa88dbbacdd", status: "affected", version: "1def9238d4aa2146924994aa4b7dc861f03b9362", versionType: "git", }, { lessThan: "ab9a9a9e9647392a19e7a885b08000e89c86b535", status: "affected", version: "1def9238d4aa2146924994aa4b7dc861f03b9362", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/core/dev.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "3.9", }, { lessThan: "3.9", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: add more sanity checks to qdisc_pkt_len_init()\n\nOne path takes care of SKB_GSO_DODGY, assuming\nskb->len is bigger than hdr_len.\n\nvirtio_net_hdr_to_skb() does not fully dissect TCP headers,\nit only make sure it is at least 20 bytes.\n\nIt is possible for an user to provide a malicious 'GSO' packet,\ntotal length of 80 bytes.\n\n- 20 bytes of IPv4 header\n- 60 bytes TCP header\n- a small gso_size like 8\n\nvirtio_net_hdr_to_skb() would declare this packet as a normal\nGSO packet, because it would see 40 bytes of payload,\nbigger than gso_size.\n\nWe need to make detect this case to not underflow\nqdisc_skb_cb(skb)->pkt_len.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:29:55.468Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/d7d1a28f5dd57b4d83def876f8d7b4403bd37df9", }, { url: "https://git.kernel.org/stable/c/473426a1d53a68dd1e718e6cd00d57936993fa6c", }, { url: "https://git.kernel.org/stable/c/566a931a1436d0e0ad13708ea55479b95426213c", }, { url: "https://git.kernel.org/stable/c/2415f465730e48b6e38da1c7c097317bf5dd2d20", }, { url: "https://git.kernel.org/stable/c/27a8fabc54d2f960d47bdfbebf2bdc6e8a92a4c4", }, { url: "https://git.kernel.org/stable/c/9b0ee571d20a238a22722126abdfde61f1b2bdd0", }, { url: "https://git.kernel.org/stable/c/ff1c3cadcf405ab37dd91418a62a7acecf3bc5e2", }, { url: "https://git.kernel.org/stable/c/1eebe602a8d8264a12e35e39d0645fa88dbbacdd", }, { url: "https://git.kernel.org/stable/c/ab9a9a9e9647392a19e7a885b08000e89c86b535", }, ], title: "net: add more sanity checks to qdisc_pkt_len_init()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49948", datePublished: "2024-10-21T18:02:05.121Z", dateReserved: "2024-10-21T12:17:06.045Z", dateUpdated: "2024-12-19T09:29:55.468Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47751
Vulnerability from cvelistv5
Published
2024-10-21 12:14
Modified
2024-12-19 09:27
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
PCI: kirin: Fix buffer overflow in kirin_pcie_parse_port()
Within kirin_pcie_parse_port(), the pcie->num_slots is compared to
pcie->gpio_id_reset size (MAX_PCI_SLOTS) which is correct and would lead
to an overflow.
Thus, fix condition to pcie->num_slots + 1 >= MAX_PCI_SLOTS and move
pcie->num_slots increment below the if-statement to avoid out-of-bounds
array access.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
[kwilczynski: commit log]
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: b22dbbb24571c052364f476381dbac110bdca4d5 Version: b22dbbb24571c052364f476381dbac110bdca4d5 Version: b22dbbb24571c052364f476381dbac110bdca4d5 Version: b22dbbb24571c052364f476381dbac110bdca4d5 Version: b22dbbb24571c052364f476381dbac110bdca4d5 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47751", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T12:57:54.600283Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:12.977Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/pci/controller/dwc/pcie-kirin.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "a5f795f9412854df28e66679c5e6b68b0b79c229", status: "affected", version: "b22dbbb24571c052364f476381dbac110bdca4d5", versionType: "git", }, { lessThan: "95248d7497bcbfe7deed4805469c6ff6ddd7f9d1", status: "affected", version: "b22dbbb24571c052364f476381dbac110bdca4d5", versionType: "git", }, { lessThan: "6dcc5b49d6607a741a14122bf3105f3ac50d259e", status: "affected", version: "b22dbbb24571c052364f476381dbac110bdca4d5", versionType: "git", }, { lessThan: "aeb0335971806e15ac91e838ca471936c8e7efd5", status: "affected", version: "b22dbbb24571c052364f476381dbac110bdca4d5", versionType: "git", }, { lessThan: "c500a86693a126c9393e602741e348f80f1b0fc5", status: "affected", version: "b22dbbb24571c052364f476381dbac110bdca4d5", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/pci/controller/dwc/pcie-kirin.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.16", }, { lessThan: "5.16", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: kirin: Fix buffer overflow in kirin_pcie_parse_port()\n\nWithin kirin_pcie_parse_port(), the pcie->num_slots is compared to\npcie->gpio_id_reset size (MAX_PCI_SLOTS) which is correct and would lead\nto an overflow.\n\nThus, fix condition to pcie->num_slots + 1 >= MAX_PCI_SLOTS and move\npcie->num_slots increment below the if-statement to avoid out-of-bounds\narray access.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\n\n[kwilczynski: commit log]", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:27:24.320Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/a5f795f9412854df28e66679c5e6b68b0b79c229", }, { url: "https://git.kernel.org/stable/c/95248d7497bcbfe7deed4805469c6ff6ddd7f9d1", }, { url: "https://git.kernel.org/stable/c/6dcc5b49d6607a741a14122bf3105f3ac50d259e", }, { url: "https://git.kernel.org/stable/c/aeb0335971806e15ac91e838ca471936c8e7efd5", }, { url: "https://git.kernel.org/stable/c/c500a86693a126c9393e602741e348f80f1b0fc5", }, ], title: "PCI: kirin: Fix buffer overflow in kirin_pcie_parse_port()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47751", datePublished: "2024-10-21T12:14:16.446Z", dateReserved: "2024-09-30T16:00:12.961Z", dateUpdated: "2024-12-19T09:27:24.320Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49867
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:27
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: wait for fixup workers before stopping cleaner kthread during umount
During unmount, at close_ctree(), we have the following steps in this order:
1) Park the cleaner kthread - this doesn't destroy the kthread, it basically
halts its execution (wake ups against it work but do nothing);
2) We stop the cleaner kthread - this results in freeing the respective
struct task_struct;
3) We call btrfs_stop_all_workers() which waits for any jobs running in all
the work queues and then free the work queues.
Syzbot reported a case where a fixup worker resulted in a crash when doing
a delayed iput on its inode while attempting to wake up the cleaner at
btrfs_add_delayed_iput(), because the task_struct of the cleaner kthread
was already freed. This can happen during unmount because we don't wait
for any fixup workers still running before we call kthread_stop() against
the cleaner kthread, which stops and free all its resources.
Fix this by waiting for any fixup workers at close_ctree() before we call
kthread_stop() against the cleaner and run pending delayed iputs.
The stack traces reported by syzbot were the following:
BUG: KASAN: slab-use-after-free in __lock_acquire+0x77/0x2050 kernel/locking/lockdep.c:5065
Read of size 8 at addr ffff8880272a8a18 by task kworker/u8:3/52
CPU: 1 UID: 0 PID: 52 Comm: kworker/u8:3 Not tainted 6.12.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: btrfs-fixup btrfs_work_helper
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
__lock_acquire+0x77/0x2050 kernel/locking/lockdep.c:5065
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5825
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
class_raw_spinlock_irqsave_constructor include/linux/spinlock.h:551 [inline]
try_to_wake_up+0xb0/0x1480 kernel/sched/core.c:4154
btrfs_writepage_fixup_worker+0xc16/0xdf0 fs/btrfs/inode.c:2842
btrfs_work_helper+0x390/0xc50 fs/btrfs/async-thread.c:314
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Allocated by task 2:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
unpoison_slab_object mm/kasan/common.c:319 [inline]
__kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:345
kasan_slab_alloc include/linux/kasan.h:247 [inline]
slab_post_alloc_hook mm/slub.c:4086 [inline]
slab_alloc_node mm/slub.c:4135 [inline]
kmem_cache_alloc_node_noprof+0x16b/0x320 mm/slub.c:4187
alloc_task_struct_node kernel/fork.c:180 [inline]
dup_task_struct+0x57/0x8c0 kernel/fork.c:1107
copy_process+0x5d1/0x3d50 kernel/fork.c:2206
kernel_clone+0x223/0x880 kernel/fork.c:2787
kernel_thread+0x1bc/0x240 kernel/fork.c:2849
create_kthread kernel/kthread.c:412 [inline]
kthreadd+0x60d/0x810 kernel/kthread.c:765
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Freed by task 61:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_h
---truncated---
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49867", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:47:28.241887Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:52.483Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/btrfs/disk-io.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "cd686dfff63f27d712877aef5b962fbf6b8bc264", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "a71349b692ab34ea197949e13e3cc42570fe73d9", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "70b60c8d9b42763d6629e44f448aa5d8ae477d61", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "4c98fe0dfa2ae83c4631699695506d8941db4bfe", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "9da40aea63f8769f28afb91aea0fac4cf6fbbb65", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "ed87190e9d9c80aad220fb6b0b03a84d22e2c95b", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "bf0de0f9a0544c11f96f93206da04ab87dcea1f4", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "65d11eb276836d49003a8060cf31fa2284ad1047", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "41fd1e94066a815a7ab0a7025359e9b40e4b3576", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/btrfs/disk-io.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: wait for fixup workers before stopping cleaner kthread during umount\n\nDuring unmount, at close_ctree(), we have the following steps in this order:\n\n1) Park the cleaner kthread - this doesn't destroy the kthread, it basically\n halts its execution (wake ups against it work but do nothing);\n\n2) We stop the cleaner kthread - this results in freeing the respective\n struct task_struct;\n\n3) We call btrfs_stop_all_workers() which waits for any jobs running in all\n the work queues and then free the work queues.\n\nSyzbot reported a case where a fixup worker resulted in a crash when doing\na delayed iput on its inode while attempting to wake up the cleaner at\nbtrfs_add_delayed_iput(), because the task_struct of the cleaner kthread\nwas already freed. This can happen during unmount because we don't wait\nfor any fixup workers still running before we call kthread_stop() against\nthe cleaner kthread, which stops and free all its resources.\n\nFix this by waiting for any fixup workers at close_ctree() before we call\nkthread_stop() against the cleaner and run pending delayed iputs.\n\nThe stack traces reported by syzbot were the following:\n\n BUG: KASAN: slab-use-after-free in __lock_acquire+0x77/0x2050 kernel/locking/lockdep.c:5065\n Read of size 8 at addr ffff8880272a8a18 by task kworker/u8:3/52\n\n CPU: 1 UID: 0 PID: 52 Comm: kworker/u8:3 Not tainted 6.12.0-rc1-syzkaller #0\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\n Workqueue: btrfs-fixup btrfs_work_helper\n Call Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n __lock_acquire+0x77/0x2050 kernel/locking/lockdep.c:5065\n lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5825\n __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\n _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162\n class_raw_spinlock_irqsave_constructor include/linux/spinlock.h:551 [inline]\n try_to_wake_up+0xb0/0x1480 kernel/sched/core.c:4154\n btrfs_writepage_fixup_worker+0xc16/0xdf0 fs/btrfs/inode.c:2842\n btrfs_work_helper+0x390/0xc50 fs/btrfs/async-thread.c:314\n process_one_work kernel/workqueue.c:3229 [inline]\n process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310\n worker_thread+0x870/0xd30 kernel/workqueue.c:3391\n kthread+0x2f0/0x390 kernel/kthread.c:389\n ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n </TASK>\n\n Allocated by task 2:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n unpoison_slab_object mm/kasan/common.c:319 [inline]\n __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:345\n kasan_slab_alloc include/linux/kasan.h:247 [inline]\n slab_post_alloc_hook mm/slub.c:4086 [inline]\n slab_alloc_node mm/slub.c:4135 [inline]\n kmem_cache_alloc_node_noprof+0x16b/0x320 mm/slub.c:4187\n alloc_task_struct_node kernel/fork.c:180 [inline]\n dup_task_struct+0x57/0x8c0 kernel/fork.c:1107\n copy_process+0x5d1/0x3d50 kernel/fork.c:2206\n kernel_clone+0x223/0x880 kernel/fork.c:2787\n kernel_thread+0x1bc/0x240 kernel/fork.c:2849\n create_kthread kernel/kthread.c:412 [inline]\n kthreadd+0x60d/0x810 kernel/kthread.c:765\n ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n\n Freed by task 61:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579\n poison_slab_object mm/kasan/common.c:247 [inline]\n __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264\n kasan_slab_free include/linux/kasan.h:230 [inline]\n slab_free_h\n---truncated---", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:27:53.199Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/cd686dfff63f27d712877aef5b962fbf6b8bc264", }, { url: "https://git.kernel.org/stable/c/a71349b692ab34ea197949e13e3cc42570fe73d9", }, { url: "https://git.kernel.org/stable/c/70b60c8d9b42763d6629e44f448aa5d8ae477d61", }, { url: "https://git.kernel.org/stable/c/4c98fe0dfa2ae83c4631699695506d8941db4bfe", }, { url: "https://git.kernel.org/stable/c/9da40aea63f8769f28afb91aea0fac4cf6fbbb65", }, { url: "https://git.kernel.org/stable/c/ed87190e9d9c80aad220fb6b0b03a84d22e2c95b", }, { url: "https://git.kernel.org/stable/c/bf0de0f9a0544c11f96f93206da04ab87dcea1f4", }, { url: "https://git.kernel.org/stable/c/65d11eb276836d49003a8060cf31fa2284ad1047", }, { url: "https://git.kernel.org/stable/c/41fd1e94066a815a7ab0a7025359e9b40e4b3576", }, ], title: "btrfs: wait for fixup workers before stopping cleaner kthread during umount", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49867", datePublished: "2024-10-21T18:01:09.962Z", dateReserved: "2024-10-21T12:17:06.018Z", dateUpdated: "2024-12-19T09:27:53.199Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49900
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:28
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
jfs: Fix uninit-value access of new_ea in ea_buffer
syzbot reports that lzo1x_1_do_compress is using uninit-value:
=====================================================
BUG: KMSAN: uninit-value in lzo1x_1_do_compress+0x19f9/0x2510 lib/lzo/lzo1x_compress.c:178
...
Uninit was stored to memory at:
ea_put fs/jfs/xattr.c:639 [inline]
...
Local variable ea_buf created at:
__jfs_setxattr+0x5d/0x1ae0 fs/jfs/xattr.c:662
__jfs_xattr_set+0xe6/0x1f0 fs/jfs/xattr.c:934
=====================================================
The reason is ea_buf->new_ea is not initialized properly.
Fix this by using memset to empty its content at the beginning
in ea_get().
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49900", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:43:02.007949Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:47.719Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/jfs/xattr.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "7b24d41d47a6805c45378debf8bd115675d41da8", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "dac398ed272a378d2f42ac68ae408333a51baf52", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "8b1dcf25c26d42e4a68c4725ce52a0543c7878cc", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "d7444f91a9f93eaa48827087ed0f3381c194181d", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "6041536d18c5f51a84bc37cd568cbab61870031e", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "c076b3746224982eebdba5c9e4b1467e146c0d64", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "7c244d5b48284a770d96ff703df2dfeadf804a73", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "8ad8b531de79c348bcb8133e7f5e827b884226af", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "2b59ffad47db1c46af25ccad157bb3b25147c35c", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/jfs/xattr.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: Fix uninit-value access of new_ea in ea_buffer\n\nsyzbot reports that lzo1x_1_do_compress is using uninit-value:\n\n=====================================================\nBUG: KMSAN: uninit-value in lzo1x_1_do_compress+0x19f9/0x2510 lib/lzo/lzo1x_compress.c:178\n\n...\n\nUninit was stored to memory at:\n ea_put fs/jfs/xattr.c:639 [inline]\n\n...\n\nLocal variable ea_buf created at:\n __jfs_setxattr+0x5d/0x1ae0 fs/jfs/xattr.c:662\n __jfs_xattr_set+0xe6/0x1f0 fs/jfs/xattr.c:934\n\n=====================================================\n\nThe reason is ea_buf->new_ea is not initialized properly.\n\nFix this by using memset to empty its content at the beginning\nin ea_get().", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:28:39.544Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/7b24d41d47a6805c45378debf8bd115675d41da8", }, { url: "https://git.kernel.org/stable/c/dac398ed272a378d2f42ac68ae408333a51baf52", }, { url: "https://git.kernel.org/stable/c/8b1dcf25c26d42e4a68c4725ce52a0543c7878cc", }, { url: "https://git.kernel.org/stable/c/d7444f91a9f93eaa48827087ed0f3381c194181d", }, { url: "https://git.kernel.org/stable/c/6041536d18c5f51a84bc37cd568cbab61870031e", }, { url: "https://git.kernel.org/stable/c/c076b3746224982eebdba5c9e4b1467e146c0d64", }, { url: "https://git.kernel.org/stable/c/7c244d5b48284a770d96ff703df2dfeadf804a73", }, { url: "https://git.kernel.org/stable/c/8ad8b531de79c348bcb8133e7f5e827b884226af", }, { url: "https://git.kernel.org/stable/c/2b59ffad47db1c46af25ccad157bb3b25147c35c", }, ], title: "jfs: Fix uninit-value access of new_ea in ea_buffer", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49900", datePublished: "2024-10-21T18:01:32.607Z", dateReserved: "2024-10-21T12:17:06.026Z", dateUpdated: "2024-12-19T09:28:39.544Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48993
Vulnerability from cvelistv5
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Show details on NVD website{ containers: { cna: { providerMetadata: { dateUpdated: "2024-10-23T09:06:14.790Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, rejectedReasons: [ { lang: "en", value: "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", }, ], }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48993", datePublished: "2024-10-21T20:06:10.140Z", dateRejected: "2024-10-23T09:06:14.790Z", dateReserved: "2024-08-22T01:27:53.637Z", dateUpdated: "2024-10-23T09:06:14.790Z", state: "REJECTED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49857
Vulnerability from cvelistv5
Published
2024-10-21 12:18
Modified
2024-12-19 09:27
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: iwlwifi: mvm: set the cipher for secured NDP ranging
The cipher pointer is not set, but is derefereced trying to set its
content, which leads to a NULL pointer dereference.
Fix it by pointing to the cipher parameter before dereferencing.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49857", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T12:56:09.512718Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:10.927Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "b3322a6d6aa9bc17b395c4b38d3b97578887aa8a", status: "affected", version: "626be4bf99f6250cd66da5d311a72ad7455c5a64", versionType: "git", }, { lessThan: "a949075d4bbf1ca83ccdeaa6ef4ac2ce7526c5f4", status: "affected", version: "626be4bf99f6250cd66da5d311a72ad7455c5a64", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.11", }, { lessThan: "6.11", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: set the cipher for secured NDP ranging\n\nThe cipher pointer is not set, but is derefereced trying to set its\ncontent, which leads to a NULL pointer dereference.\nFix it by pointing to the cipher parameter before dereferencing.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:27:40.802Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/b3322a6d6aa9bc17b395c4b38d3b97578887aa8a", }, { url: "https://git.kernel.org/stable/c/a949075d4bbf1ca83ccdeaa6ef4ac2ce7526c5f4", }, ], title: "wifi: iwlwifi: mvm: set the cipher for secured NDP ranging", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49857", datePublished: "2024-10-21T12:18:48.784Z", dateReserved: "2024-10-21T12:17:06.016Z", dateUpdated: "2024-12-19T09:27:40.802Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48974
Vulnerability from cvelistv5
Published
2024-10-21 20:05
Modified
2024-12-19 08:11
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: conntrack: fix using __this_cpu_add in preemptible
Currently in nf_conntrack_hash_check_insert(), when it fails in
nf_ct_ext_valid_pre/post(), NF_CT_STAT_INC() will be called in the
preemptible context, a call trace can be triggered:
BUG: using __this_cpu_add() in preemptible [00000000] code: conntrack/1636
caller is nf_conntrack_hash_check_insert+0x45/0x430 [nf_conntrack]
Call Trace:
<TASK>
dump_stack_lvl+0x33/0x46
check_preemption_disabled+0xc3/0xf0
nf_conntrack_hash_check_insert+0x45/0x430 [nf_conntrack]
ctnetlink_create_conntrack+0x3cd/0x4e0 [nf_conntrack_netlink]
ctnetlink_new_conntrack+0x1c0/0x450 [nf_conntrack_netlink]
nfnetlink_rcv_msg+0x277/0x2f0 [nfnetlink]
netlink_rcv_skb+0x50/0x100
nfnetlink_rcv+0x65/0x144 [nfnetlink]
netlink_unicast+0x1ae/0x290
netlink_sendmsg+0x257/0x4f0
sock_sendmsg+0x5f/0x70
This patch is to fix it by changing to use NF_CT_STAT_INC_ATOMIC() for
nf_ct_ext_valid_pre/post() check in nf_conntrack_hash_check_insert(),
as well as nf_ct_ext_valid_post() in __nf_conntrack_confirm().
Note that nf_ct_ext_valid_pre() check in __nf_conntrack_confirm() is
safe to use NF_CT_STAT_INC(), as it's under local_bh_disable().
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48974", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:18:44.032188Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:37.347Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/netfilter/nf_conntrack_core.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "d9bf1138a5db419db13bd9fcd3a7178d6bb20f7c", status: "affected", version: "c56716c69ce1ac320432fb1ea5654196ba24d2f8", versionType: "git", }, { lessThan: "9464d0b68f11a9bc768370c3260ec02b3550447b", status: "affected", version: "c56716c69ce1ac320432fb1ea5654196ba24d2f8", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/netfilter/nf_conntrack_core.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.19", }, { lessThan: "5.19", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.13", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: conntrack: fix using __this_cpu_add in preemptible\n\nCurrently in nf_conntrack_hash_check_insert(), when it fails in\nnf_ct_ext_valid_pre/post(), NF_CT_STAT_INC() will be called in the\npreemptible context, a call trace can be triggered:\n\n BUG: using __this_cpu_add() in preemptible [00000000] code: conntrack/1636\n caller is nf_conntrack_hash_check_insert+0x45/0x430 [nf_conntrack]\n Call Trace:\n <TASK>\n dump_stack_lvl+0x33/0x46\n check_preemption_disabled+0xc3/0xf0\n nf_conntrack_hash_check_insert+0x45/0x430 [nf_conntrack]\n ctnetlink_create_conntrack+0x3cd/0x4e0 [nf_conntrack_netlink]\n ctnetlink_new_conntrack+0x1c0/0x450 [nf_conntrack_netlink]\n nfnetlink_rcv_msg+0x277/0x2f0 [nfnetlink]\n netlink_rcv_skb+0x50/0x100\n nfnetlink_rcv+0x65/0x144 [nfnetlink]\n netlink_unicast+0x1ae/0x290\n netlink_sendmsg+0x257/0x4f0\n sock_sendmsg+0x5f/0x70\n\nThis patch is to fix it by changing to use NF_CT_STAT_INC_ATOMIC() for\nnf_ct_ext_valid_pre/post() check in nf_conntrack_hash_check_insert(),\nas well as nf_ct_ext_valid_post() in __nf_conntrack_confirm().\n\nNote that nf_ct_ext_valid_pre() check in __nf_conntrack_confirm() is\nsafe to use NF_CT_STAT_INC(), as it's under local_bh_disable().", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:11:41.910Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/d9bf1138a5db419db13bd9fcd3a7178d6bb20f7c", }, { url: "https://git.kernel.org/stable/c/9464d0b68f11a9bc768370c3260ec02b3550447b", }, ], title: "netfilter: conntrack: fix using __this_cpu_add in preemptible", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48974", datePublished: "2024-10-21T20:05:54.438Z", dateReserved: "2024-08-22T01:27:53.631Z", dateUpdated: "2024-12-19T08:11:41.910Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-49018
Vulnerability from cvelistv5
Published
2024-10-21 20:06
Modified
2024-12-19 08:12
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mptcp: fix sleep in atomic at close time
Matt reported a splat at msk close time:
BUG: sleeping function called from invalid context at net/mptcp/protocol.c:2877
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 155, name: packetdrill
preempt_count: 201, expected: 0
RCU nest depth: 0, expected: 0
4 locks held by packetdrill/155:
#0: ffff888001536990 (&sb->s_type->i_mutex_key#6){+.+.}-{3:3}, at: __sock_release (net/socket.c:650)
#1: ffff88800b498130 (sk_lock-AF_INET){+.+.}-{0:0}, at: mptcp_close (net/mptcp/protocol.c:2973)
#2: ffff88800b49a130 (sk_lock-AF_INET/1){+.+.}-{0:0}, at: __mptcp_close_ssk (net/mptcp/protocol.c:2363)
#3: ffff88800b49a0b0 (slock-AF_INET){+...}-{2:2}, at: __lock_sock_fast (include/net/sock.h:1820)
Preemption disabled at:
0x0
CPU: 1 PID: 155 Comm: packetdrill Not tainted 6.1.0-rc5 #365
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl (lib/dump_stack.c:107 (discriminator 4))
__might_resched.cold (kernel/sched/core.c:9891)
__mptcp_destroy_sock (include/linux/kernel.h:110)
__mptcp_close (net/mptcp/protocol.c:2959)
mptcp_subflow_queue_clean (include/net/sock.h:1777)
__mptcp_close_ssk (net/mptcp/protocol.c:2363)
mptcp_destroy_common (net/mptcp/protocol.c:3170)
mptcp_destroy (include/net/sock.h:1495)
__mptcp_destroy_sock (net/mptcp/protocol.c:2886)
__mptcp_close (net/mptcp/protocol.c:2959)
mptcp_close (net/mptcp/protocol.c:2974)
inet_release (net/ipv4/af_inet.c:432)
__sock_release (net/socket.c:651)
sock_close (net/socket.c:1367)
__fput (fs/file_table.c:320)
task_work_run (kernel/task_work.c:181 (discriminator 1))
exit_to_user_mode_prepare (include/linux/resume_user_mode.h:49)
syscall_exit_to_user_mode (kernel/entry/common.c:130)
do_syscall_64 (arch/x86/entry/common.c:87)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
We can't call mptcp_close under the 'fast' socket lock variant, replace
it with a sock_lock_nested() as the relevant code is already under the
listening msk socket lock protection.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-49018", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:12:58.392450Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:37.571Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/mptcp/subflow.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "d8e6c5500dbf0f3e87aace90d4beba6ae928e866", status: "affected", version: "30e51b923e436b631e8d5b77fa5e318c6b066dc7", versionType: "git", }, { lessThan: "b4f166651d03b5484fa179817ba8ad4899a5a6ac", status: "affected", version: "30e51b923e436b631e8d5b77fa5e318c6b066dc7", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/mptcp/subflow.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.0", }, { lessThan: "6.0", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.12", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix sleep in atomic at close time\n\nMatt reported a splat at msk close time:\n\n BUG: sleeping function called from invalid context at net/mptcp/protocol.c:2877\n in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 155, name: packetdrill\n preempt_count: 201, expected: 0\n RCU nest depth: 0, expected: 0\n 4 locks held by packetdrill/155:\n #0: ffff888001536990 (&sb->s_type->i_mutex_key#6){+.+.}-{3:3}, at: __sock_release (net/socket.c:650)\n #1: ffff88800b498130 (sk_lock-AF_INET){+.+.}-{0:0}, at: mptcp_close (net/mptcp/protocol.c:2973)\n #2: ffff88800b49a130 (sk_lock-AF_INET/1){+.+.}-{0:0}, at: __mptcp_close_ssk (net/mptcp/protocol.c:2363)\n #3: ffff88800b49a0b0 (slock-AF_INET){+...}-{2:2}, at: __lock_sock_fast (include/net/sock.h:1820)\n Preemption disabled at:\n 0x0\n CPU: 1 PID: 155 Comm: packetdrill Not tainted 6.1.0-rc5 #365\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n Call Trace:\n <TASK>\n dump_stack_lvl (lib/dump_stack.c:107 (discriminator 4))\n __might_resched.cold (kernel/sched/core.c:9891)\n __mptcp_destroy_sock (include/linux/kernel.h:110)\n __mptcp_close (net/mptcp/protocol.c:2959)\n mptcp_subflow_queue_clean (include/net/sock.h:1777)\n __mptcp_close_ssk (net/mptcp/protocol.c:2363)\n mptcp_destroy_common (net/mptcp/protocol.c:3170)\n mptcp_destroy (include/net/sock.h:1495)\n __mptcp_destroy_sock (net/mptcp/protocol.c:2886)\n __mptcp_close (net/mptcp/protocol.c:2959)\n mptcp_close (net/mptcp/protocol.c:2974)\n inet_release (net/ipv4/af_inet.c:432)\n __sock_release (net/socket.c:651)\n sock_close (net/socket.c:1367)\n __fput (fs/file_table.c:320)\n task_work_run (kernel/task_work.c:181 (discriminator 1))\n exit_to_user_mode_prepare (include/linux/resume_user_mode.h:49)\n syscall_exit_to_user_mode (kernel/entry/common.c:130)\n do_syscall_64 (arch/x86/entry/common.c:87)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)\n\nWe can't call mptcp_close under the 'fast' socket lock variant, replace\nit with a sock_lock_nested() as the relevant code is already under the\nlistening msk socket lock protection.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:12:32.365Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/d8e6c5500dbf0f3e87aace90d4beba6ae928e866", }, { url: "https://git.kernel.org/stable/c/b4f166651d03b5484fa179817ba8ad4899a5a6ac", }, ], title: "mptcp: fix sleep in atomic at close time", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-49018", datePublished: "2024-10-21T20:06:26.627Z", dateReserved: "2024-08-22T01:27:53.646Z", dateUpdated: "2024-12-19T08:12:32.365Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-49019
Vulnerability from cvelistv5
Published
2024-10-21 20:06
Modified
2024-12-19 08:12
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: ethernet: nixge: fix NULL dereference
In function nixge_hw_dma_bd_release() dereference of NULL pointer
priv->rx_bd_v is possible for the case of its allocation failure in
nixge_hw_dma_bd_init().
Move for() loop with priv->rx_bd_v dereference under the check for
its validity.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 492caffa8a1a405f661c111acabfe6b8b9645db8 Version: 492caffa8a1a405f661c111acabfe6b8b9645db8 Version: 492caffa8a1a405f661c111acabfe6b8b9645db8 Version: 492caffa8a1a405f661c111acabfe6b8b9645db8 Version: 492caffa8a1a405f661c111acabfe6b8b9645db8 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-49019", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:12:50.494969Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:37.422Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/ethernet/ni/nixge.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "910c0264b64ef2dad8887714a7c56c93e39a0ed3", status: "affected", version: "492caffa8a1a405f661c111acabfe6b8b9645db8", versionType: "git", }, { lessThan: "45752af0247589e6d3dede577415bfe117b4392c", status: "affected", version: "492caffa8a1a405f661c111acabfe6b8b9645db8", versionType: "git", }, { lessThan: "9c584d6d9cfb935dce8fc81a4c26debac0a3049b", status: "affected", version: "492caffa8a1a405f661c111acabfe6b8b9645db8", versionType: "git", }, { lessThan: "80e82f7b440b65cf131dce10f487dc73a7046e6b", status: "affected", version: "492caffa8a1a405f661c111acabfe6b8b9645db8", versionType: "git", }, { lessThan: "9256db4e45e8b497b0e993cc3ed4ad08eb2389b6", status: "affected", version: "492caffa8a1a405f661c111acabfe6b8b9645db8", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/ethernet/ni/nixge.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "4.17", }, { lessThan: "4.17", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.226", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.158", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.82", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.12", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: nixge: fix NULL dereference\n\nIn function nixge_hw_dma_bd_release() dereference of NULL pointer\npriv->rx_bd_v is possible for the case of its allocation failure in\nnixge_hw_dma_bd_init().\n\nMove for() loop with priv->rx_bd_v dereference under the check for\nits validity.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:12:33.532Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/910c0264b64ef2dad8887714a7c56c93e39a0ed3", }, { url: "https://git.kernel.org/stable/c/45752af0247589e6d3dede577415bfe117b4392c", }, { url: "https://git.kernel.org/stable/c/9c584d6d9cfb935dce8fc81a4c26debac0a3049b", }, { url: "https://git.kernel.org/stable/c/80e82f7b440b65cf131dce10f487dc73a7046e6b", }, { url: "https://git.kernel.org/stable/c/9256db4e45e8b497b0e993cc3ed4ad08eb2389b6", }, ], title: "net: ethernet: nixge: fix NULL dereference", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-49019", datePublished: "2024-10-21T20:06:27.306Z", dateReserved: "2024-08-22T01:27:53.646Z", dateUpdated: "2024-12-19T08:12:33.532Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49941
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-19 09:29
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
gpiolib: Fix potential NULL pointer dereference in gpiod_get_label()
In `gpiod_get_label()`, it is possible that `srcu_dereference_check()` may
return a NULL pointer, leading to a scenario where `label->str` is accessed
without verifying if `label` itself is NULL.
This patch adds a proper NULL check for `label` before accessing
`label->str`. The check for `label->str != NULL` is removed because
`label->str` can never be NULL if `label` is not NULL.
This fixes the issue where the label name was being printed as `(efault)`
when dumping the sysfs GPIO file when `label == NULL`.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49941", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:37:44.721753Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:50.518Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpio/gpiolib.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "9ee4b907d7a5d7a53b4ff7727c371ff3d44ccbbb", status: "affected", version: "a86d27693066a34a29be86f394bbad847b2d1749", versionType: "git", }, { lessThan: "7b99b5ab885993bff010ebcd93be5e511c56e28a", status: "affected", version: "a86d27693066a34a29be86f394bbad847b2d1749", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpio/gpiolib.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.9", }, { lessThan: "6.9", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ngpiolib: Fix potential NULL pointer dereference in gpiod_get_label()\n\nIn `gpiod_get_label()`, it is possible that `srcu_dereference_check()` may\nreturn a NULL pointer, leading to a scenario where `label->str` is accessed\nwithout verifying if `label` itself is NULL.\n\nThis patch adds a proper NULL check for `label` before accessing\n`label->str`. The check for `label->str != NULL` is removed because\n`label->str` can never be NULL if `label` is not NULL.\n\nThis fixes the issue where the label name was being printed as `(efault)`\nwhen dumping the sysfs GPIO file when `label == NULL`.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:29:46.855Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/9ee4b907d7a5d7a53b4ff7727c371ff3d44ccbbb", }, { url: "https://git.kernel.org/stable/c/7b99b5ab885993bff010ebcd93be5e511c56e28a", }, ], title: "gpiolib: Fix potential NULL pointer dereference in gpiod_get_label()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49941", datePublished: "2024-10-21T18:02:00.361Z", dateReserved: "2024-10-21T12:17:06.043Z", dateUpdated: "2024-12-19T09:29:46.855Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50043
Vulnerability from cvelistv5
Published
2024-10-21 19:39
Modified
2024-12-19 09:31
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfsd: fix possible badness in FREE_STATEID
When multiple FREE_STATEIDs are sent for the same delegation stateid,
it can lead to a possible either use-after-free or counter refcount
underflow errors.
In nfsd4_free_stateid() under the client lock we find a delegation
stateid, however the code drops the lock before calling nfs4_put_stid(),
that allows another FREE_STATE to find the stateid again. The first one
will proceed to then free the stateid which leads to either
use-after-free or decrementing already zeroed counter.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50043", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:24:30.411615Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:43.975Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/nfsd/nfs4state.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "7ca9e472ce5c67daa3188a348ece8c02a0765039", status: "affected", version: "3f29cc82a84c23cfd12b903029dd26002ca825f5", versionType: "git", }, { lessThan: "c88c150a467fcb670a1608e2272beeee3e86df6e", status: "affected", version: "3f29cc82a84c23cfd12b903029dd26002ca825f5", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/nfsd/nfs4state.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.9", }, { lessThan: "6.9", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.4", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: fix possible badness in FREE_STATEID\n\nWhen multiple FREE_STATEIDs are sent for the same delegation stateid,\nit can lead to a possible either use-after-free or counter refcount\nunderflow errors.\n\nIn nfsd4_free_stateid() under the client lock we find a delegation\nstateid, however the code drops the lock before calling nfs4_put_stid(),\nthat allows another FREE_STATE to find the stateid again. The first one\nwill proceed to then free the stateid which leads to either\nuse-after-free or decrementing already zeroed counter.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:31:58.757Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/7ca9e472ce5c67daa3188a348ece8c02a0765039", }, { url: "https://git.kernel.org/stable/c/c88c150a467fcb670a1608e2272beeee3e86df6e", }, ], title: "nfsd: fix possible badness in FREE_STATEID", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50043", datePublished: "2024-10-21T19:39:41.758Z", dateReserved: "2024-10-21T12:17:06.071Z", dateUpdated: "2024-12-19T09:31:58.757Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49985
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-19 09:30
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
i2c: stm32f7: Do not prepare/unprepare clock during runtime suspend/resume
In case there is any sort of clock controller attached to this I2C bus
controller, for example Versaclock or even an AIC32x4 I2C codec, then
an I2C transfer triggered from the clock controller clk_ops .prepare
callback may trigger a deadlock on drivers/clk/clk.c prepare_lock mutex.
This is because the clock controller first grabs the prepare_lock mutex
and then performs the prepare operation, including its I2C access. The
I2C access resumes this I2C bus controller via .runtime_resume callback,
which calls clk_prepare_enable(), which attempts to grab the prepare_lock
mutex again and deadlocks.
Since the clock are already prepared since probe() and unprepared in
remove(), use simple clk_enable()/clk_disable() calls to enable and
disable the clock on runtime suspend and resume, to avoid hitting the
prepare_lock mutex.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 4e7bca6fc07bf9526d797b9787dcb21e40cd10cf Version: 4e7bca6fc07bf9526d797b9787dcb21e40cd10cf Version: 4e7bca6fc07bf9526d797b9787dcb21e40cd10cf Version: 4e7bca6fc07bf9526d797b9787dcb21e40cd10cf Version: 4e7bca6fc07bf9526d797b9787dcb21e40cd10cf Version: 4e7bca6fc07bf9526d797b9787dcb21e40cd10cf Version: 4e7bca6fc07bf9526d797b9787dcb21e40cd10cf Version: 4e7bca6fc07bf9526d797b9787dcb21e40cd10cf |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49985", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:31:59.737497Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:43.742Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/i2c/busses/i2c-stm32f7.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "d6f1250a4d5773f447740b9fe37b8692105796d4", status: "affected", version: "4e7bca6fc07bf9526d797b9787dcb21e40cd10cf", versionType: "git", }, { lessThan: "9b8bc33ad64192f54142396470cc34ce539a8940", status: "affected", version: "4e7bca6fc07bf9526d797b9787dcb21e40cd10cf", versionType: "git", }, { lessThan: "1883cad2cc629ded4a3556c0bbb8b42533ad8764", status: "affected", version: "4e7bca6fc07bf9526d797b9787dcb21e40cd10cf", versionType: "git", }, { lessThan: "c2024b1a583ab9176c797ea1e5f57baf8d5e2682", status: "affected", version: "4e7bca6fc07bf9526d797b9787dcb21e40cd10cf", versionType: "git", }, { lessThan: "22a1f8a5b56ba93d3e8b7a1dafa24e01c8bb48ba", status: "affected", version: "4e7bca6fc07bf9526d797b9787dcb21e40cd10cf", versionType: "git", }, { lessThan: "fac3c9f7784e8184c0338e9f0877b81e55d3ef1c", status: "affected", version: "4e7bca6fc07bf9526d797b9787dcb21e40cd10cf", versionType: "git", }, { lessThan: "894cd5f5fd9061983445bbd1fa3d81be43095344", status: "affected", version: "4e7bca6fc07bf9526d797b9787dcb21e40cd10cf", versionType: "git", }, { lessThan: "048bbbdbf85e5e00258dfb12f5e368f908801d7b", status: "affected", version: "4e7bca6fc07bf9526d797b9787dcb21e40cd10cf", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/i2c/busses/i2c-stm32f7.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.0", }, { lessThan: "5.0", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: stm32f7: Do not prepare/unprepare clock during runtime suspend/resume\n\nIn case there is any sort of clock controller attached to this I2C bus\ncontroller, for example Versaclock or even an AIC32x4 I2C codec, then\nan I2C transfer triggered from the clock controller clk_ops .prepare\ncallback may trigger a deadlock on drivers/clk/clk.c prepare_lock mutex.\n\nThis is because the clock controller first grabs the prepare_lock mutex\nand then performs the prepare operation, including its I2C access. The\nI2C access resumes this I2C bus controller via .runtime_resume callback,\nwhich calls clk_prepare_enable(), which attempts to grab the prepare_lock\nmutex again and deadlocks.\n\nSince the clock are already prepared since probe() and unprepared in\nremove(), use simple clk_enable()/clk_disable() calls to enable and\ndisable the clock on runtime suspend and resume, to avoid hitting the\nprepare_lock mutex.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:30:43.222Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/d6f1250a4d5773f447740b9fe37b8692105796d4", }, { url: "https://git.kernel.org/stable/c/9b8bc33ad64192f54142396470cc34ce539a8940", }, { url: "https://git.kernel.org/stable/c/1883cad2cc629ded4a3556c0bbb8b42533ad8764", }, { url: "https://git.kernel.org/stable/c/c2024b1a583ab9176c797ea1e5f57baf8d5e2682", }, { url: "https://git.kernel.org/stable/c/22a1f8a5b56ba93d3e8b7a1dafa24e01c8bb48ba", }, { url: "https://git.kernel.org/stable/c/fac3c9f7784e8184c0338e9f0877b81e55d3ef1c", }, { url: "https://git.kernel.org/stable/c/894cd5f5fd9061983445bbd1fa3d81be43095344", }, { url: "https://git.kernel.org/stable/c/048bbbdbf85e5e00258dfb12f5e368f908801d7b", }, ], title: "i2c: stm32f7: Do not prepare/unprepare clock during runtime suspend/resume", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49985", datePublished: "2024-10-21T18:02:29.827Z", dateReserved: "2024-10-21T12:17:06.054Z", dateUpdated: "2024-12-19T09:30:43.222Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47710
Vulnerability from cvelistv5
Published
2024-10-21 11:53
Modified
2024-12-19 09:26
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
sock_map: Add a cond_resched() in sock_hash_free()
Several syzbot soft lockup reports all have in common sock_hash_free()
If a map with a large number of buckets is destroyed, we need to yield
the cpu when needed.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 5bed77b0a2a0e6b6bc0ae8e851cafb38ef0374df Version: 75e68e5bf2c7fa9d3e874099139df03d5952a3e1 Version: 75e68e5bf2c7fa9d3e874099139df03d5952a3e1 Version: 75e68e5bf2c7fa9d3e874099139df03d5952a3e1 Version: 75e68e5bf2c7fa9d3e874099139df03d5952a3e1 Version: 75e68e5bf2c7fa9d3e874099139df03d5952a3e1 Version: 75e68e5bf2c7fa9d3e874099139df03d5952a3e1 Version: 75e68e5bf2c7fa9d3e874099139df03d5952a3e1 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47710", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:03:22.525296Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:19.097Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/core/sock_map.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "bc05f6855642cff3c0eeb63060b35d8c4f8a851d", status: "affected", version: "5bed77b0a2a0e6b6bc0ae8e851cafb38ef0374df", versionType: "git", }, { lessThan: "1a11a1a53255ddab8a903cdae01b9d3eb2c1a47b", status: "affected", version: "75e68e5bf2c7fa9d3e874099139df03d5952a3e1", versionType: "git", }, { lessThan: "984648aac87a6a1c8fd61663bec3f7b61eafad5e", status: "affected", version: "75e68e5bf2c7fa9d3e874099139df03d5952a3e1", versionType: "git", }, { lessThan: "04f62c012e0e4683e572b30baf6004ca0a3f6772", status: "affected", version: "75e68e5bf2c7fa9d3e874099139df03d5952a3e1", versionType: "git", }, { lessThan: "80bd490ac0a3b662a489e17d8eedeb1e905a3d40", status: "affected", version: "75e68e5bf2c7fa9d3e874099139df03d5952a3e1", versionType: "git", }, { lessThan: "ae8c1b3e7353ad240b829eabac7ba2584b2c6bdc", status: "affected", version: "75e68e5bf2c7fa9d3e874099139df03d5952a3e1", versionType: "git", }, { lessThan: "cd10abf41bae55c9d2b93f34a516dbf52626bcb7", status: "affected", version: "75e68e5bf2c7fa9d3e874099139df03d5952a3e1", versionType: "git", }, { lessThan: "b1339be951ad31947ae19bc25cb08769bf255100", status: "affected", version: "75e68e5bf2c7fa9d3e874099139df03d5952a3e1", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/core/sock_map.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.8", }, { lessThan: "5.8", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nsock_map: Add a cond_resched() in sock_hash_free()\n\nSeveral syzbot soft lockup reports all have in common sock_hash_free()\n\nIf a map with a large number of buckets is destroyed, we need to yield\nthe cpu when needed.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:26:34.456Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/bc05f6855642cff3c0eeb63060b35d8c4f8a851d", }, { url: "https://git.kernel.org/stable/c/1a11a1a53255ddab8a903cdae01b9d3eb2c1a47b", }, { url: "https://git.kernel.org/stable/c/984648aac87a6a1c8fd61663bec3f7b61eafad5e", }, { url: "https://git.kernel.org/stable/c/04f62c012e0e4683e572b30baf6004ca0a3f6772", }, { url: "https://git.kernel.org/stable/c/80bd490ac0a3b662a489e17d8eedeb1e905a3d40", }, { url: "https://git.kernel.org/stable/c/ae8c1b3e7353ad240b829eabac7ba2584b2c6bdc", }, { url: "https://git.kernel.org/stable/c/cd10abf41bae55c9d2b93f34a516dbf52626bcb7", }, { url: "https://git.kernel.org/stable/c/b1339be951ad31947ae19bc25cb08769bf255100", }, ], title: "sock_map: Add a cond_resched() in sock_hash_free()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47710", datePublished: "2024-10-21T11:53:43.420Z", dateReserved: "2024-09-30T16:00:12.947Z", dateUpdated: "2024-12-19T09:26:34.456Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48959
Vulnerability from cvelistv5
Published
2024-10-21 20:05
Modified
2024-12-19 08:11
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: dsa: sja1105: fix memory leak in sja1105_setup_devlink_regions()
When dsa_devlink_region_create failed in sja1105_setup_devlink_regions(),
priv->regions is not released.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48959", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:20:37.907468Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:39.436Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/dsa/sja1105/sja1105_devlink.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "4be43e46c3f945fc7dd9e23c73a7a66927a3b814", status: "affected", version: "bf425b82059e0b0752c0026353c1902112200837", versionType: "git", }, { lessThan: "f3b5dda26cd0535aac09ed09c5d83f19b979ec9f", status: "affected", version: "bf425b82059e0b0752c0026353c1902112200837", versionType: "git", }, { lessThan: "e5e59629654b8826f0167dae480d0e3fa0f8f038", status: "affected", version: "bf425b82059e0b0752c0026353c1902112200837", versionType: "git", }, { lessThan: "78a9ea43fc1a7c06a420b132d2d47cbf4344a5df", status: "affected", version: "bf425b82059e0b0752c0026353c1902112200837", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/dsa/sja1105/sja1105_devlink.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.10", }, { lessThan: "5.10", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.159", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.83", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.13", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: sja1105: fix memory leak in sja1105_setup_devlink_regions()\n\nWhen dsa_devlink_region_create failed in sja1105_setup_devlink_regions(),\npriv->regions is not released.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:11:22.493Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/4be43e46c3f945fc7dd9e23c73a7a66927a3b814", }, { url: "https://git.kernel.org/stable/c/f3b5dda26cd0535aac09ed09c5d83f19b979ec9f", }, { url: "https://git.kernel.org/stable/c/e5e59629654b8826f0167dae480d0e3fa0f8f038", }, { url: "https://git.kernel.org/stable/c/78a9ea43fc1a7c06a420b132d2d47cbf4344a5df", }, ], title: "net: dsa: sja1105: fix memory leak in sja1105_setup_devlink_regions()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48959", datePublished: "2024-10-21T20:05:44.447Z", dateReserved: "2024-08-22T01:27:53.627Z", dateUpdated: "2024-12-19T08:11:22.493Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47681
Vulnerability from cvelistv5
Published
2024-10-21 11:53
Modified
2024-12-19 09:25
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mt76: mt7996: fix NULL pointer dereference in mt7996_mcu_sta_bfer_he
Fix the NULL pointer dereference in mt7996_mcu_sta_bfer_he
routine adding an sta interface to the mt7996 driver.
Found by code review.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47681", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:07:16.939766Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:14:16.609Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/wireless/mediatek/mt76/mt7996/mcu.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "8e4b60ae8a047ad2fb175fcfdd54feee80983a45", status: "affected", version: "98686cd21624c75a043e96812beadddf4f6f48e5", versionType: "git", }, { lessThan: "174c803b432596cdd7dd3ec5e0ec52b561969ee2", status: "affected", version: "98686cd21624c75a043e96812beadddf4f6f48e5", versionType: "git", }, { lessThan: "1afdde3b5f56217d875a543cf565075c11bbddad", status: "affected", version: "98686cd21624c75a043e96812beadddf4f6f48e5", versionType: "git", }, { lessThan: "f503ae90c7355e8506e68498fe84c1357894cd5b", status: "affected", version: "98686cd21624c75a043e96812beadddf4f6f48e5", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/wireless/mediatek/mt76/mt7996/mcu.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.2", }, { lessThan: "6.2", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7996: fix NULL pointer dereference in mt7996_mcu_sta_bfer_he\n\nFix the NULL pointer dereference in mt7996_mcu_sta_bfer_he\nroutine adding an sta interface to the mt7996 driver.\n\nFound by code review.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:25:47.966Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/8e4b60ae8a047ad2fb175fcfdd54feee80983a45", }, { url: "https://git.kernel.org/stable/c/174c803b432596cdd7dd3ec5e0ec52b561969ee2", }, { url: "https://git.kernel.org/stable/c/1afdde3b5f56217d875a543cf565075c11bbddad", }, { url: "https://git.kernel.org/stable/c/f503ae90c7355e8506e68498fe84c1357894cd5b", }, ], title: "wifi: mt76: mt7996: fix NULL pointer dereference in mt7996_mcu_sta_bfer_he", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47681", datePublished: "2024-10-21T11:53:23.785Z", dateReserved: "2024-09-30T16:00:12.940Z", dateUpdated: "2024-12-19T09:25:47.966Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49875
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:28
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfsd: map the EBADMSG to nfserr_io to avoid warning
Ext4 will throw -EBADMSG through ext4_readdir when a checksum error
occurs, resulting in the following WARNING.
Fix it by mapping EBADMSG to nfserr_io.
nfsd_buffered_readdir
iterate_dir // -EBADMSG -74
ext4_readdir // .iterate_shared
ext4_dx_readdir
ext4_htree_fill_tree
htree_dirblock_to_tree
ext4_read_dirblock
__ext4_read_dirblock
ext4_dirblock_csum_verify
warn_no_space_for_csum
__warn_no_space_for_csum
return ERR_PTR(-EFSBADCRC) // -EBADMSG -74
nfserrno // WARNING
[ 161.115610] ------------[ cut here ]------------
[ 161.116465] nfsd: non-standard errno: -74
[ 161.117315] WARNING: CPU: 1 PID: 780 at fs/nfsd/nfsproc.c:878 nfserrno+0x9d/0xd0
[ 161.118596] Modules linked in:
[ 161.119243] CPU: 1 PID: 780 Comm: nfsd Not tainted 5.10.0-00014-g79679361fd5d #138
[ 161.120684] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qe
mu.org 04/01/2014
[ 161.123601] RIP: 0010:nfserrno+0x9d/0xd0
[ 161.124676] Code: 0f 87 da 30 dd 00 83 e3 01 b8 00 00 00 05 75 d7 44 89 ee 48 c7 c7 c0 57 24 98 89 44 24 04 c6
05 ce 2b 61 03 01 e8 99 20 d8 00 <0f> 0b 8b 44 24 04 eb b5 4c 89 e6 48 c7 c7 a0 6d a4 99 e8 cc 15 33
[ 161.127797] RSP: 0018:ffffc90000e2f9c0 EFLAGS: 00010286
[ 161.128794] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 161.130089] RDX: 1ffff1103ee16f6d RSI: 0000000000000008 RDI: fffff520001c5f2a
[ 161.131379] RBP: 0000000000000022 R08: 0000000000000001 R09: ffff8881f70c1827
[ 161.132664] R10: ffffed103ee18304 R11: 0000000000000001 R12: 0000000000000021
[ 161.133949] R13: 00000000ffffffb6 R14: ffff8881317c0000 R15: ffffc90000e2fbd8
[ 161.135244] FS: 0000000000000000(0000) GS:ffff8881f7080000(0000) knlGS:0000000000000000
[ 161.136695] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 161.137761] CR2: 00007fcaad70b348 CR3: 0000000144256006 CR4: 0000000000770ee0
[ 161.139041] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 161.140291] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 161.141519] PKRU: 55555554
[ 161.142076] Call Trace:
[ 161.142575] ? __warn+0x9b/0x140
[ 161.143229] ? nfserrno+0x9d/0xd0
[ 161.143872] ? report_bug+0x125/0x150
[ 161.144595] ? handle_bug+0x41/0x90
[ 161.145284] ? exc_invalid_op+0x14/0x70
[ 161.146009] ? asm_exc_invalid_op+0x12/0x20
[ 161.146816] ? nfserrno+0x9d/0xd0
[ 161.147487] nfsd_buffered_readdir+0x28b/0x2b0
[ 161.148333] ? nfsd4_encode_dirent_fattr+0x380/0x380
[ 161.149258] ? nfsd_buffered_filldir+0xf0/0xf0
[ 161.150093] ? wait_for_concurrent_writes+0x170/0x170
[ 161.151004] ? generic_file_llseek_size+0x48/0x160
[ 161.151895] nfsd_readdir+0x132/0x190
[ 161.152606] ? nfsd4_encode_dirent_fattr+0x380/0x380
[ 161.153516] ? nfsd_unlink+0x380/0x380
[ 161.154256] ? override_creds+0x45/0x60
[ 161.155006] nfsd4_encode_readdir+0x21a/0x3d0
[ 161.155850] ? nfsd4_encode_readlink+0x210/0x210
[ 161.156731] ? write_bytes_to_xdr_buf+0x97/0xe0
[ 161.157598] ? __write_bytes_to_xdr_buf+0xd0/0xd0
[ 161.158494] ? lock_downgrade+0x90/0x90
[ 161.159232] ? nfs4svc_decode_voidarg+0x10/0x10
[ 161.160092] nfsd4_encode_operation+0x15a/0x440
[ 161.160959] nfsd4_proc_compound+0x718/0xe90
[ 161.161818] nfsd_dispatch+0x18e/0x2c0
[ 161.162586] svc_process_common+0x786/0xc50
[ 161.163403] ? nfsd_svc+0x380/0x380
[ 161.164137] ? svc_printk+0x160/0x160
[ 161.164846] ? svc_xprt_do_enqueue.part.0+0x365/0x380
[ 161.165808] ? nfsd_svc+0x380/0x380
[ 161.166523] ? rcu_is_watching+0x23/0x40
[ 161.167309] svc_process+0x1a5/0x200
[ 161.168019] nfsd+0x1f5/0x380
[ 161.168663] ? nfsd_shutdown_threads+0x260/0x260
[ 161.169554] kthread+0x1c4/0x210
[ 161.170224] ? kthread_insert_work_sanity_check+0x80/0x80
[ 161.171246] ret_from_fork+0x1f/0x30
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49875", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:46:25.129845Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:51.375Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/nfsd/vfs.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "0ea4333c679f333e23956de743ad17387819d3f2", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "825789ca94602543101045ad3aad19b2b60c6b2a", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "6fe058502f8864649c3d614b06b2235223798f48", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "f7d8ee9db94372b8235f5f22bb24381891594c42", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "c76005adfa93d1a027433331252422078750321f", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "e9cfecca22a36b927a440abc6307efb9e138fed5", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "340e61e44c1d2a15c42ec72ade9195ad525fd048", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/nfsd/vfs.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: map the EBADMSG to nfserr_io to avoid warning\n\nExt4 will throw -EBADMSG through ext4_readdir when a checksum error\noccurs, resulting in the following WARNING.\n\nFix it by mapping EBADMSG to nfserr_io.\n\nnfsd_buffered_readdir\n iterate_dir // -EBADMSG -74\n ext4_readdir // .iterate_shared\n ext4_dx_readdir\n ext4_htree_fill_tree\n htree_dirblock_to_tree\n ext4_read_dirblock\n __ext4_read_dirblock\n ext4_dirblock_csum_verify\n warn_no_space_for_csum\n __warn_no_space_for_csum\n return ERR_PTR(-EFSBADCRC) // -EBADMSG -74\n nfserrno // WARNING\n\n[ 161.115610] ------------[ cut here ]------------\n[ 161.116465] nfsd: non-standard errno: -74\n[ 161.117315] WARNING: CPU: 1 PID: 780 at fs/nfsd/nfsproc.c:878 nfserrno+0x9d/0xd0\n[ 161.118596] Modules linked in:\n[ 161.119243] CPU: 1 PID: 780 Comm: nfsd Not tainted 5.10.0-00014-g79679361fd5d #138\n[ 161.120684] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qe\nmu.org 04/01/2014\n[ 161.123601] RIP: 0010:nfserrno+0x9d/0xd0\n[ 161.124676] Code: 0f 87 da 30 dd 00 83 e3 01 b8 00 00 00 05 75 d7 44 89 ee 48 c7 c7 c0 57 24 98 89 44 24 04 c6\n 05 ce 2b 61 03 01 e8 99 20 d8 00 <0f> 0b 8b 44 24 04 eb b5 4c 89 e6 48 c7 c7 a0 6d a4 99 e8 cc 15 33\n[ 161.127797] RSP: 0018:ffffc90000e2f9c0 EFLAGS: 00010286\n[ 161.128794] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000\n[ 161.130089] RDX: 1ffff1103ee16f6d RSI: 0000000000000008 RDI: fffff520001c5f2a\n[ 161.131379] RBP: 0000000000000022 R08: 0000000000000001 R09: ffff8881f70c1827\n[ 161.132664] R10: ffffed103ee18304 R11: 0000000000000001 R12: 0000000000000021\n[ 161.133949] R13: 00000000ffffffb6 R14: ffff8881317c0000 R15: ffffc90000e2fbd8\n[ 161.135244] FS: 0000000000000000(0000) GS:ffff8881f7080000(0000) knlGS:0000000000000000\n[ 161.136695] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 161.137761] CR2: 00007fcaad70b348 CR3: 0000000144256006 CR4: 0000000000770ee0\n[ 161.139041] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 161.140291] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 161.141519] PKRU: 55555554\n[ 161.142076] Call Trace:\n[ 161.142575] ? __warn+0x9b/0x140\n[ 161.143229] ? nfserrno+0x9d/0xd0\n[ 161.143872] ? report_bug+0x125/0x150\n[ 161.144595] ? handle_bug+0x41/0x90\n[ 161.145284] ? exc_invalid_op+0x14/0x70\n[ 161.146009] ? asm_exc_invalid_op+0x12/0x20\n[ 161.146816] ? nfserrno+0x9d/0xd0\n[ 161.147487] nfsd_buffered_readdir+0x28b/0x2b0\n[ 161.148333] ? nfsd4_encode_dirent_fattr+0x380/0x380\n[ 161.149258] ? nfsd_buffered_filldir+0xf0/0xf0\n[ 161.150093] ? wait_for_concurrent_writes+0x170/0x170\n[ 161.151004] ? generic_file_llseek_size+0x48/0x160\n[ 161.151895] nfsd_readdir+0x132/0x190\n[ 161.152606] ? nfsd4_encode_dirent_fattr+0x380/0x380\n[ 161.153516] ? nfsd_unlink+0x380/0x380\n[ 161.154256] ? override_creds+0x45/0x60\n[ 161.155006] nfsd4_encode_readdir+0x21a/0x3d0\n[ 161.155850] ? nfsd4_encode_readlink+0x210/0x210\n[ 161.156731] ? write_bytes_to_xdr_buf+0x97/0xe0\n[ 161.157598] ? __write_bytes_to_xdr_buf+0xd0/0xd0\n[ 161.158494] ? lock_downgrade+0x90/0x90\n[ 161.159232] ? nfs4svc_decode_voidarg+0x10/0x10\n[ 161.160092] nfsd4_encode_operation+0x15a/0x440\n[ 161.160959] nfsd4_proc_compound+0x718/0xe90\n[ 161.161818] nfsd_dispatch+0x18e/0x2c0\n[ 161.162586] svc_process_common+0x786/0xc50\n[ 161.163403] ? nfsd_svc+0x380/0x380\n[ 161.164137] ? svc_printk+0x160/0x160\n[ 161.164846] ? svc_xprt_do_enqueue.part.0+0x365/0x380\n[ 161.165808] ? nfsd_svc+0x380/0x380\n[ 161.166523] ? rcu_is_watching+0x23/0x40\n[ 161.167309] svc_process+0x1a5/0x200\n[ 161.168019] nfsd+0x1f5/0x380\n[ 161.168663] ? nfsd_shutdown_threads+0x260/0x260\n[ 161.169554] kthread+0x1c4/0x210\n[ 161.170224] ? kthread_insert_work_sanity_check+0x80/0x80\n[ 161.171246] ret_from_fork+0x1f/0x30", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:28:04.114Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/0ea4333c679f333e23956de743ad17387819d3f2", }, { url: "https://git.kernel.org/stable/c/825789ca94602543101045ad3aad19b2b60c6b2a", }, { url: "https://git.kernel.org/stable/c/6fe058502f8864649c3d614b06b2235223798f48", }, { url: "https://git.kernel.org/stable/c/f7d8ee9db94372b8235f5f22bb24381891594c42", }, { url: "https://git.kernel.org/stable/c/c76005adfa93d1a027433331252422078750321f", }, { url: "https://git.kernel.org/stable/c/e9cfecca22a36b927a440abc6307efb9e138fed5", }, { url: "https://git.kernel.org/stable/c/340e61e44c1d2a15c42ec72ade9195ad525fd048", }, ], title: "nfsd: map the EBADMSG to nfserr_io to avoid warning", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49875", datePublished: "2024-10-21T18:01:15.434Z", dateReserved: "2024-10-21T12:17:06.020Z", dateUpdated: "2024-12-19T09:28:04.114Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47727
Vulnerability from cvelistv5
Published
2024-10-21 12:14
Modified
2024-12-19 09:26
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
x86/tdx: Fix "in-kernel MMIO" check
TDX only supports kernel-initiated MMIO operations. The handle_mmio()
function checks if the #VE exception occurred in the kernel and rejects
the operation if it did not.
However, userspace can deceive the kernel into performing MMIO on its
behalf. For example, if userspace can point a syscall to an MMIO address,
syscall does get_user() or put_user() on it, triggering MMIO #VE. The
kernel will treat the #VE as in-kernel MMIO.
Ensure that the target MMIO address is within the kernel before decoding
instruction.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 31d58c4e557d46fa7f8557714250fb6f89c941ae Version: 31d58c4e557d46fa7f8557714250fb6f89c941ae Version: 31d58c4e557d46fa7f8557714250fb6f89c941ae Version: 31d58c4e557d46fa7f8557714250fb6f89c941ae Version: 31d58c4e557d46fa7f8557714250fb6f89c941ae |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47727", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:01:01.673306Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:16.452Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "arch/x86/coco/tdx/tdx.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "25703a3c980e21548774eea8c8a87a75c5c8f58c", status: "affected", version: "31d58c4e557d46fa7f8557714250fb6f89c941ae", versionType: "git", }, { lessThan: "4c0c5dcb5471de5fc8f0a1c4980e5815339e1cee", status: "affected", version: "31d58c4e557d46fa7f8557714250fb6f89c941ae", versionType: "git", }, { lessThan: "18ecd5b74682839e7cdafb7cd1ec106df7baa18c", status: "affected", version: "31d58c4e557d46fa7f8557714250fb6f89c941ae", versionType: "git", }, { lessThan: "bca2e29f7e26ce7c3522f8b324c0bd85612f68e3", status: "affected", version: "31d58c4e557d46fa7f8557714250fb6f89c941ae", versionType: "git", }, { lessThan: "d4fc4d01471528da8a9797a065982e05090e1d81", status: "affected", version: "31d58c4e557d46fa7f8557714250fb6f89c941ae", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "arch/x86/coco/tdx/tdx.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.19", }, { lessThan: "5.19", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/tdx: Fix \"in-kernel MMIO\" check\n\nTDX only supports kernel-initiated MMIO operations. The handle_mmio()\nfunction checks if the #VE exception occurred in the kernel and rejects\nthe operation if it did not.\n\nHowever, userspace can deceive the kernel into performing MMIO on its\nbehalf. For example, if userspace can point a syscall to an MMIO address,\nsyscall does get_user() or put_user() on it, triggering MMIO #VE. The\nkernel will treat the #VE as in-kernel MMIO.\n\nEnsure that the target MMIO address is within the kernel before decoding\ninstruction.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:26:52.916Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/25703a3c980e21548774eea8c8a87a75c5c8f58c", }, { url: "https://git.kernel.org/stable/c/4c0c5dcb5471de5fc8f0a1c4980e5815339e1cee", }, { url: "https://git.kernel.org/stable/c/18ecd5b74682839e7cdafb7cd1ec106df7baa18c", }, { url: "https://git.kernel.org/stable/c/bca2e29f7e26ce7c3522f8b324c0bd85612f68e3", }, { url: "https://git.kernel.org/stable/c/d4fc4d01471528da8a9797a065982e05090e1d81", }, ], title: "x86/tdx: Fix \"in-kernel MMIO\" check", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47727", datePublished: "2024-10-21T12:14:00.330Z", dateReserved: "2024-09-30T16:00:12.957Z", dateUpdated: "2024-12-19T09:26:52.916Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47725
Vulnerability from cvelistv5
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Show details on NVD website{ containers: { cna: { providerMetadata: { dateUpdated: "2024-10-23T06:07:36.698Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, rejectedReasons: [ { lang: "en", value: "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", }, ], }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47725", datePublished: "2024-10-21T12:13:58.942Z", dateRejected: "2024-10-23T06:07:36.698Z", dateReserved: "2024-09-30T16:00:12.957Z", dateUpdated: "2024-10-23T06:07:36.698Z", state: "REJECTED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50019
Vulnerability from cvelistv5
Published
2024-10-21 19:39
Modified
2024-12-19 09:31
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
kthread: unpark only parked kthread
Calling into kthread unparking unconditionally is mostly harmless when
the kthread is already unparked. The wake up is then simply ignored
because the target is not in TASK_PARKED state.
However if the kthread is per CPU, the wake up is preceded by a call
to kthread_bind() which expects the task to be inactive and in
TASK_PARKED state, which obviously isn't the case if it is unparked.
As a result, calling kthread_stop() on an unparked per-cpu kthread
triggers such a warning:
WARNING: CPU: 0 PID: 11 at kernel/kthread.c:525 __kthread_bind_mask kernel/kthread.c:525
<TASK>
kthread_stop+0x17a/0x630 kernel/kthread.c:707
destroy_workqueue+0x136/0xc40 kernel/workqueue.c:5810
wg_destruct+0x1e2/0x2e0 drivers/net/wireguard/device.c:257
netdev_run_todo+0xe1a/0x1000 net/core/dev.c:10693
default_device_exit_batch+0xa14/0xa90 net/core/dev.c:11769
ops_exit_list net/core/net_namespace.c:178 [inline]
cleanup_net+0x89d/0xcc0 net/core/net_namespace.c:640
process_one_work kernel/workqueue.c:3231 [inline]
process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
worker_thread+0x86d/0xd70 kernel/workqueue.c:3393
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Fix this with skipping unecessary unparking while stopping a kthread.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 5c25b5ff89f004c30b04759dc34ace8585a4085f Version: 5c25b5ff89f004c30b04759dc34ace8585a4085f Version: 5c25b5ff89f004c30b04759dc34ace8585a4085f Version: 5c25b5ff89f004c30b04759dc34ace8585a4085f Version: 5c25b5ff89f004c30b04759dc34ace8585a4085f |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50019", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:27:38.124925Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:47.562Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "kernel/kthread.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "40a6e660d2a3a7a5cb99f0b8ff4fb41bad039f68", status: "affected", version: "5c25b5ff89f004c30b04759dc34ace8585a4085f", versionType: "git", }, { lessThan: "8608196a155cb6cfae04d96b10a2652d0327e33f", status: "affected", version: "5c25b5ff89f004c30b04759dc34ace8585a4085f", versionType: "git", }, { lessThan: "19a5029981c87c2ad0845e713837faa88f5d8e2b", status: "affected", version: "5c25b5ff89f004c30b04759dc34ace8585a4085f", versionType: "git", }, { lessThan: "cda5423c1a1c906062ef235c940f249b97d9d135", status: "affected", version: "5c25b5ff89f004c30b04759dc34ace8585a4085f", versionType: "git", }, { lessThan: "214e01ad4ed7158cab66498810094fac5d09b218", status: "affected", version: "5c25b5ff89f004c30b04759dc34ace8585a4085f", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "kernel/kthread.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.11", }, { lessThan: "5.11", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.57", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.4", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nkthread: unpark only parked kthread\n\nCalling into kthread unparking unconditionally is mostly harmless when\nthe kthread is already unparked. The wake up is then simply ignored\nbecause the target is not in TASK_PARKED state.\n\nHowever if the kthread is per CPU, the wake up is preceded by a call\nto kthread_bind() which expects the task to be inactive and in\nTASK_PARKED state, which obviously isn't the case if it is unparked.\n\nAs a result, calling kthread_stop() on an unparked per-cpu kthread\ntriggers such a warning:\n\n\tWARNING: CPU: 0 PID: 11 at kernel/kthread.c:525 __kthread_bind_mask kernel/kthread.c:525\n\t <TASK>\n\t kthread_stop+0x17a/0x630 kernel/kthread.c:707\n\t destroy_workqueue+0x136/0xc40 kernel/workqueue.c:5810\n\t wg_destruct+0x1e2/0x2e0 drivers/net/wireguard/device.c:257\n\t netdev_run_todo+0xe1a/0x1000 net/core/dev.c:10693\n\t default_device_exit_batch+0xa14/0xa90 net/core/dev.c:11769\n\t ops_exit_list net/core/net_namespace.c:178 [inline]\n\t cleanup_net+0x89d/0xcc0 net/core/net_namespace.c:640\n\t process_one_work kernel/workqueue.c:3231 [inline]\n\t process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312\n\t worker_thread+0x86d/0xd70 kernel/workqueue.c:3393\n\t kthread+0x2f0/0x390 kernel/kthread.c:389\n\t ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n\t ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n\t </TASK>\n\nFix this with skipping unecessary unparking while stopping a kthread.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:31:28.700Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/40a6e660d2a3a7a5cb99f0b8ff4fb41bad039f68", }, { url: "https://git.kernel.org/stable/c/8608196a155cb6cfae04d96b10a2652d0327e33f", }, { url: "https://git.kernel.org/stable/c/19a5029981c87c2ad0845e713837faa88f5d8e2b", }, { url: "https://git.kernel.org/stable/c/cda5423c1a1c906062ef235c940f249b97d9d135", }, { url: "https://git.kernel.org/stable/c/214e01ad4ed7158cab66498810094fac5d09b218", }, ], title: "kthread: unpark only parked kthread", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50019", datePublished: "2024-10-21T19:39:25.908Z", dateReserved: "2024-10-21T12:17:06.064Z", dateUpdated: "2024-12-19T09:31:28.700Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50003
Vulnerability from cvelistv5
Published
2024-10-21 18:53
Modified
2024-12-19 09:31
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Fix system hang while resume with TBT monitor
[Why]
Connected with a Thunderbolt monitor and do the suspend and the system
may hang while resume.
The TBT monitor HPD will be triggered during the resume procedure
and call the drm_client_modeset_probe() while
struct drm_connector connector->dev->master is NULL.
It will mess up the pipe topology after resume.
[How]
Skip the TBT monitor HPD during the resume procedure because we
currently will probe the connectors after resume by default.
(cherry picked from commit 453f86a26945207a16b8f66aaed5962dc2b95b85)
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50003", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:29:41.534295Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:40.794Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "eb9329cd882aa274e92bdb1003bc088433fdee86", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "722d2d8fc423108597b97efbf165187d16d9aa1e", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "68d603f467a75618eeae5bfe8af32cda47097010", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "73e441be033d3ed0bdff09b575da3e7d4606ffc9", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "c2356296f546326f9f06c109e201d42201e1e783", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "52d4e3fb3d340447dcdac0e14ff21a764f326907", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix system hang while resume with TBT monitor\n\n[Why]\nConnected with a Thunderbolt monitor and do the suspend and the system\nmay hang while resume.\n\nThe TBT monitor HPD will be triggered during the resume procedure\nand call the drm_client_modeset_probe() while\nstruct drm_connector connector->dev->master is NULL.\n\nIt will mess up the pipe topology after resume.\n\n[How]\nSkip the TBT monitor HPD during the resume procedure because we\ncurrently will probe the connectors after resume by default.\n\n(cherry picked from commit 453f86a26945207a16b8f66aaed5962dc2b95b85)", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:31:05.045Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/eb9329cd882aa274e92bdb1003bc088433fdee86", }, { url: "https://git.kernel.org/stable/c/722d2d8fc423108597b97efbf165187d16d9aa1e", }, { url: "https://git.kernel.org/stable/c/68d603f467a75618eeae5bfe8af32cda47097010", }, { url: "https://git.kernel.org/stable/c/73e441be033d3ed0bdff09b575da3e7d4606ffc9", }, { url: "https://git.kernel.org/stable/c/c2356296f546326f9f06c109e201d42201e1e783", }, { url: "https://git.kernel.org/stable/c/52d4e3fb3d340447dcdac0e14ff21a764f326907", }, ], title: "drm/amd/display: Fix system hang while resume with TBT monitor", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50003", datePublished: "2024-10-21T18:53:57.938Z", dateReserved: "2024-10-21T12:17:06.059Z", dateUpdated: "2024-12-19T09:31:05.045Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49925
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:29
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fbdev: efifb: Register sysfs groups through driver core
The driver core can register and cleanup sysfs groups already.
Make use of that functionality to simplify the error handling and
cleanup.
Also avoid a UAF race during unregistering where the sysctl attributes
were usable after the info struct was freed.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49925", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:39:49.983687Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:44.061Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/video/fbdev/efifb.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "2a9c40c72097b583b23aeb2a26d429ccfc81fbc1", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "36bfefb6baaa8e46de44f4fd919ce4347337620f", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "872cd2d029d2c970a8a1eea88b48dab2b3f2e93a", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "4684d69b9670a83992189f6271dc0fcdec4ed0d7", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "95cdd538e0e5677efbdf8aade04ec098ab98f457", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/video/fbdev/efifb.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.120", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: efifb: Register sysfs groups through driver core\n\nThe driver core can register and cleanup sysfs groups already.\nMake use of that functionality to simplify the error handling and\ncleanup.\n\nAlso avoid a UAF race during unregistering where the sysctl attributes\nwere usable after the info struct was freed.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:29:09.920Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/2a9c40c72097b583b23aeb2a26d429ccfc81fbc1", }, { url: "https://git.kernel.org/stable/c/36bfefb6baaa8e46de44f4fd919ce4347337620f", }, { url: "https://git.kernel.org/stable/c/872cd2d029d2c970a8a1eea88b48dab2b3f2e93a", }, { url: "https://git.kernel.org/stable/c/4684d69b9670a83992189f6271dc0fcdec4ed0d7", }, { url: "https://git.kernel.org/stable/c/95cdd538e0e5677efbdf8aade04ec098ab98f457", }, ], title: "fbdev: efifb: Register sysfs groups through driver core", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49925", datePublished: "2024-10-21T18:01:49.732Z", dateReserved: "2024-10-21T12:17:06.036Z", dateUpdated: "2024-12-19T09:29:09.920Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49952
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-19 09:30
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: prevent nf_skb_duplicated corruption
syzbot found that nf_dup_ipv4() or nf_dup_ipv6() could write
per-cpu variable nf_skb_duplicated in an unsafe way [1].
Disabling preemption as hinted by the splat is not enough,
we have to disable soft interrupts as well.
[1]
BUG: using __this_cpu_write() in preemptible [00000000] code: syz.4.282/6316
caller is nf_dup_ipv4+0x651/0x8f0 net/ipv4/netfilter/nf_dup_ipv4.c:87
CPU: 0 UID: 0 PID: 6316 Comm: syz.4.282 Not tainted 6.11.0-rc7-syzkaller-00104-g7052622fccb1 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:93 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
check_preemption_disabled+0x10e/0x120 lib/smp_processor_id.c:49
nf_dup_ipv4+0x651/0x8f0 net/ipv4/netfilter/nf_dup_ipv4.c:87
nft_dup_ipv4_eval+0x1db/0x300 net/ipv4/netfilter/nft_dup_ipv4.c:30
expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
nft_do_chain+0x4ad/0x1da0 net/netfilter/nf_tables_core.c:288
nft_do_chain_ipv4+0x202/0x320 net/netfilter/nft_chain_filter.c:23
nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626
nf_hook+0x2c4/0x450 include/linux/netfilter.h:269
NF_HOOK_COND include/linux/netfilter.h:302 [inline]
ip_output+0x185/0x230 net/ipv4/ip_output.c:433
ip_local_out net/ipv4/ip_output.c:129 [inline]
ip_send_skb+0x74/0x100 net/ipv4/ip_output.c:1495
udp_send_skb+0xacf/0x1650 net/ipv4/udp.c:981
udp_sendmsg+0x1c21/0x2a60 net/ipv4/udp.c:1269
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x1a6/0x270 net/socket.c:745
____sys_sendmsg+0x525/0x7d0 net/socket.c:2597
___sys_sendmsg net/socket.c:2651 [inline]
__sys_sendmmsg+0x3b2/0x740 net/socket.c:2737
__do_sys_sendmmsg net/socket.c:2766 [inline]
__se_sys_sendmmsg net/socket.c:2763 [inline]
__x64_sys_sendmmsg+0xa0/0xb0 net/socket.c:2763
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f4ce4f7def9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f4ce5d4a038 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00007f4ce5135f80 RCX: 00007f4ce4f7def9
RDX: 0000000000000001 RSI: 0000000020005d40 RDI: 0000000000000006
RBP: 00007f4ce4ff0b76 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f4ce5135f80 R15: 00007ffd4cbc6d68
</TASK>
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: d877f07112f1e5a247c6b585c971a93895c9f738 Version: d877f07112f1e5a247c6b585c971a93895c9f738 Version: d877f07112f1e5a247c6b585c971a93895c9f738 Version: d877f07112f1e5a247c6b585c971a93895c9f738 Version: d877f07112f1e5a247c6b585c971a93895c9f738 Version: d877f07112f1e5a247c6b585c971a93895c9f738 Version: d877f07112f1e5a247c6b585c971a93895c9f738 Version: d877f07112f1e5a247c6b585c971a93895c9f738 Version: d877f07112f1e5a247c6b585c971a93895c9f738 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49952", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:36:15.803620Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:48.971Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/ipv4/netfilter/nf_dup_ipv4.c", "net/ipv6/netfilter/nf_dup_ipv6.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "50067d8b3f48e4cd4c9e817d3e9a5b5ff3507ca7", status: "affected", version: "d877f07112f1e5a247c6b585c971a93895c9f738", versionType: "git", }, { lessThan: "c0add6ed2cf1c4733cd489efc61faeccd3433b41", status: "affected", version: "d877f07112f1e5a247c6b585c971a93895c9f738", versionType: "git", }, { lessThan: "531754952f5dfc4b141523088147071d6e6112c4", status: "affected", version: "d877f07112f1e5a247c6b585c971a93895c9f738", versionType: "git", }, { lessThan: "38e3fd0c4a2616052eb3c8f4e6f32d1ff47cd663", status: "affected", version: "d877f07112f1e5a247c6b585c971a93895c9f738", versionType: "git", }, { lessThan: "b40b027a0c0cc1cb9471a13f9730bb2fff12a15b", status: "affected", version: "d877f07112f1e5a247c6b585c971a93895c9f738", versionType: "git", }, { lessThan: "4e3542f40f3a94efa59ea328e307c50601ed7065", status: "affected", version: "d877f07112f1e5a247c6b585c971a93895c9f738", versionType: "git", }, { lessThan: "f839c5cd348201fec440d987cbca9b979bdb4fa7", status: "affected", version: "d877f07112f1e5a247c6b585c971a93895c9f738", versionType: "git", }, { lessThan: "752e1924604254f1708f3e3700283a86ebdd325d", status: "affected", version: "d877f07112f1e5a247c6b585c971a93895c9f738", versionType: "git", }, { lessThan: "92ceba94de6fb4cee2bf40b485979c342f44a492", status: "affected", version: "d877f07112f1e5a247c6b585c971a93895c9f738", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/ipv4/netfilter/nf_dup_ipv4.c", "net/ipv6/netfilter/nf_dup_ipv6.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "4.3", }, { lessThan: "4.3", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: prevent nf_skb_duplicated corruption\n\nsyzbot found that nf_dup_ipv4() or nf_dup_ipv6() could write\nper-cpu variable nf_skb_duplicated in an unsafe way [1].\n\nDisabling preemption as hinted by the splat is not enough,\nwe have to disable soft interrupts as well.\n\n[1]\nBUG: using __this_cpu_write() in preemptible [00000000] code: syz.4.282/6316\n caller is nf_dup_ipv4+0x651/0x8f0 net/ipv4/netfilter/nf_dup_ipv4.c:87\nCPU: 0 UID: 0 PID: 6316 Comm: syz.4.282 Not tainted 6.11.0-rc7-syzkaller-00104-g7052622fccb1 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:93 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119\n check_preemption_disabled+0x10e/0x120 lib/smp_processor_id.c:49\n nf_dup_ipv4+0x651/0x8f0 net/ipv4/netfilter/nf_dup_ipv4.c:87\n nft_dup_ipv4_eval+0x1db/0x300 net/ipv4/netfilter/nft_dup_ipv4.c:30\n expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]\n nft_do_chain+0x4ad/0x1da0 net/netfilter/nf_tables_core.c:288\n nft_do_chain_ipv4+0x202/0x320 net/netfilter/nft_chain_filter.c:23\n nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]\n nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626\n nf_hook+0x2c4/0x450 include/linux/netfilter.h:269\n NF_HOOK_COND include/linux/netfilter.h:302 [inline]\n ip_output+0x185/0x230 net/ipv4/ip_output.c:433\n ip_local_out net/ipv4/ip_output.c:129 [inline]\n ip_send_skb+0x74/0x100 net/ipv4/ip_output.c:1495\n udp_send_skb+0xacf/0x1650 net/ipv4/udp.c:981\n udp_sendmsg+0x1c21/0x2a60 net/ipv4/udp.c:1269\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x1a6/0x270 net/socket.c:745\n ____sys_sendmsg+0x525/0x7d0 net/socket.c:2597\n ___sys_sendmsg net/socket.c:2651 [inline]\n __sys_sendmmsg+0x3b2/0x740 net/socket.c:2737\n __do_sys_sendmmsg net/socket.c:2766 [inline]\n __se_sys_sendmmsg net/socket.c:2763 [inline]\n __x64_sys_sendmmsg+0xa0/0xb0 net/socket.c:2763\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f4ce4f7def9\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f4ce5d4a038 EFLAGS: 00000246 ORIG_RAX: 0000000000000133\nRAX: ffffffffffffffda RBX: 00007f4ce5135f80 RCX: 00007f4ce4f7def9\nRDX: 0000000000000001 RSI: 0000000020005d40 RDI: 0000000000000006\nRBP: 00007f4ce4ff0b76 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 00007f4ce5135f80 R15: 00007ffd4cbc6d68\n </TASK>", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:30:00.913Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/50067d8b3f48e4cd4c9e817d3e9a5b5ff3507ca7", }, { url: "https://git.kernel.org/stable/c/c0add6ed2cf1c4733cd489efc61faeccd3433b41", }, { url: "https://git.kernel.org/stable/c/531754952f5dfc4b141523088147071d6e6112c4", }, { url: "https://git.kernel.org/stable/c/38e3fd0c4a2616052eb3c8f4e6f32d1ff47cd663", }, { url: "https://git.kernel.org/stable/c/b40b027a0c0cc1cb9471a13f9730bb2fff12a15b", }, { url: "https://git.kernel.org/stable/c/4e3542f40f3a94efa59ea328e307c50601ed7065", }, { url: "https://git.kernel.org/stable/c/f839c5cd348201fec440d987cbca9b979bdb4fa7", }, { url: "https://git.kernel.org/stable/c/752e1924604254f1708f3e3700283a86ebdd325d", }, { url: "https://git.kernel.org/stable/c/92ceba94de6fb4cee2bf40b485979c342f44a492", }, ], title: "netfilter: nf_tables: prevent nf_skb_duplicated corruption", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49952", datePublished: "2024-10-21T18:02:07.718Z", dateReserved: "2024-10-21T12:17:06.047Z", dateUpdated: "2024-12-19T09:30:00.913Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50001
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-19 09:31
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: Fix error path in multi-packet WQE transmit
Remove the erroneous unmap in case no DMA mapping was established
The multi-packet WQE transmit code attempts to obtain a DMA mapping for
the skb. This could fail, e.g. under memory pressure, when the IOMMU
driver just can't allocate more memory for page tables. While the code
tries to handle this in the path below the err_unmap label it erroneously
unmaps one entry from the sq's FIFO list of active mappings. Since the
current map attempt failed this unmap is removing some random DMA mapping
that might still be required. If the PCI function now presents that IOVA,
the IOMMU may assumes a rogue DMA access and e.g. on s390 puts the PCI
function in error state.
The erroneous behavior was seen in a stress-test environment that created
memory pressure.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 5af75c747e2a868abbf8611494b50ed5e076fca7 Version: 5af75c747e2a868abbf8611494b50ed5e076fca7 Version: 5af75c747e2a868abbf8611494b50ed5e076fca7 Version: 5af75c747e2a868abbf8611494b50ed5e076fca7 Version: 5af75c747e2a868abbf8611494b50ed5e076fca7 Version: 5af75c747e2a868abbf8611494b50ed5e076fca7 Version: 5af75c747e2a868abbf8611494b50ed5e076fca7 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50001", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:29:57.852551Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:41.116Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/ethernet/mellanox/mlx5/core/en_tx.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "ca36d6c1a49b6965c86dd528a73f38bc62d9c625", status: "affected", version: "5af75c747e2a868abbf8611494b50ed5e076fca7", versionType: "git", }, { lessThan: "ce828b347cf1b3c1b12b091d02463c35ce5097f5", status: "affected", version: "5af75c747e2a868abbf8611494b50ed5e076fca7", versionType: "git", }, { lessThan: "fc357e78176945ca7bcacf92ab794b9ccd41b4f4", status: "affected", version: "5af75c747e2a868abbf8611494b50ed5e076fca7", versionType: "git", }, { lessThan: "26fad69b34fcba80d5c7d9e651f628e6ac927754", status: "affected", version: "5af75c747e2a868abbf8611494b50ed5e076fca7", versionType: "git", }, { lessThan: "ecf310aaf256acbc8182189fe0aa1021c3ddef72", status: "affected", version: "5af75c747e2a868abbf8611494b50ed5e076fca7", versionType: "git", }, { lessThan: "8bb8c12fb5e2b1f03d603d493c92941676f109b5", status: "affected", version: "5af75c747e2a868abbf8611494b50ed5e076fca7", versionType: "git", }, { lessThan: "2bcae12c795f32ddfbf8c80d1b5f1d3286341c32", status: "affected", version: "5af75c747e2a868abbf8611494b50ed5e076fca7", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/ethernet/mellanox/mlx5/core/en_tx.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.10", }, { lessThan: "5.10", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Fix error path in multi-packet WQE transmit\n\nRemove the erroneous unmap in case no DMA mapping was established\n\nThe multi-packet WQE transmit code attempts to obtain a DMA mapping for\nthe skb. This could fail, e.g. under memory pressure, when the IOMMU\ndriver just can't allocate more memory for page tables. While the code\ntries to handle this in the path below the err_unmap label it erroneously\nunmaps one entry from the sq's FIFO list of active mappings. Since the\ncurrent map attempt failed this unmap is removing some random DMA mapping\nthat might still be required. If the PCI function now presents that IOVA,\nthe IOMMU may assumes a rogue DMA access and e.g. on s390 puts the PCI\nfunction in error state.\n\nThe erroneous behavior was seen in a stress-test environment that created\nmemory pressure.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:31:02.695Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/ca36d6c1a49b6965c86dd528a73f38bc62d9c625", }, { url: "https://git.kernel.org/stable/c/ce828b347cf1b3c1b12b091d02463c35ce5097f5", }, { url: "https://git.kernel.org/stable/c/fc357e78176945ca7bcacf92ab794b9ccd41b4f4", }, { url: "https://git.kernel.org/stable/c/26fad69b34fcba80d5c7d9e651f628e6ac927754", }, { url: "https://git.kernel.org/stable/c/ecf310aaf256acbc8182189fe0aa1021c3ddef72", }, { url: "https://git.kernel.org/stable/c/8bb8c12fb5e2b1f03d603d493c92941676f109b5", }, { url: "https://git.kernel.org/stable/c/2bcae12c795f32ddfbf8c80d1b5f1d3286341c32", }, ], title: "net/mlx5: Fix error path in multi-packet WQE transmit", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50001", datePublished: "2024-10-21T18:02:40.254Z", dateReserved: "2024-10-21T12:17:06.058Z", dateUpdated: "2024-12-19T09:31:02.695Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50028
Vulnerability from cvelistv5
Published
2024-10-21 19:39
Modified
2024-12-19 09:31
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
thermal: core: Reference count the zone in thermal_zone_get_by_id()
There are places in the thermal netlink code where nothing prevents
the thermal zone object from going away while being accessed after it
has been returned by thermal_zone_get_by_id().
To address this, make thermal_zone_get_by_id() get a reference on the
thermal zone device object to be returned with the help of get_device(),
under thermal_list_lock, and adjust all of its callers to this change
with the help of the cleanup.h infrastructure.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50028", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:26:28.280587Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:46.203Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/thermal/thermal_core.c", "drivers/thermal/thermal_core.h", "drivers/thermal/thermal_netlink.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "c95538b286efc6109c987e97a051bc7844ede802", status: "affected", version: "1ce50e7d408ef2bdc8ca021363fd46d1b8bfad00", versionType: "git", }, { lessThan: "a42a5839f400e929c489bb1b58f54596c4535167", status: "affected", version: "1ce50e7d408ef2bdc8ca021363fd46d1b8bfad00", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/thermal/thermal_core.c", "drivers/thermal/thermal_core.h", "drivers/thermal/thermal_netlink.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.9", }, { lessThan: "5.9", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.4", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal: core: Reference count the zone in thermal_zone_get_by_id()\n\nThere are places in the thermal netlink code where nothing prevents\nthe thermal zone object from going away while being accessed after it\nhas been returned by thermal_zone_get_by_id().\n\nTo address this, make thermal_zone_get_by_id() get a reference on the\nthermal zone device object to be returned with the help of get_device(),\nunder thermal_list_lock, and adjust all of its callers to this change\nwith the help of the cleanup.h infrastructure.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:31:39.765Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/c95538b286efc6109c987e97a051bc7844ede802", }, { url: "https://git.kernel.org/stable/c/a42a5839f400e929c489bb1b58f54596c4535167", }, ], title: "thermal: core: Reference count the zone in thermal_zone_get_by_id()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50028", datePublished: "2024-10-21T19:39:31.809Z", dateReserved: "2024-10-21T12:17:06.066Z", dateUpdated: "2024-12-19T09:31:39.765Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49853
Vulnerability from cvelistv5
Published
2024-10-21 12:18
Modified
2024-12-19 09:27
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
firmware: arm_scmi: Fix double free in OPTEE transport
Channels can be shared between protocols, avoid freeing the same channel
descriptors twice when unloading the stack.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 5f90f189a052f6fc46048f6ce29a37b709548b81 Version: 5f90f189a052f6fc46048f6ce29a37b709548b81 Version: 5f90f189a052f6fc46048f6ce29a37b709548b81 Version: 5f90f189a052f6fc46048f6ce29a37b709548b81 Version: 5f90f189a052f6fc46048f6ce29a37b709548b81 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49853", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T12:56:39.770816Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:11.566Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/firmware/arm_scmi/optee.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "d7f4fc2bc101e666da649605a9ece2bd42529c7a", status: "affected", version: "5f90f189a052f6fc46048f6ce29a37b709548b81", versionType: "git", }, { lessThan: "6699567b0bbb378600a4dc0a1f929439a4e84a2c", status: "affected", version: "5f90f189a052f6fc46048f6ce29a37b709548b81", versionType: "git", }, { lessThan: "dc9543a4f2a5498a4a12d6d2427492a6f1a28056", status: "affected", version: "5f90f189a052f6fc46048f6ce29a37b709548b81", versionType: "git", }, { lessThan: "aef6ae124bb3cc12e34430fed91fbb7efd7a444d", status: "affected", version: "5f90f189a052f6fc46048f6ce29a37b709548b81", versionType: "git", }, { lessThan: "e98dba934b2fc587eafb83f47ad64d9053b18ae0", status: "affected", version: "5f90f189a052f6fc46048f6ce29a37b709548b81", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/firmware/arm_scmi/optee.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.18", }, { lessThan: "5.18", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: arm_scmi: Fix double free in OPTEE transport\n\nChannels can be shared between protocols, avoid freeing the same channel\ndescriptors twice when unloading the stack.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:27:35.475Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/d7f4fc2bc101e666da649605a9ece2bd42529c7a", }, { url: "https://git.kernel.org/stable/c/6699567b0bbb378600a4dc0a1f929439a4e84a2c", }, { url: "https://git.kernel.org/stable/c/dc9543a4f2a5498a4a12d6d2427492a6f1a28056", }, { url: "https://git.kernel.org/stable/c/aef6ae124bb3cc12e34430fed91fbb7efd7a444d", }, { url: "https://git.kernel.org/stable/c/e98dba934b2fc587eafb83f47ad64d9053b18ae0", }, ], title: "firmware: arm_scmi: Fix double free in OPTEE transport", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49853", datePublished: "2024-10-21T12:18:46.093Z", dateReserved: "2024-10-21T12:17:06.016Z", dateUpdated: "2024-12-19T09:27:35.475Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47740
Vulnerability from cvelistv5
Published
2024-10-21 12:14
Modified
2024-12-19 09:27
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: Require FMODE_WRITE for atomic write ioctls
The F2FS ioctls for starting and committing atomic writes check for
inode_owner_or_capable(), but this does not give LSMs like SELinux or
Landlock an opportunity to deny the write access - if the caller's FSUID
matches the inode's UID, inode_owner_or_capable() immediately returns true.
There are scenarios where LSMs want to deny a process the ability to write
particular files, even files that the FSUID of the process owns; but this
can currently partially be bypassed using atomic write ioctls in two ways:
- F2FS_IOC_START_ATOMIC_REPLACE + F2FS_IOC_COMMIT_ATOMIC_WRITE can
truncate an inode to size 0
- F2FS_IOC_START_ATOMIC_WRITE + F2FS_IOC_ABORT_ATOMIC_WRITE can revert
changes another process concurrently made to a file
Fix it by requiring FMODE_WRITE for these operations, just like for
F2FS_IOC_MOVE_RANGE. Since any legitimate caller should only be using these
ioctls when intending to write into the file, that seems unlikely to break
anything.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 88b88a66797159949cec32eaab12b4968f6fae2d Version: 88b88a66797159949cec32eaab12b4968f6fae2d Version: 88b88a66797159949cec32eaab12b4968f6fae2d Version: 88b88a66797159949cec32eaab12b4968f6fae2d Version: 88b88a66797159949cec32eaab12b4968f6fae2d Version: 88b88a66797159949cec32eaab12b4968f6fae2d Version: 88b88a66797159949cec32eaab12b4968f6fae2d Version: 88b88a66797159949cec32eaab12b4968f6fae2d Version: 88b88a66797159949cec32eaab12b4968f6fae2d |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47740", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T12:59:19.414286Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:14.597Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/f2fs/file.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "700f3a7c7fa5764c9f24bbf7c78e0b6e479fa653", status: "affected", version: "88b88a66797159949cec32eaab12b4968f6fae2d", versionType: "git", }, { lessThan: "4ce87674c3a6b4d3b3d45f85b584ab8618a3cece", status: "affected", version: "88b88a66797159949cec32eaab12b4968f6fae2d", versionType: "git", }, { lessThan: "000bab8753ae29a259feb339b99ee759795a48ac", status: "affected", version: "88b88a66797159949cec32eaab12b4968f6fae2d", versionType: "git", }, { lessThan: "88ff021e1fea2d9b40b2d5efd9013c89f7be04ac", status: "affected", version: "88b88a66797159949cec32eaab12b4968f6fae2d", versionType: "git", }, { lessThan: "32f348ecc149e9ca70a1c424ae8fa9b6919d2713", status: "affected", version: "88b88a66797159949cec32eaab12b4968f6fae2d", versionType: "git", }, { lessThan: "5e0de753bfe87768ebe6744d869caa92f35e5731", status: "affected", version: "88b88a66797159949cec32eaab12b4968f6fae2d", versionType: "git", }, { lessThan: "f3bfac2cabf5333506b263bc0c8497c95302f32d", status: "affected", version: "88b88a66797159949cec32eaab12b4968f6fae2d", versionType: "git", }, { lessThan: "4583290898c13c2c2e5eb8773886d153c2c5121d", status: "affected", version: "88b88a66797159949cec32eaab12b4968f6fae2d", versionType: "git", }, { lessThan: "4f5a100f87f32cb65d4bb1ad282a08c92f6f591e", status: "affected", version: "88b88a66797159949cec32eaab12b4968f6fae2d", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/f2fs/file.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "3.18", }, { lessThan: "3.18", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: Require FMODE_WRITE for atomic write ioctls\n\nThe F2FS ioctls for starting and committing atomic writes check for\ninode_owner_or_capable(), but this does not give LSMs like SELinux or\nLandlock an opportunity to deny the write access - if the caller's FSUID\nmatches the inode's UID, inode_owner_or_capable() immediately returns true.\n\nThere are scenarios where LSMs want to deny a process the ability to write\nparticular files, even files that the FSUID of the process owns; but this\ncan currently partially be bypassed using atomic write ioctls in two ways:\n\n - F2FS_IOC_START_ATOMIC_REPLACE + F2FS_IOC_COMMIT_ATOMIC_WRITE can\n truncate an inode to size 0\n - F2FS_IOC_START_ATOMIC_WRITE + F2FS_IOC_ABORT_ATOMIC_WRITE can revert\n changes another process concurrently made to a file\n\nFix it by requiring FMODE_WRITE for these operations, just like for\nF2FS_IOC_MOVE_RANGE. Since any legitimate caller should only be using these\nioctls when intending to write into the file, that seems unlikely to break\nanything.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:27:10.188Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/700f3a7c7fa5764c9f24bbf7c78e0b6e479fa653", }, { url: "https://git.kernel.org/stable/c/4ce87674c3a6b4d3b3d45f85b584ab8618a3cece", }, { url: "https://git.kernel.org/stable/c/000bab8753ae29a259feb339b99ee759795a48ac", }, { url: "https://git.kernel.org/stable/c/88ff021e1fea2d9b40b2d5efd9013c89f7be04ac", }, { url: "https://git.kernel.org/stable/c/32f348ecc149e9ca70a1c424ae8fa9b6919d2713", }, { url: "https://git.kernel.org/stable/c/5e0de753bfe87768ebe6744d869caa92f35e5731", }, { url: "https://git.kernel.org/stable/c/f3bfac2cabf5333506b263bc0c8497c95302f32d", }, { url: "https://git.kernel.org/stable/c/4583290898c13c2c2e5eb8773886d153c2c5121d", }, { url: "https://git.kernel.org/stable/c/4f5a100f87f32cb65d4bb1ad282a08c92f6f591e", }, ], title: "f2fs: Require FMODE_WRITE for atomic write ioctls", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47740", datePublished: "2024-10-21T12:14:09.171Z", dateReserved: "2024-09-30T16:00:12.959Z", dateUpdated: "2024-12-19T09:27:10.188Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48990
Vulnerability from cvelistv5
Published
2024-10-21 20:06
Modified
2024-12-19 08:12
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: fix use-after-free during gpu recovery
[Why]
[ 754.862560] refcount_t: underflow; use-after-free.
[ 754.862898] Call Trace:
[ 754.862903] <TASK>
[ 754.862913] amdgpu_job_free_cb+0xc2/0xe1 [amdgpu]
[ 754.863543] drm_sched_main.cold+0x34/0x39 [amd_sched]
[How]
The fw_fence may be not init, check whether dma_fence_init
is performed before job free
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48990", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:16:41.708497Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:42.361Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/amdgpu/amdgpu_job.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "d2a89cd942edd50c1e652004fd64019be78b0a96", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "3cb93f390453cde4d6afda1587aaa00e75e09617", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/amdgpu/amdgpu_job.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.13", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix use-after-free during gpu recovery\n\n[Why]\n [ 754.862560] refcount_t: underflow; use-after-free.\n [ 754.862898] Call Trace:\n [ 754.862903] <TASK>\n [ 754.862913] amdgpu_job_free_cb+0xc2/0xe1 [amdgpu]\n [ 754.863543] drm_sched_main.cold+0x34/0x39 [amd_sched]\n\n[How]\n The fw_fence may be not init, check whether dma_fence_init\n is performed before job free", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:12:01.407Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/d2a89cd942edd50c1e652004fd64019be78b0a96", }, { url: "https://git.kernel.org/stable/c/3cb93f390453cde4d6afda1587aaa00e75e09617", }, ], title: "drm/amdgpu: fix use-after-free during gpu recovery", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48990", datePublished: "2024-10-21T20:06:07.203Z", dateReserved: "2024-08-22T01:27:53.635Z", dateUpdated: "2024-12-19T08:12:01.407Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50063
Vulnerability from cvelistv5
Published
2024-10-21 19:39
Modified
2024-12-19 09:32
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Prevent tail call between progs attached to different hooks
bpf progs can be attached to kernel functions, and the attached functions
can take different parameters or return different return values. If
prog attached to one kernel function tail calls prog attached to another
kernel function, the ctx access or return value verification could be
bypassed.
For example, if prog1 is attached to func1 which takes only 1 parameter
and prog2 is attached to func2 which takes two parameters. Since verifier
assumes the bpf ctx passed to prog2 is constructed based on func2's
prototype, verifier allows prog2 to access the second parameter from
the bpf ctx passed to it. The problem is that verifier does not prevent
prog1 from passing its bpf ctx to prog2 via tail call. In this case,
the bpf ctx passed to prog2 is constructed from func1 instead of func2,
that is, the assumption for ctx access verification is bypassed.
Another example, if BPF LSM prog1 is attached to hook file_alloc_security,
and BPF LSM prog2 is attached to hook bpf_lsm_audit_rule_known. Verifier
knows the return value rules for these two hooks, e.g. it is legal for
bpf_lsm_audit_rule_known to return positive number 1, and it is illegal
for file_alloc_security to return positive number. So verifier allows
prog2 to return positive number 1, but does not allow prog1 to return
positive number. The problem is that verifier does not prevent prog1
from calling prog2 via tail call. In this case, prog2's return value 1
will be used as the return value for prog1's hook file_alloc_security.
That is, the return value rule is bypassed.
This patch adds restriction for tail call to prevent such bypasses.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50063", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:22:37.407385Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:41.892Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "include/linux/bpf.h", "kernel/bpf/core.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "5d5e3b4cbe8ee16b7bf96fd73a421c92a9da3ca1", status: "affected", version: "f1b9509c2fb0ef4db8d22dac9aef8e856a5d81f6", versionType: "git", }, { lessThan: "88c2a10e6c176c2860cd0659f4c0e9d20b3f64d1", status: "affected", version: "f1b9509c2fb0ef4db8d22dac9aef8e856a5d81f6", versionType: "git", }, { lessThan: "28ead3eaabc16ecc907cfb71876da028080f6356", status: "affected", version: "f1b9509c2fb0ef4db8d22dac9aef8e856a5d81f6", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "include/linux/bpf.h", "kernel/bpf/core.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.5", }, { lessThan: "5.5", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.57", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.4", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Prevent tail call between progs attached to different hooks\n\nbpf progs can be attached to kernel functions, and the attached functions\ncan take different parameters or return different return values. If\nprog attached to one kernel function tail calls prog attached to another\nkernel function, the ctx access or return value verification could be\nbypassed.\n\nFor example, if prog1 is attached to func1 which takes only 1 parameter\nand prog2 is attached to func2 which takes two parameters. Since verifier\nassumes the bpf ctx passed to prog2 is constructed based on func2's\nprototype, verifier allows prog2 to access the second parameter from\nthe bpf ctx passed to it. The problem is that verifier does not prevent\nprog1 from passing its bpf ctx to prog2 via tail call. In this case,\nthe bpf ctx passed to prog2 is constructed from func1 instead of func2,\nthat is, the assumption for ctx access verification is bypassed.\n\nAnother example, if BPF LSM prog1 is attached to hook file_alloc_security,\nand BPF LSM prog2 is attached to hook bpf_lsm_audit_rule_known. Verifier\nknows the return value rules for these two hooks, e.g. it is legal for\nbpf_lsm_audit_rule_known to return positive number 1, and it is illegal\nfor file_alloc_security to return positive number. So verifier allows\nprog2 to return positive number 1, but does not allow prog1 to return\npositive number. The problem is that verifier does not prevent prog1\nfrom calling prog2 via tail call. In this case, prog2's return value 1\nwill be used as the return value for prog1's hook file_alloc_security.\nThat is, the return value rule is bypassed.\n\nThis patch adds restriction for tail call to prevent such bypasses.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:32:16.780Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/5d5e3b4cbe8ee16b7bf96fd73a421c92a9da3ca1", }, { url: "https://git.kernel.org/stable/c/88c2a10e6c176c2860cd0659f4c0e9d20b3f64d1", }, { url: "https://git.kernel.org/stable/c/28ead3eaabc16ecc907cfb71876da028080f6356", }, ], title: "bpf: Prevent tail call between progs attached to different hooks", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50063", datePublished: "2024-10-21T19:39:51.718Z", dateReserved: "2024-10-21T19:36:19.939Z", dateUpdated: "2024-12-19T09:32:16.780Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49851
Vulnerability from cvelistv5
Published
2024-10-21 12:18
Modified
2024-12-19 09:27
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tpm: Clean up TPM space after command failure
tpm_dev_transmit prepares the TPM space before attempting command
transmission. However if the command fails no rollback of this
preparation is done. This can result in transient handles being leaked
if the device is subsequently closed with no further commands performed.
Fix this by flushing the space in the event of command transmission
failure.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 745b361e989af21ad40811c2586b60229f870a68 Version: 745b361e989af21ad40811c2586b60229f870a68 Version: 745b361e989af21ad40811c2586b60229f870a68 Version: 745b361e989af21ad40811c2586b60229f870a68 Version: 745b361e989af21ad40811c2586b60229f870a68 Version: 745b361e989af21ad40811c2586b60229f870a68 Version: 745b361e989af21ad40811c2586b60229f870a68 Version: 745b361e989af21ad40811c2586b60229f870a68 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49851", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T12:56:54.610460Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:11.872Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/char/tpm/tpm-dev-common.c", "drivers/char/tpm/tpm2-space.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "87e8134c18977b566f4ec248c8a147244da69402", status: "affected", version: "745b361e989af21ad40811c2586b60229f870a68", versionType: "git", }, { lessThan: "2c9b228938e9266a1065a3f4fe5c99b7235dc439", status: "affected", version: "745b361e989af21ad40811c2586b60229f870a68", versionType: "git", }, { lessThan: "ebc4e1f4492d114f9693950621b3ea42b2f82bec", status: "affected", version: "745b361e989af21ad40811c2586b60229f870a68", versionType: "git", }, { lessThan: "c84ceb546f30432fccea4891163f7050f5bee5dd", status: "affected", version: "745b361e989af21ad40811c2586b60229f870a68", versionType: "git", }, { lessThan: "82478cb8a23bd4f97935bbe60d64528c6d9918b4", status: "affected", version: "745b361e989af21ad40811c2586b60229f870a68", versionType: "git", }, { lessThan: "adf4ce162561222338cf2c9a2caa294527f7f721", status: "affected", version: "745b361e989af21ad40811c2586b60229f870a68", versionType: "git", }, { lessThan: "3f9f72d843c92fb6f4ff7460d774413cde7f254c", status: "affected", version: "745b361e989af21ad40811c2586b60229f870a68", versionType: "git", }, { lessThan: "e3aaebcbb7c6b403416f442d1de70d437ce313a7", status: "affected", version: "745b361e989af21ad40811c2586b60229f870a68", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/char/tpm/tpm-dev-common.c", "drivers/char/tpm/tpm2-space.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "4.12", }, { lessThan: "4.12", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ntpm: Clean up TPM space after command failure\n\ntpm_dev_transmit prepares the TPM space before attempting command\ntransmission. However if the command fails no rollback of this\npreparation is done. This can result in transient handles being leaked\nif the device is subsequently closed with no further commands performed.\n\nFix this by flushing the space in the event of command transmission\nfailure.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:27:32.938Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/87e8134c18977b566f4ec248c8a147244da69402", }, { url: "https://git.kernel.org/stable/c/2c9b228938e9266a1065a3f4fe5c99b7235dc439", }, { url: "https://git.kernel.org/stable/c/ebc4e1f4492d114f9693950621b3ea42b2f82bec", }, { url: "https://git.kernel.org/stable/c/c84ceb546f30432fccea4891163f7050f5bee5dd", }, { url: "https://git.kernel.org/stable/c/82478cb8a23bd4f97935bbe60d64528c6d9918b4", }, { url: "https://git.kernel.org/stable/c/adf4ce162561222338cf2c9a2caa294527f7f721", }, { url: "https://git.kernel.org/stable/c/3f9f72d843c92fb6f4ff7460d774413cde7f254c", }, { url: "https://git.kernel.org/stable/c/e3aaebcbb7c6b403416f442d1de70d437ce313a7", }, ], title: "tpm: Clean up TPM space after command failure", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49851", datePublished: "2024-10-21T12:18:44.742Z", dateReserved: "2024-10-21T12:17:06.015Z", dateUpdated: "2024-12-19T09:27:32.938Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49964
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-19 09:30
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/hugetlb: fix memfd_pin_folios free_huge_pages leak
memfd_pin_folios followed by unpin_folios fails to restore free_huge_pages
if the pages were not already faulted in, because the folio refcount for
pages created by memfd_alloc_folio never goes to 0. memfd_pin_folios
needs another folio_put to undo the folio_try_get below:
memfd_alloc_folio()
alloc_hugetlb_folio_nodemask()
dequeue_hugetlb_folio_nodemask()
dequeue_hugetlb_folio_node_exact()
folio_ref_unfreeze(folio, 1); ; adds 1 refcount
folio_try_get() ; adds 1 refcount
hugetlb_add_to_page_cache() ; adds 512 refcount (on x86)
With the fix, after memfd_pin_folios + unpin_folios, the refcount for the
(unfaulted) page is 512, which is correct, as the refcount for a faulted
unpinned page is 513.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49964", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:34:43.848599Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:47.238Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "mm/gup.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "59e081ff2e91bbf19b8c1ecb75b031f778858383", status: "affected", version: "89c1905d9c140372b7f50ef48f42378cf85d9bc5", versionType: "git", }, { lessThan: "c56b6f3d801d7ec8965993342bdd9e2972b6cb8e", status: "affected", version: "89c1905d9c140372b7f50ef48f42378cf85d9bc5", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "mm/gup.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.11", }, { lessThan: "6.11", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: fix memfd_pin_folios free_huge_pages leak\n\nmemfd_pin_folios followed by unpin_folios fails to restore free_huge_pages\nif the pages were not already faulted in, because the folio refcount for\npages created by memfd_alloc_folio never goes to 0. memfd_pin_folios\nneeds another folio_put to undo the folio_try_get below:\n\nmemfd_alloc_folio()\n alloc_hugetlb_folio_nodemask()\n dequeue_hugetlb_folio_nodemask()\n dequeue_hugetlb_folio_node_exact()\n folio_ref_unfreeze(folio, 1); ; adds 1 refcount\n folio_try_get() ; adds 1 refcount\n hugetlb_add_to_page_cache() ; adds 512 refcount (on x86)\n\nWith the fix, after memfd_pin_folios + unpin_folios, the refcount for the\n(unfaulted) page is 512, which is correct, as the refcount for a faulted\nunpinned page is 513.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:30:17.408Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/59e081ff2e91bbf19b8c1ecb75b031f778858383", }, { url: "https://git.kernel.org/stable/c/c56b6f3d801d7ec8965993342bdd9e2972b6cb8e", }, ], title: "mm/hugetlb: fix memfd_pin_folios free_huge_pages leak", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49964", datePublished: "2024-10-21T18:02:15.755Z", dateReserved: "2024-10-21T12:17:06.050Z", dateUpdated: "2024-12-19T09:30:17.408Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49967
Vulnerability from cvelistv5
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Show details on NVD website{ containers: { cna: { providerMetadata: { dateUpdated: "2025-01-07T08:46:31.368Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, rejectedReasons: [ { lang: "en", value: "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", }, ], }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49967", datePublished: "2024-10-21T18:02:17.714Z", dateRejected: "2025-01-07T08:46:31.368Z", dateReserved: "2024-10-21T12:17:06.050Z", dateUpdated: "2025-01-07T08:46:31.368Z", state: "REJECTED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49959
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-19 09:30
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
jbd2: stop waiting for space when jbd2_cleanup_journal_tail() returns error
In __jbd2_log_wait_for_space(), we might call jbd2_cleanup_journal_tail()
to recover some journal space. But if an error occurs while executing
jbd2_cleanup_journal_tail() (e.g., an EIO), we don't stop waiting for free
space right away, we try other branches, and if j_committing_transaction
is NULL (i.e., the tid is 0), we will get the following complain:
============================================
JBD2: I/O error when updating journal superblock for sdd-8.
__jbd2_log_wait_for_space: needed 256 blocks and only had 217 space available
__jbd2_log_wait_for_space: no way to get more journal space in sdd-8
------------[ cut here ]------------
WARNING: CPU: 2 PID: 139804 at fs/jbd2/checkpoint.c:109 __jbd2_log_wait_for_space+0x251/0x2e0
Modules linked in:
CPU: 2 PID: 139804 Comm: kworker/u8:3 Not tainted 6.6.0+ #1
RIP: 0010:__jbd2_log_wait_for_space+0x251/0x2e0
Call Trace:
<TASK>
add_transaction_credits+0x5d1/0x5e0
start_this_handle+0x1ef/0x6a0
jbd2__journal_start+0x18b/0x340
ext4_dirty_inode+0x5d/0xb0
__mark_inode_dirty+0xe4/0x5d0
generic_update_time+0x60/0x70
[...]
============================================
So only if jbd2_cleanup_journal_tail() returns 1, i.e., there is nothing to
clean up at the moment, continue to try to reclaim free space in other ways.
Note that this fix relies on commit 6f6a6fda2945 ("jbd2: fix ocfs2 corrupt
when updating journal superblock fails") to make jbd2_cleanup_journal_tail
return the correct error code.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 8c3f25d8950c3e9fe6c9849f88679b3f2a071550 Version: 8c3f25d8950c3e9fe6c9849f88679b3f2a071550 Version: 8c3f25d8950c3e9fe6c9849f88679b3f2a071550 Version: 8c3f25d8950c3e9fe6c9849f88679b3f2a071550 Version: 8c3f25d8950c3e9fe6c9849f88679b3f2a071550 Version: 8c3f25d8950c3e9fe6c9849f88679b3f2a071550 Version: 8c3f25d8950c3e9fe6c9849f88679b3f2a071550 Version: 8c3f25d8950c3e9fe6c9849f88679b3f2a071550 Version: 8c3f25d8950c3e9fe6c9849f88679b3f2a071550 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49959", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:35:21.788104Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:47.931Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/jbd2/checkpoint.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "801a35dfef6996f3d5eaa96a59caf00440d9165e", status: "affected", version: "8c3f25d8950c3e9fe6c9849f88679b3f2a071550", versionType: "git", }, { lessThan: "d5dc65370a746750dbb2f03eabcf86b18db65f32", status: "affected", version: "8c3f25d8950c3e9fe6c9849f88679b3f2a071550", versionType: "git", }, { lessThan: "481e8f18a290e39e04ddb7feb2bb2a2cc3b213ed", status: "affected", version: "8c3f25d8950c3e9fe6c9849f88679b3f2a071550", versionType: "git", }, { lessThan: "ec7f8337c98ad281020ad1f11ba492462d80737a", status: "affected", version: "8c3f25d8950c3e9fe6c9849f88679b3f2a071550", versionType: "git", }, { lessThan: "70bae48377a2c4296fd3caf4caf8f11079111019", status: "affected", version: "8c3f25d8950c3e9fe6c9849f88679b3f2a071550", versionType: "git", }, { lessThan: "1c62dc0d82c62f0dc8fcdc4843208e522acccaf5", status: "affected", version: "8c3f25d8950c3e9fe6c9849f88679b3f2a071550", versionType: "git", }, { lessThan: "3ced0fe6c0eff032733ea8b38778b34707270138", status: "affected", version: "8c3f25d8950c3e9fe6c9849f88679b3f2a071550", versionType: "git", }, { lessThan: "c6bf043b210eac67d35a114e345c4e5585672913", status: "affected", version: "8c3f25d8950c3e9fe6c9849f88679b3f2a071550", versionType: "git", }, { lessThan: "f5cacdc6f2bb2a9bf214469dd7112b43dd2dd68a", status: "affected", version: "8c3f25d8950c3e9fe6c9849f88679b3f2a071550", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/jbd2/checkpoint.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "2.6.28", }, { lessThan: "2.6.28", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\njbd2: stop waiting for space when jbd2_cleanup_journal_tail() returns error\n\nIn __jbd2_log_wait_for_space(), we might call jbd2_cleanup_journal_tail()\nto recover some journal space. But if an error occurs while executing\njbd2_cleanup_journal_tail() (e.g., an EIO), we don't stop waiting for free\nspace right away, we try other branches, and if j_committing_transaction\nis NULL (i.e., the tid is 0), we will get the following complain:\n\n============================================\nJBD2: I/O error when updating journal superblock for sdd-8.\n__jbd2_log_wait_for_space: needed 256 blocks and only had 217 space available\n__jbd2_log_wait_for_space: no way to get more journal space in sdd-8\n------------[ cut here ]------------\nWARNING: CPU: 2 PID: 139804 at fs/jbd2/checkpoint.c:109 __jbd2_log_wait_for_space+0x251/0x2e0\nModules linked in:\nCPU: 2 PID: 139804 Comm: kworker/u8:3 Not tainted 6.6.0+ #1\nRIP: 0010:__jbd2_log_wait_for_space+0x251/0x2e0\nCall Trace:\n <TASK>\n add_transaction_credits+0x5d1/0x5e0\n start_this_handle+0x1ef/0x6a0\n jbd2__journal_start+0x18b/0x340\n ext4_dirty_inode+0x5d/0xb0\n __mark_inode_dirty+0xe4/0x5d0\n generic_update_time+0x60/0x70\n[...]\n============================================\n\nSo only if jbd2_cleanup_journal_tail() returns 1, i.e., there is nothing to\nclean up at the moment, continue to try to reclaim free space in other ways.\n\nNote that this fix relies on commit 6f6a6fda2945 (\"jbd2: fix ocfs2 corrupt\nwhen updating journal superblock fails\") to make jbd2_cleanup_journal_tail\nreturn the correct error code.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:30:11.072Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/801a35dfef6996f3d5eaa96a59caf00440d9165e", }, { url: "https://git.kernel.org/stable/c/d5dc65370a746750dbb2f03eabcf86b18db65f32", }, { url: "https://git.kernel.org/stable/c/481e8f18a290e39e04ddb7feb2bb2a2cc3b213ed", }, { url: "https://git.kernel.org/stable/c/ec7f8337c98ad281020ad1f11ba492462d80737a", }, { url: "https://git.kernel.org/stable/c/70bae48377a2c4296fd3caf4caf8f11079111019", }, { url: "https://git.kernel.org/stable/c/1c62dc0d82c62f0dc8fcdc4843208e522acccaf5", }, { url: "https://git.kernel.org/stable/c/3ced0fe6c0eff032733ea8b38778b34707270138", }, { url: "https://git.kernel.org/stable/c/c6bf043b210eac67d35a114e345c4e5585672913", }, { url: "https://git.kernel.org/stable/c/f5cacdc6f2bb2a9bf214469dd7112b43dd2dd68a", }, ], title: "jbd2: stop waiting for space when jbd2_cleanup_journal_tail() returns error", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49959", datePublished: "2024-10-21T18:02:12.355Z", dateReserved: "2024-10-21T12:17:06.049Z", dateUpdated: "2024-12-19T09:30:11.072Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50015
Vulnerability from cvelistv5
Published
2024-10-21 18:54
Modified
2024-12-19 09:31
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: dax: fix overflowing extents beyond inode size when partially writing
The dax_iomap_rw() does two things in each iteration: map written blocks
and copy user data to blocks. If the process is killed by user(See signal
handling in dax_iomap_iter()), the copied data will be returned and added
on inode size, which means that the length of written extents may exceed
the inode size, then fsck will fail. An example is given as:
dd if=/dev/urandom of=file bs=4M count=1
dax_iomap_rw
iomap_iter // round 1
ext4_iomap_begin
ext4_iomap_alloc // allocate 0~2M extents(written flag)
dax_iomap_iter // copy 2M data
iomap_iter // round 2
iomap_iter_advance
iter->pos += iter->processed // iter->pos = 2M
ext4_iomap_begin
ext4_iomap_alloc // allocate 2~4M extents(written flag)
dax_iomap_iter
fatal_signal_pending
done = iter->pos - iocb->ki_pos // done = 2M
ext4_handle_inode_extension
ext4_update_inode_size // inode size = 2M
fsck reports: Inode 13, i_size is 2097152, should be 4194304. Fix?
Fix the problem by truncating extents if the written length is smaller
than expected.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 776722e85d3b0936253ecc3d14db4fba37f191ba Version: 776722e85d3b0936253ecc3d14db4fba37f191ba Version: 776722e85d3b0936253ecc3d14db4fba37f191ba Version: 776722e85d3b0936253ecc3d14db4fba37f191ba Version: 776722e85d3b0936253ecc3d14db4fba37f191ba Version: 776722e85d3b0936253ecc3d14db4fba37f191ba Version: 776722e85d3b0936253ecc3d14db4fba37f191ba |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50015", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:28:08.580885Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:48.148Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/ext4/file.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "f8a7c342326f6ad1dfdb30a18dd013c70f5e9669", status: "affected", version: "776722e85d3b0936253ecc3d14db4fba37f191ba", versionType: "git", }, { lessThan: "8c30a9a8610c314554997f86370140746aa35661", status: "affected", version: "776722e85d3b0936253ecc3d14db4fba37f191ba", versionType: "git", }, { lessThan: "abfaa876b948baaea4d14f21a1963789845c8b4c", status: "affected", version: "776722e85d3b0936253ecc3d14db4fba37f191ba", versionType: "git", }, { lessThan: "5efccdee4a7d507a483f20f880b809cc4eaef14d", status: "affected", version: "776722e85d3b0936253ecc3d14db4fba37f191ba", versionType: "git", }, { lessThan: "a9f331f51515bdb3ebc8d0963131af367ef468f6", status: "affected", version: "776722e85d3b0936253ecc3d14db4fba37f191ba", versionType: "git", }, { lessThan: "ec0dd451e236c46e4858d53e9e82bae7797a7af5", status: "affected", version: "776722e85d3b0936253ecc3d14db4fba37f191ba", versionType: "git", }, { lessThan: "dda898d7ffe85931f9cca6d702a51f33717c501e", status: "affected", version: "776722e85d3b0936253ecc3d14db4fba37f191ba", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/ext4/file.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "4.10", }, { lessThan: "4.10", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\next4: dax: fix overflowing extents beyond inode size when partially writing\n\nThe dax_iomap_rw() does two things in each iteration: map written blocks\nand copy user data to blocks. If the process is killed by user(See signal\nhandling in dax_iomap_iter()), the copied data will be returned and added\non inode size, which means that the length of written extents may exceed\nthe inode size, then fsck will fail. An example is given as:\n\ndd if=/dev/urandom of=file bs=4M count=1\n dax_iomap_rw\n iomap_iter // round 1\n ext4_iomap_begin\n ext4_iomap_alloc // allocate 0~2M extents(written flag)\n dax_iomap_iter // copy 2M data\n iomap_iter // round 2\n iomap_iter_advance\n iter->pos += iter->processed // iter->pos = 2M\n ext4_iomap_begin\n ext4_iomap_alloc // allocate 2~4M extents(written flag)\n dax_iomap_iter\n fatal_signal_pending\n done = iter->pos - iocb->ki_pos // done = 2M\n ext4_handle_inode_extension\n ext4_update_inode_size // inode size = 2M\n\nfsck reports: Inode 13, i_size is 2097152, should be 4194304. Fix?\n\nFix the problem by truncating extents if the written length is smaller\nthan expected.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:31:19.991Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/f8a7c342326f6ad1dfdb30a18dd013c70f5e9669", }, { url: "https://git.kernel.org/stable/c/8c30a9a8610c314554997f86370140746aa35661", }, { url: "https://git.kernel.org/stable/c/abfaa876b948baaea4d14f21a1963789845c8b4c", }, { url: "https://git.kernel.org/stable/c/5efccdee4a7d507a483f20f880b809cc4eaef14d", }, { url: "https://git.kernel.org/stable/c/a9f331f51515bdb3ebc8d0963131af367ef468f6", }, { url: "https://git.kernel.org/stable/c/ec0dd451e236c46e4858d53e9e82bae7797a7af5", }, { url: "https://git.kernel.org/stable/c/dda898d7ffe85931f9cca6d702a51f33717c501e", }, ], title: "ext4: dax: fix overflowing extents beyond inode size when partially writing", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50015", datePublished: "2024-10-21T18:54:06.465Z", dateReserved: "2024-10-21T12:17:06.062Z", dateUpdated: "2024-12-19T09:31:19.991Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47715
Vulnerability from cvelistv5
Published
2024-10-21 11:53
Modified
2024-12-19 09:26
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mt76: mt7915: fix oops on non-dbdc mt7986
mt7915_band_config() sets band_idx = 1 on the main phy for mt7986
with MT7975_ONE_ADIE or MT7976_ONE_ADIE.
Commit 0335c034e726 ("wifi: mt76: fix race condition related to
checking tx queue fill status") introduced a dereference of the
phys array indirectly indexed by band_idx via wcid->phy_idx in
mt76_wcid_cleanup(). This caused the following Oops on affected
mt7986 devices:
Unable to handle kernel read from unreadable memory at virtual address 0000000000000024
Mem abort info:
ESR = 0x0000000096000005
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x05: level 1 translation fault
Data abort info:
ISV = 0, ISS = 0x00000005
CM = 0, WnR = 0
user pgtable: 4k pages, 39-bit VAs, pgdp=0000000042545000
[0000000000000024] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000
Internal error: Oops: 0000000096000005 [#1] SMP
Modules linked in: ... mt7915e mt76_connac_lib mt76 mac80211 cfg80211 ...
CPU: 2 PID: 1631 Comm: hostapd Not tainted 5.15.150 #0
Hardware name: ZyXEL EX5700 (Telenor) (DT)
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : mt76_wcid_cleanup+0x84/0x22c [mt76]
lr : mt76_wcid_cleanup+0x64/0x22c [mt76]
sp : ffffffc00a803700
x29: ffffffc00a803700 x28: ffffff80008f7300 x27: ffffff80003f3c00
x26: ffffff80000a7880 x25: ffffffc008c26e00 x24: 0000000000000001
x23: ffffffc000a68114 x22: 0000000000000000 x21: ffffff8004172cc8
x20: ffffffc00a803748 x19: ffffff8004152020 x18: 0000000000000000
x17: 00000000000017c0 x16: ffffffc008ef5000 x15: 0000000000000be0
x14: ffffff8004172e28 x13: ffffff8004172e28 x12: 0000000000000000
x11: 0000000000000000 x10: ffffff8004172e30 x9 : ffffff8004172e28
x8 : 0000000000000000 x7 : ffffff8004156020 x6 : 0000000000000000
x5 : 0000000000000031 x4 : 0000000000000000 x3 : 0000000000000001
x2 : 0000000000000000 x1 : ffffff80008f7300 x0 : 0000000000000024
Call trace:
mt76_wcid_cleanup+0x84/0x22c [mt76]
__mt76_sta_remove+0x70/0xbc [mt76]
mt76_sta_state+0x8c/0x1a4 [mt76]
mt7915_eeprom_get_power_delta+0x11e4/0x23a0 [mt7915e]
drv_sta_state+0x144/0x274 [mac80211]
sta_info_move_state+0x1cc/0x2a4 [mac80211]
sta_set_sinfo+0xaf8/0xc24 [mac80211]
sta_info_destroy_addr_bss+0x4c/0x6c [mac80211]
ieee80211_color_change_finish+0x1c08/0x1e70 [mac80211]
cfg80211_check_station_change+0x1360/0x4710 [cfg80211]
genl_family_rcv_msg_doit+0xb4/0x110
genl_rcv_msg+0xd0/0x1bc
netlink_rcv_skb+0x58/0x120
genl_rcv+0x34/0x50
netlink_unicast+0x1f0/0x2ec
netlink_sendmsg+0x198/0x3d0
____sys_sendmsg+0x1b0/0x210
___sys_sendmsg+0x80/0xf0
__sys_sendmsg+0x44/0xa0
__arm64_sys_sendmsg+0x20/0x30
invoke_syscall.constprop.0+0x4c/0xe0
do_el0_svc+0x40/0xd0
el0_svc+0x14/0x4c
el0t_64_sync_handler+0x100/0x110
el0t_64_sync+0x15c/0x160
Code: d2800002 910092c0 52800023 f9800011 (885f7c01)
---[ end trace 7e42dd9a39ed2281 ]---
Fix by using mt76_dev_phy() which will map band_idx to the correct phy
for all hardware combinations.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47715", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:02:44.864133Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:18.425Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/wireless/mediatek/mt76/mac80211.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "818dd118f4a997f8b4fe9c010b22402d410a2424", status: "affected", version: "d2defcddfe90b3be0cfccc2482495ab1fb759586", versionType: "git", }, { lessThan: "7c128f3ff0be5802aef66f332e4bba6afe98735e", status: "affected", version: "0335c034e7265d36d956e806f33202c94a8a9860", versionType: "git", }, { lessThan: "a94d2bd111b39f0c2c7fcbfbf8276ab98c3b8353", status: "affected", version: "0335c034e7265d36d956e806f33202c94a8a9860", versionType: "git", }, { lessThan: "862bf7cbd772c2bad570ef0c5b5556a1330656dd", status: "affected", version: "0335c034e7265d36d956e806f33202c94a8a9860", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/wireless/mediatek/mt76/mac80211.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.7", }, { lessThan: "6.7", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7915: fix oops on non-dbdc mt7986\n\nmt7915_band_config() sets band_idx = 1 on the main phy for mt7986\nwith MT7975_ONE_ADIE or MT7976_ONE_ADIE.\n\nCommit 0335c034e726 (\"wifi: mt76: fix race condition related to\nchecking tx queue fill status\") introduced a dereference of the\nphys array indirectly indexed by band_idx via wcid->phy_idx in\nmt76_wcid_cleanup(). This caused the following Oops on affected\nmt7986 devices:\n\n Unable to handle kernel read from unreadable memory at virtual address 0000000000000024\n Mem abort info:\n ESR = 0x0000000096000005\n EC = 0x25: DABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x05: level 1 translation fault\n Data abort info:\n ISV = 0, ISS = 0x00000005\n CM = 0, WnR = 0\n user pgtable: 4k pages, 39-bit VAs, pgdp=0000000042545000\n [0000000000000024] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000\n Internal error: Oops: 0000000096000005 [#1] SMP\n Modules linked in: ... mt7915e mt76_connac_lib mt76 mac80211 cfg80211 ...\n CPU: 2 PID: 1631 Comm: hostapd Not tainted 5.15.150 #0\n Hardware name: ZyXEL EX5700 (Telenor) (DT)\n pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : mt76_wcid_cleanup+0x84/0x22c [mt76]\n lr : mt76_wcid_cleanup+0x64/0x22c [mt76]\n sp : ffffffc00a803700\n x29: ffffffc00a803700 x28: ffffff80008f7300 x27: ffffff80003f3c00\n x26: ffffff80000a7880 x25: ffffffc008c26e00 x24: 0000000000000001\n x23: ffffffc000a68114 x22: 0000000000000000 x21: ffffff8004172cc8\n x20: ffffffc00a803748 x19: ffffff8004152020 x18: 0000000000000000\n x17: 00000000000017c0 x16: ffffffc008ef5000 x15: 0000000000000be0\n x14: ffffff8004172e28 x13: ffffff8004172e28 x12: 0000000000000000\n x11: 0000000000000000 x10: ffffff8004172e30 x9 : ffffff8004172e28\n x8 : 0000000000000000 x7 : ffffff8004156020 x6 : 0000000000000000\n x5 : 0000000000000031 x4 : 0000000000000000 x3 : 0000000000000001\n x2 : 0000000000000000 x1 : ffffff80008f7300 x0 : 0000000000000024\n Call trace:\n mt76_wcid_cleanup+0x84/0x22c [mt76]\n __mt76_sta_remove+0x70/0xbc [mt76]\n mt76_sta_state+0x8c/0x1a4 [mt76]\n mt7915_eeprom_get_power_delta+0x11e4/0x23a0 [mt7915e]\n drv_sta_state+0x144/0x274 [mac80211]\n sta_info_move_state+0x1cc/0x2a4 [mac80211]\n sta_set_sinfo+0xaf8/0xc24 [mac80211]\n sta_info_destroy_addr_bss+0x4c/0x6c [mac80211]\n\n ieee80211_color_change_finish+0x1c08/0x1e70 [mac80211]\n cfg80211_check_station_change+0x1360/0x4710 [cfg80211]\n genl_family_rcv_msg_doit+0xb4/0x110\n genl_rcv_msg+0xd0/0x1bc\n netlink_rcv_skb+0x58/0x120\n genl_rcv+0x34/0x50\n netlink_unicast+0x1f0/0x2ec\n netlink_sendmsg+0x198/0x3d0\n ____sys_sendmsg+0x1b0/0x210\n ___sys_sendmsg+0x80/0xf0\n __sys_sendmsg+0x44/0xa0\n __arm64_sys_sendmsg+0x20/0x30\n invoke_syscall.constprop.0+0x4c/0xe0\n do_el0_svc+0x40/0xd0\n el0_svc+0x14/0x4c\n el0t_64_sync_handler+0x100/0x110\n el0t_64_sync+0x15c/0x160\n Code: d2800002 910092c0 52800023 f9800011 (885f7c01)\n ---[ end trace 7e42dd9a39ed2281 ]---\n\nFix by using mt76_dev_phy() which will map band_idx to the correct phy\nfor all hardware combinations.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:26:40.648Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/818dd118f4a997f8b4fe9c010b22402d410a2424", }, { url: "https://git.kernel.org/stable/c/7c128f3ff0be5802aef66f332e4bba6afe98735e", }, { url: "https://git.kernel.org/stable/c/a94d2bd111b39f0c2c7fcbfbf8276ab98c3b8353", }, { url: "https://git.kernel.org/stable/c/862bf7cbd772c2bad570ef0c5b5556a1330656dd", }, ], title: "wifi: mt76: mt7915: fix oops on non-dbdc mt7986", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47715", datePublished: "2024-10-21T11:53:46.772Z", dateReserved: "2024-09-30T16:00:12.949Z", dateUpdated: "2024-12-19T09:26:40.648Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48952
Vulnerability from cvelistv5
Published
2024-10-21 20:05
Modified
2024-12-19 08:11
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
PCI: mt7621: Add sentinel to quirks table
Current driver is missing a sentinel in the struct soc_device_attribute
array, which causes an oops when assessed by the
soc_device_match(mt7621_pcie_quirks_match) call.
This was only exposed once the CONFIG_SOC_MT7621 mt7621 soc_dev_attr
was fixed to register the SOC as a device, in:
commit 7c18b64bba3b ("mips: ralink: mt7621: do not use kzalloc too early")
Fix it by adding the required sentinel.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48952", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:21:30.198741Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:40.502Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/pci/controller/pcie-mt7621.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "3e9c395ef2d52975b2c2894d2da09d6db2958bc6", status: "affected", version: "b483b4e4d3f6bfd5089b9e6dc9ba259879c6ce6f", versionType: "git", }, { lessThan: "cb7323ece786f243f6d6ccf2e5b2b27b736bdc04", status: "affected", version: "b483b4e4d3f6bfd5089b9e6dc9ba259879c6ce6f", versionType: "git", }, { lessThan: "a4997bae1b5b012c8a6e2643e26578a7bc2cae36", status: "affected", version: "b483b4e4d3f6bfd5089b9e6dc9ba259879c6ce6f", versionType: "git", }, { lessThan: "19098934f910b4d47cb30251dd39ffa57bef9523", status: "affected", version: "b483b4e4d3f6bfd5089b9e6dc9ba259879c6ce6f", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/pci/controller/pcie-mt7621.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.5", }, { lessThan: "5.5", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.86", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.15", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.1", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.2", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: mt7621: Add sentinel to quirks table\n\nCurrent driver is missing a sentinel in the struct soc_device_attribute\narray, which causes an oops when assessed by the\nsoc_device_match(mt7621_pcie_quirks_match) call.\n\nThis was only exposed once the CONFIG_SOC_MT7621 mt7621 soc_dev_attr\nwas fixed to register the SOC as a device, in:\n\ncommit 7c18b64bba3b (\"mips: ralink: mt7621: do not use kzalloc too early\")\n\nFix it by adding the required sentinel.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:11:09.353Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/3e9c395ef2d52975b2c2894d2da09d6db2958bc6", }, { url: "https://git.kernel.org/stable/c/cb7323ece786f243f6d6ccf2e5b2b27b736bdc04", }, { url: "https://git.kernel.org/stable/c/a4997bae1b5b012c8a6e2643e26578a7bc2cae36", }, { url: "https://git.kernel.org/stable/c/19098934f910b4d47cb30251dd39ffa57bef9523", }, ], title: "PCI: mt7621: Add sentinel to quirks table", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48952", datePublished: "2024-10-21T20:05:39.755Z", dateReserved: "2024-08-22T01:27:53.626Z", dateUpdated: "2024-12-19T08:11:09.353Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49939
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:29
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtw89: avoid to add interface to list twice when SER
If SER L2 occurs during the WoWLAN resume flow, the add interface flow
is triggered by ieee80211_reconfig(). However, due to
rtw89_wow_resume() return failure, it will cause the add interface flow
to be executed again, resulting in a double add list and causing a kernel
panic. Therefore, we have added a check to prevent double adding of the
list.
list_add double add: new=ffff99d6992e2010, prev=ffff99d6992e2010, next=ffff99d695302628.
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:37!
invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
CPU: 0 PID: 9 Comm: kworker/0:1 Tainted: G W O 6.6.30-02659-gc18865c4dfbd #1 770df2933251a0e3c888ba69d1053a817a6376a7
Hardware name: HP Grunt/Grunt, BIOS Google_Grunt.11031.169.0 06/24/2021
Workqueue: events_freezable ieee80211_restart_work [mac80211]
RIP: 0010:__list_add_valid_or_report+0x5e/0xb0
Code: c7 74 18 48 39 ce 74 13 b0 01 59 5a 5e 5f 41 58 41 59 41 5a 5d e9 e2 d6 03 00 cc 48 c7 c7 8d 4f 17 83 48 89 c2 e8 02 c0 00 00 <0f> 0b 48 c7 c7 aa 8c 1c 83 e8 f4 bf 00 00 0f 0b 48 c7 c7 c8 bc 12
RSP: 0018:ffffa91b8007bc50 EFLAGS: 00010246
RAX: 0000000000000058 RBX: ffff99d6992e0900 RCX: a014d76c70ef3900
RDX: ffffa91b8007bae8 RSI: 00000000ffffdfff RDI: 0000000000000001
RBP: ffffa91b8007bc88 R08: 0000000000000000 R09: ffffa91b8007bae0
R10: 00000000ffffdfff R11: ffffffff83a79800 R12: ffff99d695302060
R13: ffff99d695300900 R14: ffff99d6992e1be0 R15: ffff99d6992e2010
FS: 0000000000000000(0000) GS:ffff99d6aac00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000078fbdba43480 CR3: 000000010e464000 CR4: 00000000001506f0
Call Trace:
<TASK>
? __die_body+0x1f/0x70
? die+0x3d/0x60
? do_trap+0xa4/0x110
? __list_add_valid_or_report+0x5e/0xb0
? do_error_trap+0x6d/0x90
? __list_add_valid_or_report+0x5e/0xb0
? handle_invalid_op+0x30/0x40
? __list_add_valid_or_report+0x5e/0xb0
? exc_invalid_op+0x3c/0x50
? asm_exc_invalid_op+0x16/0x20
? __list_add_valid_or_report+0x5e/0xb0
rtw89_ops_add_interface+0x309/0x310 [rtw89_core 7c32b1ee6854761c0321027c8a58c5160e41f48f]
drv_add_interface+0x5c/0x130 [mac80211 83e989e6e616bd5b4b8a2b0a9f9352a2c385a3bc]
ieee80211_reconfig+0x241/0x13d0 [mac80211 83e989e6e616bd5b4b8a2b0a9f9352a2c385a3bc]
? finish_wait+0x3e/0x90
? synchronize_rcu_expedited+0x174/0x260
? sync_rcu_exp_done_unlocked+0x50/0x50
? wake_bit_function+0x40/0x40
ieee80211_restart_work+0xf0/0x140 [mac80211 83e989e6e616bd5b4b8a2b0a9f9352a2c385a3bc]
process_scheduled_works+0x1e5/0x480
worker_thread+0xea/0x1e0
kthread+0xdb/0x110
? move_linked_works+0x90/0x90
? kthread_associate_blkcg+0xa0/0xa0
ret_from_fork+0x3b/0x50
? kthread_associate_blkcg+0xa0/0xa0
ret_from_fork_asm+0x11/0x20
</TASK>
Modules linked in: dm_integrity async_xor xor async_tx lz4 lz4_compress zstd zstd_compress zram zsmalloc rfcomm cmac uinput algif_hash algif_skcipher af_alg btusb btrtl iio_trig_hrtimer industrialio_sw_trigger btmtk industrialio_configfs btbcm btintel uvcvideo videobuf2_vmalloc iio_trig_sysfs videobuf2_memops videobuf2_v4l2 videobuf2_common uvc snd_hda_codec_hdmi veth snd_hda_intel snd_intel_dspcfg acpi_als snd_hda_codec industrialio_triggered_buffer kfifo_buf snd_hwdep industrialio i2c_piix4 snd_hda_core designware_i2s ip6table_nat snd_soc_max98357a xt_MASQUERADE xt_cgroup snd_soc_acp_rt5682_mach fuse rtw89_8922ae(O) rtw89_8922a(O) rtw89_pci(O) rtw89_core(O) 8021q mac80211(O) bluetooth ecdh_generic ecc cfg80211 r8152 mii joydev
gsmi: Log Shutdown Reason 0x03
---[ end trace 0000000000000000 ]---
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: e3ec7017f6a20d12ddd9fe23d345ebb7b8c104dd Version: e3ec7017f6a20d12ddd9fe23d345ebb7b8c104dd Version: e3ec7017f6a20d12ddd9fe23d345ebb7b8c104dd Version: e3ec7017f6a20d12ddd9fe23d345ebb7b8c104dd Version: e3ec7017f6a20d12ddd9fe23d345ebb7b8c104dd |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49939", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:38:00.571603Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:50.803Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/wireless/realtek/rtw89/mac80211.c", "drivers/net/wireless/realtek/rtw89/util.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "b04650b5a9990cf5c0de480e62c68199f1396a04", status: "affected", version: "e3ec7017f6a20d12ddd9fe23d345ebb7b8c104dd", versionType: "git", }, { lessThan: "fdc73f2cfbe897f4733156df211d79ced649b23c", status: "affected", version: "e3ec7017f6a20d12ddd9fe23d345ebb7b8c104dd", versionType: "git", }, { lessThan: "37c319503023de49a4c87301c8998c8d928112cb", status: "affected", version: "e3ec7017f6a20d12ddd9fe23d345ebb7b8c104dd", versionType: "git", }, { lessThan: "490eddc836b2a6ec286e5df14bed4c7cf5e1f475", status: "affected", version: "e3ec7017f6a20d12ddd9fe23d345ebb7b8c104dd", versionType: "git", }, { lessThan: "7dd5d2514a8ea58f12096e888b0bd050d7eae20a", status: "affected", version: "e3ec7017f6a20d12ddd9fe23d345ebb7b8c104dd", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/wireless/realtek/rtw89/mac80211.c", "drivers/net/wireless/realtek/rtw89/util.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.16", }, { lessThan: "5.16", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.120", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: avoid to add interface to list twice when SER\n\nIf SER L2 occurs during the WoWLAN resume flow, the add interface flow\nis triggered by ieee80211_reconfig(). However, due to\nrtw89_wow_resume() return failure, it will cause the add interface flow\nto be executed again, resulting in a double add list and causing a kernel\npanic. Therefore, we have added a check to prevent double adding of the\nlist.\n\nlist_add double add: new=ffff99d6992e2010, prev=ffff99d6992e2010, next=ffff99d695302628.\n------------[ cut here ]------------\nkernel BUG at lib/list_debug.c:37!\ninvalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 0 PID: 9 Comm: kworker/0:1 Tainted: G W O 6.6.30-02659-gc18865c4dfbd #1 770df2933251a0e3c888ba69d1053a817a6376a7\nHardware name: HP Grunt/Grunt, BIOS Google_Grunt.11031.169.0 06/24/2021\nWorkqueue: events_freezable ieee80211_restart_work [mac80211]\nRIP: 0010:__list_add_valid_or_report+0x5e/0xb0\nCode: c7 74 18 48 39 ce 74 13 b0 01 59 5a 5e 5f 41 58 41 59 41 5a 5d e9 e2 d6 03 00 cc 48 c7 c7 8d 4f 17 83 48 89 c2 e8 02 c0 00 00 <0f> 0b 48 c7 c7 aa 8c 1c 83 e8 f4 bf 00 00 0f 0b 48 c7 c7 c8 bc 12\nRSP: 0018:ffffa91b8007bc50 EFLAGS: 00010246\nRAX: 0000000000000058 RBX: ffff99d6992e0900 RCX: a014d76c70ef3900\nRDX: ffffa91b8007bae8 RSI: 00000000ffffdfff RDI: 0000000000000001\nRBP: ffffa91b8007bc88 R08: 0000000000000000 R09: ffffa91b8007bae0\nR10: 00000000ffffdfff R11: ffffffff83a79800 R12: ffff99d695302060\nR13: ffff99d695300900 R14: ffff99d6992e1be0 R15: ffff99d6992e2010\nFS: 0000000000000000(0000) GS:ffff99d6aac00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000078fbdba43480 CR3: 000000010e464000 CR4: 00000000001506f0\nCall Trace:\n <TASK>\n ? __die_body+0x1f/0x70\n ? die+0x3d/0x60\n ? do_trap+0xa4/0x110\n ? __list_add_valid_or_report+0x5e/0xb0\n ? do_error_trap+0x6d/0x90\n ? __list_add_valid_or_report+0x5e/0xb0\n ? handle_invalid_op+0x30/0x40\n ? __list_add_valid_or_report+0x5e/0xb0\n ? exc_invalid_op+0x3c/0x50\n ? asm_exc_invalid_op+0x16/0x20\n ? __list_add_valid_or_report+0x5e/0xb0\n rtw89_ops_add_interface+0x309/0x310 [rtw89_core 7c32b1ee6854761c0321027c8a58c5160e41f48f]\n drv_add_interface+0x5c/0x130 [mac80211 83e989e6e616bd5b4b8a2b0a9f9352a2c385a3bc]\n ieee80211_reconfig+0x241/0x13d0 [mac80211 83e989e6e616bd5b4b8a2b0a9f9352a2c385a3bc]\n ? finish_wait+0x3e/0x90\n ? synchronize_rcu_expedited+0x174/0x260\n ? sync_rcu_exp_done_unlocked+0x50/0x50\n ? wake_bit_function+0x40/0x40\n ieee80211_restart_work+0xf0/0x140 [mac80211 83e989e6e616bd5b4b8a2b0a9f9352a2c385a3bc]\n process_scheduled_works+0x1e5/0x480\n worker_thread+0xea/0x1e0\n kthread+0xdb/0x110\n ? move_linked_works+0x90/0x90\n ? kthread_associate_blkcg+0xa0/0xa0\n ret_from_fork+0x3b/0x50\n ? kthread_associate_blkcg+0xa0/0xa0\n ret_from_fork_asm+0x11/0x20\n </TASK>\nModules linked in: dm_integrity async_xor xor async_tx lz4 lz4_compress zstd zstd_compress zram zsmalloc rfcomm cmac uinput algif_hash algif_skcipher af_alg btusb btrtl iio_trig_hrtimer industrialio_sw_trigger btmtk industrialio_configfs btbcm btintel uvcvideo videobuf2_vmalloc iio_trig_sysfs videobuf2_memops videobuf2_v4l2 videobuf2_common uvc snd_hda_codec_hdmi veth snd_hda_intel snd_intel_dspcfg acpi_als snd_hda_codec industrialio_triggered_buffer kfifo_buf snd_hwdep industrialio i2c_piix4 snd_hda_core designware_i2s ip6table_nat snd_soc_max98357a xt_MASQUERADE xt_cgroup snd_soc_acp_rt5682_mach fuse rtw89_8922ae(O) rtw89_8922a(O) rtw89_pci(O) rtw89_core(O) 8021q mac80211(O) bluetooth ecdh_generic ecc cfg80211 r8152 mii joydev\ngsmi: Log Shutdown Reason 0x03\n---[ end trace 0000000000000000 ]---", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:29:26.728Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/b04650b5a9990cf5c0de480e62c68199f1396a04", }, { url: "https://git.kernel.org/stable/c/fdc73f2cfbe897f4733156df211d79ced649b23c", }, { url: "https://git.kernel.org/stable/c/37c319503023de49a4c87301c8998c8d928112cb", }, { url: "https://git.kernel.org/stable/c/490eddc836b2a6ec286e5df14bed4c7cf5e1f475", }, { url: "https://git.kernel.org/stable/c/7dd5d2514a8ea58f12096e888b0bd050d7eae20a", }, ], title: "wifi: rtw89: avoid to add interface to list twice when SER", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49939", datePublished: "2024-10-21T18:01:59.011Z", dateReserved: "2024-10-21T12:17:06.043Z", dateUpdated: "2024-12-19T09:29:26.728Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49986
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-19 09:30
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
platform/x86: x86-android-tablets: Fix use after free on platform_device_register() errors
x86_android_tablet_remove() frees the pdevs[] array, so it should not
be used after calling x86_android_tablet_remove().
When platform_device_register() fails, store the pdevs[x] PTR_ERR() value
into the local ret variable before calling x86_android_tablet_remove()
to avoid using pdevs[] after it has been freed.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 5eba0141206ea521bbcfcf5067c174e825e943dd Version: 5eba0141206ea521bbcfcf5067c174e825e943dd Version: 5eba0141206ea521bbcfcf5067c174e825e943dd Version: 5eba0141206ea521bbcfcf5067c174e825e943dd Version: 5eba0141206ea521bbcfcf5067c174e825e943dd |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49986", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:31:52.405386Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:43.597Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/platform/x86/x86-android-tablets/core.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "ba0b09a2f327319e252d8f3032019b958c0a5cd9", status: "affected", version: "5eba0141206ea521bbcfcf5067c174e825e943dd", versionType: "git", }, { lessThan: "aac871e493fc8809e60209d9899b1af07e9dbfc8", status: "affected", version: "5eba0141206ea521bbcfcf5067c174e825e943dd", versionType: "git", }, { lessThan: "f08adc5177bd4343df09033f62ab562c09ba7f7d", status: "affected", version: "5eba0141206ea521bbcfcf5067c174e825e943dd", versionType: "git", }, { lessThan: "73a98cf79e4dbfa3d0c363e826c65aae089b313c", status: "affected", version: "5eba0141206ea521bbcfcf5067c174e825e943dd", versionType: "git", }, { lessThan: "2fae3129c0c08e72b1fe93e61fd8fd203252094a", status: "affected", version: "5eba0141206ea521bbcfcf5067c174e825e943dd", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/platform/x86/x86-android-tablets/core.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.17", }, { lessThan: "5.17", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.118", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: x86-android-tablets: Fix use after free on platform_device_register() errors\n\nx86_android_tablet_remove() frees the pdevs[] array, so it should not\nbe used after calling x86_android_tablet_remove().\n\nWhen platform_device_register() fails, store the pdevs[x] PTR_ERR() value\ninto the local ret variable before calling x86_android_tablet_remove()\nto avoid using pdevs[] after it has been freed.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:30:44.427Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/ba0b09a2f327319e252d8f3032019b958c0a5cd9", }, { url: "https://git.kernel.org/stable/c/aac871e493fc8809e60209d9899b1af07e9dbfc8", }, { url: "https://git.kernel.org/stable/c/f08adc5177bd4343df09033f62ab562c09ba7f7d", }, { url: "https://git.kernel.org/stable/c/73a98cf79e4dbfa3d0c363e826c65aae089b313c", }, { url: "https://git.kernel.org/stable/c/2fae3129c0c08e72b1fe93e61fd8fd203252094a", }, ], title: "platform/x86: x86-android-tablets: Fix use after free on platform_device_register() errors", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49986", datePublished: "2024-10-21T18:02:30.507Z", dateReserved: "2024-10-21T12:17:06.054Z", dateUpdated: "2024-12-19T09:30:44.427Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47714
Vulnerability from cvelistv5
Published
2024-10-21 11:53
Modified
2024-12-19 09:26
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mt76: mt7996: use hweight16 to get correct tx antenna
The chainmask is u16 so using hweight8 cannot get correct tx_ant.
Without this patch, the tx_ant of band 2 would be -1 and lead to the
following issue:
BUG: KASAN: stack-out-of-bounds in mt7996_mcu_add_sta+0x12e0/0x16e0 [mt7996e]
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47714", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:02:52.416293Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:18.545Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/wireless/mediatek/mt76/mt7996/mcu.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "50d87e3b70980abc090676b6b4703fcbd96221f9", status: "affected", version: "98686cd21624c75a043e96812beadddf4f6f48e5", versionType: "git", }, { lessThan: "8f51fc8a9e2fd96363d8ec3f4ee4b78dd64754e3", status: "affected", version: "98686cd21624c75a043e96812beadddf4f6f48e5", versionType: "git", }, { lessThan: "33954930870c18ec549e4bca0eeff43e252cb740", status: "affected", version: "98686cd21624c75a043e96812beadddf4f6f48e5", versionType: "git", }, { lessThan: "f98c3de92bb05dac4a4969df8a4595ed380b4604", status: "affected", version: "98686cd21624c75a043e96812beadddf4f6f48e5", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/wireless/mediatek/mt76/mt7996/mcu.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.2", }, { lessThan: "6.2", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7996: use hweight16 to get correct tx antenna\n\nThe chainmask is u16 so using hweight8 cannot get correct tx_ant.\nWithout this patch, the tx_ant of band 2 would be -1 and lead to the\nfollowing issue:\nBUG: KASAN: stack-out-of-bounds in mt7996_mcu_add_sta+0x12e0/0x16e0 [mt7996e]", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:26:39.357Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/50d87e3b70980abc090676b6b4703fcbd96221f9", }, { url: "https://git.kernel.org/stable/c/8f51fc8a9e2fd96363d8ec3f4ee4b78dd64754e3", }, { url: "https://git.kernel.org/stable/c/33954930870c18ec549e4bca0eeff43e252cb740", }, { url: "https://git.kernel.org/stable/c/f98c3de92bb05dac4a4969df8a4595ed380b4604", }, ], title: "wifi: mt76: mt7996: use hweight16 to get correct tx antenna", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47714", datePublished: "2024-10-21T11:53:46.090Z", dateReserved: "2024-09-30T16:00:12.948Z", dateUpdated: "2024-12-19T09:26:39.357Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47712
Vulnerability from cvelistv5
Published
2024-10-21 11:53
Modified
2024-12-19 09:26
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: wilc1000: fix potential RCU dereference issue in wilc_parse_join_bss_param
In the `wilc_parse_join_bss_param` function, the TSF field of the `ies`
structure is accessed after the RCU read-side critical section is
unlocked. According to RCU usage rules, this is illegal. Reusing this
pointer can lead to unpredictable behavior, including accessing memory
that has been updated or causing use-after-free issues.
This possible bug was identified using a static analysis tool developed
by myself, specifically designed to detect RCU-related issues.
To address this, the TSF value is now stored in a local variable
`ies_tsf` before the RCU lock is released. The `param->tsf_lo` field is
then assigned using this local variable, ensuring that the TSF value is
safely accessed.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: e556006de4ea93abe2b46cba202a2556c544b8b2 Version: b4bbf38c350acb6500cbe667b1e2e68f896e4b38 Version: d80fc436751cfa6b02a8eda74eb6cce7dadfe5a2 Version: 745003b5917b610352f52fe0d11ef658d6471ec2 Version: 4bfd20d5f5c62b5495d6c0016ee6933bd3add7ce Version: 205c50306acf58a335eb19fa84e40140f4fe814f Version: 205c50306acf58a335eb19fa84e40140f4fe814f Version: 205c50306acf58a335eb19fa84e40140f4fe814f |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47712", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:03:07.439547Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:18.804Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/wireless/microchip/wilc1000/hif.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "5a24cedc243ace5ed7c1016f52a7bfc8f5b07815", status: "affected", version: "e556006de4ea93abe2b46cba202a2556c544b8b2", versionType: "git", }, { lessThan: "557418e1704605a81c9e26732449f71b1d40ba1e", status: "affected", version: "b4bbf38c350acb6500cbe667b1e2e68f896e4b38", versionType: "git", }, { lessThan: "bf090f4fe935294361eabd9dc5a949fdd77d3d1b", status: "affected", version: "d80fc436751cfa6b02a8eda74eb6cce7dadfe5a2", versionType: "git", }, { lessThan: "b040b71d99ee5e17bb7a743dc01cbfcae8908ce1", status: "affected", version: "745003b5917b610352f52fe0d11ef658d6471ec2", versionType: "git", }, { lessThan: "84398204c5df5aaf89453056cf0647cda9664d2b", status: "affected", version: "4bfd20d5f5c62b5495d6c0016ee6933bd3add7ce", versionType: "git", }, { lessThan: "2f944e6255c2fc1c9bd9ee32f6b14ee0b2a51eb5", status: "affected", version: "205c50306acf58a335eb19fa84e40140f4fe814f", versionType: "git", }, { lessThan: "79510414a7626317f13cc9073244ab7a8deb3192", status: "affected", version: "205c50306acf58a335eb19fa84e40140f4fe814f", versionType: "git", }, { lessThan: "6d7c6ae1efb1ff68bc01d79d94fdf0388f86cdd8", status: "affected", version: "205c50306acf58a335eb19fa84e40140f4fe814f", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/wireless/microchip/wilc1000/hif.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.9", }, { lessThan: "6.9", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wilc1000: fix potential RCU dereference issue in wilc_parse_join_bss_param\n\nIn the `wilc_parse_join_bss_param` function, the TSF field of the `ies`\nstructure is accessed after the RCU read-side critical section is\nunlocked. According to RCU usage rules, this is illegal. Reusing this\npointer can lead to unpredictable behavior, including accessing memory\nthat has been updated or causing use-after-free issues.\n\nThis possible bug was identified using a static analysis tool developed\nby myself, specifically designed to detect RCU-related issues.\n\nTo address this, the TSF value is now stored in a local variable\n`ies_tsf` before the RCU lock is released. The `param->tsf_lo` field is\nthen assigned using this local variable, ensuring that the TSF value is\nsafely accessed.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:26:36.935Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/5a24cedc243ace5ed7c1016f52a7bfc8f5b07815", }, { url: "https://git.kernel.org/stable/c/557418e1704605a81c9e26732449f71b1d40ba1e", }, { url: "https://git.kernel.org/stable/c/bf090f4fe935294361eabd9dc5a949fdd77d3d1b", }, { url: "https://git.kernel.org/stable/c/b040b71d99ee5e17bb7a743dc01cbfcae8908ce1", }, { url: "https://git.kernel.org/stable/c/84398204c5df5aaf89453056cf0647cda9664d2b", }, { url: "https://git.kernel.org/stable/c/2f944e6255c2fc1c9bd9ee32f6b14ee0b2a51eb5", }, { url: "https://git.kernel.org/stable/c/79510414a7626317f13cc9073244ab7a8deb3192", }, { url: "https://git.kernel.org/stable/c/6d7c6ae1efb1ff68bc01d79d94fdf0388f86cdd8", }, ], title: "wifi: wilc1000: fix potential RCU dereference issue in wilc_parse_join_bss_param", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47712", datePublished: "2024-10-21T11:53:44.763Z", dateReserved: "2024-09-30T16:00:12.948Z", dateUpdated: "2024-12-19T09:26:36.935Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-49010
Vulnerability from cvelistv5
Published
2024-10-21 20:06
Modified
2024-12-19 08:12
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
hwmon: (coretemp) Check for null before removing sysfs attrs
If coretemp_add_core() gets an error then pdata->core_data[indx]
is already NULL and has been kfreed. Don't pass that to
sysfs_remove_group() as that will crash in sysfs_remove_group().
[Shortened for readability]
[91854.020159] sysfs: cannot create duplicate filename '/devices/platform/coretemp.0/hwmon/hwmon2/temp20_label'
<cpu offline>
[91855.126115] BUG: kernel NULL pointer dereference, address: 0000000000000188
[91855.165103] #PF: supervisor read access in kernel mode
[91855.194506] #PF: error_code(0x0000) - not-present page
[91855.224445] PGD 0 P4D 0
[91855.238508] Oops: 0000 [#1] PREEMPT SMP PTI
...
[91855.342716] RIP: 0010:sysfs_remove_group+0xc/0x80
...
[91855.796571] Call Trace:
[91855.810524] coretemp_cpu_offline+0x12b/0x1dd [coretemp]
[91855.841738] ? coretemp_cpu_online+0x180/0x180 [coretemp]
[91855.871107] cpuhp_invoke_callback+0x105/0x4b0
[91855.893432] cpuhp_thread_fun+0x8e/0x150
...
Fix this by checking for NULL first.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 199e0de7f5df31a4fc485d4aaaf8a07718252ace Version: 199e0de7f5df31a4fc485d4aaaf8a07718252ace Version: 199e0de7f5df31a4fc485d4aaaf8a07718252ace Version: 199e0de7f5df31a4fc485d4aaaf8a07718252ace Version: 199e0de7f5df31a4fc485d4aaaf8a07718252ace Version: 199e0de7f5df31a4fc485d4aaaf8a07718252ace Version: 199e0de7f5df31a4fc485d4aaaf8a07718252ace Version: 199e0de7f5df31a4fc485d4aaaf8a07718252ace |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-49010", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:13:58.658832Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:38.960Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/hwmon/coretemp.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "fb503d077ff7b43913503eaf72995d1239028b99", status: "affected", version: "199e0de7f5df31a4fc485d4aaaf8a07718252ace", versionType: "git", }, { lessThan: "070d5ea4a0592a37ad96ce7f7b6b024f90bb009f", status: "affected", version: "199e0de7f5df31a4fc485d4aaaf8a07718252ace", versionType: "git", }, { lessThan: "280110db1a7d62ad635b103bafc3ae96e8bef75c", status: "affected", version: "199e0de7f5df31a4fc485d4aaaf8a07718252ace", versionType: "git", }, { lessThan: "89eecabe6a47403237f45aafd7d24f93cb973653", status: "affected", version: "199e0de7f5df31a4fc485d4aaaf8a07718252ace", versionType: "git", }, { lessThan: "f06e0cd01eab954bd5f2190c9faa79bb5357e05b", status: "affected", version: "199e0de7f5df31a4fc485d4aaaf8a07718252ace", versionType: "git", }, { lessThan: "7692700ac818866d138a8de555130a6e70e6ac16", status: "affected", version: "199e0de7f5df31a4fc485d4aaaf8a07718252ace", versionType: "git", }, { lessThan: "ae6c8b6e5d5628df1c475c0a8fca1465e205c95b", status: "affected", version: "199e0de7f5df31a4fc485d4aaaf8a07718252ace", versionType: "git", }, { lessThan: "a89ff5f5cc64b9fe7a992cf56988fd36f56ca82a", status: "affected", version: "199e0de7f5df31a4fc485d4aaaf8a07718252ace", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/hwmon/coretemp.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "3.0", }, { lessThan: "3.0", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.9.*", status: "unaffected", version: "4.9.335", versionType: "semver", }, { lessThanOrEqual: "4.14.*", status: "unaffected", version: "4.14.301", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.268", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.226", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.158", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.82", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.12", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (coretemp) Check for null before removing sysfs attrs\n\nIf coretemp_add_core() gets an error then pdata->core_data[indx]\nis already NULL and has been kfreed. Don't pass that to\nsysfs_remove_group() as that will crash in sysfs_remove_group().\n\n[Shortened for readability]\n[91854.020159] sysfs: cannot create duplicate filename '/devices/platform/coretemp.0/hwmon/hwmon2/temp20_label'\n<cpu offline>\n[91855.126115] BUG: kernel NULL pointer dereference, address: 0000000000000188\n[91855.165103] #PF: supervisor read access in kernel mode\n[91855.194506] #PF: error_code(0x0000) - not-present page\n[91855.224445] PGD 0 P4D 0\n[91855.238508] Oops: 0000 [#1] PREEMPT SMP PTI\n...\n[91855.342716] RIP: 0010:sysfs_remove_group+0xc/0x80\n...\n[91855.796571] Call Trace:\n[91855.810524] coretemp_cpu_offline+0x12b/0x1dd [coretemp]\n[91855.841738] ? coretemp_cpu_online+0x180/0x180 [coretemp]\n[91855.871107] cpuhp_invoke_callback+0x105/0x4b0\n[91855.893432] cpuhp_thread_fun+0x8e/0x150\n...\n\nFix this by checking for NULL first.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:12:23.232Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/fb503d077ff7b43913503eaf72995d1239028b99", }, { url: "https://git.kernel.org/stable/c/070d5ea4a0592a37ad96ce7f7b6b024f90bb009f", }, { url: "https://git.kernel.org/stable/c/280110db1a7d62ad635b103bafc3ae96e8bef75c", }, { url: "https://git.kernel.org/stable/c/89eecabe6a47403237f45aafd7d24f93cb973653", }, { url: "https://git.kernel.org/stable/c/f06e0cd01eab954bd5f2190c9faa79bb5357e05b", }, { url: "https://git.kernel.org/stable/c/7692700ac818866d138a8de555130a6e70e6ac16", }, { url: "https://git.kernel.org/stable/c/ae6c8b6e5d5628df1c475c0a8fca1465e205c95b", }, { url: "https://git.kernel.org/stable/c/a89ff5f5cc64b9fe7a992cf56988fd36f56ca82a", }, ], title: "hwmon: (coretemp) Check for null before removing sysfs attrs", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-49010", datePublished: "2024-10-21T20:06:21.423Z", dateReserved: "2024-08-22T01:27:53.644Z", dateUpdated: "2024-12-19T08:12:23.232Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47720
Vulnerability from cvelistv5
Published
2024-10-21 11:53
Modified
2024-12-19 09:26
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Add null check for set_output_gamma in dcn30_set_output_transfer_func
This commit adds a null check for the set_output_gamma function pointer
in the dcn30_set_output_transfer_func function. Previously,
set_output_gamma was being checked for nullity at line 386, but then it
was being dereferenced without any nullity check at line 401. This
could potentially lead to a null pointer dereference error if
set_output_gamma is indeed null.
To fix this, we now ensure that set_output_gamma is not null before
dereferencing it. We do this by adding a nullity check for
set_output_gamma before the call to set_output_gamma at line 401. If
set_output_gamma is null, we log an error message and do not call the
function.
This fix prevents a potential null pointer dereference error.
drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:401 dcn30_set_output_transfer_func()
error: we previously assumed 'mpc->funcs->set_output_gamma' could be null (see line 386)
drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c
373 bool dcn30_set_output_transfer_func(struct dc *dc,
374 struct pipe_ctx *pipe_ctx,
375 const struct dc_stream_state *stream)
376 {
377 int mpcc_id = pipe_ctx->plane_res.hubp->inst;
378 struct mpc *mpc = pipe_ctx->stream_res.opp->ctx->dc->res_pool->mpc;
379 const struct pwl_params *params = NULL;
380 bool ret = false;
381
382 /* program OGAM or 3DLUT only for the top pipe*/
383 if (pipe_ctx->top_pipe == NULL) {
384 /*program rmu shaper and 3dlut in MPC*/
385 ret = dcn30_set_mpc_shaper_3dlut(pipe_ctx, stream);
386 if (ret == false && mpc->funcs->set_output_gamma) {
^^^^^^^^^^^^^^^^^^^^^^^^^^^^ If this is NULL
387 if (stream->out_transfer_func.type == TF_TYPE_HWPWL)
388 params = &stream->out_transfer_func.pwl;
389 else if (pipe_ctx->stream->out_transfer_func.type ==
390 TF_TYPE_DISTRIBUTED_POINTS &&
391 cm3_helper_translate_curve_to_hw_format(
392 &stream->out_transfer_func,
393 &mpc->blender_params, false))
394 params = &mpc->blender_params;
395 /* there are no ROM LUTs in OUTGAM */
396 if (stream->out_transfer_func.type == TF_TYPE_PREDEFINED)
397 BREAK_TO_DEBUGGER();
398 }
399 }
400
--> 401 mpc->funcs->set_output_gamma(mpc, mpcc_id, params);
^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Then it will crash
402 return ret;
403 }
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: d99f13878d6f9c286b13860d8bf0b4db9ffb189a Version: d99f13878d6f9c286b13860d8bf0b4db9ffb189a Version: d99f13878d6f9c286b13860d8bf0b4db9ffb189a Version: d99f13878d6f9c286b13860d8bf0b4db9ffb189a Version: d99f13878d6f9c286b13860d8bf0b4db9ffb189a Version: d99f13878d6f9c286b13860d8bf0b4db9ffb189a |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47720", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:02:07.747616Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:17.600Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/hwss/dcn30/dcn30_hwseq.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "44948d3cb943602ba4a0b5ed3c91ae0525838fb1", status: "affected", version: "d99f13878d6f9c286b13860d8bf0b4db9ffb189a", versionType: "git", }, { lessThan: "64886a4e6f1dce843c0889505cf0673b5211e16a", status: "affected", version: "d99f13878d6f9c286b13860d8bf0b4db9ffb189a", versionType: "git", }, { lessThan: "ddf9ff244d704e1903533f7be377615ed34b83e7", status: "affected", version: "d99f13878d6f9c286b13860d8bf0b4db9ffb189a", versionType: "git", }, { lessThan: "84edd5a3f5fa6aafa4afcaf9f101f46426c620c9", status: "affected", version: "d99f13878d6f9c286b13860d8bf0b4db9ffb189a", versionType: "git", }, { lessThan: "72ee32d0907364104fbcf4f68dd5ae63cd8eae9e", status: "affected", version: "d99f13878d6f9c286b13860d8bf0b4db9ffb189a", versionType: "git", }, { lessThan: "08ae395ea22fb3d9b318c8bde28c0dfd2f5fa4d2", status: "affected", version: "d99f13878d6f9c286b13860d8bf0b4db9ffb189a", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/hwss/dcn30/dcn30_hwseq.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.9", }, { lessThan: "5.9", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add null check for set_output_gamma in dcn30_set_output_transfer_func\n\nThis commit adds a null check for the set_output_gamma function pointer\nin the dcn30_set_output_transfer_func function. Previously,\nset_output_gamma was being checked for nullity at line 386, but then it\nwas being dereferenced without any nullity check at line 401. This\ncould potentially lead to a null pointer dereference error if\nset_output_gamma is indeed null.\n\nTo fix this, we now ensure that set_output_gamma is not null before\ndereferencing it. We do this by adding a nullity check for\nset_output_gamma before the call to set_output_gamma at line 401. If\nset_output_gamma is null, we log an error message and do not call the\nfunction.\n\nThis fix prevents a potential null pointer dereference error.\n\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:401 dcn30_set_output_transfer_func()\nerror: we previously assumed 'mpc->funcs->set_output_gamma' could be null (see line 386)\n\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c\n 373 bool dcn30_set_output_transfer_func(struct dc *dc,\n 374 struct pipe_ctx *pipe_ctx,\n 375 const struct dc_stream_state *stream)\n 376 {\n 377 int mpcc_id = pipe_ctx->plane_res.hubp->inst;\n 378 struct mpc *mpc = pipe_ctx->stream_res.opp->ctx->dc->res_pool->mpc;\n 379 const struct pwl_params *params = NULL;\n 380 bool ret = false;\n 381\n 382 /* program OGAM or 3DLUT only for the top pipe*/\n 383 if (pipe_ctx->top_pipe == NULL) {\n 384 /*program rmu shaper and 3dlut in MPC*/\n 385 ret = dcn30_set_mpc_shaper_3dlut(pipe_ctx, stream);\n 386 if (ret == false && mpc->funcs->set_output_gamma) {\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ If this is NULL\n\n 387 if (stream->out_transfer_func.type == TF_TYPE_HWPWL)\n 388 params = &stream->out_transfer_func.pwl;\n 389 else if (pipe_ctx->stream->out_transfer_func.type ==\n 390 TF_TYPE_DISTRIBUTED_POINTS &&\n 391 cm3_helper_translate_curve_to_hw_format(\n 392 &stream->out_transfer_func,\n 393 &mpc->blender_params, false))\n 394 params = &mpc->blender_params;\n 395 /* there are no ROM LUTs in OUTGAM */\n 396 if (stream->out_transfer_func.type == TF_TYPE_PREDEFINED)\n 397 BREAK_TO_DEBUGGER();\n 398 }\n 399 }\n 400\n--> 401 mpc->funcs->set_output_gamma(mpc, mpcc_id, params);\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Then it will crash\n\n 402 return ret;\n 403 }", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:26:46.836Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/44948d3cb943602ba4a0b5ed3c91ae0525838fb1", }, { url: "https://git.kernel.org/stable/c/64886a4e6f1dce843c0889505cf0673b5211e16a", }, { url: "https://git.kernel.org/stable/c/ddf9ff244d704e1903533f7be377615ed34b83e7", }, { url: "https://git.kernel.org/stable/c/84edd5a3f5fa6aafa4afcaf9f101f46426c620c9", }, { url: "https://git.kernel.org/stable/c/72ee32d0907364104fbcf4f68dd5ae63cd8eae9e", }, { url: "https://git.kernel.org/stable/c/08ae395ea22fb3d9b318c8bde28c0dfd2f5fa4d2", }, ], title: "drm/amd/display: Add null check for set_output_gamma in dcn30_set_output_transfer_func", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47720", datePublished: "2024-10-21T11:53:50.178Z", dateReserved: "2024-09-30T16:00:12.950Z", dateUpdated: "2024-12-19T09:26:46.836Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48968
Vulnerability from cvelistv5
Published
2024-10-21 20:05
Modified
2024-12-19 08:11
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
octeontx2-pf: Fix potential memory leak in otx2_init_tc()
In otx2_init_tc(), if rhashtable_init() failed, it does not free
tc->tc_entries_bitmap which is allocated in otx2_tc_alloc_ent_bitmap().
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48968", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:19:30.002244Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:38.232Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/ethernet/marvell/octeontx2/nic/otx2_tc.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "eefd8953a74822cb72006632b9ee9dd95f92c146", status: "affected", version: "2e2a8126ffac66b9b177ce78ad430281c0c8cc74", versionType: "git", }, { lessThan: "db5ec358cf4ef0ab382ee733d05f018e8bef9462", status: "affected", version: "2e2a8126ffac66b9b177ce78ad430281c0c8cc74", versionType: "git", }, { lessThan: "fbf33f5ac76f2cdb47ad9763f620026d5cfa57ce", status: "affected", version: "2e2a8126ffac66b9b177ce78ad430281c0c8cc74", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/ethernet/marvell/octeontx2/nic/otx2_tc.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.15", }, { lessThan: "5.15", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.83", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.13", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-pf: Fix potential memory leak in otx2_init_tc()\n\nIn otx2_init_tc(), if rhashtable_init() failed, it does not free\ntc->tc_entries_bitmap which is allocated in otx2_tc_alloc_ent_bitmap().", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:11:33.775Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/eefd8953a74822cb72006632b9ee9dd95f92c146", }, { url: "https://git.kernel.org/stable/c/db5ec358cf4ef0ab382ee733d05f018e8bef9462", }, { url: "https://git.kernel.org/stable/c/fbf33f5ac76f2cdb47ad9763f620026d5cfa57ce", }, ], title: "octeontx2-pf: Fix potential memory leak in otx2_init_tc()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48968", datePublished: "2024-10-21T20:05:50.402Z", dateReserved: "2024-08-22T01:27:53.629Z", dateUpdated: "2024-12-19T08:11:33.775Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49874
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:28
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
i3c: master: svc: Fix use after free vulnerability in svc_i3c_master Driver Due to Race Condition
In the svc_i3c_master_probe function, &master->hj_work is bound with
svc_i3c_master_hj_work, &master->ibi_work is bound with
svc_i3c_master_ibi_work. And svc_i3c_master_ibi_work can start the
hj_work, svc_i3c_master_irq_handler can start the ibi_work.
If we remove the module which will call svc_i3c_master_remove to
make cleanup, it will free master->base through i3c_master_unregister
while the work mentioned above will be used. The sequence of operations
that may lead to a UAF bug is as follows:
CPU0 CPU1
| svc_i3c_master_hj_work
svc_i3c_master_remove |
i3c_master_unregister(&master->base)|
device_unregister(&master->dev) |
device_release |
//free master->base |
| i3c_master_do_daa(&master->base)
| //use master->base
Fix it by ensuring that the work is canceled before proceeding with the
cleanup in svc_i3c_master_remove.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 87e0f28eda36c7843523aa8dd0c5dab3331e9718 Version: 0f74f8b6675cc36d689abb4d9b3d75ab4049b7d7 Version: 0f74f8b6675cc36d689abb4d9b3d75ab4049b7d7 Version: 0f74f8b6675cc36d689abb4d9b3d75ab4049b7d7 Version: 0f74f8b6675cc36d689abb4d9b3d75ab4049b7d7 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49874", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:46:33.404172Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:51.538Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/i3c/master/svc-i3c-master.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "56bddf543d4d7ddeff3f87b554ddacfdf086bffe", status: "affected", version: "87e0f28eda36c7843523aa8dd0c5dab3331e9718", versionType: "git", }, { lessThan: "4ac637122930cc4ab7e2c22e364cf3aaf96b05b1", status: "affected", version: "0f74f8b6675cc36d689abb4d9b3d75ab4049b7d7", versionType: "git", }, { lessThan: "4318998892bf8fe99f97bea18c37ae7b685af75a", status: "affected", version: "0f74f8b6675cc36d689abb4d9b3d75ab4049b7d7", versionType: "git", }, { lessThan: "27b55724d3f781dd6e635e89dc6e2fd78fa81a00", status: "affected", version: "0f74f8b6675cc36d689abb4d9b3d75ab4049b7d7", versionType: "git", }, { lessThan: "61850725779709369c7e907ae8c7c75dc7cec4f3", status: "affected", version: "0f74f8b6675cc36d689abb4d9b3d75ab4049b7d7", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/i3c/master/svc-i3c-master.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.4", }, { lessThan: "6.4", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ni3c: master: svc: Fix use after free vulnerability in svc_i3c_master Driver Due to Race Condition\n\nIn the svc_i3c_master_probe function, &master->hj_work is bound with\nsvc_i3c_master_hj_work, &master->ibi_work is bound with\nsvc_i3c_master_ibi_work. And svc_i3c_master_ibi_work can start the\nhj_work, svc_i3c_master_irq_handler can start the ibi_work.\n\nIf we remove the module which will call svc_i3c_master_remove to\nmake cleanup, it will free master->base through i3c_master_unregister\nwhile the work mentioned above will be used. The sequence of operations\nthat may lead to a UAF bug is as follows:\n\nCPU0 CPU1\n\n | svc_i3c_master_hj_work\nsvc_i3c_master_remove |\ni3c_master_unregister(&master->base)|\ndevice_unregister(&master->dev) |\ndevice_release |\n//free master->base |\n | i3c_master_do_daa(&master->base)\n | //use master->base\n\nFix it by ensuring that the work is canceled before proceeding with the\ncleanup in svc_i3c_master_remove.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:28:02.872Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/56bddf543d4d7ddeff3f87b554ddacfdf086bffe", }, { url: "https://git.kernel.org/stable/c/4ac637122930cc4ab7e2c22e364cf3aaf96b05b1", }, { url: "https://git.kernel.org/stable/c/4318998892bf8fe99f97bea18c37ae7b685af75a", }, { url: "https://git.kernel.org/stable/c/27b55724d3f781dd6e635e89dc6e2fd78fa81a00", }, { url: "https://git.kernel.org/stable/c/61850725779709369c7e907ae8c7c75dc7cec4f3", }, ], title: "i3c: master: svc: Fix use after free vulnerability in svc_i3c_master Driver Due to Race Condition", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49874", datePublished: "2024-10-21T18:01:14.762Z", dateReserved: "2024-10-21T12:17:06.020Z", dateUpdated: "2024-12-19T09:28:02.872Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49971
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2025-01-16 11:53
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Increase array size of dummy_boolean
[WHY]
dml2_core_shared_mode_support and dml_core_mode_support access the third
element of dummy_boolean, i.e. hw_debug5 = &s->dummy_boolean[2], when
dummy_boolean has size of 2. Any assignment to hw_debug5 causes an
OVERRUN.
[HOW]
Increase dummy_boolean's array size to 3.
This fixes 2 OVERRUN issues reported by Coverity.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49971", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:33:47.547811Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:46.174Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/dml2/dml21/src/dml2_core/dml2_core_shared_types.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "e9e48b7bb9cf3b78f0305ef0144aaf61da0a83d8", status: "affected", version: "70839da6360500a82e4d5f78499284474cbed7c1", versionType: "git", }, { lessThan: "6d64d39486197083497a01b39e23f2f8474b35d3", status: "affected", version: "70839da6360500a82e4d5f78499284474cbed7c1", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/dml2/dml21/src/dml2_core/dml2_core_shared_types.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.11", }, { lessThan: "6.11", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Increase array size of dummy_boolean\n\n[WHY]\ndml2_core_shared_mode_support and dml_core_mode_support access the third\nelement of dummy_boolean, i.e. hw_debug5 = &s->dummy_boolean[2], when\ndummy_boolean has size of 2. Any assignment to hw_debug5 causes an\nOVERRUN.\n\n[HOW]\nIncrease dummy_boolean's array size to 3.\n\nThis fixes 2 OVERRUN issues reported by Coverity.", }, ], providerMetadata: { dateUpdated: "2025-01-16T11:53:24.847Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/e9e48b7bb9cf3b78f0305ef0144aaf61da0a83d8", }, { url: "https://git.kernel.org/stable/c/6d64d39486197083497a01b39e23f2f8474b35d3", }, ], title: "drm/amd/display: Increase array size of dummy_boolean", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49971", datePublished: "2024-10-21T18:02:20.344Z", dateReserved: "2024-10-21T12:17:06.051Z", dateUpdated: "2025-01-16T11:53:24.847Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49866
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:27
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tracing/timerlat: Fix a race during cpuhp processing
There is another found exception that the "timerlat/1" thread was
scheduled on CPU0, and lead to timer corruption finally:
```
ODEBUG: init active (active state 0) object: ffff888237c2e108 object type: hrtimer hint: timerlat_irq+0x0/0x220
WARNING: CPU: 0 PID: 426 at lib/debugobjects.c:518 debug_print_object+0x7d/0xb0
Modules linked in:
CPU: 0 UID: 0 PID: 426 Comm: timerlat/1 Not tainted 6.11.0-rc7+ #45
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:debug_print_object+0x7d/0xb0
...
Call Trace:
<TASK>
? __warn+0x7c/0x110
? debug_print_object+0x7d/0xb0
? report_bug+0xf1/0x1d0
? prb_read_valid+0x17/0x20
? handle_bug+0x3f/0x70
? exc_invalid_op+0x13/0x60
? asm_exc_invalid_op+0x16/0x20
? debug_print_object+0x7d/0xb0
? debug_print_object+0x7d/0xb0
? __pfx_timerlat_irq+0x10/0x10
__debug_object_init+0x110/0x150
hrtimer_init+0x1d/0x60
timerlat_main+0xab/0x2d0
? __pfx_timerlat_main+0x10/0x10
kthread+0xb7/0xe0
? __pfx_kthread+0x10/0x10
ret_from_fork+0x2d/0x40
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
</TASK>
```
After tracing the scheduling event, it was discovered that the migration
of the "timerlat/1" thread was performed during thread creation. Further
analysis confirmed that it is because the CPU online processing for
osnoise is implemented through workers, which is asynchronous with the
offline processing. When the worker was scheduled to create a thread, the
CPU may has already been removed from the cpu_online_mask during the offline
process, resulting in the inability to select the right CPU:
T1 | T2
[CPUHP_ONLINE] | cpu_device_down()
osnoise_hotplug_workfn() |
| cpus_write_lock()
| takedown_cpu(1)
| cpus_write_unlock()
[CPUHP_OFFLINE] |
cpus_read_lock() |
start_kthread(1) |
cpus_read_unlock() |
To fix this, skip online processing if the CPU is already offline.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: c8895e271f7994a3ecb13b8a280e39aa53879545 Version: c8895e271f7994a3ecb13b8a280e39aa53879545 Version: c8895e271f7994a3ecb13b8a280e39aa53879545 Version: c8895e271f7994a3ecb13b8a280e39aa53879545 Version: c8895e271f7994a3ecb13b8a280e39aa53879545 Version: c8895e271f7994a3ecb13b8a280e39aa53879545 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49866", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:47:35.638203Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:52.640Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "kernel/trace/trace_osnoise.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "322920b53dc11f9c2b33397eb3ae5bc6a175b60d", status: "affected", version: "c8895e271f7994a3ecb13b8a280e39aa53879545", versionType: "git", }, { lessThan: "ce25f33ba89d6eefef64157655d318444580fa14", status: "affected", version: "c8895e271f7994a3ecb13b8a280e39aa53879545", versionType: "git", }, { lessThan: "a6e9849063a6c8f4cb2f652a437e44e3ed24356c", status: "affected", version: "c8895e271f7994a3ecb13b8a280e39aa53879545", versionType: "git", }, { lessThan: "a0d9c0cd5856191e095cf43a2e141b73945b7716", status: "affected", version: "c8895e271f7994a3ecb13b8a280e39aa53879545", versionType: "git", }, { lessThan: "f72b451dc75578f644a3019c1489e9ae2c14e6c4", status: "affected", version: "c8895e271f7994a3ecb13b8a280e39aa53879545", versionType: "git", }, { lessThan: "829e0c9f0855f26b3ae830d17b24aec103f7e915", status: "affected", version: "c8895e271f7994a3ecb13b8a280e39aa53879545", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "kernel/trace/trace_osnoise.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.14", }, { lessThan: "5.14", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/timerlat: Fix a race during cpuhp processing\n\nThere is another found exception that the \"timerlat/1\" thread was\nscheduled on CPU0, and lead to timer corruption finally:\n\n```\nODEBUG: init active (active state 0) object: ffff888237c2e108 object type: hrtimer hint: timerlat_irq+0x0/0x220\nWARNING: CPU: 0 PID: 426 at lib/debugobjects.c:518 debug_print_object+0x7d/0xb0\nModules linked in:\nCPU: 0 UID: 0 PID: 426 Comm: timerlat/1 Not tainted 6.11.0-rc7+ #45\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\nRIP: 0010:debug_print_object+0x7d/0xb0\n...\nCall Trace:\n <TASK>\n ? __warn+0x7c/0x110\n ? debug_print_object+0x7d/0xb0\n ? report_bug+0xf1/0x1d0\n ? prb_read_valid+0x17/0x20\n ? handle_bug+0x3f/0x70\n ? exc_invalid_op+0x13/0x60\n ? asm_exc_invalid_op+0x16/0x20\n ? debug_print_object+0x7d/0xb0\n ? debug_print_object+0x7d/0xb0\n ? __pfx_timerlat_irq+0x10/0x10\n __debug_object_init+0x110/0x150\n hrtimer_init+0x1d/0x60\n timerlat_main+0xab/0x2d0\n ? __pfx_timerlat_main+0x10/0x10\n kthread+0xb7/0xe0\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x2d/0x40\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n </TASK>\n```\n\nAfter tracing the scheduling event, it was discovered that the migration\nof the \"timerlat/1\" thread was performed during thread creation. Further\nanalysis confirmed that it is because the CPU online processing for\nosnoise is implemented through workers, which is asynchronous with the\noffline processing. When the worker was scheduled to create a thread, the\nCPU may has already been removed from the cpu_online_mask during the offline\nprocess, resulting in the inability to select the right CPU:\n\nT1 | T2\n[CPUHP_ONLINE] | cpu_device_down()\nosnoise_hotplug_workfn() |\n | cpus_write_lock()\n | takedown_cpu(1)\n | cpus_write_unlock()\n[CPUHP_OFFLINE] |\n cpus_read_lock() |\n start_kthread(1) |\n cpus_read_unlock() |\n\nTo fix this, skip online processing if the CPU is already offline.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:27:52.057Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/322920b53dc11f9c2b33397eb3ae5bc6a175b60d", }, { url: "https://git.kernel.org/stable/c/ce25f33ba89d6eefef64157655d318444580fa14", }, { url: "https://git.kernel.org/stable/c/a6e9849063a6c8f4cb2f652a437e44e3ed24356c", }, { url: "https://git.kernel.org/stable/c/a0d9c0cd5856191e095cf43a2e141b73945b7716", }, { url: "https://git.kernel.org/stable/c/f72b451dc75578f644a3019c1489e9ae2c14e6c4", }, { url: "https://git.kernel.org/stable/c/829e0c9f0855f26b3ae830d17b24aec103f7e915", }, ], title: "tracing/timerlat: Fix a race during cpuhp processing", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49866", datePublished: "2024-10-21T18:01:09.284Z", dateReserved: "2024-10-21T12:17:06.018Z", dateUpdated: "2024-12-19T09:27:52.057Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48970
Vulnerability from cvelistv5
Published
2024-10-21 20:05
Modified
2024-12-19 08:11
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
af_unix: Get user_ns from in_skb in unix_diag_get_exact().
Wei Chen reported a NULL deref in sk_user_ns() [0][1], and Paolo diagnosed
the root cause: in unix_diag_get_exact(), the newly allocated skb does not
have sk. [2]
We must get the user_ns from the NETLINK_CB(in_skb).sk and pass it to
sk_diag_fill().
[0]:
BUG: kernel NULL pointer dereference, address: 0000000000000270
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 12bbce067 P4D 12bbce067 PUD 12bc40067 PMD 0
Oops: 0000 [#1] PREEMPT SMP
CPU: 0 PID: 27942 Comm: syz-executor.0 Not tainted 6.1.0-rc5-next-20221118 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014
RIP: 0010:sk_user_ns include/net/sock.h:920 [inline]
RIP: 0010:sk_diag_dump_uid net/unix/diag.c:119 [inline]
RIP: 0010:sk_diag_fill+0x77d/0x890 net/unix/diag.c:170
Code: 89 ef e8 66 d4 2d fd c7 44 24 40 00 00 00 00 49 8d 7c 24 18 e8
54 d7 2d fd 49 8b 5c 24 18 48 8d bb 70 02 00 00 e8 43 d7 2d fd <48> 8b
9b 70 02 00 00 48 8d 7b 10 e8 33 d7 2d fd 48 8b 5b 10 48 8d
RSP: 0018:ffffc90000d67968 EFLAGS: 00010246
RAX: ffff88812badaa48 RBX: 0000000000000000 RCX: ffffffff840d481d
RDX: 0000000000000465 RSI: 0000000000000000 RDI: 0000000000000270
RBP: ffffc90000d679a8 R08: 0000000000000277 R09: 0000000000000000
R10: 0001ffffffffffff R11: 0001c90000d679a8 R12: ffff88812ac03800
R13: ffff88812c87c400 R14: ffff88812ae42210 R15: ffff888103026940
FS: 00007f08b4e6f700(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000270 CR3: 000000012c58b000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
unix_diag_get_exact net/unix/diag.c:285 [inline]
unix_diag_handler_dump+0x3f9/0x500 net/unix/diag.c:317
__sock_diag_cmd net/core/sock_diag.c:235 [inline]
sock_diag_rcv_msg+0x237/0x250 net/core/sock_diag.c:266
netlink_rcv_skb+0x13e/0x250 net/netlink/af_netlink.c:2564
sock_diag_rcv+0x24/0x40 net/core/sock_diag.c:277
netlink_unicast_kernel net/netlink/af_netlink.c:1330 [inline]
netlink_unicast+0x5e9/0x6b0 net/netlink/af_netlink.c:1356
netlink_sendmsg+0x739/0x860 net/netlink/af_netlink.c:1932
sock_sendmsg_nosec net/socket.c:714 [inline]
sock_sendmsg net/socket.c:734 [inline]
____sys_sendmsg+0x38f/0x500 net/socket.c:2476
___sys_sendmsg net/socket.c:2530 [inline]
__sys_sendmsg+0x197/0x230 net/socket.c:2559
__do_sys_sendmsg net/socket.c:2568 [inline]
__se_sys_sendmsg net/socket.c:2566 [inline]
__x64_sys_sendmsg+0x42/0x50 net/socket.c:2566
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x4697f9
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f08b4e6ec48 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 000000000077bf80 RCX: 00000000004697f9
RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
RBP: 00000000004d29e9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000077bf80
R13: 0000000000000000 R14: 000000000077bf80 R15: 00007ffdb36bc6c0
</TASK>
Modules linked in:
CR2: 0000000000000270
[1]: https://lore.kernel.org/netdev/CAO4mrfdvyjFpokhNsiwZiP-wpdSD0AStcJwfKcKQdAALQ9_2Qw@mail.gmail.com/
[2]: https://lore.kernel.org/netdev/e04315e7c90d9a75613f3993c2baf2d344eef7eb.camel@redhat.com/
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: cae9910e73446cac68a54e3a7b02aaa12b689026 Version: cae9910e73446cac68a54e3a7b02aaa12b689026 Version: cae9910e73446cac68a54e3a7b02aaa12b689026 Version: cae9910e73446cac68a54e3a7b02aaa12b689026 Version: cae9910e73446cac68a54e3a7b02aaa12b689026 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48970", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:19:15.629837Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:37.951Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/unix/diag.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "c66d78aee55dab72c92020ebfbebc464d4f5dd2a", status: "affected", version: "cae9910e73446cac68a54e3a7b02aaa12b689026", versionType: "git", }, { lessThan: "575a6266f63dbb3b8eb1da03671451f0d81b8034", status: "affected", version: "cae9910e73446cac68a54e3a7b02aaa12b689026", versionType: "git", }, { lessThan: "5c014eb0ed6c8c57f483e94cc6e90f34ce426d91", status: "affected", version: "cae9910e73446cac68a54e3a7b02aaa12b689026", versionType: "git", }, { lessThan: "9c1d6f79a2c7b8221dcec27defc6dc461052ead4", status: "affected", version: "cae9910e73446cac68a54e3a7b02aaa12b689026", versionType: "git", }, { lessThan: "b3abe42e94900bdd045c472f9c9be620ba5ce553", status: "affected", version: "cae9910e73446cac68a54e3a7b02aaa12b689026", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/unix/diag.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.3", }, { lessThan: "5.3", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.227", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.159", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.83", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.13", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Get user_ns from in_skb in unix_diag_get_exact().\n\nWei Chen reported a NULL deref in sk_user_ns() [0][1], and Paolo diagnosed\nthe root cause: in unix_diag_get_exact(), the newly allocated skb does not\nhave sk. [2]\n\nWe must get the user_ns from the NETLINK_CB(in_skb).sk and pass it to\nsk_diag_fill().\n\n[0]:\nBUG: kernel NULL pointer dereference, address: 0000000000000270\n#PF: supervisor read access in kernel mode\n#PF: error_code(0x0000) - not-present page\nPGD 12bbce067 P4D 12bbce067 PUD 12bc40067 PMD 0\nOops: 0000 [#1] PREEMPT SMP\nCPU: 0 PID: 27942 Comm: syz-executor.0 Not tainted 6.1.0-rc5-next-20221118 #2\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\nrel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014\nRIP: 0010:sk_user_ns include/net/sock.h:920 [inline]\nRIP: 0010:sk_diag_dump_uid net/unix/diag.c:119 [inline]\nRIP: 0010:sk_diag_fill+0x77d/0x890 net/unix/diag.c:170\nCode: 89 ef e8 66 d4 2d fd c7 44 24 40 00 00 00 00 49 8d 7c 24 18 e8\n54 d7 2d fd 49 8b 5c 24 18 48 8d bb 70 02 00 00 e8 43 d7 2d fd <48> 8b\n9b 70 02 00 00 48 8d 7b 10 e8 33 d7 2d fd 48 8b 5b 10 48 8d\nRSP: 0018:ffffc90000d67968 EFLAGS: 00010246\nRAX: ffff88812badaa48 RBX: 0000000000000000 RCX: ffffffff840d481d\nRDX: 0000000000000465 RSI: 0000000000000000 RDI: 0000000000000270\nRBP: ffffc90000d679a8 R08: 0000000000000277 R09: 0000000000000000\nR10: 0001ffffffffffff R11: 0001c90000d679a8 R12: ffff88812ac03800\nR13: ffff88812c87c400 R14: ffff88812ae42210 R15: ffff888103026940\nFS: 00007f08b4e6f700(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000270 CR3: 000000012c58b000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n unix_diag_get_exact net/unix/diag.c:285 [inline]\n unix_diag_handler_dump+0x3f9/0x500 net/unix/diag.c:317\n __sock_diag_cmd net/core/sock_diag.c:235 [inline]\n sock_diag_rcv_msg+0x237/0x250 net/core/sock_diag.c:266\n netlink_rcv_skb+0x13e/0x250 net/netlink/af_netlink.c:2564\n sock_diag_rcv+0x24/0x40 net/core/sock_diag.c:277\n netlink_unicast_kernel net/netlink/af_netlink.c:1330 [inline]\n netlink_unicast+0x5e9/0x6b0 net/netlink/af_netlink.c:1356\n netlink_sendmsg+0x739/0x860 net/netlink/af_netlink.c:1932\n sock_sendmsg_nosec net/socket.c:714 [inline]\n sock_sendmsg net/socket.c:734 [inline]\n ____sys_sendmsg+0x38f/0x500 net/socket.c:2476\n ___sys_sendmsg net/socket.c:2530 [inline]\n __sys_sendmsg+0x197/0x230 net/socket.c:2559\n __do_sys_sendmsg net/socket.c:2568 [inline]\n __se_sys_sendmsg net/socket.c:2566 [inline]\n __x64_sys_sendmsg+0x42/0x50 net/socket.c:2566\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x4697f9\nCode: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48\n89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d\n01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f08b4e6ec48 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 000000000077bf80 RCX: 00000000004697f9\nRDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003\nRBP: 00000000004d29e9 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 000000000077bf80\nR13: 0000000000000000 R14: 000000000077bf80 R15: 00007ffdb36bc6c0\n </TASK>\nModules linked in:\nCR2: 0000000000000270\n\n[1]: https://lore.kernel.org/netdev/CAO4mrfdvyjFpokhNsiwZiP-wpdSD0AStcJwfKcKQdAALQ9_2Qw@mail.gmail.com/\n[2]: https://lore.kernel.org/netdev/e04315e7c90d9a75613f3993c2baf2d344eef7eb.camel@redhat.com/", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:11:36.563Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/c66d78aee55dab72c92020ebfbebc464d4f5dd2a", }, { url: "https://git.kernel.org/stable/c/575a6266f63dbb3b8eb1da03671451f0d81b8034", }, { url: "https://git.kernel.org/stable/c/5c014eb0ed6c8c57f483e94cc6e90f34ce426d91", }, { url: "https://git.kernel.org/stable/c/9c1d6f79a2c7b8221dcec27defc6dc461052ead4", }, { url: "https://git.kernel.org/stable/c/b3abe42e94900bdd045c472f9c9be620ba5ce553", }, ], title: "af_unix: Get user_ns from in_skb in unix_diag_get_exact().", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48970", datePublished: "2024-10-21T20:05:51.703Z", dateReserved: "2024-08-22T01:27:53.629Z", dateUpdated: "2024-12-19T08:11:36.563Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49979
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-19 09:30
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: gso: fix tcp fraglist segmentation after pull from frag_list
Detect tcp gso fraglist skbs with corrupted geometry (see below) and
pass these to skb_segment instead of skb_segment_list, as the first
can segment them correctly.
Valid SKB_GSO_FRAGLIST skbs
- consist of two or more segments
- the head_skb holds the protocol headers plus first gso_size
- one or more frag_list skbs hold exactly one segment
- all but the last must be gso_size
Optional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can
modify these skbs, breaking these invariants.
In extreme cases they pull all data into skb linear. For TCP, this
causes a NULL ptr deref in __tcpv4_gso_segment_list_csum at
tcp_hdr(seg->next).
Detect invalid geometry due to pull, by checking head_skb size.
Don't just drop, as this may blackhole a destination. Convert to be
able to pass to regular skb_segment.
Approach and description based on a patch by Willem de Bruijn.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49979", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:32:45.687666Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:44.690Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/ipv4/tcp_offload.c", "net/ipv6/tcpv6_offload.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "3fdd8c83e83fa5e82f1b5585245c51e0355c9f46", status: "affected", version: "bee88cd5bd83d40b8aec4d6cb729378f707f6197", versionType: "git", }, { lessThan: "2d4a83a44428de45bfe9dccb0192a3711d1097e0", status: "affected", version: "bee88cd5bd83d40b8aec4d6cb729378f707f6197", versionType: "git", }, { lessThan: "17bd3bd82f9f79f3feba15476c2b2c95a9b11ff8", status: "affected", version: "bee88cd5bd83d40b8aec4d6cb729378f707f6197", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/ipv4/tcp_offload.c", "net/ipv6/tcpv6_offload.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.10", }, { lessThan: "6.10", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: gso: fix tcp fraglist segmentation after pull from frag_list\n\nDetect tcp gso fraglist skbs with corrupted geometry (see below) and\npass these to skb_segment instead of skb_segment_list, as the first\ncan segment them correctly.\n\nValid SKB_GSO_FRAGLIST skbs\n- consist of two or more segments\n- the head_skb holds the protocol headers plus first gso_size\n- one or more frag_list skbs hold exactly one segment\n- all but the last must be gso_size\n\nOptional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can\nmodify these skbs, breaking these invariants.\n\nIn extreme cases they pull all data into skb linear. For TCP, this\ncauses a NULL ptr deref in __tcpv4_gso_segment_list_csum at\ntcp_hdr(seg->next).\n\nDetect invalid geometry due to pull, by checking head_skb size.\nDon't just drop, as this may blackhole a destination. Convert to be\nable to pass to regular skb_segment.\n\nApproach and description based on a patch by Willem de Bruijn.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:30:35.582Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/3fdd8c83e83fa5e82f1b5585245c51e0355c9f46", }, { url: "https://git.kernel.org/stable/c/2d4a83a44428de45bfe9dccb0192a3711d1097e0", }, { url: "https://git.kernel.org/stable/c/17bd3bd82f9f79f3feba15476c2b2c95a9b11ff8", }, ], title: "net: gso: fix tcp fraglist segmentation after pull from frag_list", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49979", datePublished: "2024-10-21T18:02:25.819Z", dateReserved: "2024-10-21T12:17:06.052Z", dateUpdated: "2024-12-19T09:30:35.582Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-49003
Vulnerability from cvelistv5
Published
2024-10-21 20:06
Modified
2024-12-19 08:12
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvme: fix SRCU protection of nvme_ns_head list
Walking the nvme_ns_head siblings list is protected by the head's srcu
in nvme_ns_head_submit_bio() but not nvme_mpath_revalidate_paths().
Removing namespaces from the list also fails to synchronize the srcu.
Concurrent scan work can therefore cause use-after-frees.
Hold the head's srcu lock in nvme_mpath_revalidate_paths() and
synchronize with the srcu, not the global RCU, in nvme_ns_remove().
Observed the following panic when making NVMe/RDMA connections
with native multipath on the Rocky Linux 8.6 kernel
(it seems the upstream kernel has the same race condition).
Disassembly shows the faulting instruction is cmp 0x50(%rdx),%rcx;
computing capacity != get_capacity(ns->disk).
Address 0x50 is dereferenced because ns->disk is NULL.
The NULL disk appears to be the result of concurrent scan work
freeing the namespace (note the log line in the middle of the panic).
[37314.206036] BUG: unable to handle kernel NULL pointer dereference at 0000000000000050
[37314.206036] nvme0n3: detected capacity change from 0 to 11811160064
[37314.299753] PGD 0 P4D 0
[37314.299756] Oops: 0000 [#1] SMP PTI
[37314.299759] CPU: 29 PID: 322046 Comm: kworker/u98:3 Kdump: loaded Tainted: G W X --------- - - 4.18.0-372.32.1.el8test86.x86_64 #1
[37314.299762] Hardware name: Dell Inc. PowerEdge R720/0JP31P, BIOS 2.7.0 05/23/2018
[37314.299763] Workqueue: nvme-wq nvme_scan_work [nvme_core]
[37314.299783] RIP: 0010:nvme_mpath_revalidate_paths+0x26/0xb0 [nvme_core]
[37314.299790] Code: 1f 44 00 00 66 66 66 66 90 55 53 48 8b 5f 50 48 8b 83 c8 c9 00 00 48 8b 13 48 8b 48 50 48 39 d3 74 20 48 8d 42 d0 48 8b 50 20 <48> 3b 4a 50 74 05 f0 80 60 70 ef 48 8b 50 30 48 8d 42 d0 48 39 d3
[37315.058803] RSP: 0018:ffffabe28f913d10 EFLAGS: 00010202
[37315.121316] RAX: ffff927a077da800 RBX: ffff92991dd70000 RCX: 0000000001600000
[37315.206704] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff92991b719800
[37315.292106] RBP: ffff929a6b70c000 R08: 000000010234cd4a R09: c0000000ffff7fff
[37315.377501] R10: 0000000000000001 R11: ffffabe28f913a30 R12: 0000000000000000
[37315.462889] R13: ffff92992716600c R14: ffff929964e6e030 R15: ffff92991dd70000
[37315.548286] FS: 0000000000000000(0000) GS:ffff92b87fb80000(0000) knlGS:0000000000000000
[37315.645111] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[37315.713871] CR2: 0000000000000050 CR3: 0000002208810006 CR4: 00000000000606e0
[37315.799267] Call Trace:
[37315.828515] nvme_update_ns_info+0x1ac/0x250 [nvme_core]
[37315.892075] nvme_validate_or_alloc_ns+0x2ff/0xa00 [nvme_core]
[37315.961871] ? __blk_mq_free_request+0x6b/0x90
[37316.015021] nvme_scan_work+0x151/0x240 [nvme_core]
[37316.073371] process_one_work+0x1a7/0x360
[37316.121318] ? create_worker+0x1a0/0x1a0
[37316.168227] worker_thread+0x30/0x390
[37316.212024] ? create_worker+0x1a0/0x1a0
[37316.258939] kthread+0x10a/0x120
[37316.297557] ? set_kthread_struct+0x50/0x50
[37316.347590] ret_from_fork+0x35/0x40
[37316.390360] Modules linked in: nvme_rdma nvme_tcp(X) nvme_fabrics nvme_core netconsole iscsi_tcp libiscsi_tcp dm_queue_length dm_service_time nf_conntrack_netlink br_netfilter bridge stp llc overlay nft_chain_nat ipt_MASQUERADE nf_nat xt_addrtype xt_CT nft_counter xt_state xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_comment xt_multiport nft_compat nf_tables libcrc32c nfnetlink dm_multipath tg3 rpcrdma sunrpc rdma_ucm ib_srpt ib_isert iscsi_target_mod target_core_mod ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm intel_rapl_msr iTCO_wdt iTCO_vendor_support dcdbas intel_rapl_common sb_edac x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel ipmi_ssif kvm irqbypass crct10dif_pclmul crc32_pclmul mlx5_ib ghash_clmulni_intel ib_uverbs rapl intel_cstate intel_uncore ib_core ipmi_si joydev mei_me pcspkr ipmi_devintf mei lpc_ich wmi ipmi_msghandler acpi_power_meter ex
---truncated---
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-49003", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:14:55.180723Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:40.333Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/nvme/host/core.c", "drivers/nvme/host/multipath.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "787d81d4eb150e443e5d1276c6e8f03cfecc2302", status: "affected", version: "e7d65803e2bb5bc739548b67a5fc72c626cf7e3b", versionType: "git", }, { lessThan: "5b566d09ab1b975566a53f9c5466ee260d087582", status: "affected", version: "e7d65803e2bb5bc739548b67a5fc72c626cf7e3b", versionType: "git", }, { lessThan: "899d2a05dc14733cfba6224083c6b0dd5a738590", status: "affected", version: "e7d65803e2bb5bc739548b67a5fc72c626cf7e3b", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/nvme/host/core.c", "drivers/nvme/host/multipath.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.15", }, { lessThan: "5.15", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.82", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.12", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme: fix SRCU protection of nvme_ns_head list\n\nWalking the nvme_ns_head siblings list is protected by the head's srcu\nin nvme_ns_head_submit_bio() but not nvme_mpath_revalidate_paths().\nRemoving namespaces from the list also fails to synchronize the srcu.\nConcurrent scan work can therefore cause use-after-frees.\n\nHold the head's srcu lock in nvme_mpath_revalidate_paths() and\nsynchronize with the srcu, not the global RCU, in nvme_ns_remove().\n\nObserved the following panic when making NVMe/RDMA connections\nwith native multipath on the Rocky Linux 8.6 kernel\n(it seems the upstream kernel has the same race condition).\nDisassembly shows the faulting instruction is cmp 0x50(%rdx),%rcx;\ncomputing capacity != get_capacity(ns->disk).\nAddress 0x50 is dereferenced because ns->disk is NULL.\nThe NULL disk appears to be the result of concurrent scan work\nfreeing the namespace (note the log line in the middle of the panic).\n\n[37314.206036] BUG: unable to handle kernel NULL pointer dereference at 0000000000000050\n[37314.206036] nvme0n3: detected capacity change from 0 to 11811160064\n[37314.299753] PGD 0 P4D 0\n[37314.299756] Oops: 0000 [#1] SMP PTI\n[37314.299759] CPU: 29 PID: 322046 Comm: kworker/u98:3 Kdump: loaded Tainted: G W X --------- - - 4.18.0-372.32.1.el8test86.x86_64 #1\n[37314.299762] Hardware name: Dell Inc. PowerEdge R720/0JP31P, BIOS 2.7.0 05/23/2018\n[37314.299763] Workqueue: nvme-wq nvme_scan_work [nvme_core]\n[37314.299783] RIP: 0010:nvme_mpath_revalidate_paths+0x26/0xb0 [nvme_core]\n[37314.299790] Code: 1f 44 00 00 66 66 66 66 90 55 53 48 8b 5f 50 48 8b 83 c8 c9 00 00 48 8b 13 48 8b 48 50 48 39 d3 74 20 48 8d 42 d0 48 8b 50 20 <48> 3b 4a 50 74 05 f0 80 60 70 ef 48 8b 50 30 48 8d 42 d0 48 39 d3\n[37315.058803] RSP: 0018:ffffabe28f913d10 EFLAGS: 00010202\n[37315.121316] RAX: ffff927a077da800 RBX: ffff92991dd70000 RCX: 0000000001600000\n[37315.206704] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff92991b719800\n[37315.292106] RBP: ffff929a6b70c000 R08: 000000010234cd4a R09: c0000000ffff7fff\n[37315.377501] R10: 0000000000000001 R11: ffffabe28f913a30 R12: 0000000000000000\n[37315.462889] R13: ffff92992716600c R14: ffff929964e6e030 R15: ffff92991dd70000\n[37315.548286] FS: 0000000000000000(0000) GS:ffff92b87fb80000(0000) knlGS:0000000000000000\n[37315.645111] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[37315.713871] CR2: 0000000000000050 CR3: 0000002208810006 CR4: 00000000000606e0\n[37315.799267] Call Trace:\n[37315.828515] nvme_update_ns_info+0x1ac/0x250 [nvme_core]\n[37315.892075] nvme_validate_or_alloc_ns+0x2ff/0xa00 [nvme_core]\n[37315.961871] ? __blk_mq_free_request+0x6b/0x90\n[37316.015021] nvme_scan_work+0x151/0x240 [nvme_core]\n[37316.073371] process_one_work+0x1a7/0x360\n[37316.121318] ? create_worker+0x1a0/0x1a0\n[37316.168227] worker_thread+0x30/0x390\n[37316.212024] ? create_worker+0x1a0/0x1a0\n[37316.258939] kthread+0x10a/0x120\n[37316.297557] ? set_kthread_struct+0x50/0x50\n[37316.347590] ret_from_fork+0x35/0x40\n[37316.390360] Modules linked in: nvme_rdma nvme_tcp(X) nvme_fabrics nvme_core netconsole iscsi_tcp libiscsi_tcp dm_queue_length dm_service_time nf_conntrack_netlink br_netfilter bridge stp llc overlay nft_chain_nat ipt_MASQUERADE nf_nat xt_addrtype xt_CT nft_counter xt_state xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_comment xt_multiport nft_compat nf_tables libcrc32c nfnetlink dm_multipath tg3 rpcrdma sunrpc rdma_ucm ib_srpt ib_isert iscsi_target_mod target_core_mod ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm intel_rapl_msr iTCO_wdt iTCO_vendor_support dcdbas intel_rapl_common sb_edac x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel ipmi_ssif kvm irqbypass crct10dif_pclmul crc32_pclmul mlx5_ib ghash_clmulni_intel ib_uverbs rapl intel_cstate intel_uncore ib_core ipmi_si joydev mei_me pcspkr ipmi_devintf mei lpc_ich wmi ipmi_msghandler acpi_power_meter ex\n---truncated---", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:12:15.244Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/787d81d4eb150e443e5d1276c6e8f03cfecc2302", }, { url: "https://git.kernel.org/stable/c/5b566d09ab1b975566a53f9c5466ee260d087582", }, { url: "https://git.kernel.org/stable/c/899d2a05dc14733cfba6224083c6b0dd5a738590", }, ], title: "nvme: fix SRCU protection of nvme_ns_head list", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-49003", datePublished: "2024-10-21T20:06:16.737Z", dateReserved: "2024-08-22T01:27:53.642Z", dateUpdated: "2024-12-19T08:12:15.244Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47687
Vulnerability from cvelistv5
Published
2024-10-21 11:53
Modified
2024-12-19 09:26
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
vdpa/mlx5: Fix invalid mr resource destroy
Certain error paths from mlx5_vdpa_dev_add() can end up releasing mr
resources which never got initialized in the first place.
This patch adds the missing check in mlx5_vdpa_destroy_mr_resources()
to block releasing non-initialized mr resources.
Reference trace:
mlx5_core 0000:08:00.2: mlx5_vdpa_dev_add:3274:(pid 2700) warning: No mac address provisioned?
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 140216067 P4D 0
Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 8 PID: 2700 Comm: vdpa Kdump: loaded Not tainted 5.14.0-496.el9.x86_64 #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:vhost_iotlb_del_range+0xf/0xe0 [vhost_iotlb]
Code: [...]
RSP: 0018:ff1c823ac23077f0 EFLAGS: 00010246
RAX: ffffffffc1a21a60 RBX: ffffffff899567a0 RCX: 0000000000000000
RDX: ffffffffffffffff RSI: 0000000000000000 RDI: 0000000000000000
RBP: ff1bda1f7c21e800 R08: 0000000000000000 R09: ff1c823ac2307670
R10: ff1c823ac2307668 R11: ffffffff8a9e7b68 R12: 0000000000000000
R13: 0000000000000000 R14: ff1bda1f43e341a0 R15: 00000000ffffffea
FS: 00007f56eba7c740(0000) GS:ff1bda269f800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000104d90001 CR4: 0000000000771ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
? show_trace_log_lvl+0x1c4/0x2df
? show_trace_log_lvl+0x1c4/0x2df
? mlx5_vdpa_free+0x3d/0x150 [mlx5_vdpa]
? __die_body.cold+0x8/0xd
? page_fault_oops+0x134/0x170
? __irq_work_queue_local+0x2b/0xc0
? irq_work_queue+0x2c/0x50
? exc_page_fault+0x62/0x150
? asm_exc_page_fault+0x22/0x30
? __pfx_mlx5_vdpa_free+0x10/0x10 [mlx5_vdpa]
? vhost_iotlb_del_range+0xf/0xe0 [vhost_iotlb]
mlx5_vdpa_free+0x3d/0x150 [mlx5_vdpa]
vdpa_release_dev+0x1e/0x50 [vdpa]
device_release+0x31/0x90
kobject_cleanup+0x37/0x130
mlx5_vdpa_dev_add+0x2d2/0x7a0 [mlx5_vdpa]
vdpa_nl_cmd_dev_add_set_doit+0x277/0x4c0 [vdpa]
genl_family_rcv_msg_doit+0xd9/0x130
genl_family_rcv_msg+0x14d/0x220
? __pfx_vdpa_nl_cmd_dev_add_set_doit+0x10/0x10 [vdpa]
? _copy_to_user+0x1a/0x30
? move_addr_to_user+0x4b/0xe0
genl_rcv_msg+0x47/0xa0
? __import_iovec+0x46/0x150
? __pfx_genl_rcv_msg+0x10/0x10
netlink_rcv_skb+0x54/0x100
genl_rcv+0x24/0x40
netlink_unicast+0x245/0x370
netlink_sendmsg+0x206/0x440
__sys_sendto+0x1dc/0x1f0
? do_read_fault+0x10c/0x1d0
? do_pte_missing+0x10d/0x190
__x64_sys_sendto+0x20/0x30
do_syscall_64+0x5c/0xf0
? __count_memcg_events+0x4f/0xb0
? mm_account_fault+0x6c/0x100
? handle_mm_fault+0x116/0x270
? do_user_addr_fault+0x1d6/0x6a0
? do_syscall_64+0x6b/0xf0
? clear_bhb_loop+0x25/0x80
? clear_bhb_loop+0x25/0x80
? clear_bhb_loop+0x25/0x80
? clear_bhb_loop+0x25/0x80
? clear_bhb_loop+0x25/0x80
entry_SYSCALL_64_after_hwframe+0x78/0x80
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47687", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:06:29.452318Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:14:15.726Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/vdpa/mlx5/core/mr.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "b6fbb1c7801f46a0e5461c02904eab0d7535c790", status: "affected", version: "512c0cdd80c19ec11f6dbe769d5899dcfefcd5c9", versionType: "git", }, { lessThan: "5fe351def237df1ad29aa8af574350bc5340b4cf", status: "affected", version: "512c0cdd80c19ec11f6dbe769d5899dcfefcd5c9", versionType: "git", }, { lessThan: "dc12502905b7a3de9097ea6b98870470c2921e09", status: "affected", version: "512c0cdd80c19ec11f6dbe769d5899dcfefcd5c9", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/vdpa/mlx5/core/mr.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.7", }, { lessThan: "6.7", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nvdpa/mlx5: Fix invalid mr resource destroy\n\nCertain error paths from mlx5_vdpa_dev_add() can end up releasing mr\nresources which never got initialized in the first place.\n\nThis patch adds the missing check in mlx5_vdpa_destroy_mr_resources()\nto block releasing non-initialized mr resources.\n\nReference trace:\n\n mlx5_core 0000:08:00.2: mlx5_vdpa_dev_add:3274:(pid 2700) warning: No mac address provisioned?\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 140216067 P4D 0\n Oops: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 8 PID: 2700 Comm: vdpa Kdump: loaded Not tainted 5.14.0-496.el9.x86_64 #1\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n RIP: 0010:vhost_iotlb_del_range+0xf/0xe0 [vhost_iotlb]\n Code: [...]\n RSP: 0018:ff1c823ac23077f0 EFLAGS: 00010246\n RAX: ffffffffc1a21a60 RBX: ffffffff899567a0 RCX: 0000000000000000\n RDX: ffffffffffffffff RSI: 0000000000000000 RDI: 0000000000000000\n RBP: ff1bda1f7c21e800 R08: 0000000000000000 R09: ff1c823ac2307670\n R10: ff1c823ac2307668 R11: ffffffff8a9e7b68 R12: 0000000000000000\n R13: 0000000000000000 R14: ff1bda1f43e341a0 R15: 00000000ffffffea\n FS: 00007f56eba7c740(0000) GS:ff1bda269f800000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 0000000104d90001 CR4: 0000000000771ef0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n PKRU: 55555554\n Call Trace:\n\n ? show_trace_log_lvl+0x1c4/0x2df\n ? show_trace_log_lvl+0x1c4/0x2df\n ? mlx5_vdpa_free+0x3d/0x150 [mlx5_vdpa]\n ? __die_body.cold+0x8/0xd\n ? page_fault_oops+0x134/0x170\n ? __irq_work_queue_local+0x2b/0xc0\n ? irq_work_queue+0x2c/0x50\n ? exc_page_fault+0x62/0x150\n ? asm_exc_page_fault+0x22/0x30\n ? __pfx_mlx5_vdpa_free+0x10/0x10 [mlx5_vdpa]\n ? vhost_iotlb_del_range+0xf/0xe0 [vhost_iotlb]\n mlx5_vdpa_free+0x3d/0x150 [mlx5_vdpa]\n vdpa_release_dev+0x1e/0x50 [vdpa]\n device_release+0x31/0x90\n kobject_cleanup+0x37/0x130\n mlx5_vdpa_dev_add+0x2d2/0x7a0 [mlx5_vdpa]\n vdpa_nl_cmd_dev_add_set_doit+0x277/0x4c0 [vdpa]\n genl_family_rcv_msg_doit+0xd9/0x130\n genl_family_rcv_msg+0x14d/0x220\n ? __pfx_vdpa_nl_cmd_dev_add_set_doit+0x10/0x10 [vdpa]\n ? _copy_to_user+0x1a/0x30\n ? move_addr_to_user+0x4b/0xe0\n genl_rcv_msg+0x47/0xa0\n ? __import_iovec+0x46/0x150\n ? __pfx_genl_rcv_msg+0x10/0x10\n netlink_rcv_skb+0x54/0x100\n genl_rcv+0x24/0x40\n netlink_unicast+0x245/0x370\n netlink_sendmsg+0x206/0x440\n __sys_sendto+0x1dc/0x1f0\n ? do_read_fault+0x10c/0x1d0\n ? do_pte_missing+0x10d/0x190\n __x64_sys_sendto+0x20/0x30\n do_syscall_64+0x5c/0xf0\n ? __count_memcg_events+0x4f/0xb0\n ? mm_account_fault+0x6c/0x100\n ? handle_mm_fault+0x116/0x270\n ? do_user_addr_fault+0x1d6/0x6a0\n ? do_syscall_64+0x6b/0xf0\n ? clear_bhb_loop+0x25/0x80\n ? clear_bhb_loop+0x25/0x80\n ? clear_bhb_loop+0x25/0x80\n ? clear_bhb_loop+0x25/0x80\n ? clear_bhb_loop+0x25/0x80\n entry_SYSCALL_64_after_hwframe+0x78/0x80", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:26:05.981Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/b6fbb1c7801f46a0e5461c02904eab0d7535c790", }, { url: "https://git.kernel.org/stable/c/5fe351def237df1ad29aa8af574350bc5340b4cf", }, { url: "https://git.kernel.org/stable/c/dc12502905b7a3de9097ea6b98870470c2921e09", }, ], title: "vdpa/mlx5: Fix invalid mr resource destroy", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47687", datePublished: "2024-10-21T11:53:27.834Z", dateReserved: "2024-09-30T16:00:12.941Z", dateUpdated: "2024-12-19T09:26:05.981Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50010
Vulnerability from cvelistv5
Published
2024-10-21 18:54
Modified
2025-01-24 16:01
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
exec: don't WARN for racy path_noexec check
Both i_mode and noexec checks wrapped in WARN_ON stem from an artifact
of the previous implementation. They used to legitimately check for the
condition, but that got moved up in two commits:
633fb6ac3980 ("exec: move S_ISREG() check earlier")
0fd338b2d2cd ("exec: move path_noexec() check earlier")
Instead of being removed said checks are WARN_ON'ed instead, which
has some debug value.
However, the spurious path_noexec check is racy, resulting in
unwarranted warnings should someone race with setting the noexec flag.
One can note there is more to perm-checking whether execve is allowed
and none of the conditions are guaranteed to still hold after they were
tested for.
Additionally this does not validate whether the code path did any perm
checking to begin with -- it will pass if the inode happens to be
regular.
Keep the redundant path_noexec() check even though it's mindless
nonsense checking for guarantee that isn't given so drop the WARN.
Reword the commentary and do small tidy ups while here.
[brauner: keep redundant path_noexec() check]
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50010", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:28:46.297827Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:39.816Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/exec.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "c9b77438077d5a20c79ead95bcdaf9bd4797baaf", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "b723f96407a0a078cf75970e4dbf16b46d286a61", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "0bdf77be2330062b3a64f2bec39f62ab874a6796", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "0d16f53c91111cec914f0811fcc526a2ba77b20d", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "0d196e7589cefe207d5d41f37a0a28a1fdeeb7c6", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/exec.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.229", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.170", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.115", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.59", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nexec: don't WARN for racy path_noexec check\n\nBoth i_mode and noexec checks wrapped in WARN_ON stem from an artifact\nof the previous implementation. They used to legitimately check for the\ncondition, but that got moved up in two commits:\n633fb6ac3980 (\"exec: move S_ISREG() check earlier\")\n0fd338b2d2cd (\"exec: move path_noexec() check earlier\")\n\nInstead of being removed said checks are WARN_ON'ed instead, which\nhas some debug value.\n\nHowever, the spurious path_noexec check is racy, resulting in\nunwarranted warnings should someone race with setting the noexec flag.\n\nOne can note there is more to perm-checking whether execve is allowed\nand none of the conditions are guaranteed to still hold after they were\ntested for.\n\nAdditionally this does not validate whether the code path did any perm\nchecking to begin with -- it will pass if the inode happens to be\nregular.\n\nKeep the redundant path_noexec() check even though it's mindless\nnonsense checking for guarantee that isn't given so drop the WARN.\n\nReword the commentary and do small tidy ups while here.\n\n[brauner: keep redundant path_noexec() check]", }, ], providerMetadata: { dateUpdated: "2025-01-24T16:01:34.515Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/c9b77438077d5a20c79ead95bcdaf9bd4797baaf", }, { url: "https://git.kernel.org/stable/c/b723f96407a0a078cf75970e4dbf16b46d286a61", }, { url: "https://git.kernel.org/stable/c/0bdf77be2330062b3a64f2bec39f62ab874a6796", }, { url: "https://git.kernel.org/stable/c/0d16f53c91111cec914f0811fcc526a2ba77b20d", }, { url: "https://git.kernel.org/stable/c/0d196e7589cefe207d5d41f37a0a28a1fdeeb7c6", }, ], title: "exec: don't WARN for racy path_noexec check", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50010", datePublished: "2024-10-21T18:54:02.974Z", dateReserved: "2024-10-21T12:17:06.061Z", dateUpdated: "2025-01-24T16:01:34.515Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48998
Vulnerability from cvelistv5
Published
2024-10-21 20:06
Modified
2024-12-19 08:12
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
powerpc/bpf/32: Fix Oops on tail call tests
test_bpf tail call tests end up as:
test_bpf: #0 Tail call leaf jited:1 85 PASS
test_bpf: #1 Tail call 2 jited:1 111 PASS
test_bpf: #2 Tail call 3 jited:1 145 PASS
test_bpf: #3 Tail call 4 jited:1 170 PASS
test_bpf: #4 Tail call load/store leaf jited:1 190 PASS
test_bpf: #5 Tail call load/store jited:1
BUG: Unable to handle kernel data access on write at 0xf1b4e000
Faulting instruction address: 0xbe86b710
Oops: Kernel access of bad area, sig: 11 [#1]
BE PAGE_SIZE=4K MMU=Hash PowerMac
Modules linked in: test_bpf(+)
CPU: 0 PID: 97 Comm: insmod Not tainted 6.1.0-rc4+ #195
Hardware name: PowerMac3,1 750CL 0x87210 PowerMac
NIP: be86b710 LR: be857e88 CTR: be86b704
REGS: f1b4df20 TRAP: 0300 Not tainted (6.1.0-rc4+)
MSR: 00009032 <EE,ME,IR,DR,RI> CR: 28008242 XER: 00000000
DAR: f1b4e000 DSISR: 42000000
GPR00: 00000001 f1b4dfe0 c11d2280 00000000 00000000 00000000 00000002 00000000
GPR08: f1b4e000 be86b704 f1b4e000 00000000 00000000 100d816a f2440000 fe73baa8
GPR16: f2458000 00000000 c1941ae4 f1fe2248 00000045 c0de0000 f2458030 00000000
GPR24: 000003e8 0000000f f2458000 f1b4dc90 3e584b46 00000000 f24466a0 c1941a00
NIP [be86b710] 0xbe86b710
LR [be857e88] __run_one+0xec/0x264 [test_bpf]
Call Trace:
[f1b4dfe0] [00000002] 0x2 (unreliable)
Instruction dump:
XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
---[ end trace 0000000000000000 ]---
This is a tentative to write above the stack. The problem is encoutered
with tests added by commit 38608ee7b690 ("bpf, tests: Add load store
test case for tail call")
This happens because tail call is done to a BPF prog with a different
stack_depth. At the time being, the stack is kept as is when the caller
tail calls its callee. But at exit, the callee restores the stack based
on its own properties. Therefore here, at each run, r1 is erroneously
increased by 32 - 16 = 16 bytes.
This was done that way in order to pass the tail call count from caller
to callee through the stack. As powerpc32 doesn't have a red zone in
the stack, it was necessary the maintain the stack as is for the tail
call. But it was not anticipated that the BPF frame size could be
different.
Let's take a new approach. Use register r4 to carry the tail call count
during the tail call, and save it into the stack at function entry if
required. This means the input parameter must be in r3, which is more
correct as it is a 32 bits parameter, then tail call better match with
normal BPF function entry, the down side being that we move that input
parameter back and forth between r3 and r4. That can be optimised later.
Doing that also has the advantage of maximising the common parts between
tail calls and a normal function exit.
With the fix, tail call tests are now successfull:
test_bpf: #0 Tail call leaf jited:1 53 PASS
test_bpf: #1 Tail call 2 jited:1 115 PASS
test_bpf: #2 Tail call 3 jited:1 154 PASS
test_bpf: #3 Tail call 4 jited:1 165 PASS
test_bpf: #4 Tail call load/store leaf jited:1 101 PASS
test_bpf: #5 Tail call load/store jited:1 141 PASS
test_bpf: #6 Tail call error path, max count reached jited:1 994 PASS
test_bpf: #7 Tail call count preserved across function calls jited:1 140975 PASS
test_bpf: #8 Tail call error path, NULL target jited:1 110 PASS
test_bpf: #9 Tail call error path, index out of range jited:1 69 PASS
test_bpf: test_tail_calls: Summary: 10 PASSED, 0 FAILED, [10/10 JIT'ed]
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48998", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:15:34.218660Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:41.122Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "arch/powerpc/net/bpf_jit_comp32.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "747a6e547240baaaf41874d27333b87b87cfd24c", status: "affected", version: "51c66ad849a703d9bbfd7704c941827aed0fd9fd", versionType: "git", }, { lessThan: "89d21e259a94f7d5582ec675aa445f5a79f347e4", status: "affected", version: "51c66ad849a703d9bbfd7704c941827aed0fd9fd", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "arch/powerpc/net/bpf_jit_comp32.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.13", }, { lessThan: "5.13", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.12", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/bpf/32: Fix Oops on tail call tests\n\ntest_bpf tail call tests end up as:\n\n test_bpf: #0 Tail call leaf jited:1 85 PASS\n test_bpf: #1 Tail call 2 jited:1 111 PASS\n test_bpf: #2 Tail call 3 jited:1 145 PASS\n test_bpf: #3 Tail call 4 jited:1 170 PASS\n test_bpf: #4 Tail call load/store leaf jited:1 190 PASS\n test_bpf: #5 Tail call load/store jited:1\n BUG: Unable to handle kernel data access on write at 0xf1b4e000\n Faulting instruction address: 0xbe86b710\n Oops: Kernel access of bad area, sig: 11 [#1]\n BE PAGE_SIZE=4K MMU=Hash PowerMac\n Modules linked in: test_bpf(+)\n CPU: 0 PID: 97 Comm: insmod Not tainted 6.1.0-rc4+ #195\n Hardware name: PowerMac3,1 750CL 0x87210 PowerMac\n NIP: be86b710 LR: be857e88 CTR: be86b704\n REGS: f1b4df20 TRAP: 0300 Not tainted (6.1.0-rc4+)\n MSR: 00009032 <EE,ME,IR,DR,RI> CR: 28008242 XER: 00000000\n DAR: f1b4e000 DSISR: 42000000\n GPR00: 00000001 f1b4dfe0 c11d2280 00000000 00000000 00000000 00000002 00000000\n GPR08: f1b4e000 be86b704 f1b4e000 00000000 00000000 100d816a f2440000 fe73baa8\n GPR16: f2458000 00000000 c1941ae4 f1fe2248 00000045 c0de0000 f2458030 00000000\n GPR24: 000003e8 0000000f f2458000 f1b4dc90 3e584b46 00000000 f24466a0 c1941a00\n NIP [be86b710] 0xbe86b710\n LR [be857e88] __run_one+0xec/0x264 [test_bpf]\n Call Trace:\n [f1b4dfe0] [00000002] 0x2 (unreliable)\n Instruction dump:\n XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX\n XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX\n ---[ end trace 0000000000000000 ]---\n\nThis is a tentative to write above the stack. The problem is encoutered\nwith tests added by commit 38608ee7b690 (\"bpf, tests: Add load store\ntest case for tail call\")\n\nThis happens because tail call is done to a BPF prog with a different\nstack_depth. At the time being, the stack is kept as is when the caller\ntail calls its callee. But at exit, the callee restores the stack based\non its own properties. Therefore here, at each run, r1 is erroneously\nincreased by 32 - 16 = 16 bytes.\n\nThis was done that way in order to pass the tail call count from caller\nto callee through the stack. As powerpc32 doesn't have a red zone in\nthe stack, it was necessary the maintain the stack as is for the tail\ncall. But it was not anticipated that the BPF frame size could be\ndifferent.\n\nLet's take a new approach. Use register r4 to carry the tail call count\nduring the tail call, and save it into the stack at function entry if\nrequired. This means the input parameter must be in r3, which is more\ncorrect as it is a 32 bits parameter, then tail call better match with\nnormal BPF function entry, the down side being that we move that input\nparameter back and forth between r3 and r4. That can be optimised later.\n\nDoing that also has the advantage of maximising the common parts between\ntail calls and a normal function exit.\n\nWith the fix, tail call tests are now successfull:\n\n test_bpf: #0 Tail call leaf jited:1 53 PASS\n test_bpf: #1 Tail call 2 jited:1 115 PASS\n test_bpf: #2 Tail call 3 jited:1 154 PASS\n test_bpf: #3 Tail call 4 jited:1 165 PASS\n test_bpf: #4 Tail call load/store leaf jited:1 101 PASS\n test_bpf: #5 Tail call load/store jited:1 141 PASS\n test_bpf: #6 Tail call error path, max count reached jited:1 994 PASS\n test_bpf: #7 Tail call count preserved across function calls jited:1 140975 PASS\n test_bpf: #8 Tail call error path, NULL target jited:1 110 PASS\n test_bpf: #9 Tail call error path, index out of range jited:1 69 PASS\n test_bpf: test_tail_calls: Summary: 10 PASSED, 0 FAILED, [10/10 JIT'ed]", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:12:09.452Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/747a6e547240baaaf41874d27333b87b87cfd24c", }, { url: "https://git.kernel.org/stable/c/89d21e259a94f7d5582ec675aa445f5a79f347e4", }, ], title: "powerpc/bpf/32: Fix Oops on tail call tests", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48998", datePublished: "2024-10-21T20:06:13.440Z", dateReserved: "2024-08-22T01:27:53.637Z", dateUpdated: "2024-12-19T08:12:09.452Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49888
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:28
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix a sdiv overflow issue
Zac Ecob reported a problem where a bpf program may cause kernel crash due
to the following error:
Oops: divide error: 0000 [#1] PREEMPT SMP KASAN PTI
The failure is due to the below signed divide:
LLONG_MIN/-1 where LLONG_MIN equals to -9,223,372,036,854,775,808.
LLONG_MIN/-1 is supposed to give a positive number 9,223,372,036,854,775,808,
but it is impossible since for 64-bit system, the maximum positive
number is 9,223,372,036,854,775,807. On x86_64, LLONG_MIN/-1 will
cause a kernel exception. On arm64, the result for LLONG_MIN/-1 is
LLONG_MIN.
Further investigation found all the following sdiv/smod cases may trigger
an exception when bpf program is running on x86_64 platform:
- LLONG_MIN/-1 for 64bit operation
- INT_MIN/-1 for 32bit operation
- LLONG_MIN%-1 for 64bit operation
- INT_MIN%-1 for 32bit operation
where -1 can be an immediate or in a register.
On arm64, there are no exceptions:
- LLONG_MIN/-1 = LLONG_MIN
- INT_MIN/-1 = INT_MIN
- LLONG_MIN%-1 = 0
- INT_MIN%-1 = 0
where -1 can be an immediate or in a register.
Insn patching is needed to handle the above cases and the patched codes
produced results aligned with above arm64 result. The below are pseudo
codes to handle sdiv/smod exceptions including both divisor -1 and divisor 0
and the divisor is stored in a register.
sdiv:
tmp = rX
tmp += 1 /* [-1, 0] -> [0, 1]
if tmp >(unsigned) 1 goto L2
if tmp == 0 goto L1
rY = 0
L1:
rY = -rY;
goto L3
L2:
rY /= rX
L3:
smod:
tmp = rX
tmp += 1 /* [-1, 0] -> [0, 1]
if tmp >(unsigned) 1 goto L1
if tmp == 1 (is64 ? goto L2 : goto L3)
rY = 0;
goto L2
L1:
rY %= rX
L2:
goto L4 // only when !is64
L3:
wY = wY // only when !is64
L4:
[1] https://lore.kernel.org/bpf/tPJLTEh7S_DxFEqAI2Ji5MBSoZVg7_G-Py2iaZpAaWtM961fFTWtsnlzwvTbzBzaUzwQAoNATXKUlt0LZOFgnDcIyKCswAnAGdUF3LBrhGQ=@protonmail.com/
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49888", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:44:44.632925Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:49.455Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "kernel/bpf/verifier.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "4902a6a0dc593c82055fc8c9ada371bafe26c9cc", status: "affected", version: "ec0e2da95f72d4a46050a4d994e4fe471474fd80", versionType: "git", }, { lessThan: "d22e45a369afc7c28f11acfa5b5e8e478227ca5d", status: "affected", version: "ec0e2da95f72d4a46050a4d994e4fe471474fd80", versionType: "git", }, { lessThan: "7dd34d7b7dcf9309fc6224caf4dd5b35bedddcb7", status: "affected", version: "ec0e2da95f72d4a46050a4d994e4fe471474fd80", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "kernel/bpf/verifier.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.6", }, { lessThan: "6.6", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix a sdiv overflow issue\n\nZac Ecob reported a problem where a bpf program may cause kernel crash due\nto the following error:\n Oops: divide error: 0000 [#1] PREEMPT SMP KASAN PTI\n\nThe failure is due to the below signed divide:\n LLONG_MIN/-1 where LLONG_MIN equals to -9,223,372,036,854,775,808.\nLLONG_MIN/-1 is supposed to give a positive number 9,223,372,036,854,775,808,\nbut it is impossible since for 64-bit system, the maximum positive\nnumber is 9,223,372,036,854,775,807. On x86_64, LLONG_MIN/-1 will\ncause a kernel exception. On arm64, the result for LLONG_MIN/-1 is\nLLONG_MIN.\n\nFurther investigation found all the following sdiv/smod cases may trigger\nan exception when bpf program is running on x86_64 platform:\n - LLONG_MIN/-1 for 64bit operation\n - INT_MIN/-1 for 32bit operation\n - LLONG_MIN%-1 for 64bit operation\n - INT_MIN%-1 for 32bit operation\nwhere -1 can be an immediate or in a register.\n\nOn arm64, there are no exceptions:\n - LLONG_MIN/-1 = LLONG_MIN\n - INT_MIN/-1 = INT_MIN\n - LLONG_MIN%-1 = 0\n - INT_MIN%-1 = 0\nwhere -1 can be an immediate or in a register.\n\nInsn patching is needed to handle the above cases and the patched codes\nproduced results aligned with above arm64 result. The below are pseudo\ncodes to handle sdiv/smod exceptions including both divisor -1 and divisor 0\nand the divisor is stored in a register.\n\nsdiv:\n tmp = rX\n tmp += 1 /* [-1, 0] -> [0, 1]\n if tmp >(unsigned) 1 goto L2\n if tmp == 0 goto L1\n rY = 0\n L1:\n rY = -rY;\n goto L3\n L2:\n rY /= rX\n L3:\n\nsmod:\n tmp = rX\n tmp += 1 /* [-1, 0] -> [0, 1]\n if tmp >(unsigned) 1 goto L1\n if tmp == 1 (is64 ? goto L2 : goto L3)\n rY = 0;\n goto L2\n L1:\n rY %= rX\n L2:\n goto L4 // only when !is64\n L3:\n wY = wY // only when !is64\n L4:\n\n [1] https://lore.kernel.org/bpf/tPJLTEh7S_DxFEqAI2Ji5MBSoZVg7_G-Py2iaZpAaWtM961fFTWtsnlzwvTbzBzaUzwQAoNATXKUlt0LZOFgnDcIyKCswAnAGdUF3LBrhGQ=@protonmail.com/", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:28:24.923Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/4902a6a0dc593c82055fc8c9ada371bafe26c9cc", }, { url: "https://git.kernel.org/stable/c/d22e45a369afc7c28f11acfa5b5e8e478227ca5d", }, { url: "https://git.kernel.org/stable/c/7dd34d7b7dcf9309fc6224caf4dd5b35bedddcb7", }, ], title: "bpf: Fix a sdiv overflow issue", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49888", datePublished: "2024-10-21T18:01:24.235Z", dateReserved: "2024-10-21T12:17:06.022Z", dateUpdated: "2024-12-19T09:28:24.923Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-49025
Vulnerability from cvelistv5
Published
2024-10-21 20:06
Modified
2024-12-19 08:12
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: Fix use-after-free when reverting termination table
When having multiple dests with termination tables and second one
or afterwards fails the driver reverts usage of term tables but
doesn't reset the assignment in attr->dests[num_vport_dests].termtbl
which case a use-after-free when releasing the rule.
Fix by resetting the assignment of termtbl to null.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 10caabdaad5ace85577a453da97d1f8d3b944427 Version: 10caabdaad5ace85577a453da97d1f8d3b944427 Version: 10caabdaad5ace85577a453da97d1f8d3b944427 Version: 10caabdaad5ace85577a453da97d1f8d3b944427 Version: 10caabdaad5ace85577a453da97d1f8d3b944427 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-49025", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:12:03.785297Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:36.599Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads_termtbl.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "0a2d73a77060c3cbdc6e801cd5d979d674cd404b", status: "affected", version: "10caabdaad5ace85577a453da97d1f8d3b944427", versionType: "git", }, { lessThan: "0d2f9d95d9fbe993f3c4bafb87d59897b0325aff", status: "affected", version: "10caabdaad5ace85577a453da97d1f8d3b944427", versionType: "git", }, { lessThan: "372eb550faa0757349040fd43f59483cbfdb2c0b", status: "affected", version: "10caabdaad5ace85577a453da97d1f8d3b944427", versionType: "git", }, { lessThan: "e6d2d26a49c3a9cd46b232975e45236304810904", status: "affected", version: "10caabdaad5ace85577a453da97d1f8d3b944427", versionType: "git", }, { lessThan: "52c795af04441d76f565c4634f893e5b553df2ae", status: "affected", version: "10caabdaad5ace85577a453da97d1f8d3b944427", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads_termtbl.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.3", }, { lessThan: "5.3", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.226", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.158", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.82", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.12", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix use-after-free when reverting termination table\n\nWhen having multiple dests with termination tables and second one\nor afterwards fails the driver reverts usage of term tables but\ndoesn't reset the assignment in attr->dests[num_vport_dests].termtbl\nwhich case a use-after-free when releasing the rule.\nFix by resetting the assignment of termtbl to null.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:12:40.440Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/0a2d73a77060c3cbdc6e801cd5d979d674cd404b", }, { url: "https://git.kernel.org/stable/c/0d2f9d95d9fbe993f3c4bafb87d59897b0325aff", }, { url: "https://git.kernel.org/stable/c/372eb550faa0757349040fd43f59483cbfdb2c0b", }, { url: "https://git.kernel.org/stable/c/e6d2d26a49c3a9cd46b232975e45236304810904", }, { url: "https://git.kernel.org/stable/c/52c795af04441d76f565c4634f893e5b553df2ae", }, ], title: "net/mlx5e: Fix use-after-free when reverting termination table", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-49025", datePublished: "2024-10-21T20:06:31.189Z", dateReserved: "2024-08-22T01:27:53.650Z", dateUpdated: "2024-12-19T08:12:40.440Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49956
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-19 09:30
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
gfs2: fix double destroy_workqueue error
When gfs2_fill_super() fails, destroy_workqueue() is called within
gfs2_gl_hash_clear(), and the subsequent code path calls
destroy_workqueue() on the same work queue again.
This issue can be fixed by setting the work queue pointer to NULL after
the first destroy_workqueue() call and checking for a NULL pointer
before attempting to destroy the work queue again.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49956", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:35:44.463461Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:48.390Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/gfs2/glock.c", "fs/gfs2/ops_fstype.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "a5336035728d77efd76306940d742a6f23debe68", status: "affected", version: "30e388d573673474cbd089dec83688331c117add", versionType: "git", }, { lessThan: "6cb9df81a2c462b89d2f9611009ab43ae8717841", status: "affected", version: "30e388d573673474cbd089dec83688331c117add", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/gfs2/glock.c", "fs/gfs2/ops_fstype.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.11", }, { lessThan: "6.11", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: fix double destroy_workqueue error\n\nWhen gfs2_fill_super() fails, destroy_workqueue() is called within\ngfs2_gl_hash_clear(), and the subsequent code path calls\ndestroy_workqueue() on the same work queue again.\n\nThis issue can be fixed by setting the work queue pointer to NULL after\nthe first destroy_workqueue() call and checking for a NULL pointer\nbefore attempting to destroy the work queue again.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:30:07.335Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/a5336035728d77efd76306940d742a6f23debe68", }, { url: "https://git.kernel.org/stable/c/6cb9df81a2c462b89d2f9611009ab43ae8717841", }, ], title: "gfs2: fix double destroy_workqueue error", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49956", datePublished: "2024-10-21T18:02:10.385Z", dateReserved: "2024-10-21T12:17:06.048Z", dateUpdated: "2024-12-19T09:30:07.335Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49852
Vulnerability from cvelistv5
Published
2024-10-21 12:18
Modified
2024-12-19 09:27
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: elx: libefc: Fix potential use after free in efc_nport_vport_del()
The kref_put() function will call nport->release if the refcount drops to
zero. The nport->release release function is _efc_nport_free() which frees
"nport". But then we dereference "nport" on the next line which is a use
after free. Re-order these lines to avoid the use after free.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: fcd427303eb90aa3cb08e7e0b68e0e67a6d47346 Version: fcd427303eb90aa3cb08e7e0b68e0e67a6d47346 Version: fcd427303eb90aa3cb08e7e0b68e0e67a6d47346 Version: fcd427303eb90aa3cb08e7e0b68e0e67a6d47346 Version: fcd427303eb90aa3cb08e7e0b68e0e67a6d47346 Version: fcd427303eb90aa3cb08e7e0b68e0e67a6d47346 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49852", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T12:56:47.269710Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:11.737Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/scsi/elx/libefc/efc_nport.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "16a570f07d870a285b0c0b0d1ca4dff79e8aa5ff", status: "affected", version: "fcd427303eb90aa3cb08e7e0b68e0e67a6d47346", versionType: "git", }, { lessThan: "abc71e89170ed32ecf0a5a29f31aa711e143e941", status: "affected", version: "fcd427303eb90aa3cb08e7e0b68e0e67a6d47346", versionType: "git", }, { lessThan: "baeb8628ab7f4577740f00e439d3fdf7c876b0ff", status: "affected", version: "fcd427303eb90aa3cb08e7e0b68e0e67a6d47346", versionType: "git", }, { lessThan: "7c2908985e4ae0ea1b526b3916de9e5351650908", status: "affected", version: "fcd427303eb90aa3cb08e7e0b68e0e67a6d47346", versionType: "git", }, { lessThan: "98752fcd076a8cbc978016eae7125b4971be1eec", status: "affected", version: "fcd427303eb90aa3cb08e7e0b68e0e67a6d47346", versionType: "git", }, { lessThan: "2e4b02fad094976763af08fec2c620f4f8edd9ae", status: "affected", version: "fcd427303eb90aa3cb08e7e0b68e0e67a6d47346", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/scsi/elx/libefc/efc_nport.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.14", }, { lessThan: "5.14", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: elx: libefc: Fix potential use after free in efc_nport_vport_del()\n\nThe kref_put() function will call nport->release if the refcount drops to\nzero. The nport->release release function is _efc_nport_free() which frees\n\"nport\". But then we dereference \"nport\" on the next line which is a use\nafter free. Re-order these lines to avoid the use after free.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:27:34.203Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/16a570f07d870a285b0c0b0d1ca4dff79e8aa5ff", }, { url: "https://git.kernel.org/stable/c/abc71e89170ed32ecf0a5a29f31aa711e143e941", }, { url: "https://git.kernel.org/stable/c/baeb8628ab7f4577740f00e439d3fdf7c876b0ff", }, { url: "https://git.kernel.org/stable/c/7c2908985e4ae0ea1b526b3916de9e5351650908", }, { url: "https://git.kernel.org/stable/c/98752fcd076a8cbc978016eae7125b4971be1eec", }, { url: "https://git.kernel.org/stable/c/2e4b02fad094976763af08fec2c620f4f8edd9ae", }, ], title: "scsi: elx: libefc: Fix potential use after free in efc_nport_vport_del()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49852", datePublished: "2024-10-21T12:18:45.418Z", dateReserved: "2024-10-21T12:17:06.016Z", dateUpdated: "2024-12-19T09:27:34.203Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50061
Vulnerability from cvelistv5
Published
2024-10-21 19:39
Modified
2025-01-15 12:24
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
i3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition
In the cdns_i3c_master_probe function, &master->hj_work is bound with
cdns_i3c_master_hj. And cdns_i3c_master_interrupt can call
cnds_i3c_master_demux_ibis function to start the work.
If we remove the module which will call cdns_i3c_master_remove to
make cleanup, it will free master->base through i3c_master_unregister
while the work mentioned above will be used. The sequence of operations
that may lead to a UAF bug is as follows:
CPU0 CPU1
| cdns_i3c_master_hj
cdns_i3c_master_remove |
i3c_master_unregister(&master->base) |
device_unregister(&master->dev) |
device_release |
//free master->base |
| i3c_master_do_daa(&master->base)
| //use master->base
Fix it by ensuring that the work is canceled before proceeding with
the cleanup in cdns_i3c_master_remove.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50061", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:22:52.478098Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:42.185Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/i3c/master/i3c-master-cdns.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "ea0256e393e0072e8c80fd941547807f0c28108b", status: "affected", version: "3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0", versionType: "git", }, { lessThan: "687016d6a1efbfacdd2af913e2108de6b75a28d5", status: "affected", version: "3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0", versionType: "git", }, { lessThan: "609366e7a06d035990df78f1562291c3bf0d4a12", status: "affected", version: "3a379bbcea0af6280e1ca0d1edfcf4e68cde6ee0", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/i3c/master/i3c-master-cdns.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.0", }, { lessThan: "5.0", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.57", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.4", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ni3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition\n\nIn the cdns_i3c_master_probe function, &master->hj_work is bound with\ncdns_i3c_master_hj. And cdns_i3c_master_interrupt can call\ncnds_i3c_master_demux_ibis function to start the work.\n\nIf we remove the module which will call cdns_i3c_master_remove to\nmake cleanup, it will free master->base through i3c_master_unregister\nwhile the work mentioned above will be used. The sequence of operations\nthat may lead to a UAF bug is as follows:\n\nCPU0 CPU1\n\n | cdns_i3c_master_hj\ncdns_i3c_master_remove |\ni3c_master_unregister(&master->base) |\ndevice_unregister(&master->dev) |\ndevice_release |\n//free master->base |\n | i3c_master_do_daa(&master->base)\n | //use master->base\n\nFix it by ensuring that the work is canceled before proceeding with\nthe cleanup in cdns_i3c_master_remove.", }, ], providerMetadata: { dateUpdated: "2025-01-15T12:24:41.279Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/ea0256e393e0072e8c80fd941547807f0c28108b", }, { url: "https://git.kernel.org/stable/c/687016d6a1efbfacdd2af913e2108de6b75a28d5", }, { url: "https://git.kernel.org/stable/c/609366e7a06d035990df78f1562291c3bf0d4a12", }, ], title: "i3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50061", datePublished: "2024-10-21T19:39:50.415Z", dateReserved: "2024-10-21T19:36:19.939Z", dateUpdated: "2025-01-15T12:24:41.279Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-49023
Vulnerability from cvelistv5
Published
2024-10-21 20:06
Modified
2024-12-19 08:12
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: cfg80211: fix buffer overflow in elem comparison
For vendor elements, the code here assumes that 5 octets
are present without checking. Since the element itself is
already checked to fit, we only need to check the length.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 0b8fb8235be8be99a197e8d948fc0a2df8dc261a Version: 0b8fb8235be8be99a197e8d948fc0a2df8dc261a Version: 0b8fb8235be8be99a197e8d948fc0a2df8dc261a Version: 0b8fb8235be8be99a197e8d948fc0a2df8dc261a Version: 0b8fb8235be8be99a197e8d948fc0a2df8dc261a |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-49023", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:12:18.800355Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:36.843Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/wireless/scan.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "f5c2ec288a865dbe3706b09bed12302e9f6d696b", status: "affected", version: "0b8fb8235be8be99a197e8d948fc0a2df8dc261a", versionType: "git", }, { lessThan: "9e6b79a3cd17620d467311b30d56f2648f6880aa", status: "affected", version: "0b8fb8235be8be99a197e8d948fc0a2df8dc261a", versionType: "git", }, { lessThan: "88a6fe3707888bd1893e9741157a7035c4159ab6", status: "affected", version: "0b8fb8235be8be99a197e8d948fc0a2df8dc261a", versionType: "git", }, { lessThan: "391cb872553627bdcf236c03ee7d5adb275e37e1", status: "affected", version: "0b8fb8235be8be99a197e8d948fc0a2df8dc261a", versionType: "git", }, { lessThan: "9f16b5c82a025cd4c864737409234ddc44fb166a", status: "affected", version: "0b8fb8235be8be99a197e8d948fc0a2df8dc261a", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/wireless/scan.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.1", }, { lessThan: "5.1", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.226", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.158", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.82", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.12", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: fix buffer overflow in elem comparison\n\nFor vendor elements, the code here assumes that 5 octets\nare present without checking. Since the element itself is\nalready checked to fit, we only need to check the length.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:12:38.236Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/f5c2ec288a865dbe3706b09bed12302e9f6d696b", }, { url: "https://git.kernel.org/stable/c/9e6b79a3cd17620d467311b30d56f2648f6880aa", }, { url: "https://git.kernel.org/stable/c/88a6fe3707888bd1893e9741157a7035c4159ab6", }, { url: "https://git.kernel.org/stable/c/391cb872553627bdcf236c03ee7d5adb275e37e1", }, { url: "https://git.kernel.org/stable/c/9f16b5c82a025cd4c864737409234ddc44fb166a", }, ], title: "wifi: cfg80211: fix buffer overflow in elem comparison", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-49023", datePublished: "2024-10-21T20:06:29.901Z", dateReserved: "2024-08-22T01:27:53.649Z", dateUpdated: "2024-12-19T08:12:38.236Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47709
Vulnerability from cvelistv5
Published
2024-10-21 11:53
Modified
2024-12-19 09:26
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: bcm: Clear bo->bcm_proc_read after remove_proc_entry().
syzbot reported a warning in bcm_release(). [0]
The blamed change fixed another warning that is triggered when
connect() is issued again for a socket whose connect()ed device has
been unregistered.
However, if the socket is just close()d without the 2nd connect(), the
remaining bo->bcm_proc_read triggers unnecessary remove_proc_entry()
in bcm_release().
Let's clear bo->bcm_proc_read after remove_proc_entry() in bcm_notify().
[0]
name '4986'
WARNING: CPU: 0 PID: 5234 at fs/proc/generic.c:711 remove_proc_entry+0x2e7/0x5d0 fs/proc/generic.c:711
Modules linked in:
CPU: 0 UID: 0 PID: 5234 Comm: syz-executor606 Not tainted 6.11.0-rc5-syzkaller-00178-g5517ae241919 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
RIP: 0010:remove_proc_entry+0x2e7/0x5d0 fs/proc/generic.c:711
Code: ff eb 05 e8 cb 1e 5e ff 48 8b 5c 24 10 48 c7 c7 e0 f7 aa 8e e8 2a 38 8e 09 90 48 c7 c7 60 3a 1b 8c 48 89 de e8 da 42 20 ff 90 <0f> 0b 90 90 48 8b 44 24 18 48 c7 44 24 40 0e 36 e0 45 49 c7 04 07
RSP: 0018:ffffc9000345fa20 EFLAGS: 00010246
RAX: 2a2d0aee2eb64600 RBX: ffff888032f1f548 RCX: ffff888029431e00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc9000345fb08 R08: ffffffff8155b2f2 R09: 1ffff1101710519a
R10: dffffc0000000000 R11: ffffed101710519b R12: ffff888011d38640
R13: 0000000000000004 R14: 0000000000000000 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8880b8800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fcfb52722f0 CR3: 000000000e734000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
bcm_release+0x250/0x880 net/can/bcm.c:1578
__sock_release net/socket.c:659 [inline]
sock_close+0xbc/0x240 net/socket.c:1421
__fput+0x24a/0x8a0 fs/file_table.c:422
task_work_run+0x24f/0x310 kernel/task_work.c:228
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0xa2f/0x27f0 kernel/exit.c:882
do_group_exit+0x207/0x2c0 kernel/exit.c:1031
__do_sys_exit_group kernel/exit.c:1042 [inline]
__se_sys_exit_group kernel/exit.c:1040 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1040
x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fcfb51ee969
Code: Unable to access opcode bytes at 0x7fcfb51ee93f.
RSP: 002b:00007ffce0109ca8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fcfb51ee969
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
RBP: 00007fcfb526f3b0 R08: ffffffffffffffb8 R09: 0000555500000000
R10: 0000555500000000 R11: 0000000000000246 R12: 00007fcfb526f3b0
R13: 0000000000000000 R14: 00007fcfb5271ee0 R15: 00007fcfb51bf160
</TASK>
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 5c680022c4e28ba18ea500f3e29f0428271afa92 Version: 33ed4ba73caae39f34ab874ba79138badc2c65dd Version: aec92dbebdbec7567d9f56d7c9296a572b8fd849 Version: 10bfacbd5e8d821011d857bee73310457c9c989a Version: 3b39dc2901aa7a679a5ca981a3de9f8d5658afe8 Version: 4377b79323df62eb5d310354f19b4d130ff58d50 Version: abb0a615569ec008e8a93d9f3ab2d5b418ea94d4 Version: 76fe372ccb81b0c89b6cd2fec26e2f38c958be85 Version: 76fe372ccb81b0c89b6cd2fec26e2f38c958be85 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47709", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:03:30.318469Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:19.235Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/can/bcm.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "f5059fae5ed518fc56494ce5bdd4f5360de4b3bc", status: "affected", version: "5c680022c4e28ba18ea500f3e29f0428271afa92", versionType: "git", }, { lessThan: "a833da8eec20b51af39643faa7067b25c8b20f3e", status: "affected", version: "33ed4ba73caae39f34ab874ba79138badc2c65dd", versionType: "git", }, { lessThan: "5cc00913c1fdcab861c4e65fa20d1f1e1bbbf977", status: "affected", version: "aec92dbebdbec7567d9f56d7c9296a572b8fd849", versionType: "git", }, { lessThan: "9550baada4c8ef8cebefccc746384842820b4dff", status: "affected", version: "10bfacbd5e8d821011d857bee73310457c9c989a", versionType: "git", }, { lessThan: "7a145d6ec2124bdb94bd6fc436b342ff6ddf2b70", status: "affected", version: "3b39dc2901aa7a679a5ca981a3de9f8d5658afe8", versionType: "git", }, { lessThan: "c3d941cc734e0c8dc486c062926d5249070af5e4", status: "affected", version: "4377b79323df62eb5d310354f19b4d130ff58d50", versionType: "git", }, { lessThan: "770b463264426cc3c167b1d44efa85f6a526ce5b", status: "affected", version: "abb0a615569ec008e8a93d9f3ab2d5b418ea94d4", versionType: "git", }, { lessThan: "b02ed2f01240b226570b4a19b5041d61f5125784", status: "affected", version: "76fe372ccb81b0c89b6cd2fec26e2f38c958be85", versionType: "git", }, { lessThan: "94b0818fa63555a65f6ba107080659ea6bcca63e", status: "affected", version: "76fe372ccb81b0c89b6cd2fec26e2f38c958be85", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/can/bcm.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.11", }, { lessThan: "6.11", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: bcm: Clear bo->bcm_proc_read after remove_proc_entry().\n\nsyzbot reported a warning in bcm_release(). [0]\n\nThe blamed change fixed another warning that is triggered when\nconnect() is issued again for a socket whose connect()ed device has\nbeen unregistered.\n\nHowever, if the socket is just close()d without the 2nd connect(), the\nremaining bo->bcm_proc_read triggers unnecessary remove_proc_entry()\nin bcm_release().\n\nLet's clear bo->bcm_proc_read after remove_proc_entry() in bcm_notify().\n\n[0]\nname '4986'\nWARNING: CPU: 0 PID: 5234 at fs/proc/generic.c:711 remove_proc_entry+0x2e7/0x5d0 fs/proc/generic.c:711\nModules linked in:\nCPU: 0 UID: 0 PID: 5234 Comm: syz-executor606 Not tainted 6.11.0-rc5-syzkaller-00178-g5517ae241919 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024\nRIP: 0010:remove_proc_entry+0x2e7/0x5d0 fs/proc/generic.c:711\nCode: ff eb 05 e8 cb 1e 5e ff 48 8b 5c 24 10 48 c7 c7 e0 f7 aa 8e e8 2a 38 8e 09 90 48 c7 c7 60 3a 1b 8c 48 89 de e8 da 42 20 ff 90 <0f> 0b 90 90 48 8b 44 24 18 48 c7 44 24 40 0e 36 e0 45 49 c7 04 07\nRSP: 0018:ffffc9000345fa20 EFLAGS: 00010246\nRAX: 2a2d0aee2eb64600 RBX: ffff888032f1f548 RCX: ffff888029431e00\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: ffffc9000345fb08 R08: ffffffff8155b2f2 R09: 1ffff1101710519a\nR10: dffffc0000000000 R11: ffffed101710519b R12: ffff888011d38640\nR13: 0000000000000004 R14: 0000000000000000 R15: dffffc0000000000\nFS: 0000000000000000(0000) GS:ffff8880b8800000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fcfb52722f0 CR3: 000000000e734000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n bcm_release+0x250/0x880 net/can/bcm.c:1578\n __sock_release net/socket.c:659 [inline]\n sock_close+0xbc/0x240 net/socket.c:1421\n __fput+0x24a/0x8a0 fs/file_table.c:422\n task_work_run+0x24f/0x310 kernel/task_work.c:228\n exit_task_work include/linux/task_work.h:40 [inline]\n do_exit+0xa2f/0x27f0 kernel/exit.c:882\n do_group_exit+0x207/0x2c0 kernel/exit.c:1031\n __do_sys_exit_group kernel/exit.c:1042 [inline]\n __se_sys_exit_group kernel/exit.c:1040 [inline]\n __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1040\n x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fcfb51ee969\nCode: Unable to access opcode bytes at 0x7fcfb51ee93f.\nRSP: 002b:00007ffce0109ca8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7\nRAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fcfb51ee969\nRDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001\nRBP: 00007fcfb526f3b0 R08: ffffffffffffffb8 R09: 0000555500000000\nR10: 0000555500000000 R11: 0000000000000246 R12: 00007fcfb526f3b0\nR13: 0000000000000000 R14: 00007fcfb5271ee0 R15: 00007fcfb51bf160\n </TASK>", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:26:33.199Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/f5059fae5ed518fc56494ce5bdd4f5360de4b3bc", }, { url: "https://git.kernel.org/stable/c/a833da8eec20b51af39643faa7067b25c8b20f3e", }, { url: "https://git.kernel.org/stable/c/5cc00913c1fdcab861c4e65fa20d1f1e1bbbf977", }, { url: "https://git.kernel.org/stable/c/9550baada4c8ef8cebefccc746384842820b4dff", }, { url: "https://git.kernel.org/stable/c/7a145d6ec2124bdb94bd6fc436b342ff6ddf2b70", }, { url: "https://git.kernel.org/stable/c/c3d941cc734e0c8dc486c062926d5249070af5e4", }, { url: "https://git.kernel.org/stable/c/770b463264426cc3c167b1d44efa85f6a526ce5b", }, { url: "https://git.kernel.org/stable/c/b02ed2f01240b226570b4a19b5041d61f5125784", }, { url: "https://git.kernel.org/stable/c/94b0818fa63555a65f6ba107080659ea6bcca63e", }, ], title: "can: bcm: Clear bo->bcm_proc_read after remove_proc_entry().", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47709", datePublished: "2024-10-21T11:53:42.749Z", dateReserved: "2024-09-30T16:00:12.947Z", dateUpdated: "2024-12-19T09:26:33.199Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50029
Vulnerability from cvelistv5
Published
2024-10-21 19:39
Modified
2024-12-19 09:31
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_conn: Fix UAF in hci_enhanced_setup_sync
This checks if the ACL connection remains valid as it could be destroyed
while hci_enhanced_setup_sync is pending on cmd_sync leading to the
following trace:
BUG: KASAN: slab-use-after-free in hci_enhanced_setup_sync+0x91b/0xa60
Read of size 1 at addr ffff888002328ffd by task kworker/u5:2/37
CPU: 0 UID: 0 PID: 37 Comm: kworker/u5:2 Not tainted 6.11.0-rc6-01300-g810be445d8d6 #7099
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
<TASK>
dump_stack_lvl+0x5d/0x80
? hci_enhanced_setup_sync+0x91b/0xa60
print_report+0x152/0x4c0
? hci_enhanced_setup_sync+0x91b/0xa60
? __virt_addr_valid+0x1fa/0x420
? hci_enhanced_setup_sync+0x91b/0xa60
kasan_report+0xda/0x1b0
? hci_enhanced_setup_sync+0x91b/0xa60
hci_enhanced_setup_sync+0x91b/0xa60
? __pfx_hci_enhanced_setup_sync+0x10/0x10
? __pfx___mutex_lock+0x10/0x10
hci_cmd_sync_work+0x1c2/0x330
process_one_work+0x7d9/0x1360
? __pfx_lock_acquire+0x10/0x10
? __pfx_process_one_work+0x10/0x10
? assign_work+0x167/0x240
worker_thread+0x5b7/0xf60
? __kthread_parkme+0xac/0x1c0
? __pfx_worker_thread+0x10/0x10
? __pfx_worker_thread+0x10/0x10
kthread+0x293/0x360
? __pfx_kthread+0x10/0x10
ret_from_fork+0x2f/0x70
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
</TASK>
Allocated by task 34:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
__kasan_kmalloc+0x8f/0xa0
__hci_conn_add+0x187/0x17d0
hci_connect_sco+0x2e1/0xb90
sco_sock_connect+0x2a2/0xb80
__sys_connect+0x227/0x2a0
__x64_sys_connect+0x6d/0xb0
do_syscall_64+0x71/0x140
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Freed by task 37:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
kasan_save_free_info+0x3b/0x60
__kasan_slab_free+0x101/0x160
kfree+0xd0/0x250
device_release+0x9a/0x210
kobject_put+0x151/0x280
hci_conn_del+0x448/0xbf0
hci_abort_conn_sync+0x46f/0x980
hci_cmd_sync_work+0x1c2/0x330
process_one_work+0x7d9/0x1360
worker_thread+0x5b7/0xf60
kthread+0x293/0x360
ret_from_fork+0x2f/0x70
ret_from_fork_asm+0x1a/0x30
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50029", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:26:20.682749Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:46.027Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/bluetooth/hci_conn.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "867639300759e3e1c5b1e1a5ff89231f263a32a7", status: "affected", version: "e07a06b4eb417f5271d33ce2240e93c62d98b7b4", versionType: "git", }, { lessThan: "98ccd44002d88cbf4edfc4480df532a3da5a013e", status: "affected", version: "e07a06b4eb417f5271d33ce2240e93c62d98b7b4", versionType: "git", }, { lessThan: "18fd04ad856df07733f5bb07e7f7168e7443d393", status: "affected", version: "e07a06b4eb417f5271d33ce2240e93c62d98b7b4", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/bluetooth/hci_conn.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.1", }, { lessThan: "6.1", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.57", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.4", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_conn: Fix UAF in hci_enhanced_setup_sync\n\nThis checks if the ACL connection remains valid as it could be destroyed\nwhile hci_enhanced_setup_sync is pending on cmd_sync leading to the\nfollowing trace:\n\nBUG: KASAN: slab-use-after-free in hci_enhanced_setup_sync+0x91b/0xa60\nRead of size 1 at addr ffff888002328ffd by task kworker/u5:2/37\n\nCPU: 0 UID: 0 PID: 37 Comm: kworker/u5:2 Not tainted 6.11.0-rc6-01300-g810be445d8d6 #7099\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014\nWorkqueue: hci0 hci_cmd_sync_work\nCall Trace:\n <TASK>\n dump_stack_lvl+0x5d/0x80\n ? hci_enhanced_setup_sync+0x91b/0xa60\n print_report+0x152/0x4c0\n ? hci_enhanced_setup_sync+0x91b/0xa60\n ? __virt_addr_valid+0x1fa/0x420\n ? hci_enhanced_setup_sync+0x91b/0xa60\n kasan_report+0xda/0x1b0\n ? hci_enhanced_setup_sync+0x91b/0xa60\n hci_enhanced_setup_sync+0x91b/0xa60\n ? __pfx_hci_enhanced_setup_sync+0x10/0x10\n ? __pfx___mutex_lock+0x10/0x10\n hci_cmd_sync_work+0x1c2/0x330\n process_one_work+0x7d9/0x1360\n ? __pfx_lock_acquire+0x10/0x10\n ? __pfx_process_one_work+0x10/0x10\n ? assign_work+0x167/0x240\n worker_thread+0x5b7/0xf60\n ? __kthread_parkme+0xac/0x1c0\n ? __pfx_worker_thread+0x10/0x10\n ? __pfx_worker_thread+0x10/0x10\n kthread+0x293/0x360\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x2f/0x70\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n </TASK>\n\nAllocated by task 34:\n kasan_save_stack+0x30/0x50\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0x8f/0xa0\n __hci_conn_add+0x187/0x17d0\n hci_connect_sco+0x2e1/0xb90\n sco_sock_connect+0x2a2/0xb80\n __sys_connect+0x227/0x2a0\n __x64_sys_connect+0x6d/0xb0\n do_syscall_64+0x71/0x140\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nFreed by task 37:\n kasan_save_stack+0x30/0x50\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3b/0x60\n __kasan_slab_free+0x101/0x160\n kfree+0xd0/0x250\n device_release+0x9a/0x210\n kobject_put+0x151/0x280\n hci_conn_del+0x448/0xbf0\n hci_abort_conn_sync+0x46f/0x980\n hci_cmd_sync_work+0x1c2/0x330\n process_one_work+0x7d9/0x1360\n worker_thread+0x5b7/0xf60\n kthread+0x293/0x360\n ret_from_fork+0x2f/0x70\n ret_from_fork_asm+0x1a/0x30", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:31:40.982Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/867639300759e3e1c5b1e1a5ff89231f263a32a7", }, { url: "https://git.kernel.org/stable/c/98ccd44002d88cbf4edfc4480df532a3da5a013e", }, { url: "https://git.kernel.org/stable/c/18fd04ad856df07733f5bb07e7f7168e7443d393", }, ], title: "Bluetooth: hci_conn: Fix UAF in hci_enhanced_setup_sync", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50029", datePublished: "2024-10-21T19:39:32.459Z", dateReserved: "2024-10-21T12:17:06.067Z", dateUpdated: "2024-12-19T09:31:40.982Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47708
Vulnerability from cvelistv5
Published
2024-10-21 11:53
Modified
2024-12-19 09:26
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netkit: Assign missing bpf_net_context
During the introduction of struct bpf_net_context handling for
XDP-redirect, the netkit driver has been missed, which also requires it
because NETKIT_REDIRECT invokes skb_do_redirect() which is accessing the
per-CPU variables. Otherwise we see the following crash:
BUG: kernel NULL pointer dereference, address: 0000000000000038
bpf_redirect()
netkit_xmit()
dev_hard_start_xmit()
Set the bpf_net_context before invoking netkit_xmit() program within the
netkit driver.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47708", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:03:38.371923Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:19.377Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/netkit.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "182c6fed8c7f62cddce0126ec1fc0da2b700fb11", status: "affected", version: "401cb7dae8130fd34eb84648e02ab4c506df7d5e", versionType: "git", }, { lessThan: "157f29152b61ca41809dd7ead29f5733adeced19", status: "affected", version: "401cb7dae8130fd34eb84648e02ab4c506df7d5e", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/netkit.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.11", }, { lessThan: "6.11", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnetkit: Assign missing bpf_net_context\n\nDuring the introduction of struct bpf_net_context handling for\nXDP-redirect, the netkit driver has been missed, which also requires it\nbecause NETKIT_REDIRECT invokes skb_do_redirect() which is accessing the\nper-CPU variables. Otherwise we see the following crash:\n\n\tBUG: kernel NULL pointer dereference, address: 0000000000000038\n\tbpf_redirect()\n\tnetkit_xmit()\n\tdev_hard_start_xmit()\n\nSet the bpf_net_context before invoking netkit_xmit() program within the\nnetkit driver.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:26:31.869Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/182c6fed8c7f62cddce0126ec1fc0da2b700fb11", }, { url: "https://git.kernel.org/stable/c/157f29152b61ca41809dd7ead29f5733adeced19", }, ], title: "netkit: Assign missing bpf_net_context", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47708", datePublished: "2024-10-21T11:53:42.086Z", dateReserved: "2024-09-30T16:00:12.947Z", dateUpdated: "2024-12-19T09:26:31.869Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50030
Vulnerability from cvelistv5
Published
2024-10-21 19:39
Modified
2024-12-19 09:31
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/xe/ct: prevent UAF in send_recv()
Ensure we serialize with completion side to prevent UAF with fence going
out of scope on the stack, since we have no clue if it will fire after
the timeout before we can erase from the xa. Also we have some dependent
loads and stores for which we need the correct ordering, and we lack the
needed barriers. Fix this by grabbing the ct->lock after the wait, which
is also held by the completion side.
v2 (Badal):
- Also print done after acquiring the lock and seeing timeout.
(cherry picked from commit 52789ce35c55ccd30c4b67b9cc5b2af55e0122ea)
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50030", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:26:12.362646Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:45.887Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/xe/xe_guc_ct.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "8ed7dd4c55e4fb21531a9645aeb66a30eaf43a46", status: "affected", version: "dd08ebf6c3525a7ea2186e636df064ea47281987", versionType: "git", }, { lessThan: "db7f92af626178ba59dbbcdd5dee9ec24a987a88", status: "affected", version: "dd08ebf6c3525a7ea2186e636df064ea47281987", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/xe/xe_guc_ct.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.8", }, { lessThan: "6.8", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.4", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/ct: prevent UAF in send_recv()\n\nEnsure we serialize with completion side to prevent UAF with fence going\nout of scope on the stack, since we have no clue if it will fire after\nthe timeout before we can erase from the xa. Also we have some dependent\nloads and stores for which we need the correct ordering, and we lack the\nneeded barriers. Fix this by grabbing the ct->lock after the wait, which\nis also held by the completion side.\n\nv2 (Badal):\n - Also print done after acquiring the lock and seeing timeout.\n\n(cherry picked from commit 52789ce35c55ccd30c4b67b9cc5b2af55e0122ea)", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:31:42.230Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/8ed7dd4c55e4fb21531a9645aeb66a30eaf43a46", }, { url: "https://git.kernel.org/stable/c/db7f92af626178ba59dbbcdd5dee9ec24a987a88", }, ], title: "drm/xe/ct: prevent UAF in send_recv()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50030", datePublished: "2024-10-21T19:39:33.127Z", dateReserved: "2024-10-21T12:17:06.068Z", dateUpdated: "2024-12-19T09:31:42.230Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49963
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-19 09:30
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mailbox: bcm2835: Fix timeout during suspend mode
During noirq suspend phase the Raspberry Pi power driver suffer of
firmware property timeouts. The reason is that the IRQ of the underlying
BCM2835 mailbox is disabled and rpi_firmware_property_list() will always
run into a timeout [1].
Since the VideoCore side isn't consider as a wakeup source, set the
IRQF_NO_SUSPEND flag for the mailbox IRQ in order to keep it enabled
during suspend-resume cycle.
[1]
PM: late suspend of devices complete after 1.754 msecs
WARNING: CPU: 0 PID: 438 at drivers/firmware/raspberrypi.c:128
rpi_firmware_property_list+0x204/0x22c
Firmware transaction 0x00028001 timeout
Modules linked in:
CPU: 0 PID: 438 Comm: bash Tainted: G C 6.9.3-dirty #17
Hardware name: BCM2835
Call trace:
unwind_backtrace from show_stack+0x18/0x1c
show_stack from dump_stack_lvl+0x34/0x44
dump_stack_lvl from __warn+0x88/0xec
__warn from warn_slowpath_fmt+0x7c/0xb0
warn_slowpath_fmt from rpi_firmware_property_list+0x204/0x22c
rpi_firmware_property_list from rpi_firmware_property+0x68/0x8c
rpi_firmware_property from rpi_firmware_set_power+0x54/0xc0
rpi_firmware_set_power from _genpd_power_off+0xe4/0x148
_genpd_power_off from genpd_sync_power_off+0x7c/0x11c
genpd_sync_power_off from genpd_finish_suspend+0xcc/0xe0
genpd_finish_suspend from dpm_run_callback+0x78/0xd0
dpm_run_callback from device_suspend_noirq+0xc0/0x238
device_suspend_noirq from dpm_suspend_noirq+0xb0/0x168
dpm_suspend_noirq from suspend_devices_and_enter+0x1b8/0x5ac
suspend_devices_and_enter from pm_suspend+0x254/0x2e4
pm_suspend from state_store+0xa8/0xd4
state_store from kernfs_fop_write_iter+0x154/0x1a0
kernfs_fop_write_iter from vfs_write+0x12c/0x184
vfs_write from ksys_write+0x78/0xc0
ksys_write from ret_fast_syscall+0x0/0x54
Exception stack(0xcc93dfa8 to 0xcc93dff0)
[...]
PM: noirq suspend of devices complete after 3095.584 msecs
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 0bae6af6d704f026d4938739786e0a69d50177ca Version: 0bae6af6d704f026d4938739786e0a69d50177ca Version: 0bae6af6d704f026d4938739786e0a69d50177ca Version: 0bae6af6d704f026d4938739786e0a69d50177ca Version: 0bae6af6d704f026d4938739786e0a69d50177ca Version: 0bae6af6d704f026d4938739786e0a69d50177ca Version: 0bae6af6d704f026d4938739786e0a69d50177ca Version: 0bae6af6d704f026d4938739786e0a69d50177ca Version: 0bae6af6d704f026d4938739786e0a69d50177ca |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49963", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:34:51.005901Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:47.368Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/mailbox/bcm2835-mailbox.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "4e1e03760ee7cc4779b6306867fe0fc02921b963", status: "affected", version: "0bae6af6d704f026d4938739786e0a69d50177ca", versionType: "git", }, { lessThan: "b0de20de29b13950493a36bd4cf531200eb0e807", status: "affected", version: "0bae6af6d704f026d4938739786e0a69d50177ca", versionType: "git", }, { lessThan: "32ee78823dea2d54adaf6e05f86622eba359e091", status: "affected", version: "0bae6af6d704f026d4938739786e0a69d50177ca", versionType: "git", }, { lessThan: "df293ea78740a41384d648041f38f645700288e1", status: "affected", version: "0bae6af6d704f026d4938739786e0a69d50177ca", versionType: "git", }, { lessThan: "90320cfc07b7d6e7a58fd8168f6380ec52ff0251", status: "affected", version: "0bae6af6d704f026d4938739786e0a69d50177ca", versionType: "git", }, { lessThan: "10a58555e0bb5cc4673c8bb73b8afc5fa651f0ac", status: "affected", version: "0bae6af6d704f026d4938739786e0a69d50177ca", versionType: "git", }, { lessThan: "e65a9af05a0b59ebeba28e5e82265a233db7bc27", status: "affected", version: "0bae6af6d704f026d4938739786e0a69d50177ca", versionType: "git", }, { lessThan: "dfeb67b2194ecc55ef8065468c5adda3cdf59114", status: "affected", version: "0bae6af6d704f026d4938739786e0a69d50177ca", versionType: "git", }, { lessThan: "dc09f007caed3b2f6a3b6bd7e13777557ae22bfd", status: "affected", version: "0bae6af6d704f026d4938739786e0a69d50177ca", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/mailbox/bcm2835-mailbox.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "4.2", }, { lessThan: "4.2", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nmailbox: bcm2835: Fix timeout during suspend mode\n\nDuring noirq suspend phase the Raspberry Pi power driver suffer of\nfirmware property timeouts. The reason is that the IRQ of the underlying\nBCM2835 mailbox is disabled and rpi_firmware_property_list() will always\nrun into a timeout [1].\n\nSince the VideoCore side isn't consider as a wakeup source, set the\nIRQF_NO_SUSPEND flag for the mailbox IRQ in order to keep it enabled\nduring suspend-resume cycle.\n\n[1]\nPM: late suspend of devices complete after 1.754 msecs\nWARNING: CPU: 0 PID: 438 at drivers/firmware/raspberrypi.c:128\n rpi_firmware_property_list+0x204/0x22c\nFirmware transaction 0x00028001 timeout\nModules linked in:\nCPU: 0 PID: 438 Comm: bash Tainted: G C 6.9.3-dirty #17\nHardware name: BCM2835\nCall trace:\nunwind_backtrace from show_stack+0x18/0x1c\nshow_stack from dump_stack_lvl+0x34/0x44\ndump_stack_lvl from __warn+0x88/0xec\n__warn from warn_slowpath_fmt+0x7c/0xb0\nwarn_slowpath_fmt from rpi_firmware_property_list+0x204/0x22c\nrpi_firmware_property_list from rpi_firmware_property+0x68/0x8c\nrpi_firmware_property from rpi_firmware_set_power+0x54/0xc0\nrpi_firmware_set_power from _genpd_power_off+0xe4/0x148\n_genpd_power_off from genpd_sync_power_off+0x7c/0x11c\ngenpd_sync_power_off from genpd_finish_suspend+0xcc/0xe0\ngenpd_finish_suspend from dpm_run_callback+0x78/0xd0\ndpm_run_callback from device_suspend_noirq+0xc0/0x238\ndevice_suspend_noirq from dpm_suspend_noirq+0xb0/0x168\ndpm_suspend_noirq from suspend_devices_and_enter+0x1b8/0x5ac\nsuspend_devices_and_enter from pm_suspend+0x254/0x2e4\npm_suspend from state_store+0xa8/0xd4\nstate_store from kernfs_fop_write_iter+0x154/0x1a0\nkernfs_fop_write_iter from vfs_write+0x12c/0x184\nvfs_write from ksys_write+0x78/0xc0\nksys_write from ret_fast_syscall+0x0/0x54\nException stack(0xcc93dfa8 to 0xcc93dff0)\n[...]\nPM: noirq suspend of devices complete after 3095.584 msecs", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:30:16.246Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/4e1e03760ee7cc4779b6306867fe0fc02921b963", }, { url: "https://git.kernel.org/stable/c/b0de20de29b13950493a36bd4cf531200eb0e807", }, { url: "https://git.kernel.org/stable/c/32ee78823dea2d54adaf6e05f86622eba359e091", }, { url: "https://git.kernel.org/stable/c/df293ea78740a41384d648041f38f645700288e1", }, { url: "https://git.kernel.org/stable/c/90320cfc07b7d6e7a58fd8168f6380ec52ff0251", }, { url: "https://git.kernel.org/stable/c/10a58555e0bb5cc4673c8bb73b8afc5fa651f0ac", }, { url: "https://git.kernel.org/stable/c/e65a9af05a0b59ebeba28e5e82265a233db7bc27", }, { url: "https://git.kernel.org/stable/c/dfeb67b2194ecc55ef8065468c5adda3cdf59114", }, { url: "https://git.kernel.org/stable/c/dc09f007caed3b2f6a3b6bd7e13777557ae22bfd", }, ], title: "mailbox: bcm2835: Fix timeout during suspend mode", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49963", datePublished: "2024-10-21T18:02:15.091Z", dateReserved: "2024-10-21T12:17:06.049Z", dateUpdated: "2024-12-19T09:30:16.246Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50027
Vulnerability from cvelistv5
Published
2024-10-21 19:39
Modified
2024-12-19 09:31
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
thermal: core: Free tzp copy along with the thermal zone
The object pointed to by tz->tzp may still be accessed after being
freed in thermal_zone_device_unregister(), so move the freeing of it
to the point after the removal completion has been completed at which
it cannot be accessed any more.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50027", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:26:36.583525Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:46.345Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/thermal/thermal_core.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "eabe285e1c629a719d6e68fc319939c63b83bf22", status: "affected", version: "3d439b1a2ad36c8b4ea151c8de25309d60d17407", versionType: "git", }, { lessThan: "bdb0d40507c85bee33c2a71fde7b2e857346f112", status: "affected", version: "3d439b1a2ad36c8b4ea151c8de25309d60d17407", versionType: "git", }, { lessThan: "827a07525c099f54d3b15110408824541ec66b3c", status: "affected", version: "3d439b1a2ad36c8b4ea151c8de25309d60d17407", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/thermal/thermal_core.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.4", }, { lessThan: "6.4", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.60", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.4", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal: core: Free tzp copy along with the thermal zone\n\nThe object pointed to by tz->tzp may still be accessed after being\nfreed in thermal_zone_device_unregister(), so move the freeing of it\nto the point after the removal completion has been completed at which\nit cannot be accessed any more.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:31:38.468Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/eabe285e1c629a719d6e68fc319939c63b83bf22", }, { url: "https://git.kernel.org/stable/c/bdb0d40507c85bee33c2a71fde7b2e857346f112", }, { url: "https://git.kernel.org/stable/c/827a07525c099f54d3b15110408824541ec66b3c", }, ], title: "thermal: core: Free tzp copy along with the thermal zone", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50027", datePublished: "2024-10-21T19:39:31.141Z", dateReserved: "2024-10-21T12:17:06.066Z", dateUpdated: "2024-12-19T09:31:38.468Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48996
Vulnerability from cvelistv5
Published
2024-10-21 20:06
Modified
2024-12-19 08:12
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/damon/sysfs: fix wrong empty schemes assumption under online tuning in damon_sysfs_set_schemes()
Commit da87878010e5 ("mm/damon/sysfs: support online inputs update") made
'damon_sysfs_set_schemes()' to be called for running DAMON context, which
could have schemes. In the case, DAMON sysfs interface is supposed to
update, remove, or add schemes to reflect the sysfs files. However, the
code is assuming the DAMON context wouldn't have schemes at all, and
therefore creates and adds new schemes. As a result, the code doesn't
work as intended for online schemes tuning and could have more than
expected memory footprint. The schemes are all in the DAMON context, so
it doesn't leak the memory, though.
Remove the wrong asssumption (the DAMON context wouldn't have schemes) in
'damon_sysfs_set_schemes()' to fix the bug.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48996", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:15:49.578394Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:41.449Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "mm/damon/sysfs.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "f98d1f2a36ad7ab48fb4cf73ca14e7b19482fd4d", status: "affected", version: "da87878010e59869d4d27b3c01ecc8ec06ff4a20", versionType: "git", }, { lessThan: "95bc35f9bee5220dad4e8567654ab3288a181639", status: "affected", version: "da87878010e59869d4d27b3c01ecc8ec06ff4a20", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "mm/damon/sysfs.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.19", }, { lessThan: "5.19", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.12", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/sysfs: fix wrong empty schemes assumption under online tuning in damon_sysfs_set_schemes()\n\nCommit da87878010e5 (\"mm/damon/sysfs: support online inputs update\") made\n'damon_sysfs_set_schemes()' to be called for running DAMON context, which\ncould have schemes. In the case, DAMON sysfs interface is supposed to\nupdate, remove, or add schemes to reflect the sysfs files. However, the\ncode is assuming the DAMON context wouldn't have schemes at all, and\ntherefore creates and adds new schemes. As a result, the code doesn't\nwork as intended for online schemes tuning and could have more than\nexpected memory footprint. The schemes are all in the DAMON context, so\nit doesn't leak the memory, though.\n\nRemove the wrong asssumption (the DAMON context wouldn't have schemes) in\n'damon_sysfs_set_schemes()' to fix the bug.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:12:07.190Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/f98d1f2a36ad7ab48fb4cf73ca14e7b19482fd4d", }, { url: "https://git.kernel.org/stable/c/95bc35f9bee5220dad4e8567654ab3288a181639", }, ], title: "mm/damon/sysfs: fix wrong empty schemes assumption under online tuning in damon_sysfs_set_schemes()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48996", datePublished: "2024-10-21T20:06:12.122Z", dateReserved: "2024-08-22T01:27:53.637Z", dateUpdated: "2024-12-19T08:12:07.190Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48983
Vulnerability from cvelistv5
Published
2024-10-21 20:06
Modified
2024-12-19 08:11
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
io_uring: Fix a null-ptr-deref in io_tctx_exit_cb()
Syzkaller reports a NULL deref bug as follows:
BUG: KASAN: null-ptr-deref in io_tctx_exit_cb+0x53/0xd3
Read of size 4 at addr 0000000000000138 by task file1/1955
CPU: 1 PID: 1955 Comm: file1 Not tainted 6.1.0-rc7-00103-gef4d3ea40565 #75
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0xcd/0x134
? io_tctx_exit_cb+0x53/0xd3
kasan_report+0xbb/0x1f0
? io_tctx_exit_cb+0x53/0xd3
kasan_check_range+0x140/0x190
io_tctx_exit_cb+0x53/0xd3
task_work_run+0x164/0x250
? task_work_cancel+0x30/0x30
get_signal+0x1c3/0x2440
? lock_downgrade+0x6e0/0x6e0
? lock_downgrade+0x6e0/0x6e0
? exit_signals+0x8b0/0x8b0
? do_raw_read_unlock+0x3b/0x70
? do_raw_spin_unlock+0x50/0x230
arch_do_signal_or_restart+0x82/0x2470
? kmem_cache_free+0x260/0x4b0
? putname+0xfe/0x140
? get_sigframe_size+0x10/0x10
? do_execveat_common.isra.0+0x226/0x710
? lockdep_hardirqs_on+0x79/0x100
? putname+0xfe/0x140
? do_execveat_common.isra.0+0x238/0x710
exit_to_user_mode_prepare+0x15f/0x250
syscall_exit_to_user_mode+0x19/0x50
do_syscall_64+0x42/0xb0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0023:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RSP: 002b:00000000fffb7790 EFLAGS: 00000200 ORIG_RAX: 000000000000000b
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
</TASK>
Kernel panic - not syncing: panic_on_warn set ...
This happens because the adding of task_work from io_ring_exit_work()
isn't synchronized with canceling all work items from eg exec. The
execution of the two are ordered in that they are both run by the task
itself, but if io_tctx_exit_cb() is queued while we're canceling all
work items off exec AND gets executed when the task exits to userspace
rather than in the main loop in io_uring_cancel_generic(), then we can
find current->io_uring == NULL and hit the above crash.
It's safe to add this NULL check here, because the execution of the two
paths are done by the task itself.
[axboe: add code comment and also put an explanation in the commit msg]
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48983", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:17:35.242008Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:43.423Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "io_uring/io_uring.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "f895511de9d27fff71dad2c234ad53b4afd2b06c", status: "affected", version: "d56d938b4bef3e1421a42023cdcd6e13c1f50831", versionType: "git", }, { lessThan: "d91edca1943453aaaba4f380f6f364346222e5cf", status: "affected", version: "d56d938b4bef3e1421a42023cdcd6e13c1f50831", versionType: "git", }, { lessThan: "998b30c3948e4d0b1097e639918c5cff332acac5", status: "affected", version: "d56d938b4bef3e1421a42023cdcd6e13c1f50831", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "io_uring/io_uring.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.12", }, { lessThan: "5.12", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.83", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.13", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: Fix a null-ptr-deref in io_tctx_exit_cb()\n\nSyzkaller reports a NULL deref bug as follows:\n\n BUG: KASAN: null-ptr-deref in io_tctx_exit_cb+0x53/0xd3\n Read of size 4 at addr 0000000000000138 by task file1/1955\n\n CPU: 1 PID: 1955 Comm: file1 Not tainted 6.1.0-rc7-00103-gef4d3ea40565 #75\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014\n Call Trace:\n <TASK>\n dump_stack_lvl+0xcd/0x134\n ? io_tctx_exit_cb+0x53/0xd3\n kasan_report+0xbb/0x1f0\n ? io_tctx_exit_cb+0x53/0xd3\n kasan_check_range+0x140/0x190\n io_tctx_exit_cb+0x53/0xd3\n task_work_run+0x164/0x250\n ? task_work_cancel+0x30/0x30\n get_signal+0x1c3/0x2440\n ? lock_downgrade+0x6e0/0x6e0\n ? lock_downgrade+0x6e0/0x6e0\n ? exit_signals+0x8b0/0x8b0\n ? do_raw_read_unlock+0x3b/0x70\n ? do_raw_spin_unlock+0x50/0x230\n arch_do_signal_or_restart+0x82/0x2470\n ? kmem_cache_free+0x260/0x4b0\n ? putname+0xfe/0x140\n ? get_sigframe_size+0x10/0x10\n ? do_execveat_common.isra.0+0x226/0x710\n ? lockdep_hardirqs_on+0x79/0x100\n ? putname+0xfe/0x140\n ? do_execveat_common.isra.0+0x238/0x710\n exit_to_user_mode_prepare+0x15f/0x250\n syscall_exit_to_user_mode+0x19/0x50\n do_syscall_64+0x42/0xb0\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n RIP: 0023:0x0\n Code: Unable to access opcode bytes at 0xffffffffffffffd6.\n RSP: 002b:00000000fffb7790 EFLAGS: 00000200 ORIG_RAX: 000000000000000b\n RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\n R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n </TASK>\n Kernel panic - not syncing: panic_on_warn set ...\n\nThis happens because the adding of task_work from io_ring_exit_work()\nisn't synchronized with canceling all work items from eg exec. The\nexecution of the two are ordered in that they are both run by the task\nitself, but if io_tctx_exit_cb() is queued while we're canceling all\nwork items off exec AND gets executed when the task exits to userspace\nrather than in the main loop in io_uring_cancel_generic(), then we can\nfind current->io_uring == NULL and hit the above crash.\n\nIt's safe to add this NULL check here, because the execution of the two\npaths are done by the task itself.\n\n[axboe: add code comment and also put an explanation in the commit msg]", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:11:53.174Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/f895511de9d27fff71dad2c234ad53b4afd2b06c", }, { url: "https://git.kernel.org/stable/c/d91edca1943453aaaba4f380f6f364346222e5cf", }, { url: "https://git.kernel.org/stable/c/998b30c3948e4d0b1097e639918c5cff332acac5", }, ], title: "io_uring: Fix a null-ptr-deref in io_tctx_exit_cb()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48983", datePublished: "2024-10-21T20:06:00.376Z", dateReserved: "2024-08-22T01:27:53.633Z", dateUpdated: "2024-12-19T08:11:53.174Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-49026
Vulnerability from cvelistv5
Published
2024-10-21 20:06
Modified
2024-12-19 08:12
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
e100: Fix possible use after free in e100_xmit_prepare
In e100_xmit_prepare(), if we can't map the skb, then return -ENOMEM, so
e100_xmit_frame() will return NETDEV_TX_BUSY and the upper layer will
resend the skb. But the skb is already freed, which will cause UAF bug
when the upper layer resends the skb.
Remove the harmful free.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-49026", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:11:54.975076Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:36.450Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/ethernet/intel/e100.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "b775f37d943966f6f77dca402f5a9dedce502c25", status: "affected", version: "5e5d49422dfb035ca9e280cd61d434095c151272", versionType: "git", }, { lessThan: "9fc27d22cdb9b1fcd754599d216a8992fed280cd", status: "affected", version: "5e5d49422dfb035ca9e280cd61d434095c151272", versionType: "git", }, { lessThan: "b46f6144ab89d3d757ead940759c505091626a7d", status: "affected", version: "5e5d49422dfb035ca9e280cd61d434095c151272", versionType: "git", }, { lessThan: "45605c75c52c7ae7bfe902214343aabcfe5ba0ff", status: "affected", version: "5e5d49422dfb035ca9e280cd61d434095c151272", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/ethernet/intel/e100.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "4.3", }, { lessThan: "4.3", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.158", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.82", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.12", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ne100: Fix possible use after free in e100_xmit_prepare\n\nIn e100_xmit_prepare(), if we can't map the skb, then return -ENOMEM, so\ne100_xmit_frame() will return NETDEV_TX_BUSY and the upper layer will\nresend the skb. But the skb is already freed, which will cause UAF bug\nwhen the upper layer resends the skb.\n\nRemove the harmful free.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:12:41.710Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/b775f37d943966f6f77dca402f5a9dedce502c25", }, { url: "https://git.kernel.org/stable/c/9fc27d22cdb9b1fcd754599d216a8992fed280cd", }, { url: "https://git.kernel.org/stable/c/b46f6144ab89d3d757ead940759c505091626a7d", }, { url: "https://git.kernel.org/stable/c/45605c75c52c7ae7bfe902214343aabcfe5ba0ff", }, ], title: "e100: Fix possible use after free in e100_xmit_prepare", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-49026", datePublished: "2024-10-21T20:06:31.876Z", dateReserved: "2024-08-22T01:27:53.651Z", dateUpdated: "2024-12-19T08:12:41.710Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50044
Vulnerability from cvelistv5
Published
2024-10-21 19:39
Modified
2024-12-19 09:31
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: RFCOMM: FIX possible deadlock in rfcomm_sk_state_change
rfcomm_sk_state_change attempts to use sock_lock so it must never be
called with it locked but rfcomm_sock_ioctl always attempt to lock it
causing the following trace:
======================================================
WARNING: possible circular locking dependency detected
6.8.0-syzkaller-08951-gfe46a7dd189e #0 Not tainted
------------------------------------------------------
syz-executor386/5093 is trying to acquire lock:
ffff88807c396258 (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1671 [inline]
ffff88807c396258 (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}-{0:0}, at: rfcomm_sk_state_change+0x5b/0x310 net/bluetooth/rfcomm/sock.c:73
but task is already holding lock:
ffff88807badfd28 (&d->lock){+.+.}-{3:3}, at: __rfcomm_dlc_close+0x226/0x6a0 net/bluetooth/rfcomm/core.c:491
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 3241ad820dbb172021e0268b5611031991431626 Version: 3241ad820dbb172021e0268b5611031991431626 Version: 3241ad820dbb172021e0268b5611031991431626 Version: 3241ad820dbb172021e0268b5611031991431626 Version: 3241ad820dbb172021e0268b5611031991431626 Version: 3241ad820dbb172021e0268b5611031991431626 Version: 3241ad820dbb172021e0268b5611031991431626 Version: 3241ad820dbb172021e0268b5611031991431626 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50044", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:24:23.000943Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:43.832Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/bluetooth/rfcomm/sock.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "b77b3fb12fd483cae7c28648903b1d8a6b275f01", status: "affected", version: "3241ad820dbb172021e0268b5611031991431626", versionType: "git", }, { lessThan: "869c6ee62ab8f01bf2419e45326642be5c9b670a", status: "affected", version: "3241ad820dbb172021e0268b5611031991431626", versionType: "git", }, { lessThan: "ef44274dae9b0a90d1a97ce8b242a3b8243a7745", status: "affected", version: "3241ad820dbb172021e0268b5611031991431626", versionType: "git", }, { lessThan: "496b2ab0fd10f205e08909a125485fdc98843dbe", status: "affected", version: "3241ad820dbb172021e0268b5611031991431626", versionType: "git", }, { lessThan: "ced98072d3511b232ae1d3347945f35f30c0e303", status: "affected", version: "3241ad820dbb172021e0268b5611031991431626", versionType: "git", }, { lessThan: "38b2d5a57d125e1c17661b8308c0240c4a43b534", status: "affected", version: "3241ad820dbb172021e0268b5611031991431626", versionType: "git", }, { lessThan: "4cb9807c9b53bf1e5560420d26f319f528b50268", status: "affected", version: "3241ad820dbb172021e0268b5611031991431626", versionType: "git", }, { lessThan: "08d1914293dae38350b8088980e59fbc699a72fe", status: "affected", version: "3241ad820dbb172021e0268b5611031991431626", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/bluetooth/rfcomm/sock.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "2.6.27", }, { lessThan: "2.6.27", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.57", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.4", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: RFCOMM: FIX possible deadlock in rfcomm_sk_state_change\n\nrfcomm_sk_state_change attempts to use sock_lock so it must never be\ncalled with it locked but rfcomm_sock_ioctl always attempt to lock it\ncausing the following trace:\n\n======================================================\nWARNING: possible circular locking dependency detected\n6.8.0-syzkaller-08951-gfe46a7dd189e #0 Not tainted\n------------------------------------------------------\nsyz-executor386/5093 is trying to acquire lock:\nffff88807c396258 (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1671 [inline]\nffff88807c396258 (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}-{0:0}, at: rfcomm_sk_state_change+0x5b/0x310 net/bluetooth/rfcomm/sock.c:73\n\nbut task is already holding lock:\nffff88807badfd28 (&d->lock){+.+.}-{3:3}, at: __rfcomm_dlc_close+0x226/0x6a0 net/bluetooth/rfcomm/core.c:491", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:31:59.938Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/b77b3fb12fd483cae7c28648903b1d8a6b275f01", }, { url: "https://git.kernel.org/stable/c/869c6ee62ab8f01bf2419e45326642be5c9b670a", }, { url: "https://git.kernel.org/stable/c/ef44274dae9b0a90d1a97ce8b242a3b8243a7745", }, { url: "https://git.kernel.org/stable/c/496b2ab0fd10f205e08909a125485fdc98843dbe", }, { url: "https://git.kernel.org/stable/c/ced98072d3511b232ae1d3347945f35f30c0e303", }, { url: "https://git.kernel.org/stable/c/38b2d5a57d125e1c17661b8308c0240c4a43b534", }, { url: "https://git.kernel.org/stable/c/4cb9807c9b53bf1e5560420d26f319f528b50268", }, { url: "https://git.kernel.org/stable/c/08d1914293dae38350b8088980e59fbc699a72fe", }, ], title: "Bluetooth: RFCOMM: FIX possible deadlock in rfcomm_sk_state_change", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50044", datePublished: "2024-10-21T19:39:42.430Z", dateReserved: "2024-10-21T12:17:06.071Z", dateUpdated: "2024-12-19T09:31:59.938Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50055
Vulnerability from cvelistv5
Published
2024-10-21 19:39
Modified
2024-12-19 09:32
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
driver core: bus: Fix double free in driver API bus_register()
For bus_register(), any error which happens after kset_register() will
cause that @priv are freed twice, fixed by setting @priv with NULL after
the first free.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50055", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:23:36.877414Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:43.087Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/base/bus.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "5be4bc1c73ca389a96d418a52054d897c6fe6d21", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "4797953712214ea57a437443bb0ad6d1e0646d70", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "fc1f391a71a3ee88291e205cffd673fe24d99266", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "d885c464c25018b81a6b58f5d548fc2e3ef87dd1", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "9ce15f68abedfae7ae0a35e95895aeddfd0f0c6a", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "bfa54a793ba77ef696755b66f3ac4ed00c7d1248", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/base/bus.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.231", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.174", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.120", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.57", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.4", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndriver core: bus: Fix double free in driver API bus_register()\n\nFor bus_register(), any error which happens after kset_register() will\ncause that @priv are freed twice, fixed by setting @priv with NULL after\nthe first free.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:32:07.282Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/5be4bc1c73ca389a96d418a52054d897c6fe6d21", }, { url: "https://git.kernel.org/stable/c/4797953712214ea57a437443bb0ad6d1e0646d70", }, { url: "https://git.kernel.org/stable/c/fc1f391a71a3ee88291e205cffd673fe24d99266", }, { url: "https://git.kernel.org/stable/c/d885c464c25018b81a6b58f5d548fc2e3ef87dd1", }, { url: "https://git.kernel.org/stable/c/9ce15f68abedfae7ae0a35e95895aeddfd0f0c6a", }, { url: "https://git.kernel.org/stable/c/bfa54a793ba77ef696755b66f3ac4ed00c7d1248", }, ], title: "driver core: bus: Fix double free in driver API bus_register()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50055", datePublished: "2024-10-21T19:39:46.476Z", dateReserved: "2024-10-21T19:36:19.938Z", dateUpdated: "2024-12-19T09:32:07.282Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47686
Vulnerability from cvelistv5
Published
2024-10-21 11:53
Modified
2024-12-19 09:25
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ep93xx: clock: Fix off by one in ep93xx_div_recalc_rate()
The psc->div[] array has psc->num_div elements. These values come from
when we call clk_hw_register_div(). It's adc_divisors and
ARRAY_SIZE(adc_divisors)) and so on. So this condition needs to be >=
instead of > to prevent an out of bounds read.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 9645ccc7bd7a16cd73c3be9dee70cd702b03be37 Version: 9645ccc7bd7a16cd73c3be9dee70cd702b03be37 Version: 9645ccc7bd7a16cd73c3be9dee70cd702b03be37 Version: 9645ccc7bd7a16cd73c3be9dee70cd702b03be37 Version: 9645ccc7bd7a16cd73c3be9dee70cd702b03be37 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47686", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:06:37.712927Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:14:15.903Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "arch/arm/mach-ep93xx/clock.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "7a5bd2fb92388c51d267f6ce57c40f1cca8af1e0", status: "affected", version: "9645ccc7bd7a16cd73c3be9dee70cd702b03be37", versionType: "git", }, { lessThan: "66e78ade976dbd9bea09166aa8d66afc0963cde4", status: "affected", version: "9645ccc7bd7a16cd73c3be9dee70cd702b03be37", versionType: "git", }, { lessThan: "27f493e141823db052586010c1532b70b164507c", status: "affected", version: "9645ccc7bd7a16cd73c3be9dee70cd702b03be37", versionType: "git", }, { lessThan: "ae59eaf36a1ad396e9f657ec9b8b52da6206ed5f", status: "affected", version: "9645ccc7bd7a16cd73c3be9dee70cd702b03be37", versionType: "git", }, { lessThan: "c7f06284a6427475e3df742215535ec3f6cd9662", status: "affected", version: "9645ccc7bd7a16cd73c3be9dee70cd702b03be37", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "arch/arm/mach-ep93xx/clock.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.16", }, { lessThan: "5.16", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nep93xx: clock: Fix off by one in ep93xx_div_recalc_rate()\n\nThe psc->div[] array has psc->num_div elements. These values come from\nwhen we call clk_hw_register_div(). It's adc_divisors and\nARRAY_SIZE(adc_divisors)) and so on. So this condition needs to be >=\ninstead of > to prevent an out of bounds read.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:25:59.795Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/7a5bd2fb92388c51d267f6ce57c40f1cca8af1e0", }, { url: "https://git.kernel.org/stable/c/66e78ade976dbd9bea09166aa8d66afc0963cde4", }, { url: "https://git.kernel.org/stable/c/27f493e141823db052586010c1532b70b164507c", }, { url: "https://git.kernel.org/stable/c/ae59eaf36a1ad396e9f657ec9b8b52da6206ed5f", }, { url: "https://git.kernel.org/stable/c/c7f06284a6427475e3df742215535ec3f6cd9662", }, ], title: "ep93xx: clock: Fix off by one in ep93xx_div_recalc_rate()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47686", datePublished: "2024-10-21T11:53:27.144Z", dateReserved: "2024-09-30T16:00:12.941Z", dateUpdated: "2024-12-19T09:25:59.795Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49927
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:29
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
x86/ioapic: Handle allocation failures gracefully
Breno observed panics when using failslab under certain conditions during
runtime:
can not alloc irq_pin_list (-1,0,20)
Kernel panic - not syncing: IO-APIC: failed to add irq-pin. Can not proceed
panic+0x4e9/0x590
mp_irqdomain_alloc+0x9ab/0xa80
irq_domain_alloc_irqs_locked+0x25d/0x8d0
__irq_domain_alloc_irqs+0x80/0x110
mp_map_pin_to_irq+0x645/0x890
acpi_register_gsi_ioapic+0xe6/0x150
hpet_open+0x313/0x480
That's a pointless panic which is a leftover of the historic IO/APIC code
which panic'ed during early boot when the interrupt allocation failed.
The only place which might justify panic is the PIT/HPET timer_check() code
which tries to figure out whether the timer interrupt is delivered through
the IO/APIC. But that code does not require to handle interrupt allocation
failures. If the interrupt cannot be allocated then timer delivery fails
and it either panics due to that or falls back to legacy mode.
Cure this by removing the panic wrapper around __add_pin_to_irq_node() and
making mp_irqdomain_alloc() aware of the failure condition and handle it as
any other failure in this function gracefully.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49927", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:39:34.506279Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:43.819Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "arch/x86/kernel/apic/io_apic.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "e479cb835feeb2abff97f25766e23b96a6eabe28", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "ec862cd843faa6f0e84a7a07362f2786446bf697", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "077e1b7cd521163ded545987bbbd389519aeed71", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "649a5c2ffae797ce792023a70e84c7fe4b6fb8e0", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "f17efbeb2922327ea01a9efa8829fea9a30e547d", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "830802a0fea8fb39d3dc9fb7d6b5581e1343eb1f", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "arch/x86/kernel/apic/io_apic.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/ioapic: Handle allocation failures gracefully\n\nBreno observed panics when using failslab under certain conditions during\nruntime:\n\n can not alloc irq_pin_list (-1,0,20)\n Kernel panic - not syncing: IO-APIC: failed to add irq-pin. Can not proceed\n\n panic+0x4e9/0x590\n mp_irqdomain_alloc+0x9ab/0xa80\n irq_domain_alloc_irqs_locked+0x25d/0x8d0\n __irq_domain_alloc_irqs+0x80/0x110\n mp_map_pin_to_irq+0x645/0x890\n acpi_register_gsi_ioapic+0xe6/0x150\n hpet_open+0x313/0x480\n\nThat's a pointless panic which is a leftover of the historic IO/APIC code\nwhich panic'ed during early boot when the interrupt allocation failed.\n\nThe only place which might justify panic is the PIT/HPET timer_check() code\nwhich tries to figure out whether the timer interrupt is delivered through\nthe IO/APIC. But that code does not require to handle interrupt allocation\nfailures. If the interrupt cannot be allocated then timer delivery fails\nand it either panics due to that or falls back to legacy mode.\n\nCure this by removing the panic wrapper around __add_pin_to_irq_node() and\nmaking mp_irqdomain_alloc() aware of the failure condition and handle it as\nany other failure in this function gracefully.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:29:12.324Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/e479cb835feeb2abff97f25766e23b96a6eabe28", }, { url: "https://git.kernel.org/stable/c/ec862cd843faa6f0e84a7a07362f2786446bf697", }, { url: "https://git.kernel.org/stable/c/077e1b7cd521163ded545987bbbd389519aeed71", }, { url: "https://git.kernel.org/stable/c/649a5c2ffae797ce792023a70e84c7fe4b6fb8e0", }, { url: "https://git.kernel.org/stable/c/f17efbeb2922327ea01a9efa8829fea9a30e547d", }, { url: "https://git.kernel.org/stable/c/830802a0fea8fb39d3dc9fb7d6b5581e1343eb1f", }, ], title: "x86/ioapic: Handle allocation failures gracefully", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49927", datePublished: "2024-10-21T18:01:51.110Z", dateReserved: "2024-10-21T12:17:06.038Z", dateUpdated: "2024-12-19T09:29:12.324Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47688
Vulnerability from cvelistv5
Published
2024-10-21 11:53
Modified
2024-12-19 09:26
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
driver core: Fix a potential null-ptr-deref in module_add_driver()
Inject fault while probing of-fpga-region, if kasprintf() fails in
module_add_driver(), the second sysfs_remove_link() in exit path will cause
null-ptr-deref as below because kernfs_name_hash() will call strlen() with
NULL driver_name.
Fix it by releasing resources based on the exit path sequence.
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
Mem abort info:
ESR = 0x0000000096000005
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x05: level 1 translation fault
Data abort info:
ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
CM = 0, WnR = 0, TnD = 0, TagAccess = 0
GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[dfffffc000000000] address between user and kernel address ranges
Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in: of_fpga_region(+) fpga_region fpga_bridge cfg80211 rfkill 8021q garp mrp stp llc ipv6 [last unloaded: of_fpga_region]
CPU: 2 UID: 0 PID: 2036 Comm: modprobe Not tainted 6.11.0-rc2-g6a0e38264012 #295
Hardware name: linux,dummy-virt (DT)
pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : strlen+0x24/0xb0
lr : kernfs_name_hash+0x1c/0xc4
sp : ffffffc081f97380
x29: ffffffc081f97380 x28: ffffffc081f97b90 x27: ffffff80c821c2a0
x26: ffffffedac0be418 x25: 0000000000000000 x24: ffffff80c09d2000
x23: 0000000000000000 x22: 0000000000000000 x21: 0000000000000000
x20: 0000000000000000 x19: 0000000000000000 x18: 0000000000001840
x17: 0000000000000000 x16: 0000000000000000 x15: 1ffffff8103f2e42
x14: 00000000f1f1f1f1 x13: 0000000000000004 x12: ffffffb01812d61d
x11: 1ffffff01812d61c x10: ffffffb01812d61c x9 : dfffffc000000000
x8 : 0000004fe7ed29e4 x7 : ffffff80c096b0e7 x6 : 0000000000000001
x5 : ffffff80c096b0e0 x4 : 1ffffffdb990efa2 x3 : 0000000000000000
x2 : 0000000000000000 x1 : dfffffc000000000 x0 : 0000000000000000
Call trace:
strlen+0x24/0xb0
kernfs_name_hash+0x1c/0xc4
kernfs_find_ns+0x118/0x2e8
kernfs_remove_by_name_ns+0x80/0x100
sysfs_remove_link+0x74/0xa8
module_add_driver+0x278/0x394
bus_add_driver+0x1f0/0x43c
driver_register+0xf4/0x3c0
__platform_driver_register+0x60/0x88
of_fpga_region_init+0x20/0x1000 [of_fpga_region]
do_one_initcall+0x110/0x788
do_init_module+0x1dc/0x5c8
load_module+0x3c38/0x4cac
init_module_from_file+0xd4/0x128
idempotent_init_module+0x2cc/0x528
__arm64_sys_finit_module+0xac/0x100
invoke_syscall+0x6c/0x258
el0_svc_common.constprop.0+0x160/0x22c
do_el0_svc+0x44/0x5c
el0_svc+0x48/0xb8
el0t_64_sync_handler+0x13c/0x158
el0t_64_sync+0x190/0x194
Code: f2fbffe1 a90157f4 12000802 aa0003f5 (38e16861)
---[ end trace 0000000000000000 ]---
Kernel panic - not syncing: Oops: Fatal exception
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47688", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:06:20.271909Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:14:15.570Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/base/module.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "b8e45b910525704010d10c9dcbf2abf3005aa97c", status: "affected", version: "28f5a08600d0ea6831629d450193c4045094e729", versionType: "git", }, { lessThan: "4b5d48b7a29cc6d508121a4b4e0c97a891e5273c", status: "affected", version: "85d2b0aa170351380be39fe4ff7973df1427fe76", versionType: "git", }, { lessThan: "dcb9d581dee4c23f2378b6650511ece80dda4e2f", status: "affected", version: "85d2b0aa170351380be39fe4ff7973df1427fe76", versionType: "git", }, { lessThan: "18ec12c97b39ff6aa15beb8d2b25d15cd44b87d8", status: "affected", version: "85d2b0aa170351380be39fe4ff7973df1427fe76", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/base/module.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.10", }, { lessThan: "6.10", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndriver core: Fix a potential null-ptr-deref in module_add_driver()\n\nInject fault while probing of-fpga-region, if kasprintf() fails in\nmodule_add_driver(), the second sysfs_remove_link() in exit path will cause\nnull-ptr-deref as below because kernfs_name_hash() will call strlen() with\nNULL driver_name.\n\nFix it by releasing resources based on the exit path sequence.\n\n\t KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n\t Mem abort info:\n\t ESR = 0x0000000096000005\n\t EC = 0x25: DABT (current EL), IL = 32 bits\n\t SET = 0, FnV = 0\n\t EA = 0, S1PTW = 0\n\t FSC = 0x05: level 1 translation fault\n\t Data abort info:\n\t ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\n\t CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n\t GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n\t [dfffffc000000000] address between user and kernel address ranges\n\t Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP\n\t Dumping ftrace buffer:\n\t (ftrace buffer empty)\n\t Modules linked in: of_fpga_region(+) fpga_region fpga_bridge cfg80211 rfkill 8021q garp mrp stp llc ipv6 [last unloaded: of_fpga_region]\n\t CPU: 2 UID: 0 PID: 2036 Comm: modprobe Not tainted 6.11.0-rc2-g6a0e38264012 #295\n\t Hardware name: linux,dummy-virt (DT)\n\t pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n\t pc : strlen+0x24/0xb0\n\t lr : kernfs_name_hash+0x1c/0xc4\n\t sp : ffffffc081f97380\n\t x29: ffffffc081f97380 x28: ffffffc081f97b90 x27: ffffff80c821c2a0\n\t x26: ffffffedac0be418 x25: 0000000000000000 x24: ffffff80c09d2000\n\t x23: 0000000000000000 x22: 0000000000000000 x21: 0000000000000000\n\t x20: 0000000000000000 x19: 0000000000000000 x18: 0000000000001840\n\t x17: 0000000000000000 x16: 0000000000000000 x15: 1ffffff8103f2e42\n\t x14: 00000000f1f1f1f1 x13: 0000000000000004 x12: ffffffb01812d61d\n\t x11: 1ffffff01812d61c x10: ffffffb01812d61c x9 : dfffffc000000000\n\t x8 : 0000004fe7ed29e4 x7 : ffffff80c096b0e7 x6 : 0000000000000001\n\t x5 : ffffff80c096b0e0 x4 : 1ffffffdb990efa2 x3 : 0000000000000000\n\t x2 : 0000000000000000 x1 : dfffffc000000000 x0 : 0000000000000000\n\t Call trace:\n\t strlen+0x24/0xb0\n\t kernfs_name_hash+0x1c/0xc4\n\t kernfs_find_ns+0x118/0x2e8\n\t kernfs_remove_by_name_ns+0x80/0x100\n\t sysfs_remove_link+0x74/0xa8\n\t module_add_driver+0x278/0x394\n\t bus_add_driver+0x1f0/0x43c\n\t driver_register+0xf4/0x3c0\n\t __platform_driver_register+0x60/0x88\n\t of_fpga_region_init+0x20/0x1000 [of_fpga_region]\n\t do_one_initcall+0x110/0x788\n\t do_init_module+0x1dc/0x5c8\n\t load_module+0x3c38/0x4cac\n\t init_module_from_file+0xd4/0x128\n\t idempotent_init_module+0x2cc/0x528\n\t __arm64_sys_finit_module+0xac/0x100\n\t invoke_syscall+0x6c/0x258\n\t el0_svc_common.constprop.0+0x160/0x22c\n\t do_el0_svc+0x44/0x5c\n\t el0_svc+0x48/0xb8\n\t el0t_64_sync_handler+0x13c/0x158\n\t el0t_64_sync+0x190/0x194\n\t Code: f2fbffe1 a90157f4 12000802 aa0003f5 (38e16861)\n\t ---[ end trace 0000000000000000 ]---\n\t Kernel panic - not syncing: Oops: Fatal exception", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:26:07.156Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/b8e45b910525704010d10c9dcbf2abf3005aa97c", }, { url: "https://git.kernel.org/stable/c/4b5d48b7a29cc6d508121a4b4e0c97a891e5273c", }, { url: "https://git.kernel.org/stable/c/dcb9d581dee4c23f2378b6650511ece80dda4e2f", }, { url: "https://git.kernel.org/stable/c/18ec12c97b39ff6aa15beb8d2b25d15cd44b87d8", }, ], title: "driver core: Fix a potential null-ptr-deref in module_add_driver()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47688", datePublished: "2024-10-21T11:53:28.526Z", dateReserved: "2024-09-30T16:00:12.941Z", dateUpdated: "2024-12-19T09:26:07.156Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47703
Vulnerability from cvelistv5
Published
2024-10-21 11:53
Modified
2024-12-19 09:26
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf, lsm: Add check for BPF LSM return value
A bpf prog returning a positive number attached to file_alloc_security
hook makes kernel panic.
This happens because file system can not filter out the positive number
returned by the LSM prog using IS_ERR, and misinterprets this positive
number as a file pointer.
Given that hook file_alloc_security never returned positive number
before the introduction of BPF LSM, and other BPF LSM hooks may
encounter similar issues, this patch adds LSM return value check
in verifier, to ensure no unexpected value is returned.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47703", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:04:16.628163Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:14:13.303Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "include/linux/bpf.h", "include/linux/bpf_lsm.h", "kernel/bpf/bpf_lsm.c", "kernel/bpf/btf.c", "kernel/bpf/verifier.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "1050727d83e70449991c29dd1cf29fe936a63da3", status: "affected", version: "520b7aa00d8cd8e411ecc09f63a2acd90feb6d29", versionType: "git", }, { lessThan: "27ca3e20fe80be85a92b10064dfeb56cb2564b1c", status: "affected", version: "520b7aa00d8cd8e411ecc09f63a2acd90feb6d29", versionType: "git", }, { lessThan: "5d99e198be279045e6ecefe220f5c52f8ce9bfd5", status: "affected", version: "520b7aa00d8cd8e411ecc09f63a2acd90feb6d29", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "include/linux/bpf.h", "include/linux/bpf_lsm.h", "kernel/bpf/bpf_lsm.c", "kernel/bpf/btf.c", "kernel/bpf/verifier.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.7", }, { lessThan: "5.7", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, lsm: Add check for BPF LSM return value\n\nA bpf prog returning a positive number attached to file_alloc_security\nhook makes kernel panic.\n\nThis happens because file system can not filter out the positive number\nreturned by the LSM prog using IS_ERR, and misinterprets this positive\nnumber as a file pointer.\n\nGiven that hook file_alloc_security never returned positive number\nbefore the introduction of BPF LSM, and other BPF LSM hooks may\nencounter similar issues, this patch adds LSM return value check\nin verifier, to ensure no unexpected value is returned.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:26:25.636Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/1050727d83e70449991c29dd1cf29fe936a63da3", }, { url: "https://git.kernel.org/stable/c/27ca3e20fe80be85a92b10064dfeb56cb2564b1c", }, { url: "https://git.kernel.org/stable/c/5d99e198be279045e6ecefe220f5c52f8ce9bfd5", }, ], title: "bpf, lsm: Add check for BPF LSM return value", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47703", datePublished: "2024-10-21T11:53:38.714Z", dateReserved: "2024-09-30T16:00:12.945Z", dateUpdated: "2024-12-19T09:26:25.636Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50065
Vulnerability from cvelistv5
Published
2024-10-21 19:39
Modified
2024-12-19 09:32
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ntfs3: Change to non-blocking allocation in ntfs_d_hash
d_hash is done while under "rcu-walk" and should not sleep.
__get_name() allocates using GFP_KERNEL, having the possibility
to sleep when under memory pressure. Change the allocation to
GFP_NOWAIT.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50065", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:22:22.472390Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:41.577Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/ntfs3/namei.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "c556e72cea2a1131ae418be017dd6fc76fffe2fb", status: "affected", version: "58ebd50d22529f79d2497abbb006137a7c7f5336", versionType: "git", }, { lessThan: "d0c710372e238510db08ea01e7b8bd81ed995dd6", status: "affected", version: "d392e85fd1e8d58e460c17ca7d0d5c157848d9c1", versionType: "git", }, { lessThan: "589996bf8c459deb5bbc9747d8f1c51658608103", status: "affected", version: "d392e85fd1e8d58e460c17ca7d0d5c157848d9c1", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/ntfs3/namei.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.11", }, { lessThan: "6.11", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.57", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.4", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nntfs3: Change to non-blocking allocation in ntfs_d_hash\n\nd_hash is done while under \"rcu-walk\" and should not sleep.\n__get_name() allocates using GFP_KERNEL, having the possibility\nto sleep when under memory pressure. Change the allocation to\nGFP_NOWAIT.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:32:19.113Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/c556e72cea2a1131ae418be017dd6fc76fffe2fb", }, { url: "https://git.kernel.org/stable/c/d0c710372e238510db08ea01e7b8bd81ed995dd6", }, { url: "https://git.kernel.org/stable/c/589996bf8c459deb5bbc9747d8f1c51658608103", }, ], title: "ntfs3: Change to non-blocking allocation in ntfs_d_hash", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50065", datePublished: "2024-10-21T19:39:53.080Z", dateReserved: "2024-10-21T19:36:19.939Z", dateUpdated: "2024-12-19T09:32:19.113Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47677
Vulnerability from cvelistv5
Published
2024-10-21 11:53
Modified
2024-12-19 09:25
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
exfat: resolve memory leak from exfat_create_upcase_table()
If exfat_load_upcase_table reaches end and returns -EINVAL,
allocated memory doesn't get freed and while
exfat_load_default_upcase_table allocates more memory, leading to a
memory leak.
Here's link to syzkaller crash report illustrating this issue:
https://syzkaller.appspot.com/text?tag=CrashReport&x=1406c201980000
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47677", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:07:50.723044Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:14:17.233Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/exfat/nls.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "f9835aec49670c46ebe2973032caaa1043b3d4da", status: "affected", version: "a13d1a4de3b0fe3c41d818697d691c886c5585fa", versionType: "git", }, { lessThan: "331ed2c739ce656a67865f6b3ee0a478349d78cb", status: "affected", version: "a13d1a4de3b0fe3c41d818697d691c886c5585fa", versionType: "git", }, { lessThan: "c290fe508eee36df1640c3cb35dc8f89e073c8a8", status: "affected", version: "a13d1a4de3b0fe3c41d818697d691c886c5585fa", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/exfat/nls.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.8", }, { lessThan: "6.8", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: resolve memory leak from exfat_create_upcase_table()\n\nIf exfat_load_upcase_table reaches end and returns -EINVAL,\nallocated memory doesn't get freed and while\nexfat_load_default_upcase_table allocates more memory, leading to a\nmemory leak.\n\nHere's link to syzkaller crash report illustrating this issue:\nhttps://syzkaller.appspot.com/text?tag=CrashReport&x=1406c201980000", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:25:42.947Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/f9835aec49670c46ebe2973032caaa1043b3d4da", }, { url: "https://git.kernel.org/stable/c/331ed2c739ce656a67865f6b3ee0a478349d78cb", }, { url: "https://git.kernel.org/stable/c/c290fe508eee36df1640c3cb35dc8f89e073c8a8", }, ], title: "exfat: resolve memory leak from exfat_create_upcase_table()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47677", datePublished: "2024-10-21T11:53:21.138Z", dateReserved: "2024-09-30T16:00:12.938Z", dateUpdated: "2024-12-19T09:25:42.947Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50007
Vulnerability from cvelistv5
Published
2024-10-21 18:54
Modified
2024-12-19 09:31
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: asihpi: Fix potential OOB array access
ASIHPI driver stores some values in the static array upon a response
from the driver, and its index depends on the firmware. We shouldn't
trust it blindly.
This patch adds a sanity check of the array index to fit in the array
size.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50007", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:29:11.400121Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:40.227Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "sound/pci/asihpi/hpimsgx.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "a6bdb691cf7b66dcd929de1a253c5c42edd2e522", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "ce2953e44829ec54bcbb57e9d890fc8af0900c80", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "219587bca2678e31700ef09ecec178ba1f735674", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "36ee4021bcc37b834996e79740d095d6f8dd948f", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "e658227d9d4f4e122d81690fdbc0d438b10288f5", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "7a55740996701f7b2bc46dc988b60ef2e416a747", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "ad7248a5e92587b9266c62db8bcc4e58de53e372", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "876d04bf5a8ac1d6af5afd258cd37ab83ab2cf3d", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "7b986c7430a6bb68d523dac7bfc74cbd5b44ef96", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "sound/pci/asihpi/hpimsgx.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: asihpi: Fix potential OOB array access\n\nASIHPI driver stores some values in the static array upon a response\nfrom the driver, and its index depends on the firmware. We shouldn't\ntrust it blindly.\n\nThis patch adds a sanity check of the array index to fit in the array\nsize.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:31:10.059Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/a6bdb691cf7b66dcd929de1a253c5c42edd2e522", }, { url: "https://git.kernel.org/stable/c/ce2953e44829ec54bcbb57e9d890fc8af0900c80", }, { url: "https://git.kernel.org/stable/c/219587bca2678e31700ef09ecec178ba1f735674", }, { url: "https://git.kernel.org/stable/c/36ee4021bcc37b834996e79740d095d6f8dd948f", }, { url: "https://git.kernel.org/stable/c/e658227d9d4f4e122d81690fdbc0d438b10288f5", }, { url: "https://git.kernel.org/stable/c/7a55740996701f7b2bc46dc988b60ef2e416a747", }, { url: "https://git.kernel.org/stable/c/ad7248a5e92587b9266c62db8bcc4e58de53e372", }, { url: "https://git.kernel.org/stable/c/876d04bf5a8ac1d6af5afd258cd37ab83ab2cf3d", }, { url: "https://git.kernel.org/stable/c/7b986c7430a6bb68d523dac7bfc74cbd5b44ef96", }, ], title: "ALSA: asihpi: Fix potential OOB array access", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50007", datePublished: "2024-10-21T18:54:00.611Z", dateReserved: "2024-10-21T12:17:06.060Z", dateUpdated: "2024-12-19T09:31:10.059Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49995
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-19 09:30
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tipc: guard against string buffer overrun
Smatch reports that copying media_name and if_name to name_parts may
overwrite the destination.
.../bearer.c:166 bearer_name_validate() error: strcpy() 'media_name' too large for 'name_parts->media_name' (32 vs 16)
.../bearer.c:167 bearer_name_validate() error: strcpy() 'if_name' too large for 'name_parts->if_name' (1010102 vs 16)
This does seem to be the case so guard against this possibility by using
strscpy() and failing if truncation occurs.
Introduced by commit b97bf3fd8f6a ("[TIPC] Initial merge")
Compile tested only.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49995", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:30:44.478513Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:42.020Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/tipc/bearer.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "8298b6e45fb4d8944f356b08e4ea3e54df5e0488", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "c79768ffba5b6e95569a463a69b3101c95694867", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "e2b2558971e02ca33eb637a8350d68a48b3e8e46", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "54dae0e9063ed23c9acf8d5ab9b18d3426a8ac18", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "80c0be7bcf940ce9308311575c3aff8983c9b97a", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "12d26aa7fd3cbdbc5149b6e516563478d575026e", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "2ed7f42dfd3edb387034128ca5b0f639836d4ddd", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "a18c7b239d02aafb791ae2c45226f6bb40641792", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "6555a2a9212be6983d2319d65276484f7c5f431a", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/tipc/bearer.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: guard against string buffer overrun\n\nSmatch reports that copying media_name and if_name to name_parts may\noverwrite the destination.\n\n .../bearer.c:166 bearer_name_validate() error: strcpy() 'media_name' too large for 'name_parts->media_name' (32 vs 16)\n .../bearer.c:167 bearer_name_validate() error: strcpy() 'if_name' too large for 'name_parts->if_name' (1010102 vs 16)\n\nThis does seem to be the case so guard against this possibility by using\nstrscpy() and failing if truncation occurs.\n\nIntroduced by commit b97bf3fd8f6a (\"[TIPC] Initial merge\")\n\nCompile tested only.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:30:54.482Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/8298b6e45fb4d8944f356b08e4ea3e54df5e0488", }, { url: "https://git.kernel.org/stable/c/c79768ffba5b6e95569a463a69b3101c95694867", }, { url: "https://git.kernel.org/stable/c/e2b2558971e02ca33eb637a8350d68a48b3e8e46", }, { url: "https://git.kernel.org/stable/c/54dae0e9063ed23c9acf8d5ab9b18d3426a8ac18", }, { url: "https://git.kernel.org/stable/c/80c0be7bcf940ce9308311575c3aff8983c9b97a", }, { url: "https://git.kernel.org/stable/c/12d26aa7fd3cbdbc5149b6e516563478d575026e", }, { url: "https://git.kernel.org/stable/c/2ed7f42dfd3edb387034128ca5b0f639836d4ddd", }, { url: "https://git.kernel.org/stable/c/a18c7b239d02aafb791ae2c45226f6bb40641792", }, { url: "https://git.kernel.org/stable/c/6555a2a9212be6983d2319d65276484f7c5f431a", }, ], title: "tipc: guard against string buffer overrun", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49995", datePublished: "2024-10-21T18:02:36.411Z", dateReserved: "2024-10-21T12:17:06.056Z", dateUpdated: "2024-12-19T09:30:54.482Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50062
Vulnerability from cvelistv5
Published
2024-10-21 19:39
Modified
2024-12-19 09:32
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rtrs-srv: Avoid null pointer deref during path establishment
For RTRS path establishment, RTRS client initiates and completes con_num
of connections. After establishing all its connections, the information
is exchanged between the client and server through the info_req message.
During this exchange, it is essential that all connections have been
established, and the state of the RTRS srv path is CONNECTED.
So add these sanity checks, to make sure we detect and abort process in
error scenarios to avoid null pointer deref.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50062", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:22:44.962134Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:42.012Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/infiniband/ulp/rtrs/rtrs-srv.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "394b2f4d5e014820455af3eb5859eb328eaafcfd", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "b5d4076664465487a9a3d226756995b12fb73d71", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "ccb8e44ae3e2391235f80ffc6be59bec6b889ead", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "b720792d7e8515bc695752e0ed5884e2ea34d12a", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "d0e62bf7b575fbfe591f6f570e7595dd60a2f5eb", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/infiniband/ulp/rtrs/rtrs-srv.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.57", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.4", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rtrs-srv: Avoid null pointer deref during path establishment\n\nFor RTRS path establishment, RTRS client initiates and completes con_num\nof connections. After establishing all its connections, the information\nis exchanged between the client and server through the info_req message.\nDuring this exchange, it is essential that all connections have been\nestablished, and the state of the RTRS srv path is CONNECTED.\n\nSo add these sanity checks, to make sure we detect and abort process in\nerror scenarios to avoid null pointer deref.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:32:15.648Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/394b2f4d5e014820455af3eb5859eb328eaafcfd", }, { url: "https://git.kernel.org/stable/c/b5d4076664465487a9a3d226756995b12fb73d71", }, { url: "https://git.kernel.org/stable/c/ccb8e44ae3e2391235f80ffc6be59bec6b889ead", }, { url: "https://git.kernel.org/stable/c/b720792d7e8515bc695752e0ed5884e2ea34d12a", }, { url: "https://git.kernel.org/stable/c/d0e62bf7b575fbfe591f6f570e7595dd60a2f5eb", }, ], title: "RDMA/rtrs-srv: Avoid null pointer deref during path establishment", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50062", datePublished: "2024-10-21T19:39:51.078Z", dateReserved: "2024-10-21T19:36:19.939Z", dateUpdated: "2024-12-19T09:32:15.648Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49992
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-19 09:30
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/stm: Avoid use-after-free issues with crtc and plane
ltdc_load() calls functions drm_crtc_init_with_planes(),
drm_universal_plane_init() and drm_encoder_init(). These functions
should not be called with parameters allocated with devm_kzalloc()
to avoid use-after-free issues [1].
Use allocations managed by the DRM framework.
Found by Linux Verification Center (linuxtesting.org).
[1]
https://lore.kernel.org/lkml/u366i76e3qhh3ra5oxrtngjtm2u5lterkekcz6y2jkndhuxzli@diujon4h7qwb/
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49992", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:31:07.009365Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:42.528Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/stm/drv.c", "drivers/gpu/drm/stm/ltdc.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "d02611ff001454358be6910cb926799e2d818716", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "0a1741d10da29aa84955ef89ae9a03c4b6038657", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "454e5d7e671946698af0f201e48469e5ddb42851", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "b22eec4b57d04befa90e8554ede34e6c67257606", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "19dd9780b7ac673be95bf6fd6892a184c9db611f", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/stm/drv.c", "drivers/gpu/drm/stm/ltdc.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/stm: Avoid use-after-free issues with crtc and plane\n\nltdc_load() calls functions drm_crtc_init_with_planes(),\ndrm_universal_plane_init() and drm_encoder_init(). These functions\nshould not be called with parameters allocated with devm_kzalloc()\nto avoid use-after-free issues [1].\n\nUse allocations managed by the DRM framework.\n\nFound by Linux Verification Center (linuxtesting.org).\n\n[1]\nhttps://lore.kernel.org/lkml/u366i76e3qhh3ra5oxrtngjtm2u5lterkekcz6y2jkndhuxzli@diujon4h7qwb/", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:30:52.010Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/d02611ff001454358be6910cb926799e2d818716", }, { url: "https://git.kernel.org/stable/c/0a1741d10da29aa84955ef89ae9a03c4b6038657", }, { url: "https://git.kernel.org/stable/c/454e5d7e671946698af0f201e48469e5ddb42851", }, { url: "https://git.kernel.org/stable/c/b22eec4b57d04befa90e8554ede34e6c67257606", }, { url: "https://git.kernel.org/stable/c/19dd9780b7ac673be95bf6fd6892a184c9db611f", }, ], title: "drm/stm: Avoid use-after-free issues with crtc and plane", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49992", datePublished: "2024-10-21T18:02:34.442Z", dateReserved: "2024-10-21T12:17:06.054Z", dateUpdated: "2024-12-19T09:30:52.010Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47716
Vulnerability from cvelistv5
Published
2024-10-21 11:53
Modified
2024-12-19 09:26
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ARM: 9410/1: vfp: Use asm volatile in fmrx/fmxr macros
Floating point instructions in userspace can crash some arm kernels
built with clang/LLD 17.0.6:
BUG: unsupported FP instruction in kernel mode
FPEXC == 0xc0000780
Internal error: Oops - undefined instruction: 0 [#1] ARM
CPU: 0 PID: 196 Comm: vfp-reproducer Not tainted 6.10.0 #1
Hardware name: BCM2835
PC is at vfp_support_entry+0xc8/0x2cc
LR is at do_undefinstr+0xa8/0x250
pc : [<c0101d50>] lr : [<c010a80c>] psr: a0000013
sp : dc8d1f68 ip : 60000013 fp : bedea19c
r10: ec532b17 r9 : 00000010 r8 : 0044766c
r7 : c0000780 r6 : ec532b17 r5 : c1c13800 r4 : dc8d1fb0
r3 : c10072c4 r2 : c0101c88 r1 : ec532b17 r0 : 0044766c
Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
Control: 00c5387d Table: 0251c008 DAC: 00000051
Register r0 information: non-paged memory
Register r1 information: vmalloc memory
Register r2 information: non-slab/vmalloc memory
Register r3 information: non-slab/vmalloc memory
Register r4 information: 2-page vmalloc region
Register r5 information: slab kmalloc-cg-2k
Register r6 information: vmalloc memory
Register r7 information: non-slab/vmalloc memory
Register r8 information: non-paged memory
Register r9 information: zero-size pointer
Register r10 information: vmalloc memory
Register r11 information: non-paged memory
Register r12 information: non-paged memory
Process vfp-reproducer (pid: 196, stack limit = 0x61aaaf8b)
Stack: (0xdc8d1f68 to 0xdc8d2000)
1f60: 0000081f b6f69300 0000000f c10073f4 c10072c4 dc8d1fb0
1f80: ec532b17 0c532b17 0044766c b6f9ccd8 00000000 c010a80c 00447670 60000010
1fa0: ffffffff c1c13800 00c5387d c0100f10 b6f68af8 00448fc0 00000000 bedea188
1fc0: bedea314 00000001 00448ebc b6f9d000 00447608 b6f9ccd8 00000000 bedea19c
1fe0: bede9198 bedea188 b6e1061c 0044766c 60000010 ffffffff 00000000 00000000
Call trace:
[<c0101d50>] (vfp_support_entry) from [<c010a80c>] (do_undefinstr+0xa8/0x250)
[<c010a80c>] (do_undefinstr) from [<c0100f10>] (__und_usr+0x70/0x80)
Exception stack(0xdc8d1fb0 to 0xdc8d1ff8)
1fa0: b6f68af8 00448fc0 00000000 bedea188
1fc0: bedea314 00000001 00448ebc b6f9d000 00447608 b6f9ccd8 00000000 bedea19c
1fe0: bede9198 bedea188 b6e1061c 0044766c 60000010 ffffffff
Code: 0a000061 e3877202 e594003c e3a09010 (eef16a10)
---[ end trace 0000000000000000 ]---
Kernel panic - not syncing: Fatal exception in interrupt
---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---
This is a minimal userspace reproducer on a Raspberry Pi Zero W:
#include <stdio.h>
#include <math.h>
int main(void)
{
double v = 1.0;
printf("%fn", NAN + *(volatile double *)&v);
return 0;
}
Another way to consistently trigger the oops is:
calvin@raspberry-pi-zero-w ~$ python -c "import json"
The bug reproduces only when the kernel is built with DYNAMIC_DEBUG=n,
because the pr_debug() calls act as barriers even when not activated.
This is the output from the same kernel source built with the same
compiler and DYNAMIC_DEBUG=y, where the userspace reproducer works as
expected:
VFP: bounce: trigger ec532b17 fpexc c0000780
VFP: emulate: INST=0xee377b06 SCR=0x00000000
VFP: bounce: trigger eef1fa10 fpexc c0000780
VFP: emulate: INST=0xeeb40b40 SCR=0x00000000
VFP: raising exceptions 30000000
calvin@raspberry-pi-zero-w ~$ ./vfp-reproducer
nan
Crudely grepping for vmsr/vmrs instructions in the otherwise nearly
idential text for vfp_support_entry() makes the problem obvious:
vmlinux.llvm.good [0xc0101cb8] <+48>: vmrs r7, fpexc
vmlinux.llvm.good [0xc0101cd8] <+80>: vmsr fpexc, r0
vmlinux.llvm.good [0xc0101d20
---truncated---
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47716", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:02:37.747830Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:18.288Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "arch/arm/vfp/vfpinstr.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "9fc60f2bdd43e758bdf0305c0fc83221419ddb3f", status: "affected", version: "4708fb041346fa9cc6745dafb8c248a3e2f1075b", versionType: "git", }, { lessThan: "cd595d87e5fdd2fc09ea69359aa85e7f12f4b97b", status: "affected", version: "4708fb041346fa9cc6745dafb8c248a3e2f1075b", versionType: "git", }, { lessThan: "39caf610a63786b3b0ef3348ac015edc19827d6a", status: "affected", version: "4708fb041346fa9cc6745dafb8c248a3e2f1075b", versionType: "git", }, { lessThan: "89a906dfa8c3b21b3e5360f73c49234ac1eb885b", status: "affected", version: "4708fb041346fa9cc6745dafb8c248a3e2f1075b", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "arch/arm/vfp/vfpinstr.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.6", }, { lessThan: "6.6", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: 9410/1: vfp: Use asm volatile in fmrx/fmxr macros\n\nFloating point instructions in userspace can crash some arm kernels\nbuilt with clang/LLD 17.0.6:\n\n BUG: unsupported FP instruction in kernel mode\n FPEXC == 0xc0000780\n Internal error: Oops - undefined instruction: 0 [#1] ARM\n CPU: 0 PID: 196 Comm: vfp-reproducer Not tainted 6.10.0 #1\n Hardware name: BCM2835\n PC is at vfp_support_entry+0xc8/0x2cc\n LR is at do_undefinstr+0xa8/0x250\n pc : [<c0101d50>] lr : [<c010a80c>] psr: a0000013\n sp : dc8d1f68 ip : 60000013 fp : bedea19c\n r10: ec532b17 r9 : 00000010 r8 : 0044766c\n r7 : c0000780 r6 : ec532b17 r5 : c1c13800 r4 : dc8d1fb0\n r3 : c10072c4 r2 : c0101c88 r1 : ec532b17 r0 : 0044766c\n Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none\n Control: 00c5387d Table: 0251c008 DAC: 00000051\n Register r0 information: non-paged memory\n Register r1 information: vmalloc memory\n Register r2 information: non-slab/vmalloc memory\n Register r3 information: non-slab/vmalloc memory\n Register r4 information: 2-page vmalloc region\n Register r5 information: slab kmalloc-cg-2k\n Register r6 information: vmalloc memory\n Register r7 information: non-slab/vmalloc memory\n Register r8 information: non-paged memory\n Register r9 information: zero-size pointer\n Register r10 information: vmalloc memory\n Register r11 information: non-paged memory\n Register r12 information: non-paged memory\n Process vfp-reproducer (pid: 196, stack limit = 0x61aaaf8b)\n Stack: (0xdc8d1f68 to 0xdc8d2000)\n 1f60: 0000081f b6f69300 0000000f c10073f4 c10072c4 dc8d1fb0\n 1f80: ec532b17 0c532b17 0044766c b6f9ccd8 00000000 c010a80c 00447670 60000010\n 1fa0: ffffffff c1c13800 00c5387d c0100f10 b6f68af8 00448fc0 00000000 bedea188\n 1fc0: bedea314 00000001 00448ebc b6f9d000 00447608 b6f9ccd8 00000000 bedea19c\n 1fe0: bede9198 bedea188 b6e1061c 0044766c 60000010 ffffffff 00000000 00000000\n Call trace:\n [<c0101d50>] (vfp_support_entry) from [<c010a80c>] (do_undefinstr+0xa8/0x250)\n [<c010a80c>] (do_undefinstr) from [<c0100f10>] (__und_usr+0x70/0x80)\n Exception stack(0xdc8d1fb0 to 0xdc8d1ff8)\n 1fa0: b6f68af8 00448fc0 00000000 bedea188\n 1fc0: bedea314 00000001 00448ebc b6f9d000 00447608 b6f9ccd8 00000000 bedea19c\n 1fe0: bede9198 bedea188 b6e1061c 0044766c 60000010 ffffffff\n Code: 0a000061 e3877202 e594003c e3a09010 (eef16a10)\n ---[ end trace 0000000000000000 ]---\n Kernel panic - not syncing: Fatal exception in interrupt\n ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---\n\nThis is a minimal userspace reproducer on a Raspberry Pi Zero W:\n\n #include <stdio.h>\n #include <math.h>\n\n int main(void)\n {\n double v = 1.0;\n printf(\"%fn\", NAN + *(volatile double *)&v);\n return 0;\n }\n\nAnother way to consistently trigger the oops is:\n\n calvin@raspberry-pi-zero-w ~$ python -c \"import json\"\n\nThe bug reproduces only when the kernel is built with DYNAMIC_DEBUG=n,\nbecause the pr_debug() calls act as barriers even when not activated.\n\nThis is the output from the same kernel source built with the same\ncompiler and DYNAMIC_DEBUG=y, where the userspace reproducer works as\nexpected:\n\n VFP: bounce: trigger ec532b17 fpexc c0000780\n VFP: emulate: INST=0xee377b06 SCR=0x00000000\n VFP: bounce: trigger eef1fa10 fpexc c0000780\n VFP: emulate: INST=0xeeb40b40 SCR=0x00000000\n VFP: raising exceptions 30000000\n\n calvin@raspberry-pi-zero-w ~$ ./vfp-reproducer\n nan\n\nCrudely grepping for vmsr/vmrs instructions in the otherwise nearly\nidential text for vfp_support_entry() makes the problem obvious:\n\n vmlinux.llvm.good [0xc0101cb8] <+48>: vmrs r7, fpexc\n vmlinux.llvm.good [0xc0101cd8] <+80>: vmsr fpexc, r0\n vmlinux.llvm.good [0xc0101d20\n---truncated---", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:26:41.821Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/9fc60f2bdd43e758bdf0305c0fc83221419ddb3f", }, { url: "https://git.kernel.org/stable/c/cd595d87e5fdd2fc09ea69359aa85e7f12f4b97b", }, { url: "https://git.kernel.org/stable/c/39caf610a63786b3b0ef3348ac015edc19827d6a", }, { url: "https://git.kernel.org/stable/c/89a906dfa8c3b21b3e5360f73c49234ac1eb885b", }, ], title: "ARM: 9410/1: vfp: Use asm volatile in fmrx/fmxr macros", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47716", datePublished: "2024-10-21T11:53:47.434Z", dateReserved: "2024-09-30T16:00:12.949Z", dateUpdated: "2024-12-19T09:26:41.821Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49991
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-19 09:30
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdkfd: amdkfd_free_gtt_mem clear the correct pointer
Pass pointer reference to amdgpu_bo_unref to clear the correct pointer,
otherwise amdgpu_bo_unref clear the local variable, the original pointer
not set to NULL, this could cause use-after-free bug.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49991", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:31:14.431279Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:42.686Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c", "drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h", "drivers/gpu/drm/amd/amdkfd/kfd_chardev.c", "drivers/gpu/drm/amd/amdkfd/kfd_device.c", "drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c", "drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager.c", "drivers/gpu/drm/amd/amdkfd/kfd_process.c", "drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "e7831613cbbcd9058d3658fbcdc5d5884ceb2e0c", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "30ceb873cc2e97348d9da2265b2d1ddf07f682e1", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "71f3240f82987f0f070ea5bed559033de7d4c0e1", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "6c9289806591807e4e3be9a23df8ee2069180055", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "c86ad39140bbcb9dc75a10046c2221f657e8083b", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c", "drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h", "drivers/gpu/drm/amd/amdkfd/kfd_chardev.c", "drivers/gpu/drm/amd/amdkfd/kfd_device.c", "drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c", "drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager.c", "drivers/gpu/drm/amd/amdkfd/kfd_process.c", "drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.118", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: amdkfd_free_gtt_mem clear the correct pointer\n\nPass pointer reference to amdgpu_bo_unref to clear the correct pointer,\notherwise amdgpu_bo_unref clear the local variable, the original pointer\nnot set to NULL, this could cause use-after-free bug.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:30:50.769Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/e7831613cbbcd9058d3658fbcdc5d5884ceb2e0c", }, { url: "https://git.kernel.org/stable/c/30ceb873cc2e97348d9da2265b2d1ddf07f682e1", }, { url: "https://git.kernel.org/stable/c/71f3240f82987f0f070ea5bed559033de7d4c0e1", }, { url: "https://git.kernel.org/stable/c/6c9289806591807e4e3be9a23df8ee2069180055", }, { url: "https://git.kernel.org/stable/c/c86ad39140bbcb9dc75a10046c2221f657e8083b", }, ], title: "drm/amdkfd: amdkfd_free_gtt_mem clear the correct pointer", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49991", datePublished: "2024-10-21T18:02:33.805Z", dateReserved: "2024-10-21T12:17:06.054Z", dateUpdated: "2024-12-19T09:30:50.769Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50026
Vulnerability from cvelistv5
Published
2024-10-21 19:39
Modified
2024-12-19 09:31
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: wd33c93: Don't use stale scsi_pointer value
A regression was introduced with commit dbb2da557a6a ("scsi: wd33c93:
Move the SCSI pointer to private command data") which results in an oops
in wd33c93_intr(). That commit added the scsi_pointer variable and
initialized it from hostdata->connected. However, during selection,
hostdata->connected is not yet valid. Fix this by getting the current
scsi_pointer from hostdata->selecting.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50026", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:26:45.594464Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:46.514Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/scsi/wd33c93.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "3afeceda855dea9b85cddd96307d4d17c8742005", status: "affected", version: "dbb2da557a6a87c88bbb4b1fef037091b57f701b", versionType: "git", }, { lessThan: "e04642a207f1d2ae28a08624c04c67f5681f3451", status: "affected", version: "dbb2da557a6a87c88bbb4b1fef037091b57f701b", versionType: "git", }, { lessThan: "b60ff1a95c7c386cdd6153de3d7d85edaeabd800", status: "affected", version: "dbb2da557a6a87c88bbb4b1fef037091b57f701b", versionType: "git", }, { lessThan: "9023ed8d91eb1fcc93e64dc4962f7412b1c4cbec", status: "affected", version: "dbb2da557a6a87c88bbb4b1fef037091b57f701b", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/scsi/wd33c93.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.18", }, { lessThan: "5.18", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.57", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.4", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: wd33c93: Don't use stale scsi_pointer value\n\nA regression was introduced with commit dbb2da557a6a (\"scsi: wd33c93:\nMove the SCSI pointer to private command data\") which results in an oops\nin wd33c93_intr(). That commit added the scsi_pointer variable and\ninitialized it from hostdata->connected. However, during selection,\nhostdata->connected is not yet valid. Fix this by getting the current\nscsi_pointer from hostdata->selecting.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:31:37.271Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/3afeceda855dea9b85cddd96307d4d17c8742005", }, { url: "https://git.kernel.org/stable/c/e04642a207f1d2ae28a08624c04c67f5681f3451", }, { url: "https://git.kernel.org/stable/c/b60ff1a95c7c386cdd6153de3d7d85edaeabd800", }, { url: "https://git.kernel.org/stable/c/9023ed8d91eb1fcc93e64dc4962f7412b1c4cbec", }, ], title: "scsi: wd33c93: Don't use stale scsi_pointer value", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50026", datePublished: "2024-10-21T19:39:30.495Z", dateReserved: "2024-10-21T12:17:06.065Z", dateUpdated: "2024-12-19T09:31:37.271Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48976
Vulnerability from cvelistv5
Published
2024-10-21 20:05
Modified
2024-12-19 08:11
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: flowtable_offload: fix using __this_cpu_add in preemptible
flow_offload_queue_work() can be called in workqueue without
bh disabled, like the call trace showed in my act_ct testing,
calling NF_FLOW_TABLE_STAT_INC() there would cause a call
trace:
BUG: using __this_cpu_add() in preemptible [00000000] code: kworker/u4:0/138560
caller is flow_offload_queue_work+0xec/0x1b0 [nf_flow_table]
Workqueue: act_ct_workqueue tcf_ct_flow_table_cleanup_work [act_ct]
Call Trace:
<TASK>
dump_stack_lvl+0x33/0x46
check_preemption_disabled+0xc3/0xf0
flow_offload_queue_work+0xec/0x1b0 [nf_flow_table]
nf_flow_table_iterate+0x138/0x170 [nf_flow_table]
nf_flow_table_free+0x140/0x1a0 [nf_flow_table]
tcf_ct_flow_table_cleanup_work+0x2f/0x2b0 [act_ct]
process_one_work+0x6a3/0x1030
worker_thread+0x8a/0xdf0
This patch fixes it by using NF_FLOW_TABLE_STAT_INC_ATOMIC()
instead in flow_offload_queue_work().
Note that for FLOW_CLS_REPLACE branch in flow_offload_queue_work(),
it may not be called in preemptible path, but it's good to use
NF_FLOW_TABLE_STAT_INC_ATOMIC() for all cases in
flow_offload_queue_work().
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48976", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:18:28.477565Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:44.516Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/netfilter/nf_flow_table_offload.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "a220a11fda012fba506b35929672374c2723ae6d", status: "affected", version: "b038177636f83bbf87c2b238706474145dd2cd04", versionType: "git", }, { lessThan: "a81047154e7ce4eb8769d5d21adcbc9693542a79", status: "affected", version: "b038177636f83bbf87c2b238706474145dd2cd04", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/netfilter/nf_flow_table_offload.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.0", }, { lessThan: "6.0", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.13", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: flowtable_offload: fix using __this_cpu_add in preemptible\n\nflow_offload_queue_work() can be called in workqueue without\nbh disabled, like the call trace showed in my act_ct testing,\ncalling NF_FLOW_TABLE_STAT_INC() there would cause a call\ntrace:\n\n BUG: using __this_cpu_add() in preemptible [00000000] code: kworker/u4:0/138560\n caller is flow_offload_queue_work+0xec/0x1b0 [nf_flow_table]\n Workqueue: act_ct_workqueue tcf_ct_flow_table_cleanup_work [act_ct]\n Call Trace:\n <TASK>\n dump_stack_lvl+0x33/0x46\n check_preemption_disabled+0xc3/0xf0\n flow_offload_queue_work+0xec/0x1b0 [nf_flow_table]\n nf_flow_table_iterate+0x138/0x170 [nf_flow_table]\n nf_flow_table_free+0x140/0x1a0 [nf_flow_table]\n tcf_ct_flow_table_cleanup_work+0x2f/0x2b0 [act_ct]\n process_one_work+0x6a3/0x1030\n worker_thread+0x8a/0xdf0\n\nThis patch fixes it by using NF_FLOW_TABLE_STAT_INC_ATOMIC()\ninstead in flow_offload_queue_work().\n\nNote that for FLOW_CLS_REPLACE branch in flow_offload_queue_work(),\nit may not be called in preemptible path, but it's good to use\nNF_FLOW_TABLE_STAT_INC_ATOMIC() for all cases in\nflow_offload_queue_work().", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:11:44.405Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/a220a11fda012fba506b35929672374c2723ae6d", }, { url: "https://git.kernel.org/stable/c/a81047154e7ce4eb8769d5d21adcbc9693542a79", }, ], title: "netfilter: flowtable_offload: fix using __this_cpu_add in preemptible", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48976", datePublished: "2024-10-21T20:05:55.739Z", dateReserved: "2024-08-22T01:27:53.632Z", dateUpdated: "2024-12-19T08:11:44.405Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48979
Vulnerability from cvelistv5
Published
2024-10-21 20:05
Modified
2024-12-19 08:11
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: fix array index out of bound error in DCN32 DML
[Why&How]
LinkCapacitySupport array is indexed with the number of voltage states and
not the number of max DPPs. Fix the error by changing the array
declaration to use the correct (larger) array size of total number of
voltage states.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48979", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:18:06.288121Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:44.044Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/dml/display_mode_vba.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "3d8a298b2e83b98042e6ec726e934f535b23e6aa", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "aeffc8fb2174f017a10df114bc312f899904dc68", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/dml/display_mode_vba.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.13", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: fix array index out of bound error in DCN32 DML\n\n[Why&How]\nLinkCapacitySupport array is indexed with the number of voltage states and\nnot the number of max DPPs. Fix the error by changing the array\ndeclaration to use the correct (larger) array size of total number of\nvoltage states.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:11:48.555Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/3d8a298b2e83b98042e6ec726e934f535b23e6aa", }, { url: "https://git.kernel.org/stable/c/aeffc8fb2174f017a10df114bc312f899904dc68", }, ], title: "drm/amd/display: fix array index out of bound error in DCN32 DML", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48979", datePublished: "2024-10-21T20:05:57.707Z", dateReserved: "2024-08-22T01:27:53.632Z", dateUpdated: "2024-12-19T08:11:48.555Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47704
Vulnerability from cvelistv5
Published
2024-10-21 11:53
Modified
2024-12-19 09:26
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Check link_res->hpo_dp_link_enc before using it
[WHAT & HOW]
Functions dp_enable_link_phy and dp_disable_link_phy can pass link_res
without initializing hpo_dp_link_enc and it is necessary to check for
null before dereferencing.
This fixes 2 FORWARD_NULL issues reported by Coverity.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47704", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:04:08.947653Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:14:13.147Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/link/hwss/link_hwss_hpo_dp.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "be2ca7a2c1561390d28bf2f92654d819659ba510", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "530e29452b955c30cf2102fa4d07420dc6e0c953", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "0508a4e95ac1aefd851ceb97ea050d8abb93262c", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "0beca868cde8742240cd0038141c30482d2b7eb8", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/link/hwss/link_hwss_hpo_dp.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check link_res->hpo_dp_link_enc before using it\n\n[WHAT & HOW]\nFunctions dp_enable_link_phy and dp_disable_link_phy can pass link_res\nwithout initializing hpo_dp_link_enc and it is necessary to check for\nnull before dereferencing.\n\nThis fixes 2 FORWARD_NULL issues reported by Coverity.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:26:26.867Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/be2ca7a2c1561390d28bf2f92654d819659ba510", }, { url: "https://git.kernel.org/stable/c/530e29452b955c30cf2102fa4d07420dc6e0c953", }, { url: "https://git.kernel.org/stable/c/0508a4e95ac1aefd851ceb97ea050d8abb93262c", }, { url: "https://git.kernel.org/stable/c/0beca868cde8742240cd0038141c30482d2b7eb8", }, ], title: "drm/amd/display: Check link_res->hpo_dp_link_enc before using it", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47704", datePublished: "2024-10-21T11:53:39.381Z", dateReserved: "2024-09-30T16:00:12.946Z", dateUpdated: "2024-12-19T09:26:26.867Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47744
Vulnerability from cvelistv5
Published
2024-10-21 12:14
Modified
2024-12-19 09:27
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: Use dedicated mutex to protect kvm_usage_count to avoid deadlock
Use a dedicated mutex to guard kvm_usage_count to fix a potential deadlock
on x86 due to a chain of locks and SRCU synchronizations. Translating the
below lockdep splat, CPU1 #6 will wait on CPU0 #1, CPU0 #8 will wait on
CPU2 #3, and CPU2 #7 will wait on CPU1 #4 (if there's a writer, due to the
fairness of r/w semaphores).
CPU0 CPU1 CPU2
1 lock(&kvm->slots_lock);
2 lock(&vcpu->mutex);
3 lock(&kvm->srcu);
4 lock(cpu_hotplug_lock);
5 lock(kvm_lock);
6 lock(&kvm->slots_lock);
7 lock(cpu_hotplug_lock);
8 sync(&kvm->srcu);
Note, there are likely more potential deadlocks in KVM x86, e.g. the same
pattern of taking cpu_hotplug_lock outside of kvm_lock likely exists with
__kvmclock_cpufreq_notifier():
cpuhp_cpufreq_online()
|
-> cpufreq_online()
|
-> cpufreq_gov_performance_limits()
|
-> __cpufreq_driver_target()
|
-> __target_index()
|
-> cpufreq_freq_transition_begin()
|
-> cpufreq_notify_transition()
|
-> ... __kvmclock_cpufreq_notifier()
But, actually triggering such deadlocks is beyond rare due to the
combination of dependencies and timings involved. E.g. the cpufreq
notifier is only used on older CPUs without a constant TSC, mucking with
the NX hugepage mitigation while VMs are running is very uncommon, and
doing so while also onlining/offlining a CPU (necessary to generate
contention on cpu_hotplug_lock) would be even more unusual.
The most robust solution to the general cpu_hotplug_lock issue is likely
to switch vm_list to be an RCU-protected list, e.g. so that x86's cpufreq
notifier doesn't to take kvm_lock. For now, settle for fixing the most
blatant deadlock, as switching to an RCU-protected list is a much more
involved change, but add a comment in locking.rst to call out that care
needs to be taken when walking holding kvm_lock and walking vm_list.
======================================================
WARNING: possible circular locking dependency detected
6.10.0-smp--c257535a0c9d-pip #330 Tainted: G S O
------------------------------------------------------
tee/35048 is trying to acquire lock:
ff6a80eced71e0a8 (&kvm->slots_lock){+.+.}-{3:3}, at: set_nx_huge_pages+0x179/0x1e0 [kvm]
but task is already holding lock:
ffffffffc07abb08 (kvm_lock){+.+.}-{3:3}, at: set_nx_huge_pages+0x14a/0x1e0 [kvm]
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #3 (kvm_lock){+.+.}-{3:3}:
__mutex_lock+0x6a/0xb40
mutex_lock_nested+0x1f/0x30
kvm_dev_ioctl+0x4fb/0xe50 [kvm]
__se_sys_ioctl+0x7b/0xd0
__x64_sys_ioctl+0x21/0x30
x64_sys_call+0x15d0/0x2e60
do_syscall_64+0x83/0x160
entry_SYSCALL_64_after_hwframe+0x76/0x7e
-> #2 (cpu_hotplug_lock){++++}-{0:0}:
cpus_read_lock+0x2e/0xb0
static_key_slow_inc+0x16/0x30
kvm_lapic_set_base+0x6a/0x1c0 [kvm]
kvm_set_apic_base+0x8f/0xe0 [kvm]
kvm_set_msr_common+0x9ae/0xf80 [kvm]
vmx_set_msr+0xa54/0xbe0 [kvm_intel]
__kvm_set_msr+0xb6/0x1a0 [kvm]
kvm_arch_vcpu_ioctl+0xeca/0x10c0 [kvm]
kvm_vcpu_ioctl+0x485/0x5b0 [kvm]
__se_sys_ioctl+0x7b/0xd0
__x64_sys_ioctl+0x21/0x30
x64_sys_call+0x15d0/0x2e60
do_syscall_64+0x83/0x160
entry_SYSCALL_64_after_hwframe+0x76/0x7e
-> #1 (&kvm->srcu){.+.+}-{0:0}:
__synchronize_srcu+0x44/0x1a0
---truncated---
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47744", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T12:58:48.680064Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:14.065Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "Documentation/virt/kvm/locking.rst", "virt/kvm/kvm_main.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "4777225ec89f52bb9ca16a33cfb44c189f1b7b47", status: "affected", version: "0bf50497f03b3d892c470c7d1a10a3e9c3c95821", versionType: "git", }, { lessThan: "a2764afce521fd9fd7a5ff6ed52ac2095873128a", status: "affected", version: "0bf50497f03b3d892c470c7d1a10a3e9c3c95821", versionType: "git", }, { lessThan: "760a196e6dcb29580e468b44b5400171dae184d8", status: "affected", version: "0bf50497f03b3d892c470c7d1a10a3e9c3c95821", versionType: "git", }, { lessThan: "44d17459626052a2390457e550a12cb973506b2f", status: "affected", version: "0bf50497f03b3d892c470c7d1a10a3e9c3c95821", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "Documentation/virt/kvm/locking.rst", "virt/kvm/kvm_main.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.3", }, { lessThan: "6.3", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Use dedicated mutex to protect kvm_usage_count to avoid deadlock\n\nUse a dedicated mutex to guard kvm_usage_count to fix a potential deadlock\non x86 due to a chain of locks and SRCU synchronizations. Translating the\nbelow lockdep splat, CPU1 #6 will wait on CPU0 #1, CPU0 #8 will wait on\nCPU2 #3, and CPU2 #7 will wait on CPU1 #4 (if there's a writer, due to the\nfairness of r/w semaphores).\n\n CPU0 CPU1 CPU2\n1 lock(&kvm->slots_lock);\n2 lock(&vcpu->mutex);\n3 lock(&kvm->srcu);\n4 lock(cpu_hotplug_lock);\n5 lock(kvm_lock);\n6 lock(&kvm->slots_lock);\n7 lock(cpu_hotplug_lock);\n8 sync(&kvm->srcu);\n\nNote, there are likely more potential deadlocks in KVM x86, e.g. the same\npattern of taking cpu_hotplug_lock outside of kvm_lock likely exists with\n__kvmclock_cpufreq_notifier():\n\n cpuhp_cpufreq_online()\n |\n -> cpufreq_online()\n |\n -> cpufreq_gov_performance_limits()\n |\n -> __cpufreq_driver_target()\n |\n -> __target_index()\n |\n -> cpufreq_freq_transition_begin()\n |\n -> cpufreq_notify_transition()\n |\n -> ... __kvmclock_cpufreq_notifier()\n\nBut, actually triggering such deadlocks is beyond rare due to the\ncombination of dependencies and timings involved. E.g. the cpufreq\nnotifier is only used on older CPUs without a constant TSC, mucking with\nthe NX hugepage mitigation while VMs are running is very uncommon, and\ndoing so while also onlining/offlining a CPU (necessary to generate\ncontention on cpu_hotplug_lock) would be even more unusual.\n\nThe most robust solution to the general cpu_hotplug_lock issue is likely\nto switch vm_list to be an RCU-protected list, e.g. so that x86's cpufreq\nnotifier doesn't to take kvm_lock. For now, settle for fixing the most\nblatant deadlock, as switching to an RCU-protected list is a much more\ninvolved change, but add a comment in locking.rst to call out that care\nneeds to be taken when walking holding kvm_lock and walking vm_list.\n\n ======================================================\n WARNING: possible circular locking dependency detected\n 6.10.0-smp--c257535a0c9d-pip #330 Tainted: G S O\n ------------------------------------------------------\n tee/35048 is trying to acquire lock:\n ff6a80eced71e0a8 (&kvm->slots_lock){+.+.}-{3:3}, at: set_nx_huge_pages+0x179/0x1e0 [kvm]\n\n but task is already holding lock:\n ffffffffc07abb08 (kvm_lock){+.+.}-{3:3}, at: set_nx_huge_pages+0x14a/0x1e0 [kvm]\n\n which lock already depends on the new lock.\n\n the existing dependency chain (in reverse order) is:\n\n -> #3 (kvm_lock){+.+.}-{3:3}:\n __mutex_lock+0x6a/0xb40\n mutex_lock_nested+0x1f/0x30\n kvm_dev_ioctl+0x4fb/0xe50 [kvm]\n __se_sys_ioctl+0x7b/0xd0\n __x64_sys_ioctl+0x21/0x30\n x64_sys_call+0x15d0/0x2e60\n do_syscall_64+0x83/0x160\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n -> #2 (cpu_hotplug_lock){++++}-{0:0}:\n cpus_read_lock+0x2e/0xb0\n static_key_slow_inc+0x16/0x30\n kvm_lapic_set_base+0x6a/0x1c0 [kvm]\n kvm_set_apic_base+0x8f/0xe0 [kvm]\n kvm_set_msr_common+0x9ae/0xf80 [kvm]\n vmx_set_msr+0xa54/0xbe0 [kvm_intel]\n __kvm_set_msr+0xb6/0x1a0 [kvm]\n kvm_arch_vcpu_ioctl+0xeca/0x10c0 [kvm]\n kvm_vcpu_ioctl+0x485/0x5b0 [kvm]\n __se_sys_ioctl+0x7b/0xd0\n __x64_sys_ioctl+0x21/0x30\n x64_sys_call+0x15d0/0x2e60\n do_syscall_64+0x83/0x160\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n -> #1 (&kvm->srcu){.+.+}-{0:0}:\n __synchronize_srcu+0x44/0x1a0\n \n---truncated---", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:27:15.269Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/4777225ec89f52bb9ca16a33cfb44c189f1b7b47", }, { url: "https://git.kernel.org/stable/c/a2764afce521fd9fd7a5ff6ed52ac2095873128a", }, { url: "https://git.kernel.org/stable/c/760a196e6dcb29580e468b44b5400171dae184d8", }, { url: "https://git.kernel.org/stable/c/44d17459626052a2390457e550a12cb973506b2f", }, ], title: "KVM: Use dedicated mutex to protect kvm_usage_count to avoid deadlock", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47744", datePublished: "2024-10-21T12:14:11.830Z", dateReserved: "2024-09-30T16:00:12.960Z", dateUpdated: "2024-12-19T09:27:15.269Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49930
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:29
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath11k: fix array out-of-bound access in SoC stats
Currently, the ath11k_soc_dp_stats::hal_reo_error array is defined with a
maximum size of DP_REO_DST_RING_MAX. However, the ath11k_dp_process_rx()
function access ath11k_soc_dp_stats::hal_reo_error using the REO
destination SRNG ring ID, which is incorrect. SRNG ring ID differ from
normal ring ID, and this usage leads to out-of-bounds array access. To fix
this issue, modify ath11k_dp_process_rx() to use the normal ring ID
directly instead of the SRNG ring ID to avoid out-of-bounds array access.
Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: d5c65159f2895379e11ca13f62feabe93278985d Version: d5c65159f2895379e11ca13f62feabe93278985d Version: d5c65159f2895379e11ca13f62feabe93278985d Version: d5c65159f2895379e11ca13f62feabe93278985d Version: d5c65159f2895379e11ca13f62feabe93278985d Version: d5c65159f2895379e11ca13f62feabe93278985d Version: d5c65159f2895379e11ca13f62feabe93278985d |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49930", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:39:11.615882Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:43.370Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/wireless/ath/ath11k/dp_rx.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "0f26f26944035ec67546a944f182cbad6577a9c0", status: "affected", version: "d5c65159f2895379e11ca13f62feabe93278985d", versionType: "git", }, { lessThan: "4dd732893bd38cec51f887244314e2b47f0d658f", status: "affected", version: "d5c65159f2895379e11ca13f62feabe93278985d", versionType: "git", }, { lessThan: "73e235728e515faccc104b0153b47d0f263b3344", status: "affected", version: "d5c65159f2895379e11ca13f62feabe93278985d", versionType: "git", }, { lessThan: "7a552bc2f3efe2aaf77a85cb34cdf4a63d81a1a7", status: "affected", version: "d5c65159f2895379e11ca13f62feabe93278985d", versionType: "git", }, { lessThan: "6045ef5b4b00fee3629689f791992900a1c94009", status: "affected", version: "d5c65159f2895379e11ca13f62feabe93278985d", versionType: "git", }, { lessThan: "01b77f5ee11c89754fb836af8f76799d3b72ae2f", status: "affected", version: "d5c65159f2895379e11ca13f62feabe93278985d", versionType: "git", }, { lessThan: "69f253e46af98af17e3efa3e5dfa72fcb7d1983d", status: "affected", version: "d5c65159f2895379e11ca13f62feabe93278985d", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/wireless/ath/ath11k/dp_rx.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.6", }, { lessThan: "5.6", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: fix array out-of-bound access in SoC stats\n\nCurrently, the ath11k_soc_dp_stats::hal_reo_error array is defined with a\nmaximum size of DP_REO_DST_RING_MAX. However, the ath11k_dp_process_rx()\nfunction access ath11k_soc_dp_stats::hal_reo_error using the REO\ndestination SRNG ring ID, which is incorrect. SRNG ring ID differ from\nnormal ring ID, and this usage leads to out-of-bounds array access. To fix\nthis issue, modify ath11k_dp_process_rx() to use the normal ring ID\ndirectly instead of the SRNG ring ID to avoid out-of-bounds array access.\n\nTested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:29:15.994Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/0f26f26944035ec67546a944f182cbad6577a9c0", }, { url: "https://git.kernel.org/stable/c/4dd732893bd38cec51f887244314e2b47f0d658f", }, { url: "https://git.kernel.org/stable/c/73e235728e515faccc104b0153b47d0f263b3344", }, { url: "https://git.kernel.org/stable/c/7a552bc2f3efe2aaf77a85cb34cdf4a63d81a1a7", }, { url: "https://git.kernel.org/stable/c/6045ef5b4b00fee3629689f791992900a1c94009", }, { url: "https://git.kernel.org/stable/c/01b77f5ee11c89754fb836af8f76799d3b72ae2f", }, { url: "https://git.kernel.org/stable/c/69f253e46af98af17e3efa3e5dfa72fcb7d1983d", }, ], title: "wifi: ath11k: fix array out-of-bound access in SoC stats", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49930", datePublished: "2024-10-21T18:01:53.126Z", dateReserved: "2024-10-21T12:17:06.039Z", dateUpdated: "2024-12-19T09:29:15.994Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50045
Vulnerability from cvelistv5
Published
2024-10-21 19:39
Modified
2024-12-19 09:32
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: br_netfilter: fix panic with metadata_dst skb
Fix a kernel panic in the br_netfilter module when sending untagged
traffic via a VxLAN device.
This happens during the check for fragmentation in br_nf_dev_queue_xmit.
It is dependent on:
1) the br_netfilter module being loaded;
2) net.bridge.bridge-nf-call-iptables set to 1;
3) a bridge with a VxLAN (single-vxlan-device) netdevice as a bridge port;
4) untagged frames with size higher than the VxLAN MTU forwarded/flooded
When forwarding the untagged packet to the VxLAN bridge port, before
the netfilter hooks are called, br_handle_egress_vlan_tunnel is called and
changes the skb_dst to the tunnel dst. The tunnel_dst is a metadata type
of dst, i.e., skb_valid_dst(skb) is false, and metadata->dst.dev is NULL.
Then in the br_netfilter hooks, in br_nf_dev_queue_xmit, there's a check
for frames that needs to be fragmented: frames with higher MTU than the
VxLAN device end up calling br_nf_ip_fragment, which in turns call
ip_skb_dst_mtu.
The ip_dst_mtu tries to use the skb_dst(skb) as if it was a valid dst
with valid dst->dev, thus the crash.
This case was never supported in the first place, so drop the packet
instead.
PING 10.0.0.2 (10.0.0.2) from 0.0.0.0 h1-eth0: 2000(2028) bytes of data.
[ 176.291791] Unable to handle kernel NULL pointer dereference at
virtual address 0000000000000110
[ 176.292101] Mem abort info:
[ 176.292184] ESR = 0x0000000096000004
[ 176.292322] EC = 0x25: DABT (current EL), IL = 32 bits
[ 176.292530] SET = 0, FnV = 0
[ 176.292709] EA = 0, S1PTW = 0
[ 176.292862] FSC = 0x04: level 0 translation fault
[ 176.293013] Data abort info:
[ 176.293104] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[ 176.293488] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 176.293787] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 176.293995] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000043ef5000
[ 176.294166] [0000000000000110] pgd=0000000000000000,
p4d=0000000000000000
[ 176.294827] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
[ 176.295252] Modules linked in: vxlan ip6_udp_tunnel udp_tunnel veth
br_netfilter bridge stp llc ipv6 crct10dif_ce
[ 176.295923] CPU: 0 PID: 188 Comm: ping Not tainted
6.8.0-rc3-g5b3fbd61b9d1 #2
[ 176.296314] Hardware name: linux,dummy-virt (DT)
[ 176.296535] pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS
BTYPE=--)
[ 176.296808] pc : br_nf_dev_queue_xmit+0x390/0x4ec [br_netfilter]
[ 176.297382] lr : br_nf_dev_queue_xmit+0x2ac/0x4ec [br_netfilter]
[ 176.297636] sp : ffff800080003630
[ 176.297743] x29: ffff800080003630 x28: 0000000000000008 x27:
ffff6828c49ad9f8
[ 176.298093] x26: ffff6828c49ad000 x25: 0000000000000000 x24:
00000000000003e8
[ 176.298430] x23: 0000000000000000 x22: ffff6828c4960b40 x21:
ffff6828c3b16d28
[ 176.298652] x20: ffff6828c3167048 x19: ffff6828c3b16d00 x18:
0000000000000014
[ 176.298926] x17: ffffb0476322f000 x16: ffffb7e164023730 x15:
0000000095744632
[ 176.299296] x14: ffff6828c3f1c880 x13: 0000000000000002 x12:
ffffb7e137926a70
[ 176.299574] x11: 0000000000000001 x10: ffff6828c3f1c898 x9 :
0000000000000000
[ 176.300049] x8 : ffff6828c49bf070 x7 : 0008460f18d5f20e x6 :
f20e0100bebafeca
[ 176.300302] x5 : ffff6828c7f918fe x4 : ffff6828c49bf070 x3 :
0000000000000000
[ 176.300586] x2 : 0000000000000000 x1 : ffff6828c3c7ad00 x0 :
ffff6828c7f918f0
[ 176.300889] Call trace:
[ 176.301123] br_nf_dev_queue_xmit+0x390/0x4ec [br_netfilter]
[ 176.301411] br_nf_post_routing+0x2a8/0x3e4 [br_netfilter]
[ 176.301703] nf_hook_slow+0x48/0x124
[ 176.302060] br_forward_finish+0xc8/0xe8 [bridge]
[ 176.302371] br_nf_hook_thresh+0x124/0x134 [br_netfilter]
[ 176.302605] br_nf_forward_finish+0x118/0x22c [br_netfilter]
[ 176.302824] br_nf_forward_ip.part.0+0x264/0x290 [br_netfilter]
[ 176.303136] br_nf_forward+0x2b8/0x4e0 [br_netfilter]
[ 176.303359] nf_hook_slow+0x48/0x124
[ 176.303
---truncated---
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 11538d039ac6efcf4f1a6c536e1b87cd3668a9fd Version: 11538d039ac6efcf4f1a6c536e1b87cd3668a9fd Version: 11538d039ac6efcf4f1a6c536e1b87cd3668a9fd Version: 11538d039ac6efcf4f1a6c536e1b87cd3668a9fd Version: 11538d039ac6efcf4f1a6c536e1b87cd3668a9fd Version: 11538d039ac6efcf4f1a6c536e1b87cd3668a9fd Version: 11538d039ac6efcf4f1a6c536e1b87cd3668a9fd Version: 11538d039ac6efcf4f1a6c536e1b87cd3668a9fd |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50045", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:24:15.720711Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:43.698Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/bridge/br_netfilter_hooks.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "f07131239a76cc10d5e82c19d91f53cb55727297", status: "affected", version: "11538d039ac6efcf4f1a6c536e1b87cd3668a9fd", versionType: "git", }, { lessThan: "75dfcb758015c97e1accd6340691fca67d363bed", status: "affected", version: "11538d039ac6efcf4f1a6c536e1b87cd3668a9fd", versionType: "git", }, { lessThan: "cce8419b8168f6e7eb637103a47f916f3de8bc81", status: "affected", version: "11538d039ac6efcf4f1a6c536e1b87cd3668a9fd", versionType: "git", }, { lessThan: "95c0cff5a1a5d28bf623b92eb5d1a8f56ed30803", status: "affected", version: "11538d039ac6efcf4f1a6c536e1b87cd3668a9fd", versionType: "git", }, { lessThan: "78ed917133b118661e1fe62d4a85d5d428ee9568", status: "affected", version: "11538d039ac6efcf4f1a6c536e1b87cd3668a9fd", versionType: "git", }, { lessThan: "3453f5839420bfbb85c86c61e49f49ffd0f041c4", status: "affected", version: "11538d039ac6efcf4f1a6c536e1b87cd3668a9fd", versionType: "git", }, { lessThan: "915717e0bb9837cc5c101bc545af487bd787239e", status: "affected", version: "11538d039ac6efcf4f1a6c536e1b87cd3668a9fd", versionType: "git", }, { lessThan: "f9ff7665cd128012868098bbd07e28993e314fdb", status: "affected", version: "11538d039ac6efcf4f1a6c536e1b87cd3668a9fd", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/bridge/br_netfilter_hooks.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "4.11", }, { lessThan: "4.11", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.57", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.4", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: br_netfilter: fix panic with metadata_dst skb\n\nFix a kernel panic in the br_netfilter module when sending untagged\ntraffic via a VxLAN device.\nThis happens during the check for fragmentation in br_nf_dev_queue_xmit.\n\nIt is dependent on:\n1) the br_netfilter module being loaded;\n2) net.bridge.bridge-nf-call-iptables set to 1;\n3) a bridge with a VxLAN (single-vxlan-device) netdevice as a bridge port;\n4) untagged frames with size higher than the VxLAN MTU forwarded/flooded\n\nWhen forwarding the untagged packet to the VxLAN bridge port, before\nthe netfilter hooks are called, br_handle_egress_vlan_tunnel is called and\nchanges the skb_dst to the tunnel dst. The tunnel_dst is a metadata type\nof dst, i.e., skb_valid_dst(skb) is false, and metadata->dst.dev is NULL.\n\nThen in the br_netfilter hooks, in br_nf_dev_queue_xmit, there's a check\nfor frames that needs to be fragmented: frames with higher MTU than the\nVxLAN device end up calling br_nf_ip_fragment, which in turns call\nip_skb_dst_mtu.\n\nThe ip_dst_mtu tries to use the skb_dst(skb) as if it was a valid dst\nwith valid dst->dev, thus the crash.\n\nThis case was never supported in the first place, so drop the packet\ninstead.\n\nPING 10.0.0.2 (10.0.0.2) from 0.0.0.0 h1-eth0: 2000(2028) bytes of data.\n[ 176.291791] Unable to handle kernel NULL pointer dereference at\nvirtual address 0000000000000110\n[ 176.292101] Mem abort info:\n[ 176.292184] ESR = 0x0000000096000004\n[ 176.292322] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 176.292530] SET = 0, FnV = 0\n[ 176.292709] EA = 0, S1PTW = 0\n[ 176.292862] FSC = 0x04: level 0 translation fault\n[ 176.293013] Data abort info:\n[ 176.293104] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n[ 176.293488] CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[ 176.293787] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[ 176.293995] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000043ef5000\n[ 176.294166] [0000000000000110] pgd=0000000000000000,\np4d=0000000000000000\n[ 176.294827] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP\n[ 176.295252] Modules linked in: vxlan ip6_udp_tunnel udp_tunnel veth\nbr_netfilter bridge stp llc ipv6 crct10dif_ce\n[ 176.295923] CPU: 0 PID: 188 Comm: ping Not tainted\n6.8.0-rc3-g5b3fbd61b9d1 #2\n[ 176.296314] Hardware name: linux,dummy-virt (DT)\n[ 176.296535] pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS\nBTYPE=--)\n[ 176.296808] pc : br_nf_dev_queue_xmit+0x390/0x4ec [br_netfilter]\n[ 176.297382] lr : br_nf_dev_queue_xmit+0x2ac/0x4ec [br_netfilter]\n[ 176.297636] sp : ffff800080003630\n[ 176.297743] x29: ffff800080003630 x28: 0000000000000008 x27:\nffff6828c49ad9f8\n[ 176.298093] x26: ffff6828c49ad000 x25: 0000000000000000 x24:\n00000000000003e8\n[ 176.298430] x23: 0000000000000000 x22: ffff6828c4960b40 x21:\nffff6828c3b16d28\n[ 176.298652] x20: ffff6828c3167048 x19: ffff6828c3b16d00 x18:\n0000000000000014\n[ 176.298926] x17: ffffb0476322f000 x16: ffffb7e164023730 x15:\n0000000095744632\n[ 176.299296] x14: ffff6828c3f1c880 x13: 0000000000000002 x12:\nffffb7e137926a70\n[ 176.299574] x11: 0000000000000001 x10: ffff6828c3f1c898 x9 :\n0000000000000000\n[ 176.300049] x8 : ffff6828c49bf070 x7 : 0008460f18d5f20e x6 :\nf20e0100bebafeca\n[ 176.300302] x5 : ffff6828c7f918fe x4 : ffff6828c49bf070 x3 :\n0000000000000000\n[ 176.300586] x2 : 0000000000000000 x1 : ffff6828c3c7ad00 x0 :\nffff6828c7f918f0\n[ 176.300889] Call trace:\n[ 176.301123] br_nf_dev_queue_xmit+0x390/0x4ec [br_netfilter]\n[ 176.301411] br_nf_post_routing+0x2a8/0x3e4 [br_netfilter]\n[ 176.301703] nf_hook_slow+0x48/0x124\n[ 176.302060] br_forward_finish+0xc8/0xe8 [bridge]\n[ 176.302371] br_nf_hook_thresh+0x124/0x134 [br_netfilter]\n[ 176.302605] br_nf_forward_finish+0x118/0x22c [br_netfilter]\n[ 176.302824] br_nf_forward_ip.part.0+0x264/0x290 [br_netfilter]\n[ 176.303136] br_nf_forward+0x2b8/0x4e0 [br_netfilter]\n[ 176.303359] nf_hook_slow+0x48/0x124\n[ 176.303\n---truncated---", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:32:01.141Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/f07131239a76cc10d5e82c19d91f53cb55727297", }, { url: "https://git.kernel.org/stable/c/75dfcb758015c97e1accd6340691fca67d363bed", }, { url: "https://git.kernel.org/stable/c/cce8419b8168f6e7eb637103a47f916f3de8bc81", }, { url: "https://git.kernel.org/stable/c/95c0cff5a1a5d28bf623b92eb5d1a8f56ed30803", }, { url: "https://git.kernel.org/stable/c/78ed917133b118661e1fe62d4a85d5d428ee9568", }, { url: "https://git.kernel.org/stable/c/3453f5839420bfbb85c86c61e49f49ffd0f041c4", }, { url: "https://git.kernel.org/stable/c/915717e0bb9837cc5c101bc545af487bd787239e", }, { url: "https://git.kernel.org/stable/c/f9ff7665cd128012868098bbd07e28993e314fdb", }, ], title: "netfilter: br_netfilter: fix panic with metadata_dst skb", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50045", datePublished: "2024-10-21T19:39:43.117Z", dateReserved: "2024-10-21T12:17:06.071Z", dateUpdated: "2024-12-19T09:32:01.141Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48972
Vulnerability from cvelistv5
Published
2024-10-21 20:05
Modified
2024-12-19 08:11
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add()
Kernel fault injection test reports null-ptr-deref as follows:
BUG: kernel NULL pointer dereference, address: 0000000000000008
RIP: 0010:cfg802154_netdev_notifier_call+0x120/0x310 include/linux/list.h:114
Call Trace:
<TASK>
raw_notifier_call_chain+0x6d/0xa0 kernel/notifier.c:87
call_netdevice_notifiers_info+0x6e/0xc0 net/core/dev.c:1944
unregister_netdevice_many_notify+0x60d/0xcb0 net/core/dev.c:1982
unregister_netdevice_queue+0x154/0x1a0 net/core/dev.c:10879
register_netdevice+0x9a8/0xb90 net/core/dev.c:10083
ieee802154_if_add+0x6ed/0x7e0 net/mac802154/iface.c:659
ieee802154_register_hw+0x29c/0x330 net/mac802154/main.c:229
mcr20a_probe+0xaaa/0xcb1 drivers/net/ieee802154/mcr20a.c:1316
ieee802154_if_add() allocates wpan_dev as netdev's private data, but not
init the list in struct wpan_dev. cfg802154_netdev_notifier_call() manage
the list when device register/unregister, and may lead to null-ptr-deref.
Use INIT_LIST_HEAD() on it to initialize it correctly.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: fcf39e6e88e9492f6688ec8ba4e1be622b904232 Version: fcf39e6e88e9492f6688ec8ba4e1be622b904232 Version: fcf39e6e88e9492f6688ec8ba4e1be622b904232 Version: fcf39e6e88e9492f6688ec8ba4e1be622b904232 Version: fcf39e6e88e9492f6688ec8ba4e1be622b904232 Version: fcf39e6e88e9492f6688ec8ba4e1be622b904232 Version: fcf39e6e88e9492f6688ec8ba4e1be622b904232 Version: fcf39e6e88e9492f6688ec8ba4e1be622b904232 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48972", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:19:01.056200Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:37.621Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/mac802154/iface.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "7410f4d1221bb182510b7778ab6eefa8b9b7102d", status: "affected", version: "fcf39e6e88e9492f6688ec8ba4e1be622b904232", versionType: "git", }, { lessThan: "9980a3ea20de40c83817877106c909cb032692d2", status: "affected", version: "fcf39e6e88e9492f6688ec8ba4e1be622b904232", versionType: "git", }, { lessThan: "f00c84fb1635c27ba24ec5df65d5bd7d7dc00008", status: "affected", version: "fcf39e6e88e9492f6688ec8ba4e1be622b904232", versionType: "git", }, { lessThan: "1831d4540406708e48239cf38fd9c3b7ea98e08f", status: "affected", version: "fcf39e6e88e9492f6688ec8ba4e1be622b904232", versionType: "git", }, { lessThan: "42c319635c0cf7eb36eccac6cda76532f47b61a3", status: "affected", version: "fcf39e6e88e9492f6688ec8ba4e1be622b904232", versionType: "git", }, { lessThan: "a110287ef4a423980309490df632e1c1e73b3dc9", status: "affected", version: "fcf39e6e88e9492f6688ec8ba4e1be622b904232", versionType: "git", }, { lessThan: "623918f40fa68e3bb21312a3fafb90f491bf5358", status: "affected", version: "fcf39e6e88e9492f6688ec8ba4e1be622b904232", versionType: "git", }, { lessThan: "b3d72d3135d2ef68296c1ee174436efd65386f04", status: "affected", version: "fcf39e6e88e9492f6688ec8ba4e1be622b904232", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/mac802154/iface.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "3.19", }, { lessThan: "3.19", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.9.*", status: "unaffected", version: "4.9.336", versionType: "semver", }, { lessThanOrEqual: "4.14.*", status: "unaffected", version: "4.14.302", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.269", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.227", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.159", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.83", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.13", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nmac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add()\n\nKernel fault injection test reports null-ptr-deref as follows:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000008\nRIP: 0010:cfg802154_netdev_notifier_call+0x120/0x310 include/linux/list.h:114\nCall Trace:\n <TASK>\n raw_notifier_call_chain+0x6d/0xa0 kernel/notifier.c:87\n call_netdevice_notifiers_info+0x6e/0xc0 net/core/dev.c:1944\n unregister_netdevice_many_notify+0x60d/0xcb0 net/core/dev.c:1982\n unregister_netdevice_queue+0x154/0x1a0 net/core/dev.c:10879\n register_netdevice+0x9a8/0xb90 net/core/dev.c:10083\n ieee802154_if_add+0x6ed/0x7e0 net/mac802154/iface.c:659\n ieee802154_register_hw+0x29c/0x330 net/mac802154/main.c:229\n mcr20a_probe+0xaaa/0xcb1 drivers/net/ieee802154/mcr20a.c:1316\n\nieee802154_if_add() allocates wpan_dev as netdev's private data, but not\ninit the list in struct wpan_dev. cfg802154_netdev_notifier_call() manage\nthe list when device register/unregister, and may lead to null-ptr-deref.\n\nUse INIT_LIST_HEAD() on it to initialize it correctly.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:11:39.264Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/7410f4d1221bb182510b7778ab6eefa8b9b7102d", }, { url: "https://git.kernel.org/stable/c/9980a3ea20de40c83817877106c909cb032692d2", }, { url: "https://git.kernel.org/stable/c/f00c84fb1635c27ba24ec5df65d5bd7d7dc00008", }, { url: "https://git.kernel.org/stable/c/1831d4540406708e48239cf38fd9c3b7ea98e08f", }, { url: "https://git.kernel.org/stable/c/42c319635c0cf7eb36eccac6cda76532f47b61a3", }, { url: "https://git.kernel.org/stable/c/a110287ef4a423980309490df632e1c1e73b3dc9", }, { url: "https://git.kernel.org/stable/c/623918f40fa68e3bb21312a3fafb90f491bf5358", }, { url: "https://git.kernel.org/stable/c/b3d72d3135d2ef68296c1ee174436efd65386f04", }, ], title: "mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48972", datePublished: "2024-10-21T20:05:53.061Z", dateReserved: "2024-08-22T01:27:53.629Z", dateUpdated: "2024-12-19T08:11:39.264Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-49027
Vulnerability from cvelistv5
Published
2024-10-21 20:06
Modified
2024-12-19 08:12
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
iavf: Fix error handling in iavf_init_module()
The iavf_init_module() won't destroy workqueue when pci_register_driver()
failed. Call destroy_workqueue() when pci_register_driver() failed to
prevent the resource leak.
Similar to the handling of u132_hcd_init in commit f276e002793c
("usb: u132-hcd: fix resource leak")
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-49027", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:11:47.379081Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:36.321Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/ethernet/intel/iavf/iavf_main.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "971c55f0763b480e63ceb7a22beb19be2509e5ed", status: "affected", version: "2803b16c10ea7eec170c485388f5f26ae30e92fe", versionType: "git", }, { lessThan: "0d9f5bd54b913018031c5b964fc1f9a31f5f6cb5", status: "affected", version: "2803b16c10ea7eec170c485388f5f26ae30e92fe", versionType: "git", }, { lessThan: "bd477b891a4fa084561234eed4afacb3001dd359", status: "affected", version: "2803b16c10ea7eec170c485388f5f26ae30e92fe", versionType: "git", }, { lessThan: "227d8d2f7f2278b8468c5531b0cd0f2a905b4486", status: "affected", version: "2803b16c10ea7eec170c485388f5f26ae30e92fe", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/ethernet/intel/iavf/iavf_main.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "4.6", }, { lessThan: "4.6", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.158", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.82", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.12", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\niavf: Fix error handling in iavf_init_module()\n\nThe iavf_init_module() won't destroy workqueue when pci_register_driver()\nfailed. Call destroy_workqueue() when pci_register_driver() failed to\nprevent the resource leak.\n\nSimilar to the handling of u132_hcd_init in commit f276e002793c\n(\"usb: u132-hcd: fix resource leak\")", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:12:42.854Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/971c55f0763b480e63ceb7a22beb19be2509e5ed", }, { url: "https://git.kernel.org/stable/c/0d9f5bd54b913018031c5b964fc1f9a31f5f6cb5", }, { url: "https://git.kernel.org/stable/c/bd477b891a4fa084561234eed4afacb3001dd359", }, { url: "https://git.kernel.org/stable/c/227d8d2f7f2278b8468c5531b0cd0f2a905b4486", }, ], title: "iavf: Fix error handling in iavf_init_module()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-49027", datePublished: "2024-10-21T20:06:32.560Z", dateReserved: "2024-08-22T01:27:53.651Z", dateUpdated: "2024-12-19T08:12:42.854Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49924
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:29
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fbdev: pxafb: Fix possible use after free in pxafb_task()
In the pxafb_probe function, it calls the pxafb_init_fbinfo function,
after which &fbi->task is associated with pxafb_task. Moreover,
within this pxafb_init_fbinfo function, the pxafb_blank function
within the &pxafb_ops struct is capable of scheduling work.
If we remove the module which will call pxafb_remove to make cleanup,
it will call unregister_framebuffer function which can call
do_unregister_framebuffer to free fbi->fb through
put_fb_info(fb_info), while the work mentioned above will be used.
The sequence of operations that may lead to a UAF bug is as follows:
CPU0 CPU1
| pxafb_task
pxafb_remove |
unregister_framebuffer(info) |
do_unregister_framebuffer(fb_info) |
put_fb_info(fb_info) |
// free fbi->fb | set_ctrlr_state(fbi, state)
| __pxafb_lcd_power(fbi, 0)
| fbi->lcd_power(on, &fbi->fb.var)
| //use fbi->fb
Fix it by ensuring that the work is canceled before proceeding
with the cleanup in pxafb_remove.
Note that only root user can remove the driver at runtime.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49924", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:39:57.349772Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:44.187Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/video/fbdev/pxafb.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "e657fa2df4429f3805a9b3e47fb1a4a1b02a72bd", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "6d0a07f68b66269e167def6c0b90a219cd3e7473", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "e6897e299f57b103e999e62010b88e363b3eebae", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "4cda484e584be34d55ee17436ebf7ad11922b97a", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "3c0d416eb4bef705f699213cee94bf54b6acdacd", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "fdda354f60a576d52dcf90351254714681df4370", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "aaadc0cb05c999ccd8898a03298b7e5c31509b08", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "a3a855764dbacbdb1cc51e15dc588f2d21c93e0e", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "4a6921095eb04a900e0000da83d9475eb958e61e", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/video/fbdev/pxafb.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: pxafb: Fix possible use after free in pxafb_task()\n\nIn the pxafb_probe function, it calls the pxafb_init_fbinfo function,\nafter which &fbi->task is associated with pxafb_task. Moreover,\nwithin this pxafb_init_fbinfo function, the pxafb_blank function\nwithin the &pxafb_ops struct is capable of scheduling work.\n\nIf we remove the module which will call pxafb_remove to make cleanup,\nit will call unregister_framebuffer function which can call\ndo_unregister_framebuffer to free fbi->fb through\nput_fb_info(fb_info), while the work mentioned above will be used.\nThe sequence of operations that may lead to a UAF bug is as follows:\n\nCPU0 CPU1\n\n | pxafb_task\npxafb_remove |\nunregister_framebuffer(info) |\ndo_unregister_framebuffer(fb_info) |\nput_fb_info(fb_info) |\n// free fbi->fb | set_ctrlr_state(fbi, state)\n | __pxafb_lcd_power(fbi, 0)\n | fbi->lcd_power(on, &fbi->fb.var)\n | //use fbi->fb\n\nFix it by ensuring that the work is canceled before proceeding\nwith the cleanup in pxafb_remove.\n\nNote that only root user can remove the driver at runtime.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:29:08.760Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/e657fa2df4429f3805a9b3e47fb1a4a1b02a72bd", }, { url: "https://git.kernel.org/stable/c/6d0a07f68b66269e167def6c0b90a219cd3e7473", }, { url: "https://git.kernel.org/stable/c/e6897e299f57b103e999e62010b88e363b3eebae", }, { url: "https://git.kernel.org/stable/c/4cda484e584be34d55ee17436ebf7ad11922b97a", }, { url: "https://git.kernel.org/stable/c/3c0d416eb4bef705f699213cee94bf54b6acdacd", }, { url: "https://git.kernel.org/stable/c/fdda354f60a576d52dcf90351254714681df4370", }, { url: "https://git.kernel.org/stable/c/aaadc0cb05c999ccd8898a03298b7e5c31509b08", }, { url: "https://git.kernel.org/stable/c/a3a855764dbacbdb1cc51e15dc588f2d21c93e0e", }, { url: "https://git.kernel.org/stable/c/4a6921095eb04a900e0000da83d9475eb958e61e", }, ], title: "fbdev: pxafb: Fix possible use after free in pxafb_task()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49924", datePublished: "2024-10-21T18:01:49.076Z", dateReserved: "2024-10-21T12:17:06.036Z", dateUpdated: "2024-12-19T09:29:08.760Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-49012
Vulnerability from cvelistv5
Published
2024-10-21 20:06
Modified
2024-12-19 08:12
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
afs: Fix server->active leak in afs_put_server
The atomic_read was accidentally replaced with atomic_inc_return,
which prevents the server from getting cleaned up and causes rmmod
to hang with a warning:
Can't purge s=00000001
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-49012", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:13:43.816985Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:38.624Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/afs/server.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "c5078548c29c735f71b05053659c0cb294e738ad", status: "affected", version: "2757a4dc184997c66ef1de32636f73b9f21aac14", versionType: "git", }, { lessThan: "ef4d3ea40565a781c25847e9cb96c1bd9f462bc6", status: "affected", version: "2757a4dc184997c66ef1de32636f73b9f21aac14", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/afs/server.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.0", }, { lessThan: "6.0", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.12", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nafs: Fix server->active leak in afs_put_server\n\nThe atomic_read was accidentally replaced with atomic_inc_return,\nwhich prevents the server from getting cleaned up and causes rmmod\nto hang with a warning:\n\n Can't purge s=00000001", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:12:25.511Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/c5078548c29c735f71b05053659c0cb294e738ad", }, { url: "https://git.kernel.org/stable/c/ef4d3ea40565a781c25847e9cb96c1bd9f462bc6", }, ], title: "afs: Fix server->active leak in afs_put_server", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-49012", datePublished: "2024-10-21T20:06:22.749Z", dateReserved: "2024-08-22T01:27:53.644Z", dateUpdated: "2024-12-19T08:12:25.511Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-49001
Vulnerability from cvelistv5
Published
2024-10-21 20:06
Modified
2024-12-19 08:12
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
riscv: fix race when vmap stack overflow
Currently, when detecting vmap stack overflow, riscv firstly switches
to the so called shadow stack, then use this shadow stack to call the
get_overflow_stack() to get the overflow stack. However, there's
a race here if two or more harts use the same shadow stack at the same
time.
To solve this race, we introduce spin_shadow_stack atomic var, which
will be swap between its own address and 0 in atomic way, when the
var is set, it means the shadow_stack is being used; when the var
is cleared, it means the shadow_stack isn't being used.
[Palmer: Add AQ to the swap, and also some comments.]
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-49001", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:15:10.722004Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:40.637Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "arch/riscv/include/asm/asm.h", "arch/riscv/kernel/entry.S", "arch/riscv/kernel/traps.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "ac00301adb19df54f2eae1efc4bad7447c0156ce", status: "affected", version: "31da94c25aea835ceac00575a9fd206c5a833fed", versionType: "git", }, { lessThan: "879fabc5a95401d9bce357e4b1d24ae4a360a81f", status: "affected", version: "31da94c25aea835ceac00575a9fd206c5a833fed", versionType: "git", }, { lessThan: "7e1864332fbc1b993659eab7974da9fe8bf8c128", status: "affected", version: "31da94c25aea835ceac00575a9fd206c5a833fed", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "arch/riscv/include/asm/asm.h", "arch/riscv/kernel/entry.S", "arch/riscv/kernel/traps.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.14", }, { lessThan: "5.14", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.82", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.12", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: fix race when vmap stack overflow\n\nCurrently, when detecting vmap stack overflow, riscv firstly switches\nto the so called shadow stack, then use this shadow stack to call the\nget_overflow_stack() to get the overflow stack. However, there's\na race here if two or more harts use the same shadow stack at the same\ntime.\n\nTo solve this race, we introduce spin_shadow_stack atomic var, which\nwill be swap between its own address and 0 in atomic way, when the\nvar is set, it means the shadow_stack is being used; when the var\nis cleared, it means the shadow_stack isn't being used.\n\n[Palmer: Add AQ to the swap, and also some comments.]", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:12:12.917Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/ac00301adb19df54f2eae1efc4bad7447c0156ce", }, { url: "https://git.kernel.org/stable/c/879fabc5a95401d9bce357e4b1d24ae4a360a81f", }, { url: "https://git.kernel.org/stable/c/7e1864332fbc1b993659eab7974da9fe8bf8c128", }, ], title: "riscv: fix race when vmap stack overflow", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-49001", datePublished: "2024-10-21T20:06:15.443Z", dateReserved: "2024-08-22T01:27:53.642Z", dateUpdated: "2024-12-19T08:12:12.917Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49943
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-19 09:29
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/xe/guc_submit: add missing locking in wedged_fini
Any non-wedged queue can have a zero refcount here and can be running
concurrently with an async queue destroy, therefore dereferencing the
queue ptr to check wedge status after the lookup can trigger UAF if
queue is not wedged. Fix this by keeping the submission_state lock held
around the check to postpone the free and make the check safe, before
dropping again around the put() to avoid the deadlock.
(cherry picked from commit d28af0b6b9580b9f90c265a7da0315b0ad20bbfd)
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49943", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:37:27.904932Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:50.255Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/xe/xe_guc_submit.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "d88f9bab7e62dd0dbe983fa70cf040042a60cc84", status: "affected", version: "8ed9aaae39f39130b7a3eb2726be05d7f64b344c", versionType: "git", }, { lessThan: "790533e44bfc7af929842fccd9674c9f424d4627", status: "affected", version: "8ed9aaae39f39130b7a3eb2726be05d7f64b344c", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/xe/xe_guc_submit.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.11", }, { lessThan: "6.11", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/guc_submit: add missing locking in wedged_fini\n\nAny non-wedged queue can have a zero refcount here and can be running\nconcurrently with an async queue destroy, therefore dereferencing the\nqueue ptr to check wedge status after the lookup can trigger UAF if\nqueue is not wedged. Fix this by keeping the submission_state lock held\naround the check to postpone the free and make the check safe, before\ndropping again around the put() to avoid the deadlock.\n\n(cherry picked from commit d28af0b6b9580b9f90c265a7da0315b0ad20bbfd)", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:29:49.220Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/d88f9bab7e62dd0dbe983fa70cf040042a60cc84", }, { url: "https://git.kernel.org/stable/c/790533e44bfc7af929842fccd9674c9f424d4627", }, ], title: "drm/xe/guc_submit: add missing locking in wedged_fini", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49943", datePublished: "2024-10-21T18:02:01.794Z", dateReserved: "2024-10-21T12:17:06.044Z", dateUpdated: "2024-12-19T09:29:49.220Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49962
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-19 09:30
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ACPICA: check null return of ACPI_ALLOCATE_ZEROED() in acpi_db_convert_to_package()
ACPICA commit 4d4547cf13cca820ff7e0f859ba83e1a610b9fd0
ACPI_ALLOCATE_ZEROED() may fail, elements might be NULL and will cause
NULL pointer dereference later.
[ rjw: Subject and changelog edits ]
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49962", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:34:59.044898Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:47.506Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/acpi/acpica/dbconvert.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "4669da66ebc5b09881487f30669b0fcdb462188e", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "402b4c6b7500c7cca6972d2456a4a422801035b5", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "cbb67e245dacd02b5e1d82733892647df1523982", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "1c9b8775062f8d854a80caf186af57fc617d454c", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "f282db38953ad71dd4f3f8877a4e1d37e580e30a", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "4588ea78d3904bebb613b0bb025669e75800f546", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "a907c113a8b66972f15f084d7dff960207b1f71d", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "ae5d4c7e76ba393d20366dfea1f39f24560ffb1d", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "a5242874488eba2b9062985bf13743c029821330", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/acpi/acpica/dbconvert.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nACPICA: check null return of ACPI_ALLOCATE_ZEROED() in acpi_db_convert_to_package()\n\nACPICA commit 4d4547cf13cca820ff7e0f859ba83e1a610b9fd0\n\nACPI_ALLOCATE_ZEROED() may fail, elements might be NULL and will cause\nNULL pointer dereference later.\n\n[ rjw: Subject and changelog edits ]", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:30:14.971Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/4669da66ebc5b09881487f30669b0fcdb462188e", }, { url: "https://git.kernel.org/stable/c/402b4c6b7500c7cca6972d2456a4a422801035b5", }, { url: "https://git.kernel.org/stable/c/cbb67e245dacd02b5e1d82733892647df1523982", }, { url: "https://git.kernel.org/stable/c/1c9b8775062f8d854a80caf186af57fc617d454c", }, { url: "https://git.kernel.org/stable/c/f282db38953ad71dd4f3f8877a4e1d37e580e30a", }, { url: "https://git.kernel.org/stable/c/4588ea78d3904bebb613b0bb025669e75800f546", }, { url: "https://git.kernel.org/stable/c/a907c113a8b66972f15f084d7dff960207b1f71d", }, { url: "https://git.kernel.org/stable/c/ae5d4c7e76ba393d20366dfea1f39f24560ffb1d", }, { url: "https://git.kernel.org/stable/c/a5242874488eba2b9062985bf13743c029821330", }, ], title: "ACPICA: check null return of ACPI_ALLOCATE_ZEROED() in acpi_db_convert_to_package()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49962", datePublished: "2024-10-21T18:02:14.418Z", dateReserved: "2024-10-21T12:17:06.049Z", dateUpdated: "2024-12-19T09:30:14.971Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50025
Vulnerability from cvelistv5
Published
2024-10-21 19:39
Modified
2024-12-19 09:31
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: fnic: Move flush_work initialization out of if block
After commit 379a58caa199 ("scsi: fnic: Move fnic_fnic_flush_tx() to a
work queue"), it can happen that a work item is sent to an uninitialized
work queue. This may has the effect that the item being queued is never
actually queued, and any further actions depending on it will not
proceed.
The following warning is observed while the fnic driver is loaded:
kernel: WARNING: CPU: 11 PID: 0 at ../kernel/workqueue.c:1524 __queue_work+0x373/0x410
kernel: <IRQ>
kernel: queue_work_on+0x3a/0x50
kernel: fnic_wq_copy_cmpl_handler+0x54a/0x730 [fnic 62fbff0c42e7fb825c60a55cde2fb91facb2ed24]
kernel: fnic_isr_msix_wq_copy+0x2d/0x60 [fnic 62fbff0c42e7fb825c60a55cde2fb91facb2ed24]
kernel: __handle_irq_event_percpu+0x36/0x1a0
kernel: handle_irq_event_percpu+0x30/0x70
kernel: handle_irq_event+0x34/0x60
kernel: handle_edge_irq+0x7e/0x1a0
kernel: __common_interrupt+0x3b/0xb0
kernel: common_interrupt+0x58/0xa0
kernel: </IRQ>
It has been observed that this may break the rediscovery of Fibre
Channel devices after a temporary fabric failure.
This patch fixes it by moving the work queue initialization out of
an if block in fnic_probe().
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50025", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:26:53.078526Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:46.677Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/scsi/fnic/fnic_main.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "6b7836b80061bf1accc5d78b12bc086aed252388", status: "affected", version: "379a58caa19930e010b7efa1c1f3b9411d3d2ca3", versionType: "git", }, { lessThan: "f30e5f77d2f205ac14d09dec40fd4bb76712f13d", status: "affected", version: "379a58caa19930e010b7efa1c1f3b9411d3d2ca3", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/scsi/fnic/fnic_main.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.8", }, { lessThan: "6.8", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.4", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: fnic: Move flush_work initialization out of if block\n\nAfter commit 379a58caa199 (\"scsi: fnic: Move fnic_fnic_flush_tx() to a\nwork queue\"), it can happen that a work item is sent to an uninitialized\nwork queue. This may has the effect that the item being queued is never\nactually queued, and any further actions depending on it will not\nproceed.\n\nThe following warning is observed while the fnic driver is loaded:\n\nkernel: WARNING: CPU: 11 PID: 0 at ../kernel/workqueue.c:1524 __queue_work+0x373/0x410\nkernel: <IRQ>\nkernel: queue_work_on+0x3a/0x50\nkernel: fnic_wq_copy_cmpl_handler+0x54a/0x730 [fnic 62fbff0c42e7fb825c60a55cde2fb91facb2ed24]\nkernel: fnic_isr_msix_wq_copy+0x2d/0x60 [fnic 62fbff0c42e7fb825c60a55cde2fb91facb2ed24]\nkernel: __handle_irq_event_percpu+0x36/0x1a0\nkernel: handle_irq_event_percpu+0x30/0x70\nkernel: handle_irq_event+0x34/0x60\nkernel: handle_edge_irq+0x7e/0x1a0\nkernel: __common_interrupt+0x3b/0xb0\nkernel: common_interrupt+0x58/0xa0\nkernel: </IRQ>\n\nIt has been observed that this may break the rediscovery of Fibre\nChannel devices after a temporary fabric failure.\n\nThis patch fixes it by moving the work queue initialization out of\nan if block in fnic_probe().", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:31:36.120Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/6b7836b80061bf1accc5d78b12bc086aed252388", }, { url: "https://git.kernel.org/stable/c/f30e5f77d2f205ac14d09dec40fd4bb76712f13d", }, ], title: "scsi: fnic: Move flush_work initialization out of if block", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50025", datePublished: "2024-10-21T19:39:29.845Z", dateReserved: "2024-10-21T12:17:06.065Z", dateUpdated: "2024-12-19T09:31:36.120Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-49028
Vulnerability from cvelistv5
Published
2024-10-21 20:06
Modified
2024-12-19 08:12
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ixgbevf: Fix resource leak in ixgbevf_init_module()
ixgbevf_init_module() won't destroy the workqueue created by
create_singlethread_workqueue() when pci_register_driver() failed. Add
destroy_workqueue() in fail path to prevent the resource leak.
Similar to the handling of u132_hcd_init in commit f276e002793c
("usb: u132-hcd: fix resource leak")
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-49028", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:11:38.668001Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:36.197Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "f166c62cad798c53300b4b327e44300c73ec492d", status: "affected", version: "40a13e2493c9882cb4d09054d81a5063cd1589a2", versionType: "git", }, { lessThan: "7109e941099244cc876a4b3cb7a3ec79f104374a", status: "affected", version: "40a13e2493c9882cb4d09054d81a5063cd1589a2", versionType: "git", }, { lessThan: "c99671d4699dcf90d6939923c8fe8a8918e140b2", status: "affected", version: "40a13e2493c9882cb4d09054d81a5063cd1589a2", versionType: "git", }, { lessThan: "8cfa238a48f34038464b99d0b4825238c2687181", status: "affected", version: "40a13e2493c9882cb4d09054d81a5063cd1589a2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "4.5", }, { lessThan: "4.5", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.158", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.82", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.12", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nixgbevf: Fix resource leak in ixgbevf_init_module()\n\nixgbevf_init_module() won't destroy the workqueue created by\ncreate_singlethread_workqueue() when pci_register_driver() failed. Add\ndestroy_workqueue() in fail path to prevent the resource leak.\n\nSimilar to the handling of u132_hcd_init in commit f276e002793c\n(\"usb: u132-hcd: fix resource leak\")", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:12:43.956Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/f166c62cad798c53300b4b327e44300c73ec492d", }, { url: "https://git.kernel.org/stable/c/7109e941099244cc876a4b3cb7a3ec79f104374a", }, { url: "https://git.kernel.org/stable/c/c99671d4699dcf90d6939923c8fe8a8918e140b2", }, { url: "https://git.kernel.org/stable/c/8cfa238a48f34038464b99d0b4825238c2687181", }, ], title: "ixgbevf: Fix resource leak in ixgbevf_init_module()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-49028", datePublished: "2024-10-21T20:06:33.205Z", dateReserved: "2024-08-22T01:27:53.651Z", dateUpdated: "2024-12-19T08:12:43.956Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47719
Vulnerability from cvelistv5
Published
2024-10-21 11:53
Modified
2024-12-19 09:26
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommufd: Protect against overflow of ALIGN() during iova allocation
Userspace can supply an iova and uptr such that the target iova alignment
becomes really big and ALIGN() overflows which corrupts the selected area
range during allocation. CONFIG_IOMMUFD_TEST can detect this:
WARNING: CPU: 1 PID: 5092 at drivers/iommu/iommufd/io_pagetable.c:268 iopt_alloc_area_pages drivers/iommu/iommufd/io_pagetable.c:268 [inline]
WARNING: CPU: 1 PID: 5092 at drivers/iommu/iommufd/io_pagetable.c:268 iopt_map_pages+0xf95/0x1050 drivers/iommu/iommufd/io_pagetable.c:352
Modules linked in:
CPU: 1 PID: 5092 Comm: syz-executor294 Not tainted 6.10.0-rc5-syzkaller-00294-g3ffea9a7a6f7 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
RIP: 0010:iopt_alloc_area_pages drivers/iommu/iommufd/io_pagetable.c:268 [inline]
RIP: 0010:iopt_map_pages+0xf95/0x1050 drivers/iommu/iommufd/io_pagetable.c:352
Code: fc e9 a4 f3 ff ff e8 1a 8b 4c fc 41 be e4 ff ff ff e9 8a f3 ff ff e8 0a 8b 4c fc 90 0f 0b 90 e9 37 f5 ff ff e8 fc 8a 4c fc 90 <0f> 0b 90 e9 68 f3 ff ff 48 c7 c1 ec 82 ad 8f 80 e1 07 80 c1 03 38
RSP: 0018:ffffc90003ebf9e0 EFLAGS: 00010293
RAX: ffffffff85499fa4 RBX: 00000000ffffffef RCX: ffff888079b49e00
RDX: 0000000000000000 RSI: 00000000ffffffef RDI: 0000000000000000
RBP: ffffc90003ebfc50 R08: ffffffff85499b30 R09: ffffffff85499942
R10: 0000000000000002 R11: ffff888079b49e00 R12: ffff8880228e0010
R13: 0000000000000000 R14: 1ffff920007d7f68 R15: ffffc90003ebfd00
FS: 000055557d760380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000005fdeb8 CR3: 000000007404a000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
iommufd_ioas_copy+0x610/0x7b0 drivers/iommu/iommufd/ioas.c:274
iommufd_fops_ioctl+0x4d9/0x5a0 drivers/iommu/iommufd/main.c:421
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Cap the automatic alignment to the huge page size, which is probably a
better idea overall. Huge automatic alignments can fragment and chew up
the available IOVA space without any reason.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47719", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:02:15.050204Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:17.762Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/iommu/iommufd/io_pagetable.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "cd6dd564ae7d99967ef50078216929418160b30e", status: "affected", version: "51fe6141f0f64ae0bbc096a41a07572273e8c0ef", versionType: "git", }, { lessThan: "a6e9f9fd14772c0b23c6d1d7002d98f9d27cb1f6", status: "affected", version: "51fe6141f0f64ae0bbc096a41a07572273e8c0ef", versionType: "git", }, { lessThan: "72b78287ce92802e8ba678181a34b84ae844a112", status: "affected", version: "51fe6141f0f64ae0bbc096a41a07572273e8c0ef", versionType: "git", }, { lessThan: "8f6887349b2f829a4121c518aeb064fc922714e4", status: "affected", version: "51fe6141f0f64ae0bbc096a41a07572273e8c0ef", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/iommu/iommufd/io_pagetable.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.2", }, { lessThan: "6.2", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\niommufd: Protect against overflow of ALIGN() during iova allocation\n\nUserspace can supply an iova and uptr such that the target iova alignment\nbecomes really big and ALIGN() overflows which corrupts the selected area\nrange during allocation. CONFIG_IOMMUFD_TEST can detect this:\n\n WARNING: CPU: 1 PID: 5092 at drivers/iommu/iommufd/io_pagetable.c:268 iopt_alloc_area_pages drivers/iommu/iommufd/io_pagetable.c:268 [inline]\n WARNING: CPU: 1 PID: 5092 at drivers/iommu/iommufd/io_pagetable.c:268 iopt_map_pages+0xf95/0x1050 drivers/iommu/iommufd/io_pagetable.c:352\n Modules linked in:\n CPU: 1 PID: 5092 Comm: syz-executor294 Not tainted 6.10.0-rc5-syzkaller-00294-g3ffea9a7a6f7 #0\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024\n RIP: 0010:iopt_alloc_area_pages drivers/iommu/iommufd/io_pagetable.c:268 [inline]\n RIP: 0010:iopt_map_pages+0xf95/0x1050 drivers/iommu/iommufd/io_pagetable.c:352\n Code: fc e9 a4 f3 ff ff e8 1a 8b 4c fc 41 be e4 ff ff ff e9 8a f3 ff ff e8 0a 8b 4c fc 90 0f 0b 90 e9 37 f5 ff ff e8 fc 8a 4c fc 90 <0f> 0b 90 e9 68 f3 ff ff 48 c7 c1 ec 82 ad 8f 80 e1 07 80 c1 03 38\n RSP: 0018:ffffc90003ebf9e0 EFLAGS: 00010293\n RAX: ffffffff85499fa4 RBX: 00000000ffffffef RCX: ffff888079b49e00\n RDX: 0000000000000000 RSI: 00000000ffffffef RDI: 0000000000000000\n RBP: ffffc90003ebfc50 R08: ffffffff85499b30 R09: ffffffff85499942\n R10: 0000000000000002 R11: ffff888079b49e00 R12: ffff8880228e0010\n R13: 0000000000000000 R14: 1ffff920007d7f68 R15: ffffc90003ebfd00\n FS: 000055557d760380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00000000005fdeb8 CR3: 000000007404a000 CR4: 00000000003506f0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n <TASK>\n iommufd_ioas_copy+0x610/0x7b0 drivers/iommu/iommufd/ioas.c:274\n iommufd_fops_ioctl+0x4d9/0x5a0 drivers/iommu/iommufd/main.c:421\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:907 [inline]\n __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nCap the automatic alignment to the huge page size, which is probably a\nbetter idea overall. Huge automatic alignments can fragment and chew up\nthe available IOVA space without any reason.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:26:45.668Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/cd6dd564ae7d99967ef50078216929418160b30e", }, { url: "https://git.kernel.org/stable/c/a6e9f9fd14772c0b23c6d1d7002d98f9d27cb1f6", }, { url: "https://git.kernel.org/stable/c/72b78287ce92802e8ba678181a34b84ae844a112", }, { url: "https://git.kernel.org/stable/c/8f6887349b2f829a4121c518aeb064fc922714e4", }, ], title: "iommufd: Protect against overflow of ALIGN() during iova allocation", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47719", datePublished: "2024-10-21T11:53:49.516Z", dateReserved: "2024-09-30T16:00:12.949Z", dateUpdated: "2024-12-19T09:26:45.668Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49908
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:28
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Add null check for 'afb' in amdgpu_dm_update_cursor (v2)
This commit adds a null check for the 'afb' variable in the
amdgpu_dm_update_cursor function. Previously, 'afb' was assumed to be
null at line 8388, but was used later in the code without a null check.
This could potentially lead to a null pointer dereference.
Changes since v1:
- Moved the null check for 'afb' to the line where 'afb' is used. (Alex)
Fixes the below:
drivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm.c:8433 amdgpu_dm_update_cursor()
error: we previously assumed 'afb' could be null (see line 8388)
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49908", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:41:59.337369Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:46.551Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "a742168b6a39ead257da53bcbe472384d6e14a1b", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "0fe20258b4989b9112b5e9470df33a0939403fd4", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add null check for 'afb' in amdgpu_dm_update_cursor (v2)\n\nThis commit adds a null check for the 'afb' variable in the\namdgpu_dm_update_cursor function. Previously, 'afb' was assumed to be\nnull at line 8388, but was used later in the code without a null check.\nThis could potentially lead to a null pointer dereference.\n\nChanges since v1:\n- Moved the null check for 'afb' to the line where 'afb' is used. (Alex)\n\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm.c:8433 amdgpu_dm_update_cursor()\n\terror: we previously assumed 'afb' could be null (see line 8388)", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:28:49.130Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/a742168b6a39ead257da53bcbe472384d6e14a1b", }, { url: "https://git.kernel.org/stable/c/0fe20258b4989b9112b5e9470df33a0939403fd4", }, ], title: "drm/amd/display: Add null check for 'afb' in amdgpu_dm_update_cursor (v2)", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49908", datePublished: "2024-10-21T18:01:38.149Z", dateReserved: "2024-10-21T12:17:06.027Z", dateUpdated: "2024-12-19T09:28:49.130Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50038
Vulnerability from cvelistv5
Published
2024-10-21 19:39
Modified
2024-12-19 09:31
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: xtables: avoid NFPROTO_UNSPEC where needed
syzbot managed to call xt_cluster match via ebtables:
WARNING: CPU: 0 PID: 11 at net/netfilter/xt_cluster.c:72 xt_cluster_mt+0x196/0x780
[..]
ebt_do_table+0x174b/0x2a40
Module registers to NFPROTO_UNSPEC, but it assumes ipv4/ipv6 packet
processing. As this is only useful to restrict locally terminating
TCP/UDP traffic, register this for ipv4 and ipv6 family only.
Pablo points out that this is a general issue, direct users of the
set/getsockopt interface can call into targets/matches that were only
intended for use with ip(6)tables.
Check all UNSPEC matches and targets for similar issues:
- matches and targets are fine except if they assume skb_network_header()
is valid -- this is only true when called from inet layer: ip(6) stack
pulls the ip/ipv6 header into linear data area.
- targets that return XT_CONTINUE or other xtables verdicts must be
restricted too, they are incompatbile with the ebtables traverser, e.g.
EBT_CONTINUE is a completely different value than XT_CONTINUE.
Most matches/targets are changed to register for NFPROTO_IPV4/IPV6, as
they are provided for use by ip(6)tables.
The MARK target is also used by arptables, so register for NFPROTO_ARP too.
While at it, bail out if connbytes fails to enable the corresponding
conntrack family.
This change passes the selftests in iptables.git.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 0269ea4937343536ec7e85649932bc8c9686ea78 Version: 0269ea4937343536ec7e85649932bc8c9686ea78 Version: 0269ea4937343536ec7e85649932bc8c9686ea78 Version: 0269ea4937343536ec7e85649932bc8c9686ea78 Version: 0269ea4937343536ec7e85649932bc8c9686ea78 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50038", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:25:10.359959Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:44.637Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/netfilter/xt_CHECKSUM.c", "net/netfilter/xt_CLASSIFY.c", "net/netfilter/xt_CONNSECMARK.c", "net/netfilter/xt_CT.c", "net/netfilter/xt_IDLETIMER.c", "net/netfilter/xt_LED.c", "net/netfilter/xt_NFLOG.c", "net/netfilter/xt_RATEEST.c", "net/netfilter/xt_SECMARK.c", "net/netfilter/xt_TRACE.c", "net/netfilter/xt_addrtype.c", "net/netfilter/xt_cluster.c", "net/netfilter/xt_connbytes.c", "net/netfilter/xt_connlimit.c", "net/netfilter/xt_connmark.c", "net/netfilter/xt_mark.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "85ff9a0f793ca52c527e75cd40a69c948627ebde", status: "affected", version: "0269ea4937343536ec7e85649932bc8c9686ea78", versionType: "git", }, { lessThan: "8f482bb7e27b37f1f734bb9a8eeb28b23d59d189", status: "affected", version: "0269ea4937343536ec7e85649932bc8c9686ea78", versionType: "git", }, { lessThan: "997f67d813ce0cf5eb3cdb8f124da68141e91b6c", status: "affected", version: "0269ea4937343536ec7e85649932bc8c9686ea78", versionType: "git", }, { lessThan: "4cdc55ec6222bb195995cc58f7cb46e4d8907056", status: "affected", version: "0269ea4937343536ec7e85649932bc8c9686ea78", versionType: "git", }, { lessThan: "0bfcb7b71e735560077a42847f69597ec7dcc326", status: "affected", version: "0269ea4937343536ec7e85649932bc8c9686ea78", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/netfilter/xt_CHECKSUM.c", "net/netfilter/xt_CLASSIFY.c", "net/netfilter/xt_CONNSECMARK.c", "net/netfilter/xt_CT.c", "net/netfilter/xt_IDLETIMER.c", "net/netfilter/xt_LED.c", "net/netfilter/xt_NFLOG.c", "net/netfilter/xt_RATEEST.c", "net/netfilter/xt_SECMARK.c", "net/netfilter/xt_TRACE.c", "net/netfilter/xt_addrtype.c", "net/netfilter/xt_cluster.c", "net/netfilter/xt_connbytes.c", "net/netfilter/xt_connlimit.c", "net/netfilter/xt_connmark.c", "net/netfilter/xt_mark.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "2.6.30", }, { lessThan: "2.6.30", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.57", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.4", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: xtables: avoid NFPROTO_UNSPEC where needed\n\nsyzbot managed to call xt_cluster match via ebtables:\n\n WARNING: CPU: 0 PID: 11 at net/netfilter/xt_cluster.c:72 xt_cluster_mt+0x196/0x780\n [..]\n ebt_do_table+0x174b/0x2a40\n\nModule registers to NFPROTO_UNSPEC, but it assumes ipv4/ipv6 packet\nprocessing. As this is only useful to restrict locally terminating\nTCP/UDP traffic, register this for ipv4 and ipv6 family only.\n\nPablo points out that this is a general issue, direct users of the\nset/getsockopt interface can call into targets/matches that were only\nintended for use with ip(6)tables.\n\nCheck all UNSPEC matches and targets for similar issues:\n\n- matches and targets are fine except if they assume skb_network_header()\n is valid -- this is only true when called from inet layer: ip(6) stack\n pulls the ip/ipv6 header into linear data area.\n- targets that return XT_CONTINUE or other xtables verdicts must be\n restricted too, they are incompatbile with the ebtables traverser, e.g.\n EBT_CONTINUE is a completely different value than XT_CONTINUE.\n\nMost matches/targets are changed to register for NFPROTO_IPV4/IPV6, as\nthey are provided for use by ip(6)tables.\n\nThe MARK target is also used by arptables, so register for NFPROTO_ARP too.\n\nWhile at it, bail out if connbytes fails to enable the corresponding\nconntrack family.\n\nThis change passes the selftests in iptables.git.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:31:52.316Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/85ff9a0f793ca52c527e75cd40a69c948627ebde", }, { url: "https://git.kernel.org/stable/c/8f482bb7e27b37f1f734bb9a8eeb28b23d59d189", }, { url: "https://git.kernel.org/stable/c/997f67d813ce0cf5eb3cdb8f124da68141e91b6c", }, { url: "https://git.kernel.org/stable/c/4cdc55ec6222bb195995cc58f7cb46e4d8907056", }, { url: "https://git.kernel.org/stable/c/0bfcb7b71e735560077a42847f69597ec7dcc326", }, ], title: "netfilter: xtables: avoid NFPROTO_UNSPEC where needed", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50038", datePublished: "2024-10-21T19:39:38.451Z", dateReserved: "2024-10-21T12:17:06.070Z", dateUpdated: "2024-12-19T09:31:52.316Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49946
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-19 09:29
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ppp: do not assume bh is held in ppp_channel_bridge_input()
Networking receive path is usually handled from BH handler.
However, some protocols need to acquire the socket lock, and
packets might be stored in the socket backlog is the socket was
owned by a user process.
In this case, release_sock(), __release_sock(), and sk_backlog_rcv()
might call the sk->sk_backlog_rcv() handler in process context.
sybot caught ppp was not considering this case in
ppp_channel_bridge_input() :
WARNING: inconsistent lock state
6.11.0-rc7-syzkaller-g5f5673607153 #0 Not tainted
--------------------------------
inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
ksoftirqd/1/24 [HC0[0]:SC1[1]:HE1:SE0] takes:
ffff0000db7f11e0 (&pch->downl){+.?.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
ffff0000db7f11e0 (&pch->downl){+.?.}-{2:2}, at: ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2272 [inline]
ffff0000db7f11e0 (&pch->downl){+.?.}-{2:2}, at: ppp_input+0x16c/0x854 drivers/net/ppp/ppp_generic.c:2304
{SOFTIRQ-ON-W} state was registered at:
lock_acquire+0x240/0x728 kernel/locking/lockdep.c:5759
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x48/0x60 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:351 [inline]
ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2272 [inline]
ppp_input+0x16c/0x854 drivers/net/ppp/ppp_generic.c:2304
pppoe_rcv_core+0xfc/0x314 drivers/net/ppp/pppoe.c:379
sk_backlog_rcv include/net/sock.h:1111 [inline]
__release_sock+0x1a8/0x3d8 net/core/sock.c:3004
release_sock+0x68/0x1b8 net/core/sock.c:3558
pppoe_sendmsg+0xc8/0x5d8 drivers/net/ppp/pppoe.c:903
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline]
__sys_sendto+0x374/0x4f4 net/socket.c:2204
__do_sys_sendto net/socket.c:2216 [inline]
__se_sys_sendto net/socket.c:2212 [inline]
__arm64_sys_sendto+0xd8/0xf8 net/socket.c:2212
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
irq event stamp: 282914
hardirqs last enabled at (282914): [<ffff80008b42e30c>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline]
hardirqs last enabled at (282914): [<ffff80008b42e30c>] _raw_spin_unlock_irqrestore+0x38/0x98 kernel/locking/spinlock.c:194
hardirqs last disabled at (282913): [<ffff80008b42e13c>] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
hardirqs last disabled at (282913): [<ffff80008b42e13c>] _raw_spin_lock_irqsave+0x2c/0x7c kernel/locking/spinlock.c:162
softirqs last enabled at (282904): [<ffff8000801f8e88>] softirq_handle_end kernel/softirq.c:400 [inline]
softirqs last enabled at (282904): [<ffff8000801f8e88>] handle_softirqs+0xa3c/0xbfc kernel/softirq.c:582
softirqs last disabled at (282909): [<ffff8000801fbdf8>] run_ksoftirqd+0x70/0x158 kernel/softirq.c:928
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(&pch->downl);
<Interrupt>
lock(&pch->downl);
*** DEADLOCK ***
1 lock held by ksoftirqd/1/24:
#0: ffff80008f74dfa0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x10/0x4c include/linux/rcupdate.h:325
stack backtrace:
CPU: 1 UID: 0 PID: 24 Comm: ksoftirqd/1 Not tainted 6.11.0-rc7-syzkaller-g5f5673607153 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Call trace:
dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:319
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:326
__dump_sta
---truncated---
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 4cf476ced45d7f12df30a68e833b263e7a2202d1 Version: 4cf476ced45d7f12df30a68e833b263e7a2202d1 Version: 4cf476ced45d7f12df30a68e833b263e7a2202d1 Version: 4cf476ced45d7f12df30a68e833b263e7a2202d1 Version: 4cf476ced45d7f12df30a68e833b263e7a2202d1 Version: 4cf476ced45d7f12df30a68e833b263e7a2202d1 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49946", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:37:03.573119Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:49.783Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/ppp/ppp_generic.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "176dd41e8c2bd997ed3d66568a3362e69ecce99b", status: "affected", version: "4cf476ced45d7f12df30a68e833b263e7a2202d1", versionType: "git", }, { lessThan: "635deca1800a68624f185dc1e04a8495b48cf185", status: "affected", version: "4cf476ced45d7f12df30a68e833b263e7a2202d1", versionType: "git", }, { lessThan: "f9620e2a665aa642625bd2501282bbddff556bd7", status: "affected", version: "4cf476ced45d7f12df30a68e833b263e7a2202d1", versionType: "git", }, { lessThan: "efe9cc0f7c0279216a5522271ec675b8288602e4", status: "affected", version: "4cf476ced45d7f12df30a68e833b263e7a2202d1", versionType: "git", }, { lessThan: "c837f8583535f094a39386308c2ccfd92c8596cd", status: "affected", version: "4cf476ced45d7f12df30a68e833b263e7a2202d1", versionType: "git", }, { lessThan: "aec7291003df78cb71fd461d7b672912bde55807", status: "affected", version: "4cf476ced45d7f12df30a68e833b263e7a2202d1", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/ppp/ppp_generic.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.11", }, { lessThan: "5.11", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nppp: do not assume bh is held in ppp_channel_bridge_input()\n\nNetworking receive path is usually handled from BH handler.\nHowever, some protocols need to acquire the socket lock, and\npackets might be stored in the socket backlog is the socket was\nowned by a user process.\n\nIn this case, release_sock(), __release_sock(), and sk_backlog_rcv()\nmight call the sk->sk_backlog_rcv() handler in process context.\n\nsybot caught ppp was not considering this case in\nppp_channel_bridge_input() :\n\nWARNING: inconsistent lock state\n6.11.0-rc7-syzkaller-g5f5673607153 #0 Not tainted\n--------------------------------\ninconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.\nksoftirqd/1/24 [HC0[0]:SC1[1]:HE1:SE0] takes:\n ffff0000db7f11e0 (&pch->downl){+.?.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]\n ffff0000db7f11e0 (&pch->downl){+.?.}-{2:2}, at: ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2272 [inline]\n ffff0000db7f11e0 (&pch->downl){+.?.}-{2:2}, at: ppp_input+0x16c/0x854 drivers/net/ppp/ppp_generic.c:2304\n{SOFTIRQ-ON-W} state was registered at:\n lock_acquire+0x240/0x728 kernel/locking/lockdep.c:5759\n __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]\n _raw_spin_lock+0x48/0x60 kernel/locking/spinlock.c:154\n spin_lock include/linux/spinlock.h:351 [inline]\n ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2272 [inline]\n ppp_input+0x16c/0x854 drivers/net/ppp/ppp_generic.c:2304\n pppoe_rcv_core+0xfc/0x314 drivers/net/ppp/pppoe.c:379\n sk_backlog_rcv include/net/sock.h:1111 [inline]\n __release_sock+0x1a8/0x3d8 net/core/sock.c:3004\n release_sock+0x68/0x1b8 net/core/sock.c:3558\n pppoe_sendmsg+0xc8/0x5d8 drivers/net/ppp/pppoe.c:903\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg net/socket.c:745 [inline]\n __sys_sendto+0x374/0x4f4 net/socket.c:2204\n __do_sys_sendto net/socket.c:2216 [inline]\n __se_sys_sendto net/socket.c:2212 [inline]\n __arm64_sys_sendto+0xd8/0xf8 net/socket.c:2212\n __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]\n invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49\n el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132\n do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151\n el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712\n el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730\n el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598\nirq event stamp: 282914\n hardirqs last enabled at (282914): [<ffff80008b42e30c>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline]\n hardirqs last enabled at (282914): [<ffff80008b42e30c>] _raw_spin_unlock_irqrestore+0x38/0x98 kernel/locking/spinlock.c:194\n hardirqs last disabled at (282913): [<ffff80008b42e13c>] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]\n hardirqs last disabled at (282913): [<ffff80008b42e13c>] _raw_spin_lock_irqsave+0x2c/0x7c kernel/locking/spinlock.c:162\n softirqs last enabled at (282904): [<ffff8000801f8e88>] softirq_handle_end kernel/softirq.c:400 [inline]\n softirqs last enabled at (282904): [<ffff8000801f8e88>] handle_softirqs+0xa3c/0xbfc kernel/softirq.c:582\n softirqs last disabled at (282909): [<ffff8000801fbdf8>] run_ksoftirqd+0x70/0x158 kernel/softirq.c:928\n\nother info that might help us debug this:\n Possible unsafe locking scenario:\n\n CPU0\n ----\n lock(&pch->downl);\n <Interrupt>\n lock(&pch->downl);\n\n *** DEADLOCK ***\n\n1 lock held by ksoftirqd/1/24:\n #0: ffff80008f74dfa0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x10/0x4c include/linux/rcupdate.h:325\n\nstack backtrace:\nCPU: 1 UID: 0 PID: 24 Comm: ksoftirqd/1 Not tainted 6.11.0-rc7-syzkaller-g5f5673607153 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024\nCall trace:\n dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:319\n show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:326\n __dump_sta\n---truncated---", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:29:52.931Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/176dd41e8c2bd997ed3d66568a3362e69ecce99b", }, { url: "https://git.kernel.org/stable/c/635deca1800a68624f185dc1e04a8495b48cf185", }, { url: "https://git.kernel.org/stable/c/f9620e2a665aa642625bd2501282bbddff556bd7", }, { url: "https://git.kernel.org/stable/c/efe9cc0f7c0279216a5522271ec675b8288602e4", }, { url: "https://git.kernel.org/stable/c/c837f8583535f094a39386308c2ccfd92c8596cd", }, { url: "https://git.kernel.org/stable/c/aec7291003df78cb71fd461d7b672912bde55807", }, ], title: "ppp: do not assume bh is held in ppp_channel_bridge_input()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49946", datePublished: "2024-10-21T18:02:03.779Z", dateReserved: "2024-10-21T12:17:06.044Z", dateUpdated: "2024-12-19T09:29:52.931Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-6270
Vulnerability from cvelistv5
Published
2024-01-04 17:01
Modified
2025-02-07 02:37
Severity ?
EPSS score ?
Summary
A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. This could lead to a denial of service condition or potential code execution.
References
▼ | URL | Tags |
---|---|---|
https://access.redhat.com/security/cve/CVE-2023-6270 | vdb-entry, x_refsource_REDHAT | |
https://bugzilla.redhat.com/show_bug.cgi?id=2256786 | issue-tracking, x_refsource_REDHAT |
Impacted products
Vendor | Product | Version | ||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
▼ | Red Hat | Red Hat Enterprise Linux 6 |
cpe:/o:redhat:enterprise_linux:6 |
|||||||||||||||||||||||||||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2023-6270", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:48:09.407937Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:53.219Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-02T08:28:20.376Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "vdb-entry", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/security/cve/CVE-2023-6270", }, { name: "RHBZ#2256786", tags: [ "issue-tracking", "x_refsource_REDHAT", "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2256786", }, { tags: [ "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", }, { tags: [ "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/o:redhat:enterprise_linux:6", ], defaultStatus: "unknown", packageName: "kernel", product: "Red Hat Enterprise Linux 6", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/o:redhat:enterprise_linux:7", ], defaultStatus: "unknown", packageName: "kernel", product: "Red Hat Enterprise Linux 7", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/o:redhat:enterprise_linux:7", ], defaultStatus: "unknown", packageName: "kernel-rt", product: "Red Hat Enterprise Linux 7", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/o:redhat:enterprise_linux:8", ], defaultStatus: "unaffected", packageName: "kernel", product: "Red Hat Enterprise Linux 8", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/o:redhat:enterprise_linux:8", ], defaultStatus: "unaffected", packageName: "kernel-rt", product: "Red Hat Enterprise Linux 8", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/o:redhat:enterprise_linux:9", ], defaultStatus: "unaffected", packageName: "kernel", product: "Red Hat Enterprise Linux 9", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/o:redhat:enterprise_linux:9", ], defaultStatus: "unaffected", packageName: "kernel-rt", product: "Red Hat Enterprise Linux 9", vendor: "Red Hat", }, ], datePublic: "2024-01-04T00:00:00.000Z", descriptions: [ { lang: "en", value: "A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. This could lead to a denial of service condition or potential code execution.", }, ], metrics: [ { other: { content: { namespace: "https://access.redhat.com/security/updates/classification/", value: "Moderate", }, type: "Red Hat severity rating", }, }, { cvssV3_1: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, format: "CVSS", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-416", description: "Use After Free", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-02-07T02:37:25.137Z", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { tags: [ "vdb-entry", "x_refsource_REDHAT", ], url: "https://access.redhat.com/security/cve/CVE-2023-6270", }, { name: "RHBZ#2256786", tags: [ "issue-tracking", "x_refsource_REDHAT", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2256786", }, ], timeline: [ { lang: "en", time: "2023-09-29T00:00:00+00:00", value: "Reported to Red Hat.", }, { lang: "en", time: "2024-01-04T00:00:00+00:00", value: "Made public.", }, ], title: "Kernel: aoe: improper reference count leads to use-after-free vulnerability", workarounds: [ { lang: "en", value: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", }, ], x_redhatCweChain: "CWE-911->CWE-416: Improper Update of Reference Count leads to Use After Free", }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2023-6270", datePublished: "2024-01-04T17:01:51.165Z", dateReserved: "2023-11-23T14:31:28.637Z", dateUpdated: "2025-02-07T02:37:25.137Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49861
Vulnerability from cvelistv5
Published
2024-10-21 12:27
Modified
2024-12-19 09:27
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix helper writes to read-only maps
Lonial found an issue that despite user- and BPF-side frozen BPF map
(like in case of .rodata), it was still possible to write into it from
a BPF program side through specific helpers having ARG_PTR_TO_{LONG,INT}
as arguments.
In check_func_arg() when the argument is as mentioned, the meta->raw_mode
is never set. Later, check_helper_mem_access(), under the case of
PTR_TO_MAP_VALUE as register base type, it assumes BPF_READ for the
subsequent call to check_map_access_type() and given the BPF map is
read-only it succeeds.
The helpers really need to be annotated as ARG_PTR_TO_{LONG,INT} | MEM_UNINIT
when results are written into them as opposed to read out of them. The
latter indicates that it's okay to pass a pointer to uninitialized memory
as the memory is written to anyway.
However, ARG_PTR_TO_{LONG,INT} is a special case of ARG_PTR_TO_FIXED_SIZE_MEM
just with additional alignment requirement. So it is better to just get
rid of the ARG_PTR_TO_{LONG,INT} special cases altogether and reuse the
fixed size memory types. For this, add MEM_ALIGNED to additionally ensure
alignment given these helpers write directly into the args via *<ptr> = val.
The .arg*_size has been initialized reflecting the actual sizeof(*<ptr>).
MEM_ALIGNED can only be used in combination with MEM_FIXED_SIZE annotated
argument types, since in !MEM_FIXED_SIZE cases the verifier does not know
the buffer size a priori and therefore cannot blindly write *<ptr> = val.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 57c3bb725a3dd97d960d7e1cd0845d88de53217f Version: 57c3bb725a3dd97d960d7e1cd0845d88de53217f Version: 57c3bb725a3dd97d960d7e1cd0845d88de53217f Version: 57c3bb725a3dd97d960d7e1cd0845d88de53217f Version: 57c3bb725a3dd97d960d7e1cd0845d88de53217f |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49861", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T12:55:39.105078Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:10.325Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "include/linux/bpf.h", "kernel/bpf/helpers.c", "kernel/bpf/syscall.c", "kernel/bpf/verifier.c", "kernel/trace/bpf_trace.c", "net/core/filter.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "988e55abcf7fdb8fc9a76a7cf3f4e939a4d4fb3a", status: "affected", version: "57c3bb725a3dd97d960d7e1cd0845d88de53217f", versionType: "git", }, { lessThan: "a2c8dc7e21803257e762b0bf067fd13e9c995da0", status: "affected", version: "57c3bb725a3dd97d960d7e1cd0845d88de53217f", versionType: "git", }, { lessThan: "2ed98ee02d1e08afee88f54baec39ea78dc8a23c", status: "affected", version: "57c3bb725a3dd97d960d7e1cd0845d88de53217f", versionType: "git", }, { lessThan: "1e75d25133158b525e0456876e9bcfd6b2993fd5", status: "affected", version: "57c3bb725a3dd97d960d7e1cd0845d88de53217f", versionType: "git", }, { lessThan: "32556ce93bc45c730829083cb60f95a2728ea48b", status: "affected", version: "57c3bb725a3dd97d960d7e1cd0845d88de53217f", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "include/linux/bpf.h", "kernel/bpf/helpers.c", "kernel/bpf/syscall.c", "kernel/bpf/verifier.c", "kernel/trace/bpf_trace.c", "net/core/filter.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.2", }, { lessThan: "5.2", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.120", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix helper writes to read-only maps\n\nLonial found an issue that despite user- and BPF-side frozen BPF map\n(like in case of .rodata), it was still possible to write into it from\na BPF program side through specific helpers having ARG_PTR_TO_{LONG,INT}\nas arguments.\n\nIn check_func_arg() when the argument is as mentioned, the meta->raw_mode\nis never set. Later, check_helper_mem_access(), under the case of\nPTR_TO_MAP_VALUE as register base type, it assumes BPF_READ for the\nsubsequent call to check_map_access_type() and given the BPF map is\nread-only it succeeds.\n\nThe helpers really need to be annotated as ARG_PTR_TO_{LONG,INT} | MEM_UNINIT\nwhen results are written into them as opposed to read out of them. The\nlatter indicates that it's okay to pass a pointer to uninitialized memory\nas the memory is written to anyway.\n\nHowever, ARG_PTR_TO_{LONG,INT} is a special case of ARG_PTR_TO_FIXED_SIZE_MEM\njust with additional alignment requirement. So it is better to just get\nrid of the ARG_PTR_TO_{LONG,INT} special cases altogether and reuse the\nfixed size memory types. For this, add MEM_ALIGNED to additionally ensure\nalignment given these helpers write directly into the args via *<ptr> = val.\nThe .arg*_size has been initialized reflecting the actual sizeof(*<ptr>).\n\nMEM_ALIGNED can only be used in combination with MEM_FIXED_SIZE annotated\nargument types, since in !MEM_FIXED_SIZE cases the verifier does not know\nthe buffer size a priori and therefore cannot blindly write *<ptr> = val.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:27:45.743Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/988e55abcf7fdb8fc9a76a7cf3f4e939a4d4fb3a", }, { url: "https://git.kernel.org/stable/c/a2c8dc7e21803257e762b0bf067fd13e9c995da0", }, { url: "https://git.kernel.org/stable/c/2ed98ee02d1e08afee88f54baec39ea78dc8a23c", }, { url: "https://git.kernel.org/stable/c/1e75d25133158b525e0456876e9bcfd6b2993fd5", }, { url: "https://git.kernel.org/stable/c/32556ce93bc45c730829083cb60f95a2728ea48b", }, ], title: "bpf: Fix helper writes to read-only maps", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49861", datePublished: "2024-10-21T12:27:19.321Z", dateReserved: "2024-10-21T12:17:06.017Z", dateUpdated: "2024-12-19T09:27:45.743Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48960
Vulnerability from cvelistv5
Published
2024-10-21 20:05
Modified
2024-12-19 08:11
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: hisilicon: Fix potential use-after-free in hix5hd2_rx()
The skb is delivered to napi_gro_receive() which may free it, after
calling this, dereferencing skb may trigger use-after-free.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 57c5bc9ad7d799e9507ba6e993398d2c55f03fab Version: 57c5bc9ad7d799e9507ba6e993398d2c55f03fab Version: 57c5bc9ad7d799e9507ba6e993398d2c55f03fab Version: 57c5bc9ad7d799e9507ba6e993398d2c55f03fab Version: 57c5bc9ad7d799e9507ba6e993398d2c55f03fab Version: 57c5bc9ad7d799e9507ba6e993398d2c55f03fab Version: 57c5bc9ad7d799e9507ba6e993398d2c55f03fab Version: 57c5bc9ad7d799e9507ba6e993398d2c55f03fab |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48960", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:20:30.429141Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:39.279Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/ethernet/hisilicon/hix5hd2_gmac.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "179499e7a240b2ef590f05eb379c810c26bbc8a4", status: "affected", version: "57c5bc9ad7d799e9507ba6e993398d2c55f03fab", versionType: "git", }, { lessThan: "8067cd244cea2c332f8326842fd10158fa2cb64f", status: "affected", version: "57c5bc9ad7d799e9507ba6e993398d2c55f03fab", versionType: "git", }, { lessThan: "3a4eddd1cb023a71df4152fcc76092953e6fe95a", status: "affected", version: "57c5bc9ad7d799e9507ba6e993398d2c55f03fab", versionType: "git", }, { lessThan: "1b6360a093ab8969c91a30bb58b753282e2ced4c", status: "affected", version: "57c5bc9ad7d799e9507ba6e993398d2c55f03fab", versionType: "git", }, { lessThan: "93aaa4bb72e388f6a4887541fd3d18b84f1b5ddc", status: "affected", version: "57c5bc9ad7d799e9507ba6e993398d2c55f03fab", versionType: "git", }, { lessThan: "b8ce0e6f9f88a6bb49d291498377e61ea27a5387", status: "affected", version: "57c5bc9ad7d799e9507ba6e993398d2c55f03fab", versionType: "git", }, { lessThan: "b6307f7a2fc1c5407b6176f2af34a95214a8c262", status: "affected", version: "57c5bc9ad7d799e9507ba6e993398d2c55f03fab", versionType: "git", }, { lessThan: "433c07a13f59856e4585e89e86b7d4cc59348fab", status: "affected", version: "57c5bc9ad7d799e9507ba6e993398d2c55f03fab", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/ethernet/hisilicon/hix5hd2_gmac.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "3.16", }, { lessThan: "3.16", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.9.*", status: "unaffected", version: "4.9.336", versionType: "semver", }, { lessThanOrEqual: "4.14.*", status: "unaffected", version: "4.14.302", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.269", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.227", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.159", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.83", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.13", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hisilicon: Fix potential use-after-free in hix5hd2_rx()\n\nThe skb is delivered to napi_gro_receive() which may free it, after\ncalling this, dereferencing skb may trigger use-after-free.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:11:23.894Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/179499e7a240b2ef590f05eb379c810c26bbc8a4", }, { url: "https://git.kernel.org/stable/c/8067cd244cea2c332f8326842fd10158fa2cb64f", }, { url: "https://git.kernel.org/stable/c/3a4eddd1cb023a71df4152fcc76092953e6fe95a", }, { url: "https://git.kernel.org/stable/c/1b6360a093ab8969c91a30bb58b753282e2ced4c", }, { url: "https://git.kernel.org/stable/c/93aaa4bb72e388f6a4887541fd3d18b84f1b5ddc", }, { url: "https://git.kernel.org/stable/c/b8ce0e6f9f88a6bb49d291498377e61ea27a5387", }, { url: "https://git.kernel.org/stable/c/b6307f7a2fc1c5407b6176f2af34a95214a8c262", }, { url: "https://git.kernel.org/stable/c/433c07a13f59856e4585e89e86b7d4cc59348fab", }, ], title: "net: hisilicon: Fix potential use-after-free in hix5hd2_rx()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48960", datePublished: "2024-10-21T20:05:45.167Z", dateReserved: "2024-08-22T01:27:53.627Z", dateUpdated: "2024-12-19T08:11:23.894Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49947
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-19 09:29
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: test for not too small csum_start in virtio_net_hdr_to_skb()
syzbot was able to trigger this warning [1], after injecting a
malicious packet through af_packet, setting skb->csum_start and thus
the transport header to an incorrect value.
We can at least make sure the transport header is after
the end of the network header (with a estimated minimal size).
[1]
[ 67.873027] skb len=4096 headroom=16 headlen=14 tailroom=0
mac=(-1,-1) mac_len=0 net=(16,-6) trans=10
shinfo(txflags=0 nr_frags=1 gso(size=0 type=0 segs=0))
csum(0xa start=10 offset=0 ip_summed=3 complete_sw=0 valid=0 level=0)
hash(0x0 sw=0 l4=0) proto=0x0800 pkttype=0 iif=0
priority=0x0 mark=0x0 alloc_cpu=10 vlan_all=0x0
encapsulation=0 inner(proto=0x0000, mac=0, net=0, trans=0)
[ 67.877172] dev name=veth0_vlan feat=0x000061164fdd09e9
[ 67.877764] sk family=17 type=3 proto=0
[ 67.878279] skb linear: 00000000: 00 00 10 00 00 00 00 00 0f 00 00 00 08 00
[ 67.879128] skb frag: 00000000: 0e 00 07 00 00 00 28 00 08 80 1c 00 04 00 00 02
[ 67.879877] skb frag: 00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 67.880647] skb frag: 00000020: 00 00 02 00 00 00 08 00 1b 00 00 00 00 00 00 00
[ 67.881156] skb frag: 00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 67.881753] skb frag: 00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 67.882173] skb frag: 00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 67.882790] skb frag: 00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 67.883171] skb frag: 00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 67.883733] skb frag: 00000080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 67.884206] skb frag: 00000090: 00 00 00 00 00 00 00 00 00 00 69 70 76 6c 61 6e
[ 67.884704] skb frag: 000000a0: 31 00 00 00 00 00 00 00 00 00 2b 00 00 00 00 00
[ 67.885139] skb frag: 000000b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 67.885677] skb frag: 000000c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 67.886042] skb frag: 000000d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 67.886408] skb frag: 000000e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 67.887020] skb frag: 000000f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 67.887384] skb frag: 00000100: 00 00
[ 67.887878] ------------[ cut here ]------------
[ 67.887908] offset (-6) >= skb_headlen() (14)
[ 67.888445] WARNING: CPU: 10 PID: 2088 at net/core/dev.c:3332 skb_checksum_help (net/core/dev.c:3332 (discriminator 2))
[ 67.889353] Modules linked in: macsec macvtap macvlan hsr wireguard curve25519_x86_64 libcurve25519_generic libchacha20poly1305 chacha_x86_64 libchacha poly1305_x86_64 dummy bridge sr_mod cdrom evdev pcspkr i2c_piix4 9pnet_virtio 9p 9pnet netfs
[ 67.890111] CPU: 10 UID: 0 PID: 2088 Comm: b363492833 Not tainted 6.11.0-virtme #1011
[ 67.890183] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 67.890309] RIP: 0010:skb_checksum_help (net/core/dev.c:3332 (discriminator 2))
[ 67.891043] Call Trace:
[ 67.891173] <TASK>
[ 67.891274] ? __warn (kernel/panic.c:741)
[ 67.891320] ? skb_checksum_help (net/core/dev.c:3332 (discriminator 2))
[ 67.891333] ? report_bug (lib/bug.c:180 lib/bug.c:219)
[ 67.891348] ? handle_bug (arch/x86/kernel/traps.c:239)
[ 67.891363] ? exc_invalid_op (arch/x86/kernel/traps.c:260 (discriminator 1))
[ 67.891372] ? asm_exc_invalid_op (./arch/x86/include/asm/idtentry.h:621)
[ 67.891388] ? skb_checksum_help (net/core/dev.c:3332 (discriminator 2))
[ 67.891399] ? skb_checksum_help (net/core/dev.c:3332 (discriminator 2))
[ 67.891416] ip_do_fragment (net/ipv4/ip_output.c:777 (discriminator 1))
[ 67.891448] ? __ip_local_out (./include/linux/skbuff.h:1146 ./include/net/l3mdev.h:196 ./include/net/l3mdev.h:213 ne
---truncated---
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49947", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:36:56.071723Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:49.630Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "include/linux/virtio_net.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "d9dfd41e32ccc5198033ddd1ff1516822dfefa5a", status: "affected", version: "342c88f406c2acd3dd00767aeacafe883cebb374", versionType: "git", }, { lessThan: "4cc0648e9e3240496835dc698ace1d046d8d57ea", status: "affected", version: "9181d6f8a2bb32d158de66a84164fac05e3ddd18", versionType: "git", }, { lessThan: "7711c419a915ee0dd91c125d2b967bbf2a72e9ac", status: "affected", version: "9181d6f8a2bb32d158de66a84164fac05e3ddd18", versionType: "git", }, { lessThan: "49d14b54a527289d09a9480f214b8c586322310a", status: "affected", version: "9181d6f8a2bb32d158de66a84164fac05e3ddd18", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "include/linux/virtio_net.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.8", }, { lessThan: "6.8", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: test for not too small csum_start in virtio_net_hdr_to_skb()\n\nsyzbot was able to trigger this warning [1], after injecting a\nmalicious packet through af_packet, setting skb->csum_start and thus\nthe transport header to an incorrect value.\n\nWe can at least make sure the transport header is after\nthe end of the network header (with a estimated minimal size).\n\n[1]\n[ 67.873027] skb len=4096 headroom=16 headlen=14 tailroom=0\nmac=(-1,-1) mac_len=0 net=(16,-6) trans=10\nshinfo(txflags=0 nr_frags=1 gso(size=0 type=0 segs=0))\ncsum(0xa start=10 offset=0 ip_summed=3 complete_sw=0 valid=0 level=0)\nhash(0x0 sw=0 l4=0) proto=0x0800 pkttype=0 iif=0\npriority=0x0 mark=0x0 alloc_cpu=10 vlan_all=0x0\nencapsulation=0 inner(proto=0x0000, mac=0, net=0, trans=0)\n[ 67.877172] dev name=veth0_vlan feat=0x000061164fdd09e9\n[ 67.877764] sk family=17 type=3 proto=0\n[ 67.878279] skb linear: 00000000: 00 00 10 00 00 00 00 00 0f 00 00 00 08 00\n[ 67.879128] skb frag: 00000000: 0e 00 07 00 00 00 28 00 08 80 1c 00 04 00 00 02\n[ 67.879877] skb frag: 00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[ 67.880647] skb frag: 00000020: 00 00 02 00 00 00 08 00 1b 00 00 00 00 00 00 00\n[ 67.881156] skb frag: 00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[ 67.881753] skb frag: 00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[ 67.882173] skb frag: 00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[ 67.882790] skb frag: 00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[ 67.883171] skb frag: 00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[ 67.883733] skb frag: 00000080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[ 67.884206] skb frag: 00000090: 00 00 00 00 00 00 00 00 00 00 69 70 76 6c 61 6e\n[ 67.884704] skb frag: 000000a0: 31 00 00 00 00 00 00 00 00 00 2b 00 00 00 00 00\n[ 67.885139] skb frag: 000000b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[ 67.885677] skb frag: 000000c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[ 67.886042] skb frag: 000000d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[ 67.886408] skb frag: 000000e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[ 67.887020] skb frag: 000000f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[ 67.887384] skb frag: 00000100: 00 00\n[ 67.887878] ------------[ cut here ]------------\n[ 67.887908] offset (-6) >= skb_headlen() (14)\n[ 67.888445] WARNING: CPU: 10 PID: 2088 at net/core/dev.c:3332 skb_checksum_help (net/core/dev.c:3332 (discriminator 2))\n[ 67.889353] Modules linked in: macsec macvtap macvlan hsr wireguard curve25519_x86_64 libcurve25519_generic libchacha20poly1305 chacha_x86_64 libchacha poly1305_x86_64 dummy bridge sr_mod cdrom evdev pcspkr i2c_piix4 9pnet_virtio 9p 9pnet netfs\n[ 67.890111] CPU: 10 UID: 0 PID: 2088 Comm: b363492833 Not tainted 6.11.0-virtme #1011\n[ 67.890183] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[ 67.890309] RIP: 0010:skb_checksum_help (net/core/dev.c:3332 (discriminator 2))\n[ 67.891043] Call Trace:\n[ 67.891173] <TASK>\n[ 67.891274] ? __warn (kernel/panic.c:741)\n[ 67.891320] ? skb_checksum_help (net/core/dev.c:3332 (discriminator 2))\n[ 67.891333] ? report_bug (lib/bug.c:180 lib/bug.c:219)\n[ 67.891348] ? handle_bug (arch/x86/kernel/traps.c:239)\n[ 67.891363] ? exc_invalid_op (arch/x86/kernel/traps.c:260 (discriminator 1))\n[ 67.891372] ? asm_exc_invalid_op (./arch/x86/include/asm/idtentry.h:621)\n[ 67.891388] ? skb_checksum_help (net/core/dev.c:3332 (discriminator 2))\n[ 67.891399] ? skb_checksum_help (net/core/dev.c:3332 (discriminator 2))\n[ 67.891416] ip_do_fragment (net/ipv4/ip_output.c:777 (discriminator 1))\n[ 67.891448] ? __ip_local_out (./include/linux/skbuff.h:1146 ./include/net/l3mdev.h:196 ./include/net/l3mdev.h:213 ne\n---truncated---", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:29:54.086Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/d9dfd41e32ccc5198033ddd1ff1516822dfefa5a", }, { url: "https://git.kernel.org/stable/c/4cc0648e9e3240496835dc698ace1d046d8d57ea", }, { url: "https://git.kernel.org/stable/c/7711c419a915ee0dd91c125d2b967bbf2a72e9ac", }, { url: "https://git.kernel.org/stable/c/49d14b54a527289d09a9480f214b8c586322310a", }, ], title: "net: test for not too small csum_start in virtio_net_hdr_to_skb()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49947", datePublished: "2024-10-21T18:02:04.456Z", dateReserved: "2024-10-21T12:17:06.045Z", dateUpdated: "2024-12-19T09:29:54.086Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48987
Vulnerability from cvelistv5
Published
2024-10-21 20:06
Modified
2024-12-19 08:11
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: v4l2-dv-timings.c: fix too strict blanking sanity checks
Sanity checks were added to verify the v4l2_bt_timings blanking fields
in order to avoid integer overflows when userspace passes weird values.
But that assumed that userspace would correctly fill in the front porch,
backporch and sync values, but sometimes all you know is the total
blanking, which is then assigned to just one of these fields.
And that can fail with these checks.
So instead set a maximum for the total horizontal and vertical
blanking and check that each field remains below that.
That is still sufficient to avoid integer overflows, but it also
allows for more flexibility in how userspace fills in these fields.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 15ded23db134da975b49ea99770de0346c193b24 Version: 3d43b2b8a3cdadd6cef9ac8ef5d156b6214a01c8 Version: 9cf9211635b68e8e0c8cb88d43ca7dc83e4632aa Version: b4a3a01762ae072c7f6ff2ff53b5019761288346 Version: 683015ae163481457a16fad2317af66360dc4762 Version: 491c0959f01d87bcbd5a1498bc70e0a3382c65a8 Version: dc7276c3f6ca008be1faf531f84b49906c9bcf7f Version: 4b6d66a45ed34a15721cb9e11492fa1a24bc83df |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48987", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:17:04.941322Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:42.763Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/media/v4l2-core/v4l2-dv-timings.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "0d73b49c4037199472b29574ae21c21aef493971", status: "affected", version: "15ded23db134da975b49ea99770de0346c193b24", versionType: "git", }, { lessThan: "a2b56627c0d13009e02f6f2c0206c0451ed19a0e", status: "affected", version: "3d43b2b8a3cdadd6cef9ac8ef5d156b6214a01c8", versionType: "git", }, { lessThan: "2572ab14b73aa45b6ae7e4c089ccf119fed5cf89", status: "affected", version: "9cf9211635b68e8e0c8cb88d43ca7dc83e4632aa", versionType: "git", }, { lessThan: "4afc77068e36cee45b39d4fdc7513de26980f72c", status: "affected", version: "b4a3a01762ae072c7f6ff2ff53b5019761288346", versionType: "git", }, { lessThan: "32f01f0306a98629508f84d7ef0d1d037bc274a2", status: "affected", version: "683015ae163481457a16fad2317af66360dc4762", versionType: "git", }, { lessThan: "6fb8bc29bfa80707994a63cc97e2f9920e0b0608", status: "affected", version: "491c0959f01d87bcbd5a1498bc70e0a3382c65a8", versionType: "git", }, { lessThan: "d3d14cdf1c7ae2caa3e999bae95ba99e955fb7c3", status: "affected", version: "dc7276c3f6ca008be1faf531f84b49906c9bcf7f", versionType: "git", }, { lessThan: "5eef2141776da02772c44ec406d6871a790761ee", status: "affected", version: "4b6d66a45ed34a15721cb9e11492fa1a24bc83df", versionType: "git", }, ], }, { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/media/v4l2-core/v4l2-dv-timings.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "4.9.336", status: "affected", version: "4.9.332", versionType: "semver", }, { lessThan: "4.14.302", status: "affected", version: "4.14.298", versionType: "semver", }, { lessThan: "4.19.269", status: "affected", version: "4.19.264", versionType: "semver", }, { lessThan: "5.4.227", status: "affected", version: "5.4.223", versionType: "semver", }, { lessThan: "5.10.159", status: "affected", version: "5.10.153", versionType: "semver", }, { lessThan: "5.15.83", status: "affected", version: "5.15.77", versionType: "semver", }, { lessThan: "6.0.13", status: "affected", version: "6.0.7", versionType: "semver", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: v4l2-dv-timings.c: fix too strict blanking sanity checks\n\nSanity checks were added to verify the v4l2_bt_timings blanking fields\nin order to avoid integer overflows when userspace passes weird values.\n\nBut that assumed that userspace would correctly fill in the front porch,\nbackporch and sync values, but sometimes all you know is the total\nblanking, which is then assigned to just one of these fields.\n\nAnd that can fail with these checks.\n\nSo instead set a maximum for the total horizontal and vertical\nblanking and check that each field remains below that.\n\nThat is still sufficient to avoid integer overflows, but it also\nallows for more flexibility in how userspace fills in these fields.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:11:57.880Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/0d73b49c4037199472b29574ae21c21aef493971", }, { url: "https://git.kernel.org/stable/c/a2b56627c0d13009e02f6f2c0206c0451ed19a0e", }, { url: "https://git.kernel.org/stable/c/2572ab14b73aa45b6ae7e4c089ccf119fed5cf89", }, { url: "https://git.kernel.org/stable/c/4afc77068e36cee45b39d4fdc7513de26980f72c", }, { url: "https://git.kernel.org/stable/c/32f01f0306a98629508f84d7ef0d1d037bc274a2", }, { url: "https://git.kernel.org/stable/c/6fb8bc29bfa80707994a63cc97e2f9920e0b0608", }, { url: "https://git.kernel.org/stable/c/d3d14cdf1c7ae2caa3e999bae95ba99e955fb7c3", }, { url: "https://git.kernel.org/stable/c/5eef2141776da02772c44ec406d6871a790761ee", }, ], title: "media: v4l2-dv-timings.c: fix too strict blanking sanity checks", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48987", datePublished: "2024-10-21T20:06:03.328Z", dateReserved: "2024-08-22T01:27:53.634Z", dateUpdated: "2024-12-19T08:11:57.880Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49870
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:27
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
cachefiles: fix dentry leak in cachefiles_open_file()
A dentry leak may be caused when a lookup cookie and a cull are concurrent:
P1 | P2
-----------------------------------------------------------
cachefiles_lookup_cookie
cachefiles_look_up_object
lookup_one_positive_unlocked
// get dentry
cachefiles_cull
inode->i_flags |= S_KERNEL_FILE;
cachefiles_open_file
cachefiles_mark_inode_in_use
__cachefiles_mark_inode_in_use
can_use = false
if (!(inode->i_flags & S_KERNEL_FILE))
can_use = true
return false
return false
// Returns an error but doesn't put dentry
After that the following WARNING will be triggered when the backend folder
is umounted:
==================================================================
BUG: Dentry 000000008ad87947{i=7a,n=Dx_1_1.img} still in use (1) [unmount of ext4 sda]
WARNING: CPU: 4 PID: 359261 at fs/dcache.c:1767 umount_check+0x5d/0x70
CPU: 4 PID: 359261 Comm: umount Not tainted 6.6.0-dirty #25
RIP: 0010:umount_check+0x5d/0x70
Call Trace:
<TASK>
d_walk+0xda/0x2b0
do_one_tree+0x20/0x40
shrink_dcache_for_umount+0x2c/0x90
generic_shutdown_super+0x20/0x160
kill_block_super+0x1a/0x40
ext4_kill_sb+0x22/0x40
deactivate_locked_super+0x35/0x80
cleanup_mnt+0x104/0x160
==================================================================
Whether cachefiles_open_file() returns true or false, the reference count
obtained by lookup_positive_unlocked() in cachefiles_look_up_object()
should be released.
Therefore release that reference count in cachefiles_look_up_object() to
fix the above issue and simplify the code.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1f08c925e7a38002bde509e66f6f891468848511 Version: 1f08c925e7a38002bde509e66f6f891468848511 Version: 1f08c925e7a38002bde509e66f6f891468848511 Version: 1f08c925e7a38002bde509e66f6f891468848511 Version: 1f08c925e7a38002bde509e66f6f891468848511 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49870", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:47:04.248927Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:52.047Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/cachefiles/namei.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "d32ff64c872d7e08e893c32ba6a2374583444410", status: "affected", version: "1f08c925e7a38002bde509e66f6f891468848511", versionType: "git", }, { lessThan: "c7d10fa7d7691558ff967668494672415f5fa151", status: "affected", version: "1f08c925e7a38002bde509e66f6f891468848511", versionType: "git", }, { lessThan: "e4a28489b310339b2b8187bec0a437709be551c1", status: "affected", version: "1f08c925e7a38002bde509e66f6f891468848511", versionType: "git", }, { lessThan: "7fa2382f97421978514a419c93054eca69f5247b", status: "affected", version: "1f08c925e7a38002bde509e66f6f891468848511", versionType: "git", }, { lessThan: "da6ef2dffe6056aad3435e6cf7c6471c2a62187c", status: "affected", version: "1f08c925e7a38002bde509e66f6f891468848511", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/cachefiles/namei.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.17", }, { lessThan: "5.17", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: fix dentry leak in cachefiles_open_file()\n\nA dentry leak may be caused when a lookup cookie and a cull are concurrent:\n\n P1 | P2\n-----------------------------------------------------------\ncachefiles_lookup_cookie\n cachefiles_look_up_object\n lookup_one_positive_unlocked\n // get dentry\n cachefiles_cull\n inode->i_flags |= S_KERNEL_FILE;\n cachefiles_open_file\n cachefiles_mark_inode_in_use\n __cachefiles_mark_inode_in_use\n can_use = false\n if (!(inode->i_flags & S_KERNEL_FILE))\n can_use = true\n\t return false\n return false\n // Returns an error but doesn't put dentry\n\nAfter that the following WARNING will be triggered when the backend folder\nis umounted:\n\n==================================================================\nBUG: Dentry 000000008ad87947{i=7a,n=Dx_1_1.img} still in use (1) [unmount of ext4 sda]\nWARNING: CPU: 4 PID: 359261 at fs/dcache.c:1767 umount_check+0x5d/0x70\nCPU: 4 PID: 359261 Comm: umount Not tainted 6.6.0-dirty #25\nRIP: 0010:umount_check+0x5d/0x70\nCall Trace:\n <TASK>\n d_walk+0xda/0x2b0\n do_one_tree+0x20/0x40\n shrink_dcache_for_umount+0x2c/0x90\n generic_shutdown_super+0x20/0x160\n kill_block_super+0x1a/0x40\n ext4_kill_sb+0x22/0x40\n deactivate_locked_super+0x35/0x80\n cleanup_mnt+0x104/0x160\n==================================================================\n\nWhether cachefiles_open_file() returns true or false, the reference count\nobtained by lookup_positive_unlocked() in cachefiles_look_up_object()\nshould be released.\n\nTherefore release that reference count in cachefiles_look_up_object() to\nfix the above issue and simplify the code.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:27:57.281Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/d32ff64c872d7e08e893c32ba6a2374583444410", }, { url: "https://git.kernel.org/stable/c/c7d10fa7d7691558ff967668494672415f5fa151", }, { url: "https://git.kernel.org/stable/c/e4a28489b310339b2b8187bec0a437709be551c1", }, { url: "https://git.kernel.org/stable/c/7fa2382f97421978514a419c93054eca69f5247b", }, { url: "https://git.kernel.org/stable/c/da6ef2dffe6056aad3435e6cf7c6471c2a62187c", }, ], title: "cachefiles: fix dentry leak in cachefiles_open_file()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49870", datePublished: "2024-10-21T18:01:12.048Z", dateReserved: "2024-10-21T12:17:06.019Z", dateUpdated: "2024-12-19T09:27:57.281Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47680
Vulnerability from cvelistv5
Published
2024-10-21 11:53
Modified
2024-12-19 09:25
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: check discard support for conventional zones
As the helper function f2fs_bdev_support_discard() shows, f2fs checks if
the target block devices support discard by calling
bdev_max_discard_sectors() and bdev_is_zoned(). This check works well
for most cases, but it does not work for conventional zones on zoned
block devices. F2fs assumes that zoned block devices support discard,
and calls __submit_discard_cmd(). When __submit_discard_cmd() is called
for sequential write required zones, it works fine since
__submit_discard_cmd() issues zone reset commands instead of discard
commands. However, when __submit_discard_cmd() is called for
conventional zones, __blkdev_issue_discard() is called even when the
devices do not support discard.
The inappropriate __blkdev_issue_discard() call was not a problem before
the commit 30f1e7241422 ("block: move discard checks into the ioctl
handler") because __blkdev_issue_discard() checked if the target devices
support discard or not. If not, it returned EOPNOTSUPP. After the
commit, __blkdev_issue_discard() no longer checks it. It always returns
zero and sets NULL to the given bio pointer. This NULL pointer triggers
f2fs_bug_on() in __submit_discard_cmd(). The BUG is recreated with the
commands below at the umount step, where /dev/nullb0 is a zoned null_blk
with 5GB total size, 128MB zone size and 10 conventional zones.
$ mkfs.f2fs -f -m /dev/nullb0
$ mount /dev/nullb0 /mnt
$ for ((i=0;i<5;i++)); do dd if=/dev/zero of=/mnt/test bs=65536 count=1600 conv=fsync; done
$ umount /mnt
To fix the BUG, avoid the inappropriate __blkdev_issue_discard() call.
When discard is requested for conventional zones, check if the device
supports discard or not. If not, return EOPNOTSUPP.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47680", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:07:25.799925Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:14:16.790Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/f2fs/segment.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "7bd7ce68ddad5a28565e42ef21cacaff113773a9", status: "affected", version: "30f1e724142242a453f92d90b33e030014900bf0", versionType: "git", }, { lessThan: "d2352b57897f6a3349666fc318dcbec99092c6a5", status: "affected", version: "30f1e724142242a453f92d90b33e030014900bf0", versionType: "git", }, { lessThan: "43aec4d01bd2ce961817a777b3846f8318f398e4", status: "affected", version: "30f1e724142242a453f92d90b33e030014900bf0", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/f2fs/segment.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.10", }, { lessThan: "6.10", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: check discard support for conventional zones\n\nAs the helper function f2fs_bdev_support_discard() shows, f2fs checks if\nthe target block devices support discard by calling\nbdev_max_discard_sectors() and bdev_is_zoned(). This check works well\nfor most cases, but it does not work for conventional zones on zoned\nblock devices. F2fs assumes that zoned block devices support discard,\nand calls __submit_discard_cmd(). When __submit_discard_cmd() is called\nfor sequential write required zones, it works fine since\n__submit_discard_cmd() issues zone reset commands instead of discard\ncommands. However, when __submit_discard_cmd() is called for\nconventional zones, __blkdev_issue_discard() is called even when the\ndevices do not support discard.\n\nThe inappropriate __blkdev_issue_discard() call was not a problem before\nthe commit 30f1e7241422 (\"block: move discard checks into the ioctl\nhandler\") because __blkdev_issue_discard() checked if the target devices\nsupport discard or not. If not, it returned EOPNOTSUPP. After the\ncommit, __blkdev_issue_discard() no longer checks it. It always returns\nzero and sets NULL to the given bio pointer. This NULL pointer triggers\nf2fs_bug_on() in __submit_discard_cmd(). The BUG is recreated with the\ncommands below at the umount step, where /dev/nullb0 is a zoned null_blk\nwith 5GB total size, 128MB zone size and 10 conventional zones.\n\n$ mkfs.f2fs -f -m /dev/nullb0\n$ mount /dev/nullb0 /mnt\n$ for ((i=0;i<5;i++)); do dd if=/dev/zero of=/mnt/test bs=65536 count=1600 conv=fsync; done\n$ umount /mnt\n\nTo fix the BUG, avoid the inappropriate __blkdev_issue_discard() call.\nWhen discard is requested for conventional zones, check if the device\nsupports discard or not. If not, return EOPNOTSUPP.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:25:46.750Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/7bd7ce68ddad5a28565e42ef21cacaff113773a9", }, { url: "https://git.kernel.org/stable/c/d2352b57897f6a3349666fc318dcbec99092c6a5", }, { url: "https://git.kernel.org/stable/c/43aec4d01bd2ce961817a777b3846f8318f398e4", }, ], title: "f2fs: check discard support for conventional zones", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47680", datePublished: "2024-10-21T11:53:23.128Z", dateReserved: "2024-09-30T16:00:12.940Z", dateUpdated: "2024-12-19T09:25:46.750Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48999
Vulnerability from cvelistv5
Published
2024-10-21 20:06
Modified
2024-12-19 08:12
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv4: Handle attempt to delete multipath route when fib_info contains an nh reference
Gwangun Jung reported a slab-out-of-bounds access in fib_nh_match:
fib_nh_match+0xf98/0x1130 linux-6.0-rc7/net/ipv4/fib_semantics.c:961
fib_table_delete+0x5f3/0xa40 linux-6.0-rc7/net/ipv4/fib_trie.c:1753
inet_rtm_delroute+0x2b3/0x380 linux-6.0-rc7/net/ipv4/fib_frontend.c:874
Separate nexthop objects are mutually exclusive with the legacy
multipath spec. Fix fib_nh_match to return if the config for the
to be deleted route contains a multipath spec while the fib_info
is using a nexthop object.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 493ced1ac47c48bb86d9d4e8e87df8592be85a0e Version: 493ced1ac47c48bb86d9d4e8e87df8592be85a0e Version: 493ced1ac47c48bb86d9d4e8e87df8592be85a0e Version: 493ced1ac47c48bb86d9d4e8e87df8592be85a0e Version: 493ced1ac47c48bb86d9d4e8e87df8592be85a0e |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48999", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:15:25.948167Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:40.948Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/ipv4/fib_semantics.c", "tools/testing/selftests/net/fib_nexthops.sh", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "cc3cd130ecfb8b0ae52e235e487bae3f16a24a32", status: "affected", version: "493ced1ac47c48bb86d9d4e8e87df8592be85a0e", versionType: "git", }, { lessThan: "0b5394229ebae09afc07aabccb5ffd705ffd250e", status: "affected", version: "493ced1ac47c48bb86d9d4e8e87df8592be85a0e", versionType: "git", }, { lessThan: "25174d91e4a32a24204060d283bd5fa6d0ddf133", status: "affected", version: "493ced1ac47c48bb86d9d4e8e87df8592be85a0e", versionType: "git", }, { lessThan: "bb20a2ae241be846bc3c11ea4b3a3c69e41d51f2", status: "affected", version: "493ced1ac47c48bb86d9d4e8e87df8592be85a0e", versionType: "git", }, { lessThan: "61b91eb33a69c3be11b259c5ea484505cd79f883", status: "affected", version: "493ced1ac47c48bb86d9d4e8e87df8592be85a0e", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/ipv4/fib_semantics.c", "tools/testing/selftests/net/fib_nexthops.sh", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.3", }, { lessThan: "5.3", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.226", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.158", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.82", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.12", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: Handle attempt to delete multipath route when fib_info contains an nh reference\n\nGwangun Jung reported a slab-out-of-bounds access in fib_nh_match:\n fib_nh_match+0xf98/0x1130 linux-6.0-rc7/net/ipv4/fib_semantics.c:961\n fib_table_delete+0x5f3/0xa40 linux-6.0-rc7/net/ipv4/fib_trie.c:1753\n inet_rtm_delroute+0x2b3/0x380 linux-6.0-rc7/net/ipv4/fib_frontend.c:874\n\nSeparate nexthop objects are mutually exclusive with the legacy\nmultipath spec. Fix fib_nh_match to return if the config for the\nto be deleted route contains a multipath spec while the fib_info\nis using a nexthop object.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:12:10.647Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/cc3cd130ecfb8b0ae52e235e487bae3f16a24a32", }, { url: "https://git.kernel.org/stable/c/0b5394229ebae09afc07aabccb5ffd705ffd250e", }, { url: "https://git.kernel.org/stable/c/25174d91e4a32a24204060d283bd5fa6d0ddf133", }, { url: "https://git.kernel.org/stable/c/bb20a2ae241be846bc3c11ea4b3a3c69e41d51f2", }, { url: "https://git.kernel.org/stable/c/61b91eb33a69c3be11b259c5ea484505cd79f883", }, ], title: "ipv4: Handle attempt to delete multipath route when fib_info contains an nh reference", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48999", datePublished: "2024-10-21T20:06:14.118Z", dateReserved: "2024-08-22T01:27:53.642Z", dateUpdated: "2024-12-19T08:12:10.647Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49860
Vulnerability from cvelistv5
Published
2024-10-21 12:27
Modified
2024-12-19 09:27
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ACPI: sysfs: validate return type of _STR method
Only buffer objects are valid return values of _STR.
If something else is returned description_show() will access invalid
memory.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: d1efe3c324ead77d3f6cd85093b50f6bd2e17aba Version: d1efe3c324ead77d3f6cd85093b50f6bd2e17aba Version: d1efe3c324ead77d3f6cd85093b50f6bd2e17aba Version: d1efe3c324ead77d3f6cd85093b50f6bd2e17aba Version: d1efe3c324ead77d3f6cd85093b50f6bd2e17aba Version: d1efe3c324ead77d3f6cd85093b50f6bd2e17aba Version: d1efe3c324ead77d3f6cd85093b50f6bd2e17aba Version: d1efe3c324ead77d3f6cd85093b50f6bd2e17aba Version: d1efe3c324ead77d3f6cd85093b50f6bd2e17aba |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49860", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T12:55:46.676497Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:10.485Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/acpi/device_sysfs.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "92fd5209fc014405f63a7db79802ca4b01dc0c05", status: "affected", version: "d1efe3c324ead77d3f6cd85093b50f6bd2e17aba", versionType: "git", }, { lessThan: "2364b6af90c6b6d8a4783e0d3481ca80af699554", status: "affected", version: "d1efe3c324ead77d3f6cd85093b50f6bd2e17aba", versionType: "git", }, { lessThan: "4b081991c4363e072e1748efed0bbec8a77daba5", status: "affected", version: "d1efe3c324ead77d3f6cd85093b50f6bd2e17aba", versionType: "git", }, { lessThan: "0cdfb9178a3bba843c95c2117c82c15f1a64b9ce", status: "affected", version: "d1efe3c324ead77d3f6cd85093b50f6bd2e17aba", versionType: "git", }, { lessThan: "5c8d007c14aefc3f2ddf71e4c40713733dc827be", status: "affected", version: "d1efe3c324ead77d3f6cd85093b50f6bd2e17aba", versionType: "git", }, { lessThan: "f0921ecd4ddc14646bb5511f49db4d7d3b0829f0", status: "affected", version: "d1efe3c324ead77d3f6cd85093b50f6bd2e17aba", versionType: "git", }, { lessThan: "f51e5a88f2e7224858b261546cf6b3037dfb1323", status: "affected", version: "d1efe3c324ead77d3f6cd85093b50f6bd2e17aba", versionType: "git", }, { lessThan: "f51f711d36e61fbb87c67b524fd200e05172668d", status: "affected", version: "d1efe3c324ead77d3f6cd85093b50f6bd2e17aba", versionType: "git", }, { lessThan: "4bb1e7d027413835b086aed35bc3f0713bc0f72b", status: "affected", version: "d1efe3c324ead77d3f6cd85093b50f6bd2e17aba", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/acpi/device_sysfs.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "3.7", }, { lessThan: "3.7", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: sysfs: validate return type of _STR method\n\nOnly buffer objects are valid return values of _STR.\n\nIf something else is returned description_show() will access invalid\nmemory.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:27:44.451Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/92fd5209fc014405f63a7db79802ca4b01dc0c05", }, { url: "https://git.kernel.org/stable/c/2364b6af90c6b6d8a4783e0d3481ca80af699554", }, { url: "https://git.kernel.org/stable/c/4b081991c4363e072e1748efed0bbec8a77daba5", }, { url: "https://git.kernel.org/stable/c/0cdfb9178a3bba843c95c2117c82c15f1a64b9ce", }, { url: "https://git.kernel.org/stable/c/5c8d007c14aefc3f2ddf71e4c40713733dc827be", }, { url: "https://git.kernel.org/stable/c/f0921ecd4ddc14646bb5511f49db4d7d3b0829f0", }, { url: "https://git.kernel.org/stable/c/f51e5a88f2e7224858b261546cf6b3037dfb1323", }, { url: "https://git.kernel.org/stable/c/f51f711d36e61fbb87c67b524fd200e05172668d", }, { url: "https://git.kernel.org/stable/c/4bb1e7d027413835b086aed35bc3f0713bc0f72b", }, ], title: "ACPI: sysfs: validate return type of _STR method", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49860", datePublished: "2024-10-21T12:27:18.640Z", dateReserved: "2024-10-21T12:17:06.017Z", dateUpdated: "2024-12-19T09:27:44.451Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50064
Vulnerability from cvelistv5
Published
2024-10-21 19:39
Modified
2024-12-19 09:32
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
zram: free secondary algorithms names
We need to kfree() secondary algorithms names when reset zram device that
had multi-streams, otherwise we leak memory.
[senozhatsky@chromium.org: kfree(NULL) is legal]
Link: https://lkml.kernel.org/r/20240917013021.868769-1-senozhatsky@chromium.org
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50064", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:22:29.918345Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:41.739Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/block/zram/zram_drv.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "6272936fd242ca1f784c3e21596dfb3859dff276", status: "affected", version: "001d9273570115b2eb360d5452bbc46f6cc063a1", versionType: "git", }, { lessThan: "ef35cc0d15b89dd013e1bb829fe97db7b1ab79eb", status: "affected", version: "001d9273570115b2eb360d5452bbc46f6cc063a1", versionType: "git", }, { lessThan: "684826f8271ad97580b138b9ffd462005e470b99", status: "affected", version: "001d9273570115b2eb360d5452bbc46f6cc063a1", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/block/zram/zram_drv.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.2", }, { lessThan: "6.2", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.57", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.4", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nzram: free secondary algorithms names\n\nWe need to kfree() secondary algorithms names when reset zram device that\nhad multi-streams, otherwise we leak memory.\n\n[senozhatsky@chromium.org: kfree(NULL) is legal]\n Link: https://lkml.kernel.org/r/20240917013021.868769-1-senozhatsky@chromium.org", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:32:17.970Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/6272936fd242ca1f784c3e21596dfb3859dff276", }, { url: "https://git.kernel.org/stable/c/ef35cc0d15b89dd013e1bb829fe97db7b1ab79eb", }, { url: "https://git.kernel.org/stable/c/684826f8271ad97580b138b9ffd462005e470b99", }, ], title: "zram: free secondary algorithms names", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50064", datePublished: "2024-10-21T19:39:52.348Z", dateReserved: "2024-10-21T19:36:19.939Z", dateUpdated: "2024-12-19T09:32:17.970Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50009
Vulnerability from cvelistv5
Published
2024-10-21 18:54
Modified
2025-02-02 10:14
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
cpufreq: amd-pstate: add check for cpufreq_cpu_get's return value
cpufreq_cpu_get may return NULL. To avoid NULL-dereference check it
and return in case of error.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50009", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:28:54.062883Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:39.972Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/cpufreq/amd-pstate.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "cd9f7bf6cad8b2d3876105ce3c9fc63460a046f6", status: "affected", version: "ec437d71db77a181227bf6d0ac9d4a80e58ecf0f", versionType: "git", }, { lessThan: "5f250d44b8191d612355dd97b89b37bbc1b5d2cb", status: "affected", version: "ec437d71db77a181227bf6d0ac9d4a80e58ecf0f", versionType: "git", }, { lessThan: "5493f9714e4cdaf0ee7cec15899a231400cb1a9f", status: "affected", version: "ec437d71db77a181227bf6d0ac9d4a80e58ecf0f", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/cpufreq/amd-pstate.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.17", }, { lessThan: "5.17", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.75", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: amd-pstate: add check for cpufreq_cpu_get's return value\n\ncpufreq_cpu_get may return NULL. To avoid NULL-dereference check it\nand return in case of error.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", }, ], providerMetadata: { dateUpdated: "2025-02-02T10:14:56.358Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/cd9f7bf6cad8b2d3876105ce3c9fc63460a046f6", }, { url: "https://git.kernel.org/stable/c/5f250d44b8191d612355dd97b89b37bbc1b5d2cb", }, { url: "https://git.kernel.org/stable/c/5493f9714e4cdaf0ee7cec15899a231400cb1a9f", }, ], title: "cpufreq: amd-pstate: add check for cpufreq_cpu_get's return value", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50009", datePublished: "2024-10-21T18:54:02.180Z", dateReserved: "2024-10-21T12:17:06.061Z", dateUpdated: "2025-02-02T10:14:56.358Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49990
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-19 09:30
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/xe/hdcp: Check GSC structure validity
Sometimes xe_gsc is not initialized when checked at HDCP capability
check. Add gsc structure check to avoid null pointer error.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49990", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:31:21.654012Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:42.915Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/xe/display/xe_hdcp_gsc.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "c940627857eedca8407b84b40ceb4252b100d291", status: "affected", version: "dd08ebf6c3525a7ea2186e636df064ea47281987", versionType: "git", }, { lessThan: "7266a424b1e502745170322e3c27f697d12de627", status: "affected", version: "dd08ebf6c3525a7ea2186e636df064ea47281987", versionType: "git", }, { lessThan: "b4224f6bae3801d589f815672ec62800a1501b0d", status: "affected", version: "dd08ebf6c3525a7ea2186e636df064ea47281987", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/xe/display/xe_hdcp_gsc.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.8", }, { lessThan: "6.8", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/hdcp: Check GSC structure validity\n\nSometimes xe_gsc is not initialized when checked at HDCP capability\ncheck. Add gsc structure check to avoid null pointer error.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:30:49.552Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/c940627857eedca8407b84b40ceb4252b100d291", }, { url: "https://git.kernel.org/stable/c/7266a424b1e502745170322e3c27f697d12de627", }, { url: "https://git.kernel.org/stable/c/b4224f6bae3801d589f815672ec62800a1501b0d", }, ], title: "drm/xe/hdcp: Check GSC structure validity", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49990", datePublished: "2024-10-21T18:02:33.167Z", dateReserved: "2024-10-21T12:17:06.054Z", dateUpdated: "2024-12-19T09:30:49.552Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50039
Vulnerability from cvelistv5
Published
2024-10-21 19:39
Modified
2024-12-19 09:31
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: accept TCA_STAB only for root qdisc
Most qdiscs maintain their backlog using qdisc_pkt_len(skb)
on the assumption it is invariant between the enqueue()
and dequeue() handlers.
Unfortunately syzbot can crash a host rather easily using
a TBF + SFQ combination, with an STAB on SFQ [1]
We can't support TCA_STAB on arbitrary level, this would
require to maintain per-qdisc storage.
[1]
[ 88.796496] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 88.798611] #PF: supervisor read access in kernel mode
[ 88.799014] #PF: error_code(0x0000) - not-present page
[ 88.799506] PGD 0 P4D 0
[ 88.799829] Oops: Oops: 0000 [#1] SMP NOPTI
[ 88.800569] CPU: 14 UID: 0 PID: 2053 Comm: b371744477 Not tainted 6.12.0-rc1-virtme #1117
[ 88.801107] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 88.801779] RIP: 0010:sfq_dequeue (net/sched/sch_sfq.c:272 net/sched/sch_sfq.c:499) sch_sfq
[ 88.802544] Code: 0f b7 50 12 48 8d 04 d5 00 00 00 00 48 89 d6 48 29 d0 48 8b 91 c0 01 00 00 48 c1 e0 03 48 01 c2 66 83 7a 1a 00 7e c0 48 8b 3a <4c> 8b 07 4c 89 02 49 89 50 08 48 c7 47 08 00 00 00 00 48 c7 07 00
All code
========
0: 0f b7 50 12 movzwl 0x12(%rax),%edx
4: 48 8d 04 d5 00 00 00 lea 0x0(,%rdx,8),%rax
b: 00
c: 48 89 d6 mov %rdx,%rsi
f: 48 29 d0 sub %rdx,%rax
12: 48 8b 91 c0 01 00 00 mov 0x1c0(%rcx),%rdx
19: 48 c1 e0 03 shl $0x3,%rax
1d: 48 01 c2 add %rax,%rdx
20: 66 83 7a 1a 00 cmpw $0x0,0x1a(%rdx)
25: 7e c0 jle 0xffffffffffffffe7
27: 48 8b 3a mov (%rdx),%rdi
2a:* 4c 8b 07 mov (%rdi),%r8 <-- trapping instruction
2d: 4c 89 02 mov %r8,(%rdx)
30: 49 89 50 08 mov %rdx,0x8(%r8)
34: 48 c7 47 08 00 00 00 movq $0x0,0x8(%rdi)
3b: 00
3c: 48 rex.W
3d: c7 .byte 0xc7
3e: 07 (bad)
...
Code starting with the faulting instruction
===========================================
0: 4c 8b 07 mov (%rdi),%r8
3: 4c 89 02 mov %r8,(%rdx)
6: 49 89 50 08 mov %rdx,0x8(%r8)
a: 48 c7 47 08 00 00 00 movq $0x0,0x8(%rdi)
11: 00
12: 48 rex.W
13: c7 .byte 0xc7
14: 07 (bad)
...
[ 88.803721] RSP: 0018:ffff9a1f892b7d58 EFLAGS: 00000206
[ 88.804032] RAX: 0000000000000000 RBX: ffff9a1f8420c800 RCX: ffff9a1f8420c800
[ 88.804560] RDX: ffff9a1f81bc1440 RSI: 0000000000000000 RDI: 0000000000000000
[ 88.805056] RBP: ffffffffc04bb0e0 R08: 0000000000000001 R09: 00000000ff7f9a1f
[ 88.805473] R10: 000000000001001b R11: 0000000000009a1f R12: 0000000000000140
[ 88.806194] R13: 0000000000000001 R14: ffff9a1f886df400 R15: ffff9a1f886df4ac
[ 88.806734] FS: 00007f445601a740(0000) GS:ffff9a2e7fd80000(0000) knlGS:0000000000000000
[ 88.807225] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 88.807672] CR2: 0000000000000000 CR3: 000000050cc46000 CR4: 00000000000006f0
[ 88.808165] Call Trace:
[ 88.808459] <TASK>
[ 88.808710] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434)
[ 88.809261] ? page_fault_oops (arch/x86/mm/fault.c:715)
[ 88.809561] ? exc_page_fault (./arch/x86/include/asm/irqflags.h:26 ./arch/x86/include/asm/irqflags.h:87 ./arch/x86/include/asm/irqflags.h:147 arch/x86/mm/fault.c:1489 arch/x86/mm/fault.c:1539)
[ 88.809806] ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:623)
[ 88.810074] ? sfq_dequeue (net/sched/sch_sfq.c:272 net/sched/sch_sfq.c:499) sch_sfq
[ 88.810411] sfq_reset (net/sched/sch_sfq.c:525) sch_sfq
[ 88.810671] qdisc_reset (./include/linux/skbuff.h:2135 ./include/linux/skbuff.h:2441 ./include/linux/skbuff.h:3304 ./include/linux/skbuff.h:3310 net/sched/sch_g
---truncated---
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 175f9c1bba9b825d22b142d183c9e175488b260c Version: 175f9c1bba9b825d22b142d183c9e175488b260c Version: 175f9c1bba9b825d22b142d183c9e175488b260c Version: 175f9c1bba9b825d22b142d183c9e175488b260c Version: 175f9c1bba9b825d22b142d183c9e175488b260c Version: 175f9c1bba9b825d22b142d183c9e175488b260c Version: 175f9c1bba9b825d22b142d183c9e175488b260c |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50039", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:25:02.696853Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:44.508Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "include/net/sch_generic.h", "net/sched/sch_api.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "2acbb9539bc2284e30d2aeb789c3d96287014264", status: "affected", version: "175f9c1bba9b825d22b142d183c9e175488b260c", versionType: "git", }, { lessThan: "adbc3eef43fc94c7c8436da832691ae02333a972", status: "affected", version: "175f9c1bba9b825d22b142d183c9e175488b260c", versionType: "git", }, { lessThan: "8fb6503592d39065316f45d267c5527b4e7cd995", status: "affected", version: "175f9c1bba9b825d22b142d183c9e175488b260c", versionType: "git", }, { lessThan: "76feedc74b90270390fbfdf74a2e944e96872363", status: "affected", version: "175f9c1bba9b825d22b142d183c9e175488b260c", versionType: "git", }, { lessThan: "1edf039ee01788ffc25625fe58a903ae2efa213e", status: "affected", version: "175f9c1bba9b825d22b142d183c9e175488b260c", versionType: "git", }, { lessThan: "3dc6ee96473cc2962c6db4297d4631f261be150f", status: "affected", version: "175f9c1bba9b825d22b142d183c9e175488b260c", versionType: "git", }, { lessThan: "3cb7cf1540ddff5473d6baeb530228d19bc97b8a", status: "affected", version: "175f9c1bba9b825d22b142d183c9e175488b260c", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "include/net/sch_generic.h", "net/sched/sch_api.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "2.6.27", }, { lessThan: "2.6.27", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.57", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.4", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: accept TCA_STAB only for root qdisc\n\nMost qdiscs maintain their backlog using qdisc_pkt_len(skb)\non the assumption it is invariant between the enqueue()\nand dequeue() handlers.\n\nUnfortunately syzbot can crash a host rather easily using\na TBF + SFQ combination, with an STAB on SFQ [1]\n\nWe can't support TCA_STAB on arbitrary level, this would\nrequire to maintain per-qdisc storage.\n\n[1]\n[ 88.796496] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[ 88.798611] #PF: supervisor read access in kernel mode\n[ 88.799014] #PF: error_code(0x0000) - not-present page\n[ 88.799506] PGD 0 P4D 0\n[ 88.799829] Oops: Oops: 0000 [#1] SMP NOPTI\n[ 88.800569] CPU: 14 UID: 0 PID: 2053 Comm: b371744477 Not tainted 6.12.0-rc1-virtme #1117\n[ 88.801107] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[ 88.801779] RIP: 0010:sfq_dequeue (net/sched/sch_sfq.c:272 net/sched/sch_sfq.c:499) sch_sfq\n[ 88.802544] Code: 0f b7 50 12 48 8d 04 d5 00 00 00 00 48 89 d6 48 29 d0 48 8b 91 c0 01 00 00 48 c1 e0 03 48 01 c2 66 83 7a 1a 00 7e c0 48 8b 3a <4c> 8b 07 4c 89 02 49 89 50 08 48 c7 47 08 00 00 00 00 48 c7 07 00\nAll code\n========\n 0:\t0f b7 50 12 \tmovzwl 0x12(%rax),%edx\n 4:\t48 8d 04 d5 00 00 00 \tlea 0x0(,%rdx,8),%rax\n b:\t00\n c:\t48 89 d6 \tmov %rdx,%rsi\n f:\t48 29 d0 \tsub %rdx,%rax\n 12:\t48 8b 91 c0 01 00 00 \tmov 0x1c0(%rcx),%rdx\n 19:\t48 c1 e0 03 \tshl $0x3,%rax\n 1d:\t48 01 c2 \tadd %rax,%rdx\n 20:\t66 83 7a 1a 00 \tcmpw $0x0,0x1a(%rdx)\n 25:\t7e c0 \tjle 0xffffffffffffffe7\n 27:\t48 8b 3a \tmov (%rdx),%rdi\n 2a:*\t4c 8b 07 \tmov (%rdi),%r8\t\t<-- trapping instruction\n 2d:\t4c 89 02 \tmov %r8,(%rdx)\n 30:\t49 89 50 08 \tmov %rdx,0x8(%r8)\n 34:\t48 c7 47 08 00 00 00 \tmovq $0x0,0x8(%rdi)\n 3b:\t00\n 3c:\t48 \trex.W\n 3d:\tc7 \t.byte 0xc7\n 3e:\t07 \t(bad)\n\t...\n\nCode starting with the faulting instruction\n===========================================\n 0:\t4c 8b 07 \tmov (%rdi),%r8\n 3:\t4c 89 02 \tmov %r8,(%rdx)\n 6:\t49 89 50 08 \tmov %rdx,0x8(%r8)\n a:\t48 c7 47 08 00 00 00 \tmovq $0x0,0x8(%rdi)\n 11:\t00\n 12:\t48 \trex.W\n 13:\tc7 \t.byte 0xc7\n 14:\t07 \t(bad)\n\t...\n[ 88.803721] RSP: 0018:ffff9a1f892b7d58 EFLAGS: 00000206\n[ 88.804032] RAX: 0000000000000000 RBX: ffff9a1f8420c800 RCX: ffff9a1f8420c800\n[ 88.804560] RDX: ffff9a1f81bc1440 RSI: 0000000000000000 RDI: 0000000000000000\n[ 88.805056] RBP: ffffffffc04bb0e0 R08: 0000000000000001 R09: 00000000ff7f9a1f\n[ 88.805473] R10: 000000000001001b R11: 0000000000009a1f R12: 0000000000000140\n[ 88.806194] R13: 0000000000000001 R14: ffff9a1f886df400 R15: ffff9a1f886df4ac\n[ 88.806734] FS: 00007f445601a740(0000) GS:ffff9a2e7fd80000(0000) knlGS:0000000000000000\n[ 88.807225] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 88.807672] CR2: 0000000000000000 CR3: 000000050cc46000 CR4: 00000000000006f0\n[ 88.808165] Call Trace:\n[ 88.808459] <TASK>\n[ 88.808710] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434)\n[ 88.809261] ? page_fault_oops (arch/x86/mm/fault.c:715)\n[ 88.809561] ? exc_page_fault (./arch/x86/include/asm/irqflags.h:26 ./arch/x86/include/asm/irqflags.h:87 ./arch/x86/include/asm/irqflags.h:147 arch/x86/mm/fault.c:1489 arch/x86/mm/fault.c:1539)\n[ 88.809806] ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:623)\n[ 88.810074] ? sfq_dequeue (net/sched/sch_sfq.c:272 net/sched/sch_sfq.c:499) sch_sfq\n[ 88.810411] sfq_reset (net/sched/sch_sfq.c:525) sch_sfq\n[ 88.810671] qdisc_reset (./include/linux/skbuff.h:2135 ./include/linux/skbuff.h:2441 ./include/linux/skbuff.h:3304 ./include/linux/skbuff.h:3310 net/sched/sch_g\n---truncated---", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:31:53.542Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/2acbb9539bc2284e30d2aeb789c3d96287014264", }, { url: "https://git.kernel.org/stable/c/adbc3eef43fc94c7c8436da832691ae02333a972", }, { url: "https://git.kernel.org/stable/c/8fb6503592d39065316f45d267c5527b4e7cd995", }, { url: "https://git.kernel.org/stable/c/76feedc74b90270390fbfdf74a2e944e96872363", }, { url: "https://git.kernel.org/stable/c/1edf039ee01788ffc25625fe58a903ae2efa213e", }, { url: "https://git.kernel.org/stable/c/3dc6ee96473cc2962c6db4297d4631f261be150f", }, { url: "https://git.kernel.org/stable/c/3cb7cf1540ddff5473d6baeb530228d19bc97b8a", }, ], title: "net/sched: accept TCA_STAB only for root qdisc", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50039", datePublished: "2024-10-21T19:39:39.115Z", dateReserved: "2024-10-21T12:17:06.070Z", dateUpdated: "2024-12-19T09:31:53.542Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49871
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:27
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Input: adp5589-keys - fix NULL pointer dereference
We register a devm action to call adp5589_clear_config() and then pass
the i2c client as argument so that we can call i2c_get_clientdata() in
order to get our device object. However, i2c_set_clientdata() is only
being set at the end of the probe function which means that we'll get a
NULL pointer dereference in case the probe function fails early.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 30df385e35a48f773b85117fc490152c2395e45b Version: 30df385e35a48f773b85117fc490152c2395e45b Version: 30df385e35a48f773b85117fc490152c2395e45b Version: 30df385e35a48f773b85117fc490152c2395e45b Version: 30df385e35a48f773b85117fc490152c2395e45b Version: 30df385e35a48f773b85117fc490152c2395e45b |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49871", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:46:56.372776Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:51.909Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/input/keyboard/adp5589-keys.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "4449fedb8a710043fc0925409eba844c192d4337", status: "affected", version: "30df385e35a48f773b85117fc490152c2395e45b", versionType: "git", }, { lessThan: "34e304cc53ae5d3c8e3f08b41dd11e0d4f3e01ed", status: "affected", version: "30df385e35a48f773b85117fc490152c2395e45b", versionType: "git", }, { lessThan: "7c3f04223aaf82489472d614c6decee5a1ce8d7f", status: "affected", version: "30df385e35a48f773b85117fc490152c2395e45b", versionType: "git", }, { lessThan: "9a38791ee79bd17d225c15a6d1479448be127a59", status: "affected", version: "30df385e35a48f773b85117fc490152c2395e45b", versionType: "git", }, { lessThan: "122b160561f6429701a0559a0f39b0ae309488c6", status: "affected", version: "30df385e35a48f773b85117fc490152c2395e45b", versionType: "git", }, { lessThan: "fb5cc65f973661241e4a2b7390b429aa7b330c69", status: "affected", version: "30df385e35a48f773b85117fc490152c2395e45b", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/input/keyboard/adp5589-keys.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.11", }, { lessThan: "5.11", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: adp5589-keys - fix NULL pointer dereference\n\nWe register a devm action to call adp5589_clear_config() and then pass\nthe i2c client as argument so that we can call i2c_get_clientdata() in\norder to get our device object. However, i2c_set_clientdata() is only\nbeing set at the end of the probe function which means that we'll get a\nNULL pointer dereference in case the probe function fails early.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:27:58.639Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/4449fedb8a710043fc0925409eba844c192d4337", }, { url: "https://git.kernel.org/stable/c/34e304cc53ae5d3c8e3f08b41dd11e0d4f3e01ed", }, { url: "https://git.kernel.org/stable/c/7c3f04223aaf82489472d614c6decee5a1ce8d7f", }, { url: "https://git.kernel.org/stable/c/9a38791ee79bd17d225c15a6d1479448be127a59", }, { url: "https://git.kernel.org/stable/c/122b160561f6429701a0559a0f39b0ae309488c6", }, { url: "https://git.kernel.org/stable/c/fb5cc65f973661241e4a2b7390b429aa7b330c69", }, ], title: "Input: adp5589-keys - fix NULL pointer dereference", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49871", datePublished: "2024-10-21T18:01:12.711Z", dateReserved: "2024-10-21T12:17:06.019Z", dateUpdated: "2024-12-19T09:27:58.639Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49928
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:29
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtw89: avoid reading out of bounds when loading TX power FW elements
Because the loop-expression will do one more time before getting false from
cond-expression, the original code copied one more entry size beyond valid
region.
Fix it by moving the entry copy to loop-body.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49928", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:39:26.927327Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:43.678Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/wireless/realtek/rtw89/core.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "83c84cdb75572048b67d6a3916283aeac865996e", status: "affected", version: "e3ec7017f6a20d12ddd9fe23d345ebb7b8c104dd", versionType: "git", }, { lessThan: "4007c3d2da31d0c755ea3fcf55e395118e5d5621", status: "affected", version: "e3ec7017f6a20d12ddd9fe23d345ebb7b8c104dd", versionType: "git", }, { lessThan: "ed2e4bb17a4884cf29c3347353d8aabb7265b46c", status: "affected", version: "e3ec7017f6a20d12ddd9fe23d345ebb7b8c104dd", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/wireless/realtek/rtw89/core.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.16", }, { lessThan: "5.16", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: avoid reading out of bounds when loading TX power FW elements\n\nBecause the loop-expression will do one more time before getting false from\ncond-expression, the original code copied one more entry size beyond valid\nregion.\n\nFix it by moving the entry copy to loop-body.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:29:13.499Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/83c84cdb75572048b67d6a3916283aeac865996e", }, { url: "https://git.kernel.org/stable/c/4007c3d2da31d0c755ea3fcf55e395118e5d5621", }, { url: "https://git.kernel.org/stable/c/ed2e4bb17a4884cf29c3347353d8aabb7265b46c", }, ], title: "wifi: rtw89: avoid reading out of bounds when loading TX power FW elements", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49928", datePublished: "2024-10-21T18:01:51.782Z", dateReserved: "2024-10-21T12:17:06.039Z", dateUpdated: "2024-12-19T09:29:13.499Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47707
Vulnerability from cvelistv5
Published
2024-10-21 11:53
Modified
2025-02-02 10:14
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: avoid possible NULL deref in rt6_uncached_list_flush_dev()
Blamed commit accidentally removed a check for rt->rt6i_idev being NULL,
as spotted by syzbot:
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 UID: 0 PID: 10998 Comm: syz-executor Not tainted 6.11.0-rc6-syzkaller-00208-g625403177711 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
RIP: 0010:rt6_uncached_list_flush_dev net/ipv6/route.c:177 [inline]
RIP: 0010:rt6_disable_ip+0x33e/0x7e0 net/ipv6/route.c:4914
Code: 41 80 3c 04 00 74 0a e8 90 d0 9b f7 48 8b 7c 24 08 48 8b 07 48 89 44 24 10 4c 89 f0 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 4c 89 f7 e8 64 d0 9b f7 48 8b 44 24 18 49 39 06
RSP: 0018:ffffc900047374e0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 1ffff1100fdf8f33 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff88807efc78c0
RBP: ffffc900047375d0 R08: 0000000000000003 R09: fffff520008e6e8c
R10: dffffc0000000000 R11: fffff520008e6e8c R12: 1ffff1100fdf8f18
R13: ffff88807efc7998 R14: 0000000000000000 R15: ffff88807efc7930
FS: 0000000000000000(0000) GS:ffff8880b8900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020002a80 CR3: 0000000022f62000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
addrconf_ifdown+0x15d/0x1bd0 net/ipv6/addrconf.c:3856
addrconf_notify+0x3cb/0x1020
notifier_call_chain+0x19f/0x3e0 kernel/notifier.c:93
call_netdevice_notifiers_extack net/core/dev.c:2032 [inline]
call_netdevice_notifiers net/core/dev.c:2046 [inline]
unregister_netdevice_many_notify+0xd81/0x1c40 net/core/dev.c:11352
unregister_netdevice_many net/core/dev.c:11414 [inline]
unregister_netdevice_queue+0x303/0x370 net/core/dev.c:11289
unregister_netdevice include/linux/netdevice.h:3129 [inline]
__tun_detach+0x6b9/0x1600 drivers/net/tun.c:685
tun_detach drivers/net/tun.c:701 [inline]
tun_chr_close+0x108/0x1b0 drivers/net/tun.c:3510
__fput+0x24a/0x8a0 fs/file_table.c:422
task_work_run+0x24f/0x310 kernel/task_work.c:228
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0xa2f/0x27f0 kernel/exit.c:882
do_group_exit+0x207/0x2c0 kernel/exit.c:1031
__do_sys_exit_group kernel/exit.c:1042 [inline]
__se_sys_exit_group kernel/exit.c:1040 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1040
x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f1acc77def9
Code: Unable to access opcode bytes at 0x7f1acc77decf.
RSP: 002b:00007ffeb26fa738 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1acc77def9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000043
RBP: 00007f1acc7dd508 R08: 00007ffeb26f84d7 R09: 0000000000000003
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 0000000000000003 R14: 00000000ffffffff R15: 00007ffeb26fa8e0
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:rt6_uncached_list_flush_dev net/ipv6/route.c:177 [inline]
RIP: 0010:rt6_disable_ip+0x33e/0x7e0 net/ipv6/route.c:4914
Code: 41 80 3c 04 00 74 0a e8 90 d0 9b f7 48 8b 7c 24 08 48 8b 07 48 89 44 24 10 4c 89 f0 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 4c 89 f7 e8 64 d0 9b f7 48 8b 44 24 18 49 39 06
RSP: 0018:ffffc900047374e0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 1ffff1100fdf8f33 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff88807efc78c0
R
---truncated---
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: e332bc67cf5e5e5b71a1aec9750d0791aac65183 Version: e332bc67cf5e5e5b71a1aec9750d0791aac65183 Version: e332bc67cf5e5e5b71a1aec9750d0791aac65183 Version: e332bc67cf5e5e5b71a1aec9750d0791aac65183 Version: e332bc67cf5e5e5b71a1aec9750d0791aac65183 Version: e332bc67cf5e5e5b71a1aec9750d0791aac65183 Version: e332bc67cf5e5e5b71a1aec9750d0791aac65183 Version: e332bc67cf5e5e5b71a1aec9750d0791aac65183 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47707", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:03:46.574363Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:19.553Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/ipv6/route.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "a61a174280dad99f25a7dee920310885daf2552b", status: "affected", version: "e332bc67cf5e5e5b71a1aec9750d0791aac65183", versionType: "git", }, { lessThan: "8a8b83016f06805775db099c8377024b6fa5b975", status: "affected", version: "e332bc67cf5e5e5b71a1aec9750d0791aac65183", versionType: "git", }, { lessThan: "e43dd28405e6b9935279996725ee11e6306547a5", status: "affected", version: "e332bc67cf5e5e5b71a1aec9750d0791aac65183", versionType: "git", }, { lessThan: "f2bd9635543ca41533b870f420872819f8331823", status: "affected", version: "e332bc67cf5e5e5b71a1aec9750d0791aac65183", versionType: "git", }, { lessThan: "0ceb2f2b5c813f932d6e60d3feec5e7e713da783", status: "affected", version: "e332bc67cf5e5e5b71a1aec9750d0791aac65183", versionType: "git", }, { lessThan: "9a0ddc73be37d19dff1ba08290af34e707d18e50", status: "affected", version: "e332bc67cf5e5e5b71a1aec9750d0791aac65183", versionType: "git", }, { lessThan: "08409e401622e2896b4313be9f781bde8a2a6a53", status: "affected", version: "e332bc67cf5e5e5b71a1aec9750d0791aac65183", versionType: "git", }, { lessThan: "04ccecfa959d3b9ae7348780d8e379c6486176ac", status: "affected", version: "e332bc67cf5e5e5b71a1aec9750d0791aac65183", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/ipv6/route.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "4.3", }, { lessThan: "4.3", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.290", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.234", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.177", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: avoid possible NULL deref in rt6_uncached_list_flush_dev()\n\nBlamed commit accidentally removed a check for rt->rt6i_idev being NULL,\nas spotted by syzbot:\n\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 1 UID: 0 PID: 10998 Comm: syz-executor Not tainted 6.11.0-rc6-syzkaller-00208-g625403177711 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024\n RIP: 0010:rt6_uncached_list_flush_dev net/ipv6/route.c:177 [inline]\n RIP: 0010:rt6_disable_ip+0x33e/0x7e0 net/ipv6/route.c:4914\nCode: 41 80 3c 04 00 74 0a e8 90 d0 9b f7 48 8b 7c 24 08 48 8b 07 48 89 44 24 10 4c 89 f0 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 4c 89 f7 e8 64 d0 9b f7 48 8b 44 24 18 49 39 06\nRSP: 0018:ffffc900047374e0 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 1ffff1100fdf8f33 RCX: dffffc0000000000\nRDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff88807efc78c0\nRBP: ffffc900047375d0 R08: 0000000000000003 R09: fffff520008e6e8c\nR10: dffffc0000000000 R11: fffff520008e6e8c R12: 1ffff1100fdf8f18\nR13: ffff88807efc7998 R14: 0000000000000000 R15: ffff88807efc7930\nFS: 0000000000000000(0000) GS:ffff8880b8900000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020002a80 CR3: 0000000022f62000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n addrconf_ifdown+0x15d/0x1bd0 net/ipv6/addrconf.c:3856\n addrconf_notify+0x3cb/0x1020\n notifier_call_chain+0x19f/0x3e0 kernel/notifier.c:93\n call_netdevice_notifiers_extack net/core/dev.c:2032 [inline]\n call_netdevice_notifiers net/core/dev.c:2046 [inline]\n unregister_netdevice_many_notify+0xd81/0x1c40 net/core/dev.c:11352\n unregister_netdevice_many net/core/dev.c:11414 [inline]\n unregister_netdevice_queue+0x303/0x370 net/core/dev.c:11289\n unregister_netdevice include/linux/netdevice.h:3129 [inline]\n __tun_detach+0x6b9/0x1600 drivers/net/tun.c:685\n tun_detach drivers/net/tun.c:701 [inline]\n tun_chr_close+0x108/0x1b0 drivers/net/tun.c:3510\n __fput+0x24a/0x8a0 fs/file_table.c:422\n task_work_run+0x24f/0x310 kernel/task_work.c:228\n exit_task_work include/linux/task_work.h:40 [inline]\n do_exit+0xa2f/0x27f0 kernel/exit.c:882\n do_group_exit+0x207/0x2c0 kernel/exit.c:1031\n __do_sys_exit_group kernel/exit.c:1042 [inline]\n __se_sys_exit_group kernel/exit.c:1040 [inline]\n __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1040\n x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f1acc77def9\nCode: Unable to access opcode bytes at 0x7f1acc77decf.\nRSP: 002b:00007ffeb26fa738 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1acc77def9\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000043\nRBP: 00007f1acc7dd508 R08: 00007ffeb26f84d7 R09: 0000000000000003\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001\nR13: 0000000000000003 R14: 00000000ffffffff R15: 00007ffeb26fa8e0\n </TASK>\nModules linked in:\n---[ end trace 0000000000000000 ]---\n RIP: 0010:rt6_uncached_list_flush_dev net/ipv6/route.c:177 [inline]\n RIP: 0010:rt6_disable_ip+0x33e/0x7e0 net/ipv6/route.c:4914\nCode: 41 80 3c 04 00 74 0a e8 90 d0 9b f7 48 8b 7c 24 08 48 8b 07 48 89 44 24 10 4c 89 f0 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 4c 89 f7 e8 64 d0 9b f7 48 8b 44 24 18 49 39 06\nRSP: 0018:ffffc900047374e0 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 1ffff1100fdf8f33 RCX: dffffc0000000000\nRDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff88807efc78c0\nR\n---truncated---", }, ], providerMetadata: { dateUpdated: "2025-02-02T10:14:41.260Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/a61a174280dad99f25a7dee920310885daf2552b", }, { url: "https://git.kernel.org/stable/c/8a8b83016f06805775db099c8377024b6fa5b975", }, { url: "https://git.kernel.org/stable/c/e43dd28405e6b9935279996725ee11e6306547a5", }, { url: "https://git.kernel.org/stable/c/f2bd9635543ca41533b870f420872819f8331823", }, { url: "https://git.kernel.org/stable/c/0ceb2f2b5c813f932d6e60d3feec5e7e713da783", }, { url: "https://git.kernel.org/stable/c/9a0ddc73be37d19dff1ba08290af34e707d18e50", }, { url: "https://git.kernel.org/stable/c/08409e401622e2896b4313be9f781bde8a2a6a53", }, { url: "https://git.kernel.org/stable/c/04ccecfa959d3b9ae7348780d8e379c6486176ac", }, ], title: "ipv6: avoid possible NULL deref in rt6_uncached_list_flush_dev()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47707", datePublished: "2024-10-21T11:53:41.417Z", dateReserved: "2024-09-30T16:00:12.946Z", dateUpdated: "2025-02-02T10:14:41.260Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47738
Vulnerability from cvelistv5
Published
2024-10-21 12:14
Modified
2024-12-19 09:27
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: don't use rate mask for offchannel TX either
Like the commit ab9177d83c04 ("wifi: mac80211: don't use rate mask for
scanning"), ignore incorrect settings to avoid no supported rate warning
reported by syzbot.
The syzbot did bisect and found cause is commit 9df66d5b9f45 ("cfg80211:
fix default HE tx bitrate mask in 2G band"), which however corrects
bitmask of HE MCS and recognizes correctly settings of empty legacy rate
plus HE MCS rate instead of returning -EINVAL.
As suggestions [1], follow the change of SCAN TX to consider this case of
offchannel TX as well.
[1] https://lore.kernel.org/linux-wireless/6ab2dc9c3afe753ca6fdcdd1421e7a1f47e87b84.camel@sipsolutions.net/T/#m2ac2a6d2be06a37c9c47a3d8a44b4f647ed4f024
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 9df66d5b9f45c39b3925d16e8947cc10009b186d Version: 9df66d5b9f45c39b3925d16e8947cc10009b186d Version: 9df66d5b9f45c39b3925d16e8947cc10009b186d Version: 9df66d5b9f45c39b3925d16e8947cc10009b186d Version: 9df66d5b9f45c39b3925d16e8947cc10009b186d |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47738", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T12:59:35.373697Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:14.864Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "include/net/mac80211.h", "net/mac80211/offchannel.c", "net/mac80211/rate.c", "net/mac80211/scan.c", "net/mac80211/tx.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "aafca50e71dc8f3192a5bfb325135a7908f3ef9e", status: "affected", version: "9df66d5b9f45c39b3925d16e8947cc10009b186d", versionType: "git", }, { lessThan: "d54455a3a965feb547711aff7afd2ca5deadb99c", status: "affected", version: "9df66d5b9f45c39b3925d16e8947cc10009b186d", versionType: "git", }, { lessThan: "3565ef215101ffadb5fe5394c70b1fca51376b25", status: "affected", version: "9df66d5b9f45c39b3925d16e8947cc10009b186d", versionType: "git", }, { lessThan: "43897111481b679508711d3ca881c4c6593e9247", status: "affected", version: "9df66d5b9f45c39b3925d16e8947cc10009b186d", versionType: "git", }, { lessThan: "e7a7ef9a0742dbd0818d5b15fba2c5313ace765b", status: "affected", version: "9df66d5b9f45c39b3925d16e8947cc10009b186d", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "include/net/mac80211.h", "net/mac80211/offchannel.c", "net/mac80211/rate.c", "net/mac80211/scan.c", "net/mac80211/tx.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.14", }, { lessThan: "5.14", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: don't use rate mask for offchannel TX either\n\nLike the commit ab9177d83c04 (\"wifi: mac80211: don't use rate mask for\nscanning\"), ignore incorrect settings to avoid no supported rate warning\nreported by syzbot.\n\nThe syzbot did bisect and found cause is commit 9df66d5b9f45 (\"cfg80211:\nfix default HE tx bitrate mask in 2G band\"), which however corrects\nbitmask of HE MCS and recognizes correctly settings of empty legacy rate\nplus HE MCS rate instead of returning -EINVAL.\n\nAs suggestions [1], follow the change of SCAN TX to consider this case of\noffchannel TX as well.\n\n[1] https://lore.kernel.org/linux-wireless/6ab2dc9c3afe753ca6fdcdd1421e7a1f47e87b84.camel@sipsolutions.net/T/#m2ac2a6d2be06a37c9c47a3d8a44b4f647ed4f024", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:27:07.664Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/aafca50e71dc8f3192a5bfb325135a7908f3ef9e", }, { url: "https://git.kernel.org/stable/c/d54455a3a965feb547711aff7afd2ca5deadb99c", }, { url: "https://git.kernel.org/stable/c/3565ef215101ffadb5fe5394c70b1fca51376b25", }, { url: "https://git.kernel.org/stable/c/43897111481b679508711d3ca881c4c6593e9247", }, { url: "https://git.kernel.org/stable/c/e7a7ef9a0742dbd0818d5b15fba2c5313ace765b", }, ], title: "wifi: mac80211: don't use rate mask for offchannel TX either", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47738", datePublished: "2024-10-21T12:14:07.825Z", dateReserved: "2024-09-30T16:00:12.959Z", dateUpdated: "2024-12-19T09:27:07.664Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48977
Vulnerability from cvelistv5
Published
2024-10-21 20:05
Modified
2024-12-19 08:11
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: af_can: fix NULL pointer dereference in can_rcv_filter
Analogue to commit 8aa59e355949 ("can: af_can: fix NULL pointer
dereference in can_rx_register()") we need to check for a missing
initialization of ml_priv in the receive path of CAN frames.
Since commit 4e096a18867a ("net: introduce CAN specific pointer in the
struct net_device") the check for dev->type to be ARPHRD_CAN is not
sufficient anymore since bonding or tun netdevices claim to be CAN
devices but do not initialize ml_priv accordingly.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 4ac1feff6ea6495cbfd336f4438a6c6d140544a6 Version: 1a5751d58b14195f763b8c1d9ef33fb8a93e95e7 Version: 4e096a18867a5a989b510f6999d9c6b6622e8f7b Version: 4e096a18867a5a989b510f6999d9c6b6622e8f7b Version: 4e096a18867a5a989b510f6999d9c6b6622e8f7b |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48977", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:18:20.904853Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:44.387Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/can/af_can.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "3982652957e8d79ac32efcb725450580650a8644", status: "affected", version: "4ac1feff6ea6495cbfd336f4438a6c6d140544a6", versionType: "git", }, { lessThan: "c42221efb1159d6a3c89e96685ee38acdce86b6f", status: "affected", version: "1a5751d58b14195f763b8c1d9ef33fb8a93e95e7", versionType: "git", }, { lessThan: "c142cba37de29f740a3852f01f59876af8ae462a", status: "affected", version: "4e096a18867a5a989b510f6999d9c6b6622e8f7b", versionType: "git", }, { lessThan: "fcc63f2f7ee3038d53216edd0d8291e57c752557", status: "affected", version: "4e096a18867a5a989b510f6999d9c6b6622e8f7b", versionType: "git", }, { lessThan: "0acc442309a0a1b01bcdaa135e56e6398a49439c", status: "affected", version: "4e096a18867a5a989b510f6999d9c6b6622e8f7b", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/can/af_can.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.12", }, { lessThan: "5.12", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.227", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.159", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.83", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.13", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: af_can: fix NULL pointer dereference in can_rcv_filter\n\nAnalogue to commit 8aa59e355949 (\"can: af_can: fix NULL pointer\ndereference in can_rx_register()\") we need to check for a missing\ninitialization of ml_priv in the receive path of CAN frames.\n\nSince commit 4e096a18867a (\"net: introduce CAN specific pointer in the\nstruct net_device\") the check for dev->type to be ARPHRD_CAN is not\nsufficient anymore since bonding or tun netdevices claim to be CAN\ndevices but do not initialize ml_priv accordingly.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:11:46.166Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/3982652957e8d79ac32efcb725450580650a8644", }, { url: "https://git.kernel.org/stable/c/c42221efb1159d6a3c89e96685ee38acdce86b6f", }, { url: "https://git.kernel.org/stable/c/c142cba37de29f740a3852f01f59876af8ae462a", }, { url: "https://git.kernel.org/stable/c/fcc63f2f7ee3038d53216edd0d8291e57c752557", }, { url: "https://git.kernel.org/stable/c/0acc442309a0a1b01bcdaa135e56e6398a49439c", }, ], title: "can: af_can: fix NULL pointer dereference in can_rcv_filter", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48977", datePublished: "2024-10-21T20:05:56.389Z", dateReserved: "2024-08-22T01:27:53.632Z", dateUpdated: "2024-12-19T08:11:46.166Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49934
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:29
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs/inode: Prevent dump_mapping() accessing invalid dentry.d_name.name
It's observed that a crash occurs during hot-remove a memory device,
in which user is accessing the hugetlb. See calltrace as following:
------------[ cut here ]------------
WARNING: CPU: 1 PID: 14045 at arch/x86/mm/fault.c:1278 do_user_addr_fault+0x2a0/0x790
Modules linked in: kmem device_dax cxl_mem cxl_pmem cxl_port cxl_pci dax_hmem dax_pmem nd_pmem cxl_acpi nd_btt cxl_core crc32c_intel nvme virtiofs fuse nvme_core nfit libnvdimm dm_multipath scsi_dh_rdac scsi_dh_emc s
mirror dm_region_hash dm_log dm_mod
CPU: 1 PID: 14045 Comm: daxctl Not tainted 6.10.0-rc2-lizhijian+ #492
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
RIP: 0010:do_user_addr_fault+0x2a0/0x790
Code: 48 8b 00 a8 04 0f 84 b5 fe ff ff e9 1c ff ff ff 4c 89 e9 4c 89 e2 be 01 00 00 00 bf 02 00 00 00 e8 b5 ef 24 00 e9 42 fe ff ff <0f> 0b 48 83 c4 08 4c 89 ea 48 89 ee 4c 89 e7 5b 5d 41 5c 41 5d 41
RSP: 0000:ffffc90000a575f0 EFLAGS: 00010046
RAX: ffff88800c303600 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000001000 RSI: ffffffff82504162 RDI: ffffffff824b2c36
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffc90000a57658
R13: 0000000000001000 R14: ffff88800bc2e040 R15: 0000000000000000
FS: 00007f51cb57d880(0000) GS:ffff88807fd00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000001000 CR3: 00000000072e2004 CR4: 00000000001706f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
? __warn+0x8d/0x190
? do_user_addr_fault+0x2a0/0x790
? report_bug+0x1c3/0x1d0
? handle_bug+0x3c/0x70
? exc_invalid_op+0x14/0x70
? asm_exc_invalid_op+0x16/0x20
? do_user_addr_fault+0x2a0/0x790
? exc_page_fault+0x31/0x200
exc_page_fault+0x68/0x200
<...snip...>
BUG: unable to handle page fault for address: 0000000000001000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 800000000ad92067 P4D 800000000ad92067 PUD 7677067 PMD 0
Oops: Oops: 0000 [#1] PREEMPT SMP PTI
---[ end trace 0000000000000000 ]---
BUG: unable to handle page fault for address: 0000000000001000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 800000000ad92067 P4D 800000000ad92067 PUD 7677067 PMD 0
Oops: Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 1 PID: 14045 Comm: daxctl Kdump: loaded Tainted: G W 6.10.0-rc2-lizhijian+ #492
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
RIP: 0010:dentry_name+0x1f4/0x440
<...snip...>
? dentry_name+0x2fa/0x440
vsnprintf+0x1f3/0x4f0
vprintk_store+0x23a/0x540
vprintk_emit+0x6d/0x330
_printk+0x58/0x80
dump_mapping+0x10b/0x1a0
? __pfx_free_object_rcu+0x10/0x10
__dump_page+0x26b/0x3e0
? vprintk_emit+0xe0/0x330
? _printk+0x58/0x80
? dump_page+0x17/0x50
dump_page+0x17/0x50
do_migrate_range+0x2f7/0x7f0
? do_migrate_range+0x42/0x7f0
? offline_pages+0x2f4/0x8c0
offline_pages+0x60a/0x8c0
memory_subsys_offline+0x9f/0x1c0
? lockdep_hardirqs_on+0x77/0x100
? _raw_spin_unlock_irqrestore+0x38/0x60
device_offline+0xe3/0x110
state_store+0x6e/0xc0
kernfs_fop_write_iter+0x143/0x200
vfs_write+0x39f/0x560
ksys_write+0x65/0xf0
do_syscall_64+0x62/0x130
Previously, some sanity check have been done in dump_mapping() before
the print facility parsing '%pd' though, it's still possible to run into
an invalid dentry.d_name.name.
Since dump_mapping() only needs to dump the filename only, retrieve it
by itself in a safer way to prevent an unnecessary crash.
Note that either retrieving the filename with '%pd' or
strncpy_from_kernel_nofault(), the filename could be unreliable.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49934", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:38:39.445288Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:42.703Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/inode.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "1a4159138e718db6199f0abf376ad52f726dcc5c", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "e0f6ee75f50476607ca82fc7c3711c795ce09b52", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "f92b8829c6e75632de4e2b9f70e7a7e6c5c2ba98", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "ef921bc72328b577cb45772ff7921cba4773b74a", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "7f7b850689ac06a62befe26e1fd1806799e7f152", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/inode.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.120", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.64", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/inode: Prevent dump_mapping() accessing invalid dentry.d_name.name\n\nIt's observed that a crash occurs during hot-remove a memory device,\nin which user is accessing the hugetlb. See calltrace as following:\n\n------------[ cut here ]------------\nWARNING: CPU: 1 PID: 14045 at arch/x86/mm/fault.c:1278 do_user_addr_fault+0x2a0/0x790\nModules linked in: kmem device_dax cxl_mem cxl_pmem cxl_port cxl_pci dax_hmem dax_pmem nd_pmem cxl_acpi nd_btt cxl_core crc32c_intel nvme virtiofs fuse nvme_core nfit libnvdimm dm_multipath scsi_dh_rdac scsi_dh_emc s\nmirror dm_region_hash dm_log dm_mod\nCPU: 1 PID: 14045 Comm: daxctl Not tainted 6.10.0-rc2-lizhijian+ #492\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\nRIP: 0010:do_user_addr_fault+0x2a0/0x790\nCode: 48 8b 00 a8 04 0f 84 b5 fe ff ff e9 1c ff ff ff 4c 89 e9 4c 89 e2 be 01 00 00 00 bf 02 00 00 00 e8 b5 ef 24 00 e9 42 fe ff ff <0f> 0b 48 83 c4 08 4c 89 ea 48 89 ee 4c 89 e7 5b 5d 41 5c 41 5d 41\nRSP: 0000:ffffc90000a575f0 EFLAGS: 00010046\nRAX: ffff88800c303600 RBX: 0000000000000000 RCX: 0000000000000000\nRDX: 0000000000001000 RSI: ffffffff82504162 RDI: ffffffff824b2c36\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: ffffc90000a57658\nR13: 0000000000001000 R14: ffff88800bc2e040 R15: 0000000000000000\nFS: 00007f51cb57d880(0000) GS:ffff88807fd00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000001000 CR3: 00000000072e2004 CR4: 00000000001706f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n ? __warn+0x8d/0x190\n ? do_user_addr_fault+0x2a0/0x790\n ? report_bug+0x1c3/0x1d0\n ? handle_bug+0x3c/0x70\n ? exc_invalid_op+0x14/0x70\n ? asm_exc_invalid_op+0x16/0x20\n ? do_user_addr_fault+0x2a0/0x790\n ? exc_page_fault+0x31/0x200\n exc_page_fault+0x68/0x200\n<...snip...>\nBUG: unable to handle page fault for address: 0000000000001000\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 800000000ad92067 P4D 800000000ad92067 PUD 7677067 PMD 0\n Oops: Oops: 0000 [#1] PREEMPT SMP PTI\n ---[ end trace 0000000000000000 ]---\n BUG: unable to handle page fault for address: 0000000000001000\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 800000000ad92067 P4D 800000000ad92067 PUD 7677067 PMD 0\n Oops: Oops: 0000 [#1] PREEMPT SMP PTI\n CPU: 1 PID: 14045 Comm: daxctl Kdump: loaded Tainted: G W 6.10.0-rc2-lizhijian+ #492\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\n RIP: 0010:dentry_name+0x1f4/0x440\n<...snip...>\n? dentry_name+0x2fa/0x440\nvsnprintf+0x1f3/0x4f0\nvprintk_store+0x23a/0x540\nvprintk_emit+0x6d/0x330\n_printk+0x58/0x80\ndump_mapping+0x10b/0x1a0\n? __pfx_free_object_rcu+0x10/0x10\n__dump_page+0x26b/0x3e0\n? vprintk_emit+0xe0/0x330\n? _printk+0x58/0x80\n? dump_page+0x17/0x50\ndump_page+0x17/0x50\ndo_migrate_range+0x2f7/0x7f0\n? do_migrate_range+0x42/0x7f0\n? offline_pages+0x2f4/0x8c0\noffline_pages+0x60a/0x8c0\nmemory_subsys_offline+0x9f/0x1c0\n? lockdep_hardirqs_on+0x77/0x100\n? _raw_spin_unlock_irqrestore+0x38/0x60\ndevice_offline+0xe3/0x110\nstate_store+0x6e/0xc0\nkernfs_fop_write_iter+0x143/0x200\nvfs_write+0x39f/0x560\nksys_write+0x65/0xf0\ndo_syscall_64+0x62/0x130\n\nPreviously, some sanity check have been done in dump_mapping() before\nthe print facility parsing '%pd' though, it's still possible to run into\nan invalid dentry.d_name.name.\n\nSince dump_mapping() only needs to dump the filename only, retrieve it\nby itself in a safer way to prevent an unnecessary crash.\n\nNote that either retrieving the filename with '%pd' or\nstrncpy_from_kernel_nofault(), the filename could be unreliable.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:29:20.775Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/1a4159138e718db6199f0abf376ad52f726dcc5c", }, { url: "https://git.kernel.org/stable/c/e0f6ee75f50476607ca82fc7c3711c795ce09b52", }, { url: "https://git.kernel.org/stable/c/f92b8829c6e75632de4e2b9f70e7a7e6c5c2ba98", }, { url: "https://git.kernel.org/stable/c/ef921bc72328b577cb45772ff7921cba4773b74a", }, { url: "https://git.kernel.org/stable/c/7f7b850689ac06a62befe26e1fd1806799e7f152", }, ], title: "fs/inode: Prevent dump_mapping() accessing invalid dentry.d_name.name", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49934", datePublished: "2024-10-21T18:01:55.752Z", dateReserved: "2024-10-21T12:17:06.040Z", dateUpdated: "2024-12-19T09:29:20.775Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49938
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:29
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath9k_htc: Use __skb_set_length() for resetting urb before resubmit
Syzbot points out that skb_trim() has a sanity check on the existing length of
the skb, which can be uninitialised in some error paths. The intent here is
clearly just to reset the length to zero before resubmitting, so switch to
calling __skb_set_length(skb, 0) directly. In addition, __skb_set_length()
already contains a call to skb_reset_tail_pointer(), so remove the redundant
call.
The syzbot report came from ath9k_hif_usb_reg_in_cb(), but there's a similar
usage of skb_trim() in ath9k_hif_usb_rx_cb(), change both while we're at it.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49938", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:38:08.567983Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:50.969Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/wireless/ath/ath9k/hif_usb.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "e6b9bf32e0695e4f374674002de0527d2a6768eb", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "d1f2fbc6a769081503f6ffedbb5cd1ac497f0e77", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "b02eb7c86ff2ef1411c3095ec8a52b13f68db04f", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "012ae530afa0785102360de452745d33c99a321b", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "6a875220670475d9247e576c15dc29823100a4e4", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "e37e348835032d6940ec89308cc8996ded691d2d", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "2c230210ec0ae6ed08306ac70dc21c24b817bb95", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "a9f4e28e8adaf0715bd4e01462af0a52ee46b01f", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "94745807f3ebd379f23865e6dab196f220664179", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/wireless/ath/ath9k/hif_usb.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath9k_htc: Use __skb_set_length() for resetting urb before resubmit\n\nSyzbot points out that skb_trim() has a sanity check on the existing length of\nthe skb, which can be uninitialised in some error paths. The intent here is\nclearly just to reset the length to zero before resubmitting, so switch to\ncalling __skb_set_length(skb, 0) directly. In addition, __skb_set_length()\nalready contains a call to skb_reset_tail_pointer(), so remove the redundant\ncall.\n\nThe syzbot report came from ath9k_hif_usb_reg_in_cb(), but there's a similar\nusage of skb_trim() in ath9k_hif_usb_rx_cb(), change both while we're at it.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:29:25.513Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/e6b9bf32e0695e4f374674002de0527d2a6768eb", }, { url: "https://git.kernel.org/stable/c/d1f2fbc6a769081503f6ffedbb5cd1ac497f0e77", }, { url: "https://git.kernel.org/stable/c/b02eb7c86ff2ef1411c3095ec8a52b13f68db04f", }, { url: "https://git.kernel.org/stable/c/012ae530afa0785102360de452745d33c99a321b", }, { url: "https://git.kernel.org/stable/c/6a875220670475d9247e576c15dc29823100a4e4", }, { url: "https://git.kernel.org/stable/c/e37e348835032d6940ec89308cc8996ded691d2d", }, { url: "https://git.kernel.org/stable/c/2c230210ec0ae6ed08306ac70dc21c24b817bb95", }, { url: "https://git.kernel.org/stable/c/a9f4e28e8adaf0715bd4e01462af0a52ee46b01f", }, { url: "https://git.kernel.org/stable/c/94745807f3ebd379f23865e6dab196f220664179", }, ], title: "wifi: ath9k_htc: Use __skb_set_length() for resetting urb before resubmit", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49938", datePublished: "2024-10-21T18:01:58.359Z", dateReserved: "2024-10-21T12:17:06.042Z", dateUpdated: "2024-12-19T09:29:25.513Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-49006
Vulnerability from cvelistv5
Published
2024-10-21 20:06
Modified
2024-12-19 08:12
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tracing: Free buffers when a used dynamic event is removed
After 65536 dynamic events have been added and removed, the "type" field
of the event then uses the first type number that is available (not
currently used by other events). A type number is the identifier of the
binary blobs in the tracing ring buffer (known as events) to map them to
logic that can parse the binary blob.
The issue is that if a dynamic event (like a kprobe event) is traced and
is in the ring buffer, and then that event is removed (because it is
dynamic, which means it can be created and destroyed), if another dynamic
event is created that has the same number that new event's logic on
parsing the binary blob will be used.
To show how this can be an issue, the following can crash the kernel:
# cd /sys/kernel/tracing
# for i in `seq 65536`; do
echo 'p:kprobes/foo do_sys_openat2 $arg1:u32' > kprobe_events
# done
For every iteration of the above, the writing to the kprobe_events will
remove the old event and create a new one (with the same format) and
increase the type number to the next available on until the type number
reaches over 65535 which is the max number for the 16 bit type. After it
reaches that number, the logic to allocate a new number simply looks for
the next available number. When an dynamic event is removed, that number
is then available to be reused by the next dynamic event created. That is,
once the above reaches the max number, the number assigned to the event in
that loop will remain the same.
Now that means deleting one dynamic event and created another will reuse
the previous events type number. This is where bad things can happen.
After the above loop finishes, the kprobes/foo event which reads the
do_sys_openat2 function call's first parameter as an integer.
# echo 1 > kprobes/foo/enable
# cat /etc/passwd > /dev/null
# cat trace
cat-2211 [005] .... 2007.849603: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196
cat-2211 [005] .... 2007.849620: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196
cat-2211 [005] .... 2007.849838: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196
cat-2211 [005] .... 2007.849880: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196
# echo 0 > kprobes/foo/enable
Now if we delete the kprobe and create a new one that reads a string:
# echo 'p:kprobes/foo do_sys_openat2 +0($arg2):string' > kprobe_events
And now we can the trace:
# cat trace
sendmail-1942 [002] ..... 530.136320: foo: (do_sys_openat2+0x0/0x240) arg1= cat-2046 [004] ..... 530.930817: foo: (do_sys_openat2+0x0/0x240) arg1="������������������������������������������������������������������������������������������������"
cat-2046 [004] ..... 530.930961: foo: (do_sys_openat2+0x0/0x240) arg1="������������������������������������������������������������������������������������������������"
cat-2046 [004] ..... 530.934278: foo: (do_sys_openat2+0x0/0x240) arg1="������������������������������������������������������������������������������������������������"
cat-2046 [004] ..... 530.934563: foo: (do_sys_openat2+0x0/0x240) arg1="���������������������������������������
---truncated---
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 77b44d1b7c28360910cdbd427fb62d485c08674c Version: 77b44d1b7c28360910cdbd427fb62d485c08674c Version: 77b44d1b7c28360910cdbd427fb62d485c08674c Version: 77b44d1b7c28360910cdbd427fb62d485c08674c Version: 77b44d1b7c28360910cdbd427fb62d485c08674c |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-49006", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:14:29.482108Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:39.780Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "kernel/trace/trace_dynevent.c", "kernel/trace/trace_events.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "1603feac154ff38514e8354e3079a455eb4801e2", status: "affected", version: "77b44d1b7c28360910cdbd427fb62d485c08674c", versionType: "git", }, { lessThan: "be111ebd8868d4b7c041cb3c6102e1ae27d6dc1d", status: "affected", version: "77b44d1b7c28360910cdbd427fb62d485c08674c", versionType: "git", }, { lessThan: "417d5ea6e735e5d88ffb6c436cf2938f3f476dd1", status: "affected", version: "77b44d1b7c28360910cdbd427fb62d485c08674c", versionType: "git", }, { lessThan: "c52d0c8c4f38f7580cff61c4dfe1034c580cedfd", status: "affected", version: "77b44d1b7c28360910cdbd427fb62d485c08674c", versionType: "git", }, { lessThan: "4313e5a613049dfc1819a6dfb5f94cf2caff9452", status: "affected", version: "77b44d1b7c28360910cdbd427fb62d485c08674c", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "kernel/trace/trace_dynevent.c", "kernel/trace/trace_events.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "2.6.33", }, { lessThan: "2.6.33", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.226", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.158", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.82", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.12", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Free buffers when a used dynamic event is removed\n\nAfter 65536 dynamic events have been added and removed, the \"type\" field\nof the event then uses the first type number that is available (not\ncurrently used by other events). A type number is the identifier of the\nbinary blobs in the tracing ring buffer (known as events) to map them to\nlogic that can parse the binary blob.\n\nThe issue is that if a dynamic event (like a kprobe event) is traced and\nis in the ring buffer, and then that event is removed (because it is\ndynamic, which means it can be created and destroyed), if another dynamic\nevent is created that has the same number that new event's logic on\nparsing the binary blob will be used.\n\nTo show how this can be an issue, the following can crash the kernel:\n\n # cd /sys/kernel/tracing\n # for i in `seq 65536`; do\n echo 'p:kprobes/foo do_sys_openat2 $arg1:u32' > kprobe_events\n # done\n\nFor every iteration of the above, the writing to the kprobe_events will\nremove the old event and create a new one (with the same format) and\nincrease the type number to the next available on until the type number\nreaches over 65535 which is the max number for the 16 bit type. After it\nreaches that number, the logic to allocate a new number simply looks for\nthe next available number. When an dynamic event is removed, that number\nis then available to be reused by the next dynamic event created. That is,\nonce the above reaches the max number, the number assigned to the event in\nthat loop will remain the same.\n\nNow that means deleting one dynamic event and created another will reuse\nthe previous events type number. This is where bad things can happen.\nAfter the above loop finishes, the kprobes/foo event which reads the\ndo_sys_openat2 function call's first parameter as an integer.\n\n # echo 1 > kprobes/foo/enable\n # cat /etc/passwd > /dev/null\n # cat trace\n cat-2211 [005] .... 2007.849603: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196\n cat-2211 [005] .... 2007.849620: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196\n cat-2211 [005] .... 2007.849838: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196\n cat-2211 [005] .... 2007.849880: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196\n # echo 0 > kprobes/foo/enable\n\nNow if we delete the kprobe and create a new one that reads a string:\n\n # echo 'p:kprobes/foo do_sys_openat2 +0($arg2):string' > kprobe_events\n\nAnd now we can the trace:\n\n # cat trace\n sendmail-1942 [002] ..... 530.136320: foo: (do_sys_openat2+0x0/0x240) arg1= cat-2046 [004] ..... 530.930817: foo: (do_sys_openat2+0x0/0x240) arg1=\"������������������������������������������������������������������������������������������������\"\n cat-2046 [004] ..... 530.930961: foo: (do_sys_openat2+0x0/0x240) arg1=\"������������������������������������������������������������������������������������������������\"\n cat-2046 [004] ..... 530.934278: foo: (do_sys_openat2+0x0/0x240) arg1=\"������������������������������������������������������������������������������������������������\"\n cat-2046 [004] ..... 530.934563: foo: (do_sys_openat2+0x0/0x240) arg1=\"���������������������������������������\n---truncated---", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:12:18.685Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/1603feac154ff38514e8354e3079a455eb4801e2", }, { url: "https://git.kernel.org/stable/c/be111ebd8868d4b7c041cb3c6102e1ae27d6dc1d", }, { url: "https://git.kernel.org/stable/c/417d5ea6e735e5d88ffb6c436cf2938f3f476dd1", }, { url: "https://git.kernel.org/stable/c/c52d0c8c4f38f7580cff61c4dfe1034c580cedfd", }, { url: "https://git.kernel.org/stable/c/4313e5a613049dfc1819a6dfb5f94cf2caff9452", }, ], title: "tracing: Free buffers when a used dynamic event is removed", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-49006", datePublished: "2024-10-21T20:06:18.840Z", dateReserved: "2024-08-22T01:27:53.643Z", dateUpdated: "2024-12-19T08:12:18.685Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47736
Vulnerability from cvelistv5
Published
2024-10-21 12:14
Modified
2025-01-17 13:26
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
erofs: handle overlapped pclusters out of crafted images properly
syzbot reported a task hang issue due to a deadlock case where it is
waiting for the folio lock of a cached folio that will be used for
cache I/Os.
After looking into the crafted fuzzed image, I found it's formed with
several overlapped big pclusters as below:
Ext: logical offset | length : physical offset | length
0: 0.. 16384 | 16384 : 151552.. 167936 | 16384
1: 16384.. 32768 | 16384 : 155648.. 172032 | 16384
2: 32768.. 49152 | 16384 : 537223168.. 537239552 | 16384
...
Here, extent 0/1 are physically overlapped although it's entirely
_impossible_ for normal filesystem images generated by mkfs.
First, managed folios containing compressed data will be marked as
up-to-date and then unlocked immediately (unlike in-place folios) when
compressed I/Os are complete. If physical blocks are not submitted in
the incremental order, there should be separate BIOs to avoid dependency
issues. However, the current code mis-arranges z_erofs_fill_bio_vec()
and BIO submission which causes unexpected BIO waits.
Second, managed folios will be connected to their own pclusters for
efficient inter-queries. However, this is somewhat hard to implement
easily if overlapped big pclusters exist. Again, these only appear in
fuzzed images so let's simply fall back to temporary short-lived pages
for correctness.
Additionally, it justifies that referenced managed folios cannot be
truncated for now and reverts part of commit 2080ca1ed3e4 ("erofs: tidy
up `struct z_erofs_bvec`") for simplicity although it shouldn't be any
difference.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47736", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T12:59:50.164921Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:15.151Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/erofs/zdata.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "1bf7e414cac303c9aec1be67872e19be8b64980c", status: "affected", version: "8e6c8fa9f2e95c88a642521a5da19a8e31748846", versionType: "git", }, { lessThan: "b9b30af0e86ffb485301ecd83b9129c9dfb7ebf8", status: "affected", version: "8e6c8fa9f2e95c88a642521a5da19a8e31748846", versionType: "git", }, { lessThan: "9cfa199bcbbbba31cbf97b2786f44f4464f3f29a", status: "affected", version: "8e6c8fa9f2e95c88a642521a5da19a8e31748846", versionType: "git", }, { lessThan: "9e2f9d34dd12e6e5b244ec488bcebd0c2d566c50", status: "affected", version: "8e6c8fa9f2e95c88a642521a5da19a8e31748846", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/erofs/zdata.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.13", }, { lessThan: "5.13", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.72", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: handle overlapped pclusters out of crafted images properly\n\nsyzbot reported a task hang issue due to a deadlock case where it is\nwaiting for the folio lock of a cached folio that will be used for\ncache I/Os.\n\nAfter looking into the crafted fuzzed image, I found it's formed with\nseveral overlapped big pclusters as below:\n\n Ext: logical offset | length : physical offset | length\n 0: 0.. 16384 | 16384 : 151552.. 167936 | 16384\n 1: 16384.. 32768 | 16384 : 155648.. 172032 | 16384\n 2: 32768.. 49152 | 16384 : 537223168.. 537239552 | 16384\n...\n\nHere, extent 0/1 are physically overlapped although it's entirely\n_impossible_ for normal filesystem images generated by mkfs.\n\nFirst, managed folios containing compressed data will be marked as\nup-to-date and then unlocked immediately (unlike in-place folios) when\ncompressed I/Os are complete. If physical blocks are not submitted in\nthe incremental order, there should be separate BIOs to avoid dependency\nissues. However, the current code mis-arranges z_erofs_fill_bio_vec()\nand BIO submission which causes unexpected BIO waits.\n\nSecond, managed folios will be connected to their own pclusters for\nefficient inter-queries. However, this is somewhat hard to implement\neasily if overlapped big pclusters exist. Again, these only appear in\nfuzzed images so let's simply fall back to temporary short-lived pages\nfor correctness.\n\nAdditionally, it justifies that referenced managed folios cannot be\ntruncated for now and reverts part of commit 2080ca1ed3e4 (\"erofs: tidy\nup `struct z_erofs_bvec`\") for simplicity although it shouldn't be any\ndifference.", }, ], providerMetadata: { dateUpdated: "2025-01-17T13:26:59.000Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/1bf7e414cac303c9aec1be67872e19be8b64980c", }, { url: "https://git.kernel.org/stable/c/b9b30af0e86ffb485301ecd83b9129c9dfb7ebf8", }, { url: "https://git.kernel.org/stable/c/9cfa199bcbbbba31cbf97b2786f44f4464f3f29a", }, { url: "https://git.kernel.org/stable/c/9e2f9d34dd12e6e5b244ec488bcebd0c2d566c50", }, ], title: "erofs: handle overlapped pclusters out of crafted images properly", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47736", datePublished: "2024-10-21T12:14:06.530Z", dateReserved: "2024-09-30T16:00:12.958Z", dateUpdated: "2025-01-17T13:26:59.000Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-49004
Vulnerability from cvelistv5
Published
2024-10-21 20:06
Modified
2024-12-19 08:12
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
riscv: Sync efi page table's kernel mappings before switching
The EFI page table is initially created as a copy of the kernel page table.
With VMAP_STACK enabled, kernel stacks are allocated in the vmalloc area:
if the stack is allocated in a new PGD (one that was not present at the
moment of the efi page table creation or not synced in a previous vmalloc
fault), the kernel will take a trap when switching to the efi page table
when the vmalloc kernel stack is accessed, resulting in a kernel panic.
Fix that by updating the efi kernel mappings before switching to the efi
page table.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-49004", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:14:45.523737Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:40.145Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "arch/riscv/include/asm/efi.h", "arch/riscv/include/asm/pgalloc.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "fa7a7d185ef380546b4b1fed6f84f31dbae8cec7", status: "affected", version: "b91540d52a08b65eb6a2b09132e1bd54fa82754c", versionType: "git", }, { lessThan: "96f479383d92944406d4b3f2bc03c2f640def9f1", status: "affected", version: "b91540d52a08b65eb6a2b09132e1bd54fa82754c", versionType: "git", }, { lessThan: "3f105a742725a1b78766a55169f1d827732e62b8", status: "affected", version: "b91540d52a08b65eb6a2b09132e1bd54fa82754c", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "arch/riscv/include/asm/efi.h", "arch/riscv/include/asm/pgalloc.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.10", }, { lessThan: "5.10", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.82", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.12", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: Sync efi page table's kernel mappings before switching\n\nThe EFI page table is initially created as a copy of the kernel page table.\nWith VMAP_STACK enabled, kernel stacks are allocated in the vmalloc area:\nif the stack is allocated in a new PGD (one that was not present at the\nmoment of the efi page table creation or not synced in a previous vmalloc\nfault), the kernel will take a trap when switching to the efi page table\nwhen the vmalloc kernel stack is accessed, resulting in a kernel panic.\n\nFix that by updating the efi kernel mappings before switching to the efi\npage table.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:12:16.402Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/fa7a7d185ef380546b4b1fed6f84f31dbae8cec7", }, { url: "https://git.kernel.org/stable/c/96f479383d92944406d4b3f2bc03c2f640def9f1", }, { url: "https://git.kernel.org/stable/c/3f105a742725a1b78766a55169f1d827732e62b8", }, ], title: "riscv: Sync efi page table's kernel mappings before switching", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-49004", datePublished: "2024-10-21T20:06:17.410Z", dateReserved: "2024-08-22T01:27:53.643Z", dateUpdated: "2024-12-19T08:12:16.402Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-52919
Vulnerability from cvelistv5
Published
2024-10-22 07:37
Modified
2024-12-19 08:28
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfc: nci: fix possible NULL pointer dereference in send_acknowledge()
Handle memory allocation failure from nci_skb_alloc() (calling
alloc_skb()) to avoid possible NULL pointer dereference.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 391d8a2da787257aeaf952c974405b53926e3fb3 Version: 391d8a2da787257aeaf952c974405b53926e3fb3 Version: 391d8a2da787257aeaf952c974405b53926e3fb3 Version: 391d8a2da787257aeaf952c974405b53926e3fb3 Version: 391d8a2da787257aeaf952c974405b53926e3fb3 Version: 391d8a2da787257aeaf952c974405b53926e3fb3 Version: 391d8a2da787257aeaf952c974405b53926e3fb3 Version: 391d8a2da787257aeaf952c974405b53926e3fb3 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2023-52919", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:10:43.843732Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:35.125Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/nfc/nci/spi.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "2b2edf089df3a69f0072c6e71563394c5a94e62e", status: "affected", version: "391d8a2da787257aeaf952c974405b53926e3fb3", versionType: "git", }, { lessThan: "5622592f8f74ae3e594379af02e64ea84772d0dd", status: "affected", version: "391d8a2da787257aeaf952c974405b53926e3fb3", versionType: "git", }, { lessThan: "76050b0cc5a72e0c7493287b7e18e1cb9e3c4612", status: "affected", version: "391d8a2da787257aeaf952c974405b53926e3fb3", versionType: "git", }, { lessThan: "c95fa5b20fe03609e0894656fa43c18045b5097e", status: "affected", version: "391d8a2da787257aeaf952c974405b53926e3fb3", versionType: "git", }, { lessThan: "ffdc881f68073ff86bf21afb9bb954812e8278be", status: "affected", version: "391d8a2da787257aeaf952c974405b53926e3fb3", versionType: "git", }, { lessThan: "d7dbdbe3800a908eecd4975c31be47dd45e2104a", status: "affected", version: "391d8a2da787257aeaf952c974405b53926e3fb3", versionType: "git", }, { lessThan: "bb6cacc439ddd2cd51227ab193f4f91cfc7f014f", status: "affected", version: "391d8a2da787257aeaf952c974405b53926e3fb3", versionType: "git", }, { lessThan: "7937609cd387246aed994e81aa4fa951358fba41", status: "affected", version: "391d8a2da787257aeaf952c974405b53926e3fb3", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/nfc/nci/spi.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "3.11", }, { lessThan: "3.11", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.14.*", status: "unaffected", version: "4.14.328", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.297", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.259", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.199", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.137", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.60", versionType: "semver", }, { lessThanOrEqual: "6.5.*", status: "unaffected", version: "6.5.9", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.6", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nci: fix possible NULL pointer dereference in send_acknowledge()\n\nHandle memory allocation failure from nci_skb_alloc() (calling\nalloc_skb()) to avoid possible NULL pointer dereference.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:28:33.777Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/2b2edf089df3a69f0072c6e71563394c5a94e62e", }, { url: "https://git.kernel.org/stable/c/5622592f8f74ae3e594379af02e64ea84772d0dd", }, { url: "https://git.kernel.org/stable/c/76050b0cc5a72e0c7493287b7e18e1cb9e3c4612", }, { url: "https://git.kernel.org/stable/c/c95fa5b20fe03609e0894656fa43c18045b5097e", }, { url: "https://git.kernel.org/stable/c/ffdc881f68073ff86bf21afb9bb954812e8278be", }, { url: "https://git.kernel.org/stable/c/d7dbdbe3800a908eecd4975c31be47dd45e2104a", }, { url: "https://git.kernel.org/stable/c/bb6cacc439ddd2cd51227ab193f4f91cfc7f014f", }, { url: "https://git.kernel.org/stable/c/7937609cd387246aed994e81aa4fa951358fba41", }, ], title: "nfc: nci: fix possible NULL pointer dereference in send_acknowledge()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2023-52919", datePublished: "2024-10-22T07:37:28.091Z", dateReserved: "2024-08-21T06:07:11.017Z", dateUpdated: "2024-12-19T08:28:33.777Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47678
Vulnerability from cvelistv5
Published
2024-10-21 11:53
Modified
2024-12-19 09:25
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
icmp: change the order of rate limits
ICMP messages are ratelimited :
After the blamed commits, the two rate limiters are applied in this order:
1) host wide ratelimit (icmp_global_allow())
2) Per destination ratelimit (inetpeer based)
In order to avoid side-channels attacks, we need to apply
the per destination check first.
This patch makes the following change :
1) icmp_global_allow() checks if the host wide limit is reached.
But credits are not yet consumed. This is deferred to 3)
2) The per destination limit is checked/updated.
This might add a new node in inetpeer tree.
3) icmp_global_consume() consumes tokens if prior operations succeeded.
This means that host wide ratelimit is still effective
in keeping inetpeer tree small even under DDOS.
As a bonus, I removed icmp_global.lock as the fast path
can use a lock-free operation.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 4cdf507d54525842dfd9f6313fdafba039084046 Version: 4cdf507d54525842dfd9f6313fdafba039084046 Version: 4cdf507d54525842dfd9f6313fdafba039084046 Version: 4cdf507d54525842dfd9f6313fdafba039084046 Version: 4cdf507d54525842dfd9f6313fdafba039084046 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47678", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:07:41.965400Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:14:17.106Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "include/net/ip.h", "net/ipv4/icmp.c", "net/ipv6/icmp.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "997ba8889611891f91e8ad83583466aeab6239a3", status: "affected", version: "4cdf507d54525842dfd9f6313fdafba039084046", versionType: "git", }, { lessThan: "662ec52260cc07b9ae53ecd3925183c29d34288b", status: "affected", version: "4cdf507d54525842dfd9f6313fdafba039084046", versionType: "git", }, { lessThan: "a7722921adb046e3836eb84372241f32584bdb07", status: "affected", version: "4cdf507d54525842dfd9f6313fdafba039084046", versionType: "git", }, { lessThan: "483397b4ba280813e4a9c161a0a85172ddb43d19", status: "affected", version: "4cdf507d54525842dfd9f6313fdafba039084046", versionType: "git", }, { lessThan: "8c2bd38b95f75f3d2a08c93e35303e26d480d24e", status: "affected", version: "4cdf507d54525842dfd9f6313fdafba039084046", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "include/net/ip.h", "net/ipv4/icmp.c", "net/ipv6/icmp.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "3.18", }, { lessThan: "3.18", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nicmp: change the order of rate limits\n\nICMP messages are ratelimited :\n\nAfter the blamed commits, the two rate limiters are applied in this order:\n\n1) host wide ratelimit (icmp_global_allow())\n\n2) Per destination ratelimit (inetpeer based)\n\nIn order to avoid side-channels attacks, we need to apply\nthe per destination check first.\n\nThis patch makes the following change :\n\n1) icmp_global_allow() checks if the host wide limit is reached.\n But credits are not yet consumed. This is deferred to 3)\n\n2) The per destination limit is checked/updated.\n This might add a new node in inetpeer tree.\n\n3) icmp_global_consume() consumes tokens if prior operations succeeded.\n\nThis means that host wide ratelimit is still effective\nin keeping inetpeer tree small even under DDOS.\n\nAs a bonus, I removed icmp_global.lock as the fast path\ncan use a lock-free operation.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:25:44.135Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/997ba8889611891f91e8ad83583466aeab6239a3", }, { url: "https://git.kernel.org/stable/c/662ec52260cc07b9ae53ecd3925183c29d34288b", }, { url: "https://git.kernel.org/stable/c/a7722921adb046e3836eb84372241f32584bdb07", }, { url: "https://git.kernel.org/stable/c/483397b4ba280813e4a9c161a0a85172ddb43d19", }, { url: "https://git.kernel.org/stable/c/8c2bd38b95f75f3d2a08c93e35303e26d480d24e", }, ], title: "icmp: change the order of rate limits", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47678", datePublished: "2024-10-21T11:53:21.814Z", dateReserved: "2024-09-30T16:00:12.939Z", dateUpdated: "2024-12-19T09:25:44.135Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50035
Vulnerability from cvelistv5
Published
2024-10-21 19:39
Modified
2024-12-19 09:31
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ppp: fix ppp_async_encode() illegal access
syzbot reported an issue in ppp_async_encode() [1]
In this case, pppoe_sendmsg() is called with a zero size.
Then ppp_async_encode() is called with an empty skb.
BUG: KMSAN: uninit-value in ppp_async_encode drivers/net/ppp/ppp_async.c:545 [inline]
BUG: KMSAN: uninit-value in ppp_async_push+0xb4f/0x2660 drivers/net/ppp/ppp_async.c:675
ppp_async_encode drivers/net/ppp/ppp_async.c:545 [inline]
ppp_async_push+0xb4f/0x2660 drivers/net/ppp/ppp_async.c:675
ppp_async_send+0x130/0x1b0 drivers/net/ppp/ppp_async.c:634
ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2280 [inline]
ppp_input+0x1f1/0xe60 drivers/net/ppp/ppp_generic.c:2304
pppoe_rcv_core+0x1d3/0x720 drivers/net/ppp/pppoe.c:379
sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1113
__release_sock+0x1da/0x330 net/core/sock.c:3072
release_sock+0x6b/0x250 net/core/sock.c:3626
pppoe_sendmsg+0x2b8/0xb90 drivers/net/ppp/pppoe.c:903
sock_sendmsg_nosec net/socket.c:729 [inline]
__sock_sendmsg+0x30f/0x380 net/socket.c:744
____sys_sendmsg+0x903/0xb60 net/socket.c:2602
___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656
__sys_sendmmsg+0x3c1/0x960 net/socket.c:2742
__do_sys_sendmmsg net/socket.c:2771 [inline]
__se_sys_sendmmsg net/socket.c:2768 [inline]
__x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768
x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was created at:
slab_post_alloc_hook mm/slub.c:4092 [inline]
slab_alloc_node mm/slub.c:4135 [inline]
kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4187
kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:587
__alloc_skb+0x363/0x7b0 net/core/skbuff.c:678
alloc_skb include/linux/skbuff.h:1322 [inline]
sock_wmalloc+0xfe/0x1a0 net/core/sock.c:2732
pppoe_sendmsg+0x3a7/0xb90 drivers/net/ppp/pppoe.c:867
sock_sendmsg_nosec net/socket.c:729 [inline]
__sock_sendmsg+0x30f/0x380 net/socket.c:744
____sys_sendmsg+0x903/0xb60 net/socket.c:2602
___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656
__sys_sendmmsg+0x3c1/0x960 net/socket.c:2742
__do_sys_sendmmsg net/socket.c:2771 [inline]
__se_sys_sendmmsg net/socket.c:2768 [inline]
__x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768
x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
CPU: 1 UID: 0 PID: 5411 Comm: syz.1.14 Not tainted 6.12.0-rc1-syzkaller-00165-g360c1f1f24c6 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50035", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:25:33.483652Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:45.143Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/ppp/ppp_async.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "4151ec65abd755133ebec687218fadd2d2631167", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "8dfe93901b410ae41264087427f3b9f389388f83", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "30d91a478d58cbae3dbaa8224d17d0d839f0d71b", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "fadf8fdb3110d3138e05c3765f645535434f8d76", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "ce249a4c68d0ce27a8c5d853338d502e2711a314", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "8fe992ff3df493d1949922ca234419f3ede08dff", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "c007a14797240607038bd3464501109f408940e2", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "40dddd4b8bd08a69471efd96107a4e1c73fabefc", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/ppp/ppp_async.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "2.6.12", }, { lessThan: "2.6.12", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.57", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.4", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nppp: fix ppp_async_encode() illegal access\n\nsyzbot reported an issue in ppp_async_encode() [1]\n\nIn this case, pppoe_sendmsg() is called with a zero size.\nThen ppp_async_encode() is called with an empty skb.\n\nBUG: KMSAN: uninit-value in ppp_async_encode drivers/net/ppp/ppp_async.c:545 [inline]\n BUG: KMSAN: uninit-value in ppp_async_push+0xb4f/0x2660 drivers/net/ppp/ppp_async.c:675\n ppp_async_encode drivers/net/ppp/ppp_async.c:545 [inline]\n ppp_async_push+0xb4f/0x2660 drivers/net/ppp/ppp_async.c:675\n ppp_async_send+0x130/0x1b0 drivers/net/ppp/ppp_async.c:634\n ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2280 [inline]\n ppp_input+0x1f1/0xe60 drivers/net/ppp/ppp_generic.c:2304\n pppoe_rcv_core+0x1d3/0x720 drivers/net/ppp/pppoe.c:379\n sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1113\n __release_sock+0x1da/0x330 net/core/sock.c:3072\n release_sock+0x6b/0x250 net/core/sock.c:3626\n pppoe_sendmsg+0x2b8/0xb90 drivers/net/ppp/pppoe.c:903\n sock_sendmsg_nosec net/socket.c:729 [inline]\n __sock_sendmsg+0x30f/0x380 net/socket.c:744\n ____sys_sendmsg+0x903/0xb60 net/socket.c:2602\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656\n __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742\n __do_sys_sendmmsg net/socket.c:2771 [inline]\n __se_sys_sendmmsg net/socket.c:2768 [inline]\n __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768\n x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:4092 [inline]\n slab_alloc_node mm/slub.c:4135 [inline]\n kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4187\n kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:587\n __alloc_skb+0x363/0x7b0 net/core/skbuff.c:678\n alloc_skb include/linux/skbuff.h:1322 [inline]\n sock_wmalloc+0xfe/0x1a0 net/core/sock.c:2732\n pppoe_sendmsg+0x3a7/0xb90 drivers/net/ppp/pppoe.c:867\n sock_sendmsg_nosec net/socket.c:729 [inline]\n __sock_sendmsg+0x30f/0x380 net/socket.c:744\n ____sys_sendmsg+0x903/0xb60 net/socket.c:2602\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656\n __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742\n __do_sys_sendmmsg net/socket.c:2771 [inline]\n __se_sys_sendmmsg net/socket.c:2768 [inline]\n __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768\n x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nCPU: 1 UID: 0 PID: 5411 Comm: syz.1.14 Not tainted 6.12.0-rc1-syzkaller-00165-g360c1f1f24c6 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:31:48.562Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/4151ec65abd755133ebec687218fadd2d2631167", }, { url: "https://git.kernel.org/stable/c/8dfe93901b410ae41264087427f3b9f389388f83", }, { url: "https://git.kernel.org/stable/c/30d91a478d58cbae3dbaa8224d17d0d839f0d71b", }, { url: "https://git.kernel.org/stable/c/fadf8fdb3110d3138e05c3765f645535434f8d76", }, { url: "https://git.kernel.org/stable/c/ce249a4c68d0ce27a8c5d853338d502e2711a314", }, { url: "https://git.kernel.org/stable/c/8fe992ff3df493d1949922ca234419f3ede08dff", }, { url: "https://git.kernel.org/stable/c/c007a14797240607038bd3464501109f408940e2", }, { url: "https://git.kernel.org/stable/c/40dddd4b8bd08a69471efd96107a4e1c73fabefc", }, ], title: "ppp: fix ppp_async_encode() illegal access", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50035", datePublished: "2024-10-21T19:39:36.460Z", dateReserved: "2024-10-21T12:17:06.070Z", dateUpdated: "2024-12-19T09:31:48.562Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49926
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2025-01-24 16:01
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
rcu-tasks: Fix access non-existent percpu rtpcp variable in rcu_tasks_need_gpcb()
For kernels built with CONFIG_FORCE_NR_CPUS=y, the nr_cpu_ids is
defined as NR_CPUS instead of the number of possible cpus, this
will cause the following system panic:
smpboot: Allowing 4 CPUs, 0 hotplug CPUs
...
setup_percpu: NR_CPUS:512 nr_cpumask_bits:512 nr_cpu_ids:512 nr_node_ids:1
...
BUG: unable to handle page fault for address: ffffffff9911c8c8
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 0 PID: 15 Comm: rcu_tasks_trace Tainted: G W
6.6.21 #1 5dc7acf91a5e8e9ac9dcfc35bee0245691283ea6
RIP: 0010:rcu_tasks_need_gpcb+0x25d/0x2c0
RSP: 0018:ffffa371c00a3e60 EFLAGS: 00010082
CR2: ffffffff9911c8c8 CR3: 000000040fa20005 CR4: 00000000001706f0
Call Trace:
<TASK>
? __die+0x23/0x80
? page_fault_oops+0xa4/0x180
? exc_page_fault+0x152/0x180
? asm_exc_page_fault+0x26/0x40
? rcu_tasks_need_gpcb+0x25d/0x2c0
? __pfx_rcu_tasks_kthread+0x40/0x40
rcu_tasks_one_gp+0x69/0x180
rcu_tasks_kthread+0x94/0xc0
kthread+0xe8/0x140
? __pfx_kthread+0x40/0x40
ret_from_fork+0x34/0x80
? __pfx_kthread+0x40/0x40
ret_from_fork_asm+0x1b/0x80
</TASK>
Considering that there may be holes in the CPU numbers, use the
maximum possible cpu number, instead of nr_cpu_ids, for configuring
enqueue and dequeue limits.
[ neeraj.upadhyay: Fix htmldocs build error reported by Stephen Rothwell ]
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49926", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:39:42.362013Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:43.951Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "kernel/rcu/tasks.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "b3b2431ed27f4ebc28e26cdf005c1de42dc60bdf", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "3104bddc666ff64b90491868bbc4c7ebdd90aedf", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "05095271a4fb0f6497121a057f9a2edf386d5d96", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "fd70e9f1d85f5323096ad313ba73f5fe3d15ea41", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "kernel/rcu/tasks.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.60", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nrcu-tasks: Fix access non-existent percpu rtpcp variable in rcu_tasks_need_gpcb()\n\nFor kernels built with CONFIG_FORCE_NR_CPUS=y, the nr_cpu_ids is\ndefined as NR_CPUS instead of the number of possible cpus, this\nwill cause the following system panic:\n\nsmpboot: Allowing 4 CPUs, 0 hotplug CPUs\n...\nsetup_percpu: NR_CPUS:512 nr_cpumask_bits:512 nr_cpu_ids:512 nr_node_ids:1\n...\nBUG: unable to handle page fault for address: ffffffff9911c8c8\nOops: 0000 [#1] PREEMPT SMP PTI\nCPU: 0 PID: 15 Comm: rcu_tasks_trace Tainted: G W\n6.6.21 #1 5dc7acf91a5e8e9ac9dcfc35bee0245691283ea6\nRIP: 0010:rcu_tasks_need_gpcb+0x25d/0x2c0\nRSP: 0018:ffffa371c00a3e60 EFLAGS: 00010082\nCR2: ffffffff9911c8c8 CR3: 000000040fa20005 CR4: 00000000001706f0\nCall Trace:\n<TASK>\n? __die+0x23/0x80\n? page_fault_oops+0xa4/0x180\n? exc_page_fault+0x152/0x180\n? asm_exc_page_fault+0x26/0x40\n? rcu_tasks_need_gpcb+0x25d/0x2c0\n? __pfx_rcu_tasks_kthread+0x40/0x40\nrcu_tasks_one_gp+0x69/0x180\nrcu_tasks_kthread+0x94/0xc0\nkthread+0xe8/0x140\n? __pfx_kthread+0x40/0x40\nret_from_fork+0x34/0x80\n? __pfx_kthread+0x40/0x40\nret_from_fork_asm+0x1b/0x80\n</TASK>\n\nConsidering that there may be holes in the CPU numbers, use the\nmaximum possible cpu number, instead of nr_cpu_ids, for configuring\nenqueue and dequeue limits.\n\n[ neeraj.upadhyay: Fix htmldocs build error reported by Stephen Rothwell ]", }, ], providerMetadata: { dateUpdated: "2025-01-24T16:01:33.369Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/b3b2431ed27f4ebc28e26cdf005c1de42dc60bdf", }, { url: "https://git.kernel.org/stable/c/3104bddc666ff64b90491868bbc4c7ebdd90aedf", }, { url: "https://git.kernel.org/stable/c/05095271a4fb0f6497121a057f9a2edf386d5d96", }, { url: "https://git.kernel.org/stable/c/fd70e9f1d85f5323096ad313ba73f5fe3d15ea41", }, ], title: "rcu-tasks: Fix access non-existent percpu rtpcp variable in rcu_tasks_need_gpcb()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49926", datePublished: "2024-10-21T18:01:50.405Z", dateReserved: "2024-10-21T12:17:06.038Z", dateUpdated: "2025-01-24T16:01:33.369Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47728
Vulnerability from cvelistv5
Published
2024-10-21 12:14
Modified
2024-12-19 09:26
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Zero former ARG_PTR_TO_{LONG,INT} args in case of error
For all non-tracing helpers which formerly had ARG_PTR_TO_{LONG,INT} as input
arguments, zero the value for the case of an error as otherwise it could leak
memory. For tracing, it is not needed given CAP_PERFMON can already read all
kernel memory anyway hence bpf_get_func_arg() and bpf_get_func_ret() is skipped
in here.
Also, the MTU helpers mtu_len pointer value is being written but also read.
Technically, the MEM_UNINIT should not be there in order to always force init.
Removing MEM_UNINIT needs more verifier rework though: MEM_UNINIT right now
implies two things actually: i) write into memory, ii) memory does not have
to be initialized. If we lift MEM_UNINIT, it then becomes: i) read into memory,
ii) memory must be initialized. This means that for bpf_*_check_mtu() we're
readding the issue we're trying to fix, that is, it would then be able to
write back into things like .rodata BPF maps. Follow-up work will rework the
MEM_UNINIT semantics such that the intent can be better expressed. For now
just clear the *mtu_len on error path which can be lifted later again.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: d7a4cb9b6705a89937d12c8158a35a3145dc967a Version: d7a4cb9b6705a89937d12c8158a35a3145dc967a Version: d7a4cb9b6705a89937d12c8158a35a3145dc967a Version: d7a4cb9b6705a89937d12c8158a35a3145dc967a Version: d7a4cb9b6705a89937d12c8158a35a3145dc967a |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47728", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:00:53.440960Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:16.325Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "kernel/bpf/helpers.c", "kernel/bpf/syscall.c", "net/core/filter.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "8397bf78988f3ae9dbebb0200189a62a57264980", status: "affected", version: "d7a4cb9b6705a89937d12c8158a35a3145dc967a", versionType: "git", }, { lessThan: "a634fa8e480ac2423f86311a602f6295df2c8ed0", status: "affected", version: "d7a4cb9b6705a89937d12c8158a35a3145dc967a", versionType: "git", }, { lessThan: "599d15b6d03356a97bff7a76155c5604c42a2962", status: "affected", version: "d7a4cb9b6705a89937d12c8158a35a3145dc967a", versionType: "git", }, { lessThan: "594a9f5a8d2de2573a856e506f77ba7dd2cefc6a", status: "affected", version: "d7a4cb9b6705a89937d12c8158a35a3145dc967a", versionType: "git", }, { lessThan: "4b3786a6c5397dc220b1483d8e2f4867743e966f", status: "affected", version: "d7a4cb9b6705a89937d12c8158a35a3145dc967a", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "kernel/bpf/helpers.c", "kernel/bpf/syscall.c", "net/core/filter.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.2", }, { lessThan: "5.2", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Zero former ARG_PTR_TO_{LONG,INT} args in case of error\n\nFor all non-tracing helpers which formerly had ARG_PTR_TO_{LONG,INT} as input\narguments, zero the value for the case of an error as otherwise it could leak\nmemory. For tracing, it is not needed given CAP_PERFMON can already read all\nkernel memory anyway hence bpf_get_func_arg() and bpf_get_func_ret() is skipped\nin here.\n\nAlso, the MTU helpers mtu_len pointer value is being written but also read.\nTechnically, the MEM_UNINIT should not be there in order to always force init.\nRemoving MEM_UNINIT needs more verifier rework though: MEM_UNINIT right now\nimplies two things actually: i) write into memory, ii) memory does not have\nto be initialized. If we lift MEM_UNINIT, it then becomes: i) read into memory,\nii) memory must be initialized. This means that for bpf_*_check_mtu() we're\nreadding the issue we're trying to fix, that is, it would then be able to\nwrite back into things like .rodata BPF maps. Follow-up work will rework the\nMEM_UNINIT semantics such that the intent can be better expressed. For now\njust clear the *mtu_len on error path which can be lifted later again.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:26:54.254Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/8397bf78988f3ae9dbebb0200189a62a57264980", }, { url: "https://git.kernel.org/stable/c/a634fa8e480ac2423f86311a602f6295df2c8ed0", }, { url: "https://git.kernel.org/stable/c/599d15b6d03356a97bff7a76155c5604c42a2962", }, { url: "https://git.kernel.org/stable/c/594a9f5a8d2de2573a856e506f77ba7dd2cefc6a", }, { url: "https://git.kernel.org/stable/c/4b3786a6c5397dc220b1483d8e2f4867743e966f", }, ], title: "bpf: Zero former ARG_PTR_TO_{LONG,INT} args in case of error", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47728", datePublished: "2024-10-21T12:14:01.012Z", dateReserved: "2024-09-30T16:00:12.957Z", dateUpdated: "2024-12-19T09:26:54.254Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50016
Vulnerability from cvelistv5
Published
2024-10-21 18:54
Modified
2024-12-19 09:31
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Avoid overflow assignment in link_dp_cts
sampling_rate is an uint8_t but is assigned an unsigned int, and thus it
can overflow. As a result, sampling_rate is changed to uint32_t.
Similarly, LINK_QUAL_PATTERN_SET has a size of 2 bits, and it should
only be assigned to a value less or equal than 4.
This fixes 2 INTEGER_OVERFLOW issues reported by Coverity.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50016", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:28:00.847715Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:47.946Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/dc_dp_types.h", "drivers/gpu/drm/amd/display/dc/link/accessories/link_dp_cts.c", "drivers/gpu/drm/amd/display/include/dpcd_defs.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "a1495acc6234fa79b775599d3f49009afd53299f", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "26ced9d86240868f5b41708ceee02e6ec2924498", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "adeed800bc30ef718478b28c08f79231e5980e3d", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "a15268787b79fd183dd526cc16bec9af4f4e49a1", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/dc_dp_types.h", "drivers/gpu/drm/amd/display/dc/link/accessories/link_dp_cts.c", "drivers/gpu/drm/amd/display/include/dpcd_defs.h", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Avoid overflow assignment in link_dp_cts\n\nsampling_rate is an uint8_t but is assigned an unsigned int, and thus it\ncan overflow. As a result, sampling_rate is changed to uint32_t.\n\nSimilarly, LINK_QUAL_PATTERN_SET has a size of 2 bits, and it should\nonly be assigned to a value less or equal than 4.\n\nThis fixes 2 INTEGER_OVERFLOW issues reported by Coverity.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:31:26.230Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/a1495acc6234fa79b775599d3f49009afd53299f", }, { url: "https://git.kernel.org/stable/c/26ced9d86240868f5b41708ceee02e6ec2924498", }, { url: "https://git.kernel.org/stable/c/adeed800bc30ef718478b28c08f79231e5980e3d", }, { url: "https://git.kernel.org/stable/c/a15268787b79fd183dd526cc16bec9af4f4e49a1", }, ], title: "drm/amd/display: Avoid overflow assignment in link_dp_cts", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50016", datePublished: "2024-10-21T18:54:07.173Z", dateReserved: "2024-10-21T12:17:06.062Z", dateUpdated: "2024-12-19T09:31:26.230Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49983
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-19 09:30
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: drop ppath from ext4_ext_replay_update_ex() to avoid double-free
When calling ext4_force_split_extent_at() in ext4_ext_replay_update_ex(),
the 'ppath' is updated but it is the 'path' that is freed, thus potentially
triggering a double-free in the following process:
ext4_ext_replay_update_ex
ppath = path
ext4_force_split_extent_at(&ppath)
ext4_split_extent_at
ext4_ext_insert_extent
ext4_ext_create_new_leaf
ext4_ext_grow_indepth
ext4_find_extent
if (depth > path[0].p_maxdepth)
kfree(path) ---> path First freed
*orig_path = path = NULL ---> null ppath
kfree(path) ---> path double-free !!!
So drop the unnecessary ppath and use path directly to avoid this problem.
And use ext4_find_extent() directly to update path, avoiding unnecessary
memory allocation and freeing. Also, propagate the error returned by
ext4_find_extent() instead of using strange error codes.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 8016e29f4362e285f0f7e38fadc61a5b7bdfdfa2 Version: 8016e29f4362e285f0f7e38fadc61a5b7bdfdfa2 Version: 8016e29f4362e285f0f7e38fadc61a5b7bdfdfa2 Version: 8016e29f4362e285f0f7e38fadc61a5b7bdfdfa2 Version: 8016e29f4362e285f0f7e38fadc61a5b7bdfdfa2 Version: 8016e29f4362e285f0f7e38fadc61a5b7bdfdfa2 Version: 8016e29f4362e285f0f7e38fadc61a5b7bdfdfa2 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49983", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:32:15.569255Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:44.023Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/ext4/extents.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "8c26d9e53e5fbacda0732a577e97c5a5b7882aaf", status: "affected", version: "8016e29f4362e285f0f7e38fadc61a5b7bdfdfa2", versionType: "git", }, { lessThan: "a34bed978364114390162c27e50fca50791c568d", status: "affected", version: "8016e29f4362e285f0f7e38fadc61a5b7bdfdfa2", versionType: "git", }, { lessThan: "6367d3f04c69e2b8770b8137bd800e0784b0abbc", status: "affected", version: "8016e29f4362e285f0f7e38fadc61a5b7bdfdfa2", versionType: "git", }, { lessThan: "1b558006d98b7b0b730027be0ee98973dd10ee0d", status: "affected", version: "8016e29f4362e285f0f7e38fadc61a5b7bdfdfa2", versionType: "git", }, { lessThan: "3ff710662e8d86a63a39b334e9ca0cb10e5c14b0", status: "affected", version: "8016e29f4362e285f0f7e38fadc61a5b7bdfdfa2", versionType: "git", }, { lessThan: "63adc9016917e6970fb0104ee5fd6770f02b2d80", status: "affected", version: "8016e29f4362e285f0f7e38fadc61a5b7bdfdfa2", versionType: "git", }, { lessThan: "5c0f4cc84d3a601c99bc5e6e6eb1cbda542cce95", status: "affected", version: "8016e29f4362e285f0f7e38fadc61a5b7bdfdfa2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/ext4/extents.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.10", }, { lessThan: "5.10", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\next4: drop ppath from ext4_ext_replay_update_ex() to avoid double-free\n\nWhen calling ext4_force_split_extent_at() in ext4_ext_replay_update_ex(),\nthe 'ppath' is updated but it is the 'path' that is freed, thus potentially\ntriggering a double-free in the following process:\n\next4_ext_replay_update_ex\n ppath = path\n ext4_force_split_extent_at(&ppath)\n ext4_split_extent_at\n ext4_ext_insert_extent\n ext4_ext_create_new_leaf\n ext4_ext_grow_indepth\n ext4_find_extent\n if (depth > path[0].p_maxdepth)\n kfree(path) ---> path First freed\n *orig_path = path = NULL ---> null ppath\n kfree(path) ---> path double-free !!!\n\nSo drop the unnecessary ppath and use path directly to avoid this problem.\nAnd use ext4_find_extent() directly to update path, avoiding unnecessary\nmemory allocation and freeing. Also, propagate the error returned by\next4_find_extent() instead of using strange error codes.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:30:40.740Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/8c26d9e53e5fbacda0732a577e97c5a5b7882aaf", }, { url: "https://git.kernel.org/stable/c/a34bed978364114390162c27e50fca50791c568d", }, { url: "https://git.kernel.org/stable/c/6367d3f04c69e2b8770b8137bd800e0784b0abbc", }, { url: "https://git.kernel.org/stable/c/1b558006d98b7b0b730027be0ee98973dd10ee0d", }, { url: "https://git.kernel.org/stable/c/3ff710662e8d86a63a39b334e9ca0cb10e5c14b0", }, { url: "https://git.kernel.org/stable/c/63adc9016917e6970fb0104ee5fd6770f02b2d80", }, { url: "https://git.kernel.org/stable/c/5c0f4cc84d3a601c99bc5e6e6eb1cbda542cce95", }, ], title: "ext4: drop ppath from ext4_ext_replay_update_ex() to avoid double-free", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49983", datePublished: "2024-10-21T18:02:28.474Z", dateReserved: "2024-10-21T12:17:06.053Z", dateUpdated: "2024-12-19T09:30:40.740Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49977
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-19 09:30
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: stmmac: Fix zero-division error when disabling tc cbs
The commit b8c43360f6e4 ("net: stmmac: No need to calculate speed divider
when offload is disabled") allows the "port_transmit_rate_kbps" to be
set to a value of 0, which is then passed to the "div_s64" function when
tc-cbs is disabled. This leads to a zero-division error.
When tc-cbs is disabled, the idleslope, sendslope, and credit values the
credit values are not required to be configured. Therefore, adding a return
statement after setting the txQ mode to DCB when tc-cbs is disabled would
prevent a zero-division error.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: b4bca4722fda928810d024350493990de39f1e40 Version: 2145583e5995598f50d66f8710c86bb1e910ac46 Version: 521d42a1c24d638241220d4b9fa7e7a0ed02b88e Version: a71b686418ee6bcb6d6365f7f6d838d9874d9c64 Version: b8c43360f6e424131fa81d3ba8792ad8ff25a09e Version: b8c43360f6e424131fa81d3ba8792ad8ff25a09e Version: b8c43360f6e424131fa81d3ba8792ad8ff25a09e |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49977", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:33:01.213521Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:45.017Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "e33fe25b1efe4f2e6a5858786dbc82ae4c44ed4c", status: "affected", version: "b4bca4722fda928810d024350493990de39f1e40", versionType: "git", }, { lessThan: "b0da9504a528f05f97d926b4db74ff21917a33e9", status: "affected", version: "2145583e5995598f50d66f8710c86bb1e910ac46", versionType: "git", }, { lessThan: "5d43e1ad4567d67af2b42d3ab7c14152ffed25c6", status: "affected", version: "521d42a1c24d638241220d4b9fa7e7a0ed02b88e", versionType: "git", }, { lessThan: "03582f4752427f60817d896f1a827aff772bd31e", status: "affected", version: "a71b686418ee6bcb6d6365f7f6d838d9874d9c64", versionType: "git", }, { lessThan: "e297a2bf56d12fd7f91a0c209eb6ea84361f3368", status: "affected", version: "b8c43360f6e424131fa81d3ba8792ad8ff25a09e", versionType: "git", }, { lessThan: "837d9df9c0792902710149d1a5e0991520af0f93", status: "affected", version: "b8c43360f6e424131fa81d3ba8792ad8ff25a09e", versionType: "git", }, { lessThan: "675faf5a14c14a2be0b870db30a70764df81e2df", status: "affected", version: "b8c43360f6e424131fa81d3ba8792ad8ff25a09e", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.10", }, { lessThan: "6.10", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: Fix zero-division error when disabling tc cbs\n\nThe commit b8c43360f6e4 (\"net: stmmac: No need to calculate speed divider\nwhen offload is disabled\") allows the \"port_transmit_rate_kbps\" to be\nset to a value of 0, which is then passed to the \"div_s64\" function when\ntc-cbs is disabled. This leads to a zero-division error.\n\nWhen tc-cbs is disabled, the idleslope, sendslope, and credit values the\ncredit values are not required to be configured. Therefore, adding a return\nstatement after setting the txQ mode to DCB when tc-cbs is disabled would\nprevent a zero-division error.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:30:33.179Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/e33fe25b1efe4f2e6a5858786dbc82ae4c44ed4c", }, { url: "https://git.kernel.org/stable/c/b0da9504a528f05f97d926b4db74ff21917a33e9", }, { url: "https://git.kernel.org/stable/c/5d43e1ad4567d67af2b42d3ab7c14152ffed25c6", }, { url: "https://git.kernel.org/stable/c/03582f4752427f60817d896f1a827aff772bd31e", }, { url: "https://git.kernel.org/stable/c/e297a2bf56d12fd7f91a0c209eb6ea84361f3368", }, { url: "https://git.kernel.org/stable/c/837d9df9c0792902710149d1a5e0991520af0f93", }, { url: "https://git.kernel.org/stable/c/675faf5a14c14a2be0b870db30a70764df81e2df", }, ], title: "net: stmmac: Fix zero-division error when disabling tc cbs", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49977", datePublished: "2024-10-21T18:02:24.480Z", dateReserved: "2024-10-21T12:17:06.052Z", dateUpdated: "2024-12-19T09:30:33.179Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49920
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:29
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Check null pointers before multiple uses
[WHAT & HOW]
Poniters, such as stream_enc and dc->bw_vbios, are null checked previously
in the same function, so Coverity warns "implies that stream_enc and
dc->bw_vbios might be null". They are used multiple times in the
subsequent code and need to be checked.
This fixes 10 FORWARD_NULL issues reported by Coverity.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49920", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:40:29.310714Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:44.735Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/core/dc_hw_sequencer.c", "drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c", "drivers/gpu/drm/amd/display/dc/link/accessories/link_dp_cts.c", "drivers/gpu/drm/amd/display/dc/link/hwss/link_hwss_dio.c", "drivers/gpu/drm/amd/display/dc/resource/dce112/dce112_resource.c", "drivers/gpu/drm/amd/display/dc/resource/dcn32/dcn32_resource.c", "drivers/gpu/drm/amd/display/dc/resource/dcn32/dcn32_resource_helpers.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "26787fb6c2b2ee0d1a7e1574b36f4711ae40fe27", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "fdd5ecbbff751c3b9061d8ebb08e5c96119915b4", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/core/dc_hw_sequencer.c", "drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c", "drivers/gpu/drm/amd/display/dc/link/accessories/link_dp_cts.c", "drivers/gpu/drm/amd/display/dc/link/hwss/link_hwss_dio.c", "drivers/gpu/drm/amd/display/dc/resource/dce112/dce112_resource.c", "drivers/gpu/drm/amd/display/dc/resource/dcn32/dcn32_resource.c", "drivers/gpu/drm/amd/display/dc/resource/dcn32/dcn32_resource_helpers.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check null pointers before multiple uses\n\n[WHAT & HOW]\nPoniters, such as stream_enc and dc->bw_vbios, are null checked previously\nin the same function, so Coverity warns \"implies that stream_enc and\ndc->bw_vbios might be null\". They are used multiple times in the\nsubsequent code and need to be checked.\n\nThis fixes 10 FORWARD_NULL issues reported by Coverity.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:29:04.019Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/26787fb6c2b2ee0d1a7e1574b36f4711ae40fe27", }, { url: "https://git.kernel.org/stable/c/fdd5ecbbff751c3b9061d8ebb08e5c96119915b4", }, ], title: "drm/amd/display: Check null pointers before multiple uses", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49920", datePublished: "2024-10-21T18:01:46.437Z", dateReserved: "2024-10-21T12:17:06.034Z", dateUpdated: "2024-12-19T09:29:04.019Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-50005
Vulnerability from cvelistv5
Published
2024-10-21 18:53
Modified
2024-12-19 09:31
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mac802154: Fix potential RCU dereference issue in mac802154_scan_worker
In the `mac802154_scan_worker` function, the `scan_req->type` field was
accessed after the RCU read-side critical section was unlocked. According
to RCU usage rules, this is illegal and can lead to unpredictable
behavior, such as accessing memory that has been updated or causing
use-after-free issues.
This possible bug was identified using a static analysis tool developed
by myself, specifically designed to detect RCU-related issues.
To address this, the `scan_req->type` value is now stored in a local
variable `scan_req_type` while still within the RCU read-side critical
section. The `scan_req_type` is then used after the RCU lock is released,
ensuring that the type value is safely accessed without violating RCU
rules.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-50005", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:29:26.338058Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:40.499Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/mac802154/scan.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "e676e4ea76bbe7f1156d8c326b9b6753849481c2", status: "affected", version: "e2c3e6f53a7a8a00ffeed127cfd1b397c3b016f8", versionType: "git", }, { lessThan: "540138377b22f601f06f55ebfa3ca171dcab471a", status: "affected", version: "e2c3e6f53a7a8a00ffeed127cfd1b397c3b016f8", versionType: "git", }, { lessThan: "d18f669461811dfe2915d5554ab2a9834f810013", status: "affected", version: "e2c3e6f53a7a8a00ffeed127cfd1b397c3b016f8", versionType: "git", }, { lessThan: "bff1709b3980bd7f80be6786f64cc9a9ee9e56da", status: "affected", version: "e2c3e6f53a7a8a00ffeed127cfd1b397c3b016f8", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/mac802154/scan.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.5", }, { lessThan: "6.5", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nmac802154: Fix potential RCU dereference issue in mac802154_scan_worker\n\nIn the `mac802154_scan_worker` function, the `scan_req->type` field was\naccessed after the RCU read-side critical section was unlocked. According\nto RCU usage rules, this is illegal and can lead to unpredictable\nbehavior, such as accessing memory that has been updated or causing\nuse-after-free issues.\n\nThis possible bug was identified using a static analysis tool developed\nby myself, specifically designed to detect RCU-related issues.\n\nTo address this, the `scan_req->type` value is now stored in a local\nvariable `scan_req_type` while still within the RCU read-side critical\nsection. The `scan_req_type` is then used after the RCU lock is released,\nensuring that the type value is safely accessed without violating RCU\nrules.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:31:07.474Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/e676e4ea76bbe7f1156d8c326b9b6753849481c2", }, { url: "https://git.kernel.org/stable/c/540138377b22f601f06f55ebfa3ca171dcab471a", }, { url: "https://git.kernel.org/stable/c/d18f669461811dfe2915d5554ab2a9834f810013", }, { url: "https://git.kernel.org/stable/c/bff1709b3980bd7f80be6786f64cc9a9ee9e56da", }, ], title: "mac802154: Fix potential RCU dereference issue in mac802154_scan_worker", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-50005", datePublished: "2024-10-21T18:53:59.259Z", dateReserved: "2024-10-21T12:17:06.059Z", dateUpdated: "2024-12-19T09:31:07.474Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49889
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:28
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: avoid use-after-free in ext4_ext_show_leaf()
In ext4_find_extent(), path may be freed by error or be reallocated, so
using a previously saved *ppath may have been freed and thus may trigger
use-after-free, as follows:
ext4_split_extent
path = *ppath;
ext4_split_extent_at(ppath)
path = ext4_find_extent(ppath)
ext4_split_extent_at(ppath)
// ext4_find_extent fails to free path
// but zeroout succeeds
ext4_ext_show_leaf(inode, path)
eh = path[depth].p_hdr
// path use-after-free !!!
Similar to ext4_split_extent_at(), we use *ppath directly as an input to
ext4_ext_show_leaf(). Fix a spelling error by the way.
Same problem in ext4_ext_handle_unwritten_extents(). Since 'path' is only
used in ext4_ext_show_leaf(), remove 'path' and use *ppath directly.
This issue is triggered only when EXT_DEBUG is defined and therefore does
not affect functionality.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49889", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:44:36.395156Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:49.316Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/ext4/extents.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "b0cb4561fc4284d04e69c8a66c8504928ab2484e", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "4999fed877bb64e3e7f9ab9996de2ca983c41928", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "2eba3b0cc5b8de624918d21f32b5b8db59a90b39", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "34b2096380ba475771971a778a478661a791aa15", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "8b114f2cc7dd5d36729d040b68432fbd0f0a8868", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "d483c7cc1796bd6a80e7b3a8fd494996260f6b67", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "4e2524ba2ca5f54bdbb9e5153bea00421ef653f5", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/ext4/extents.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\next4: avoid use-after-free in ext4_ext_show_leaf()\n\nIn ext4_find_extent(), path may be freed by error or be reallocated, so\nusing a previously saved *ppath may have been freed and thus may trigger\nuse-after-free, as follows:\n\next4_split_extent\n path = *ppath;\n ext4_split_extent_at(ppath)\n path = ext4_find_extent(ppath)\n ext4_split_extent_at(ppath)\n // ext4_find_extent fails to free path\n // but zeroout succeeds\n ext4_ext_show_leaf(inode, path)\n eh = path[depth].p_hdr\n // path use-after-free !!!\n\nSimilar to ext4_split_extent_at(), we use *ppath directly as an input to\next4_ext_show_leaf(). Fix a spelling error by the way.\n\nSame problem in ext4_ext_handle_unwritten_extents(). Since 'path' is only\nused in ext4_ext_show_leaf(), remove 'path' and use *ppath directly.\n\nThis issue is triggered only when EXT_DEBUG is defined and therefore does\nnot affect functionality.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:28:26.269Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/b0cb4561fc4284d04e69c8a66c8504928ab2484e", }, { url: "https://git.kernel.org/stable/c/4999fed877bb64e3e7f9ab9996de2ca983c41928", }, { url: "https://git.kernel.org/stable/c/2eba3b0cc5b8de624918d21f32b5b8db59a90b39", }, { url: "https://git.kernel.org/stable/c/34b2096380ba475771971a778a478661a791aa15", }, { url: "https://git.kernel.org/stable/c/8b114f2cc7dd5d36729d040b68432fbd0f0a8868", }, { url: "https://git.kernel.org/stable/c/d483c7cc1796bd6a80e7b3a8fd494996260f6b67", }, { url: "https://git.kernel.org/stable/c/4e2524ba2ca5f54bdbb9e5153bea00421ef653f5", }, ], title: "ext4: avoid use-after-free in ext4_ext_show_leaf()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49889", datePublished: "2024-10-21T18:01:24.941Z", dateReserved: "2024-10-21T12:17:06.022Z", dateUpdated: "2024-12-19T09:28:26.269Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47724
Vulnerability from cvelistv5
Published
2024-10-21 12:13
Modified
2024-12-19 09:26
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath11k: use work queue to process beacon tx event
Commit 3a415daa3e8b ("wifi: ath11k: add P2P IE in beacon template")
from Feb 28, 2024 (linux-next), leads to the following Smatch static
checker warning:
drivers/net/wireless/ath/ath11k/wmi.c:1742 ath11k_wmi_p2p_go_bcn_ie()
warn: sleeping in atomic context
The reason is that ath11k_bcn_tx_status_event() will directly call might
sleep function ath11k_wmi_cmd_send() during RCU read-side critical
sections. The call trace is like:
ath11k_bcn_tx_status_event()
-> rcu_read_lock()
-> ath11k_mac_bcn_tx_event()
-> ath11k_mac_setup_bcn_tmpl()
……
-> ath11k_wmi_bcn_tmpl()
-> ath11k_wmi_cmd_send()
-> rcu_read_unlock()
Commit 886433a98425 ("ath11k: add support for BSS color change") added the
ath11k_mac_bcn_tx_event(), commit 01e782c89108 ("ath11k: fix warning
of RCU usage for ath11k_mac_get_arvif_by_vdev_id()") added the RCU lock
to avoid warning but also introduced this BUG.
Use work queue to avoid directly calling ath11k_mac_bcn_tx_event()
during RCU critical sections. No need to worry about the deletion of vif
because cancel_work_sync() will drop the work if it doesn't start or
block vif deletion until the running work is done.
Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47724", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:01:30.955907Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:16.907Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/wireless/ath/ath11k/core.h", "drivers/net/wireless/ath/ath11k/mac.c", "drivers/net/wireless/ath/ath11k/wmi.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "dbd51da69dda1137723b8f66460bf99a9dac8dd2", status: "affected", version: "3a415daa3e8ba65f1cc976c172a5ab69bdc17e69", versionType: "git", }, { lessThan: "6db232905e094e64abff1f18249905d068285e09", status: "affected", version: "3a415daa3e8ba65f1cc976c172a5ab69bdc17e69", versionType: "git", }, { lessThan: "177b49dbf9c1d8f9f25a22ffafa416fc2c8aa6a3", status: "affected", version: "3a415daa3e8ba65f1cc976c172a5ab69bdc17e69", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/wireless/ath/ath11k/core.h", "drivers/net/wireless/ath/ath11k/mac.c", "drivers/net/wireless/ath/ath11k/wmi.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.10", }, { lessThan: "6.10", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: use work queue to process beacon tx event\n\nCommit 3a415daa3e8b (\"wifi: ath11k: add P2P IE in beacon template\")\nfrom Feb 28, 2024 (linux-next), leads to the following Smatch static\nchecker warning:\n\ndrivers/net/wireless/ath/ath11k/wmi.c:1742 ath11k_wmi_p2p_go_bcn_ie()\nwarn: sleeping in atomic context\n\nThe reason is that ath11k_bcn_tx_status_event() will directly call might\nsleep function ath11k_wmi_cmd_send() during RCU read-side critical\nsections. The call trace is like:\n\nath11k_bcn_tx_status_event()\n-> rcu_read_lock()\n-> ath11k_mac_bcn_tx_event()\n\t-> ath11k_mac_setup_bcn_tmpl()\n\t……\n\t\t-> ath11k_wmi_bcn_tmpl()\n\t\t\t-> ath11k_wmi_cmd_send()\n-> rcu_read_unlock()\n\nCommit 886433a98425 (\"ath11k: add support for BSS color change\") added the\nath11k_mac_bcn_tx_event(), commit 01e782c89108 (\"ath11k: fix warning\nof RCU usage for ath11k_mac_get_arvif_by_vdev_id()\") added the RCU lock\nto avoid warning but also introduced this BUG.\n\nUse work queue to avoid directly calling ath11k_mac_bcn_tx_event()\nduring RCU critical sections. No need to worry about the deletion of vif\nbecause cancel_work_sync() will drop the work if it doesn't start or\nblock vif deletion until the running work is done.\n\nTested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:26:50.491Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/dbd51da69dda1137723b8f66460bf99a9dac8dd2", }, { url: "https://git.kernel.org/stable/c/6db232905e094e64abff1f18249905d068285e09", }, { url: "https://git.kernel.org/stable/c/177b49dbf9c1d8f9f25a22ffafa416fc2c8aa6a3", }, ], title: "wifi: ath11k: use work queue to process beacon tx event", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47724", datePublished: "2024-10-21T12:13:58.267Z", dateReserved: "2024-09-30T16:00:12.956Z", dateUpdated: "2024-12-19T09:26:50.491Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47682
Vulnerability from cvelistv5
Published
2024-10-21 11:53
Modified
2024-12-19 09:25
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: sd: Fix off-by-one error in sd_read_block_characteristics()
Ff the device returns page 0xb1 with length 8 (happens with qemu v2.x, for
example), sd_read_block_characteristics() may attempt an out-of-bounds
memory access when accessing the zoned field at offset 8.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 7fb019c46eeea4e3cc3ddfd3e01a24e610f34fac Version: 7fb019c46eeea4e3cc3ddfd3e01a24e610f34fac Version: 7fb019c46eeea4e3cc3ddfd3e01a24e610f34fac Version: 7fb019c46eeea4e3cc3ddfd3e01a24e610f34fac Version: 7fb019c46eeea4e3cc3ddfd3e01a24e610f34fac |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47682", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:07:09.255382Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:14:16.478Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/scsi/sd.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "60312ae7392f9c75c6591a52fc359cf7f810d48f", status: "affected", version: "7fb019c46eeea4e3cc3ddfd3e01a24e610f34fac", versionType: "git", }, { lessThan: "568c7c4c77eee6df7677bb861b7cee7398a3255d", status: "affected", version: "7fb019c46eeea4e3cc3ddfd3e01a24e610f34fac", versionType: "git", }, { lessThan: "a776050373893e4c847a49abeae2ccb581153df0", status: "affected", version: "7fb019c46eeea4e3cc3ddfd3e01a24e610f34fac", versionType: "git", }, { lessThan: "413df704f149dec585df07466d2401bbd1f490a0", status: "affected", version: "7fb019c46eeea4e3cc3ddfd3e01a24e610f34fac", versionType: "git", }, { lessThan: "f81eaf08385ddd474a2f41595a7757502870c0eb", status: "affected", version: "7fb019c46eeea4e3cc3ddfd3e01a24e610f34fac", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/scsi/sd.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.19", }, { lessThan: "5.19", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: sd: Fix off-by-one error in sd_read_block_characteristics()\n\nFf the device returns page 0xb1 with length 8 (happens with qemu v2.x, for\nexample), sd_read_block_characteristics() may attempt an out-of-bounds\nmemory access when accessing the zoned field at offset 8.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:25:54.170Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/60312ae7392f9c75c6591a52fc359cf7f810d48f", }, { url: "https://git.kernel.org/stable/c/568c7c4c77eee6df7677bb861b7cee7398a3255d", }, { url: "https://git.kernel.org/stable/c/a776050373893e4c847a49abeae2ccb581153df0", }, { url: "https://git.kernel.org/stable/c/413df704f149dec585df07466d2401bbd1f490a0", }, { url: "https://git.kernel.org/stable/c/f81eaf08385ddd474a2f41595a7757502870c0eb", }, ], title: "scsi: sd: Fix off-by-one error in sd_read_block_characteristics()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47682", datePublished: "2024-10-21T11:53:24.460Z", dateReserved: "2024-09-30T16:00:12.941Z", dateUpdated: "2024-12-19T09:25:54.170Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49935
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:29
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ACPI: PAD: fix crash in exit_round_robin()
The kernel occasionally crashes in cpumask_clear_cpu(), which is called
within exit_round_robin(), because when executing clear_bit(nr, addr) with
nr set to 0xffffffff, the address calculation may cause misalignment within
the memory, leading to access to an invalid memory address.
----------
BUG: unable to handle kernel paging request at ffffffffe0740618
...
CPU: 3 PID: 2919323 Comm: acpi_pad/14 Kdump: loaded Tainted: G OE X --------- - - 4.18.0-425.19.2.el8_7.x86_64 #1
...
RIP: 0010:power_saving_thread+0x313/0x411 [acpi_pad]
Code: 89 cd 48 89 d3 eb d1 48 c7 c7 55 70 72 c0 e8 64 86 b0 e4 c6 05 0d a1 02 00 01 e9 bc fd ff ff 45 89 e4 42 8b 04 a5 20 82 72 c0 <f0> 48 0f b3 05 f4 9c 01 00 42 c7 04 a5 20 82 72 c0 ff ff ff ff 31
RSP: 0018:ff72a5d51fa77ec8 EFLAGS: 00010202
RAX: 00000000ffffffff RBX: ff462981e5d8cb80 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246
RBP: ff46297556959d80 R08: 0000000000000382 R09: ff46297c8d0f38d8
R10: 0000000000000000 R11: 0000000000000001 R12: 000000000000000e
R13: 0000000000000000 R14: ffffffffffffffff R15: 000000000000000e
FS: 0000000000000000(0000) GS:ff46297a800c0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffe0740618 CR3: 0000007e20410004 CR4: 0000000000771ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
? acpi_pad_add+0x120/0x120 [acpi_pad]
kthread+0x10b/0x130
? set_kthread_struct+0x50/0x50
ret_from_fork+0x1f/0x40
...
CR2: ffffffffe0740618
crash> dis -lr ffffffffc0726923
...
/usr/src/debug/kernel-4.18.0-425.19.2.el8_7/linux-4.18.0-425.19.2.el8_7.x86_64/./include/linux/cpumask.h: 114
0xffffffffc0726918 <power_saving_thread+776>: mov %r12d,%r12d
/usr/src/debug/kernel-4.18.0-425.19.2.el8_7/linux-4.18.0-425.19.2.el8_7.x86_64/./include/linux/cpumask.h: 325
0xffffffffc072691b <power_saving_thread+779>: mov -0x3f8d7de0(,%r12,4),%eax
/usr/src/debug/kernel-4.18.0-425.19.2.el8_7/linux-4.18.0-425.19.2.el8_7.x86_64/./arch/x86/include/asm/bitops.h: 80
0xffffffffc0726923 <power_saving_thread+787>: lock btr %rax,0x19cf4(%rip) # 0xffffffffc0740620 <pad_busy_cpus_bits>
crash> px tsk_in_cpu[14]
$66 = 0xffffffff
crash> px 0xffffffffc072692c+0x19cf4
$99 = 0xffffffffc0740620
crash> sym 0xffffffffc0740620
ffffffffc0740620 (b) pad_busy_cpus_bits [acpi_pad]
crash> px pad_busy_cpus_bits[0]
$42 = 0xfffc0
----------
To fix this, ensure that tsk_in_cpu[tsk_index] != -1 before calling
cpumask_clear_cpu() in exit_round_robin(), just as it is done in
round_robin_cpu().
[ rjw: Subject edit, avoid updates to the same value ]
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49935", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:38:31.252329Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:51.383Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/acpi/acpi_pad.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "92e5661b7d0727ab912b76625a88b33fdb9b609a", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "68a599da16ebad442ce295d8d2d5c488e3992822", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "68a8e45743d6a120f863fb14b72dc59616597019", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "03593dbb0b272ef7b0358b099841e65735422aca", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "27c045f868f0e5052c6b532868a65e0cd250c8fc", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "0a2ed70a549e61c5181bad5db418d223b68ae932", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/acpi/acpi_pad.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: PAD: fix crash in exit_round_robin()\n\nThe kernel occasionally crashes in cpumask_clear_cpu(), which is called\nwithin exit_round_robin(), because when executing clear_bit(nr, addr) with\nnr set to 0xffffffff, the address calculation may cause misalignment within\nthe memory, leading to access to an invalid memory address.\n\n----------\nBUG: unable to handle kernel paging request at ffffffffe0740618\n ...\nCPU: 3 PID: 2919323 Comm: acpi_pad/14 Kdump: loaded Tainted: G OE X --------- - - 4.18.0-425.19.2.el8_7.x86_64 #1\n ...\nRIP: 0010:power_saving_thread+0x313/0x411 [acpi_pad]\nCode: 89 cd 48 89 d3 eb d1 48 c7 c7 55 70 72 c0 e8 64 86 b0 e4 c6 05 0d a1 02 00 01 e9 bc fd ff ff 45 89 e4 42 8b 04 a5 20 82 72 c0 <f0> 48 0f b3 05 f4 9c 01 00 42 c7 04 a5 20 82 72 c0 ff ff ff ff 31\nRSP: 0018:ff72a5d51fa77ec8 EFLAGS: 00010202\nRAX: 00000000ffffffff RBX: ff462981e5d8cb80 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246\nRBP: ff46297556959d80 R08: 0000000000000382 R09: ff46297c8d0f38d8\nR10: 0000000000000000 R11: 0000000000000001 R12: 000000000000000e\nR13: 0000000000000000 R14: ffffffffffffffff R15: 000000000000000e\nFS: 0000000000000000(0000) GS:ff46297a800c0000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffffffe0740618 CR3: 0000007e20410004 CR4: 0000000000771ee0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n ? acpi_pad_add+0x120/0x120 [acpi_pad]\n kthread+0x10b/0x130\n ? set_kthread_struct+0x50/0x50\n ret_from_fork+0x1f/0x40\n ...\nCR2: ffffffffe0740618\n\ncrash> dis -lr ffffffffc0726923\n ...\n/usr/src/debug/kernel-4.18.0-425.19.2.el8_7/linux-4.18.0-425.19.2.el8_7.x86_64/./include/linux/cpumask.h: 114\n0xffffffffc0726918 <power_saving_thread+776>:\tmov %r12d,%r12d\n/usr/src/debug/kernel-4.18.0-425.19.2.el8_7/linux-4.18.0-425.19.2.el8_7.x86_64/./include/linux/cpumask.h: 325\n0xffffffffc072691b <power_saving_thread+779>:\tmov -0x3f8d7de0(,%r12,4),%eax\n/usr/src/debug/kernel-4.18.0-425.19.2.el8_7/linux-4.18.0-425.19.2.el8_7.x86_64/./arch/x86/include/asm/bitops.h: 80\n0xffffffffc0726923 <power_saving_thread+787>:\tlock btr %rax,0x19cf4(%rip) # 0xffffffffc0740620 <pad_busy_cpus_bits>\n\ncrash> px tsk_in_cpu[14]\n$66 = 0xffffffff\n\ncrash> px 0xffffffffc072692c+0x19cf4\n$99 = 0xffffffffc0740620\n\ncrash> sym 0xffffffffc0740620\nffffffffc0740620 (b) pad_busy_cpus_bits [acpi_pad]\n\ncrash> px pad_busy_cpus_bits[0]\n$42 = 0xfffc0\n----------\n\nTo fix this, ensure that tsk_in_cpu[tsk_index] != -1 before calling\ncpumask_clear_cpu() in exit_round_robin(), just as it is done in\nround_robin_cpu().\n\n[ rjw: Subject edit, avoid updates to the same value ]", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:29:21.917Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/92e5661b7d0727ab912b76625a88b33fdb9b609a", }, { url: "https://git.kernel.org/stable/c/68a599da16ebad442ce295d8d2d5c488e3992822", }, { url: "https://git.kernel.org/stable/c/68a8e45743d6a120f863fb14b72dc59616597019", }, { url: "https://git.kernel.org/stable/c/03593dbb0b272ef7b0358b099841e65735422aca", }, { url: "https://git.kernel.org/stable/c/27c045f868f0e5052c6b532868a65e0cd250c8fc", }, { url: "https://git.kernel.org/stable/c/0a2ed70a549e61c5181bad5db418d223b68ae932", }, ], title: "ACPI: PAD: fix crash in exit_round_robin()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49935", datePublished: "2024-10-21T18:01:56.404Z", dateReserved: "2024-10-21T12:17:06.042Z", dateUpdated: "2024-12-19T09:29:21.917Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49895
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:28
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Fix index out of bounds in DCN30 degamma hardware format translation
This commit addresses a potential index out of bounds issue in the
`cm3_helper_translate_curve_to_degamma_hw_format` function in the DCN30
color management module. The issue could occur when the index 'i'
exceeds the number of transfer function points (TRANSFER_FUNC_POINTS).
The fix adds a check to ensure 'i' is within bounds before accessing the
transfer function points. If 'i' is out of bounds, the function returns
false to indicate an error.
Reported by smatch:
drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:338 cm3_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max
drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:339 cm3_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max
drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:340 cm3_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49895", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:43:41.739795Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:48.513Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "ad89f83343a501890cf082c8a584e96b59fe4015", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "de6ee4f9e6b1c36b4fdc7c345c1a6de9e246093e", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "f3ccd855b4395ce65f10dd37847167f52e122b70", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "0d38a0751143afc03faef02d55d31f70374ff843", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "f5c3d306de91a4b69cfe3eedb72b42d452593e42", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "c4fdc2d6fea129684b82bab90bb52fbace494a58", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "bc50b614d59990747dd5aeced9ec22f9258991ff", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix index out of bounds in DCN30 degamma hardware format translation\n\nThis commit addresses a potential index out of bounds issue in the\n`cm3_helper_translate_curve_to_degamma_hw_format` function in the DCN30\ncolor management module. The issue could occur when the index 'i'\nexceeds the number of transfer function points (TRANSFER_FUNC_POINTS).\n\nThe fix adds a check to ensure 'i' is within bounds before accessing the\ntransfer function points. If 'i' is out of bounds, the function returns\nfalse to indicate an error.\n\nReported by smatch:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:338 cm3_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:339 cm3_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:340 cm3_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:28:33.504Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/ad89f83343a501890cf082c8a584e96b59fe4015", }, { url: "https://git.kernel.org/stable/c/de6ee4f9e6b1c36b4fdc7c345c1a6de9e246093e", }, { url: "https://git.kernel.org/stable/c/f3ccd855b4395ce65f10dd37847167f52e122b70", }, { url: "https://git.kernel.org/stable/c/0d38a0751143afc03faef02d55d31f70374ff843", }, { url: "https://git.kernel.org/stable/c/f5c3d306de91a4b69cfe3eedb72b42d452593e42", }, { url: "https://git.kernel.org/stable/c/c4fdc2d6fea129684b82bab90bb52fbace494a58", }, { url: "https://git.kernel.org/stable/c/bc50b614d59990747dd5aeced9ec22f9258991ff", }, ], title: "drm/amd/display: Fix index out of bounds in DCN30 degamma hardware format translation", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49895", datePublished: "2024-10-21T18:01:29.028Z", dateReserved: "2024-10-21T12:17:06.026Z", dateUpdated: "2024-12-19T09:28:33.504Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49970
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-19 09:30
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Implement bounds check for stream encoder creation in DCN401
'stream_enc_regs' array is an array of dcn10_stream_enc_registers
structures. The array is initialized with four elements, corresponding
to the four calls to stream_enc_regs() in the array initializer. This
means that valid indices for this array are 0, 1, 2, and 3.
The error message 'stream_enc_regs' 4 <= 5 below, is indicating that
there is an attempt to access this array with an index of 5, which is
out of bounds. This could lead to undefined behavior
Here, eng_id is used as an index to access the stream_enc_regs array. If
eng_id is 5, this would result in an out-of-bounds access on the
stream_enc_regs array.
Thus fixing Buffer overflow error in dcn401_stream_encoder_create
Found by smatch:
drivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn401/dcn401_resource.c:1209 dcn401_stream_encoder_create() error: buffer overflow 'stream_enc_regs' 4 <= 5
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49970", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:33:55.440679Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:46.352Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/resource/dcn401/dcn401_resource.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "b219b46ad42df1dea9258788bcfea37181f3ccb2", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "bdf606810210e8e07a0cdf1af3c467291363b295", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/resource/dcn401/dcn401_resource.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Implement bounds check for stream encoder creation in DCN401\n\n'stream_enc_regs' array is an array of dcn10_stream_enc_registers\nstructures. The array is initialized with four elements, corresponding\nto the four calls to stream_enc_regs() in the array initializer. This\nmeans that valid indices for this array are 0, 1, 2, and 3.\n\nThe error message 'stream_enc_regs' 4 <= 5 below, is indicating that\nthere is an attempt to access this array with an index of 5, which is\nout of bounds. This could lead to undefined behavior\n\nHere, eng_id is used as an index to access the stream_enc_regs array. If\neng_id is 5, this would result in an out-of-bounds access on the\nstream_enc_regs array.\n\nThus fixing Buffer overflow error in dcn401_stream_encoder_create\n\nFound by smatch:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn401/dcn401_resource.c:1209 dcn401_stream_encoder_create() error: buffer overflow 'stream_enc_regs' 4 <= 5", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:30:24.673Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/b219b46ad42df1dea9258788bcfea37181f3ccb2", }, { url: "https://git.kernel.org/stable/c/bdf606810210e8e07a0cdf1af3c467291363b295", }, ], title: "drm/amd/display: Implement bounds check for stream encoder creation in DCN401", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49970", datePublished: "2024-10-21T18:02:19.694Z", dateReserved: "2024-10-21T12:17:06.051Z", dateUpdated: "2024-12-19T09:30:24.673Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47757
Vulnerability from cvelistv5
Published
2024-10-21 12:14
Modified
2024-12-19 09:27
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nilfs2: fix potential oob read in nilfs_btree_check_delete()
The function nilfs_btree_check_delete(), which checks whether degeneration
to direct mapping occurs before deleting a b-tree entry, causes memory
access outside the block buffer when retrieving the maximum key if the
root node has no entries.
This does not usually happen because b-tree mappings with 0 child nodes
are never created by mkfs.nilfs2 or nilfs2 itself. However, it can happen
if the b-tree root node read from a device is configured that way, so fix
this potential issue by adding a check for that case.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 17c76b0104e4a6513983777e1a17e0297a12b0c4 Version: 17c76b0104e4a6513983777e1a17e0297a12b0c4 Version: 17c76b0104e4a6513983777e1a17e0297a12b0c4 Version: 17c76b0104e4a6513983777e1a17e0297a12b0c4 Version: 17c76b0104e4a6513983777e1a17e0297a12b0c4 Version: 17c76b0104e4a6513983777e1a17e0297a12b0c4 Version: 17c76b0104e4a6513983777e1a17e0297a12b0c4 Version: 17c76b0104e4a6513983777e1a17e0297a12b0c4 Version: 17c76b0104e4a6513983777e1a17e0297a12b0c4 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47757", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T12:57:10.388189Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:12.179Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/nilfs2/btree.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "f3a9859767c7aea758976f5523903d247e585129", status: "affected", version: "17c76b0104e4a6513983777e1a17e0297a12b0c4", versionType: "git", }, { lessThan: "ed76d381dae125b81d09934e365391a656249da8", status: "affected", version: "17c76b0104e4a6513983777e1a17e0297a12b0c4", versionType: "git", }, { lessThan: "d20674f31626e0596ae4c1d9401dfb6739b81b58", status: "affected", version: "17c76b0104e4a6513983777e1a17e0297a12b0c4", versionType: "git", }, { lessThan: "c4f8554996e8ada3be872dfb8f60e93bcf15fb27", status: "affected", version: "17c76b0104e4a6513983777e1a17e0297a12b0c4", versionType: "git", }, { lessThan: "a8abfda768b9f33630cfbc4af6c4214f1e5681b0", status: "affected", version: "17c76b0104e4a6513983777e1a17e0297a12b0c4", versionType: "git", }, { lessThan: "257f9e5185eb6de83377caea686c306e22e871f2", status: "affected", version: "17c76b0104e4a6513983777e1a17e0297a12b0c4", versionType: "git", }, { lessThan: "a33e967b681e088a125b979975c93e3453e686cd", status: "affected", version: "17c76b0104e4a6513983777e1a17e0297a12b0c4", versionType: "git", }, { lessThan: "c4cbcc64bb31e67e02940ce060cc77f7180564cf", status: "affected", version: "17c76b0104e4a6513983777e1a17e0297a12b0c4", versionType: "git", }, { lessThan: "f9c96351aa6718b42a9f42eaf7adce0356bdb5e8", status: "affected", version: "17c76b0104e4a6513983777e1a17e0297a12b0c4", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/nilfs2/btree.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "2.6.30", }, { lessThan: "2.6.30", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix potential oob read in nilfs_btree_check_delete()\n\nThe function nilfs_btree_check_delete(), which checks whether degeneration\nto direct mapping occurs before deleting a b-tree entry, causes memory\naccess outside the block buffer when retrieving the maximum key if the\nroot node has no entries.\n\nThis does not usually happen because b-tree mappings with 0 child nodes\nare never created by mkfs.nilfs2 or nilfs2 itself. However, it can happen\nif the b-tree root node read from a device is configured that way, so fix\nthis potential issue by adding a check for that case.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:27:30.528Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/f3a9859767c7aea758976f5523903d247e585129", }, { url: "https://git.kernel.org/stable/c/ed76d381dae125b81d09934e365391a656249da8", }, { url: "https://git.kernel.org/stable/c/d20674f31626e0596ae4c1d9401dfb6739b81b58", }, { url: "https://git.kernel.org/stable/c/c4f8554996e8ada3be872dfb8f60e93bcf15fb27", }, { url: "https://git.kernel.org/stable/c/a8abfda768b9f33630cfbc4af6c4214f1e5681b0", }, { url: "https://git.kernel.org/stable/c/257f9e5185eb6de83377caea686c306e22e871f2", }, { url: "https://git.kernel.org/stable/c/a33e967b681e088a125b979975c93e3453e686cd", }, { url: "https://git.kernel.org/stable/c/c4cbcc64bb31e67e02940ce060cc77f7180564cf", }, { url: "https://git.kernel.org/stable/c/f9c96351aa6718b42a9f42eaf7adce0356bdb5e8", }, ], title: "nilfs2: fix potential oob read in nilfs_btree_check_delete()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47757", datePublished: "2024-10-21T12:14:20.419Z", dateReserved: "2024-09-30T16:00:12.962Z", dateUpdated: "2024-12-19T09:27:30.528Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49945
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-19 09:29
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/ncsi: Disable the ncsi work before freeing the associated structure
The work function can run after the ncsi device is freed, resulting
in use-after-free bugs or kernel panic.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49945", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:37:11.616552Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:50.011Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/ncsi/ncsi-manage.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "f6ca58696749268181f43150b3553f2bafd71e42", status: "affected", version: "2d283bdd079c0ad4da020bbc9e9c2a4280823098", versionType: "git", }, { lessThan: "dd41dab62f32d9e9e0669af8459d12a93834b238", status: "affected", version: "2d283bdd079c0ad4da020bbc9e9c2a4280823098", versionType: "git", }, { lessThan: "a0ffa68c70b367358b2672cdab6fa5bc4c40de2c", status: "affected", version: "2d283bdd079c0ad4da020bbc9e9c2a4280823098", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/ncsi/ncsi-manage.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "4.8", }, { lessThan: "4.8", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/ncsi: Disable the ncsi work before freeing the associated structure\n\nThe work function can run after the ncsi device is freed, resulting\nin use-after-free bugs or kernel panic.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:29:51.705Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/f6ca58696749268181f43150b3553f2bafd71e42", }, { url: "https://git.kernel.org/stable/c/dd41dab62f32d9e9e0669af8459d12a93834b238", }, { url: "https://git.kernel.org/stable/c/a0ffa68c70b367358b2672cdab6fa5bc4c40de2c", }, ], title: "net/ncsi: Disable the ncsi work before freeing the associated structure", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49945", datePublished: "2024-10-21T18:02:03.106Z", dateReserved: "2024-10-21T12:17:06.044Z", dateUpdated: "2024-12-19T09:29:51.705Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48948
Vulnerability from cvelistv5
Published
2024-10-21 20:05
Modified
2024-12-19 08:11
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: uvc: Prevent buffer overflow in setup handler
Setup function uvc_function_setup permits control transfer
requests with up to 64 bytes of payload (UVC_MAX_REQUEST_SIZE),
data stage handler for OUT transfer uses memcpy to copy req->actual
bytes to uvc_event->data.data array of size 60. This may result
in an overflow of 4 bytes.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: cdda479f15cd13fa50a913ca85129c0437cc7b91 Version: cdda479f15cd13fa50a913ca85129c0437cc7b91 Version: cdda479f15cd13fa50a913ca85129c0437cc7b91 Version: cdda479f15cd13fa50a913ca85129c0437cc7b91 Version: cdda479f15cd13fa50a913ca85129c0437cc7b91 Version: cdda479f15cd13fa50a913ca85129c0437cc7b91 Version: cdda479f15cd13fa50a913ca85129c0437cc7b91 Version: cdda479f15cd13fa50a913ca85129c0437cc7b91 Version: cdda479f15cd13fa50a913ca85129c0437cc7b91 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48948", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:22:00.601644Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:41.126Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/usb/gadget/function/f_uvc.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "4972e3528b968665b596b5434764ff8fd9446d35", status: "affected", version: "cdda479f15cd13fa50a913ca85129c0437cc7b91", versionType: "git", }, { lessThan: "06fd17ee92c8f1704c7e54ec0fd50ae0542a49a5", status: "affected", version: "cdda479f15cd13fa50a913ca85129c0437cc7b91", versionType: "git", }, { lessThan: "bc8380fe5768c564f921f7b4eaba932e330b9e4b", status: "affected", version: "cdda479f15cd13fa50a913ca85129c0437cc7b91", versionType: "git", }, { lessThan: "b8fb1cba934ea122b50f13a4f9d6fc4fdc43d2be", status: "affected", version: "cdda479f15cd13fa50a913ca85129c0437cc7b91", versionType: "git", }, { lessThan: "c79538f32df12887f110dcd6b9c825b482905f24", status: "affected", version: "cdda479f15cd13fa50a913ca85129c0437cc7b91", versionType: "git", }, { lessThan: "6b41a35b41f77821db24f2d8f66794b390a585c5", status: "affected", version: "cdda479f15cd13fa50a913ca85129c0437cc7b91", versionType: "git", }, { lessThan: "7b1f773277a72f9756d47a41b94e43506cce1954", status: "affected", version: "cdda479f15cd13fa50a913ca85129c0437cc7b91", versionType: "git", }, { lessThan: "d1a92bb8d697f170d93fe922da763d7d156b8841", status: "affected", version: "cdda479f15cd13fa50a913ca85129c0437cc7b91", versionType: "git", }, { lessThan: "4c92670b16727365699fe4b19ed32013bab2c107", status: "affected", version: "cdda479f15cd13fa50a913ca85129c0437cc7b91", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/usb/gadget/function/f_uvc.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "2.6.35", }, { lessThan: "2.6.35", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.9.*", status: "unaffected", version: "4.9.337", versionType: "semver", }, { lessThanOrEqual: "4.14.*", status: "unaffected", version: "4.14.303", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.270", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.229", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.161", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.85", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.15", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.1", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.2", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: uvc: Prevent buffer overflow in setup handler\n\nSetup function uvc_function_setup permits control transfer\nrequests with up to 64 bytes of payload (UVC_MAX_REQUEST_SIZE),\ndata stage handler for OUT transfer uses memcpy to copy req->actual\nbytes to uvc_event->data.data array of size 60. This may result\nin an overflow of 4 bytes.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:11:04.617Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/4972e3528b968665b596b5434764ff8fd9446d35", }, { url: "https://git.kernel.org/stable/c/06fd17ee92c8f1704c7e54ec0fd50ae0542a49a5", }, { url: "https://git.kernel.org/stable/c/bc8380fe5768c564f921f7b4eaba932e330b9e4b", }, { url: "https://git.kernel.org/stable/c/b8fb1cba934ea122b50f13a4f9d6fc4fdc43d2be", }, { url: "https://git.kernel.org/stable/c/c79538f32df12887f110dcd6b9c825b482905f24", }, { url: "https://git.kernel.org/stable/c/6b41a35b41f77821db24f2d8f66794b390a585c5", }, { url: "https://git.kernel.org/stable/c/7b1f773277a72f9756d47a41b94e43506cce1954", }, { url: "https://git.kernel.org/stable/c/d1a92bb8d697f170d93fe922da763d7d156b8841", }, { url: "https://git.kernel.org/stable/c/4c92670b16727365699fe4b19ed32013bab2c107", }, ], title: "usb: gadget: uvc: Prevent buffer overflow in setup handler", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48948", datePublished: "2024-10-21T20:05:37.122Z", dateReserved: "2024-08-22T01:27:53.625Z", dateUpdated: "2024-12-19T08:11:04.617Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47729
Vulnerability from cvelistv5
Published
2024-10-21 12:14
Modified
2024-12-19 09:26
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/xe: Use reserved copy engine for user binds on faulting devices
User binds map to engines with can fault, faults depend on user binds
completion, thus we can deadlock. Avoid this by using reserved copy
engine for user binds on faulting devices.
While we are here, normalize bind queue creation with a helper.
v2:
- Pass in extensions to bind queue creation (CI)
v3:
- s/resevered/reserved (Lucas)
- Fix NULL hwe check (Jonathan)
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47729", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:00:45.946245Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:16.192Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/xe/xe_exec_queue.c", "drivers/gpu/drm/xe/xe_exec_queue.h", "drivers/gpu/drm/xe/xe_migrate.c", "drivers/gpu/drm/xe/xe_vm.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "439fc1e569c57669dbb842d0a77c7ba0a82a9f5d", status: "affected", version: "dd08ebf6c3525a7ea2186e636df064ea47281987", versionType: "git", }, { lessThan: "852856e3b6f679c694dd5ec41e5a3c11aa46640b", status: "affected", version: "dd08ebf6c3525a7ea2186e636df064ea47281987", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/xe/xe_exec_queue.c", "drivers/gpu/drm/xe/xe_exec_queue.h", "drivers/gpu/drm/xe/xe_migrate.c", "drivers/gpu/drm/xe/xe_vm.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.8", }, { lessThan: "6.8", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Use reserved copy engine for user binds on faulting devices\n\nUser binds map to engines with can fault, faults depend on user binds\ncompletion, thus we can deadlock. Avoid this by using reserved copy\nengine for user binds on faulting devices.\n\nWhile we are here, normalize bind queue creation with a helper.\n\nv2:\n - Pass in extensions to bind queue creation (CI)\nv3:\n - s/resevered/reserved (Lucas)\n - Fix NULL hwe check (Jonathan)", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:26:55.727Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/439fc1e569c57669dbb842d0a77c7ba0a82a9f5d", }, { url: "https://git.kernel.org/stable/c/852856e3b6f679c694dd5ec41e5a3c11aa46640b", }, ], title: "drm/xe: Use reserved copy engine for user binds on faulting devices", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47729", datePublished: "2024-10-21T12:14:01.685Z", dateReserved: "2024-09-30T16:00:12.957Z", dateUpdated: "2024-12-19T09:26:55.727Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47695
Vulnerability from cvelistv5
Published
2024-10-21 11:53
Modified
2024-12-19 09:26
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rtrs-clt: Reset cid to con_num - 1 to stay in bounds
In the function init_conns(), after the create_con() and create_cm() for
loop if something fails. In the cleanup for loop after the destroy tag, we
access out of bound memory because cid is set to clt_path->s.con_num.
This commits resets the cid to clt_path->s.con_num - 1, to stay in bounds
in the cleanup loop later.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 6a98d71daea186247005099758af549e6afdd244 Version: 6a98d71daea186247005099758af549e6afdd244 Version: 6a98d71daea186247005099758af549e6afdd244 Version: 6a98d71daea186247005099758af549e6afdd244 Version: 6a98d71daea186247005099758af549e6afdd244 Version: 6a98d71daea186247005099758af549e6afdd244 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47695", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:05:20.037863Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:14:14.534Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/infiniband/ulp/rtrs/rtrs-clt.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "0429a4e972082e3a2351da414b1c017daaf8aed2", status: "affected", version: "6a98d71daea186247005099758af549e6afdd244", versionType: "git", }, { lessThan: "5ac73f8191f3de41fef4f934d84d97f3aadb301f", status: "affected", version: "6a98d71daea186247005099758af549e6afdd244", versionType: "git", }, { lessThan: "01b9be936ee8839ab9f83a7e84ee02ac6c8303c4", status: "affected", version: "6a98d71daea186247005099758af549e6afdd244", versionType: "git", }, { lessThan: "1c50e0265fa332c94a4a182e4efa0fc70d8fad94", status: "affected", version: "6a98d71daea186247005099758af549e6afdd244", versionType: "git", }, { lessThan: "c8b7f3d9fada0d4b4b7db86bf7345cd61f1d972e", status: "affected", version: "6a98d71daea186247005099758af549e6afdd244", versionType: "git", }, { lessThan: "3e4289b29e216a55d08a89e126bc0b37cbad9f38", status: "affected", version: "6a98d71daea186247005099758af549e6afdd244", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/infiniband/ulp/rtrs/rtrs-clt.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.8", }, { lessThan: "5.8", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rtrs-clt: Reset cid to con_num - 1 to stay in bounds\n\nIn the function init_conns(), after the create_con() and create_cm() for\nloop if something fails. In the cleanup for loop after the destroy tag, we\naccess out of bound memory because cid is set to clt_path->s.con_num.\n\nThis commits resets the cid to clt_path->s.con_num - 1, to stay in bounds\nin the cleanup loop later.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:26:15.703Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/0429a4e972082e3a2351da414b1c017daaf8aed2", }, { url: "https://git.kernel.org/stable/c/5ac73f8191f3de41fef4f934d84d97f3aadb301f", }, { url: "https://git.kernel.org/stable/c/01b9be936ee8839ab9f83a7e84ee02ac6c8303c4", }, { url: "https://git.kernel.org/stable/c/1c50e0265fa332c94a4a182e4efa0fc70d8fad94", }, { url: "https://git.kernel.org/stable/c/c8b7f3d9fada0d4b4b7db86bf7345cd61f1d972e", }, { url: "https://git.kernel.org/stable/c/3e4289b29e216a55d08a89e126bc0b37cbad9f38", }, ], title: "RDMA/rtrs-clt: Reset cid to con_num - 1 to stay in bounds", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47695", datePublished: "2024-10-21T11:53:33.266Z", dateReserved: "2024-09-30T16:00:12.942Z", dateUpdated: "2024-12-19T09:26:15.703Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47726
Vulnerability from cvelistv5
Published
2024-10-21 12:13
Modified
2025-01-09 15:35
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to wait dio completion
It should wait all existing dio write IOs before block removal,
otherwise, previous direct write IO may overwrite data in the
block which may be reused by other inode.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47726", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:01:14.779323Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:16.612Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "fs/f2fs/file.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "c2a7fc514637f640ff55c3f3e3ed879970814a3f", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "e3db757ff9b7101ae68650ac5f6dd5743b68164e", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "96cfeb0389530ae32ade8a48ae3ae1ac3b6c009d", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "fs/f2fs/file.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.70", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to wait dio completion\n\nIt should wait all existing dio write IOs before block removal,\notherwise, previous direct write IO may overwrite data in the\nblock which may be reused by other inode.", }, ], providerMetadata: { dateUpdated: "2025-01-09T15:35:27.288Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/c2a7fc514637f640ff55c3f3e3ed879970814a3f", }, { url: "https://git.kernel.org/stable/c/e3db757ff9b7101ae68650ac5f6dd5743b68164e", }, { url: "https://git.kernel.org/stable/c/96cfeb0389530ae32ade8a48ae3ae1ac3b6c009d", }, ], title: "f2fs: fix to wait dio completion", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47726", datePublished: "2024-10-21T12:13:59.615Z", dateReserved: "2024-09-30T16:00:12.957Z", dateUpdated: "2025-01-09T15:35:27.288Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47685
Vulnerability from cvelistv5
Published
2024-10-21 11:53
Modified
2024-12-19 09:25
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr_put()
syzbot reported that nf_reject_ip6_tcphdr_put() was possibly sending
garbage on the four reserved tcp bits (th->res1)
Use skb_put_zero() to clear the whole TCP header,
as done in nf_reject_ip_tcphdr_put()
BUG: KMSAN: uninit-value in nf_reject_ip6_tcphdr_put+0x688/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:255
nf_reject_ip6_tcphdr_put+0x688/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:255
nf_send_reset6+0xd84/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:344
nft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48
expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
nft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288
nft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161
nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626
nf_hook include/linux/netfilter.h:269 [inline]
NF_HOOK include/linux/netfilter.h:312 [inline]
ipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310
__netif_receive_skb_one_core net/core/dev.c:5661 [inline]
__netif_receive_skb+0x1da/0xa00 net/core/dev.c:5775
process_backlog+0x4ad/0xa50 net/core/dev.c:6108
__napi_poll+0xe7/0x980 net/core/dev.c:6772
napi_poll net/core/dev.c:6841 [inline]
net_rx_action+0xa5a/0x19b0 net/core/dev.c:6963
handle_softirqs+0x1ce/0x800 kernel/softirq.c:554
__do_softirq+0x14/0x1a kernel/softirq.c:588
do_softirq+0x9a/0x100 kernel/softirq.c:455
__local_bh_enable_ip+0x9f/0xb0 kernel/softirq.c:382
local_bh_enable include/linux/bottom_half.h:33 [inline]
rcu_read_unlock_bh include/linux/rcupdate.h:908 [inline]
__dev_queue_xmit+0x2692/0x5610 net/core/dev.c:4450
dev_queue_xmit include/linux/netdevice.h:3105 [inline]
neigh_resolve_output+0x9ca/0xae0 net/core/neighbour.c:1565
neigh_output include/net/neighbour.h:542 [inline]
ip6_finish_output2+0x2347/0x2ba0 net/ipv6/ip6_output.c:141
__ip6_finish_output net/ipv6/ip6_output.c:215 [inline]
ip6_finish_output+0xbb8/0x14b0 net/ipv6/ip6_output.c:226
NF_HOOK_COND include/linux/netfilter.h:303 [inline]
ip6_output+0x356/0x620 net/ipv6/ip6_output.c:247
dst_output include/net/dst.h:450 [inline]
NF_HOOK include/linux/netfilter.h:314 [inline]
ip6_xmit+0x1ba6/0x25d0 net/ipv6/ip6_output.c:366
inet6_csk_xmit+0x442/0x530 net/ipv6/inet6_connection_sock.c:135
__tcp_transmit_skb+0x3b07/0x4880 net/ipv4/tcp_output.c:1466
tcp_transmit_skb net/ipv4/tcp_output.c:1484 [inline]
tcp_connect+0x35b6/0x7130 net/ipv4/tcp_output.c:4143
tcp_v6_connect+0x1bcc/0x1e40 net/ipv6/tcp_ipv6.c:333
__inet_stream_connect+0x2ef/0x1730 net/ipv4/af_inet.c:679
inet_stream_connect+0x6a/0xd0 net/ipv4/af_inet.c:750
__sys_connect_file net/socket.c:2061 [inline]
__sys_connect+0x606/0x690 net/socket.c:2078
__do_sys_connect net/socket.c:2088 [inline]
__se_sys_connect net/socket.c:2085 [inline]
__x64_sys_connect+0x91/0xe0 net/socket.c:2085
x64_sys_call+0x27a5/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:43
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was stored to memory at:
nf_reject_ip6_tcphdr_put+0x60c/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:249
nf_send_reset6+0xd84/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:344
nft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48
expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
nft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288
nft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161
nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626
nf_hook include/linux/netfilter.h:269 [inline]
NF_HOOK include/linux/netfilter.h:312 [inline]
ipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310
__netif_receive_skb_one_core
---truncated---
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: c8d7b98bec43faaa6583c3135030be5eb4693acb Version: c8d7b98bec43faaa6583c3135030be5eb4693acb Version: c8d7b98bec43faaa6583c3135030be5eb4693acb Version: c8d7b98bec43faaa6583c3135030be5eb4693acb Version: c8d7b98bec43faaa6583c3135030be5eb4693acb Version: c8d7b98bec43faaa6583c3135030be5eb4693acb Version: c8d7b98bec43faaa6583c3135030be5eb4693acb Version: c8d7b98bec43faaa6583c3135030be5eb4693acb Version: c8d7b98bec43faaa6583c3135030be5eb4693acb |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47685", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:06:45.955918Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:14:16.073Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "net/ipv6/netfilter/nf_reject_ipv6.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "872eca64c3267dbc5836b715716fc6c03a18eda7", status: "affected", version: "c8d7b98bec43faaa6583c3135030be5eb4693acb", versionType: "git", }, { lessThan: "7bcbc4cda777d26c88500d973fad0d497fc8a82e", status: "affected", version: "c8d7b98bec43faaa6583c3135030be5eb4693acb", versionType: "git", }, { lessThan: "dcf48ab3ca2c55b09c8f9c8de0df01c1943bc4e5", status: "affected", version: "c8d7b98bec43faaa6583c3135030be5eb4693acb", versionType: "git", }, { lessThan: "fbff87d682e57ddbbe82abf6d0a1a4a36a98afcd", status: "affected", version: "c8d7b98bec43faaa6583c3135030be5eb4693acb", versionType: "git", }, { lessThan: "7ea2bcfd9bf4c3dbbf22546162226fd1c14d8ad2", status: "affected", version: "c8d7b98bec43faaa6583c3135030be5eb4693acb", versionType: "git", }, { lessThan: "af4b8a704f26f38310655bad67fd8096293275a2", status: "affected", version: "c8d7b98bec43faaa6583c3135030be5eb4693acb", versionType: "git", }, { lessThan: "7a7b5a27c53b55e91eecf646d1b204e73fa4af93", status: "affected", version: "c8d7b98bec43faaa6583c3135030be5eb4693acb", versionType: "git", }, { lessThan: "10210658f827ad45061581cbfc05924b723e8922", status: "affected", version: "c8d7b98bec43faaa6583c3135030be5eb4693acb", versionType: "git", }, { lessThan: "9c778fe48d20ef362047e3376dee56d77f8500d4", status: "affected", version: "c8d7b98bec43faaa6583c3135030be5eb4693acb", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "net/ipv6/netfilter/nf_reject_ipv6.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "3.18", }, { lessThan: "3.18", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr_put()\n\nsyzbot reported that nf_reject_ip6_tcphdr_put() was possibly sending\ngarbage on the four reserved tcp bits (th->res1)\n\nUse skb_put_zero() to clear the whole TCP header,\nas done in nf_reject_ip_tcphdr_put()\n\nBUG: KMSAN: uninit-value in nf_reject_ip6_tcphdr_put+0x688/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:255\n nf_reject_ip6_tcphdr_put+0x688/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:255\n nf_send_reset6+0xd84/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:344\n nft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48\n expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]\n nft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288\n nft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161\n nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]\n nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626\n nf_hook include/linux/netfilter.h:269 [inline]\n NF_HOOK include/linux/netfilter.h:312 [inline]\n ipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310\n __netif_receive_skb_one_core net/core/dev.c:5661 [inline]\n __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5775\n process_backlog+0x4ad/0xa50 net/core/dev.c:6108\n __napi_poll+0xe7/0x980 net/core/dev.c:6772\n napi_poll net/core/dev.c:6841 [inline]\n net_rx_action+0xa5a/0x19b0 net/core/dev.c:6963\n handle_softirqs+0x1ce/0x800 kernel/softirq.c:554\n __do_softirq+0x14/0x1a kernel/softirq.c:588\n do_softirq+0x9a/0x100 kernel/softirq.c:455\n __local_bh_enable_ip+0x9f/0xb0 kernel/softirq.c:382\n local_bh_enable include/linux/bottom_half.h:33 [inline]\n rcu_read_unlock_bh include/linux/rcupdate.h:908 [inline]\n __dev_queue_xmit+0x2692/0x5610 net/core/dev.c:4450\n dev_queue_xmit include/linux/netdevice.h:3105 [inline]\n neigh_resolve_output+0x9ca/0xae0 net/core/neighbour.c:1565\n neigh_output include/net/neighbour.h:542 [inline]\n ip6_finish_output2+0x2347/0x2ba0 net/ipv6/ip6_output.c:141\n __ip6_finish_output net/ipv6/ip6_output.c:215 [inline]\n ip6_finish_output+0xbb8/0x14b0 net/ipv6/ip6_output.c:226\n NF_HOOK_COND include/linux/netfilter.h:303 [inline]\n ip6_output+0x356/0x620 net/ipv6/ip6_output.c:247\n dst_output include/net/dst.h:450 [inline]\n NF_HOOK include/linux/netfilter.h:314 [inline]\n ip6_xmit+0x1ba6/0x25d0 net/ipv6/ip6_output.c:366\n inet6_csk_xmit+0x442/0x530 net/ipv6/inet6_connection_sock.c:135\n __tcp_transmit_skb+0x3b07/0x4880 net/ipv4/tcp_output.c:1466\n tcp_transmit_skb net/ipv4/tcp_output.c:1484 [inline]\n tcp_connect+0x35b6/0x7130 net/ipv4/tcp_output.c:4143\n tcp_v6_connect+0x1bcc/0x1e40 net/ipv6/tcp_ipv6.c:333\n __inet_stream_connect+0x2ef/0x1730 net/ipv4/af_inet.c:679\n inet_stream_connect+0x6a/0xd0 net/ipv4/af_inet.c:750\n __sys_connect_file net/socket.c:2061 [inline]\n __sys_connect+0x606/0x690 net/socket.c:2078\n __do_sys_connect net/socket.c:2088 [inline]\n __se_sys_connect net/socket.c:2085 [inline]\n __x64_sys_connect+0x91/0xe0 net/socket.c:2085\n x64_sys_call+0x27a5/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:43\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nUninit was stored to memory at:\n nf_reject_ip6_tcphdr_put+0x60c/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:249\n nf_send_reset6+0xd84/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:344\n nft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48\n expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]\n nft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288\n nft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161\n nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]\n nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626\n nf_hook include/linux/netfilter.h:269 [inline]\n NF_HOOK include/linux/netfilter.h:312 [inline]\n ipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310\n __netif_receive_skb_one_core\n---truncated---", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:25:58.578Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/872eca64c3267dbc5836b715716fc6c03a18eda7", }, { url: "https://git.kernel.org/stable/c/7bcbc4cda777d26c88500d973fad0d497fc8a82e", }, { url: "https://git.kernel.org/stable/c/dcf48ab3ca2c55b09c8f9c8de0df01c1943bc4e5", }, { url: "https://git.kernel.org/stable/c/fbff87d682e57ddbbe82abf6d0a1a4a36a98afcd", }, { url: "https://git.kernel.org/stable/c/7ea2bcfd9bf4c3dbbf22546162226fd1c14d8ad2", }, { url: "https://git.kernel.org/stable/c/af4b8a704f26f38310655bad67fd8096293275a2", }, { url: "https://git.kernel.org/stable/c/7a7b5a27c53b55e91eecf646d1b204e73fa4af93", }, { url: "https://git.kernel.org/stable/c/10210658f827ad45061581cbfc05924b723e8922", }, { url: "https://git.kernel.org/stable/c/9c778fe48d20ef362047e3376dee56d77f8500d4", }, ], title: "netfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr_put()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47685", datePublished: "2024-10-21T11:53:26.486Z", dateReserved: "2024-09-30T16:00:12.941Z", dateUpdated: "2024-12-19T09:25:58.578Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48986
Vulnerability from cvelistv5
Published
2024-10-21 20:06
Modified
2024-12-19 08:11
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/gup: fix gup_pud_range() for dax
For dax pud, pud_huge() returns true on x86. So the function works as long
as hugetlb is configured. However, dax doesn't depend on hugetlb.
Commit 414fd080d125 ("mm/gup: fix gup_pmd_range() for dax") fixed
devmap-backed huge PMDs, but missed devmap-backed huge PUDs. Fix this as
well.
This fixes the below kernel panic:
general protection fault, probably for non-canonical address 0x69e7c000cc478: 0000 [#1] SMP
< snip >
Call Trace:
<TASK>
get_user_pages_fast+0x1f/0x40
iov_iter_get_pages+0xc6/0x3b0
? mempool_alloc+0x5d/0x170
bio_iov_iter_get_pages+0x82/0x4e0
? bvec_alloc+0x91/0xc0
? bio_alloc_bioset+0x19a/0x2a0
blkdev_direct_IO+0x282/0x480
? __io_complete_rw_common+0xc0/0xc0
? filemap_range_has_page+0x82/0xc0
generic_file_direct_write+0x9d/0x1a0
? inode_update_time+0x24/0x30
__generic_file_write_iter+0xbd/0x1e0
blkdev_write_iter+0xb4/0x150
? io_import_iovec+0x8d/0x340
io_write+0xf9/0x300
io_issue_sqe+0x3c3/0x1d30
? sysvec_reschedule_ipi+0x6c/0x80
__io_queue_sqe+0x33/0x240
? fget+0x76/0xa0
io_submit_sqes+0xe6a/0x18d0
? __fget_light+0xd1/0x100
__x64_sys_io_uring_enter+0x199/0x880
? __context_tracking_enter+0x1f/0x70
? irqentry_exit_to_user_mode+0x24/0x30
? irqentry_exit+0x1d/0x30
? __context_tracking_exit+0xe/0x70
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7fc97c11a7be
< snip >
</TASK>
---[ end trace 48b2e0e67debcaeb ]---
RIP: 0010:internal_get_user_pages_fast+0x340/0x990
< snip >
Kernel panic - not syncing: Fatal exception
Kernel Offset: disabled
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 414fd080d125408cb15d04ff4907e1dd8145c8c7 Version: 414fd080d125408cb15d04ff4907e1dd8145c8c7 Version: 414fd080d125408cb15d04ff4907e1dd8145c8c7 Version: 414fd080d125408cb15d04ff4907e1dd8145c8c7 Version: 414fd080d125408cb15d04ff4907e1dd8145c8c7 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48986", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:17:13.077740Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:42.957Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "mm/gup.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "04edfa3dc06ecfc6133a33bc7271298782dee875", status: "affected", version: "414fd080d125408cb15d04ff4907e1dd8145c8c7", versionType: "git", }, { lessThan: "f1cf856123ceb766c49967ec79b841030fa1741f", status: "affected", version: "414fd080d125408cb15d04ff4907e1dd8145c8c7", versionType: "git", }, { lessThan: "3ac29732a2ffa64c7de13a072b0f2848b9c11037", status: "affected", version: "414fd080d125408cb15d04ff4907e1dd8145c8c7", versionType: "git", }, { lessThan: "e06d13c36ded750c72521b600293befebb4e56c5", status: "affected", version: "414fd080d125408cb15d04ff4907e1dd8145c8c7", versionType: "git", }, { lessThan: "fcd0ccd836ffad73d98a66f6fea7b16f735ea920", status: "affected", version: "414fd080d125408cb15d04ff4907e1dd8145c8c7", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "mm/gup.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.0", }, { lessThan: "5.0", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.227", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.159", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.83", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.13", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/gup: fix gup_pud_range() for dax\n\nFor dax pud, pud_huge() returns true on x86. So the function works as long\nas hugetlb is configured. However, dax doesn't depend on hugetlb.\nCommit 414fd080d125 (\"mm/gup: fix gup_pmd_range() for dax\") fixed\ndevmap-backed huge PMDs, but missed devmap-backed huge PUDs. Fix this as\nwell.\n\nThis fixes the below kernel panic:\n\ngeneral protection fault, probably for non-canonical address 0x69e7c000cc478: 0000 [#1] SMP\n\t< snip >\nCall Trace:\n<TASK>\nget_user_pages_fast+0x1f/0x40\niov_iter_get_pages+0xc6/0x3b0\n? mempool_alloc+0x5d/0x170\nbio_iov_iter_get_pages+0x82/0x4e0\n? bvec_alloc+0x91/0xc0\n? bio_alloc_bioset+0x19a/0x2a0\nblkdev_direct_IO+0x282/0x480\n? __io_complete_rw_common+0xc0/0xc0\n? filemap_range_has_page+0x82/0xc0\ngeneric_file_direct_write+0x9d/0x1a0\n? inode_update_time+0x24/0x30\n__generic_file_write_iter+0xbd/0x1e0\nblkdev_write_iter+0xb4/0x150\n? io_import_iovec+0x8d/0x340\nio_write+0xf9/0x300\nio_issue_sqe+0x3c3/0x1d30\n? sysvec_reschedule_ipi+0x6c/0x80\n__io_queue_sqe+0x33/0x240\n? fget+0x76/0xa0\nio_submit_sqes+0xe6a/0x18d0\n? __fget_light+0xd1/0x100\n__x64_sys_io_uring_enter+0x199/0x880\n? __context_tracking_enter+0x1f/0x70\n? irqentry_exit_to_user_mode+0x24/0x30\n? irqentry_exit+0x1d/0x30\n? __context_tracking_exit+0xe/0x70\ndo_syscall_64+0x3b/0x90\nentry_SYSCALL_64_after_hwframe+0x61/0xcb\nRIP: 0033:0x7fc97c11a7be\n\t< snip >\n</TASK>\n---[ end trace 48b2e0e67debcaeb ]---\nRIP: 0010:internal_get_user_pages_fast+0x340/0x990\n\t< snip >\nKernel panic - not syncing: Fatal exception\nKernel Offset: disabled", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:11:56.744Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/04edfa3dc06ecfc6133a33bc7271298782dee875", }, { url: "https://git.kernel.org/stable/c/f1cf856123ceb766c49967ec79b841030fa1741f", }, { url: "https://git.kernel.org/stable/c/3ac29732a2ffa64c7de13a072b0f2848b9c11037", }, { url: "https://git.kernel.org/stable/c/e06d13c36ded750c72521b600293befebb4e56c5", }, { url: "https://git.kernel.org/stable/c/fcd0ccd836ffad73d98a66f6fea7b16f735ea920", }, ], title: "mm/gup: fix gup_pud_range() for dax", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48986", datePublished: "2024-10-21T20:06:02.502Z", dateReserved: "2024-08-22T01:27:53.634Z", dateUpdated: "2024-12-19T08:11:56.744Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49931
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:29
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath12k: fix array out-of-bound access in SoC stats
Currently, the ath12k_soc_dp_stats::hal_reo_error array is defined with a
maximum size of DP_REO_DST_RING_MAX. However, the ath12k_dp_rx_process()
function access ath12k_soc_dp_stats::hal_reo_error using the REO
destination SRNG ring ID, which is incorrect. SRNG ring ID differ from
normal ring ID, and this usage leads to out-of-bounds array access. To
fix this issue, modify ath12k_dp_rx_process() to use the normal ring ID
directly instead of the SRNG ring ID to avoid out-of-bounds array access.
Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49931", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:39:04.073655Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:43.213Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/wireless/ath/ath12k/dp_rx.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "d0e4274d9dc9f8409d56d622cd3ecf7b6fd49e2f", status: "affected", version: "d889913205cf7ebda905b1e62c5867ed4e39f6c2", versionType: "git", }, { lessThan: "a4aef827a41cdaf6201bbaf773c1eae4e20e967b", status: "affected", version: "d889913205cf7ebda905b1e62c5867ed4e39f6c2", versionType: "git", }, { lessThan: "ad791e3ec60cb66c1e4dc121ffbf872df312427d", status: "affected", version: "d889913205cf7ebda905b1e62c5867ed4e39f6c2", versionType: "git", }, { lessThan: "e106b7ad13c1d246adaa57df73edb8f8b8acb240", status: "affected", version: "d889913205cf7ebda905b1e62c5867ed4e39f6c2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/wireless/ath/ath12k/dp_rx.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.3", }, { lessThan: "6.3", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix array out-of-bound access in SoC stats\n\nCurrently, the ath12k_soc_dp_stats::hal_reo_error array is defined with a\nmaximum size of DP_REO_DST_RING_MAX. However, the ath12k_dp_rx_process()\nfunction access ath12k_soc_dp_stats::hal_reo_error using the REO\ndestination SRNG ring ID, which is incorrect. SRNG ring ID differ from\nnormal ring ID, and this usage leads to out-of-bounds array access. To\nfix this issue, modify ath12k_dp_rx_process() to use the normal ring ID\ndirectly instead of the SRNG ring ID to avoid out-of-bounds array access.\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:29:17.188Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/d0e4274d9dc9f8409d56d622cd3ecf7b6fd49e2f", }, { url: "https://git.kernel.org/stable/c/a4aef827a41cdaf6201bbaf773c1eae4e20e967b", }, { url: "https://git.kernel.org/stable/c/ad791e3ec60cb66c1e4dc121ffbf872df312427d", }, { url: "https://git.kernel.org/stable/c/e106b7ad13c1d246adaa57df73edb8f8b8acb240", }, ], title: "wifi: ath12k: fix array out-of-bound access in SoC stats", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49931", datePublished: "2024-10-21T18:01:53.756Z", dateReserved: "2024-10-21T12:17:06.040Z", dateUpdated: "2024-12-19T09:29:17.188Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48988
Vulnerability from cvelistv5
Published
2024-10-21 20:06
Modified
2024-12-19 08:11
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
memcg: fix possible use-after-free in memcg_write_event_control()
memcg_write_event_control() accesses the dentry->d_name of the specified
control fd to route the write call. As a cgroup interface file can't be
renamed, it's safe to access d_name as long as the specified file is a
regular cgroup file. Also, as these cgroup interface files can't be
removed before the directory, it's safe to access the parent too.
Prior to 347c4a874710 ("memcg: remove cgroup_event->cft"), there was a
call to __file_cft() which verified that the specified file is a regular
cgroupfs file before further accesses. The cftype pointer returned from
__file_cft() was no longer necessary and the commit inadvertently dropped
the file type check with it allowing any file to slip through. With the
invarients broken, the d_name and parent accesses can now race against
renames and removals of arbitrary files and cause use-after-free's.
Fix the bug by resurrecting the file type check in __file_cft(). Now that
cgroupfs is implemented through kernfs, checking the file operations needs
to go through a layer of indirection. Instead, let's check the superblock
and dentry type.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 347c4a8747104a945ecced358944e42879176ca5 Version: 347c4a8747104a945ecced358944e42879176ca5 Version: 347c4a8747104a945ecced358944e42879176ca5 Version: 347c4a8747104a945ecced358944e42879176ca5 Version: 347c4a8747104a945ecced358944e42879176ca5 Version: 347c4a8747104a945ecced358944e42879176ca5 Version: 347c4a8747104a945ecced358944e42879176ca5 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48988", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:16:57.577077Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:18:42.631Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "include/linux/cgroup.h", "kernel/cgroup/cgroup-internal.h", "mm/memcontrol.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "b77600e26fd48727a95ffd50ba1e937efb548125", status: "affected", version: "347c4a8747104a945ecced358944e42879176ca5", versionType: "git", }, { lessThan: "e1ae97624ecf400ea56c238bff23e5cd139df0b8", status: "affected", version: "347c4a8747104a945ecced358944e42879176ca5", versionType: "git", }, { lessThan: "35963b31821920908e397146502066f6b032c917", status: "affected", version: "347c4a8747104a945ecced358944e42879176ca5", versionType: "git", }, { lessThan: "f1f7f36cf682fa59db15e2089039a2eeb58ff2ad", status: "affected", version: "347c4a8747104a945ecced358944e42879176ca5", versionType: "git", }, { lessThan: "aad8bbd17a1d586005feb9226c2e9cfce1432e13", status: "affected", version: "347c4a8747104a945ecced358944e42879176ca5", versionType: "git", }, { lessThan: "0ed074317b835caa6c03bcfa8f133365324673dc", status: "affected", version: "347c4a8747104a945ecced358944e42879176ca5", versionType: "git", }, { lessThan: "4a7ba45b1a435e7097ca0f79a847d0949d0eb088", status: "affected", version: "347c4a8747104a945ecced358944e42879176ca5", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "include/linux/cgroup.h", "kernel/cgroup/cgroup-internal.h", "mm/memcontrol.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "3.14", }, { lessThan: "3.14", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.14.*", status: "unaffected", version: "4.14.302", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.269", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.227", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.159", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.83", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.13", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nmemcg: fix possible use-after-free in memcg_write_event_control()\n\nmemcg_write_event_control() accesses the dentry->d_name of the specified\ncontrol fd to route the write call. As a cgroup interface file can't be\nrenamed, it's safe to access d_name as long as the specified file is a\nregular cgroup file. Also, as these cgroup interface files can't be\nremoved before the directory, it's safe to access the parent too.\n\nPrior to 347c4a874710 (\"memcg: remove cgroup_event->cft\"), there was a\ncall to __file_cft() which verified that the specified file is a regular\ncgroupfs file before further accesses. The cftype pointer returned from\n__file_cft() was no longer necessary and the commit inadvertently dropped\nthe file type check with it allowing any file to slip through. With the\ninvarients broken, the d_name and parent accesses can now race against\nrenames and removals of arbitrary files and cause use-after-free's.\n\nFix the bug by resurrecting the file type check in __file_cft(). Now that\ncgroupfs is implemented through kernfs, checking the file operations needs\nto go through a layer of indirection. Instead, let's check the superblock\nand dentry type.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:11:59.021Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/b77600e26fd48727a95ffd50ba1e937efb548125", }, { url: "https://git.kernel.org/stable/c/e1ae97624ecf400ea56c238bff23e5cd139df0b8", }, { url: "https://git.kernel.org/stable/c/35963b31821920908e397146502066f6b032c917", }, { url: "https://git.kernel.org/stable/c/f1f7f36cf682fa59db15e2089039a2eeb58ff2ad", }, { url: "https://git.kernel.org/stable/c/aad8bbd17a1d586005feb9226c2e9cfce1432e13", }, { url: "https://git.kernel.org/stable/c/0ed074317b835caa6c03bcfa8f133365324673dc", }, { url: "https://git.kernel.org/stable/c/4a7ba45b1a435e7097ca0f79a847d0949d0eb088", }, ], title: "memcg: fix possible use-after-free in memcg_write_event_control()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48988", datePublished: "2024-10-21T20:06:04.601Z", dateReserved: "2024-08-22T01:27:53.634Z", dateUpdated: "2024-12-19T08:11:59.021Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49897
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:28
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Check phantom_stream before it is used
dcn32_enable_phantom_stream can return null, so returned value
must be checked before used.
This fixes 1 NULL_RETURNS issue reported by Coverity.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49897", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:43:25.394828Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:48.184Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/resource/dcn32/dcn32_resource.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "db1d7e1794fed62ee16d6a72a85997bb069e2e27", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "d247af7c5dbf143ad6be8179bb1550e76d6af57e", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "1decf695ce08e23d9ded6ce83d121b2282ce9899", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "3ba1219e299ab5462b5cb374c2fa2a67af0ea190", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "3718a619a8c0a53152e76bb6769b6c414e1e83f4", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/amd/display/dc/resource/dcn32/dcn32_resource.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.120", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.64", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check phantom_stream before it is used\n\ndcn32_enable_phantom_stream can return null, so returned value\nmust be checked before used.\n\nThis fixes 1 NULL_RETURNS issue reported by Coverity.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:28:35.863Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/db1d7e1794fed62ee16d6a72a85997bb069e2e27", }, { url: "https://git.kernel.org/stable/c/d247af7c5dbf143ad6be8179bb1550e76d6af57e", }, { url: "https://git.kernel.org/stable/c/1decf695ce08e23d9ded6ce83d121b2282ce9899", }, { url: "https://git.kernel.org/stable/c/3ba1219e299ab5462b5cb374c2fa2a67af0ea190", }, { url: "https://git.kernel.org/stable/c/3718a619a8c0a53152e76bb6769b6c414e1e83f4", }, ], title: "drm/amd/display: Check phantom_stream before it is used", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49897", datePublished: "2024-10-21T18:01:30.384Z", dateReserved: "2024-10-21T12:17:06.026Z", dateUpdated: "2024-12-19T09:28:35.863Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47694
Vulnerability from cvelistv5
Published
2024-10-21 11:53
Modified
2024-12-19 09:26
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
IB/mlx5: Fix UMR pd cleanup on error flow of driver init
The cited commit moves the pd allocation from function
mlx5r_umr_resource_cleanup() to a new function mlx5r_umr_cleanup().
So the fix in commit [1] is broken. In error flow, will hit panic [2].
Fix it by checking pd pointer to avoid panic if it is NULL;
[1] RDMA/mlx5: Fix UMR cleanup on error flow of driver init
[2]
[ 347.567063] infiniband mlx5_0: Couldn't register device with driver model
[ 347.591382] BUG: kernel NULL pointer dereference, address: 0000000000000020
[ 347.593438] #PF: supervisor read access in kernel mode
[ 347.595176] #PF: error_code(0x0000) - not-present page
[ 347.596962] PGD 0 P4D 0
[ 347.601361] RIP: 0010:ib_dealloc_pd_user+0x12/0xc0 [ib_core]
[ 347.604171] RSP: 0018:ffff888106293b10 EFLAGS: 00010282
[ 347.604834] RAX: 0000000000000000 RBX: 000000000000000e RCX: 0000000000000000
[ 347.605672] RDX: ffff888106293ad0 RSI: 0000000000000000 RDI: 0000000000000000
[ 347.606529] RBP: 0000000000000000 R08: ffff888106293ae0 R09: ffff888106293ae0
[ 347.607379] R10: 0000000000000a06 R11: 0000000000000000 R12: 0000000000000000
[ 347.608224] R13: ffffffffa0704dc0 R14: 0000000000000001 R15: 0000000000000001
[ 347.609067] FS: 00007fdc720cd9c0(0000) GS:ffff88852c880000(0000) knlGS:0000000000000000
[ 347.610094] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 347.610727] CR2: 0000000000000020 CR3: 0000000103012003 CR4: 0000000000370eb0
[ 347.611421] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 347.612113] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 347.612804] Call Trace:
[ 347.613130] <TASK>
[ 347.613417] ? __die+0x20/0x60
[ 347.613793] ? page_fault_oops+0x150/0x3e0
[ 347.614243] ? free_msg+0x68/0x80 [mlx5_core]
[ 347.614840] ? cmd_exec+0x48f/0x11d0 [mlx5_core]
[ 347.615359] ? exc_page_fault+0x74/0x130
[ 347.615808] ? asm_exc_page_fault+0x22/0x30
[ 347.616273] ? ib_dealloc_pd_user+0x12/0xc0 [ib_core]
[ 347.616801] mlx5r_umr_cleanup+0x23/0x90 [mlx5_ib]
[ 347.617365] mlx5_ib_stage_pre_ib_reg_umr_cleanup+0x36/0x40 [mlx5_ib]
[ 347.618025] __mlx5_ib_add+0x96/0xd0 [mlx5_ib]
[ 347.618539] mlx5r_probe+0xe9/0x310 [mlx5_ib]
[ 347.619032] ? kernfs_add_one+0x107/0x150
[ 347.619478] ? __mlx5_ib_add+0xd0/0xd0 [mlx5_ib]
[ 347.619984] auxiliary_bus_probe+0x3e/0x90
[ 347.620448] really_probe+0xc5/0x3a0
[ 347.620857] __driver_probe_device+0x80/0x160
[ 347.621325] driver_probe_device+0x1e/0x90
[ 347.621770] __driver_attach+0xec/0x1c0
[ 347.622213] ? __device_attach_driver+0x100/0x100
[ 347.622724] bus_for_each_dev+0x71/0xc0
[ 347.623151] bus_add_driver+0xed/0x240
[ 347.623570] driver_register+0x58/0x100
[ 347.623998] __auxiliary_driver_register+0x6a/0xc0
[ 347.624499] ? driver_register+0xae/0x100
[ 347.624940] ? 0xffffffffa0893000
[ 347.625329] mlx5_ib_init+0x16a/0x1e0 [mlx5_ib]
[ 347.625845] do_one_initcall+0x4a/0x2a0
[ 347.626273] ? gcov_event+0x2e2/0x3a0
[ 347.626706] do_init_module+0x8a/0x260
[ 347.627126] init_module_from_file+0x8b/0xd0
[ 347.627596] __x64_sys_finit_module+0x1ca/0x2f0
[ 347.628089] do_syscall_64+0x4c/0x100
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47694", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:05:28.995740Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:14:14.649Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/infiniband/hw/mlx5/umr.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "99e2de5942b0390ddc24efada71edc6593e23f05", status: "affected", version: "638420115cc4ad6c3a2683bf46a052b505abb202", versionType: "git", }, { lessThan: "112e6e83a894260cc7efe79a1fc47d4d51461742", status: "affected", version: "638420115cc4ad6c3a2683bf46a052b505abb202", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/infiniband/hw/mlx5/umr.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.11", }, { lessThan: "6.11", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/mlx5: Fix UMR pd cleanup on error flow of driver init\n\nThe cited commit moves the pd allocation from function\nmlx5r_umr_resource_cleanup() to a new function mlx5r_umr_cleanup().\nSo the fix in commit [1] is broken. In error flow, will hit panic [2].\n\nFix it by checking pd pointer to avoid panic if it is NULL;\n\n[1] RDMA/mlx5: Fix UMR cleanup on error flow of driver init\n[2]\n [ 347.567063] infiniband mlx5_0: Couldn't register device with driver model\n [ 347.591382] BUG: kernel NULL pointer dereference, address: 0000000000000020\n [ 347.593438] #PF: supervisor read access in kernel mode\n [ 347.595176] #PF: error_code(0x0000) - not-present page\n [ 347.596962] PGD 0 P4D 0\n [ 347.601361] RIP: 0010:ib_dealloc_pd_user+0x12/0xc0 [ib_core]\n [ 347.604171] RSP: 0018:ffff888106293b10 EFLAGS: 00010282\n [ 347.604834] RAX: 0000000000000000 RBX: 000000000000000e RCX: 0000000000000000\n [ 347.605672] RDX: ffff888106293ad0 RSI: 0000000000000000 RDI: 0000000000000000\n [ 347.606529] RBP: 0000000000000000 R08: ffff888106293ae0 R09: ffff888106293ae0\n [ 347.607379] R10: 0000000000000a06 R11: 0000000000000000 R12: 0000000000000000\n [ 347.608224] R13: ffffffffa0704dc0 R14: 0000000000000001 R15: 0000000000000001\n [ 347.609067] FS: 00007fdc720cd9c0(0000) GS:ffff88852c880000(0000) knlGS:0000000000000000\n [ 347.610094] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [ 347.610727] CR2: 0000000000000020 CR3: 0000000103012003 CR4: 0000000000370eb0\n [ 347.611421] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n [ 347.612113] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n [ 347.612804] Call Trace:\n [ 347.613130] <TASK>\n [ 347.613417] ? __die+0x20/0x60\n [ 347.613793] ? page_fault_oops+0x150/0x3e0\n [ 347.614243] ? free_msg+0x68/0x80 [mlx5_core]\n [ 347.614840] ? cmd_exec+0x48f/0x11d0 [mlx5_core]\n [ 347.615359] ? exc_page_fault+0x74/0x130\n [ 347.615808] ? asm_exc_page_fault+0x22/0x30\n [ 347.616273] ? ib_dealloc_pd_user+0x12/0xc0 [ib_core]\n [ 347.616801] mlx5r_umr_cleanup+0x23/0x90 [mlx5_ib]\n [ 347.617365] mlx5_ib_stage_pre_ib_reg_umr_cleanup+0x36/0x40 [mlx5_ib]\n [ 347.618025] __mlx5_ib_add+0x96/0xd0 [mlx5_ib]\n [ 347.618539] mlx5r_probe+0xe9/0x310 [mlx5_ib]\n [ 347.619032] ? kernfs_add_one+0x107/0x150\n [ 347.619478] ? __mlx5_ib_add+0xd0/0xd0 [mlx5_ib]\n [ 347.619984] auxiliary_bus_probe+0x3e/0x90\n [ 347.620448] really_probe+0xc5/0x3a0\n [ 347.620857] __driver_probe_device+0x80/0x160\n [ 347.621325] driver_probe_device+0x1e/0x90\n [ 347.621770] __driver_attach+0xec/0x1c0\n [ 347.622213] ? __device_attach_driver+0x100/0x100\n [ 347.622724] bus_for_each_dev+0x71/0xc0\n [ 347.623151] bus_add_driver+0xed/0x240\n [ 347.623570] driver_register+0x58/0x100\n [ 347.623998] __auxiliary_driver_register+0x6a/0xc0\n [ 347.624499] ? driver_register+0xae/0x100\n [ 347.624940] ? 0xffffffffa0893000\n [ 347.625329] mlx5_ib_init+0x16a/0x1e0 [mlx5_ib]\n [ 347.625845] do_one_initcall+0x4a/0x2a0\n [ 347.626273] ? gcov_event+0x2e2/0x3a0\n [ 347.626706] do_init_module+0x8a/0x260\n [ 347.627126] init_module_from_file+0x8b/0xd0\n [ 347.627596] __x64_sys_finit_module+0x1ca/0x2f0\n [ 347.628089] do_syscall_64+0x4c/0x100", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:26:14.478Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/99e2de5942b0390ddc24efada71edc6593e23f05", }, { url: "https://git.kernel.org/stable/c/112e6e83a894260cc7efe79a1fc47d4d51461742", }, ], title: "IB/mlx5: Fix UMR pd cleanup on error flow of driver init", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47694", datePublished: "2024-10-21T11:53:32.611Z", dateReserved: "2024-09-30T16:00:12.942Z", dateUpdated: "2024-12-19T09:26:14.478Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49901
Vulnerability from cvelistv5
Published
2024-10-21 18:01
Modified
2024-12-19 09:28
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/msm/adreno: Assign msm_gpu->pdev earlier to avoid nullptrs
There are some cases, such as the one uncovered by Commit 46d4efcccc68
("drm/msm/a6xx: Avoid a nullptr dereference when speedbin setting fails")
where
msm_gpu_cleanup() : platform_set_drvdata(gpu->pdev, NULL);
is called on gpu->pdev == NULL, as the GPU device has not been fully
initialized yet.
Turns out that there's more than just the aforementioned path that
causes this to happen (e.g. the case when there's speedbin data in the
catalog, but opp-supported-hw is missing in DT).
Assigning msm_gpu->pdev earlier seems like the least painful solution
to this, therefore do so.
Patchwork: https://patchwork.freedesktop.org/patch/602742/
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49901", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:42:53.218810Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:48:47.606Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/msm/adreno/adreno_gpu.c", "drivers/gpu/drm/msm/msm_gpu.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "9288a9676c529ad9c856096db68fad812499bc4a", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "9773737375b20070ea935203fd66cb9fa17c5acb", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "e8ac2060597a5768e4699bb61d604b4c09927b85", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, { lessThan: "16007768551d5bfe53426645401435ca8d2ef54f", status: "affected", version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/msm/adreno/adreno_gpu.c", "drivers/gpu/drm/msm/msm_gpu.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/adreno: Assign msm_gpu->pdev earlier to avoid nullptrs\n\nThere are some cases, such as the one uncovered by Commit 46d4efcccc68\n(\"drm/msm/a6xx: Avoid a nullptr dereference when speedbin setting fails\")\nwhere\n\nmsm_gpu_cleanup() : platform_set_drvdata(gpu->pdev, NULL);\n\nis called on gpu->pdev == NULL, as the GPU device has not been fully\ninitialized yet.\n\nTurns out that there's more than just the aforementioned path that\ncauses this to happen (e.g. the case when there's speedbin data in the\ncatalog, but opp-supported-hw is missing in DT).\n\nAssigning msm_gpu->pdev earlier seems like the least painful solution\nto this, therefore do so.\n\nPatchwork: https://patchwork.freedesktop.org/patch/602742/", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:28:40.728Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/9288a9676c529ad9c856096db68fad812499bc4a", }, { url: "https://git.kernel.org/stable/c/9773737375b20070ea935203fd66cb9fa17c5acb", }, { url: "https://git.kernel.org/stable/c/e8ac2060597a5768e4699bb61d604b4c09927b85", }, { url: "https://git.kernel.org/stable/c/16007768551d5bfe53426645401435ca8d2ef54f", }, ], title: "drm/msm/adreno: Assign msm_gpu->pdev earlier to avoid nullptrs", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49901", datePublished: "2024-10-21T18:01:33.258Z", dateReserved: "2024-10-21T12:17:06.026Z", dateUpdated: "2024-12-19T09:28:40.728Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49961
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-19 09:30
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: i2c: ar0521: Use cansleep version of gpiod_set_value()
If we use GPIO reset from I2C port expander, we must use *_cansleep()
variant of GPIO functions.
This was not done in ar0521_power_on()/ar0521_power_off() functions.
Let's fix that.
------------[ cut here ]------------
WARNING: CPU: 0 PID: 11 at drivers/gpio/gpiolib.c:3496 gpiod_set_value+0x74/0x7c
Modules linked in:
CPU: 0 PID: 11 Comm: kworker/u16:0 Not tainted 6.10.0 #53
Hardware name: Diasom DS-RK3568-SOM-EVB (DT)
Workqueue: events_unbound deferred_probe_work_func
pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : gpiod_set_value+0x74/0x7c
lr : ar0521_power_on+0xcc/0x290
sp : ffffff8001d7ab70
x29: ffffff8001d7ab70 x28: ffffff80027dcc90 x27: ffffff8003c82000
x26: ffffff8003ca9250 x25: ffffffc080a39c60 x24: ffffff8003ca9088
x23: ffffff8002402720 x22: ffffff8003ca9080 x21: ffffff8003ca9088
x20: 0000000000000000 x19: ffffff8001eb2a00 x18: ffffff80efeeac80
x17: 756d2d6332692f30 x16: 0000000000000000 x15: 0000000000000000
x14: ffffff8001d91d40 x13: 0000000000000016 x12: ffffffc080e98930
x11: ffffff8001eb2880 x10: 0000000000000890 x9 : ffffff8001d7a9f0
x8 : ffffff8001d92570 x7 : ffffff80efeeac80 x6 : 000000003fc6e780
x5 : ffffff8001d91c80 x4 : 0000000000000002 x3 : 0000000000000000
x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000001
Call trace:
gpiod_set_value+0x74/0x7c
ar0521_power_on+0xcc/0x290
...
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 852b50aeed153b513c0b36298559114fab0fab80 Version: 852b50aeed153b513c0b36298559114fab0fab80 Version: 852b50aeed153b513c0b36298559114fab0fab80 Version: 852b50aeed153b513c0b36298559114fab0fab80 Version: 852b50aeed153b513c0b36298559114fab0fab80 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49961", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:35:06.681445Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:47.661Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/media/i2c/ar0521.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "9f08876d766755a92f1b9543ae3ee21bfc596fb8", status: "affected", version: "852b50aeed153b513c0b36298559114fab0fab80", versionType: "git", }, { lessThan: "625a77b68c96349c16fcc1faa42784313e0b1a85", status: "affected", version: "852b50aeed153b513c0b36298559114fab0fab80", versionType: "git", }, { lessThan: "2423b60a2d6d27e5f66c5021b494463aef2db212", status: "affected", version: "852b50aeed153b513c0b36298559114fab0fab80", versionType: "git", }, { lessThan: "3cf00ecfbf11ee8e6afff306a5bdcff4bf95d2cf", status: "affected", version: "852b50aeed153b513c0b36298559114fab0fab80", versionType: "git", }, { lessThan: "bee1aed819a8cda47927436685d216906ed17f62", status: "affected", version: "852b50aeed153b513c0b36298559114fab0fab80", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/media/i2c/ar0521.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.0", }, { lessThan: "6.0", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: i2c: ar0521: Use cansleep version of gpiod_set_value()\n\nIf we use GPIO reset from I2C port expander, we must use *_cansleep()\nvariant of GPIO functions.\nThis was not done in ar0521_power_on()/ar0521_power_off() functions.\nLet's fix that.\n\n------------[ cut here ]------------\nWARNING: CPU: 0 PID: 11 at drivers/gpio/gpiolib.c:3496 gpiod_set_value+0x74/0x7c\nModules linked in:\nCPU: 0 PID: 11 Comm: kworker/u16:0 Not tainted 6.10.0 #53\nHardware name: Diasom DS-RK3568-SOM-EVB (DT)\nWorkqueue: events_unbound deferred_probe_work_func\npstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : gpiod_set_value+0x74/0x7c\nlr : ar0521_power_on+0xcc/0x290\nsp : ffffff8001d7ab70\nx29: ffffff8001d7ab70 x28: ffffff80027dcc90 x27: ffffff8003c82000\nx26: ffffff8003ca9250 x25: ffffffc080a39c60 x24: ffffff8003ca9088\nx23: ffffff8002402720 x22: ffffff8003ca9080 x21: ffffff8003ca9088\nx20: 0000000000000000 x19: ffffff8001eb2a00 x18: ffffff80efeeac80\nx17: 756d2d6332692f30 x16: 0000000000000000 x15: 0000000000000000\nx14: ffffff8001d91d40 x13: 0000000000000016 x12: ffffffc080e98930\nx11: ffffff8001eb2880 x10: 0000000000000890 x9 : ffffff8001d7a9f0\nx8 : ffffff8001d92570 x7 : ffffff80efeeac80 x6 : 000000003fc6e780\nx5 : ffffff8001d91c80 x4 : 0000000000000002 x3 : 0000000000000000\nx2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000001\nCall trace:\n gpiod_set_value+0x74/0x7c\n ar0521_power_on+0xcc/0x290\n...", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:30:13.711Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/9f08876d766755a92f1b9543ae3ee21bfc596fb8", }, { url: "https://git.kernel.org/stable/c/625a77b68c96349c16fcc1faa42784313e0b1a85", }, { url: "https://git.kernel.org/stable/c/2423b60a2d6d27e5f66c5021b494463aef2db212", }, { url: "https://git.kernel.org/stable/c/3cf00ecfbf11ee8e6afff306a5bdcff4bf95d2cf", }, { url: "https://git.kernel.org/stable/c/bee1aed819a8cda47927436685d216906ed17f62", }, ], title: "media: i2c: ar0521: Use cansleep version of gpiod_set_value()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49961", datePublished: "2024-10-21T18:02:13.772Z", dateReserved: "2024-10-21T12:17:06.049Z", dateUpdated: "2024-12-19T09:30:13.711Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48975
Vulnerability from cvelistv5
Published
2024-10-21 20:05
Modified
2024-12-19 08:11
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
gpiolib: fix memory leak in gpiochip_setup_dev()
Here is a backtrace report about memory leak detected in
gpiochip_setup_dev():
unreferenced object 0xffff88810b406400 (size 512):
comm "python3", pid 1682, jiffies 4295346908 (age 24.090s)
backtrace:
kmalloc_trace
device_add device_private_init at drivers/base/core.c:3361
(inlined by) device_add at drivers/base/core.c:3411
cdev_device_add
gpiolib_cdev_register
gpiochip_setup_dev
gpiochip_add_data_with_key
gcdev_register() & gcdev_unregister() would call device_add() &
device_del() (no matter CONFIG_GPIO_CDEV is enabled or not) to
register/unregister device.
However, if device_add() succeeds, some resource (like
struct device_private allocated by device_private_init())
is not released by device_del().
Therefore, after device_add() succeeds by gcdev_register(), it
needs to call put_device() to release resource in the error handle
path.
Here we move forward the register of release function, and let it
release every piece of resource by put_device() instead of kfree().
While at it, fix another subtle issue, i.e. when gc->ngpio is equal
to 0, we still call kcalloc() and, in case of further error, kfree()
on the ZERO_PTR pointer, which is not NULL. It's not a bug per se,
but rather waste of the resources and potentially wrong expectation
about contents of the gdev->descs variable.
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48975", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:18:35.922105Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:37.208Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpio/gpiolib.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "6daaa84b621485fe28c401be18debf92ae8ef04a", status: "affected", version: "159f3cd92f17c61a4e2a47456de5865b114ef88e", versionType: "git", }, { lessThan: "371363716398ed718e389bea8c5e9843a79dde4e", status: "affected", version: "159f3cd92f17c61a4e2a47456de5865b114ef88e", versionType: "git", }, { lessThan: "ec851b23084b3a0af8bf0f5e51d33a8d678bdc49", status: "affected", version: "159f3cd92f17c61a4e2a47456de5865b114ef88e", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpio/gpiolib.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "4.6", }, { lessThan: "4.6", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.83", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.13", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.1", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ngpiolib: fix memory leak in gpiochip_setup_dev()\n\nHere is a backtrace report about memory leak detected in\ngpiochip_setup_dev():\n\nunreferenced object 0xffff88810b406400 (size 512):\n comm \"python3\", pid 1682, jiffies 4295346908 (age 24.090s)\n backtrace:\n kmalloc_trace\n device_add\t\tdevice_private_init at drivers/base/core.c:3361\n\t\t\t(inlined by) device_add at drivers/base/core.c:3411\n cdev_device_add\n gpiolib_cdev_register\n gpiochip_setup_dev\n gpiochip_add_data_with_key\n\ngcdev_register() & gcdev_unregister() would call device_add() &\ndevice_del() (no matter CONFIG_GPIO_CDEV is enabled or not) to\nregister/unregister device.\n\nHowever, if device_add() succeeds, some resource (like\nstruct device_private allocated by device_private_init())\nis not released by device_del().\n\nTherefore, after device_add() succeeds by gcdev_register(), it\nneeds to call put_device() to release resource in the error handle\npath.\n\nHere we move forward the register of release function, and let it\nrelease every piece of resource by put_device() instead of kfree().\n\nWhile at it, fix another subtle issue, i.e. when gc->ngpio is equal\nto 0, we still call kcalloc() and, in case of further error, kfree()\non the ZERO_PTR pointer, which is not NULL. It's not a bug per se,\nbut rather waste of the resources and potentially wrong expectation\nabout contents of the gdev->descs variable.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:11:43.261Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/6daaa84b621485fe28c401be18debf92ae8ef04a", }, { url: "https://git.kernel.org/stable/c/371363716398ed718e389bea8c5e9843a79dde4e", }, { url: "https://git.kernel.org/stable/c/ec851b23084b3a0af8bf0f5e51d33a8d678bdc49", }, ], title: "gpiolib: fix memory leak in gpiochip_setup_dev()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48975", datePublished: "2024-10-21T20:05:55.091Z", dateReserved: "2024-08-22T01:27:53.631Z", dateUpdated: "2024-12-19T08:11:43.261Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48949
Vulnerability from cvelistv5
Published
2024-10-21 20:05
Modified
2024-12-19 08:11
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
igb: Initialize mailbox message for VF reset
When a MAC address is not assigned to the VF, that portion of the message
sent to the VF is not set. The memory, however, is allocated from the
stack meaning that information may be leaked to the VM. Initialize the
message buffer to 0 so that no information is passed to the VM in this
case.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 6ddbc4cf1f4d5a3a58b4223c80881f299dae3774 Version: 6ddbc4cf1f4d5a3a58b4223c80881f299dae3774 Version: 6ddbc4cf1f4d5a3a58b4223c80881f299dae3774 Version: 6ddbc4cf1f4d5a3a58b4223c80881f299dae3774 Version: 6ddbc4cf1f4d5a3a58b4223c80881f299dae3774 Version: 6ddbc4cf1f4d5a3a58b4223c80881f299dae3774 Version: 6ddbc4cf1f4d5a3a58b4223c80881f299dae3774 Version: 6ddbc4cf1f4d5a3a58b4223c80881f299dae3774 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-48949", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:21:53.220754Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:28:40.995Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/net/ethernet/intel/igb/igb_main.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "a6629659af3f5c6a91e3914ea62554c975ab77f4", status: "affected", version: "6ddbc4cf1f4d5a3a58b4223c80881f299dae3774", versionType: "git", }, { lessThan: "ef1d739dd1f362aec081278ff92f943c31eb177a", status: "affected", version: "6ddbc4cf1f4d5a3a58b4223c80881f299dae3774", versionType: "git", }, { lessThan: "c581439a977545d61849a72e8ed631cfc8a2a3c1", status: "affected", version: "6ddbc4cf1f4d5a3a58b4223c80881f299dae3774", versionType: "git", }, { lessThan: "f2479c3daaabccbac6c343a737615d0c595c6dc4", status: "affected", version: "6ddbc4cf1f4d5a3a58b4223c80881f299dae3774", versionType: "git", }, { lessThan: "367e1e3399dbc56fc669740c4ab60e35da632b0e", status: "affected", version: "6ddbc4cf1f4d5a3a58b4223c80881f299dae3774", versionType: "git", }, { lessThan: "51fd5ede7ed42f272682a0c33d6f0767b3484a3d", status: "affected", version: "6ddbc4cf1f4d5a3a58b4223c80881f299dae3774", versionType: "git", }, { lessThan: "c383c7c35c7bc15e07a04eefa060a8a80cbeae29", status: "affected", version: "6ddbc4cf1f4d5a3a58b4223c80881f299dae3774", versionType: "git", }, { lessThan: "de5dc44370fbd6b46bd7f1a1e00369be54a041c8", status: "affected", version: "6ddbc4cf1f4d5a3a58b4223c80881f299dae3774", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/net/ethernet/intel/igb/igb_main.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "4.0", }, { lessThan: "4.0", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.14.*", status: "unaffected", version: "4.14.303", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.270", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.229", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.161", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.85", versionType: "semver", }, { lessThanOrEqual: "6.0.*", status: "unaffected", version: "6.0.15", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.1", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.2", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nigb: Initialize mailbox message for VF reset\n\nWhen a MAC address is not assigned to the VF, that portion of the message\nsent to the VF is not set. The memory, however, is allocated from the\nstack meaning that information may be leaked to the VM. Initialize the\nmessage buffer to 0 so that no information is passed to the VM in this\ncase.", }, ], providerMetadata: { dateUpdated: "2024-12-19T08:11:05.842Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/a6629659af3f5c6a91e3914ea62554c975ab77f4", }, { url: "https://git.kernel.org/stable/c/ef1d739dd1f362aec081278ff92f943c31eb177a", }, { url: "https://git.kernel.org/stable/c/c581439a977545d61849a72e8ed631cfc8a2a3c1", }, { url: "https://git.kernel.org/stable/c/f2479c3daaabccbac6c343a737615d0c595c6dc4", }, { url: "https://git.kernel.org/stable/c/367e1e3399dbc56fc669740c4ab60e35da632b0e", }, { url: "https://git.kernel.org/stable/c/51fd5ede7ed42f272682a0c33d6f0767b3484a3d", }, { url: "https://git.kernel.org/stable/c/c383c7c35c7bc15e07a04eefa060a8a80cbeae29", }, { url: "https://git.kernel.org/stable/c/de5dc44370fbd6b46bd7f1a1e00369be54a041c8", }, ], title: "igb: Initialize mailbox message for VF reset", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-48949", datePublished: "2024-10-21T20:05:37.782Z", dateReserved: "2024-08-22T01:27:53.625Z", dateUpdated: "2024-12-19T08:11:05.842Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49975
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-19 09:30
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
uprobes: fix kernel info leak via "[uprobes]" vma
xol_add_vma() maps the uninitialized page allocated by __create_xol_area()
into userspace. On some architectures (x86) this memory is readable even
without VM_READ, VM_EXEC results in the same pgprot_t as VM_EXEC|VM_READ,
although this doesn't really matter, debugger can read this memory anyway.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: d4b3b6384f98f8692ad0209891ccdbc7e78bbefe Version: d4b3b6384f98f8692ad0209891ccdbc7e78bbefe Version: d4b3b6384f98f8692ad0209891ccdbc7e78bbefe Version: d4b3b6384f98f8692ad0209891ccdbc7e78bbefe Version: d4b3b6384f98f8692ad0209891ccdbc7e78bbefe Version: d4b3b6384f98f8692ad0209891ccdbc7e78bbefe Version: d4b3b6384f98f8692ad0209891ccdbc7e78bbefe Version: d4b3b6384f98f8692ad0209891ccdbc7e78bbefe Version: d4b3b6384f98f8692ad0209891ccdbc7e78bbefe |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49975", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:33:15.927112Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:45.577Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "kernel/events/uprobes.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "f31f92107e5a8ecc8902705122c594e979a351fe", status: "affected", version: "d4b3b6384f98f8692ad0209891ccdbc7e78bbefe", versionType: "git", }, { lessThan: "fe5e9182d3e227476642ae2b312e2356c4d326a3", status: "affected", version: "d4b3b6384f98f8692ad0209891ccdbc7e78bbefe", versionType: "git", }, { lessThan: "f561b48d633ac2e7d0d667020fc634a96ade33a0", status: "affected", version: "d4b3b6384f98f8692ad0209891ccdbc7e78bbefe", versionType: "git", }, { lessThan: "21cb47db1ec9765f91304763a24565ddc22d2492", status: "affected", version: "d4b3b6384f98f8692ad0209891ccdbc7e78bbefe", versionType: "git", }, { lessThan: "24141df5a8615790950deedd926a44ddf1dfd6d8", status: "affected", version: "d4b3b6384f98f8692ad0209891ccdbc7e78bbefe", versionType: "git", }, { lessThan: "5b981d8335e18aef7908a068529a3287258ff6d8", status: "affected", version: "d4b3b6384f98f8692ad0209891ccdbc7e78bbefe", versionType: "git", }, { lessThan: "2aa45f43709ba2082917bd2973d02687075b6eee", status: "affected", version: "d4b3b6384f98f8692ad0209891ccdbc7e78bbefe", versionType: "git", }, { lessThan: "9634e8dc964a4adafa7e1535147abd7ec29441a6", status: "affected", version: "d4b3b6384f98f8692ad0209891ccdbc7e78bbefe", versionType: "git", }, { lessThan: "34820304cc2cd1804ee1f8f3504ec77813d29c8e", status: "affected", version: "d4b3b6384f98f8692ad0209891ccdbc7e78bbefe", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "kernel/events/uprobes.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "3.5", }, { lessThan: "3.5", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "4.19.*", status: "unaffected", version: "4.19.323", versionType: "semver", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.285", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.55", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nuprobes: fix kernel info leak via \"[uprobes]\" vma\n\nxol_add_vma() maps the uninitialized page allocated by __create_xol_area()\ninto userspace. On some architectures (x86) this memory is readable even\nwithout VM_READ, VM_EXEC results in the same pgprot_t as VM_EXEC|VM_READ,\nalthough this doesn't really matter, debugger can read this memory anyway.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:30:30.698Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/f31f92107e5a8ecc8902705122c594e979a351fe", }, { url: "https://git.kernel.org/stable/c/fe5e9182d3e227476642ae2b312e2356c4d326a3", }, { url: "https://git.kernel.org/stable/c/f561b48d633ac2e7d0d667020fc634a96ade33a0", }, { url: "https://git.kernel.org/stable/c/21cb47db1ec9765f91304763a24565ddc22d2492", }, { url: "https://git.kernel.org/stable/c/24141df5a8615790950deedd926a44ddf1dfd6d8", }, { url: "https://git.kernel.org/stable/c/5b981d8335e18aef7908a068529a3287258ff6d8", }, { url: "https://git.kernel.org/stable/c/2aa45f43709ba2082917bd2973d02687075b6eee", }, { url: "https://git.kernel.org/stable/c/9634e8dc964a4adafa7e1535147abd7ec29441a6", }, { url: "https://git.kernel.org/stable/c/34820304cc2cd1804ee1f8f3504ec77813d29c8e", }, ], title: "uprobes: fix kernel info leak via \"[uprobes]\" vma", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49975", datePublished: "2024-10-21T18:02:23.099Z", dateReserved: "2024-10-21T12:17:06.052Z", dateUpdated: "2024-12-19T09:30:30.698Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47735
Vulnerability from cvelistv5
Published
2024-10-21 12:14
Modified
2024-12-19 09:27
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/hns: Fix spin_unlock_irqrestore() called with IRQs enabled
Fix missuse of spin_lock_irq()/spin_unlock_irq() when
spin_lock_irqsave()/spin_lock_irqrestore() was hold.
This was discovered through the lock debugging, and the corresponding
log is as follows:
raw_local_irq_restore() called with IRQs enabled
WARNING: CPU: 96 PID: 2074 at kernel/locking/irqflag-debug.c:10 warn_bogus_irq_restore+0x30/0x40
...
Call trace:
warn_bogus_irq_restore+0x30/0x40
_raw_spin_unlock_irqrestore+0x84/0xc8
add_qp_to_list+0x11c/0x148 [hns_roce_hw_v2]
hns_roce_create_qp_common.constprop.0+0x240/0x780 [hns_roce_hw_v2]
hns_roce_create_qp+0x98/0x160 [hns_roce_hw_v2]
create_qp+0x138/0x258
ib_create_qp_kernel+0x50/0xe8
create_mad_qp+0xa8/0x128
ib_mad_port_open+0x218/0x448
ib_mad_init_device+0x70/0x1f8
add_client_context+0xfc/0x220
enable_device_and_get+0xd0/0x140
ib_register_device.part.0+0xf4/0x1c8
ib_register_device+0x34/0x50
hns_roce_register_device+0x174/0x3d0 [hns_roce_hw_v2]
hns_roce_init+0xfc/0x2c0 [hns_roce_hw_v2]
__hns_roce_hw_v2_init_instance+0x7c/0x1d0 [hns_roce_hw_v2]
hns_roce_hw_v2_init_instance+0x9c/0x180 [hns_roce_hw_v2]
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 9a4435375cd151e07c0c38fa601b00115986091b Version: 9a4435375cd151e07c0c38fa601b00115986091b Version: 9a4435375cd151e07c0c38fa601b00115986091b Version: 9a4435375cd151e07c0c38fa601b00115986091b Version: 9a4435375cd151e07c0c38fa601b00115986091b Version: 9a4435375cd151e07c0c38fa601b00115986091b Version: 9a4435375cd151e07c0c38fa601b00115986091b |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47735", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T12:59:57.677353Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:15.337Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/infiniband/hw/hns/hns_roce_qp.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "07f0f643d7e570dbe8ef6f5c3367a43e3086a335", status: "affected", version: "9a4435375cd151e07c0c38fa601b00115986091b", versionType: "git", }, { lessThan: "29c0f546d3fd66238b42cf25bcd5f193bb1cf794", status: "affected", version: "9a4435375cd151e07c0c38fa601b00115986091b", versionType: "git", }, { lessThan: "425589d4af09c49574bd71ac31f811362a5126c3", status: "affected", version: "9a4435375cd151e07c0c38fa601b00115986091b", versionType: "git", }, { lessThan: "094a1821903f33fb91de4b71087773ee16aeb3a0", status: "affected", version: "9a4435375cd151e07c0c38fa601b00115986091b", versionType: "git", }, { lessThan: "2656336a84fcb6802f6e6c233f4661891deea24f", status: "affected", version: "9a4435375cd151e07c0c38fa601b00115986091b", versionType: "git", }, { lessThan: "a1a3403bb1826c8ec787f0d60c3e7b54f419129e", status: "affected", version: "9a4435375cd151e07c0c38fa601b00115986091b", versionType: "git", }, { lessThan: "74d315b5af180220d561684d15897730135733a6", status: "affected", version: "9a4435375cd151e07c0c38fa601b00115986091b", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/infiniband/hw/hns/hns_roce_qp.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "4.9", }, { lessThan: "4.9", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.227", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.168", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hns: Fix spin_unlock_irqrestore() called with IRQs enabled\n\nFix missuse of spin_lock_irq()/spin_unlock_irq() when\nspin_lock_irqsave()/spin_lock_irqrestore() was hold.\n\nThis was discovered through the lock debugging, and the corresponding\nlog is as follows:\n\nraw_local_irq_restore() called with IRQs enabled\nWARNING: CPU: 96 PID: 2074 at kernel/locking/irqflag-debug.c:10 warn_bogus_irq_restore+0x30/0x40\n...\nCall trace:\n warn_bogus_irq_restore+0x30/0x40\n _raw_spin_unlock_irqrestore+0x84/0xc8\n add_qp_to_list+0x11c/0x148 [hns_roce_hw_v2]\n hns_roce_create_qp_common.constprop.0+0x240/0x780 [hns_roce_hw_v2]\n hns_roce_create_qp+0x98/0x160 [hns_roce_hw_v2]\n create_qp+0x138/0x258\n ib_create_qp_kernel+0x50/0xe8\n create_mad_qp+0xa8/0x128\n ib_mad_port_open+0x218/0x448\n ib_mad_init_device+0x70/0x1f8\n add_client_context+0xfc/0x220\n enable_device_and_get+0xd0/0x140\n ib_register_device.part.0+0xf4/0x1c8\n ib_register_device+0x34/0x50\n hns_roce_register_device+0x174/0x3d0 [hns_roce_hw_v2]\n hns_roce_init+0xfc/0x2c0 [hns_roce_hw_v2]\n __hns_roce_hw_v2_init_instance+0x7c/0x1d0 [hns_roce_hw_v2]\n hns_roce_hw_v2_init_instance+0x9c/0x180 [hns_roce_hw_v2]", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:27:03.906Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/07f0f643d7e570dbe8ef6f5c3367a43e3086a335", }, { url: "https://git.kernel.org/stable/c/29c0f546d3fd66238b42cf25bcd5f193bb1cf794", }, { url: "https://git.kernel.org/stable/c/425589d4af09c49574bd71ac31f811362a5126c3", }, { url: "https://git.kernel.org/stable/c/094a1821903f33fb91de4b71087773ee16aeb3a0", }, { url: "https://git.kernel.org/stable/c/2656336a84fcb6802f6e6c233f4661891deea24f", }, { url: "https://git.kernel.org/stable/c/a1a3403bb1826c8ec787f0d60c3e7b54f419129e", }, { url: "https://git.kernel.org/stable/c/74d315b5af180220d561684d15897730135733a6", }, ], title: "RDMA/hns: Fix spin_unlock_irqrestore() called with IRQs enabled", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47735", datePublished: "2024-10-21T12:14:05.876Z", dateReserved: "2024-09-30T16:00:12.958Z", dateUpdated: "2024-12-19T09:27:03.906Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-47730
Vulnerability from cvelistv5
Published
2024-10-21 12:14
Modified
2024-12-19 09:26
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: hisilicon/qm - inject error before stopping queue
The master ooo cannot be completely closed when the
accelerator core reports memory error. Therefore, the driver
needs to inject the qm error to close the master ooo. Currently,
the qm error is injected after stopping queue, memory may be
released immediately after stopping queue, causing the device to
access the released memory. Therefore, error is injected to close master
ooo before stopping queue to ensure that the device does not access
the released memory.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 6c6dd5802c2d6769fa589c0e8de54299def199a7 Version: 6c6dd5802c2d6769fa589c0e8de54299def199a7 Version: 6c6dd5802c2d6769fa589c0e8de54299def199a7 Version: 6c6dd5802c2d6769fa589c0e8de54299def199a7 Version: 6c6dd5802c2d6769fa589c0e8de54299def199a7 Version: 6c6dd5802c2d6769fa589c0e8de54299def199a7 |
||||||
|
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-47730", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-21T13:00:38.367655Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-21T13:04:16.049Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/crypto/hisilicon/qm.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "801d64177faaec184cee1e1aa4d8487df1364a54", status: "affected", version: "6c6dd5802c2d6769fa589c0e8de54299def199a7", versionType: "git", }, { lessThan: "98d3be34c9153eceadb56de50d9f9347e88d86e4", status: "affected", version: "6c6dd5802c2d6769fa589c0e8de54299def199a7", versionType: "git", }, { lessThan: "aa3e0db35a60002fb34ef0e4ad203aa59fd00203", status: "affected", version: "6c6dd5802c2d6769fa589c0e8de54299def199a7", versionType: "git", }, { lessThan: "f8024f12752e32ffbbf59e1c09d949f977ff743f", status: "affected", version: "6c6dd5802c2d6769fa589c0e8de54299def199a7", versionType: "git", }, { lessThan: "c5f5b813e546f7fe133539c3d7a5086cc8dd2aa1", status: "affected", version: "6c6dd5802c2d6769fa589c0e8de54299def199a7", versionType: "git", }, { lessThan: "b04f06fc0243600665b3b50253869533b7938468", status: "affected", version: "6c6dd5802c2d6769fa589c0e8de54299def199a7", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/crypto/hisilicon/qm.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.8", }, { lessThan: "5.8", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.174", versionType: "semver", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.113", versionType: "semver", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.54", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.13", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.2", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: hisilicon/qm - inject error before stopping queue\n\nThe master ooo cannot be completely closed when the\naccelerator core reports memory error. Therefore, the driver\nneeds to inject the qm error to close the master ooo. Currently,\nthe qm error is injected after stopping queue, memory may be\nreleased immediately after stopping queue, causing the device to\naccess the released memory. Therefore, error is injected to close master\nooo before stopping queue to ensure that the device does not access\nthe released memory.", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:26:56.953Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/801d64177faaec184cee1e1aa4d8487df1364a54", }, { url: "https://git.kernel.org/stable/c/98d3be34c9153eceadb56de50d9f9347e88d86e4", }, { url: "https://git.kernel.org/stable/c/aa3e0db35a60002fb34ef0e4ad203aa59fd00203", }, { url: "https://git.kernel.org/stable/c/f8024f12752e32ffbbf59e1c09d949f977ff743f", }, { url: "https://git.kernel.org/stable/c/c5f5b813e546f7fe133539c3d7a5086cc8dd2aa1", }, { url: "https://git.kernel.org/stable/c/b04f06fc0243600665b3b50253869533b7938468", }, ], title: "crypto: hisilicon/qm - inject error before stopping queue", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-47730", datePublished: "2024-10-21T12:14:02.378Z", dateReserved: "2024-09-30T16:00:12.957Z", dateUpdated: "2024-12-19T09:26:56.953Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-49942
Vulnerability from cvelistv5
Published
2024-10-21 18:02
Modified
2024-12-19 09:29
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/xe: Prevent null pointer access in xe_migrate_copy
xe_migrate_copy designed to copy content of TTM resources. When source
resource is null, it will trigger a NULL pointer dereference in
xe_migrate_copy. To avoid this situation, update lacks source flag to
true for this case, the flag will trigger xe_migrate_clear rather than
xe_migrate_copy.
Issue trace:
<7> [317.089847] xe 0000:00:02.0: [drm:xe_migrate_copy [xe]] Pass 14,
sizes: 4194304 & 4194304
<7> [317.089945] xe 0000:00:02.0: [drm:xe_migrate_copy [xe]] Pass 15,
sizes: 4194304 & 4194304
<1> [317.128055] BUG: kernel NULL pointer dereference, address:
0000000000000010
<1> [317.128064] #PF: supervisor read access in kernel mode
<1> [317.128066] #PF: error_code(0x0000) - not-present page
<6> [317.128069] PGD 0 P4D 0
<4> [317.128071] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
<4> [317.128074] CPU: 1 UID: 0 PID: 1440 Comm: kunit_try_catch Tainted:
G U N 6.11.0-rc7-xe #1
<4> [317.128078] Tainted: [U]=USER, [N]=TEST
<4> [317.128080] Hardware name: Intel Corporation Lunar Lake Client
Platform/LNL-M LP5 RVP1, BIOS LNLMFWI1.R00.3221.D80.2407291239 07/29/2024
<4> [317.128082] RIP: 0010:xe_migrate_copy+0x66/0x13e0 [xe]
<4> [317.128158] Code: 00 00 48 89 8d e0 fe ff ff 48 8b 40 10 4c 89 85 c8
fe ff ff 44 88 8d bd fe ff ff 65 48 8b 3c 25 28 00 00 00 48 89 7d d0 31
ff <8b> 79 10 48 89 85 a0 fe ff ff 48 8b 00 48 89 b5 d8 fe ff ff 83 ff
<4> [317.128162] RSP: 0018:ffffc9000167f9f0 EFLAGS: 00010246
<4> [317.128164] RAX: ffff8881120d8028 RBX: ffff88814d070428 RCX:
0000000000000000
<4> [317.128166] RDX: ffff88813cb99c00 RSI: 0000000004000000 RDI:
0000000000000000
<4> [317.128168] RBP: ffffc9000167fbb8 R08: ffff88814e7b1f08 R09:
0000000000000001
<4> [317.128170] R10: 0000000000000001 R11: 0000000000000001 R12:
ffff88814e7b1f08
<4> [317.128172] R13: ffff88814e7b1f08 R14: ffff88813cb99c00 R15:
0000000000000001
<4> [317.128174] FS: 0000000000000000(0000) GS:ffff88846f280000(0000)
knlGS:0000000000000000
<4> [317.128176] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
<4> [317.128178] CR2: 0000000000000010 CR3: 000000011f676004 CR4:
0000000000770ef0
<4> [317.128180] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
<4> [317.128182] DR3: 0000000000000000 DR6: 00000000ffff07f0 DR7:
0000000000000400
<4> [317.128184] PKRU: 55555554
<4> [317.128185] Call Trace:
<4> [317.128187] <TASK>
<4> [317.128189] ? show_regs+0x67/0x70
<4> [317.128194] ? __die_body+0x20/0x70
<4> [317.128196] ? __die+0x2b/0x40
<4> [317.128198] ? page_fault_oops+0x15f/0x4e0
<4> [317.128203] ? do_user_addr_fault+0x3fb/0x970
<4> [317.128205] ? lock_acquire+0xc7/0x2e0
<4> [317.128209] ? exc_page_fault+0x87/0x2b0
<4> [317.128212] ? asm_exc_page_fault+0x27/0x30
<4> [317.128216] ? xe_migrate_copy+0x66/0x13e0 [xe]
<4> [317.128263] ? __lock_acquire+0xb9d/0x26f0
<4> [317.128265] ? __lock_acquire+0xb9d/0x26f0
<4> [317.128267] ? sg_free_append_table+0x20/0x80
<4> [317.128271] ? lock_acquire+0xc7/0x2e0
<4> [317.128273] ? mark_held_locks+0x4d/0x80
<4> [317.128275] ? trace_hardirqs_on+0x1e/0xd0
<4> [317.128278] ? _raw_spin_unlock_irqrestore+0x31/0x60
<4> [317.128281] ? __pm_runtime_resume+0x60/0xa0
<4> [317.128284] xe_bo_move+0x682/0xc50 [xe]
<4> [317.128315] ? lock_is_held_type+0xaa/0x120
<4> [317.128318] ttm_bo_handle_move_mem+0xe5/0x1a0 [ttm]
<4> [317.128324] ttm_bo_validate+0xd1/0x1a0 [ttm]
<4> [317.128328] shrink_test_run_device+0x721/0xc10 [xe]
<4> [317.128360] ? find_held_lock+0x31/0x90
<4> [317.128363] ? lock_release+0xd1/0x2a0
<4> [317.128365] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[kunit]
<4> [317.128370] xe_bo_shrink_kunit+0x11/0x20 [xe]
<4> [317.128397] kunit_try_run_case+0x6e/0x150 [kunit]
<4> [317.128400] ? trace_hardirqs_on+0x1e/0xd0
<4> [317.128402] ? _raw_spin_unlock_irqrestore+0x31/0x60
<4> [317.128404] kunit_generic_run_threadfn_adapter+0x1e/0x40 [ku
---truncated---
References
Impacted products
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-49942", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-22T13:37:35.995773Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-22T13:38:50.373Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/gpu/drm/xe/xe_bo.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "16e0267db156f8a4ea16bfb3ac3f5743c9698df3", status: "affected", version: "266c85885263022954928b125d46ab7a78c77a69", versionType: "git", }, { lessThan: "8f5199b6971f0717c2d31685953971fa2e1b9e1a", status: "affected", version: "266c85885263022954928b125d46ab7a78c77a69", versionType: "git", }, { lessThan: "7257d9c9a3c6cfe26c428e9b7ae21d61f2f55a79", status: "affected", version: "266c85885263022954928b125d46ab7a78c77a69", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/gpu/drm/xe/xe_bo.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "6.8", }, { lessThan: "6.8", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "6.10.*", status: "unaffected", version: "6.10.14", versionType: "semver", }, { lessThanOrEqual: "6.11.*", status: "unaffected", version: "6.11.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.12", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Prevent null pointer access in xe_migrate_copy\n\nxe_migrate_copy designed to copy content of TTM resources. When source\nresource is null, it will trigger a NULL pointer dereference in\nxe_migrate_copy. To avoid this situation, update lacks source flag to\ntrue for this case, the flag will trigger xe_migrate_clear rather than\nxe_migrate_copy.\n\nIssue trace:\n<7> [317.089847] xe 0000:00:02.0: [drm:xe_migrate_copy [xe]] Pass 14,\n sizes: 4194304 & 4194304\n<7> [317.089945] xe 0000:00:02.0: [drm:xe_migrate_copy [xe]] Pass 15,\n sizes: 4194304 & 4194304\n<1> [317.128055] BUG: kernel NULL pointer dereference, address:\n 0000000000000010\n<1> [317.128064] #PF: supervisor read access in kernel mode\n<1> [317.128066] #PF: error_code(0x0000) - not-present page\n<6> [317.128069] PGD 0 P4D 0\n<4> [317.128071] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI\n<4> [317.128074] CPU: 1 UID: 0 PID: 1440 Comm: kunit_try_catch Tainted:\n G U N 6.11.0-rc7-xe #1\n<4> [317.128078] Tainted: [U]=USER, [N]=TEST\n<4> [317.128080] Hardware name: Intel Corporation Lunar Lake Client\n Platform/LNL-M LP5 RVP1, BIOS LNLMFWI1.R00.3221.D80.2407291239 07/29/2024\n<4> [317.128082] RIP: 0010:xe_migrate_copy+0x66/0x13e0 [xe]\n<4> [317.128158] Code: 00 00 48 89 8d e0 fe ff ff 48 8b 40 10 4c 89 85 c8\n fe ff ff 44 88 8d bd fe ff ff 65 48 8b 3c 25 28 00 00 00 48 89 7d d0 31\n ff <8b> 79 10 48 89 85 a0 fe ff ff 48 8b 00 48 89 b5 d8 fe ff ff 83 ff\n<4> [317.128162] RSP: 0018:ffffc9000167f9f0 EFLAGS: 00010246\n<4> [317.128164] RAX: ffff8881120d8028 RBX: ffff88814d070428 RCX:\n 0000000000000000\n<4> [317.128166] RDX: ffff88813cb99c00 RSI: 0000000004000000 RDI:\n 0000000000000000\n<4> [317.128168] RBP: ffffc9000167fbb8 R08: ffff88814e7b1f08 R09:\n 0000000000000001\n<4> [317.128170] R10: 0000000000000001 R11: 0000000000000001 R12:\n ffff88814e7b1f08\n<4> [317.128172] R13: ffff88814e7b1f08 R14: ffff88813cb99c00 R15:\n 0000000000000001\n<4> [317.128174] FS: 0000000000000000(0000) GS:ffff88846f280000(0000)\n knlGS:0000000000000000\n<4> [317.128176] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n<4> [317.128178] CR2: 0000000000000010 CR3: 000000011f676004 CR4:\n 0000000000770ef0\n<4> [317.128180] DR0: 0000000000000000 DR1: 0000000000000000 DR2:\n 0000000000000000\n<4> [317.128182] DR3: 0000000000000000 DR6: 00000000ffff07f0 DR7:\n 0000000000000400\n<4> [317.128184] PKRU: 55555554\n<4> [317.128185] Call Trace:\n<4> [317.128187] <TASK>\n<4> [317.128189] ? show_regs+0x67/0x70\n<4> [317.128194] ? __die_body+0x20/0x70\n<4> [317.128196] ? __die+0x2b/0x40\n<4> [317.128198] ? page_fault_oops+0x15f/0x4e0\n<4> [317.128203] ? do_user_addr_fault+0x3fb/0x970\n<4> [317.128205] ? lock_acquire+0xc7/0x2e0\n<4> [317.128209] ? exc_page_fault+0x87/0x2b0\n<4> [317.128212] ? asm_exc_page_fault+0x27/0x30\n<4> [317.128216] ? xe_migrate_copy+0x66/0x13e0 [xe]\n<4> [317.128263] ? __lock_acquire+0xb9d/0x26f0\n<4> [317.128265] ? __lock_acquire+0xb9d/0x26f0\n<4> [317.128267] ? sg_free_append_table+0x20/0x80\n<4> [317.128271] ? lock_acquire+0xc7/0x2e0\n<4> [317.128273] ? mark_held_locks+0x4d/0x80\n<4> [317.128275] ? trace_hardirqs_on+0x1e/0xd0\n<4> [317.128278] ? _raw_spin_unlock_irqrestore+0x31/0x60\n<4> [317.128281] ? __pm_runtime_resume+0x60/0xa0\n<4> [317.128284] xe_bo_move+0x682/0xc50 [xe]\n<4> [317.128315] ? lock_is_held_type+0xaa/0x120\n<4> [317.128318] ttm_bo_handle_move_mem+0xe5/0x1a0 [ttm]\n<4> [317.128324] ttm_bo_validate+0xd1/0x1a0 [ttm]\n<4> [317.128328] shrink_test_run_device+0x721/0xc10 [xe]\n<4> [317.128360] ? find_held_lock+0x31/0x90\n<4> [317.128363] ? lock_release+0xd1/0x2a0\n<4> [317.128365] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10\n [kunit]\n<4> [317.128370] xe_bo_shrink_kunit+0x11/0x20 [xe]\n<4> [317.128397] kunit_try_run_case+0x6e/0x150 [kunit]\n<4> [317.128400] ? trace_hardirqs_on+0x1e/0xd0\n<4> [317.128402] ? _raw_spin_unlock_irqrestore+0x31/0x60\n<4> [317.128404] kunit_generic_run_threadfn_adapter+0x1e/0x40 [ku\n---truncated---", }, ], providerMetadata: { dateUpdated: "2024-12-19T09:29:48.033Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/16e0267db156f8a4ea16bfb3ac3f5743c9698df3", }, { url: "https://git.kernel.org/stable/c/8f5199b6971f0717c2d31685953971fa2e1b9e1a", }, { url: "https://git.kernel.org/stable/c/7257d9c9a3c6cfe26c428e9b7ae21d61f2f55a79", }, ], title: "drm/xe: Prevent null pointer access in xe_migrate_copy", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2024-49942", datePublished: "2024-10-21T18:02:01.043Z", dateReserved: "2024-10-21T12:17:06.043Z", dateUpdated: "2024-12-19T09:29:48.033Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).
Loading…
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.