All the vulnerabilites related to Linux Kernel - Linux kernel
cve-2019-14835
Vulnerability from cvelistv5
Published
2019-09-17 15:09
Modified
2024-08-05 00:26
Severity ?
EPSS score ?
Summary
A buffer overflow flaw was found, in versions from 2.6.34 to 5.2.x, in the way Linux kernel's vhost functionality that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could use this flaw to increase their privileges on the host.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Linux Kernel | Linux kernel |
Version: from version 2.6.34 to 5.2.x |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T00:26:39.157Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14835" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.openwall.com/lists/oss-security/2019/09/17/1" }, { "name": "USN-4135-2", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/4135-2/" }, { "name": "FEDORA-2019-e3010166bd", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KQFY6JYFIQ2VFQ7QCSXPWTUL5ZDNCJL5/" }, { "name": "RHSA-2019:2827", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2019:2827" }, { "name": "RHSA-2019:2828", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2019:2828" }, { "name": "RHSA-2019:2830", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2019:2830" }, { "name": "RHSA-2019:2829", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2019:2829" }, { "name": "RHSA-2019:2854", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2019:2854" }, { "name": "RHSA-2019:2862", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2019:2862" }, { "name": "RHSA-2019:2863", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2019:2863" }, { "name": "RHSA-2019:2866", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2019:2866" }, { "name": "RHSA-2019:2864", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2019:2864" }, { "name": "RHSA-2019:2865", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2019:2865" }, { "name": "RHSA-2019:2867", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2019:2867" }, { "name": "RHSA-2019:2869", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2019:2869" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/154572/Kernel-Live-Patch-Security-Notice-LSN-0056-1.html" }, { "name": "[oss-security] 20190924 Re: CVE-2019-14835: QEMU-KVM Guest to Host Kernel Escape Vulnerability: vhost/vhost_net kernel buffer overflow", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2019/09/24/1" }, { "name": "openSUSE-SU-2019:2173", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00064.html" }, { "name": "RHSA-2019:2889", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2019:2889" }, { "name": "openSUSE-SU-2019:2181", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00066.html" }, { "name": "[debian-lts-announce] 20190925 [SECURITY] [DLA 1930-1] linux security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00025.html" }, { "name": "20190925 [SECURITY] [DSA 4531-1] linux security update", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "https://seclists.org/bugtraq/2019/Sep/41" }, { "name": "DSA-4531", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2019/dsa-4531" }, { "name": "RHSA-2019:2900", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2019:2900" }, { "name": "RHSA-2019:2901", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2019:2901" }, { "name": "RHSA-2019:2899", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2019:2899" }, { "name": "RHSA-2019:2924", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2019:2924" }, { "name": "USN-4135-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/4135-1/" }, { "name": "[debian-lts-announce] 20191001 [SECURITY] [DLA 1940-1] linux-4.9 security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2019/10/msg00000.html" }, { "name": "FEDORA-2019-a570a92d5a", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YW3QNMPENPFEGVTOFPSNOBL7JEIJS25P/" }, { "name": "[oss-security] 20191003 Re: CVE-2019-14835: QEMU-KVM Guest to Host Kernel Escape Vulnerability: vhost/vhost_net kernel buffer overflow", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2019/10/03/1" }, { "name": "[oss-security] 20191009 Re: CVE-2019-14835: QEMU-KVM Guest to Host Kernel Escape Vulnerability: vhost/vhost_net kernel buffer overflow", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2019/10/09/3" }, { "name": "[oss-security] 20191009 Re: CVE-2019-14835: QEMU-KVM Guest to Host Kernel Escape Vulnerability: vhost/vhost_net kernel buffer overflow", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2019/10/09/7" }, { "name": "RHBA-2019:2824", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHBA-2019:2824" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/154951/Kernel-Live-Patch-Security-Notice-LSN-0058-1.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20191031-0005/" }, { "name": "20191108 [slackware-security] Slackware 14.2 kernel (SSA:2019-311-01)", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "https://seclists.org/bugtraq/2019/Nov/11" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/155212/Slackware-Security-Advisory-Slackware-14.2-kernel-Updates.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200115-01-qemu-en" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Linux kernel", "vendor": "Linux Kernel", "versions": [ { "status": "affected", "version": "from version 2.6.34 to 5.2.x" } ] } ], "descriptions": [ { "lang": "en", "value": "A buffer overflow flaw was found, in versions from 2.6.34 to 5.2.x, in the way Linux kernel\u0027s vhost functionality that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could use this flaw to increase their privileges on the host." } ], "metrics": [ { "cvssV3_0": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-120", "description": "CWE-120", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2020-01-15T12:06:07", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14835" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.openwall.com/lists/oss-security/2019/09/17/1" }, { "name": "USN-4135-2", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/4135-2/" }, { "name": "FEDORA-2019-e3010166bd", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KQFY6JYFIQ2VFQ7QCSXPWTUL5ZDNCJL5/" }, { "name": "RHSA-2019:2827", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2019:2827" }, { "name": "RHSA-2019:2828", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2019:2828" }, { "name": "RHSA-2019:2830", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2019:2830" }, { "name": "RHSA-2019:2829", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2019:2829" }, { "name": "RHSA-2019:2854", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2019:2854" }, { "name": "RHSA-2019:2862", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2019:2862" }, { "name": "RHSA-2019:2863", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2019:2863" }, { "name": "RHSA-2019:2866", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2019:2866" }, { "name": "RHSA-2019:2864", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2019:2864" }, { "name": "RHSA-2019:2865", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2019:2865" }, { "name": "RHSA-2019:2867", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2019:2867" }, { "name": "RHSA-2019:2869", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2019:2869" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/154572/Kernel-Live-Patch-Security-Notice-LSN-0056-1.html" }, { "name": "[oss-security] 20190924 Re: CVE-2019-14835: QEMU-KVM Guest to Host Kernel Escape Vulnerability: vhost/vhost_net kernel buffer overflow", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2019/09/24/1" }, { "name": "openSUSE-SU-2019:2173", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00064.html" }, { "name": "RHSA-2019:2889", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2019:2889" }, { "name": "openSUSE-SU-2019:2181", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00066.html" }, { "name": "[debian-lts-announce] 20190925 [SECURITY] [DLA 1930-1] linux security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00025.html" }, { "name": "20190925 [SECURITY] [DSA 4531-1] linux security update", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "https://seclists.org/bugtraq/2019/Sep/41" }, { "name": "DSA-4531", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2019/dsa-4531" }, { "name": "RHSA-2019:2900", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2019:2900" }, { "name": "RHSA-2019:2901", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2019:2901" }, { "name": "RHSA-2019:2899", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2019:2899" }, { "name": "RHSA-2019:2924", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2019:2924" }, { "name": "USN-4135-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/4135-1/" }, { "name": "[debian-lts-announce] 20191001 [SECURITY] [DLA 1940-1] linux-4.9 security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2019/10/msg00000.html" }, { "name": "FEDORA-2019-a570a92d5a", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YW3QNMPENPFEGVTOFPSNOBL7JEIJS25P/" }, { "name": "[oss-security] 20191003 Re: CVE-2019-14835: QEMU-KVM Guest to Host Kernel Escape Vulnerability: vhost/vhost_net kernel buffer overflow", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2019/10/03/1" }, { "name": "[oss-security] 20191009 Re: CVE-2019-14835: QEMU-KVM Guest to Host Kernel Escape Vulnerability: vhost/vhost_net kernel buffer overflow", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2019/10/09/3" }, { "name": "[oss-security] 20191009 Re: CVE-2019-14835: QEMU-KVM Guest to Host Kernel Escape Vulnerability: vhost/vhost_net kernel buffer overflow", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2019/10/09/7" }, { "name": "RHBA-2019:2824", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHBA-2019:2824" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/154951/Kernel-Live-Patch-Security-Notice-LSN-0058-1.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://security.netapp.com/advisory/ntap-20191031-0005/" }, { "name": "20191108 [slackware-security] Slackware 14.2 kernel (SSA:2019-311-01)", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "https://seclists.org/bugtraq/2019/Nov/11" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/155212/Slackware-Security-Advisory-Slackware-14.2-kernel-Updates.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200115-01-qemu-en" } ] } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2019-14835", "datePublished": "2019-09-17T15:09:37", "dateReserved": "2019-08-10T00:00:00", "dateUpdated": "2024-08-05T00:26:39.157Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-2503
Vulnerability from cvelistv5
Published
2022-08-12 00:00
Modified
2024-08-03 00:39
Severity ?
EPSS score ?
Summary
Dm-verity is used for extending root-of-trust to root filesystems. LoadPin builds on this property to restrict module/firmware loads to just the trusted root filesystem. Device-mapper table reloads currently allow users with root privileges to switch out the target with an equivalent dm-linear target and bypass verification till reboot. This allows root to bypass LoadPin and can be used to load untrusted and unverified kernel modules and firmware, which implies arbitrary kernel execution and persistence for peripherals that do not verify firmware updates. We recommend upgrading past commit 4caae58406f8ceb741603eee460d79bacca9b1b5
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Linux Kernel | Linux Kernel |
Version: unspecified < 4caae58406f8ceb741603eee460d79bacca9b1b5 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:39:07.939Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://github.com/google/security-research/security/advisories/GHSA-6vq3-w69p-w63m" }, { "tags": [ "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20230214-0005/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Linux Kernel", "vendor": "Linux Kernel", "versions": [ { "lessThan": "4caae58406f8ceb741603eee460d79bacca9b1b5", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "Dm-verity is used for extending root-of-trust to root filesystems. LoadPin builds on this property to restrict module/firmware loads to just the trusted root filesystem. Device-mapper table reloads currently allow users with root privileges to switch out the target with an equivalent dm-linear target and bypass verification till reboot. This allows root to bypass LoadPin and can be used to load untrusted and unverified kernel modules and firmware, which implies arbitrary kernel execution and persistence for peripherals that do not verify firmware updates. We recommend upgrading past commit 4caae58406f8ceb741603eee460d79bacca9b1b5" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-302", "description": "CWE-302 Authentication Bypass by Assumed-Immutable Data", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-02-14T00:00:00", "orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google" }, "references": [ { "url": "https://github.com/google/security-research/security/advisories/GHSA-6vq3-w69p-w63m" }, { "url": "https://security.netapp.com/advisory/ntap-20230214-0005/" } ], "source": { "discovery": "INTERNAL" }, "title": "Linux Kernel LoadPin bypass via dm-verity table reload", "x_generator": { "engine": "Vulnogram 0.0.9" } } }, "cveMetadata": { "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "assignerShortName": "Google", "cveId": "CVE-2022-2503", "datePublished": "2022-08-12T00:00:00", "dateReserved": "2022-07-21T00:00:00", "dateUpdated": "2024-08-03T00:39:07.939Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-23133
Vulnerability from cvelistv5
Published
2021-04-22 18:00
Modified
2024-09-16 19:04
Severity ?
EPSS score ?
Summary
A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Linux Kernel | Linux Kernel |
Version: unspecified < 5.12-rc8 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T18:58:26.362Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.openwall.com/lists/oss-security/2021/04/18/2" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b166a20b07382b8bc1dcee2a448715c9c2c81b5b" }, { "name": "FEDORA-2021-8cd093f639", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PAEQ3H6HKNO6KUCGRZVYSFSAGEUX23JL/" }, { "name": "FEDORA-2021-e6b4847979", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CUX2CA63453G34C6KYVBLJXJXEARZI2X/" }, { "name": "FEDORA-2021-a963f04012", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XZASHZVCOFJ4VU2I3BN5W5EPHWJQ7QWX/" }, { "name": "[oss-security] 20210510 Re: CVE-2021-23133: Linux kernel: race condition in sctp sockets", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2021/05/10/1" }, { "name": "[oss-security] 20210510 Re: CVE-2021-23133: Linux kernel: race condition in sctp sockets", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2021/05/10/2" }, { "name": "[oss-security] 20210510 Re: CVE-2021-23133: Linux kernel: race condition in sctp sockets", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2021/05/10/4" }, { "name": "[oss-security] 20210510 Re: CVE-2021-23133: Linux kernel: race condition in sctp sockets", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2021/05/10/3" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20210611-0008/" }, { "name": "[debian-lts-announce] 20210623 [SECURITY] [DLA 2689-1] linux security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00020.html" }, { "name": "[debian-lts-announce] 20210623 [SECURITY] [DLA 2690-1] linux-4.19 security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00019.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Linux Kernel", "vendor": "Linux Kernel", "versions": [ { "lessThan": "5.12-rc8", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Or Cohen from Palo Alto Networks" } ], "datePublic": "2021-04-13T00:00:00", "descriptions": [ { "lang": "en", "value": "A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. If sctp_destroy_sock is called without sock_net(sk)-\u003esctp.addr_wq_lock then an element is removed from the auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-362", "description": "CWE-362 Race Condition (Concurrent Execution using Shared Resource with Improper Synchronization)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-06-23T01:08:23", "orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "shortName": "palo_alto" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.openwall.com/lists/oss-security/2021/04/18/2" }, { "tags": [ "x_refsource_MISC" ], "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b166a20b07382b8bc1dcee2a448715c9c2c81b5b" }, { "name": "FEDORA-2021-8cd093f639", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PAEQ3H6HKNO6KUCGRZVYSFSAGEUX23JL/" }, { "name": "FEDORA-2021-e6b4847979", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CUX2CA63453G34C6KYVBLJXJXEARZI2X/" }, { "name": "FEDORA-2021-a963f04012", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XZASHZVCOFJ4VU2I3BN5W5EPHWJQ7QWX/" }, { "name": "[oss-security] 20210510 Re: CVE-2021-23133: Linux kernel: race condition in sctp sockets", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2021/05/10/1" }, { "name": "[oss-security] 20210510 Re: CVE-2021-23133: Linux kernel: race condition in sctp sockets", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2021/05/10/2" }, { "name": "[oss-security] 20210510 Re: CVE-2021-23133: Linux kernel: race condition in sctp sockets", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2021/05/10/4" }, { "name": "[oss-security] 20210510 Re: CVE-2021-23133: Linux kernel: race condition in sctp sockets", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2021/05/10/3" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://security.netapp.com/advisory/ntap-20210611-0008/" }, { "name": "[debian-lts-announce] 20210623 [SECURITY] [DLA 2689-1] linux security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00020.html" }, { "name": "[debian-lts-announce] 20210623 [SECURITY] [DLA 2690-1] linux-4.19 security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00019.html" } ], "solutions": [ { "lang": "en", "value": "This issue is fixed in Linux kernel 5.12-rc8." } ], "source": { "discovery": "EXTERNAL" }, "title": "Linux Kernel sctp_destroy_sock race condition", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "psirt@paloaltonetworks.com", "DATE_PUBLIC": "2021-04-13T10:25:00.000Z", "ID": "CVE-2021-23133", "STATE": "PUBLIC", "TITLE": "Linux Kernel sctp_destroy_sock race condition" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Linux Kernel", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "5.12-rc8" } ] } } ] }, "vendor_name": "Linux Kernel" } ] } }, "credit": [ { "lang": "eng", "value": "Or Cohen from Palo Alto Networks" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. If sctp_destroy_sock is called without sock_net(sk)-\u003esctp.addr_wq_lock then an element is removed from the auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-362 Race Condition (Concurrent Execution using Shared Resource with Improper Synchronization)" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.openwall.com/lists/oss-security/2021/04/18/2", "refsource": "MISC", "url": "https://www.openwall.com/lists/oss-security/2021/04/18/2" }, { "name": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b166a20b07382b8bc1dcee2a448715c9c2c81b5b", "refsource": "MISC", "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b166a20b07382b8bc1dcee2a448715c9c2c81b5b" }, { "name": "FEDORA-2021-8cd093f639", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PAEQ3H6HKNO6KUCGRZVYSFSAGEUX23JL/" }, { "name": "FEDORA-2021-e6b4847979", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CUX2CA63453G34C6KYVBLJXJXEARZI2X/" }, { "name": "FEDORA-2021-a963f04012", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XZASHZVCOFJ4VU2I3BN5W5EPHWJQ7QWX/" }, { "name": "[oss-security] 20210510 Re: CVE-2021-23133: Linux kernel: race condition in sctp sockets", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2021/05/10/1" }, { "name": "[oss-security] 20210510 Re: CVE-2021-23133: Linux kernel: race condition in sctp sockets", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2021/05/10/2" }, { "name": "[oss-security] 20210510 Re: CVE-2021-23133: Linux kernel: race condition in sctp sockets", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2021/05/10/4" }, { "name": "[oss-security] 20210510 Re: CVE-2021-23133: Linux kernel: race condition in sctp sockets", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2021/05/10/3" }, { "name": "https://security.netapp.com/advisory/ntap-20210611-0008/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210611-0008/" }, { "name": "[debian-lts-announce] 20210623 [SECURITY] [DLA 2689-1] linux security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00020.html" }, { "name": "[debian-lts-announce] 20210623 [SECURITY] [DLA 2690-1] linux-4.19 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00019.html" } ] }, "solution": [ { "lang": "en", "value": "This issue is fixed in Linux kernel 5.12-rc8." } ], "source": { "discovery": "EXTERNAL" } } } }, "cveMetadata": { "assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "assignerShortName": "palo_alto", "cveId": "CVE-2021-23133", "datePublished": "2021-04-22T18:00:18.880759Z", "dateReserved": "2021-01-06T00:00:00", "dateUpdated": "2024-09-16T19:04:20.684Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-22543
Vulnerability from cvelistv5
Published
2021-05-26 10:30
Modified
2024-09-16 23:26
Severity ?
EPSS score ?
Summary
An issue was discovered in Linux: KVM through Improper handling of VM_IO|VM_PFNMAP vmas in KVM can bypass RO checks and can lead to pages being freed while still accessible by the VMM and guest. This allows users with the ability to start and control a VM to read/write random pages of memory and can result in local privilege escalation.
References
▼ | URL | Tags |
---|---|---|
https://github.com/google/security-research/security/advisories/GHSA-7wq5-phmq-m584 | x_refsource_MISC | |
http://www.openwall.com/lists/oss-security/2021/06/26/1 | mailing-list, x_refsource_MLIST | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4G5YBUVEPHZYXMKNGBZ3S6INFCTEEL4E/ | vendor-advisory, x_refsource_FEDORA | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ROQIXQB7ZAWI3KSGSHR6H5RDUWZI775S/ | vendor-advisory, x_refsource_FEDORA | |
https://security.netapp.com/advisory/ntap-20210708-0002/ | x_refsource_CONFIRM | |
https://lists.debian.org/debian-lts-announce/2021/10/msg00010.html | mailing-list, x_refsource_MLIST | |
https://lists.debian.org/debian-lts-announce/2021/12/msg00012.html | mailing-list, x_refsource_MLIST |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Linux Kernel | Linux Kernel |
Version: add6a0cd1c5ba51b201e1361b05a5df817083618 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T18:44:14.043Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/google/security-research/security/advisories/GHSA-7wq5-phmq-m584" }, { "name": "[oss-security] 20210626 Re: CVE-2021-22543 - /dev/kvm LPE", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2021/06/26/1" }, { "name": "FEDORA-2021-fe826f202e", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4G5YBUVEPHZYXMKNGBZ3S6INFCTEEL4E/" }, { "name": "FEDORA-2021-95f2f1cfc7", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ROQIXQB7ZAWI3KSGSHR6H5RDUWZI775S/" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20210708-0002/" }, { "name": "[debian-lts-announce] 20211015 [SECURITY] [DLA 2785-1] linux-4.19 security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2021/10/msg00010.html" }, { "name": "[debian-lts-announce] 20211216 [SECURITY] [DLA 2843-1] linux security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00012.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux Kernel", "repo": "https://github.com/torvalds/linux", "vendor": "Linux Kernel", "versions": [ { "lessThan": "f8be156be163a052a067306417cd0ff679068c97", "status": "affected", "version": "add6a0cd1c5ba51b201e1361b05a5df817083618", "versionType": "git" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "David Stevens" }, { "lang": "en", "type": "finder", "value": "Kevin Hamacher" }, { "lang": "en", "type": "finder", "value": "Jann Horn" } ], "datePublic": "2021-05-17T14:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eAn issue was discovered in Linux: KVM through Improper handling of VM_IO|VM_PFNMAP vmas in KVM can bypass RO checks and can lead to pages being freed while still accessible by the VMM and guest. This allows users with the ability to start and control a VM to read/write random pages of memory and can result in local privilege escalation.\u003c/p\u003e" } ], "value": "An issue was discovered in Linux: KVM through Improper handling of VM_IO|VM_PFNMAP vmas in KVM can bypass RO checks and can lead to pages being freed while still accessible by the VMM and guest. This allows users with the ability to start and control a VM to read/write random pages of memory and can result in local privilege escalation." } ], "metrics": [ { "cvssV4_0": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "LOCAL", "baseScore": 8.7, "baseSeverity": "HIGH", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-119", "description": "CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-05-15T10:21:33.485Z", "orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/google/security-research/security/advisories/GHSA-7wq5-phmq-m584" }, { "name": "[oss-security] 20210626 Re: CVE-2021-22543 - /dev/kvm LPE", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2021/06/26/1" }, { "name": "FEDORA-2021-fe826f202e", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4G5YBUVEPHZYXMKNGBZ3S6INFCTEEL4E/" }, { "name": "FEDORA-2021-95f2f1cfc7", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ROQIXQB7ZAWI3KSGSHR6H5RDUWZI775S/" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://security.netapp.com/advisory/ntap-20210708-0002/" }, { "name": "[debian-lts-announce] 20211015 [SECURITY] [DLA 2785-1] linux-4.19 security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2021/10/msg00010.html" }, { "name": "[debian-lts-announce] 20211216 [SECURITY] [DLA 2843-1] linux security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00012.html" } ], "source": { "discovery": "EXTERNAL" }, "title": "Improper memory handling in Linux KVM", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@google.com", "DATE_PUBLIC": "2021-05-18T10:00:00.000Z", "ID": "CVE-2021-22543", "STATE": "PUBLIC", "TITLE": "Improper memory handling in Linux KVM" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "credit": [ { "lang": "eng", "value": "David Stevens" }, { "lang": "eng", "value": "Kevin Hamacher" }, { "lang": "eng", "value": "Jann Horn" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Linux: KVM through Improper handling of VM_IO|VM_PFNMAP vmas in KVM can bypass RO checks and can lead to pages being freed while still accessible by the VMM and guest. This allows users with the ability to start and control a VM to read/write random pages of memory and can result in local privilege escalation." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/google/security-research/security/advisories/GHSA-7wq5-phmq-m584", "refsource": "MISC", "url": "https://github.com/google/security-research/security/advisories/GHSA-7wq5-phmq-m584" }, { "name": "[oss-security] 20210626 Re: CVE-2021-22543 - /dev/kvm LPE", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2021/06/26/1" }, { "name": "FEDORA-2021-fe826f202e", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4G5YBUVEPHZYXMKNGBZ3S6INFCTEEL4E/" }, { "name": "FEDORA-2021-95f2f1cfc7", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ROQIXQB7ZAWI3KSGSHR6H5RDUWZI775S/" }, { "name": "https://security.netapp.com/advisory/ntap-20210708-0002/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210708-0002/" }, { "name": "[debian-lts-announce] 20211015 [SECURITY] [DLA 2785-1] linux-4.19 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2021/10/msg00010.html" }, { "name": "[debian-lts-announce] 20211216 [SECURITY] [DLA 2843-1] linux security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00012.html" } ] }, "source": { "discovery": "EXTERNAL" } } } }, "cveMetadata": { "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "assignerShortName": "Google", "cveId": "CVE-2021-22543", "datePublished": "2021-05-26T10:30:10.775212Z", "dateReserved": "2021-01-05T00:00:00", "dateUpdated": "2024-09-16T23:26:05.122Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-16120
Vulnerability from cvelistv5
Published
2021-02-10 19:45
Modified
2024-09-16 18:49
Severity ?
EPSS score ?
Summary
Overlayfs did not properly perform permission checking when copying up files in an overlayfs and could be exploited from within a user namespace, if, for example, unprivileged user namespaces were allowed. It was possible to have a file not readable by an unprivileged user to be copied to a mountpoint controlled by the user, like a removable device. This was introduced in kernel version 4.19 by commit d1d04ef ("ovl: stack file ops"). This was fixed in kernel version 5.8 by commits 56230d9 ("ovl: verify permissions in ovl_path_open()"), 48bd024 ("ovl: switch to mounter creds in readdir") and 05acefb ("ovl: check permission to open real file"). Additionally, commits 130fdbc ("ovl: pass correct flags for opening real directory") and 292f902 ("ovl: call secutiry hook in ovl_real_ioctl()") in kernel 5.8 might also be desired or necessary. These additional commits introduced a regression in overlay mounts within user namespaces which prevented access to files with ownership outside of the user namespace. This regression was mitigated by subsequent commit b6650da ("ovl: do not fail because of O_NOATIMEi") in kernel 5.11.
References
▼ | URL | Tags |
---|---|---|
https://ubuntu.com/USN-4576-1 | vendor-advisory, x_refsource_UBUNTU | |
https://ubuntu.com/USN-4577-1 | vendor-advisory, x_refsource_UBUNTU | |
https://ubuntu.com/USN-4578-1 | vendor-advisory, x_refsource_UBUNTU | |
https://www.openwall.com/lists/oss-security/2020/10/14/2 | x_refsource_CONFIRM | |
https://launchpad.net/bugs/1894980 | vendor-advisory, x_refsource_UBUNTU | |
https://launchpad.net/bugs/1900141 | vendor-advisory, x_refsource_UBUNTU | |
https://git.kernel.org/linus/56230d956739b9cb1cbde439d76227d77979a04d | x_refsource_CONFIRM | |
https://git.kernel.org/linus/48bd024b8a40d73ad6b086de2615738da0c7004f | x_refsource_CONFIRM | |
https://git.kernel.org/linus/05acefb4872dae89e772729efb194af754c877e8 | x_refsource_CONFIRM | |
https://git.kernel.org/linus/d1d04ef8572bc8c22265057bd3d5a79f223f8f52 | x_refsource_CONFIRM | |
https://git.kernel.org/linus/b6650dab404c701d7fe08a108b746542a934da84 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Linux kernel | Linux kernel |
Version: 5.11-stable < 5.11.0 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T13:37:53.989Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://ubuntu.com/USN-4576-1" }, { "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://ubuntu.com/USN-4577-1" }, { "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://ubuntu.com/USN-4578-1" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.openwall.com/lists/oss-security/2020/10/14/2" }, { "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://launchpad.net/bugs/1894980" }, { "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://launchpad.net/bugs/1900141" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://git.kernel.org/linus/56230d956739b9cb1cbde439d76227d77979a04d" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://git.kernel.org/linus/48bd024b8a40d73ad6b086de2615738da0c7004f" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://git.kernel.org/linus/05acefb4872dae89e772729efb194af754c877e8" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://git.kernel.org/linus/d1d04ef8572bc8c22265057bd3d5a79f223f8f52" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://git.kernel.org/linus/b6650dab404c701d7fe08a108b746542a934da84" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Linux kernel", "vendor": "Linux kernel", "versions": [ { "lessThan": "5.11.0", "status": "affected", "version": "5.11-stable", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Giuseppe Scrivano" } ], "datePublic": "2020-10-13T00:00:00", "descriptions": [ { "lang": "en", "value": "Overlayfs did not properly perform permission checking when copying up files in an overlayfs and could be exploited from within a user namespace, if, for example, unprivileged user namespaces were allowed. It was possible to have a file not readable by an unprivileged user to be copied to a mountpoint controlled by the user, like a removable device. This was introduced in kernel version 4.19 by commit d1d04ef (\"ovl: stack file ops\"). This was fixed in kernel version 5.8 by commits 56230d9 (\"ovl: verify permissions in ovl_path_open()\"), 48bd024 (\"ovl: switch to mounter creds in readdir\") and 05acefb (\"ovl: check permission to open real file\"). Additionally, commits 130fdbc (\"ovl: pass correct flags for opening real directory\") and 292f902 (\"ovl: call secutiry hook in ovl_real_ioctl()\") in kernel 5.8 might also be desired or necessary. These additional commits introduced a regression in overlay mounts within user namespaces which prevented access to files with ownership outside of the user namespace. This regression was mitigated by subsequent commit b6650da (\"ovl: do not fail because of O_NOATIMEi\") in kernel 5.11." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-266", "description": "CWE-266 Incorrect Privilege Assignment", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-02-10T19:45:26", "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical" }, "references": [ { "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://ubuntu.com/USN-4576-1" }, { "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://ubuntu.com/USN-4577-1" }, { "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://ubuntu.com/USN-4578-1" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.openwall.com/lists/oss-security/2020/10/14/2" }, { "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://launchpad.net/bugs/1894980" }, { "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://launchpad.net/bugs/1900141" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://git.kernel.org/linus/56230d956739b9cb1cbde439d76227d77979a04d" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://git.kernel.org/linus/48bd024b8a40d73ad6b086de2615738da0c7004f" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://git.kernel.org/linus/05acefb4872dae89e772729efb194af754c877e8" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://git.kernel.org/linus/d1d04ef8572bc8c22265057bd3d5a79f223f8f52" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://git.kernel.org/linus/b6650dab404c701d7fe08a108b746542a934da84" } ], "source": { "advisory": "https://ubuntu.com/USN-4576-1", "defect": [ "https://launchpad.net/bugs/1894980" ], "discovery": "EXTERNAL" }, "title": "Unprivileged overlay + shiftfs read access", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "AKA": "", "ASSIGNER": "security@ubuntu.com", "DATE_PUBLIC": "2020-10-13T16:00:00.000Z", "ID": "CVE-2020-16120", "STATE": "PUBLIC", "TITLE": "Unprivileged overlay + shiftfs read access" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Linux kernel", "version": { "version_data": [ { "platform": "", "version_affected": "\u003c", "version_name": "5.11-stable", "version_value": "5.11.0" } ] } } ] }, "vendor_name": "Linux kernel" } ] } }, "configuration": [], "credit": [ { "lang": "eng", "value": "Giuseppe Scrivano" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Overlayfs did not properly perform permission checking when copying up files in an overlayfs and could be exploited from within a user namespace, if, for example, unprivileged user namespaces were allowed. It was possible to have a file not readable by an unprivileged user to be copied to a mountpoint controlled by the user, like a removable device. This was introduced in kernel version 4.19 by commit d1d04ef (\"ovl: stack file ops\"). This was fixed in kernel version 5.8 by commits 56230d9 (\"ovl: verify permissions in ovl_path_open()\"), 48bd024 (\"ovl: switch to mounter creds in readdir\") and 05acefb (\"ovl: check permission to open real file\"). Additionally, commits 130fdbc (\"ovl: pass correct flags for opening real directory\") and 292f902 (\"ovl: call secutiry hook in ovl_real_ioctl()\") in kernel 5.8 might also be desired or necessary. These additional commits introduced a regression in overlay mounts within user namespaces which prevented access to files with ownership outside of the user namespace. This regression was mitigated by subsequent commit b6650da (\"ovl: do not fail because of O_NOATIMEi\") in kernel 5.11." } ] }, "exploit": [], "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-266 Incorrect Privilege Assignment" } ] } ] }, "references": { "reference_data": [ { "name": "https://ubuntu.com/USN-4576-1", "refsource": "UBUNTU", "url": "https://ubuntu.com/USN-4576-1" }, { "name": "https://ubuntu.com/USN-4577-1", "refsource": "UBUNTU", "url": "https://ubuntu.com/USN-4577-1" }, { "name": "https://ubuntu.com/USN-4578-1", "refsource": "UBUNTU", "url": "https://ubuntu.com/USN-4578-1" }, { "name": "https://www.openwall.com/lists/oss-security/2020/10/14/2", "refsource": "CONFIRM", "url": "https://www.openwall.com/lists/oss-security/2020/10/14/2" }, { "name": "https://launchpad.net/bugs/1894980", "refsource": "UBUNTU", "url": "https://launchpad.net/bugs/1894980" }, { "name": "https://launchpad.net/bugs/1900141", "refsource": "UBUNTU", "url": "https://launchpad.net/bugs/1900141" }, { "name": "https://git.kernel.org/linus/56230d956739b9cb1cbde439d76227d77979a04d", "refsource": "CONFIRM", "url": "https://git.kernel.org/linus/56230d956739b9cb1cbde439d76227d77979a04d" }, { "name": "https://git.kernel.org/linus/48bd024b8a40d73ad6b086de2615738da0c7004f", "refsource": "CONFIRM", "url": "https://git.kernel.org/linus/48bd024b8a40d73ad6b086de2615738da0c7004f" }, { "name": "https://git.kernel.org/linus/05acefb4872dae89e772729efb194af754c877e8", "refsource": "CONFIRM", "url": "https://git.kernel.org/linus/05acefb4872dae89e772729efb194af754c877e8" }, { "name": "https://git.kernel.org/linus/d1d04ef8572bc8c22265057bd3d5a79f223f8f52", "refsource": "CONFIRM", "url": "https://git.kernel.org/linus/d1d04ef8572bc8c22265057bd3d5a79f223f8f52" }, { "name": "https://git.kernel.org/linus/b6650dab404c701d7fe08a108b746542a934da84", "refsource": "CONFIRM", "url": "https://git.kernel.org/linus/b6650dab404c701d7fe08a108b746542a934da84" } ] }, "solution": [], "source": { "advisory": "https://ubuntu.com/USN-4576-1", "defect": [ "https://launchpad.net/bugs/1894980" ], "discovery": "EXTERNAL" }, "work_around": [] } } }, "cveMetadata": { "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "assignerShortName": "canonical", "cveId": "CVE-2020-16120", "datePublished": "2021-02-10T19:45:26.096560Z", "dateReserved": "2020-07-29T00:00:00", "dateUpdated": "2024-09-16T18:49:11.997Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-8835
Vulnerability from cvelistv5
Published
2020-04-02 18:00
Modified
2024-09-17 02:15
Severity ?
EPSS score ?
Summary
In the Linux kernel 5.5.0 and newer, the bpf verifier (kernel/bpf/verifier.c) did not properly restrict the register bounds for 32-bit operations, leading to out-of-bounds reads and writes in kernel memory. The vulnerability also affects the Linux 5.4 stable series, starting with v5.4.7, as the introducing commit was backported to that branch. This vulnerability was fixed in 5.6.1, 5.5.14, and 5.4.29. (issue is aka ZDI-CAN-10780)
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Linux kernel | Linux kernel |
Version: 5.6-stable < 5.6.1 Version: 5.5-stable < 5.5.14 Version: 5.4.7 < 5.4-stable* |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T10:12:10.621Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "USN-4313-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/4313-1/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.thezdi.com/blog/2020/3/19/pwn2own-2020-day-one-results" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lore.kernel.org/bpf/20200330160324.15259-1-daniel%40iogearbox.net/T/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.openwall.com/lists/oss-security/2020/03/30/3" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://usn.ubuntu.com/usn/usn-4313-1" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git/commit/?id=f2d67fec0b43edce8c416101cdc52e71145b5fef" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f2d67fec0b43edce8c416101cdc52e71145b5fef" }, { "name": "FEDORA-2020-4ef0bcc89c", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F7OONYGMSYBEFHLHZJK3GOI5Z553G4LD/" }, { "name": "FEDORA-2020-666f3b1ac3", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YXBWSHZ6DJIZVXKXGZPK6QPFCY7VKZEG/" }, { "name": "FEDORA-2020-73c00eda1c", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TF4PQZBEPNXDSK5DOBMW54OCLP25FTCD/" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20200430-0004/" }, { "name": "[oss-security] 20210720 CVE-2021-33909: size_t-to-int vulnerability in Linux\u0027s filesystem layer", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2021/07/20/1" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Linux kernel", "vendor": "Linux kernel", "versions": [ { "lessThan": "5.6.1", "status": "affected", "version": "5.6-stable", "versionType": "custom" }, { "lessThan": "5.5.14", "status": "affected", "version": "5.5-stable", "versionType": "custom" }, { "changes": [ { "at": "5.4.29", "status": "unaffected" } ], "lessThan": "5.4-stable*", "status": "affected", "version": "5.4.7", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Manfred Paul" }, { "lang": "en", "value": "Anatoly Trosinenko" } ], "datePublic": "2020-03-30T00:00:00", "descriptions": [ { "lang": "en", "value": "In the Linux kernel 5.5.0 and newer, the bpf verifier (kernel/bpf/verifier.c) did not properly restrict the register bounds for 32-bit operations, leading to out-of-bounds reads and writes in kernel memory. The vulnerability also affects the Linux 5.4 stable series, starting with v5.4.7, as the introducing commit was backported to that branch. This vulnerability was fixed in 5.6.1, 5.5.14, and 5.4.29. (issue is aka ZDI-CAN-10780)" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-07-20T14:06:18", "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical" }, "references": [ { "name": "USN-4313-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/4313-1/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.thezdi.com/blog/2020/3/19/pwn2own-2020-day-one-results" }, { "tags": [ "x_refsource_MISC" ], "url": "https://lore.kernel.org/bpf/20200330160324.15259-1-daniel%40iogearbox.net/T/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.openwall.com/lists/oss-security/2020/03/30/3" }, { "tags": [ "x_refsource_MISC" ], "url": "https://usn.ubuntu.com/usn/usn-4313-1" }, { "tags": [ "x_refsource_MISC" ], "url": "https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git/commit/?id=f2d67fec0b43edce8c416101cdc52e71145b5fef" }, { "tags": [ "x_refsource_MISC" ], "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f2d67fec0b43edce8c416101cdc52e71145b5fef" }, { "name": "FEDORA-2020-4ef0bcc89c", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F7OONYGMSYBEFHLHZJK3GOI5Z553G4LD/" }, { "name": "FEDORA-2020-666f3b1ac3", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YXBWSHZ6DJIZVXKXGZPK6QPFCY7VKZEG/" }, { "name": "FEDORA-2020-73c00eda1c", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TF4PQZBEPNXDSK5DOBMW54OCLP25FTCD/" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://security.netapp.com/advisory/ntap-20200430-0004/" }, { "name": "[oss-security] 20210720 CVE-2021-33909: size_t-to-int vulnerability in Linux\u0027s filesystem layer", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2021/07/20/1" } ], "solutions": [ { "lang": "en", "value": "Revert commit 581738a681b6 (\"bpf: Provide better register bounds after jmp32 instructions\")." } ], "source": { "discovery": "EXTERNAL" }, "title": "Linux kernel bpf verifier vulnerability", "workarounds": [ { "lang": "en", "value": "Mitigation for this vulnerability is available by setting the kernel.unprivileged_bpf_disabled sysctl to 1:\n\n $ sudo sysctl kernel.unprivileged_bpf_disabled=1\n $ echo kernel.unprivileged_bpf_disabled=1 | sudo tee /etc/sysctl.d/90-CVE-2020-8835.conf\n\nThis issue is also mitigated on systems that use secure boot with the kernel lockdown feature which blocks BPF program loading." } ], "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@ubuntu.com", "DATE_PUBLIC": "2020-03-30T16:00:00.000Z", "ID": "CVE-2020-8835", "STATE": "PUBLIC", "TITLE": "Linux kernel bpf verifier vulnerability" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Linux kernel", "version": { "version_data": [ { "version_affected": "\u003c", "version_name": "5.6-stable", "version_value": "5.6.1" }, { "version_affected": "\u003c", "version_name": "5.5-stable", "version_value": "5.5.14" }, { "version_affected": "\u003e=", "version_name": "5.4-stable", "version_value": "5.4.7" }, { "version_affected": "\u003c", "version_name": "5.4-stable", "version_value": "5.4.29" } ] } } ] }, "vendor_name": "Linux kernel" } ] } }, "credit": [ { "lang": "eng", "value": "Manfred Paul" }, { "lang": "eng", "value": "Anatoly Trosinenko" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In the Linux kernel 5.5.0 and newer, the bpf verifier (kernel/bpf/verifier.c) did not properly restrict the register bounds for 32-bit operations, leading to out-of-bounds reads and writes in kernel memory. The vulnerability also affects the Linux 5.4 stable series, starting with v5.4.7, as the introducing commit was backported to that branch. This vulnerability was fixed in 5.6.1, 5.5.14, and 5.4.29. (issue is aka ZDI-CAN-10780)" } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "USN-4313-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4313-1/" }, { "name": "https://www.thezdi.com/blog/2020/3/19/pwn2own-2020-day-one-results", "refsource": "MISC", "url": "https://www.thezdi.com/blog/2020/3/19/pwn2own-2020-day-one-results" }, { "name": "https://lore.kernel.org/bpf/20200330160324.15259-1-daniel@iogearbox.net/T/", "refsource": "MISC", "url": "https://lore.kernel.org/bpf/20200330160324.15259-1-daniel@iogearbox.net/T/" }, { "name": "https://www.openwall.com/lists/oss-security/2020/03/30/3", "refsource": "MISC", "url": "https://www.openwall.com/lists/oss-security/2020/03/30/3" }, { "name": "https://usn.ubuntu.com/usn/usn-4313-1", "refsource": "MISC", "url": "https://usn.ubuntu.com/usn/usn-4313-1" }, { "name": "https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git/commit/?id=f2d67fec0b43edce8c416101cdc52e71145b5fef", "refsource": "MISC", "url": "https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git/commit/?id=f2d67fec0b43edce8c416101cdc52e71145b5fef" }, { "name": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f2d67fec0b43edce8c416101cdc52e71145b5fef", "refsource": "MISC", "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f2d67fec0b43edce8c416101cdc52e71145b5fef" }, { "name": "FEDORA-2020-4ef0bcc89c", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F7OONYGMSYBEFHLHZJK3GOI5Z553G4LD/" }, { "name": "FEDORA-2020-666f3b1ac3", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YXBWSHZ6DJIZVXKXGZPK6QPFCY7VKZEG/" }, { "name": "FEDORA-2020-73c00eda1c", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TF4PQZBEPNXDSK5DOBMW54OCLP25FTCD/" }, { "name": "https://security.netapp.com/advisory/ntap-20200430-0004/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20200430-0004/" }, { "name": "[oss-security] 20210720 CVE-2021-33909: size_t-to-int vulnerability in Linux\u0027s filesystem layer", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2021/07/20/1" } ] }, "solution": [ { "lang": "en", "value": "Revert commit 581738a681b6 (\"bpf: Provide better register bounds after jmp32 instructions\")." } ], "source": { "discovery": "EXTERNAL" }, "work_around": [ { "lang": "en", "value": "Mitigation for this vulnerability is available by setting the kernel.unprivileged_bpf_disabled sysctl to 1:\n\n $ sudo sysctl kernel.unprivileged_bpf_disabled=1\n $ echo kernel.unprivileged_bpf_disabled=1 | sudo tee /etc/sysctl.d/90-CVE-2020-8835.conf\n\nThis issue is also mitigated on systems that use secure boot with the kernel lockdown feature which blocks BPF program loading." } ] } } }, "cveMetadata": { "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "assignerShortName": "canonical", "cveId": "CVE-2020-8835", "datePublished": "2020-04-02T18:00:23.885957Z", "dateReserved": "2020-02-10T00:00:00", "dateUpdated": "2024-09-17T02:15:48.820Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-23134
Vulnerability from cvelistv5
Published
2021-05-12 22:45
Modified
2024-09-17 03:38
Severity ?
EPSS score ?
Summary
Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability.
References
▼ | URL | Tags |
---|---|---|
https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=c61760e6940d | x_refsource_MISC | |
https://www.openwall.com/lists/oss-security/2021/05/11/4 | x_refsource_MISC | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZYORWNQIHNWRFYRDXBWYWBYM46PDZEN/ | vendor-advisory, x_refsource_FEDORA | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QALNQT4LJFVSSA3MWCIECVY4AFPP4X77/ | vendor-advisory, x_refsource_FEDORA | |
https://lists.debian.org/debian-lts-announce/2021/06/msg00020.html | mailing-list, x_refsource_MLIST | |
https://lists.debian.org/debian-lts-announce/2021/06/msg00019.html | mailing-list, x_refsource_MLIST | |
https://security.netapp.com/advisory/ntap-20210625-0007/ | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Linux Kernel | Linux Kernel |
Version: unspecified < 5.12.4 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T18:58:26.357Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=c61760e6940d" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.openwall.com/lists/oss-security/2021/05/11/4" }, { "name": "FEDORA-2021-286375de1e", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZYORWNQIHNWRFYRDXBWYWBYM46PDZEN/" }, { "name": "FEDORA-2021-05152dbcf5", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QALNQT4LJFVSSA3MWCIECVY4AFPP4X77/" }, { "name": "[debian-lts-announce] 20210623 [SECURITY] [DLA 2689-1] linux security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00020.html" }, { "name": "[debian-lts-announce] 20210623 [SECURITY] [DLA 2690-1] linux-4.19 security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00019.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20210625-0007/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Linux Kernel", "vendor": "Linux Kernel", "versions": [ { "lessThan": "5.12.4", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Nadav Markus from Palo Alto Networks" }, { "lang": "en", "value": "Or Cohen from Palo Alto Networks" } ], "datePublic": "2021-05-11T00:00:00", "descriptions": [ { "lang": "en", "value": "Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-416", "description": "CWE-416 Use After Free", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-06-25T05:06:31", "orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "shortName": "palo_alto" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=c61760e6940d" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.openwall.com/lists/oss-security/2021/05/11/4" }, { "name": "FEDORA-2021-286375de1e", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZYORWNQIHNWRFYRDXBWYWBYM46PDZEN/" }, { "name": "FEDORA-2021-05152dbcf5", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QALNQT4LJFVSSA3MWCIECVY4AFPP4X77/" }, { "name": "[debian-lts-announce] 20210623 [SECURITY] [DLA 2689-1] linux security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00020.html" }, { "name": "[debian-lts-announce] 20210623 [SECURITY] [DLA 2690-1] linux-4.19 security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00019.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://security.netapp.com/advisory/ntap-20210625-0007/" } ], "solutions": [ { "lang": "en", "value": "Apply the following patch:\nhttps://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=c61760e6940d" } ], "source": { "discovery": "EXTERNAL" }, "title": "Linux kernel llcp_sock_bind/connect use-after-free", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "psirt@paloaltonetworks.com", "DATE_PUBLIC": "2021-05-11T11:14:00.000Z", "ID": "CVE-2021-23134", "STATE": "PUBLIC", "TITLE": "Linux kernel llcp_sock_bind/connect use-after-free" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Linux Kernel", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "5.12.4" } ] } } ] }, "vendor_name": "Linux Kernel" } ] } }, "credit": [ { "lang": "eng", "value": "Nadav Markus from Palo Alto Networks" }, { "lang": "eng", "value": "Or Cohen from Palo Alto Networks" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-416 Use After Free" } ] } ] }, "references": { "reference_data": [ { "name": "https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=c61760e6940d", "refsource": "MISC", "url": "https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=c61760e6940d" }, { "name": "https://www.openwall.com/lists/oss-security/2021/05/11/4", "refsource": "MISC", "url": "https://www.openwall.com/lists/oss-security/2021/05/11/4" }, { "name": "FEDORA-2021-286375de1e", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LZYORWNQIHNWRFYRDXBWYWBYM46PDZEN/" }, { "name": "FEDORA-2021-05152dbcf5", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QALNQT4LJFVSSA3MWCIECVY4AFPP4X77/" }, { "name": "[debian-lts-announce] 20210623 [SECURITY] [DLA 2689-1] linux security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00020.html" }, { "name": "[debian-lts-announce] 20210623 [SECURITY] [DLA 2690-1] linux-4.19 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00019.html" }, { "name": "https://security.netapp.com/advisory/ntap-20210625-0007/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210625-0007/" } ] }, "solution": [ { "lang": "en", "value": "Apply the following patch:\nhttps://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=c61760e6940d" } ], "source": { "discovery": "EXTERNAL" } } } }, "cveMetadata": { "assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "assignerShortName": "palo_alto", "cveId": "CVE-2021-23134", "datePublished": "2021-05-12T22:45:13.253535Z", "dateReserved": "2021-01-06T00:00:00", "dateUpdated": "2024-09-17T03:38:10.572Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-2327
Vulnerability from cvelistv5
Published
2022-07-22 00:00
Modified
2024-08-03 00:32
Severity ?
EPSS score ?
Summary
io_uring use work_flags to determine which identity need to grab from the calling process to make sure it is consistent with the calling process when executing IORING_OP. Some operations are missing some types, which can lead to incorrect reference counts which can then lead to a double free. We recommend upgrading the kernel past commit df3f3bb5059d20ef094d6b2f0256c4bf4127a859
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Linux Kernel | Linux Kernel |
Version: unspecified < df3f3bb5059d20ef094d6b2f0256c4bf4127a859 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:32:09.619Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.10.y\u0026id=df3f3bb5059d20ef094d6b2f0256c4bf4127a859" }, { "tags": [ "x_transferred" ], "url": "https://kernel.dance/#df3f3bb5059d20ef094d6b2f0256c4bf4127a859" }, { "tags": [ "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20230203-0009/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Linux Kernel", "vendor": "Linux Kernel", "versions": [ { "lessThan": "df3f3bb5059d20ef094d6b2f0256c4bf4127a859", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "io_uring use work_flags to determine which identity need to grab from the calling process to make sure it is consistent with the calling process when executing IORING_OP. Some operations are missing some types, which can lead to incorrect reference counts which can then lead to a double free. We recommend upgrading the kernel past commit df3f3bb5059d20ef094d6b2f0256c4bf4127a859" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-416", "description": "CWE-416 Use After Free", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-02-03T00:00:00", "orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google" }, "references": [ { "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.10.y\u0026id=df3f3bb5059d20ef094d6b2f0256c4bf4127a859" }, { "url": "https://kernel.dance/#df3f3bb5059d20ef094d6b2f0256c4bf4127a859" }, { "url": "https://security.netapp.com/advisory/ntap-20230203-0009/" } ], "source": { "discovery": "EXTERNAL" }, "title": "Use-after-free in io_uring ad work_flags in Linux Kernel", "x_generator": { "engine": "Vulnogram 0.0.9" } } }, "cveMetadata": { "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "assignerShortName": "Google", "cveId": "CVE-2022-2327", "datePublished": "2022-07-22T00:00:00", "dateReserved": "2022-07-06T00:00:00", "dateUpdated": "2024-08-03T00:32:09.619Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-8834
Vulnerability from cvelistv5
Published
2020-04-09 22:10
Modified
2024-09-16 22:03
Severity ?
EPSS score ?
Summary
KVM in the Linux kernel on Power8 processors has a conflicting use of HSTATE_HOST_R1 to store r1 state in kvmppc_hv_entry plus in kvmppc_{save,restore}_tm, leading to a stack corruption. Because of this, an attacker with the ability run code in kernel space of a guest VM can cause the host kernel to panic. There were two commits that, according to the reporter, introduced the vulnerability: f024ee098476 ("KVM: PPC: Book3S HV: Pull out TM state save/restore into separate procedures") 87a11bb6a7f7 ("KVM: PPC: Book3S HV: Work around XER[SO] bug in fake suspend mode") The former landed in 4.8, the latter in 4.17. This was fixed without realizing the impact in 4.18 with the following three commits, though it's believed the first is the only strictly necessary commit: 6f597c6b63b6 ("KVM: PPC: Book3S PR: Add guest MSR parameter for kvmppc_save_tm()/kvmppc_restore_tm()") 7b0e827c6970 ("KVM: PPC: Book3S HV: Factor fake-suspend handling out of kvmppc_save/restore_tm") 009c872a8bc4 ("KVM: PPC: Book3S PR: Move kvmppc_save_tm/kvmppc_restore_tm to separate file")
References
▼ | URL | Tags |
---|---|---|
https://www.openwall.com/lists/oss-security/2020/04/06/2 | x_refsource_MISC | |
https://usn.ubuntu.com/usn/usn-4318-1 | x_refsource_MISC | |
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1867717 | x_refsource_MISC | |
https://usn.ubuntu.com/4318-1/ | vendor-advisory, x_refsource_UBUNTU | |
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00035.html | vendor-advisory, x_refsource_SUSE |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Linux kernel | Linux kernel |
Version: 4.8 < unspecified Version: unspecified < 4.18 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T10:12:10.661Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.openwall.com/lists/oss-security/2020/04/06/2" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://usn.ubuntu.com/usn/usn-4318-1" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1867717" }, { "name": "USN-4318-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/4318-1/" }, { "name": "openSUSE-SU-2020:0543", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00035.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "platforms": [ "PPC Power8" ], "product": "Linux kernel", "vendor": "Linux kernel", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "4.8", "versionType": "custom" }, { "lessThan": "4.18", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Gustavo Romero" }, { "lang": "en", "value": "Paul Mackerras" } ], "datePublic": "2020-04-06T00:00:00", "descriptions": [ { "lang": "en", "value": "KVM in the Linux kernel on Power8 processors has a conflicting use of HSTATE_HOST_R1 to store r1 state in kvmppc_hv_entry plus in kvmppc_{save,restore}_tm, leading to a stack corruption. Because of this, an attacker with the ability run code in kernel space of a guest VM can cause the host kernel to panic. There were two commits that, according to the reporter, introduced the vulnerability: f024ee098476 (\"KVM: PPC: Book3S HV: Pull out TM state save/restore into separate procedures\") 87a11bb6a7f7 (\"KVM: PPC: Book3S HV: Work around XER[SO] bug in fake suspend mode\") The former landed in 4.8, the latter in 4.17. This was fixed without realizing the impact in 4.18 with the following three commits, though it\u0027s believed the first is the only strictly necessary commit: 6f597c6b63b6 (\"KVM: PPC: Book3S PR: Add guest MSR parameter for kvmppc_save_tm()/kvmppc_restore_tm()\") 7b0e827c6970 (\"KVM: PPC: Book3S HV: Factor fake-suspend handling out of kvmppc_save/restore_tm\") 009c872a8bc4 (\"KVM: PPC: Book3S PR: Move kvmppc_save_tm/kvmppc_restore_tm to separate file\")" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-368", "description": "CWE-368", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2020-04-23T15:06:26", "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.openwall.com/lists/oss-security/2020/04/06/2" }, { "tags": [ "x_refsource_MISC" ], "url": "https://usn.ubuntu.com/usn/usn-4318-1" }, { "tags": [ "x_refsource_MISC" ], "url": "https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1867717" }, { "name": "USN-4318-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/4318-1/" }, { "name": "openSUSE-SU-2020:0543", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00035.html" } ], "solutions": [ { "lang": "en", "value": "Apply the following three Linux kernel commits, though possibly only the first commit is strictly necessary: \n \n 6f597c6b63b6 (\"KVM: PPC: Book3S PR: Add guest MSR parameter for kvmppc_save_tm()/kvmppc_restore_tm()\")\n 7b0e827c6970 (\"KVM: PPC: Book3S HV: Factor fake-suspend handling out of kvmppc_save/restore_tm\")\n 009c872a8bc4 (\"KVM: PPC: Book3S PR: Move kvmppc_save_tm/kvmppc_restore_tm to separate file\")" } ], "source": { "defect": [ "https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1867717" ], "discovery": "EXTERNAL" }, "title": "Linux kernel KVM Power8 conflicting use of HSTATE_HOST_R1", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@ubuntu.com", "DATE_PUBLIC": "2020-04-06T16:00:00.000Z", "ID": "CVE-2020-8834", "STATE": "PUBLIC", "TITLE": "Linux kernel KVM Power8 conflicting use of HSTATE_HOST_R1" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Linux kernel", "version": { "version_data": [ { "platform": "PPC Power8", "version_affected": "\u003e=", "version_value": "4.8" }, { "platform": "PPC Power8", "version_affected": "\u003c", "version_value": "4.18" } ] } } ] }, "vendor_name": "Linux kernel" } ] } }, "credit": [ { "lang": "eng", "value": "Gustavo Romero" }, { "lang": "eng", "value": "Paul Mackerras" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "KVM in the Linux kernel on Power8 processors has a conflicting use of HSTATE_HOST_R1 to store r1 state in kvmppc_hv_entry plus in kvmppc_{save,restore}_tm, leading to a stack corruption. Because of this, an attacker with the ability run code in kernel space of a guest VM can cause the host kernel to panic. There were two commits that, according to the reporter, introduced the vulnerability: f024ee098476 (\"KVM: PPC: Book3S HV: Pull out TM state save/restore into separate procedures\") 87a11bb6a7f7 (\"KVM: PPC: Book3S HV: Work around XER[SO] bug in fake suspend mode\") The former landed in 4.8, the latter in 4.17. This was fixed without realizing the impact in 4.18 with the following three commits, though it\u0027s believed the first is the only strictly necessary commit: 6f597c6b63b6 (\"KVM: PPC: Book3S PR: Add guest MSR parameter for kvmppc_save_tm()/kvmppc_restore_tm()\") 7b0e827c6970 (\"KVM: PPC: Book3S HV: Factor fake-suspend handling out of kvmppc_save/restore_tm\") 009c872a8bc4 (\"KVM: PPC: Book3S PR: Move kvmppc_save_tm/kvmppc_restore_tm to separate file\")" } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-368" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.openwall.com/lists/oss-security/2020/04/06/2", "refsource": "MISC", "url": "https://www.openwall.com/lists/oss-security/2020/04/06/2" }, { "name": "https://usn.ubuntu.com/usn/usn-4318-1", "refsource": "MISC", "url": "https://usn.ubuntu.com/usn/usn-4318-1" }, { "name": "https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1867717", "refsource": "MISC", "url": "https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1867717" }, { "name": "USN-4318-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4318-1/" }, { "name": "openSUSE-SU-2020:0543", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00035.html" } ] }, "solution": [ { "lang": "en", "value": "Apply the following three Linux kernel commits, though possibly only the first commit is strictly necessary: \n \n 6f597c6b63b6 (\"KVM: PPC: Book3S PR: Add guest MSR parameter for kvmppc_save_tm()/kvmppc_restore_tm()\")\n 7b0e827c6970 (\"KVM: PPC: Book3S HV: Factor fake-suspend handling out of kvmppc_save/restore_tm\")\n 009c872a8bc4 (\"KVM: PPC: Book3S PR: Move kvmppc_save_tm/kvmppc_restore_tm to separate file\")" } ], "source": { "defect": [ "https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1867717" ], "discovery": "EXTERNAL" } } } }, "cveMetadata": { "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "assignerShortName": "canonical", "cveId": "CVE-2020-8834", "datePublished": "2020-04-09T22:10:14.975025Z", "dateReserved": "2020-02-10T00:00:00", "dateUpdated": "2024-09-16T22:03:01.562Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-6555
Vulnerability from cvelistv5
Published
2018-09-04 18:00
Modified
2024-09-16 23:42
Severity ?
EPSS score ?
Summary
The irda_setsockopt function in net/irda/af_irda.c and later in drivers/staging/irda/net/af_irda.c in the Linux kernel before 4.17 allows local users to cause a denial of service (ias_object use-after-free and system crash) or possibly have unspecified other impact via an AF_IRDA socket.
References
▼ | URL | Tags |
---|---|---|
https://usn.ubuntu.com/3776-1/ | vendor-advisory, x_refsource_UBUNTU | |
https://usn.ubuntu.com/3776-2/ | vendor-advisory, x_refsource_UBUNTU | |
https://www.spinics.net/lists/stable/msg255035.html | mailing-list, x_refsource_MLIST | |
https://usn.ubuntu.com/3777-1/ | vendor-advisory, x_refsource_UBUNTU | |
https://usn.ubuntu.com/3775-1/ | vendor-advisory, x_refsource_UBUNTU | |
https://lists.debian.org/debian-lts-announce/2018/10/msg00003.html | mailing-list, x_refsource_MLIST | |
https://www.debian.org/security/2018/dsa-4308 | vendor-advisory, x_refsource_DEBIAN | |
https://usn.ubuntu.com/3775-2/ | vendor-advisory, x_refsource_UBUNTU | |
http://www.securityfocus.com/bid/105304 | vdb-entry, x_refsource_BID | |
https://usn.ubuntu.com/3777-2/ | vendor-advisory, x_refsource_UBUNTU | |
https://www.spinics.net/lists/stable/msg255031.html | mailing-list, x_refsource_MLIST | |
https://usn.ubuntu.com/3777-3/ | vendor-advisory, x_refsource_UBUNTU |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Linux Kernel | Linux Kernel |
Version: before 4.17 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T06:10:10.169Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "USN-3776-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/3776-1/" }, { "name": "USN-3776-2", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/3776-2/" }, { "name": "[stable] 20180904 [PATCH 2/2] irda: Only insert new objects into the global database via setsockopt", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://www.spinics.net/lists/stable/msg255035.html" }, { "name": "USN-3777-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/3777-1/" }, { "name": "USN-3775-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/3775-1/" }, { "name": "[debian-lts-announce] 20181003 [SECURITY] [DLA 1531-1] linux-4.9 security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2018/10/msg00003.html" }, { "name": "DSA-4308", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2018/dsa-4308" }, { "name": "USN-3775-2", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/3775-2/" }, { "name": "105304", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/105304" }, { "name": "USN-3777-2", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/3777-2/" }, { "name": "[stable] 20180904 [PATCH 2/2] irda: Only insert new objects into the global database via setsockopt", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://www.spinics.net/lists/stable/msg255031.html" }, { "name": "USN-3777-3", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/3777-3/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Linux Kernel", "vendor": "Linux Kernel", "versions": [ { "status": "affected", "version": "before 4.17" } ] } ], "datePublic": "2018-09-04T00:00:00", "descriptions": [ { "lang": "en", "value": "The irda_setsockopt function in net/irda/af_irda.c and later in drivers/staging/irda/net/af_irda.c in the Linux kernel before 4.17 allows local users to cause a denial of service (ias_object use-after-free and system crash) or possibly have unspecified other impact via an AF_IRDA socket." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-416", "description": "CWE-416: Use After Free", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-23T09:57:01", "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical" }, "references": [ { "name": "USN-3776-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/3776-1/" }, { "name": "USN-3776-2", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/3776-2/" }, { "name": "[stable] 20180904 [PATCH 2/2] irda: Only insert new objects into the global database via setsockopt", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://www.spinics.net/lists/stable/msg255035.html" }, { "name": "USN-3777-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/3777-1/" }, { "name": "USN-3775-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/3775-1/" }, { "name": "[debian-lts-announce] 20181003 [SECURITY] [DLA 1531-1] linux-4.9 security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2018/10/msg00003.html" }, { "name": "DSA-4308", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2018/dsa-4308" }, { "name": "USN-3775-2", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/3775-2/" }, { "name": "105304", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/105304" }, { "name": "USN-3777-2", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/3777-2/" }, { "name": "[stable] 20180904 [PATCH 2/2] irda: Only insert new objects into the global database via setsockopt", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://www.spinics.net/lists/stable/msg255031.html" }, { "name": "USN-3777-3", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/3777-3/" } ], "source": { "discovery": "UNKNOWN" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@ubuntu.com", "DATE_PUBLIC": "2018-09-04T15:00:00.000Z", "ID": "CVE-2018-6555", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Linux Kernel", "version": { "version_data": [ { "version_value": "before 4.17" } ] } } ] }, "vendor_name": "Linux Kernel" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The irda_setsockopt function in net/irda/af_irda.c and later in drivers/staging/irda/net/af_irda.c in the Linux kernel before 4.17 allows local users to cause a denial of service (ias_object use-after-free and system crash) or possibly have unspecified other impact via an AF_IRDA socket." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-416: Use After Free" } ] } ] }, "references": { "reference_data": [ { "name": "USN-3776-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/3776-1/" }, { "name": "USN-3776-2", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/3776-2/" }, { "name": "[stable] 20180904 [PATCH 2/2] irda: Only insert new objects into the global database via setsockopt", "refsource": "MLIST", "url": "https://www.spinics.net/lists/stable/msg255035.html" }, { "name": "USN-3777-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/3777-1/" }, { "name": "USN-3775-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/3775-1/" }, { "name": "[debian-lts-announce] 20181003 [SECURITY] [DLA 1531-1] linux-4.9 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2018/10/msg00003.html" }, { "name": "DSA-4308", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2018/dsa-4308" }, { "name": "USN-3775-2", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/3775-2/" }, { "name": "105304", "refsource": "BID", "url": "http://www.securityfocus.com/bid/105304" }, { "name": "USN-3777-2", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/3777-2/" }, { "name": "[stable] 20180904 [PATCH 2/2] irda: Only insert new objects into the global database via setsockopt", "refsource": "MLIST", "url": "https://www.spinics.net/lists/stable/msg255031.html" }, { "name": "USN-3777-3", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/3777-3/" } ] }, "source": { "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "assignerShortName": "canonical", "cveId": "CVE-2018-6555", "datePublished": "2018-09-04T18:00:00Z", "dateReserved": "2018-02-02T00:00:00", "dateUpdated": "2024-09-16T23:42:04.264Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-6554
Vulnerability from cvelistv5
Published
2018-09-04 18:00
Modified
2024-09-17 01:41
Severity ?
EPSS score ?
Summary
Memory leak in the irda_bind function in net/irda/af_irda.c and later in drivers/staging/irda/net/af_irda.c in the Linux kernel before 4.17 allows local users to cause a denial of service (memory consumption) by repeatedly binding an AF_IRDA socket.
References
▼ | URL | Tags |
---|---|---|
https://usn.ubuntu.com/3776-1/ | vendor-advisory, x_refsource_UBUNTU | |
https://usn.ubuntu.com/3776-2/ | vendor-advisory, x_refsource_UBUNTU | |
https://usn.ubuntu.com/3777-1/ | vendor-advisory, x_refsource_UBUNTU | |
https://usn.ubuntu.com/3775-1/ | vendor-advisory, x_refsource_UBUNTU | |
https://lists.debian.org/debian-lts-announce/2018/10/msg00003.html | mailing-list, x_refsource_MLIST | |
https://www.spinics.net/lists/stable/msg255030.html | mailing-list, x_refsource_MLIST | |
https://www.debian.org/security/2018/dsa-4308 | vendor-advisory, x_refsource_DEBIAN | |
http://www.securityfocus.com/bid/105302 | vdb-entry, x_refsource_BID | |
https://usn.ubuntu.com/3775-2/ | vendor-advisory, x_refsource_UBUNTU | |
https://usn.ubuntu.com/3777-2/ | vendor-advisory, x_refsource_UBUNTU | |
https://usn.ubuntu.com/3777-3/ | vendor-advisory, x_refsource_UBUNTU | |
https://lists.debian.org/debian-lts-announce/2019/03/msg00017.html | mailing-list, x_refsource_MLIST | |
https://www.spinics.net/lists/stable/msg255034.html | mailing-list, x_refsource_MLIST |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Linux Kernel | Linux Kernel |
Version: before 4.17 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T06:10:10.232Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "USN-3776-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/3776-1/" }, { "name": "USN-3776-2", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/3776-2/" }, { "name": "USN-3777-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/3777-1/" }, { "name": "USN-3775-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/3775-1/" }, { "name": "[debian-lts-announce] 20181003 [SECURITY] [DLA 1531-1] linux-4.9 security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2018/10/msg00003.html" }, { "name": "[stable] 20180904 [PATCH 1/2] irda: Fix memory leak caused by repeated binds of irda socket", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://www.spinics.net/lists/stable/msg255030.html" }, { "name": "DSA-4308", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2018/dsa-4308" }, { "name": "105302", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/105302" }, { "name": "USN-3775-2", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/3775-2/" }, { "name": "USN-3777-2", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/3777-2/" }, { "name": "USN-3777-3", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/3777-3/" }, { "name": "[debian-lts-announce] 20190315 [SECURITY] [DLA 1715-1] linux-4.9 security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00017.html" }, { "name": "[stable] 20180904 [PATCH 1/2] irda: Fix memory leak caused by repeated binds of irda socket", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://www.spinics.net/lists/stable/msg255034.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Linux Kernel", "vendor": "Linux Kernel", "versions": [ { "status": "affected", "version": "before 4.17" } ] } ], "datePublic": "2018-09-04T00:00:00", "descriptions": [ { "lang": "en", "value": "Memory leak in the irda_bind function in net/irda/af_irda.c and later in drivers/staging/irda/net/af_irda.c in the Linux kernel before 4.17 allows local users to cause a denial of service (memory consumption) by repeatedly binding an AF_IRDA socket." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption (\u0027Resource Exhaustion\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2019-03-16T09:57:01", "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical" }, "references": [ { "name": "USN-3776-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/3776-1/" }, { "name": "USN-3776-2", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/3776-2/" }, { "name": "USN-3777-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/3777-1/" }, { "name": "USN-3775-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/3775-1/" }, { "name": "[debian-lts-announce] 20181003 [SECURITY] [DLA 1531-1] linux-4.9 security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2018/10/msg00003.html" }, { "name": "[stable] 20180904 [PATCH 1/2] irda: Fix memory leak caused by repeated binds of irda socket", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://www.spinics.net/lists/stable/msg255030.html" }, { "name": "DSA-4308", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2018/dsa-4308" }, { "name": "105302", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/105302" }, { "name": "USN-3775-2", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/3775-2/" }, { "name": "USN-3777-2", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/3777-2/" }, { "name": "USN-3777-3", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/3777-3/" }, { "name": "[debian-lts-announce] 20190315 [SECURITY] [DLA 1715-1] linux-4.9 security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00017.html" }, { "name": "[stable] 20180904 [PATCH 1/2] irda: Fix memory leak caused by repeated binds of irda socket", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://www.spinics.net/lists/stable/msg255034.html" } ], "source": { "discovery": "UNKNOWN" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@ubuntu.com", "DATE_PUBLIC": "2018-09-04T15:00:00.000Z", "ID": "CVE-2018-6554", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Linux Kernel", "version": { "version_data": [ { "version_value": "before 4.17" } ] } } ] }, "vendor_name": "Linux Kernel" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Memory leak in the irda_bind function in net/irda/af_irda.c and later in drivers/staging/irda/net/af_irda.c in the Linux kernel before 4.17 allows local users to cause a denial of service (memory consumption) by repeatedly binding an AF_IRDA socket." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-400: Uncontrolled Resource Consumption (\u0027Resource Exhaustion\u0027)" } ] } ] }, "references": { "reference_data": [ { "name": "USN-3776-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/3776-1/" }, { "name": "USN-3776-2", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/3776-2/" }, { "name": "USN-3777-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/3777-1/" }, { "name": "USN-3775-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/3775-1/" }, { "name": "[debian-lts-announce] 20181003 [SECURITY] [DLA 1531-1] linux-4.9 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2018/10/msg00003.html" }, { "name": "[stable] 20180904 [PATCH 1/2] irda: Fix memory leak caused by repeated binds of irda socket", "refsource": "MLIST", "url": "https://www.spinics.net/lists/stable/msg255030.html" }, { "name": "DSA-4308", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2018/dsa-4308" }, { "name": "105302", "refsource": "BID", "url": "http://www.securityfocus.com/bid/105302" }, { "name": "USN-3775-2", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/3775-2/" }, { "name": "USN-3777-2", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/3777-2/" }, { "name": "USN-3777-3", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/3777-3/" }, { "name": "[debian-lts-announce] 20190315 [SECURITY] [DLA 1715-1] linux-4.9 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00017.html" }, { "name": "[stable] 20180904 [PATCH 1/2] irda: Fix memory leak caused by repeated binds of irda socket", "refsource": "MLIST", "url": "https://www.spinics.net/lists/stable/msg255034.html" } ] }, "source": { "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "assignerShortName": "canonical", "cveId": "CVE-2018-6554", "datePublished": "2018-09-04T18:00:00Z", "dateReserved": "2018-02-02T00:00:00", "dateUpdated": "2024-09-17T01:41:05.683Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }