Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2024-AVI-1050
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans le noyau Linux de Red Hat. Certaines d'entre elles permettent à un attaquant de provoquer une atteinte à la confidentialité des données, une atteinte à l'intégrité des données et un contournement de la politique de sécurité.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for Real Time for x86_64 - 4 years of updates 9.2 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 9.4 aarch64 | ||
| Red Hat | Red Hat Enterprise Linux Server | Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.4 ppc64le | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.2 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.4 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 9.4 s390x | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 9.2 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 9.4 ppc64le | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for Real Time for NFV for x86_64 - 4 years of updates 9.2 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.4 s390x | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.4 aarch64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.2 s390x | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.4 aarch64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.2 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.4 s390x | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 9.2 ppc64le | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.2 aarch64 | ||
| Red Hat | Red Hat Enterprise Linux Server | Red Hat Enterprise Linux Server - AUS 9.4 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for Real Time for x86_64 - 4 years of updates 9.4 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 9.2 aarch64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.2 s390x | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for Real Time for NFV for x86_64 - 4 years of updates 9.4 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux Server | Red Hat Enterprise Linux Server - AUS 9.2 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.2 ppc64le | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 9.4 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.4 ppc64le | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.2 aarch64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.4 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 9.2 s390x | ||
| Red Hat | Red Hat Enterprise Linux Server | Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.2 ppc64le |
References
| Title | Publication Time | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Red Hat Enterprise Linux for Real Time for x86_64 - 4 years of updates 9.2 x86_64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 9.4 aarch64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.4 ppc64le",
"product": {
"name": "Red Hat Enterprise Linux Server",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.2 x86_64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.4 x86_64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 9.4 s390x",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 9.2 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 9.4 ppc64le",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Real Time for NFV for x86_64 - 4 years of updates 9.2 x86_64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.4 s390x",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.4 aarch64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.2 s390x",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.4 aarch64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.2 x86_64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.4 s390x",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 9.2 ppc64le",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.2 aarch64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server - AUS 9.4 x86_64",
"product": {
"name": "Red Hat Enterprise Linux Server",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Real Time for x86_64 - 4 years of updates 9.4 x86_64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 9.2 aarch64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.2 s390x",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Real Time for NFV for x86_64 - 4 years of updates 9.4 x86_64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server - AUS 9.2 x86_64",
"product": {
"name": "Red Hat Enterprise Linux Server",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.2 ppc64le",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 9.4 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.4 ppc64le",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.2 aarch64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.4 x86_64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 9.2 s390x",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.2 ppc64le",
"product": {
"name": "Red Hat Enterprise Linux Server",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2024-26601",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26601"
},
{
"name": "CVE-2024-41031",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-41031"
},
{
"name": "CVE-2024-41093",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-41093"
},
{
"name": "CVE-2024-38555",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38555"
},
{
"name": "CVE-2024-41009",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-41009"
},
{
"name": "CVE-2024-40988",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-40988"
},
{
"name": "CVE-2024-26984",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26984"
},
{
"name": "CVE-2024-42241",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-42241"
},
{
"name": "CVE-2024-38384",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38384"
},
{
"name": "CVE-2024-41038",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-41038"
},
{
"name": "CVE-2024-37356",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-37356"
},
{
"name": "CVE-2024-26704",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26704"
},
{
"name": "CVE-2023-52635",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52635"
},
{
"name": "CVE-2024-40997",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-40997"
},
{
"name": "CVE-2024-42154",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-42154"
},
{
"name": "CVE-2024-42228",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-42228"
},
{
"name": "CVE-2024-41007",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-41007"
},
{
"name": "CVE-2024-26686",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26686"
},
{
"name": "CVE-2024-42240",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-42240"
},
{
"name": "CVE-2024-26615",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26615"
},
{
"name": "CVE-2024-41056",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-41056"
},
{
"name": "CVE-2024-36928",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36928"
},
{
"name": "CVE-2023-52775",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52775"
},
{
"name": "CVE-2024-36960",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36960"
},
{
"name": "CVE-2023-52619",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52619"
},
{
"name": "CVE-2024-41008",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-41008"
},
{
"name": "CVE-2024-41041",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-41041"
},
{
"name": "CVE-2024-27399",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27399"
},
{
"name": "CVE-2024-43854",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43854"
},
{
"name": "CVE-2024-39507",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-39507"
},
{
"name": "CVE-2024-42244",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-42244"
},
{
"name": "CVE-2024-42238",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-42238"
},
{
"name": "CVE-2023-52749",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52749"
},
{
"name": "CVE-2023-52881",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52881"
},
{
"name": "CVE-2022-48804",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-48804"
},
{
"name": "CVE-2024-41014",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-41014"
},
{
"name": "CVE-2024-38541",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38541"
},
{
"name": "CVE-2023-52811",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52811"
},
{
"name": "CVE-2023-0597",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0597"
},
{
"name": "CVE-2024-36920",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36920"
},
{
"name": "CVE-2024-42271",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-42271"
},
{
"name": "CVE-2024-42237",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-42237"
},
{
"name": "CVE-2024-42243",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-42243"
},
{
"name": "CVE-2024-44989",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-44989"
}
],
"initial_release_date": "2024-12-06T00:00:00",
"last_revision_date": "2024-12-06T00:00:00",
"links": [],
"reference": "CERTFR-2024-AVI-1050",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2024-12-06T00:00:00.000000"
}
],
"risks": [
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "D\u00e9ni de service"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le noyau Linux de Red Hat. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es, une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es et un contournement de la politique de s\u00e9curit\u00e9.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans le noyau Linux de Red Hat",
"vendor_advisories": [
{
"published_at": "2024-12-04",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2024:10773",
"url": "https://access.redhat.com/errata/RHSA-2024:10773"
},
{
"published_at": "2024-12-04",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2024:10772",
"url": "https://access.redhat.com/errata/RHSA-2024:10772"
},
{
"published_at": "2024-12-04",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2024:10771",
"url": "https://access.redhat.com/errata/RHSA-2024:10771"
}
]
}
CVE-2024-26615 (GCVE-0-2024-26615)
Vulnerability from cvelistv5
Published
2024-02-29 15:52
Modified
2025-05-04 08:52
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/smc: fix illegal rmb_desc access in SMC-D connection dump
A crash was found when dumping SMC-D connections. It can be reproduced
by following steps:
- run nginx/wrk test:
smc_run nginx
smc_run wrk -t 16 -c 1000 -d <duration> -H 'Connection: Close' <URL>
- continuously dump SMC-D connections in parallel:
watch -n 1 'smcss -D'
BUG: kernel NULL pointer dereference, address: 0000000000000030
CPU: 2 PID: 7204 Comm: smcss Kdump: loaded Tainted: G E 6.7.0+ #55
RIP: 0010:__smc_diag_dump.constprop.0+0x5e5/0x620 [smc_diag]
Call Trace:
<TASK>
? __die+0x24/0x70
? page_fault_oops+0x66/0x150
? exc_page_fault+0x69/0x140
? asm_exc_page_fault+0x26/0x30
? __smc_diag_dump.constprop.0+0x5e5/0x620 [smc_diag]
? __kmalloc_node_track_caller+0x35d/0x430
? __alloc_skb+0x77/0x170
smc_diag_dump_proto+0xd0/0xf0 [smc_diag]
smc_diag_dump+0x26/0x60 [smc_diag]
netlink_dump+0x19f/0x320
__netlink_dump_start+0x1dc/0x300
smc_diag_handler_dump+0x6a/0x80 [smc_diag]
? __pfx_smc_diag_dump+0x10/0x10 [smc_diag]
sock_diag_rcv_msg+0x121/0x140
? __pfx_sock_diag_rcv_msg+0x10/0x10
netlink_rcv_skb+0x5a/0x110
sock_diag_rcv+0x28/0x40
netlink_unicast+0x22a/0x330
netlink_sendmsg+0x1f8/0x420
__sock_sendmsg+0xb0/0xc0
____sys_sendmsg+0x24e/0x300
? copy_msghdr_from_user+0x62/0x80
___sys_sendmsg+0x7c/0xd0
? __do_fault+0x34/0x160
? do_read_fault+0x5f/0x100
? do_fault+0xb0/0x110
? __handle_mm_fault+0x2b0/0x6c0
__sys_sendmsg+0x4d/0x80
do_syscall_64+0x69/0x180
entry_SYSCALL_64_after_hwframe+0x6e/0x76
It is possible that the connection is in process of being established
when we dump it. Assumed that the connection has been registered in a
link group by smc_conn_create() but the rmb_desc has not yet been
initialized by smc_buf_create(), thus causing the illegal access to
conn->rmb_desc. So fix it by checking before dump.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 4b1b7d3b30a6d32ac1a1dcede284e76ef8a8542d Version: 4b1b7d3b30a6d32ac1a1dcede284e76ef8a8542d Version: 4b1b7d3b30a6d32ac1a1dcede284e76ef8a8542d Version: 4b1b7d3b30a6d32ac1a1dcede284e76ef8a8542d Version: 4b1b7d3b30a6d32ac1a1dcede284e76ef8a8542d Version: 4b1b7d3b30a6d32ac1a1dcede284e76ef8a8542d Version: 4b1b7d3b30a6d32ac1a1dcede284e76ef8a8542d Version: 4b1b7d3b30a6d32ac1a1dcede284e76ef8a8542d |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:07:19.717Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/27aea64838914c6122db5b8bd4bed865c9736f22"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/1fea9969b81c67d0cb1611d1b8b7d19049d937be"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/5fed92ca32eafbfae8b6bee8ca34cca71c6a8b6d"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/68b888d51ac82f2b96bf5e077a31d76afcdef25a"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/6994dba06321e3c48fdad0ba796a063d9d82183a"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/a164c2922675d7051805cdaf2b07daffe44f20d9"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/8f3f9186e5bb96a9c9654c41653210e3ea7e48a6"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/dbc153fd3c142909e564bb256da087e13fbf239c"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26615",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T15:57:17.586367Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:33:50.241Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/smc/smc_diag.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "27aea64838914c6122db5b8bd4bed865c9736f22",
"status": "affected",
"version": "4b1b7d3b30a6d32ac1a1dcede284e76ef8a8542d",
"versionType": "git"
},
{
"lessThan": "1fea9969b81c67d0cb1611d1b8b7d19049d937be",
"status": "affected",
"version": "4b1b7d3b30a6d32ac1a1dcede284e76ef8a8542d",
"versionType": "git"
},
{
"lessThan": "5fed92ca32eafbfae8b6bee8ca34cca71c6a8b6d",
"status": "affected",
"version": "4b1b7d3b30a6d32ac1a1dcede284e76ef8a8542d",
"versionType": "git"
},
{
"lessThan": "68b888d51ac82f2b96bf5e077a31d76afcdef25a",
"status": "affected",
"version": "4b1b7d3b30a6d32ac1a1dcede284e76ef8a8542d",
"versionType": "git"
},
{
"lessThan": "6994dba06321e3c48fdad0ba796a063d9d82183a",
"status": "affected",
"version": "4b1b7d3b30a6d32ac1a1dcede284e76ef8a8542d",
"versionType": "git"
},
{
"lessThan": "a164c2922675d7051805cdaf2b07daffe44f20d9",
"status": "affected",
"version": "4b1b7d3b30a6d32ac1a1dcede284e76ef8a8542d",
"versionType": "git"
},
{
"lessThan": "8f3f9186e5bb96a9c9654c41653210e3ea7e48a6",
"status": "affected",
"version": "4b1b7d3b30a6d32ac1a1dcede284e76ef8a8542d",
"versionType": "git"
},
{
"lessThan": "dbc153fd3c142909e564bb256da087e13fbf239c",
"status": "affected",
"version": "4b1b7d3b30a6d32ac1a1dcede284e76ef8a8542d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/smc/smc_diag.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.307",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.269",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.8",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.307",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.269",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.210",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.149",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.76",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.15",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.3",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix illegal rmb_desc access in SMC-D connection dump\n\nA crash was found when dumping SMC-D connections. It can be reproduced\nby following steps:\n\n- run nginx/wrk test:\n smc_run nginx\n smc_run wrk -t 16 -c 1000 -d \u003cduration\u003e -H \u0027Connection: Close\u0027 \u003cURL\u003e\n\n- continuously dump SMC-D connections in parallel:\n watch -n 1 \u0027smcss -D\u0027\n\n BUG: kernel NULL pointer dereference, address: 0000000000000030\n CPU: 2 PID: 7204 Comm: smcss Kdump: loaded Tainted: G\tE 6.7.0+ #55\n RIP: 0010:__smc_diag_dump.constprop.0+0x5e5/0x620 [smc_diag]\n Call Trace:\n \u003cTASK\u003e\n ? __die+0x24/0x70\n ? page_fault_oops+0x66/0x150\n ? exc_page_fault+0x69/0x140\n ? asm_exc_page_fault+0x26/0x30\n ? __smc_diag_dump.constprop.0+0x5e5/0x620 [smc_diag]\n ? __kmalloc_node_track_caller+0x35d/0x430\n ? __alloc_skb+0x77/0x170\n smc_diag_dump_proto+0xd0/0xf0 [smc_diag]\n smc_diag_dump+0x26/0x60 [smc_diag]\n netlink_dump+0x19f/0x320\n __netlink_dump_start+0x1dc/0x300\n smc_diag_handler_dump+0x6a/0x80 [smc_diag]\n ? __pfx_smc_diag_dump+0x10/0x10 [smc_diag]\n sock_diag_rcv_msg+0x121/0x140\n ? __pfx_sock_diag_rcv_msg+0x10/0x10\n netlink_rcv_skb+0x5a/0x110\n sock_diag_rcv+0x28/0x40\n netlink_unicast+0x22a/0x330\n netlink_sendmsg+0x1f8/0x420\n __sock_sendmsg+0xb0/0xc0\n ____sys_sendmsg+0x24e/0x300\n ? copy_msghdr_from_user+0x62/0x80\n ___sys_sendmsg+0x7c/0xd0\n ? __do_fault+0x34/0x160\n ? do_read_fault+0x5f/0x100\n ? do_fault+0xb0/0x110\n ? __handle_mm_fault+0x2b0/0x6c0\n __sys_sendmsg+0x4d/0x80\n do_syscall_64+0x69/0x180\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nIt is possible that the connection is in process of being established\nwhen we dump it. Assumed that the connection has been registered in a\nlink group by smc_conn_create() but the rmb_desc has not yet been\ninitialized by smc_buf_create(), thus causing the illegal access to\nconn-\u003ermb_desc. So fix it by checking before dump."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:52:21.717Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/27aea64838914c6122db5b8bd4bed865c9736f22"
},
{
"url": "https://git.kernel.org/stable/c/1fea9969b81c67d0cb1611d1b8b7d19049d937be"
},
{
"url": "https://git.kernel.org/stable/c/5fed92ca32eafbfae8b6bee8ca34cca71c6a8b6d"
},
{
"url": "https://git.kernel.org/stable/c/68b888d51ac82f2b96bf5e077a31d76afcdef25a"
},
{
"url": "https://git.kernel.org/stable/c/6994dba06321e3c48fdad0ba796a063d9d82183a"
},
{
"url": "https://git.kernel.org/stable/c/a164c2922675d7051805cdaf2b07daffe44f20d9"
},
{
"url": "https://git.kernel.org/stable/c/8f3f9186e5bb96a9c9654c41653210e3ea7e48a6"
},
{
"url": "https://git.kernel.org/stable/c/dbc153fd3c142909e564bb256da087e13fbf239c"
}
],
"title": "net/smc: fix illegal rmb_desc access in SMC-D connection dump",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-26615",
"datePublished": "2024-02-29T15:52:18.843Z",
"dateReserved": "2024-02-19T14:20:24.131Z",
"dateUpdated": "2025-05-04T08:52:21.717Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52881 (GCVE-0-2023-52881)
Vulnerability from cvelistv5
Published
2024-05-29 10:15
Modified
2025-05-04 12:49
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tcp: do not accept ACK of bytes we never sent
This patch is based on a detailed report and ideas from Yepeng Pan
and Christian Rossow.
ACK seq validation is currently following RFC 5961 5.2 guidelines:
The ACK value is considered acceptable only if
it is in the range of ((SND.UNA - MAX.SND.WND) <= SEG.ACK <=
SND.NXT). All incoming segments whose ACK value doesn't satisfy the
above condition MUST be discarded and an ACK sent back. It needs to
be noted that RFC 793 on page 72 (fifth check) says: "If the ACK is a
duplicate (SEG.ACK < SND.UNA), it can be ignored. If the ACK
acknowledges something not yet sent (SEG.ACK > SND.NXT) then send an
ACK, drop the segment, and return". The "ignored" above implies that
the processing of the incoming data segment continues, which means
the ACK value is treated as acceptable. This mitigation makes the
ACK check more stringent since any ACK < SND.UNA wouldn't be
accepted, instead only ACKs that are in the range ((SND.UNA -
MAX.SND.WND) <= SEG.ACK <= SND.NXT) get through.
This can be refined for new (and possibly spoofed) flows,
by not accepting ACK for bytes that were never sent.
This greatly improves TCP security at a little cost.
I added a Fixes: tag to make sure this patch will reach stable trees,
even if the 'blamed' patch was adhering to the RFC.
tp->bytes_acked was added in linux-4.2
Following packetdrill test (courtesy of Yepeng Pan) shows
the issue at hand:
0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
+0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
+0 bind(3, ..., ...) = 0
+0 listen(3, 1024) = 0
// ---------------- Handshake ------------------- //
// when window scale is set to 14 the window size can be extended to
// 65535 * (2^14) = 1073725440. Linux would accept an ACK packet
// with ack number in (Server_ISN+1-1073725440. Server_ISN+1)
// ,though this ack number acknowledges some data never
// sent by the server.
+0 < S 0:0(0) win 65535 <mss 1400,nop,wscale 14>
+0 > S. 0:0(0) ack 1 <...>
+0 < . 1:1(0) ack 1 win 65535
+0 accept(3, ..., ...) = 4
// For the established connection, we send an ACK packet,
// the ack packet uses ack number 1 - 1073725300 + 2^32,
// where 2^32 is used to wrap around.
// Note: we used 1073725300 instead of 1073725440 to avoid possible
// edge cases.
// 1 - 1073725300 + 2^32 = 3221241997
// Oops, old kernels happily accept this packet.
+0 < . 1:1001(1000) ack 3221241997 win 65535
// After the kernel fix the following will be replaced by a challenge ACK,
// and prior malicious frame would be dropped.
+0 > . 1:1(0) ack 1001
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 354e4aa391ed50a4d827ff6fc11e0667d0859b25 Version: 354e4aa391ed50a4d827ff6fc11e0667d0859b25 Version: 354e4aa391ed50a4d827ff6fc11e0667d0859b25 Version: 354e4aa391ed50a4d827ff6fc11e0667d0859b25 Version: 354e4aa391ed50a4d827ff6fc11e0667d0859b25 Version: 354e4aa391ed50a4d827ff6fc11e0667d0859b25 Version: 354e4aa391ed50a4d827ff6fc11e0667d0859b25 Version: 354e4aa391ed50a4d827ff6fc11e0667d0859b25 Version: 8d15569e14cfcf9151e9e3b4c0cb98369943a2bb Version: e252bbd8c87b95e9cecdc01350fbb0b46a0f9bf1 Version: 2ee4432e82437a7c051c254b065fbf5d4581e1a3 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:18:41.169Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/69eae75ca5255e876628ac5cee9eaab31f644b57"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/458f07ffeccd17f99942311e09ef574ddf4a414a"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/7ffff0cc929fdfc62a74b384c4903d6496c910f0"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/b17a886ed29f3b70b78ccf632dad03e0c69e3c1a"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/0d4e0afdd6658cd21dd5be61880411a2553fd1fc"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/008b807fe487e0b15a3a6c39add4eb477f73e440"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/2087d53a66e97a5eb5d1bf558d5bef9e5f891757"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/3d501dd326fb1c73f1b8206d4c6e1d7b15c07e27"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-52881",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-03T16:46:40.495686Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-15T15:11:03.358Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp_input.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "69eae75ca5255e876628ac5cee9eaab31f644b57",
"status": "affected",
"version": "354e4aa391ed50a4d827ff6fc11e0667d0859b25",
"versionType": "git"
},
{
"lessThan": "458f07ffeccd17f99942311e09ef574ddf4a414a",
"status": "affected",
"version": "354e4aa391ed50a4d827ff6fc11e0667d0859b25",
"versionType": "git"
},
{
"lessThan": "7ffff0cc929fdfc62a74b384c4903d6496c910f0",
"status": "affected",
"version": "354e4aa391ed50a4d827ff6fc11e0667d0859b25",
"versionType": "git"
},
{
"lessThan": "b17a886ed29f3b70b78ccf632dad03e0c69e3c1a",
"status": "affected",
"version": "354e4aa391ed50a4d827ff6fc11e0667d0859b25",
"versionType": "git"
},
{
"lessThan": "0d4e0afdd6658cd21dd5be61880411a2553fd1fc",
"status": "affected",
"version": "354e4aa391ed50a4d827ff6fc11e0667d0859b25",
"versionType": "git"
},
{
"lessThan": "008b807fe487e0b15a3a6c39add4eb477f73e440",
"status": "affected",
"version": "354e4aa391ed50a4d827ff6fc11e0667d0859b25",
"versionType": "git"
},
{
"lessThan": "2087d53a66e97a5eb5d1bf558d5bef9e5f891757",
"status": "affected",
"version": "354e4aa391ed50a4d827ff6fc11e0667d0859b25",
"versionType": "git"
},
{
"lessThan": "3d501dd326fb1c73f1b8206d4c6e1d7b15c07e27",
"status": "affected",
"version": "354e4aa391ed50a4d827ff6fc11e0667d0859b25",
"versionType": "git"
},
{
"status": "affected",
"version": "8d15569e14cfcf9151e9e3b4c0cb98369943a2bb",
"versionType": "git"
},
{
"status": "affected",
"version": "e252bbd8c87b95e9cecdc01350fbb0b46a0f9bf1",
"versionType": "git"
},
{
"status": "affected",
"version": "2ee4432e82437a7c051c254b065fbf5d4581e1a3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp_input.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.333",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.264",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.204",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.7",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.333",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.302",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.264",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.204",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.143",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.68",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.7",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.0.58",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.2.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.4.25",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: do not accept ACK of bytes we never sent\n\nThis patch is based on a detailed report and ideas from Yepeng Pan\nand Christian Rossow.\n\nACK seq validation is currently following RFC 5961 5.2 guidelines:\n\n The ACK value is considered acceptable only if\n it is in the range of ((SND.UNA - MAX.SND.WND) \u003c= SEG.ACK \u003c=\n SND.NXT). All incoming segments whose ACK value doesn\u0027t satisfy the\n above condition MUST be discarded and an ACK sent back. It needs to\n be noted that RFC 793 on page 72 (fifth check) says: \"If the ACK is a\n duplicate (SEG.ACK \u003c SND.UNA), it can be ignored. If the ACK\n acknowledges something not yet sent (SEG.ACK \u003e SND.NXT) then send an\n ACK, drop the segment, and return\". The \"ignored\" above implies that\n the processing of the incoming data segment continues, which means\n the ACK value is treated as acceptable. This mitigation makes the\n ACK check more stringent since any ACK \u003c SND.UNA wouldn\u0027t be\n accepted, instead only ACKs that are in the range ((SND.UNA -\n MAX.SND.WND) \u003c= SEG.ACK \u003c= SND.NXT) get through.\n\nThis can be refined for new (and possibly spoofed) flows,\nby not accepting ACK for bytes that were never sent.\n\nThis greatly improves TCP security at a little cost.\n\nI added a Fixes: tag to make sure this patch will reach stable trees,\neven if the \u0027blamed\u0027 patch was adhering to the RFC.\n\ntp-\u003ebytes_acked was added in linux-4.2\n\nFollowing packetdrill test (courtesy of Yepeng Pan) shows\nthe issue at hand:\n\n0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3\n+0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0\n+0 bind(3, ..., ...) = 0\n+0 listen(3, 1024) = 0\n\n// ---------------- Handshake ------------------- //\n\n// when window scale is set to 14 the window size can be extended to\n// 65535 * (2^14) = 1073725440. Linux would accept an ACK packet\n// with ack number in (Server_ISN+1-1073725440. Server_ISN+1)\n// ,though this ack number acknowledges some data never\n// sent by the server.\n\n+0 \u003c S 0:0(0) win 65535 \u003cmss 1400,nop,wscale 14\u003e\n+0 \u003e S. 0:0(0) ack 1 \u003c...\u003e\n+0 \u003c . 1:1(0) ack 1 win 65535\n+0 accept(3, ..., ...) = 4\n\n// For the established connection, we send an ACK packet,\n// the ack packet uses ack number 1 - 1073725300 + 2^32,\n// where 2^32 is used to wrap around.\n// Note: we used 1073725300 instead of 1073725440 to avoid possible\n// edge cases.\n// 1 - 1073725300 + 2^32 = 3221241997\n\n// Oops, old kernels happily accept this packet.\n+0 \u003c . 1:1001(1000) ack 3221241997 win 65535\n\n// After the kernel fix the following will be replaced by a challenge ACK,\n// and prior malicious frame would be dropped.\n+0 \u003e . 1:1(0) ack 1001"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:49:46.197Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/69eae75ca5255e876628ac5cee9eaab31f644b57"
},
{
"url": "https://git.kernel.org/stable/c/458f07ffeccd17f99942311e09ef574ddf4a414a"
},
{
"url": "https://git.kernel.org/stable/c/7ffff0cc929fdfc62a74b384c4903d6496c910f0"
},
{
"url": "https://git.kernel.org/stable/c/b17a886ed29f3b70b78ccf632dad03e0c69e3c1a"
},
{
"url": "https://git.kernel.org/stable/c/0d4e0afdd6658cd21dd5be61880411a2553fd1fc"
},
{
"url": "https://git.kernel.org/stable/c/008b807fe487e0b15a3a6c39add4eb477f73e440"
},
{
"url": "https://git.kernel.org/stable/c/2087d53a66e97a5eb5d1bf558d5bef9e5f891757"
},
{
"url": "https://git.kernel.org/stable/c/3d501dd326fb1c73f1b8206d4c6e1d7b15c07e27"
}
],
"title": "tcp: do not accept ACK of bytes we never sent",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52881",
"datePublished": "2024-05-29T10:15:14.186Z",
"dateReserved": "2024-05-21T15:35:00.781Z",
"dateUpdated": "2025-05-04T12:49:46.197Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-0597 (GCVE-0-2023-0597)
Vulnerability from cvelistv5
Published
2023-02-23 00:00
Modified
2025-03-12 19:17
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
A flaw possibility of memory leak in the Linux kernel cpu_entry_area mapping of X86 CPU data to memory was found in the way user can guess location of exception stack(s) or other important data. A local user could use this flaw to get access to some important data with expected location in memory.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:17:50.079Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/linus/97e3d26b5e5f371b3ee223d94dd123e6c442ba80"
},
{
"name": "[oss-security] 20230728 Re: StackRot (CVE-2023-3269): Linux kernel privilege escalation vulnerability",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2023/07/28/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-0597",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-12T19:17:29.115979Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-12T19:17:33.462Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://www.openwall.com/lists/oss-security/2023/07/28/1"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Kernel",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Linux kernel 6.2-rc1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw possibility of memory leak in the Linux kernel cpu_entry_area mapping of X86 CPU data to memory was found in the way user can guess location of exception stack(s) or other important data. A local user could use this flaw to get access to some important data with expected location in memory."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-28T00:00:00.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"url": "https://git.kernel.org/linus/97e3d26b5e5f371b3ee223d94dd123e6c442ba80"
},
{
"name": "[oss-security] 20230728 Re: StackRot (CVE-2023-3269): Linux kernel privilege escalation vulnerability",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2023/07/28/1"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2023-0597",
"datePublished": "2023-02-23T00:00:00.000Z",
"dateReserved": "2023-01-31T00:00:00.000Z",
"dateUpdated": "2025-03-12T19:17:33.462Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-36928 (GCVE-0-2024-36928)
Vulnerability from cvelistv5
Published
2024-05-30 15:29
Modified
2025-05-04 12:56
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
s390/qeth: Fix kernel panic after setting hsuid
Symptom:
When the hsuid attribute is set for the first time on an IQD Layer3
device while the corresponding network interface is already UP,
the kernel will try to execute a napi function pointer that is NULL.
Example:
---------------------------------------------------------------------------
[ 2057.572696] illegal operation: 0001 ilc:1 [#1] SMP
[ 2057.572702] Modules linked in: af_iucv qeth_l3 zfcp scsi_transport_fc sunrpc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6
nft_reject nft_ct nf_tables_set nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables libcrc32c nfnetlink ghash_s390 prng xts aes_s390 des_s390 de
s_generic sha3_512_s390 sha3_256_s390 sha512_s390 vfio_ccw vfio_mdev mdev vfio_iommu_type1 eadm_sch vfio ext4 mbcache jbd2 qeth_l2 bridge stp llc dasd_eckd_mod qeth dasd_mod
qdio ccwgroup pkey zcrypt
[ 2057.572739] CPU: 6 PID: 60182 Comm: stress_client Kdump: loaded Not tainted 4.18.0-541.el8.s390x #1
[ 2057.572742] Hardware name: IBM 3931 A01 704 (LPAR)
[ 2057.572744] Krnl PSW : 0704f00180000000 0000000000000002 (0x2)
[ 2057.572748] R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:3 PM:0 RI:0 EA:3
[ 2057.572751] Krnl GPRS: 0000000000000004 0000000000000000 00000000a3b008d8 0000000000000000
[ 2057.572754] 00000000a3b008d8 cb923a29c779abc5 0000000000000000 00000000814cfd80
[ 2057.572756] 000000000000012c 0000000000000000 00000000a3b008d8 00000000a3b008d8
[ 2057.572758] 00000000bab6d500 00000000814cfd80 0000000091317e46 00000000814cfc68
[ 2057.572762] Krnl Code:#0000000000000000: 0000 illegal
>0000000000000002: 0000 illegal
0000000000000004: 0000 illegal
0000000000000006: 0000 illegal
0000000000000008: 0000 illegal
000000000000000a: 0000 illegal
000000000000000c: 0000 illegal
000000000000000e: 0000 illegal
[ 2057.572800] Call Trace:
[ 2057.572801] ([<00000000ec639700>] 0xec639700)
[ 2057.572803] [<00000000913183e2>] net_rx_action+0x2ba/0x398
[ 2057.572809] [<0000000091515f76>] __do_softirq+0x11e/0x3a0
[ 2057.572813] [<0000000090ce160c>] do_softirq_own_stack+0x3c/0x58
[ 2057.572817] ([<0000000090d2cbd6>] do_softirq.part.1+0x56/0x60)
[ 2057.572822] [<0000000090d2cc60>] __local_bh_enable_ip+0x80/0x98
[ 2057.572825] [<0000000091314706>] __dev_queue_xmit+0x2be/0xd70
[ 2057.572827] [<000003ff803dd6d6>] afiucv_hs_send+0x24e/0x300 [af_iucv]
[ 2057.572830] [<000003ff803dd88a>] iucv_send_ctrl+0x102/0x138 [af_iucv]
[ 2057.572833] [<000003ff803de72a>] iucv_sock_connect+0x37a/0x468 [af_iucv]
[ 2057.572835] [<00000000912e7e90>] __sys_connect+0xa0/0xd8
[ 2057.572839] [<00000000912e9580>] sys_socketcall+0x228/0x348
[ 2057.572841] [<0000000091514e1a>] system_call+0x2a6/0x2c8
[ 2057.572843] Last Breaking-Event-Address:
[ 2057.572844] [<0000000091317e44>] __napi_poll+0x4c/0x1d8
[ 2057.572846]
[ 2057.572847] Kernel panic - not syncing: Fatal exception in interrupt
-------------------------------------------------------------------------------------------
Analysis:
There is one napi structure per out_q: card->qdio.out_qs[i].napi
The napi.poll functions are set during qeth_open().
Since
commit 1cfef80d4c2b ("s390/qeth: Don't call dev_close/dev_open (DOWN/UP)")
qeth_set_offline()/qeth_set_online() no longer call dev_close()/
dev_open(). So if qeth_free_qdio_queues() cleared
card->qdio.out_qs[i].napi.poll while the network interface was UP and the
card was offline, they are not set again.
Reproduction:
chzdev -e $devno layer2=0
ip link set dev $network_interface up
echo 0 > /sys/bus/ccw
---truncated---
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 64e3affee2881bb22df7ce45dd1f1fd7990e382b Version: 86818409f989fee29c38528ed8fb085655603356 Version: 1cfef80d4c2b2c599189f36f36320b205d9447d9 Version: 1cfef80d4c2b2c599189f36f36320b205d9447d9 Version: 1cfef80d4c2b2c599189f36f36320b205d9447d9 Version: c33d5a5c5b2c79326190885040f1643793c67b29 Version: 29d6fe395087710280f8e11d4ae79569c4cb14b7 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-36928",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-31T18:29:03.569739Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-06T15:55:40.336Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:43:50.063Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/8792b557eb50b986f2496156d486d0c7c85a1524"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/10cb803aff3b11fe0bd5f274fc1c231a43e88df6"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e28dd1e1bf3ebb52cdb877fb359e8978a51576e3"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/eae0aec245712c52a3ce9c05575b541a9eef5282"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/8a2e4d37afb8500b276e5ee903dee06f50ab0494"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/s390/net/qeth_core_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8792b557eb50b986f2496156d486d0c7c85a1524",
"status": "affected",
"version": "64e3affee2881bb22df7ce45dd1f1fd7990e382b",
"versionType": "git"
},
{
"lessThan": "10cb803aff3b11fe0bd5f274fc1c231a43e88df6",
"status": "affected",
"version": "86818409f989fee29c38528ed8fb085655603356",
"versionType": "git"
},
{
"lessThan": "e28dd1e1bf3ebb52cdb877fb359e8978a51576e3",
"status": "affected",
"version": "1cfef80d4c2b2c599189f36f36320b205d9447d9",
"versionType": "git"
},
{
"lessThan": "eae0aec245712c52a3ce9c05575b541a9eef5282",
"status": "affected",
"version": "1cfef80d4c2b2c599189f36f36320b205d9447d9",
"versionType": "git"
},
{
"lessThan": "8a2e4d37afb8500b276e5ee903dee06f50ab0494",
"status": "affected",
"version": "1cfef80d4c2b2c599189f36f36320b205d9447d9",
"versionType": "git"
},
{
"status": "affected",
"version": "c33d5a5c5b2c79326190885040f1643793c67b29",
"versionType": "git"
},
{
"status": "affected",
"version": "29d6fe395087710280f8e11d4ae79569c4cb14b7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/s390/net/qeth_core_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.31",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.9",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.159",
"versionStartIncluding": "5.15.126",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.91",
"versionStartIncluding": "6.1.45",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.31",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.10",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.190",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/qeth: Fix kernel panic after setting hsuid\n\nSymptom:\nWhen the hsuid attribute is set for the first time on an IQD Layer3\ndevice while the corresponding network interface is already UP,\nthe kernel will try to execute a napi function pointer that is NULL.\n\nExample:\n---------------------------------------------------------------------------\n[ 2057.572696] illegal operation: 0001 ilc:1 [#1] SMP\n[ 2057.572702] Modules linked in: af_iucv qeth_l3 zfcp scsi_transport_fc sunrpc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6\nnft_reject nft_ct nf_tables_set nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables libcrc32c nfnetlink ghash_s390 prng xts aes_s390 des_s390 de\ns_generic sha3_512_s390 sha3_256_s390 sha512_s390 vfio_ccw vfio_mdev mdev vfio_iommu_type1 eadm_sch vfio ext4 mbcache jbd2 qeth_l2 bridge stp llc dasd_eckd_mod qeth dasd_mod\n qdio ccwgroup pkey zcrypt\n[ 2057.572739] CPU: 6 PID: 60182 Comm: stress_client Kdump: loaded Not tainted 4.18.0-541.el8.s390x #1\n[ 2057.572742] Hardware name: IBM 3931 A01 704 (LPAR)\n[ 2057.572744] Krnl PSW : 0704f00180000000 0000000000000002 (0x2)\n[ 2057.572748] R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:3 PM:0 RI:0 EA:3\n[ 2057.572751] Krnl GPRS: 0000000000000004 0000000000000000 00000000a3b008d8 0000000000000000\n[ 2057.572754] 00000000a3b008d8 cb923a29c779abc5 0000000000000000 00000000814cfd80\n[ 2057.572756] 000000000000012c 0000000000000000 00000000a3b008d8 00000000a3b008d8\n[ 2057.572758] 00000000bab6d500 00000000814cfd80 0000000091317e46 00000000814cfc68\n[ 2057.572762] Krnl Code:#0000000000000000: 0000 illegal\n \u003e0000000000000002: 0000 illegal\n 0000000000000004: 0000 illegal\n 0000000000000006: 0000 illegal\n 0000000000000008: 0000 illegal\n 000000000000000a: 0000 illegal\n 000000000000000c: 0000 illegal\n 000000000000000e: 0000 illegal\n[ 2057.572800] Call Trace:\n[ 2057.572801] ([\u003c00000000ec639700\u003e] 0xec639700)\n[ 2057.572803] [\u003c00000000913183e2\u003e] net_rx_action+0x2ba/0x398\n[ 2057.572809] [\u003c0000000091515f76\u003e] __do_softirq+0x11e/0x3a0\n[ 2057.572813] [\u003c0000000090ce160c\u003e] do_softirq_own_stack+0x3c/0x58\n[ 2057.572817] ([\u003c0000000090d2cbd6\u003e] do_softirq.part.1+0x56/0x60)\n[ 2057.572822] [\u003c0000000090d2cc60\u003e] __local_bh_enable_ip+0x80/0x98\n[ 2057.572825] [\u003c0000000091314706\u003e] __dev_queue_xmit+0x2be/0xd70\n[ 2057.572827] [\u003c000003ff803dd6d6\u003e] afiucv_hs_send+0x24e/0x300 [af_iucv]\n[ 2057.572830] [\u003c000003ff803dd88a\u003e] iucv_send_ctrl+0x102/0x138 [af_iucv]\n[ 2057.572833] [\u003c000003ff803de72a\u003e] iucv_sock_connect+0x37a/0x468 [af_iucv]\n[ 2057.572835] [\u003c00000000912e7e90\u003e] __sys_connect+0xa0/0xd8\n[ 2057.572839] [\u003c00000000912e9580\u003e] sys_socketcall+0x228/0x348\n[ 2057.572841] [\u003c0000000091514e1a\u003e] system_call+0x2a6/0x2c8\n[ 2057.572843] Last Breaking-Event-Address:\n[ 2057.572844] [\u003c0000000091317e44\u003e] __napi_poll+0x4c/0x1d8\n[ 2057.572846]\n[ 2057.572847] Kernel panic - not syncing: Fatal exception in interrupt\n-------------------------------------------------------------------------------------------\n\nAnalysis:\nThere is one napi structure per out_q: card-\u003eqdio.out_qs[i].napi\nThe napi.poll functions are set during qeth_open().\n\nSince\ncommit 1cfef80d4c2b (\"s390/qeth: Don\u0027t call dev_close/dev_open (DOWN/UP)\")\nqeth_set_offline()/qeth_set_online() no longer call dev_close()/\ndev_open(). So if qeth_free_qdio_queues() cleared\ncard-\u003eqdio.out_qs[i].napi.poll while the network interface was UP and the\ncard was offline, they are not set again.\n\nReproduction:\nchzdev -e $devno layer2=0\nip link set dev $network_interface up\necho 0 \u003e /sys/bus/ccw\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:56:31.287Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8792b557eb50b986f2496156d486d0c7c85a1524"
},
{
"url": "https://git.kernel.org/stable/c/10cb803aff3b11fe0bd5f274fc1c231a43e88df6"
},
{
"url": "https://git.kernel.org/stable/c/e28dd1e1bf3ebb52cdb877fb359e8978a51576e3"
},
{
"url": "https://git.kernel.org/stable/c/eae0aec245712c52a3ce9c05575b541a9eef5282"
},
{
"url": "https://git.kernel.org/stable/c/8a2e4d37afb8500b276e5ee903dee06f50ab0494"
}
],
"title": "s390/qeth: Fix kernel panic after setting hsuid",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-36928",
"datePublished": "2024-05-30T15:29:20.854Z",
"dateReserved": "2024-05-30T15:25:07.069Z",
"dateUpdated": "2025-05-04T12:56:31.287Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-39507 (GCVE-0-2024-39507)
Vulnerability from cvelistv5
Published
2024-07-12 12:20
Modified
2025-05-04 09:17
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: hns3: fix kernel crash problem in concurrent scenario
When link status change, the nic driver need to notify the roce
driver to handle this event, but at this time, the roce driver
may uninit, then cause kernel crash.
To fix the problem, when link status change, need to check
whether the roce registered, and when uninit, need to wait link
update finish.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:26:15.929Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/62b5dfb67bfa8bd0301bf3442004563495f9ee48"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/6d0007f7b69d684879a0f598a042e40244d3cf63"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/689de7c3bfc7d47e0eacc641c4ce4a0f579aeefa"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/b2c5024b771cd1dd8175d5f6949accfadbab7edd"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/12cda920212a49fa22d9e8b9492ac4ea013310a4"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-39507",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T17:06:51.352211Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:34:39.150Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "62b5dfb67bfa8bd0301bf3442004563495f9ee48",
"status": "affected",
"version": "45e92b7e4e27a427de7e87d5c4d63d4ce7ba02ab",
"versionType": "git"
},
{
"lessThan": "6d0007f7b69d684879a0f598a042e40244d3cf63",
"status": "affected",
"version": "45e92b7e4e27a427de7e87d5c4d63d4ce7ba02ab",
"versionType": "git"
},
{
"lessThan": "689de7c3bfc7d47e0eacc641c4ce4a0f579aeefa",
"status": "affected",
"version": "45e92b7e4e27a427de7e87d5c4d63d4ce7ba02ab",
"versionType": "git"
},
{
"lessThan": "b2c5024b771cd1dd8175d5f6949accfadbab7edd",
"status": "affected",
"version": "45e92b7e4e27a427de7e87d5c4d63d4ce7ba02ab",
"versionType": "git"
},
{
"lessThan": "12cda920212a49fa22d9e8b9492ac4ea013310a4",
"status": "affected",
"version": "45e92b7e4e27a427de7e87d5c4d63d4ce7ba02ab",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.95",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.9.*",
"status": "unaffected",
"version": "6.9.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.10",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.162",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.95",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.35",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9.6",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: fix kernel crash problem in concurrent scenario\n\nWhen link status change, the nic driver need to notify the roce\ndriver to handle this event, but at this time, the roce driver\nmay uninit, then cause kernel crash.\n\nTo fix the problem, when link status change, need to check\nwhether the roce registered, and when uninit, need to wait link\nupdate finish."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:17:17.593Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/62b5dfb67bfa8bd0301bf3442004563495f9ee48"
},
{
"url": "https://git.kernel.org/stable/c/6d0007f7b69d684879a0f598a042e40244d3cf63"
},
{
"url": "https://git.kernel.org/stable/c/689de7c3bfc7d47e0eacc641c4ce4a0f579aeefa"
},
{
"url": "https://git.kernel.org/stable/c/b2c5024b771cd1dd8175d5f6949accfadbab7edd"
},
{
"url": "https://git.kernel.org/stable/c/12cda920212a49fa22d9e8b9492ac4ea013310a4"
}
],
"title": "net: hns3: fix kernel crash problem in concurrent scenario",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-39507",
"datePublished": "2024-07-12T12:20:38.954Z",
"dateReserved": "2024-06-25T14:23:23.752Z",
"dateUpdated": "2025-05-04T09:17:17.593Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-42154 (GCVE-0-2024-42154)
Vulnerability from cvelistv5
Published
2024-07-30 07:46
Modified
2025-05-04 09:24
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tcp_metrics: validate source addr length
I don't see anything checking that TCP_METRICS_ATTR_SADDR_IPV4
is at least 4 bytes long, and the policy doesn't have an entry
for this attribute at all (neither does it for IPv6 but v6 is
manually validated).
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 3e7013ddf55af7bc191792b8aea0c2b94fb0fef5 Version: 3e7013ddf55af7bc191792b8aea0c2b94fb0fef5 Version: 3e7013ddf55af7bc191792b8aea0c2b94fb0fef5 Version: 3e7013ddf55af7bc191792b8aea0c2b94fb0fef5 Version: 3e7013ddf55af7bc191792b8aea0c2b94fb0fef5 Version: 3e7013ddf55af7bc191792b8aea0c2b94fb0fef5 Version: 3e7013ddf55af7bc191792b8aea0c2b94fb0fef5 Version: 3e7013ddf55af7bc191792b8aea0c2b94fb0fef5 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-09-25T17:02:32.529Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/19d997b59fa1fd7a02e770ee0881c0652b9c32c9"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/2a2e79dbe2236a1289412d2044994f7ab419b44c"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/cdffc358717e436bb67122bb82c1a2a26e050f98"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/ef7c428b425beeb52b894e16f1c4b629d6cebfb6"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/31f03bb04146c1c6df6c03e9f45401f5f5a985d3"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/8c2debdd170e395934ac0e039748576dfde14e99"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/3d550dd5418729a6e77fe7721d27adea7152e321"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/66be40e622e177316ae81717aa30057ba9e61dff"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240828-0010/"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/09/24/3"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/09/24/4"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/09/25/3"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42154",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T16:15:15.159948Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:34:34.227Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp_metrics.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "19d997b59fa1fd7a02e770ee0881c0652b9c32c9",
"status": "affected",
"version": "3e7013ddf55af7bc191792b8aea0c2b94fb0fef5",
"versionType": "git"
},
{
"lessThan": "2a2e79dbe2236a1289412d2044994f7ab419b44c",
"status": "affected",
"version": "3e7013ddf55af7bc191792b8aea0c2b94fb0fef5",
"versionType": "git"
},
{
"lessThan": "cdffc358717e436bb67122bb82c1a2a26e050f98",
"status": "affected",
"version": "3e7013ddf55af7bc191792b8aea0c2b94fb0fef5",
"versionType": "git"
},
{
"lessThan": "ef7c428b425beeb52b894e16f1c4b629d6cebfb6",
"status": "affected",
"version": "3e7013ddf55af7bc191792b8aea0c2b94fb0fef5",
"versionType": "git"
},
{
"lessThan": "31f03bb04146c1c6df6c03e9f45401f5f5a985d3",
"status": "affected",
"version": "3e7013ddf55af7bc191792b8aea0c2b94fb0fef5",
"versionType": "git"
},
{
"lessThan": "8c2debdd170e395934ac0e039748576dfde14e99",
"status": "affected",
"version": "3e7013ddf55af7bc191792b8aea0c2b94fb0fef5",
"versionType": "git"
},
{
"lessThan": "3d550dd5418729a6e77fe7721d27adea7152e321",
"status": "affected",
"version": "3e7013ddf55af7bc191792b8aea0c2b94fb0fef5",
"versionType": "git"
},
{
"lessThan": "66be40e622e177316ae81717aa30057ba9e61dff",
"status": "affected",
"version": "3e7013ddf55af7bc191792b8aea0c2b94fb0fef5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp_metrics.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.14"
},
{
"lessThan": "3.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.318",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.280",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.222",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.98",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.9.*",
"status": "unaffected",
"version": "6.9.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.10",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.318",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.280",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.222",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.163",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.98",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.39",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9.9",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10",
"versionStartIncluding": "3.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp_metrics: validate source addr length\n\nI don\u0027t see anything checking that TCP_METRICS_ATTR_SADDR_IPV4\nis at least 4 bytes long, and the policy doesn\u0027t have an entry\nfor this attribute at all (neither does it for IPv6 but v6 is\nmanually validated)."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:24:17.764Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/19d997b59fa1fd7a02e770ee0881c0652b9c32c9"
},
{
"url": "https://git.kernel.org/stable/c/2a2e79dbe2236a1289412d2044994f7ab419b44c"
},
{
"url": "https://git.kernel.org/stable/c/cdffc358717e436bb67122bb82c1a2a26e050f98"
},
{
"url": "https://git.kernel.org/stable/c/ef7c428b425beeb52b894e16f1c4b629d6cebfb6"
},
{
"url": "https://git.kernel.org/stable/c/31f03bb04146c1c6df6c03e9f45401f5f5a985d3"
},
{
"url": "https://git.kernel.org/stable/c/8c2debdd170e395934ac0e039748576dfde14e99"
},
{
"url": "https://git.kernel.org/stable/c/3d550dd5418729a6e77fe7721d27adea7152e321"
},
{
"url": "https://git.kernel.org/stable/c/66be40e622e177316ae81717aa30057ba9e61dff"
}
],
"title": "tcp_metrics: validate source addr length",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-42154",
"datePublished": "2024-07-30T07:46:51.456Z",
"dateReserved": "2024-07-29T15:50:41.194Z",
"dateUpdated": "2025-05-04T09:24:17.764Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-42228 (GCVE-0-2024-42228)
Vulnerability from cvelistv5
Published
2024-07-30 07:47
Modified
2025-09-16 08:02
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc
Initialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001.
V2: To really improve the handling we would actually
need to have a separate value of 0xffffffff.(Christian)
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 Version: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 Version: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 Version: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 Version: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 Version: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 Version: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 Version: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:54:32.577Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/855ae72c20310e5402b2317fc537d911e87537ef"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/f8f120b3de48b8b6bdf8988a9b334c2d61c17440"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/88a9a467c548d0b3c7761b4fd54a68e70f9c0944"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42228",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T16:14:31.551012Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:34:33.081Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d35cf41c8eb5d9fe95b21ae6ee2910f9ba4878e8",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "3b505759447637dcccb50cbd98ec6f8d2a04fc46",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "df02642c21c984303fe34c3f7d72965792fb1a15",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "da6a85d197888067e8d38b5d22c986b5b5cab712",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "9ee1534ecdd5b4c013064663502d7fde824d2144",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "855ae72c20310e5402b2317fc537d911e87537ef",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "f8f120b3de48b8b6bdf8988a9b334c2d61c17440",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "88a9a467c548d0b3c7761b4fd54a68e70f9c0944",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.321",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.225",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.166",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.108",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.9.*",
"status": "unaffected",
"version": "6.9.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.10",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.321",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.283",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.225",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.166",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.108",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.39",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9.9",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc\n\nInitialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001.\nV2: To really improve the handling we would actually\n need to have a separate value of 0xffffffff.(Christian)"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T08:02:43.325Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d35cf41c8eb5d9fe95b21ae6ee2910f9ba4878e8"
},
{
"url": "https://git.kernel.org/stable/c/3b505759447637dcccb50cbd98ec6f8d2a04fc46"
},
{
"url": "https://git.kernel.org/stable/c/df02642c21c984303fe34c3f7d72965792fb1a15"
},
{
"url": "https://git.kernel.org/stable/c/da6a85d197888067e8d38b5d22c986b5b5cab712"
},
{
"url": "https://git.kernel.org/stable/c/9ee1534ecdd5b4c013064663502d7fde824d2144"
},
{
"url": "https://git.kernel.org/stable/c/855ae72c20310e5402b2317fc537d911e87537ef"
},
{
"url": "https://git.kernel.org/stable/c/f8f120b3de48b8b6bdf8988a9b334c2d61c17440"
},
{
"url": "https://git.kernel.org/stable/c/88a9a467c548d0b3c7761b4fd54a68e70f9c0944"
}
],
"title": "drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-42228",
"datePublished": "2024-07-30T07:47:08.955Z",
"dateReserved": "2024-07-30T07:40:12.250Z",
"dateUpdated": "2025-09-16T08:02:43.325Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52635 (GCVE-0-2023-52635)
Vulnerability from cvelistv5
Published
2024-04-02 06:49
Modified
2025-05-04 07:40
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
PM / devfreq: Synchronize devfreq_monitor_[start/stop]
There is a chance if a frequent switch of the governor
done in a loop result in timer list corruption where
timer cancel being done from two place one from
cancel_delayed_work_sync() and followed by expire_timers()
can be seen from the traces[1].
while true
do
echo "simple_ondemand" > /sys/class/devfreq/1d84000.ufshc/governor
echo "performance" > /sys/class/devfreq/1d84000.ufshc/governor
done
It looks to be issue with devfreq driver where
device_monitor_[start/stop] need to synchronized so that
delayed work should get corrupted while it is either
being queued or running or being cancelled.
Let's use polling flag and devfreq lock to synchronize the
queueing the timer instance twice and work data being
corrupted.
[1]
...
..
<idle>-0 [003] 9436.209662: timer_cancel timer=0xffffff80444f0428
<idle>-0 [003] 9436.209664: timer_expire_entry timer=0xffffff80444f0428 now=0x10022da1c function=__typeid__ZTSFvP10timer_listE_global_addr baseclk=0x10022da1c
<idle>-0 [003] 9436.209718: timer_expire_exit timer=0xffffff80444f0428
kworker/u16:6-14217 [003] 9436.209863: timer_start timer=0xffffff80444f0428 function=__typeid__ZTSFvP10timer_listE_global_addr expires=0x10022da2b now=0x10022da1c flags=182452227
vendor.xxxyyy.ha-1593 [004] 9436.209888: timer_cancel timer=0xffffff80444f0428
vendor.xxxyyy.ha-1593 [004] 9436.216390: timer_init timer=0xffffff80444f0428
vendor.xxxyyy.ha-1593 [004] 9436.216392: timer_start timer=0xffffff80444f0428 function=__typeid__ZTSFvP10timer_listE_global_addr expires=0x10022da2c now=0x10022da1d flags=186646532
vendor.xxxyyy.ha-1593 [005] 9436.220992: timer_cancel timer=0xffffff80444f0428
xxxyyyTraceManag-7795 [004] 9436.261641: timer_cancel timer=0xffffff80444f0428
[2]
9436.261653][ C4] Unable to handle kernel paging request at virtual address dead00000000012a
[ 9436.261664][ C4] Mem abort info:
[ 9436.261666][ C4] ESR = 0x96000044
[ 9436.261669][ C4] EC = 0x25: DABT (current EL), IL = 32 bits
[ 9436.261671][ C4] SET = 0, FnV = 0
[ 9436.261673][ C4] EA = 0, S1PTW = 0
[ 9436.261675][ C4] Data abort info:
[ 9436.261677][ C4] ISV = 0, ISS = 0x00000044
[ 9436.261680][ C4] CM = 0, WnR = 1
[ 9436.261682][ C4] [dead00000000012a] address between user and kernel address ranges
[ 9436.261685][ C4] Internal error: Oops: 96000044 [#1] PREEMPT SMP
[ 9436.261701][ C4] Skip md ftrace buffer dump for: 0x3a982d0
...
[ 9436.262138][ C4] CPU: 4 PID: 7795 Comm: TraceManag Tainted: G S W O 5.10.149-android12-9-o-g17f915d29d0c #1
[ 9436.262141][ C4] Hardware name: Qualcomm Technologies, Inc. (DT)
[ 9436.262144][ C4] pstate: 22400085 (nzCv daIf +PAN -UAO +TCO BTYPE=--)
[ 9436.262161][ C4] pc : expire_timers+0x9c/0x438
[ 9436.262164][ C4] lr : expire_timers+0x2a4/0x438
[ 9436.262168][ C4] sp : ffffffc010023dd0
[ 9436.262171][ C4] x29: ffffffc010023df0 x28: ffffffd0636fdc18
[ 9436.262178][ C4] x27: ffffffd063569dd0 x26: ffffffd063536008
[ 9436.262182][ C4] x25: 0000000000000001 x24: ffffff88f7c69280
[ 9436.262185][ C4] x23: 00000000000000e0 x22: dead000000000122
[ 9436.262188][ C4] x21: 000000010022da29 x20: ffffff8af72b4e80
[ 9436.262191][ C4] x19: ffffffc010023e50 x18: ffffffc010025038
[ 9436.262195][ C4] x17: 0000000000000240 x16: 0000000000000201
[ 9436.262199][ C4] x15: ffffffffffffffff x14: ffffff889f3c3100
[ 9436.262203][ C4] x13: ffffff889f3c3100 x12: 00000000049f56b8
[ 9436.262207][ C4] x11: 00000000049f56b8 x10: 00000000ffffffff
[ 9436.262212][ C4] x9 : ffffffc010023e50 x8 : dead000000000122
[ 9436.262216][ C4] x7 : ffffffffffffffff x6 : ffffffc0100239d8
[ 9436.262220][ C4] x5 : 0000000000000000 x4 : 0000000000000101
[ 9436.262223][ C4] x3 : 0000000000000080 x2 : ffffff8
---truncated---
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-52635",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-17T19:30:55.797428Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-17T19:31:03.162Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:03:21.345Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/3399cc7013e761fee9d6eec795e9b31ab0cbe475"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/099f6a9edbe30b142c1d97fe9a4748601d995675"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/31569995fc65007b73a3fff605ec2b3401b435e9"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/0aedb319ef3ed39e9e5a7b7726c8264ca627bbd9"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/ae815e2fdc284ab31651d52460698bd89c0fce22"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/aed5ed595960c6d301dcd4ed31aeaa7a8054c0c6"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/devfreq/devfreq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3399cc7013e761fee9d6eec795e9b31ab0cbe475",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "099f6a9edbe30b142c1d97fe9a4748601d995675",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "31569995fc65007b73a3fff605ec2b3401b435e9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0aedb319ef3ed39e9e5a7b7726c8264ca627bbd9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ae815e2fdc284ab31651d52460698bd89c0fce22",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "aed5ed595960c6d301dcd4ed31aeaa7a8054c0c6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/devfreq/devfreq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.8",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.210",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.149",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.77",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPM / devfreq: Synchronize devfreq_monitor_[start/stop]\n\nThere is a chance if a frequent switch of the governor\ndone in a loop result in timer list corruption where\ntimer cancel being done from two place one from\ncancel_delayed_work_sync() and followed by expire_timers()\ncan be seen from the traces[1].\n\nwhile true\ndo\n echo \"simple_ondemand\" \u003e /sys/class/devfreq/1d84000.ufshc/governor\n echo \"performance\" \u003e /sys/class/devfreq/1d84000.ufshc/governor\ndone\n\nIt looks to be issue with devfreq driver where\ndevice_monitor_[start/stop] need to synchronized so that\ndelayed work should get corrupted while it is either\nbeing queued or running or being cancelled.\n\nLet\u0027s use polling flag and devfreq lock to synchronize the\nqueueing the timer instance twice and work data being\ncorrupted.\n\n[1]\n...\n..\n\u003cidle\u003e-0 [003] 9436.209662: timer_cancel timer=0xffffff80444f0428\n\u003cidle\u003e-0 [003] 9436.209664: timer_expire_entry timer=0xffffff80444f0428 now=0x10022da1c function=__typeid__ZTSFvP10timer_listE_global_addr baseclk=0x10022da1c\n\u003cidle\u003e-0 [003] 9436.209718: timer_expire_exit timer=0xffffff80444f0428\nkworker/u16:6-14217 [003] 9436.209863: timer_start timer=0xffffff80444f0428 function=__typeid__ZTSFvP10timer_listE_global_addr expires=0x10022da2b now=0x10022da1c flags=182452227\nvendor.xxxyyy.ha-1593 [004] 9436.209888: timer_cancel timer=0xffffff80444f0428\nvendor.xxxyyy.ha-1593 [004] 9436.216390: timer_init timer=0xffffff80444f0428\nvendor.xxxyyy.ha-1593 [004] 9436.216392: timer_start timer=0xffffff80444f0428 function=__typeid__ZTSFvP10timer_listE_global_addr expires=0x10022da2c now=0x10022da1d flags=186646532\nvendor.xxxyyy.ha-1593 [005] 9436.220992: timer_cancel timer=0xffffff80444f0428\nxxxyyyTraceManag-7795 [004] 9436.261641: timer_cancel timer=0xffffff80444f0428\n\n[2]\n\n 9436.261653][ C4] Unable to handle kernel paging request at virtual address dead00000000012a\n[ 9436.261664][ C4] Mem abort info:\n[ 9436.261666][ C4] ESR = 0x96000044\n[ 9436.261669][ C4] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 9436.261671][ C4] SET = 0, FnV = 0\n[ 9436.261673][ C4] EA = 0, S1PTW = 0\n[ 9436.261675][ C4] Data abort info:\n[ 9436.261677][ C4] ISV = 0, ISS = 0x00000044\n[ 9436.261680][ C4] CM = 0, WnR = 1\n[ 9436.261682][ C4] [dead00000000012a] address between user and kernel address ranges\n[ 9436.261685][ C4] Internal error: Oops: 96000044 [#1] PREEMPT SMP\n[ 9436.261701][ C4] Skip md ftrace buffer dump for: 0x3a982d0\n...\n\n[ 9436.262138][ C4] CPU: 4 PID: 7795 Comm: TraceManag Tainted: G S W O 5.10.149-android12-9-o-g17f915d29d0c #1\n[ 9436.262141][ C4] Hardware name: Qualcomm Technologies, Inc. (DT)\n[ 9436.262144][ C4] pstate: 22400085 (nzCv daIf +PAN -UAO +TCO BTYPE=--)\n[ 9436.262161][ C4] pc : expire_timers+0x9c/0x438\n[ 9436.262164][ C4] lr : expire_timers+0x2a4/0x438\n[ 9436.262168][ C4] sp : ffffffc010023dd0\n[ 9436.262171][ C4] x29: ffffffc010023df0 x28: ffffffd0636fdc18\n[ 9436.262178][ C4] x27: ffffffd063569dd0 x26: ffffffd063536008\n[ 9436.262182][ C4] x25: 0000000000000001 x24: ffffff88f7c69280\n[ 9436.262185][ C4] x23: 00000000000000e0 x22: dead000000000122\n[ 9436.262188][ C4] x21: 000000010022da29 x20: ffffff8af72b4e80\n[ 9436.262191][ C4] x19: ffffffc010023e50 x18: ffffffc010025038\n[ 9436.262195][ C4] x17: 0000000000000240 x16: 0000000000000201\n[ 9436.262199][ C4] x15: ffffffffffffffff x14: ffffff889f3c3100\n[ 9436.262203][ C4] x13: ffffff889f3c3100 x12: 00000000049f56b8\n[ 9436.262207][ C4] x11: 00000000049f56b8 x10: 00000000ffffffff\n[ 9436.262212][ C4] x9 : ffffffc010023e50 x8 : dead000000000122\n[ 9436.262216][ C4] x7 : ffffffffffffffff x6 : ffffffc0100239d8\n[ 9436.262220][ C4] x5 : 0000000000000000 x4 : 0000000000000101\n[ 9436.262223][ C4] x3 : 0000000000000080 x2 : ffffff8\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:40:26.466Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3399cc7013e761fee9d6eec795e9b31ab0cbe475"
},
{
"url": "https://git.kernel.org/stable/c/099f6a9edbe30b142c1d97fe9a4748601d995675"
},
{
"url": "https://git.kernel.org/stable/c/31569995fc65007b73a3fff605ec2b3401b435e9"
},
{
"url": "https://git.kernel.org/stable/c/0aedb319ef3ed39e9e5a7b7726c8264ca627bbd9"
},
{
"url": "https://git.kernel.org/stable/c/ae815e2fdc284ab31651d52460698bd89c0fce22"
},
{
"url": "https://git.kernel.org/stable/c/aed5ed595960c6d301dcd4ed31aeaa7a8054c0c6"
}
],
"title": "PM / devfreq: Synchronize devfreq_monitor_[start/stop]",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52635",
"datePublished": "2024-04-02T06:49:13.143Z",
"dateReserved": "2024-03-06T09:52:12.092Z",
"dateUpdated": "2025-05-04T07:40:26.466Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-36960 (GCVE-0-2024-36960)
Vulnerability from cvelistv5
Published
2024-06-03 07:49
Modified
2025-05-04 09:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/vmwgfx: Fix invalid reads in fence signaled events
Correctly set the length of the drm_event to the size of the structure
that's actually used.
The length of the drm_event was set to the parent structure instead of
to the drm_vmw_event_fence which is supposed to be read. drm_read
uses the length parameter to copy the event to the user space thus
resuling in oob reads.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 8b7de6aa84682a3396544fd88cd457f95484573a Version: 8b7de6aa84682a3396544fd88cd457f95484573a Version: 8b7de6aa84682a3396544fd88cd457f95484573a Version: 8b7de6aa84682a3396544fd88cd457f95484573a Version: 8b7de6aa84682a3396544fd88cd457f95484573a Version: 8b7de6aa84682a3396544fd88cd457f95484573a Version: 8b7de6aa84682a3396544fd88cd457f95484573a Version: 8b7de6aa84682a3396544fd88cd457f95484573a |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-36960",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-03T13:45:10.318634Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:47:40.946Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:43:50.585Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/2f527e3efd37c7c5e85e8aa86308856b619fa59f"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/cef0962f2d3e5fd0660c8efb72321083a1b531a9"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/3cd682357c6167f636aec8ac0efaa8ba61144d36"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/b7bab33c4623c66e3398d5253870d4e88c52dfc0"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/0dbfc73670b357456196130551e586345ca48e1b"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/7b5fd3af4a250dd0a2a558e07b43478748eb5d22"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/deab66596dfad14f1c54eeefdb72428340d72a77"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/a37ef7613c00f2d72c8fc08bd83fb6cc76926c8c"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/vmwgfx/vmwgfx_fence.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2f527e3efd37c7c5e85e8aa86308856b619fa59f",
"status": "affected",
"version": "8b7de6aa84682a3396544fd88cd457f95484573a",
"versionType": "git"
},
{
"lessThan": "cef0962f2d3e5fd0660c8efb72321083a1b531a9",
"status": "affected",
"version": "8b7de6aa84682a3396544fd88cd457f95484573a",
"versionType": "git"
},
{
"lessThan": "3cd682357c6167f636aec8ac0efaa8ba61144d36",
"status": "affected",
"version": "8b7de6aa84682a3396544fd88cd457f95484573a",
"versionType": "git"
},
{
"lessThan": "b7bab33c4623c66e3398d5253870d4e88c52dfc0",
"status": "affected",
"version": "8b7de6aa84682a3396544fd88cd457f95484573a",
"versionType": "git"
},
{
"lessThan": "0dbfc73670b357456196130551e586345ca48e1b",
"status": "affected",
"version": "8b7de6aa84682a3396544fd88cd457f95484573a",
"versionType": "git"
},
{
"lessThan": "7b5fd3af4a250dd0a2a558e07b43478748eb5d22",
"status": "affected",
"version": "8b7de6aa84682a3396544fd88cd457f95484573a",
"versionType": "git"
},
{
"lessThan": "deab66596dfad14f1c54eeefdb72428340d72a77",
"status": "affected",
"version": "8b7de6aa84682a3396544fd88cd457f95484573a",
"versionType": "git"
},
{
"lessThan": "a37ef7613c00f2d72c8fc08bd83fb6cc76926c8c",
"status": "affected",
"version": "8b7de6aa84682a3396544fd88cd457f95484573a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/vmwgfx/vmwgfx_fence.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.4"
},
{
"lessThan": "3.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.314",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.217",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.31",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.9",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.314",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.276",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.217",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.159",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.91",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.31",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.10",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9",
"versionStartIncluding": "3.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Fix invalid reads in fence signaled events\n\nCorrectly set the length of the drm_event to the size of the structure\nthat\u0027s actually used.\n\nThe length of the drm_event was set to the parent structure instead of\nto the drm_vmw_event_fence which is supposed to be read. drm_read\nuses the length parameter to copy the event to the user space thus\nresuling in oob reads."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:12:52.237Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2f527e3efd37c7c5e85e8aa86308856b619fa59f"
},
{
"url": "https://git.kernel.org/stable/c/cef0962f2d3e5fd0660c8efb72321083a1b531a9"
},
{
"url": "https://git.kernel.org/stable/c/3cd682357c6167f636aec8ac0efaa8ba61144d36"
},
{
"url": "https://git.kernel.org/stable/c/b7bab33c4623c66e3398d5253870d4e88c52dfc0"
},
{
"url": "https://git.kernel.org/stable/c/0dbfc73670b357456196130551e586345ca48e1b"
},
{
"url": "https://git.kernel.org/stable/c/7b5fd3af4a250dd0a2a558e07b43478748eb5d22"
},
{
"url": "https://git.kernel.org/stable/c/deab66596dfad14f1c54eeefdb72428340d72a77"
},
{
"url": "https://git.kernel.org/stable/c/a37ef7613c00f2d72c8fc08bd83fb6cc76926c8c"
}
],
"title": "drm/vmwgfx: Fix invalid reads in fence signaled events",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-36960",
"datePublished": "2024-06-03T07:49:58.951Z",
"dateReserved": "2024-05-30T15:25:07.081Z",
"dateUpdated": "2025-05-04T09:12:52.237Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-36920 (GCVE-0-2024-36920)
Vulnerability from cvelistv5
Published
2024-05-30 15:29
Modified
2025-05-04 09:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: mpi3mr: Avoid memcpy field-spanning write WARNING
When the "storcli2 show" command is executed for eHBA-9600, mpi3mr driver
prints this WARNING message:
memcpy: detected field-spanning write (size 128) of single field "bsg_reply_buf->reply_buf" at drivers/scsi/mpi3mr/mpi3mr_app.c:1658 (size 1)
WARNING: CPU: 0 PID: 12760 at drivers/scsi/mpi3mr/mpi3mr_app.c:1658 mpi3mr_bsg_request+0x6b12/0x7f10 [mpi3mr]
The cause of the WARN is 128 bytes memcpy to the 1 byte size array "__u8
replay_buf[1]" in the struct mpi3mr_bsg_in_reply_buf. The array is intended
to be a flexible length array, so the WARN is a false positive.
To suppress the WARN, remove the constant number '1' from the array
declaration and clarify that it has flexible length. Also, adjust the
memory allocation size to match the change.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-36920",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-05T18:22:06.427418Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-05T18:22:15.903Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:43:49.112Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/5f0266044dc611563539705bff0b3e1545fbb6aa"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/f09318244c6cafd10aca741b9c01e0a2c362d43a"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/4d2772324f43cf5674ac3dbe3f74a7e656396716"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/429846b4b6ce9853e0d803a2357bb2e55083adf0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/mpi3mr/mpi3mr_app.c",
"include/uapi/scsi/scsi_bsg_mpi3mr.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5f0266044dc611563539705bff0b3e1545fbb6aa",
"status": "affected",
"version": "c4f7ac64616ee513f9ac4ae6c4d8c3cccb6974df",
"versionType": "git"
},
{
"lessThan": "f09318244c6cafd10aca741b9c01e0a2c362d43a",
"status": "affected",
"version": "c4f7ac64616ee513f9ac4ae6c4d8c3cccb6974df",
"versionType": "git"
},
{
"lessThan": "4d2772324f43cf5674ac3dbe3f74a7e656396716",
"status": "affected",
"version": "c4f7ac64616ee513f9ac4ae6c4d8c3cccb6974df",
"versionType": "git"
},
{
"lessThan": "429846b4b6ce9853e0d803a2357bb2e55083adf0",
"status": "affected",
"version": "c4f7ac64616ee513f9ac4ae6c4d8c3cccb6974df",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/mpi3mr/mpi3mr_app.c",
"include/uapi/scsi/scsi_bsg_mpi3mr.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.31",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.9",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.91",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.31",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.10",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpi3mr: Avoid memcpy field-spanning write WARNING\n\nWhen the \"storcli2 show\" command is executed for eHBA-9600, mpi3mr driver\nprints this WARNING message:\n\n memcpy: detected field-spanning write (size 128) of single field \"bsg_reply_buf-\u003ereply_buf\" at drivers/scsi/mpi3mr/mpi3mr_app.c:1658 (size 1)\n WARNING: CPU: 0 PID: 12760 at drivers/scsi/mpi3mr/mpi3mr_app.c:1658 mpi3mr_bsg_request+0x6b12/0x7f10 [mpi3mr]\n\nThe cause of the WARN is 128 bytes memcpy to the 1 byte size array \"__u8\nreplay_buf[1]\" in the struct mpi3mr_bsg_in_reply_buf. The array is intended\nto be a flexible length array, so the WARN is a false positive.\n\nTo suppress the WARN, remove the constant number \u00271\u0027 from the array\ndeclaration and clarify that it has flexible length. Also, adjust the\nmemory allocation size to match the change."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:12:05.941Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5f0266044dc611563539705bff0b3e1545fbb6aa"
},
{
"url": "https://git.kernel.org/stable/c/f09318244c6cafd10aca741b9c01e0a2c362d43a"
},
{
"url": "https://git.kernel.org/stable/c/4d2772324f43cf5674ac3dbe3f74a7e656396716"
},
{
"url": "https://git.kernel.org/stable/c/429846b4b6ce9853e0d803a2357bb2e55083adf0"
}
],
"title": "scsi: mpi3mr: Avoid memcpy field-spanning write WARNING",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-36920",
"datePublished": "2024-05-30T15:29:15.121Z",
"dateReserved": "2024-05-30T15:25:07.068Z",
"dateUpdated": "2025-05-04T09:12:05.941Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-42271 (GCVE-0-2024-42271)
Vulnerability from cvelistv5
Published
2024-08-17 08:54
Modified
2025-05-04 09:25
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/iucv: fix use after free in iucv_sock_close()
iucv_sever_path() is called from process context and from bh context.
iucv->path is used as indicator whether somebody else is taking care of
severing the path (or it is already removed / never existed).
This needs to be done with atomic compare and swap, otherwise there is a
small window where iucv_sock_close() will try to work with a path that has
already been severed and freed by iucv_callback_connrej() called by
iucv_tasklet_fn().
Example:
[452744.123844] Call Trace:
[452744.123845] ([<0000001e87f03880>] 0x1e87f03880)
[452744.123966] [<00000000d593001e>] iucv_path_sever+0x96/0x138
[452744.124330] [<000003ff801ddbca>] iucv_sever_path+0xc2/0xd0 [af_iucv]
[452744.124336] [<000003ff801e01b6>] iucv_sock_close+0xa6/0x310 [af_iucv]
[452744.124341] [<000003ff801e08cc>] iucv_sock_release+0x3c/0xd0 [af_iucv]
[452744.124345] [<00000000d574794e>] __sock_release+0x5e/0xe8
[452744.124815] [<00000000d5747a0c>] sock_close+0x34/0x48
[452744.124820] [<00000000d5421642>] __fput+0xba/0x268
[452744.124826] [<00000000d51b382c>] task_work_run+0xbc/0xf0
[452744.124832] [<00000000d5145710>] do_notify_resume+0x88/0x90
[452744.124841] [<00000000d5978096>] system_call+0xe2/0x2c8
[452744.125319] Last Breaking-Event-Address:
[452744.125321] [<00000000d5930018>] iucv_path_sever+0x90/0x138
[452744.125324]
[452744.125325] Kernel panic - not syncing: Fatal exception in interrupt
Note that bh_lock_sock() is not serializing the tasklet context against
process context, because the check for sock_owned_by_user() and
corresponding handling is missing.
Ideas for a future clean-up patch:
A) Correct usage of bh_lock_sock() in tasklet context, as described in
Re-enqueue, if needed. This may require adding return values to the
tasklet functions and thus changes to all users of iucv.
B) Change iucv tasklet into worker and use only lock_sock() in af_iucv.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 7d316b9453523498246e9e19a659c423d4c5081e Version: 7d316b9453523498246e9e19a659c423d4c5081e Version: 7d316b9453523498246e9e19a659c423d4c5081e Version: 7d316b9453523498246e9e19a659c423d4c5081e Version: 7d316b9453523498246e9e19a659c423d4c5081e Version: 7d316b9453523498246e9e19a659c423d4c5081e Version: 7d316b9453523498246e9e19a659c423d4c5081e Version: 7d316b9453523498246e9e19a659c423d4c5081e |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42271",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T16:12:11.442193Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T17:33:32.331Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/iucv/af_iucv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "84f40b46787ecb67c7ad08a5bb1376141fa10c01",
"status": "affected",
"version": "7d316b9453523498246e9e19a659c423d4c5081e",
"versionType": "git"
},
{
"lessThan": "37652fbef9809411cea55ea5fa1a170e299efcd0",
"status": "affected",
"version": "7d316b9453523498246e9e19a659c423d4c5081e",
"versionType": "git"
},
{
"lessThan": "c65f72eec60a34ace031426e04e9aff8e5f04895",
"status": "affected",
"version": "7d316b9453523498246e9e19a659c423d4c5081e",
"versionType": "git"
},
{
"lessThan": "ac758e1f663fe9bc64f6b47212a2aa18697524f5",
"status": "affected",
"version": "7d316b9453523498246e9e19a659c423d4c5081e",
"versionType": "git"
},
{
"lessThan": "8b424c9e44111c5a76f41c6b741f8d4c4179d876",
"status": "affected",
"version": "7d316b9453523498246e9e19a659c423d4c5081e",
"versionType": "git"
},
{
"lessThan": "01437282fd3904810603f3dc98d2cac6b8b6fc84",
"status": "affected",
"version": "7d316b9453523498246e9e19a659c423d4c5081e",
"versionType": "git"
},
{
"lessThan": "69620522c48ce8215e5eb55ffbab8cafee8f407d",
"status": "affected",
"version": "7d316b9453523498246e9e19a659c423d4c5081e",
"versionType": "git"
},
{
"lessThan": "f558120cd709682b739207b48cf7479fd9568431",
"status": "affected",
"version": "7d316b9453523498246e9e19a659c423d4c5081e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/iucv/af_iucv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.4"
},
{
"lessThan": "3.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.320",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.282",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.224",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.104",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.10.*",
"status": "unaffected",
"version": "6.10.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.11",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.320",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.282",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.224",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.165",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.104",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.45",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10.4",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11",
"versionStartIncluding": "3.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/iucv: fix use after free in iucv_sock_close()\n\niucv_sever_path() is called from process context and from bh context.\niucv-\u003epath is used as indicator whether somebody else is taking care of\nsevering the path (or it is already removed / never existed).\nThis needs to be done with atomic compare and swap, otherwise there is a\nsmall window where iucv_sock_close() will try to work with a path that has\nalready been severed and freed by iucv_callback_connrej() called by\niucv_tasklet_fn().\n\nExample:\n[452744.123844] Call Trace:\n[452744.123845] ([\u003c0000001e87f03880\u003e] 0x1e87f03880)\n[452744.123966] [\u003c00000000d593001e\u003e] iucv_path_sever+0x96/0x138\n[452744.124330] [\u003c000003ff801ddbca\u003e] iucv_sever_path+0xc2/0xd0 [af_iucv]\n[452744.124336] [\u003c000003ff801e01b6\u003e] iucv_sock_close+0xa6/0x310 [af_iucv]\n[452744.124341] [\u003c000003ff801e08cc\u003e] iucv_sock_release+0x3c/0xd0 [af_iucv]\n[452744.124345] [\u003c00000000d574794e\u003e] __sock_release+0x5e/0xe8\n[452744.124815] [\u003c00000000d5747a0c\u003e] sock_close+0x34/0x48\n[452744.124820] [\u003c00000000d5421642\u003e] __fput+0xba/0x268\n[452744.124826] [\u003c00000000d51b382c\u003e] task_work_run+0xbc/0xf0\n[452744.124832] [\u003c00000000d5145710\u003e] do_notify_resume+0x88/0x90\n[452744.124841] [\u003c00000000d5978096\u003e] system_call+0xe2/0x2c8\n[452744.125319] Last Breaking-Event-Address:\n[452744.125321] [\u003c00000000d5930018\u003e] iucv_path_sever+0x90/0x138\n[452744.125324]\n[452744.125325] Kernel panic - not syncing: Fatal exception in interrupt\n\nNote that bh_lock_sock() is not serializing the tasklet context against\nprocess context, because the check for sock_owned_by_user() and\ncorresponding handling is missing.\n\nIdeas for a future clean-up patch:\nA) Correct usage of bh_lock_sock() in tasklet context, as described in\nRe-enqueue, if needed. This may require adding return values to the\ntasklet functions and thus changes to all users of iucv.\n\nB) Change iucv tasklet into worker and use only lock_sock() in af_iucv."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:25:37.701Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/84f40b46787ecb67c7ad08a5bb1376141fa10c01"
},
{
"url": "https://git.kernel.org/stable/c/37652fbef9809411cea55ea5fa1a170e299efcd0"
},
{
"url": "https://git.kernel.org/stable/c/c65f72eec60a34ace031426e04e9aff8e5f04895"
},
{
"url": "https://git.kernel.org/stable/c/ac758e1f663fe9bc64f6b47212a2aa18697524f5"
},
{
"url": "https://git.kernel.org/stable/c/8b424c9e44111c5a76f41c6b741f8d4c4179d876"
},
{
"url": "https://git.kernel.org/stable/c/01437282fd3904810603f3dc98d2cac6b8b6fc84"
},
{
"url": "https://git.kernel.org/stable/c/69620522c48ce8215e5eb55ffbab8cafee8f407d"
},
{
"url": "https://git.kernel.org/stable/c/f558120cd709682b739207b48cf7479fd9568431"
}
],
"title": "net/iucv: fix use after free in iucv_sock_close()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-42271",
"datePublished": "2024-08-17T08:54:26.048Z",
"dateReserved": "2024-07-30T07:40:12.260Z",
"dateUpdated": "2025-05-04T09:25:37.701Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41008 (GCVE-0-2024-41008)
Vulnerability from cvelistv5
Published
2024-07-16 08:03
Modified
2025-09-16 08:02
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: change vm->task_info handling
This patch changes the handling and lifecycle of vm->task_info object.
The major changes are:
- vm->task_info is a dynamically allocated ptr now, and its uasge is
reference counted.
- introducing two new helper funcs for task_info lifecycle management
- amdgpu_vm_get_task_info: reference counts up task_info before
returning this info
- amdgpu_vm_put_task_info: reference counts down task_info
- last put to task_info() frees task_info from the vm.
This patch also does logistical changes required for existing usage
of vm->task_info.
V2: Do not block all the prints when task_info not found (Felix)
V3: Fixed review comments from Felix
- Fix wrong indentation
- No debug message for -ENOMEM
- Add NULL check for task_info
- Do not duplicate the debug messages (ti vs no ti)
- Get first reference of task_info in vm_init(), put last
in vm_fini()
V4: Fixed review comments from Felix
- fix double reference increment in create_task_info
- change amdgpu_vm_get_task_info_pasid
- additional changes in amdgpu_gem.c while porting
References
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:39:56.069Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/b8f67b9ddf4f8fe6dd536590712b5912ad78f99c"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41008",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T17:00:49.381223Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:34:18.174Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c",
"drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c",
"drivers/gpu/drm/amd/amdgpu/amdgpu_job.c",
"drivers/gpu/drm/amd/amdgpu/amdgpu_reset.c",
"drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c",
"drivers/gpu/drm/amd/amdgpu/amdgpu_vm.h",
"drivers/gpu/drm/amd/amdgpu/amdgpu_vm_pt.c",
"drivers/gpu/drm/amd/amdgpu/gmc_v10_0.c",
"drivers/gpu/drm/amd/amdgpu/gmc_v11_0.c",
"drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c",
"drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c",
"drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c",
"drivers/gpu/drm/amd/amdgpu/sdma_v4_4_2.c",
"drivers/gpu/drm/amd/amdkfd/kfd_smi_events.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b8f67b9ddf4f8fe6dd536590712b5912ad78f99c",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c",
"drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c",
"drivers/gpu/drm/amd/amdgpu/amdgpu_job.c",
"drivers/gpu/drm/amd/amdgpu/amdgpu_reset.c",
"drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c",
"drivers/gpu/drm/amd/amdgpu/amdgpu_vm.h",
"drivers/gpu/drm/amd/amdgpu/amdgpu_vm_pt.c",
"drivers/gpu/drm/amd/amdgpu/gmc_v10_0.c",
"drivers/gpu/drm/amd/amdgpu/gmc_v11_0.c",
"drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c",
"drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c",
"drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c",
"drivers/gpu/drm/amd/amdgpu/sdma_v4_4_2.c",
"drivers/gpu/drm/amd/amdkfd/kfd_smi_events.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.9",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: change vm-\u003etask_info handling\n\nThis patch changes the handling and lifecycle of vm-\u003etask_info object.\nThe major changes are:\n- vm-\u003etask_info is a dynamically allocated ptr now, and its uasge is\n reference counted.\n- introducing two new helper funcs for task_info lifecycle management\n - amdgpu_vm_get_task_info: reference counts up task_info before\n returning this info\n - amdgpu_vm_put_task_info: reference counts down task_info\n- last put to task_info() frees task_info from the vm.\n\nThis patch also does logistical changes required for existing usage\nof vm-\u003etask_info.\n\nV2: Do not block all the prints when task_info not found (Felix)\n\nV3: Fixed review comments from Felix\n - Fix wrong indentation\n - No debug message for -ENOMEM\n - Add NULL check for task_info\n - Do not duplicate the debug messages (ti vs no ti)\n - Get first reference of task_info in vm_init(), put last\n in vm_fini()\n\nV4: Fixed review comments from Felix\n - fix double reference increment in create_task_info\n - change amdgpu_vm_get_task_info_pasid\n - additional changes in amdgpu_gem.c while porting"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T08:02:39.206Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b8f67b9ddf4f8fe6dd536590712b5912ad78f99c"
}
],
"title": "drm/amdgpu: change vm-\u003etask_info handling",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-41008",
"datePublished": "2024-07-16T08:03:47.091Z",
"dateReserved": "2024-07-12T12:17:45.610Z",
"dateUpdated": "2025-09-16T08:02:39.206Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-26984 (GCVE-0-2024-26984)
Vulnerability from cvelistv5
Published
2024-05-01 05:27
Modified
2025-05-04 09:01
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nouveau: fix instmem race condition around ptr stores
Running a lot of VK CTS in parallel against nouveau, once every
few hours you might see something like this crash.
BUG: kernel NULL pointer dereference, address: 0000000000000008
PGD 8000000114e6e067 P4D 8000000114e6e067 PUD 109046067 PMD 0
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 7 PID: 53891 Comm: deqp-vk Not tainted 6.8.0-rc6+ #27
Hardware name: Gigabyte Technology Co., Ltd. Z390 I AORUS PRO WIFI/Z390 I AORUS PRO WIFI-CF, BIOS F8 11/05/2021
RIP: 0010:gp100_vmm_pgt_mem+0xe3/0x180 [nouveau]
Code: c7 48 01 c8 49 89 45 58 85 d2 0f 84 95 00 00 00 41 0f b7 46 12 49 8b 7e 08 89 da 42 8d 2c f8 48 8b 47 08 41 83 c7 01 48 89 ee <48> 8b 40 08 ff d0 0f 1f 00 49 8b 7e 08 48 89 d9 48 8d 75 04 48 c1
RSP: 0000:ffffac20c5857838 EFLAGS: 00010202
RAX: 0000000000000000 RBX: 00000000004d8001 RCX: 0000000000000001
RDX: 00000000004d8001 RSI: 00000000000006d8 RDI: ffffa07afe332180
RBP: 00000000000006d8 R08: ffffac20c5857ad0 R09: 0000000000ffff10
R10: 0000000000000001 R11: ffffa07af27e2de0 R12: 000000000000001c
R13: ffffac20c5857ad0 R14: ffffa07a96fe9040 R15: 000000000000001c
FS: 00007fe395eed7c0(0000) GS:ffffa07e2c980000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000008 CR3: 000000011febe001 CR4: 00000000003706f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
...
? gp100_vmm_pgt_mem+0xe3/0x180 [nouveau]
? gp100_vmm_pgt_mem+0x37/0x180 [nouveau]
nvkm_vmm_iter+0x351/0xa20 [nouveau]
? __pfx_nvkm_vmm_ref_ptes+0x10/0x10 [nouveau]
? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]
? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]
? __lock_acquire+0x3ed/0x2170
? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]
nvkm_vmm_ptes_get_map+0xc2/0x100 [nouveau]
? __pfx_nvkm_vmm_ref_ptes+0x10/0x10 [nouveau]
? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]
nvkm_vmm_map_locked+0x224/0x3a0 [nouveau]
Adding any sort of useful debug usually makes it go away, so I hand
wrote the function in a line, and debugged the asm.
Every so often pt->memory->ptrs is NULL. This ptrs ptr is set in
the nv50_instobj_acquire called from nvkm_kmap.
If Thread A and Thread B both get to nv50_instobj_acquire around
the same time, and Thread A hits the refcount_set line, and in
lockstep thread B succeeds at refcount_inc_not_zero, there is a
chance the ptrs value won't have been stored since refcount_set
is unordered. Force a memory barrier here, I picked smp_mb, since
we want it on all CPUs and it's write followed by a read.
v2: use paired smp_rmb/smp_wmb.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: be55287aa5ba6895e9d4d3ed2f08a1be7a065957 Version: be55287aa5ba6895e9d4d3ed2f08a1be7a065957 Version: be55287aa5ba6895e9d4d3ed2f08a1be7a065957 Version: be55287aa5ba6895e9d4d3ed2f08a1be7a065957 Version: be55287aa5ba6895e9d4d3ed2f08a1be7a065957 Version: be55287aa5ba6895e9d4d3ed2f08a1be7a065957 Version: be55287aa5ba6895e9d4d3ed2f08a1be7a065957 Version: be55287aa5ba6895e9d4d3ed2f08a1be7a065957 |
||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "bba8ec5e9b16",
"status": "affected",
"version": "be55287aa5ba",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "1bc4825d4c3e",
"status": "affected",
"version": "be55287aa5ba",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "13d76b2f443d",
"status": "affected",
"version": "be55287aa5ba",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "3ab056814cd8",
"status": "affected",
"version": "be55287aa5ba",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "ad74d208f213",
"status": "affected",
"version": "be55287aa5ba",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "a019b44b1bc6",
"status": "affected",
"version": "be55287aa5ba",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "21ca9539f093",
"status": "affected",
"version": "be55287aa5ba",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "fff1386cc889",
"status": "affected",
"version": "be55287aa5ba",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "4.20",
"status": "unaffected",
"version": "4.19.313",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "5.5",
"status": "unaffected",
"version": "5.4.275",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "5.16",
"status": "unaffected",
"version": "5.15.157",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "6.2",
"status": "unaffected",
"version": "6.1.88",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "6.7",
"status": "unaffected",
"version": "6.6.29",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "6.9",
"status": "unaffected",
"version": "6.8.8",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"status": "unaffected",
"version": "6.9"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:4.15:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"status": "affected",
"version": "4.15"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "5.11",
"status": "unaffected",
"version": "5.10.216",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-26984",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-05T20:59:23.585345Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-05T20:59:40.867Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:21:05.854Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/bba8ec5e9b16649d85bc9e9086bf7ae5b5716ff9"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/1bc4825d4c3ec6abe43cf06c3c39d664d044cbf7"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/13d76b2f443dc371842916dd8768009ff1594716"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/3ab056814cd8ab84744c9a19ef51360b2271c572"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/ad74d208f213c06d860916ad40f609ade8c13039"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/a019b44b1bc6ed224c46fb5f88a8a10dd116e525"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/21ca9539f09360fd83654f78f2c361f2f5ddcb52"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/fff1386cc889d8fb4089d285f883f8cba62d82ce"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/nouveau/nvkm/subdev/instmem/nv50.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bba8ec5e9b16649d85bc9e9086bf7ae5b5716ff9",
"status": "affected",
"version": "be55287aa5ba6895e9d4d3ed2f08a1be7a065957",
"versionType": "git"
},
{
"lessThan": "1bc4825d4c3ec6abe43cf06c3c39d664d044cbf7",
"status": "affected",
"version": "be55287aa5ba6895e9d4d3ed2f08a1be7a065957",
"versionType": "git"
},
{
"lessThan": "13d76b2f443dc371842916dd8768009ff1594716",
"status": "affected",
"version": "be55287aa5ba6895e9d4d3ed2f08a1be7a065957",
"versionType": "git"
},
{
"lessThan": "3ab056814cd8ab84744c9a19ef51360b2271c572",
"status": "affected",
"version": "be55287aa5ba6895e9d4d3ed2f08a1be7a065957",
"versionType": "git"
},
{
"lessThan": "ad74d208f213c06d860916ad40f609ade8c13039",
"status": "affected",
"version": "be55287aa5ba6895e9d4d3ed2f08a1be7a065957",
"versionType": "git"
},
{
"lessThan": "a019b44b1bc6ed224c46fb5f88a8a10dd116e525",
"status": "affected",
"version": "be55287aa5ba6895e9d4d3ed2f08a1be7a065957",
"versionType": "git"
},
{
"lessThan": "21ca9539f09360fd83654f78f2c361f2f5ddcb52",
"status": "affected",
"version": "be55287aa5ba6895e9d4d3ed2f08a1be7a065957",
"versionType": "git"
},
{
"lessThan": "fff1386cc889d8fb4089d285f883f8cba62d82ce",
"status": "affected",
"version": "be55287aa5ba6895e9d4d3ed2f08a1be7a065957",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/nouveau/nvkm/subdev/instmem/nv50.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.313",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.275",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.216",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.29",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.9",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.313",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.275",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.216",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.157",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.88",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.29",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.8",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnouveau: fix instmem race condition around ptr stores\n\nRunning a lot of VK CTS in parallel against nouveau, once every\nfew hours you might see something like this crash.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000008\nPGD 8000000114e6e067 P4D 8000000114e6e067 PUD 109046067 PMD 0\nOops: 0000 [#1] PREEMPT SMP PTI\nCPU: 7 PID: 53891 Comm: deqp-vk Not tainted 6.8.0-rc6+ #27\nHardware name: Gigabyte Technology Co., Ltd. Z390 I AORUS PRO WIFI/Z390 I AORUS PRO WIFI-CF, BIOS F8 11/05/2021\nRIP: 0010:gp100_vmm_pgt_mem+0xe3/0x180 [nouveau]\nCode: c7 48 01 c8 49 89 45 58 85 d2 0f 84 95 00 00 00 41 0f b7 46 12 49 8b 7e 08 89 da 42 8d 2c f8 48 8b 47 08 41 83 c7 01 48 89 ee \u003c48\u003e 8b 40 08 ff d0 0f 1f 00 49 8b 7e 08 48 89 d9 48 8d 75 04 48 c1\nRSP: 0000:ffffac20c5857838 EFLAGS: 00010202\nRAX: 0000000000000000 RBX: 00000000004d8001 RCX: 0000000000000001\nRDX: 00000000004d8001 RSI: 00000000000006d8 RDI: ffffa07afe332180\nRBP: 00000000000006d8 R08: ffffac20c5857ad0 R09: 0000000000ffff10\nR10: 0000000000000001 R11: ffffa07af27e2de0 R12: 000000000000001c\nR13: ffffac20c5857ad0 R14: ffffa07a96fe9040 R15: 000000000000001c\nFS: 00007fe395eed7c0(0000) GS:ffffa07e2c980000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000008 CR3: 000000011febe001 CR4: 00000000003706f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n\n...\n\n ? gp100_vmm_pgt_mem+0xe3/0x180 [nouveau]\n ? gp100_vmm_pgt_mem+0x37/0x180 [nouveau]\n nvkm_vmm_iter+0x351/0xa20 [nouveau]\n ? __pfx_nvkm_vmm_ref_ptes+0x10/0x10 [nouveau]\n ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]\n ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]\n ? __lock_acquire+0x3ed/0x2170\n ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]\n nvkm_vmm_ptes_get_map+0xc2/0x100 [nouveau]\n ? __pfx_nvkm_vmm_ref_ptes+0x10/0x10 [nouveau]\n ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]\n nvkm_vmm_map_locked+0x224/0x3a0 [nouveau]\n\nAdding any sort of useful debug usually makes it go away, so I hand\nwrote the function in a line, and debugged the asm.\n\nEvery so often pt-\u003ememory-\u003eptrs is NULL. This ptrs ptr is set in\nthe nv50_instobj_acquire called from nvkm_kmap.\n\nIf Thread A and Thread B both get to nv50_instobj_acquire around\nthe same time, and Thread A hits the refcount_set line, and in\nlockstep thread B succeeds at refcount_inc_not_zero, there is a\nchance the ptrs value won\u0027t have been stored since refcount_set\nis unordered. Force a memory barrier here, I picked smp_mb, since\nwe want it on all CPUs and it\u0027s write followed by a read.\n\nv2: use paired smp_rmb/smp_wmb."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:01:29.153Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bba8ec5e9b16649d85bc9e9086bf7ae5b5716ff9"
},
{
"url": "https://git.kernel.org/stable/c/1bc4825d4c3ec6abe43cf06c3c39d664d044cbf7"
},
{
"url": "https://git.kernel.org/stable/c/13d76b2f443dc371842916dd8768009ff1594716"
},
{
"url": "https://git.kernel.org/stable/c/3ab056814cd8ab84744c9a19ef51360b2271c572"
},
{
"url": "https://git.kernel.org/stable/c/ad74d208f213c06d860916ad40f609ade8c13039"
},
{
"url": "https://git.kernel.org/stable/c/a019b44b1bc6ed224c46fb5f88a8a10dd116e525"
},
{
"url": "https://git.kernel.org/stable/c/21ca9539f09360fd83654f78f2c361f2f5ddcb52"
},
{
"url": "https://git.kernel.org/stable/c/fff1386cc889d8fb4089d285f883f8cba62d82ce"
}
],
"title": "nouveau: fix instmem race condition around ptr stores",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-26984",
"datePublished": "2024-05-01T05:27:20.506Z",
"dateReserved": "2024-02-19T14:20:24.204Z",
"dateUpdated": "2025-05-04T09:01:29.153Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-26704 (GCVE-0-2024-26704)
Vulnerability from cvelistv5
Published
2024-04-03 14:55
Modified
2025-05-04 08:54
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix double-free of blocks due to wrong extents moved_len
In ext4_move_extents(), moved_len is only updated when all moves are
successfully executed, and only discards orig_inode and donor_inode
preallocations when moved_len is not zero. When the loop fails to exit
after successfully moving some extents, moved_len is not updated and
remains at 0, so it does not discard the preallocations.
If the moved extents overlap with the preallocated extents, the
overlapped extents are freed twice in ext4_mb_release_inode_pa() and
ext4_process_freed_data() (as described in commit 94d7c16cbbbd ("ext4:
Fix double-free of blocks with EXT4_IOC_MOVE_EXT")), and bb_free is
incremented twice. Hence when trim is executed, a zero-division bug is
triggered in mb_update_avg_fragment_size() because bb_free is not zero
and bb_fragments is zero.
Therefore, update move_len after each extent move to avoid the issue.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: fcf6b1b729bcd23f2b49a84fb33ffbb44712ee6a Version: fcf6b1b729bcd23f2b49a84fb33ffbb44712ee6a Version: fcf6b1b729bcd23f2b49a84fb33ffbb44712ee6a Version: fcf6b1b729bcd23f2b49a84fb33ffbb44712ee6a Version: fcf6b1b729bcd23f2b49a84fb33ffbb44712ee6a Version: fcf6b1b729bcd23f2b49a84fb33ffbb44712ee6a Version: fcf6b1b729bcd23f2b49a84fb33ffbb44712ee6a Version: fcf6b1b729bcd23f2b49a84fb33ffbb44712ee6a |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:14:12.613Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/b4fbb89d722cbb16beaaea234b7230faaaf68c71"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/afbcad9ae7d6d11608399188f03a837451b6b3a1"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/d033a555d9a1cf53dbf3301af7199cc4a4c8f537"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/afba9d11320dad5ce222ac8964caf64b7b4bedb1"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/185eab30486ba3e7bf8b9c2e049c79a06ffd2bc1"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/2883940b19c38d5884c8626483811acf4d7e148f"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/559ddacb90da1d8786dd8ec4fd76bbfa404eaef6"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/55583e899a5357308274601364741a83e78d6ac4"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26704",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T15:52:39.832740Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:33:27.505Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/move_extent.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b4fbb89d722cbb16beaaea234b7230faaaf68c71",
"status": "affected",
"version": "fcf6b1b729bcd23f2b49a84fb33ffbb44712ee6a",
"versionType": "git"
},
{
"lessThan": "afbcad9ae7d6d11608399188f03a837451b6b3a1",
"status": "affected",
"version": "fcf6b1b729bcd23f2b49a84fb33ffbb44712ee6a",
"versionType": "git"
},
{
"lessThan": "d033a555d9a1cf53dbf3301af7199cc4a4c8f537",
"status": "affected",
"version": "fcf6b1b729bcd23f2b49a84fb33ffbb44712ee6a",
"versionType": "git"
},
{
"lessThan": "afba9d11320dad5ce222ac8964caf64b7b4bedb1",
"status": "affected",
"version": "fcf6b1b729bcd23f2b49a84fb33ffbb44712ee6a",
"versionType": "git"
},
{
"lessThan": "185eab30486ba3e7bf8b9c2e049c79a06ffd2bc1",
"status": "affected",
"version": "fcf6b1b729bcd23f2b49a84fb33ffbb44712ee6a",
"versionType": "git"
},
{
"lessThan": "2883940b19c38d5884c8626483811acf4d7e148f",
"status": "affected",
"version": "fcf6b1b729bcd23f2b49a84fb33ffbb44712ee6a",
"versionType": "git"
},
{
"lessThan": "559ddacb90da1d8786dd8ec4fd76bbfa404eaef6",
"status": "affected",
"version": "fcf6b1b729bcd23f2b49a84fb33ffbb44712ee6a",
"versionType": "git"
},
{
"lessThan": "55583e899a5357308274601364741a83e78d6ac4",
"status": "affected",
"version": "fcf6b1b729bcd23f2b49a84fb33ffbb44712ee6a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/move_extent.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.18"
},
{
"lessThan": "3.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.307",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.269",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.79",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.8",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.307",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.269",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.210",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.149",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.79",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.18",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.6",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8",
"versionStartIncluding": "3.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix double-free of blocks due to wrong extents moved_len\n\nIn ext4_move_extents(), moved_len is only updated when all moves are\nsuccessfully executed, and only discards orig_inode and donor_inode\npreallocations when moved_len is not zero. When the loop fails to exit\nafter successfully moving some extents, moved_len is not updated and\nremains at 0, so it does not discard the preallocations.\n\nIf the moved extents overlap with the preallocated extents, the\noverlapped extents are freed twice in ext4_mb_release_inode_pa() and\next4_process_freed_data() (as described in commit 94d7c16cbbbd (\"ext4:\nFix double-free of blocks with EXT4_IOC_MOVE_EXT\")), and bb_free is\nincremented twice. Hence when trim is executed, a zero-division bug is\ntriggered in mb_update_avg_fragment_size() because bb_free is not zero\nand bb_fragments is zero.\n\nTherefore, update move_len after each extent move to avoid the issue."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:54:27.242Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b4fbb89d722cbb16beaaea234b7230faaaf68c71"
},
{
"url": "https://git.kernel.org/stable/c/afbcad9ae7d6d11608399188f03a837451b6b3a1"
},
{
"url": "https://git.kernel.org/stable/c/d033a555d9a1cf53dbf3301af7199cc4a4c8f537"
},
{
"url": "https://git.kernel.org/stable/c/afba9d11320dad5ce222ac8964caf64b7b4bedb1"
},
{
"url": "https://git.kernel.org/stable/c/185eab30486ba3e7bf8b9c2e049c79a06ffd2bc1"
},
{
"url": "https://git.kernel.org/stable/c/2883940b19c38d5884c8626483811acf4d7e148f"
},
{
"url": "https://git.kernel.org/stable/c/559ddacb90da1d8786dd8ec4fd76bbfa404eaef6"
},
{
"url": "https://git.kernel.org/stable/c/55583e899a5357308274601364741a83e78d6ac4"
}
],
"title": "ext4: fix double-free of blocks due to wrong extents moved_len",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-26704",
"datePublished": "2024-04-03T14:55:02.672Z",
"dateReserved": "2024-02-19T14:20:24.158Z",
"dateUpdated": "2025-05-04T08:54:27.242Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41038 (GCVE-0-2024-41038)
Vulnerability from cvelistv5
Published
2024-07-29 14:31
Modified
2025-05-04 09:20
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
firmware: cs_dsp: Prevent buffer overrun when processing V2 alg headers
Check that all fields of a V2 algorithm header fit into the available
firmware data buffer.
The wmfw V2 format introduced variable-length strings in the algorithm
block header. This means the overall header length is variable, and the
position of most fields varies depending on the length of the string
fields. Each field must be checked to ensure that it does not overflow
the firmware data buffer.
As this ia bugfix patch, the fixes avoid making any significant change to
the existing code. This makes it easier to review and less likely to
introduce new bugs.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:39:56.155Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/6619aa48a011364e9f29083cc76368e6acfe5b11"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/76ea8e13aaefdfda6e5601323d6ea5340359dcfa"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/014239b9971d79421a0ba652579e1ca1b7b57b6d"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/2163aff6bebbb752edf73f79700f5e2095f3559e"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41038",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T16:23:23.396612Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:34:03.220Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/firmware/cirrus/cs_dsp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6619aa48a011364e9f29083cc76368e6acfe5b11",
"status": "affected",
"version": "f6bc909e7673c30abcbdb329e7d0aa2e83c103d7",
"versionType": "git"
},
{
"lessThan": "76ea8e13aaefdfda6e5601323d6ea5340359dcfa",
"status": "affected",
"version": "f6bc909e7673c30abcbdb329e7d0aa2e83c103d7",
"versionType": "git"
},
{
"lessThan": "014239b9971d79421a0ba652579e1ca1b7b57b6d",
"status": "affected",
"version": "f6bc909e7673c30abcbdb329e7d0aa2e83c103d7",
"versionType": "git"
},
{
"lessThan": "2163aff6bebbb752edf73f79700f5e2095f3559e",
"status": "affected",
"version": "f6bc909e7673c30abcbdb329e7d0aa2e83c103d7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/firmware/cirrus/cs_dsp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.100",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.41",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.9.*",
"status": "unaffected",
"version": "6.9.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.10",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.100",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.41",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9.10",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: cs_dsp: Prevent buffer overrun when processing V2 alg headers\n\nCheck that all fields of a V2 algorithm header fit into the available\nfirmware data buffer.\n\nThe wmfw V2 format introduced variable-length strings in the algorithm\nblock header. This means the overall header length is variable, and the\nposition of most fields varies depending on the length of the string\nfields. Each field must be checked to ensure that it does not overflow\nthe firmware data buffer.\n\nAs this ia bugfix patch, the fixes avoid making any significant change to\nthe existing code. This makes it easier to review and less likely to\nintroduce new bugs."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:20:40.638Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6619aa48a011364e9f29083cc76368e6acfe5b11"
},
{
"url": "https://git.kernel.org/stable/c/76ea8e13aaefdfda6e5601323d6ea5340359dcfa"
},
{
"url": "https://git.kernel.org/stable/c/014239b9971d79421a0ba652579e1ca1b7b57b6d"
},
{
"url": "https://git.kernel.org/stable/c/2163aff6bebbb752edf73f79700f5e2095f3559e"
}
],
"title": "firmware: cs_dsp: Prevent buffer overrun when processing V2 alg headers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-41038",
"datePublished": "2024-07-29T14:31:52.415Z",
"dateReserved": "2024-07-12T12:17:45.620Z",
"dateUpdated": "2025-05-04T09:20:40.638Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52811 (GCVE-0-2023-52811)
Vulnerability from cvelistv5
Published
2024-05-21 15:31
Modified
2025-05-04 07:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: ibmvfc: Remove BUG_ON in the case of an empty event pool
In practice the driver should never send more commands than are allocated
to a queue's event pool. In the unlikely event that this happens, the code
asserts a BUG_ON, and in the case that the kernel is not configured to
crash on panic returns a junk event pointer from the empty event list
causing things to spiral from there. This BUG_ON is a historical artifact
of the ibmvfc driver first being upstreamed, and it is well known now that
the use of BUG_ON is bad practice except in the most unrecoverable
scenario. There is nothing about this scenario that prevents the driver
from recovering and carrying on.
Remove the BUG_ON in question from ibmvfc_get_event() and return a NULL
pointer in the case of an empty event pool. Update all call sites to
ibmvfc_get_event() to check for a NULL pointer and perfrom the appropriate
failure or recovery action.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-52811",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-29T17:41:58.046532Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-31T14:23:46.948Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:11:35.895Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e1d1f79b1929dce470a5dc9281c574cd58e8c6c0"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/88984ec4792766df5a9de7a2ff2b5f281f94c7d4"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/d2af4ef80601224b90630c1ddc7cd2c7c8ab4dd8"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/8bbe784c2ff28d56ca0c548aaf3e584edc77052d"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/b39f2d10b86d0af353ea339e5815820026bca48f"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/ibmvscsi/ibmvfc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e1d1f79b1929dce470a5dc9281c574cd58e8c6c0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "88984ec4792766df5a9de7a2ff2b5f281f94c7d4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d2af4ef80601224b90630c1ddc7cd2c7c8ab4dd8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8bbe784c2ff28d56ca0c548aaf3e584edc77052d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b39f2d10b86d0af353ea339e5815820026bca48f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/ibmvscsi/ibmvfc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.7",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.140",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.64",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ibmvfc: Remove BUG_ON in the case of an empty event pool\n\nIn practice the driver should never send more commands than are allocated\nto a queue\u0027s event pool. In the unlikely event that this happens, the code\nasserts a BUG_ON, and in the case that the kernel is not configured to\ncrash on panic returns a junk event pointer from the empty event list\ncausing things to spiral from there. This BUG_ON is a historical artifact\nof the ibmvfc driver first being upstreamed, and it is well known now that\nthe use of BUG_ON is bad practice except in the most unrecoverable\nscenario. There is nothing about this scenario that prevents the driver\nfrom recovering and carrying on.\n\nRemove the BUG_ON in question from ibmvfc_get_event() and return a NULL\npointer in the case of an empty event pool. Update all call sites to\nibmvfc_get_event() to check for a NULL pointer and perfrom the appropriate\nfailure or recovery action."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:43:38.190Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e1d1f79b1929dce470a5dc9281c574cd58e8c6c0"
},
{
"url": "https://git.kernel.org/stable/c/88984ec4792766df5a9de7a2ff2b5f281f94c7d4"
},
{
"url": "https://git.kernel.org/stable/c/d2af4ef80601224b90630c1ddc7cd2c7c8ab4dd8"
},
{
"url": "https://git.kernel.org/stable/c/8bbe784c2ff28d56ca0c548aaf3e584edc77052d"
},
{
"url": "https://git.kernel.org/stable/c/b39f2d10b86d0af353ea339e5815820026bca48f"
}
],
"title": "scsi: ibmvfc: Remove BUG_ON in the case of an empty event pool",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52811",
"datePublished": "2024-05-21T15:31:20.282Z",
"dateReserved": "2024-05-21T15:19:24.248Z",
"dateUpdated": "2025-05-04T07:43:38.190Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41031 (GCVE-0-2024-41031)
Vulnerability from cvelistv5
Published
2024-07-29 14:31
Modified
2025-05-04 09:20
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/filemap: skip to create PMD-sized page cache if needed
On ARM64, HPAGE_PMD_ORDER is 13 when the base page size is 64KB. The
PMD-sized page cache can't be supported by xarray as the following error
messages indicate.
------------[ cut here ]------------
WARNING: CPU: 35 PID: 7484 at lib/xarray.c:1025 xas_split_alloc+0xf8/0x128
Modules linked in: nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib \
nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct \
nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 \
ip_set rfkill nf_tables nfnetlink vfat fat virtio_balloon drm \
fuse xfs libcrc32c crct10dif_ce ghash_ce sha2_ce sha256_arm64 \
sha1_ce virtio_net net_failover virtio_console virtio_blk failover \
dimlib virtio_mmio
CPU: 35 PID: 7484 Comm: test Kdump: loaded Tainted: G W 6.10.0-rc5-gavin+ #9
Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-1.el9 05/24/2024
pstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
pc : xas_split_alloc+0xf8/0x128
lr : split_huge_page_to_list_to_order+0x1c4/0x720
sp : ffff800087a4f6c0
x29: ffff800087a4f6c0 x28: ffff800087a4f720 x27: 000000001fffffff
x26: 0000000000000c40 x25: 000000000000000d x24: ffff00010625b858
x23: ffff800087a4f720 x22: ffffffdfc0780000 x21: 0000000000000000
x20: 0000000000000000 x19: ffffffdfc0780000 x18: 000000001ff40000
x17: 00000000ffffffff x16: 0000018000000000 x15: 51ec004000000000
x14: 0000e00000000000 x13: 0000000000002000 x12: 0000000000000020
x11: 51ec000000000000 x10: 51ece1c0ffff8000 x9 : ffffbeb961a44d28
x8 : 0000000000000003 x7 : ffffffdfc0456420 x6 : ffff0000e1aa6eb8
x5 : 20bf08b4fe778fca x4 : ffffffdfc0456420 x3 : 0000000000000c40
x2 : 000000000000000d x1 : 000000000000000c x0 : 0000000000000000
Call trace:
xas_split_alloc+0xf8/0x128
split_huge_page_to_list_to_order+0x1c4/0x720
truncate_inode_partial_folio+0xdc/0x160
truncate_inode_pages_range+0x1b4/0x4a8
truncate_pagecache_range+0x84/0xa0
xfs_flush_unmap_range+0x70/0x90 [xfs]
xfs_file_fallocate+0xfc/0x4d8 [xfs]
vfs_fallocate+0x124/0x2e8
ksys_fallocate+0x4c/0xa0
__arm64_sys_fallocate+0x24/0x38
invoke_syscall.constprop.0+0x7c/0xd8
do_el0_svc+0xb4/0xd0
el0_svc+0x44/0x1d8
el0t_64_sync_handler+0x134/0x150
el0t_64_sync+0x17c/0x180
Fix it by skipping to allocate PMD-sized page cache when its size is
larger than MAX_PAGECACHE_ORDER. For this specific case, we will fall to
regular path where the readahead window is determined by BDI's sysfs file
(read_ahead_kb).
References
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:39:56.076Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/06b5a69c27ec405a3c3f2da8520ff1ee70b94a21"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/1ef650d3b1b2a16473981b447f38705fe9b93972"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/3390916aca7af1893ed2ebcdfee1d6fdb65bb058"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41031",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T16:23:47.337033Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:34:03.906Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/filemap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "06b5a69c27ec405a3c3f2da8520ff1ee70b94a21",
"status": "affected",
"version": "4687fdbb805a92ce5a9f23042c436dc64fef8b77",
"versionType": "git"
},
{
"lessThan": "1ef650d3b1b2a16473981b447f38705fe9b93972",
"status": "affected",
"version": "4687fdbb805a92ce5a9f23042c436dc64fef8b77",
"versionType": "git"
},
{
"lessThan": "3390916aca7af1893ed2ebcdfee1d6fdb65bb058",
"status": "affected",
"version": "4687fdbb805a92ce5a9f23042c436dc64fef8b77",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/filemap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.41",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.9.*",
"status": "unaffected",
"version": "6.9.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.10",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.41",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9.10",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/filemap: skip to create PMD-sized page cache if needed\n\nOn ARM64, HPAGE_PMD_ORDER is 13 when the base page size is 64KB. The\nPMD-sized page cache can\u0027t be supported by xarray as the following error\nmessages indicate.\n\n------------[ cut here ]------------\nWARNING: CPU: 35 PID: 7484 at lib/xarray.c:1025 xas_split_alloc+0xf8/0x128\nModules linked in: nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib \\\nnft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct \\\nnft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 \\\nip_set rfkill nf_tables nfnetlink vfat fat virtio_balloon drm \\\nfuse xfs libcrc32c crct10dif_ce ghash_ce sha2_ce sha256_arm64 \\\nsha1_ce virtio_net net_failover virtio_console virtio_blk failover \\\ndimlib virtio_mmio\nCPU: 35 PID: 7484 Comm: test Kdump: loaded Tainted: G W 6.10.0-rc5-gavin+ #9\nHardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-1.el9 05/24/2024\npstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)\npc : xas_split_alloc+0xf8/0x128\nlr : split_huge_page_to_list_to_order+0x1c4/0x720\nsp : ffff800087a4f6c0\nx29: ffff800087a4f6c0 x28: ffff800087a4f720 x27: 000000001fffffff\nx26: 0000000000000c40 x25: 000000000000000d x24: ffff00010625b858\nx23: ffff800087a4f720 x22: ffffffdfc0780000 x21: 0000000000000000\nx20: 0000000000000000 x19: ffffffdfc0780000 x18: 000000001ff40000\nx17: 00000000ffffffff x16: 0000018000000000 x15: 51ec004000000000\nx14: 0000e00000000000 x13: 0000000000002000 x12: 0000000000000020\nx11: 51ec000000000000 x10: 51ece1c0ffff8000 x9 : ffffbeb961a44d28\nx8 : 0000000000000003 x7 : ffffffdfc0456420 x6 : ffff0000e1aa6eb8\nx5 : 20bf08b4fe778fca x4 : ffffffdfc0456420 x3 : 0000000000000c40\nx2 : 000000000000000d x1 : 000000000000000c x0 : 0000000000000000\nCall trace:\n xas_split_alloc+0xf8/0x128\n split_huge_page_to_list_to_order+0x1c4/0x720\n truncate_inode_partial_folio+0xdc/0x160\n truncate_inode_pages_range+0x1b4/0x4a8\n truncate_pagecache_range+0x84/0xa0\n xfs_flush_unmap_range+0x70/0x90 [xfs]\n xfs_file_fallocate+0xfc/0x4d8 [xfs]\n vfs_fallocate+0x124/0x2e8\n ksys_fallocate+0x4c/0xa0\n __arm64_sys_fallocate+0x24/0x38\n invoke_syscall.constprop.0+0x7c/0xd8\n do_el0_svc+0xb4/0xd0\n el0_svc+0x44/0x1d8\n el0t_64_sync_handler+0x134/0x150\n el0t_64_sync+0x17c/0x180\n\nFix it by skipping to allocate PMD-sized page cache when its size is\nlarger than MAX_PAGECACHE_ORDER. For this specific case, we will fall to\nregular path where the readahead window is determined by BDI\u0027s sysfs file\n(read_ahead_kb)."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:20:30.328Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/06b5a69c27ec405a3c3f2da8520ff1ee70b94a21"
},
{
"url": "https://git.kernel.org/stable/c/1ef650d3b1b2a16473981b447f38705fe9b93972"
},
{
"url": "https://git.kernel.org/stable/c/3390916aca7af1893ed2ebcdfee1d6fdb65bb058"
}
],
"title": "mm/filemap: skip to create PMD-sized page cache if needed",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-41031",
"datePublished": "2024-07-29T14:31:46.943Z",
"dateReserved": "2024-07-12T12:17:45.618Z",
"dateUpdated": "2025-05-04T09:20:30.328Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41056 (GCVE-0-2024-41056)
Vulnerability from cvelistv5
Published
2024-07-29 14:33
Modified
2025-05-04 09:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
firmware: cs_dsp: Use strnlen() on name fields in V1 wmfw files
Use strnlen() instead of strlen() on the algorithm and coefficient name
string arrays in V1 wmfw files.
In V1 wmfw files the name is a NUL-terminated string in a fixed-size
array. cs_dsp should protect against overrunning the array if the NUL
terminator is missing.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:46:51.164Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/16d76857d6b5426f41b587d0bb925de3f25bfb21"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/392cff2f86a25a4286ff3151c7739143c61c1781"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/53a9f8cdbf35a682e9894e1a606f4640e5359185"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/680e126ec0400f6daecf0510c5bb97a55779ff03"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41056",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T16:22:25.022416Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:34:01.793Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/firmware/cirrus/cs_dsp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "16d76857d6b5426f41b587d0bb925de3f25bfb21",
"status": "affected",
"version": "f6bc909e7673c30abcbdb329e7d0aa2e83c103d7",
"versionType": "git"
},
{
"lessThan": "392cff2f86a25a4286ff3151c7739143c61c1781",
"status": "affected",
"version": "f6bc909e7673c30abcbdb329e7d0aa2e83c103d7",
"versionType": "git"
},
{
"lessThan": "53a9f8cdbf35a682e9894e1a606f4640e5359185",
"status": "affected",
"version": "f6bc909e7673c30abcbdb329e7d0aa2e83c103d7",
"versionType": "git"
},
{
"lessThan": "680e126ec0400f6daecf0510c5bb97a55779ff03",
"status": "affected",
"version": "f6bc909e7673c30abcbdb329e7d0aa2e83c103d7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/firmware/cirrus/cs_dsp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.100",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.41",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.9.*",
"status": "unaffected",
"version": "6.9.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.10",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.100",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.41",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9.10",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: cs_dsp: Use strnlen() on name fields in V1 wmfw files\n\nUse strnlen() instead of strlen() on the algorithm and coefficient name\nstring arrays in V1 wmfw files.\n\nIn V1 wmfw files the name is a NUL-terminated string in a fixed-size\narray. cs_dsp should protect against overrunning the array if the NUL\nterminator is missing."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:21:06.418Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/16d76857d6b5426f41b587d0bb925de3f25bfb21"
},
{
"url": "https://git.kernel.org/stable/c/392cff2f86a25a4286ff3151c7739143c61c1781"
},
{
"url": "https://git.kernel.org/stable/c/53a9f8cdbf35a682e9894e1a606f4640e5359185"
},
{
"url": "https://git.kernel.org/stable/c/680e126ec0400f6daecf0510c5bb97a55779ff03"
}
],
"title": "firmware: cs_dsp: Use strnlen() on name fields in V1 wmfw files",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-41056",
"datePublished": "2024-07-29T14:33:27.453Z",
"dateReserved": "2024-07-12T12:17:45.627Z",
"dateUpdated": "2025-05-04T09:21:06.418Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-38555 (GCVE-0-2024-38555)
Vulnerability from cvelistv5
Published
2024-06-19 13:35
Modified
2025-05-04 12:56
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: Discard command completions in internal error
Fix use after free when FW completion arrives while device is in
internal error state. Avoid calling completion handler in this case,
since the device will flush the command interface and trigger all
completions manually.
Kernel log:
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
...
RIP: 0010:refcount_warn_saturate+0xd8/0xe0
...
Call Trace:
<IRQ>
? __warn+0x79/0x120
? refcount_warn_saturate+0xd8/0xe0
? report_bug+0x17c/0x190
? handle_bug+0x3c/0x60
? exc_invalid_op+0x14/0x70
? asm_exc_invalid_op+0x16/0x20
? refcount_warn_saturate+0xd8/0xe0
cmd_ent_put+0x13b/0x160 [mlx5_core]
mlx5_cmd_comp_handler+0x5f9/0x670 [mlx5_core]
cmd_comp_notifier+0x1f/0x30 [mlx5_core]
notifier_call_chain+0x35/0xb0
atomic_notifier_call_chain+0x16/0x20
mlx5_eq_async_int+0xf6/0x290 [mlx5_core]
notifier_call_chain+0x35/0xb0
atomic_notifier_call_chain+0x16/0x20
irq_int_handler+0x19/0x30 [mlx5_core]
__handle_irq_event_percpu+0x4b/0x160
handle_irq_event+0x2e/0x80
handle_edge_irq+0x98/0x230
__common_interrupt+0x3b/0xa0
common_interrupt+0x7b/0xa0
</IRQ>
<TASK>
asm_common_interrupt+0x22/0x40
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 27c79b3a9212cf4ba634c157e07d29548181a208 Version: 51d138c2610a236c1ed0059d034ee4c74f452b86 Version: 51d138c2610a236c1ed0059d034ee4c74f452b86 Version: 51d138c2610a236c1ed0059d034ee4c74f452b86 Version: 51d138c2610a236c1ed0059d034ee4c74f452b86 Version: 51d138c2610a236c1ed0059d034ee4c74f452b86 Version: 51d138c2610a236c1ed0059d034ee4c74f452b86 Version: 2e5d24b3bf091802c5456dc8f8f6a6be4493c8ca |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:12:25.241Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/f6fbb8535e990f844371086ab2c1221f71f993d3"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/3cb92b0ad73d3f1734e812054e698d655e9581b0"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/bf8aaf0ae01c27ae3c06aa8610caf91e50393396"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/1337ec94bc5a9eed250e33f5f5c89a28a6bfabdb"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/1d5dce5e92a70274de67a59e1e674c3267f94cd7"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/7ac4c69c34240c6de820492c0a28a0bd1494265a"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/db9b31aa9bc56ff0d15b78f7e827d61c4a096e40"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-38555",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T17:14:41.121534Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:34:56.983Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/cmd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f6fbb8535e990f844371086ab2c1221f71f993d3",
"status": "affected",
"version": "27c79b3a9212cf4ba634c157e07d29548181a208",
"versionType": "git"
},
{
"lessThan": "3cb92b0ad73d3f1734e812054e698d655e9581b0",
"status": "affected",
"version": "51d138c2610a236c1ed0059d034ee4c74f452b86",
"versionType": "git"
},
{
"lessThan": "bf8aaf0ae01c27ae3c06aa8610caf91e50393396",
"status": "affected",
"version": "51d138c2610a236c1ed0059d034ee4c74f452b86",
"versionType": "git"
},
{
"lessThan": "1337ec94bc5a9eed250e33f5f5c89a28a6bfabdb",
"status": "affected",
"version": "51d138c2610a236c1ed0059d034ee4c74f452b86",
"versionType": "git"
},
{
"lessThan": "1d5dce5e92a70274de67a59e1e674c3267f94cd7",
"status": "affected",
"version": "51d138c2610a236c1ed0059d034ee4c74f452b86",
"versionType": "git"
},
{
"lessThan": "7ac4c69c34240c6de820492c0a28a0bd1494265a",
"status": "affected",
"version": "51d138c2610a236c1ed0059d034ee4c74f452b86",
"versionType": "git"
},
{
"lessThan": "db9b31aa9bc56ff0d15b78f7e827d61c4a096e40",
"status": "affected",
"version": "51d138c2610a236c1ed0059d034ee4c74f452b86",
"versionType": "git"
},
{
"status": "affected",
"version": "2e5d24b3bf091802c5456dc8f8f6a6be4493c8ca",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/cmd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.219",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.9.*",
"status": "unaffected",
"version": "6.9.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.10",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.219",
"versionStartIncluding": "5.10.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.161",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.93",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.33",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.12",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9.3",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.11.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Discard command completions in internal error\n\nFix use after free when FW completion arrives while device is in\ninternal error state. Avoid calling completion handler in this case,\nsince the device will flush the command interface and trigger all\ncompletions manually.\n\nKernel log:\n------------[ cut here ]------------\nrefcount_t: underflow; use-after-free.\n...\nRIP: 0010:refcount_warn_saturate+0xd8/0xe0\n...\nCall Trace:\n\u003cIRQ\u003e\n? __warn+0x79/0x120\n? refcount_warn_saturate+0xd8/0xe0\n? report_bug+0x17c/0x190\n? handle_bug+0x3c/0x60\n? exc_invalid_op+0x14/0x70\n? asm_exc_invalid_op+0x16/0x20\n? refcount_warn_saturate+0xd8/0xe0\ncmd_ent_put+0x13b/0x160 [mlx5_core]\nmlx5_cmd_comp_handler+0x5f9/0x670 [mlx5_core]\ncmd_comp_notifier+0x1f/0x30 [mlx5_core]\nnotifier_call_chain+0x35/0xb0\natomic_notifier_call_chain+0x16/0x20\nmlx5_eq_async_int+0xf6/0x290 [mlx5_core]\nnotifier_call_chain+0x35/0xb0\natomic_notifier_call_chain+0x16/0x20\nirq_int_handler+0x19/0x30 [mlx5_core]\n__handle_irq_event_percpu+0x4b/0x160\nhandle_irq_event+0x2e/0x80\nhandle_edge_irq+0x98/0x230\n__common_interrupt+0x3b/0xa0\ncommon_interrupt+0x7b/0xa0\n\u003c/IRQ\u003e\n\u003cTASK\u003e\nasm_common_interrupt+0x22/0x40"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:56:44.500Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f6fbb8535e990f844371086ab2c1221f71f993d3"
},
{
"url": "https://git.kernel.org/stable/c/3cb92b0ad73d3f1734e812054e698d655e9581b0"
},
{
"url": "https://git.kernel.org/stable/c/bf8aaf0ae01c27ae3c06aa8610caf91e50393396"
},
{
"url": "https://git.kernel.org/stable/c/1337ec94bc5a9eed250e33f5f5c89a28a6bfabdb"
},
{
"url": "https://git.kernel.org/stable/c/1d5dce5e92a70274de67a59e1e674c3267f94cd7"
},
{
"url": "https://git.kernel.org/stable/c/7ac4c69c34240c6de820492c0a28a0bd1494265a"
},
{
"url": "https://git.kernel.org/stable/c/db9b31aa9bc56ff0d15b78f7e827d61c4a096e40"
}
],
"title": "net/mlx5: Discard command completions in internal error",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-38555",
"datePublished": "2024-06-19T13:35:26.059Z",
"dateReserved": "2024-06-18T19:36:34.920Z",
"dateUpdated": "2025-05-04T12:56:44.500Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-42241 (GCVE-0-2024-42241)
Vulnerability from cvelistv5
Published
2024-08-07 15:14
Modified
2025-05-04 09:24
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/shmem: disable PMD-sized page cache if needed
For shmem files, it's possible that PMD-sized page cache can't be
supported by xarray. For example, 512MB page cache on ARM64 when the base
page size is 64KB can't be supported by xarray. It leads to errors as the
following messages indicate when this sort of xarray entry is split.
WARNING: CPU: 34 PID: 7578 at lib/xarray.c:1025 xas_split_alloc+0xf8/0x128
Modules linked in: binfmt_misc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 \
nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject \
nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 \
ip_set rfkill nf_tables nfnetlink vfat fat virtio_balloon drm fuse xfs \
libcrc32c crct10dif_ce ghash_ce sha2_ce sha256_arm64 sha1_ce virtio_net \
net_failover virtio_console virtio_blk failover dimlib virtio_mmio
CPU: 34 PID: 7578 Comm: test Kdump: loaded Tainted: G W 6.10.0-rc5-gavin+ #9
Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-1.el9 05/24/2024
pstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
pc : xas_split_alloc+0xf8/0x128
lr : split_huge_page_to_list_to_order+0x1c4/0x720
sp : ffff8000882af5f0
x29: ffff8000882af5f0 x28: ffff8000882af650 x27: ffff8000882af768
x26: 0000000000000cc0 x25: 000000000000000d x24: ffff00010625b858
x23: ffff8000882af650 x22: ffffffdfc0900000 x21: 0000000000000000
x20: 0000000000000000 x19: ffffffdfc0900000 x18: 0000000000000000
x17: 0000000000000000 x16: 0000018000000000 x15: 52f8004000000000
x14: 0000e00000000000 x13: 0000000000002000 x12: 0000000000000020
x11: 52f8000000000000 x10: 52f8e1c0ffff6000 x9 : ffffbeb9619a681c
x8 : 0000000000000003 x7 : 0000000000000000 x6 : ffff00010b02ddb0
x5 : ffffbeb96395e378 x4 : 0000000000000000 x3 : 0000000000000cc0
x2 : 000000000000000d x1 : 000000000000000c x0 : 0000000000000000
Call trace:
xas_split_alloc+0xf8/0x128
split_huge_page_to_list_to_order+0x1c4/0x720
truncate_inode_partial_folio+0xdc/0x160
shmem_undo_range+0x2bc/0x6a8
shmem_fallocate+0x134/0x430
vfs_fallocate+0x124/0x2e8
ksys_fallocate+0x4c/0xa0
__arm64_sys_fallocate+0x24/0x38
invoke_syscall.constprop.0+0x7c/0xd8
do_el0_svc+0xb4/0xd0
el0_svc+0x44/0x1d8
el0t_64_sync_handler+0x134/0x150
el0t_64_sync+0x17c/0x180
Fix it by disabling PMD-sized page cache when HPAGE_PMD_ORDER is larger
than MAX_PAGECACHE_ORDER. As Matthew Wilcox pointed, the page cache in a
shmem file isn't represented by a multi-index entry and doesn't have this
limitation when the xarry entry is split until commit 6b24ca4a1a8d ("mm:
Use multi-index entries in the page cache").
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42241",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T16:13:47.790188Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:34:31.583Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/shmem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "93893eacb372b0a4a30f7de6609b08c3ba6c4fd9",
"status": "affected",
"version": "6b24ca4a1a8d4ee3221d6d44ddbb99f542e4bda3",
"versionType": "git"
},
{
"lessThan": "cd25208ca9b0097f8e079d692fc678f36fdbc3f9",
"status": "affected",
"version": "6b24ca4a1a8d4ee3221d6d44ddbb99f542e4bda3",
"versionType": "git"
},
{
"lessThan": "9fd154ba926b34c833b7bfc4c14ee2e931b3d743",
"status": "affected",
"version": "6b24ca4a1a8d4ee3221d6d44ddbb99f542e4bda3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/shmem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.41",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.9.*",
"status": "unaffected",
"version": "6.9.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.10",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.41",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9.10",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/shmem: disable PMD-sized page cache if needed\n\nFor shmem files, it\u0027s possible that PMD-sized page cache can\u0027t be\nsupported by xarray. For example, 512MB page cache on ARM64 when the base\npage size is 64KB can\u0027t be supported by xarray. It leads to errors as the\nfollowing messages indicate when this sort of xarray entry is split.\n\nWARNING: CPU: 34 PID: 7578 at lib/xarray.c:1025 xas_split_alloc+0xf8/0x128\nModules linked in: binfmt_misc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 \\\nnft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject \\\nnft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 \\\nip_set rfkill nf_tables nfnetlink vfat fat virtio_balloon drm fuse xfs \\\nlibcrc32c crct10dif_ce ghash_ce sha2_ce sha256_arm64 sha1_ce virtio_net \\\nnet_failover virtio_console virtio_blk failover dimlib virtio_mmio\nCPU: 34 PID: 7578 Comm: test Kdump: loaded Tainted: G W 6.10.0-rc5-gavin+ #9\nHardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-1.el9 05/24/2024\npstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)\npc : xas_split_alloc+0xf8/0x128\nlr : split_huge_page_to_list_to_order+0x1c4/0x720\nsp : ffff8000882af5f0\nx29: ffff8000882af5f0 x28: ffff8000882af650 x27: ffff8000882af768\nx26: 0000000000000cc0 x25: 000000000000000d x24: ffff00010625b858\nx23: ffff8000882af650 x22: ffffffdfc0900000 x21: 0000000000000000\nx20: 0000000000000000 x19: ffffffdfc0900000 x18: 0000000000000000\nx17: 0000000000000000 x16: 0000018000000000 x15: 52f8004000000000\nx14: 0000e00000000000 x13: 0000000000002000 x12: 0000000000000020\nx11: 52f8000000000000 x10: 52f8e1c0ffff6000 x9 : ffffbeb9619a681c\nx8 : 0000000000000003 x7 : 0000000000000000 x6 : ffff00010b02ddb0\nx5 : ffffbeb96395e378 x4 : 0000000000000000 x3 : 0000000000000cc0\nx2 : 000000000000000d x1 : 000000000000000c x0 : 0000000000000000\nCall trace:\n xas_split_alloc+0xf8/0x128\n split_huge_page_to_list_to_order+0x1c4/0x720\n truncate_inode_partial_folio+0xdc/0x160\n shmem_undo_range+0x2bc/0x6a8\n shmem_fallocate+0x134/0x430\n vfs_fallocate+0x124/0x2e8\n ksys_fallocate+0x4c/0xa0\n __arm64_sys_fallocate+0x24/0x38\n invoke_syscall.constprop.0+0x7c/0xd8\n do_el0_svc+0xb4/0xd0\n el0_svc+0x44/0x1d8\n el0t_64_sync_handler+0x134/0x150\n el0t_64_sync+0x17c/0x180\n\nFix it by disabling PMD-sized page cache when HPAGE_PMD_ORDER is larger\nthan MAX_PAGECACHE_ORDER. As Matthew Wilcox pointed, the page cache in a\nshmem file isn\u0027t represented by a multi-index entry and doesn\u0027t have this\nlimitation when the xarry entry is split until commit 6b24ca4a1a8d (\"mm:\nUse multi-index entries in the page cache\")."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:24:53.405Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/93893eacb372b0a4a30f7de6609b08c3ba6c4fd9"
},
{
"url": "https://git.kernel.org/stable/c/cd25208ca9b0097f8e079d692fc678f36fdbc3f9"
},
{
"url": "https://git.kernel.org/stable/c/9fd154ba926b34c833b7bfc4c14ee2e931b3d743"
}
],
"title": "mm/shmem: disable PMD-sized page cache if needed",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-42241",
"datePublished": "2024-08-07T15:14:28.547Z",
"dateReserved": "2024-07-30T07:40:12.254Z",
"dateUpdated": "2025-05-04T09:24:53.405Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52619 (GCVE-0-2023-52619)
Vulnerability from cvelistv5
Published
2024-03-18 10:19
Modified
2025-05-04 07:40
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
pstore/ram: Fix crash when setting number of cpus to an odd number
When the number of cpu cores is adjusted to 7 or other odd numbers,
the zone size will become an odd number.
The address of the zone will become:
addr of zone0 = BASE
addr of zone1 = BASE + zone_size
addr of zone2 = BASE + zone_size*2
...
The address of zone1/3/5/7 will be mapped to non-alignment va.
Eventually crashes will occur when accessing these va.
So, use ALIGN_DOWN() to make sure the zone size is even
to avoid this bug.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-52619",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-18T14:22:57.908463Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:23:25.786Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:03:21.348Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/8b69c30f4e8b69131d92096cb296dc1f217101e4"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e9f6ac50890104fdf8194f2865680689239d30fb"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/a63e48cd835c34c38ef671d344cc029b1ea5bf10"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/2a37905d47bffec61e95d99f0c1cc5dc6377956c"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/75b0f71b26b3ad833c5c0670109c0af6e021e86a"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/0593cfd321df9001142a9d2c58d4144917dff7ee"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/cd40e43f870cf21726b22487a95ed223790b3542"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/d49270a04623ce3c0afddbf3e984cb245aa48e9c"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/pstore/ram.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8b69c30f4e8b69131d92096cb296dc1f217101e4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e9f6ac50890104fdf8194f2865680689239d30fb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a63e48cd835c34c38ef671d344cc029b1ea5bf10",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2a37905d47bffec61e95d99f0c1cc5dc6377956c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "75b0f71b26b3ad833c5c0670109c0af6e021e86a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0593cfd321df9001142a9d2c58d4144917dff7ee",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "cd40e43f870cf21726b22487a95ed223790b3542",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d49270a04623ce3c0afddbf3e984cb245aa48e9c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/pstore/ram.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.307",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.269",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.8",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.307",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.269",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.210",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.149",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.77",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npstore/ram: Fix crash when setting number of cpus to an odd number\n\nWhen the number of cpu cores is adjusted to 7 or other odd numbers,\nthe zone size will become an odd number.\nThe address of the zone will become:\n addr of zone0 = BASE\n addr of zone1 = BASE + zone_size\n addr of zone2 = BASE + zone_size*2\n ...\nThe address of zone1/3/5/7 will be mapped to non-alignment va.\nEventually crashes will occur when accessing these va.\n\nSo, use ALIGN_DOWN() to make sure the zone size is even\nto avoid this bug."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:40:01.100Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8b69c30f4e8b69131d92096cb296dc1f217101e4"
},
{
"url": "https://git.kernel.org/stable/c/e9f6ac50890104fdf8194f2865680689239d30fb"
},
{
"url": "https://git.kernel.org/stable/c/a63e48cd835c34c38ef671d344cc029b1ea5bf10"
},
{
"url": "https://git.kernel.org/stable/c/2a37905d47bffec61e95d99f0c1cc5dc6377956c"
},
{
"url": "https://git.kernel.org/stable/c/75b0f71b26b3ad833c5c0670109c0af6e021e86a"
},
{
"url": "https://git.kernel.org/stable/c/0593cfd321df9001142a9d2c58d4144917dff7ee"
},
{
"url": "https://git.kernel.org/stable/c/cd40e43f870cf21726b22487a95ed223790b3542"
},
{
"url": "https://git.kernel.org/stable/c/d49270a04623ce3c0afddbf3e984cb245aa48e9c"
}
],
"title": "pstore/ram: Fix crash when setting number of cpus to an odd number",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52619",
"datePublished": "2024-03-18T10:19:05.854Z",
"dateReserved": "2024-03-06T09:52:12.089Z",
"dateUpdated": "2025-05-04T07:40:01.100Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-42237 (GCVE-0-2024-42237)
Vulnerability from cvelistv5
Published
2024-08-07 15:14
Modified
2025-05-04 09:24
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
firmware: cs_dsp: Validate payload length before processing block
Move the payload length check in cs_dsp_load() and cs_dsp_coeff_load()
to be done before the block is processed.
The check that the length of a block payload does not exceed the number
of remaining bytes in the firwmware file buffer was being done near the
end of the loop iteration. However, some code before that check used the
length field without validating it.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42237",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T16:14:00.898679Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:34:32.028Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/firmware/cirrus/cs_dsp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "259955eca9b7acf1299b1ac077d8cfbe12df35d8",
"status": "affected",
"version": "f6bc909e7673c30abcbdb329e7d0aa2e83c103d7",
"versionType": "git"
},
{
"lessThan": "3a9cd924aec1288d675df721f244da4dd7e16cff",
"status": "affected",
"version": "f6bc909e7673c30abcbdb329e7d0aa2e83c103d7",
"versionType": "git"
},
{
"lessThan": "71d9e313d8f7e18c543a9c80506fe6b1eb1fe0c8",
"status": "affected",
"version": "f6bc909e7673c30abcbdb329e7d0aa2e83c103d7",
"versionType": "git"
},
{
"lessThan": "6598afa9320b6ab13041616950ca5f8f938c0cf1",
"status": "affected",
"version": "f6bc909e7673c30abcbdb329e7d0aa2e83c103d7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/firmware/cirrus/cs_dsp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.100",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.41",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.9.*",
"status": "unaffected",
"version": "6.9.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.10",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.100",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.41",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9.10",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: cs_dsp: Validate payload length before processing block\n\nMove the payload length check in cs_dsp_load() and cs_dsp_coeff_load()\nto be done before the block is processed.\n\nThe check that the length of a block payload does not exceed the number\nof remaining bytes in the firwmware file buffer was being done near the\nend of the loop iteration. However, some code before that check used the\nlength field without validating it."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:24:48.143Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/259955eca9b7acf1299b1ac077d8cfbe12df35d8"
},
{
"url": "https://git.kernel.org/stable/c/3a9cd924aec1288d675df721f244da4dd7e16cff"
},
{
"url": "https://git.kernel.org/stable/c/71d9e313d8f7e18c543a9c80506fe6b1eb1fe0c8"
},
{
"url": "https://git.kernel.org/stable/c/6598afa9320b6ab13041616950ca5f8f938c0cf1"
}
],
"title": "firmware: cs_dsp: Validate payload length before processing block",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-42237",
"datePublished": "2024-08-07T15:14:26.221Z",
"dateReserved": "2024-07-30T07:40:12.253Z",
"dateUpdated": "2025-05-04T09:24:48.143Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-26601 (GCVE-0-2024-26601)
Vulnerability from cvelistv5
Published
2024-02-24 14:56
Modified
2025-05-04 08:52
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: regenerate buddy after block freeing failed if under fc replay
This mostly reverts commit 6bd97bf273bd ("ext4: remove redundant
mb_regenerate_buddy()") and reintroduces mb_regenerate_buddy(). Based on
code in mb_free_blocks(), fast commit replay can end up marking as free
blocks that are already marked as such. This causes corruption of the
buddy bitmap so we need to regenerate it in that case.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 0983142c5f17a62055ec851372273c3bc77e4788 Version: 6bd97bf273bdb4944904e57480f6545bca48ad77 Version: 6bd97bf273bdb4944904e57480f6545bca48ad77 Version: 6bd97bf273bdb4944904e57480f6545bca48ad77 Version: 6bd97bf273bdb4944904e57480f6545bca48ad77 Version: 6bd97bf273bdb4944904e57480f6545bca48ad77 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26601",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-01T15:48:58.021731Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:48:55.950Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:07:19.651Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/94ebf71bddbcd4ab1ce43ae32c6cb66396d2d51a"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/c1317822e2de80e78f137d3a2d99febab1b80326"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/78327acd4cdc4a1601af718b781eece577b6b7d4"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/ea42d6cffb0dd27a417f410b9d0011e9859328cb"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/6b0d48647935e4b8c7b75d1eccb9043fcd4ee581"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/c9b528c35795b711331ed36dc3dbee90d5812d4e"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/mballoc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "94ebf71bddbcd4ab1ce43ae32c6cb66396d2d51a",
"status": "affected",
"version": "0983142c5f17a62055ec851372273c3bc77e4788",
"versionType": "git"
},
{
"lessThan": "c1317822e2de80e78f137d3a2d99febab1b80326",
"status": "affected",
"version": "6bd97bf273bdb4944904e57480f6545bca48ad77",
"versionType": "git"
},
{
"lessThan": "78327acd4cdc4a1601af718b781eece577b6b7d4",
"status": "affected",
"version": "6bd97bf273bdb4944904e57480f6545bca48ad77",
"versionType": "git"
},
{
"lessThan": "ea42d6cffb0dd27a417f410b9d0011e9859328cb",
"status": "affected",
"version": "6bd97bf273bdb4944904e57480f6545bca48ad77",
"versionType": "git"
},
{
"lessThan": "6b0d48647935e4b8c7b75d1eccb9043fcd4ee581",
"status": "affected",
"version": "6bd97bf273bdb4944904e57480f6545bca48ad77",
"versionType": "git"
},
{
"lessThan": "c9b528c35795b711331ed36dc3dbee90d5812d4e",
"status": "affected",
"version": "6bd97bf273bdb4944904e57480f6545bca48ad77",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/mballoc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.211",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.8",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.211",
"versionStartIncluding": "5.10.181",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.150",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.78",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.17",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.5",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: regenerate buddy after block freeing failed if under fc replay\n\nThis mostly reverts commit 6bd97bf273bd (\"ext4: remove redundant\nmb_regenerate_buddy()\") and reintroduces mb_regenerate_buddy(). Based on\ncode in mb_free_blocks(), fast commit replay can end up marking as free\nblocks that are already marked as such. This causes corruption of the\nbuddy bitmap so we need to regenerate it in that case."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:52:05.085Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/94ebf71bddbcd4ab1ce43ae32c6cb66396d2d51a"
},
{
"url": "https://git.kernel.org/stable/c/c1317822e2de80e78f137d3a2d99febab1b80326"
},
{
"url": "https://git.kernel.org/stable/c/78327acd4cdc4a1601af718b781eece577b6b7d4"
},
{
"url": "https://git.kernel.org/stable/c/ea42d6cffb0dd27a417f410b9d0011e9859328cb"
},
{
"url": "https://git.kernel.org/stable/c/6b0d48647935e4b8c7b75d1eccb9043fcd4ee581"
},
{
"url": "https://git.kernel.org/stable/c/c9b528c35795b711331ed36dc3dbee90d5812d4e"
}
],
"title": "ext4: regenerate buddy after block freeing failed if under fc replay",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-26601",
"datePublished": "2024-02-24T14:56:56.324Z",
"dateReserved": "2024-02-19T14:20:24.128Z",
"dateUpdated": "2025-05-04T08:52:05.085Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-26686 (GCVE-0-2024-26686)
Vulnerability from cvelistv5
Published
2024-04-03 14:54
Modified
2025-05-04 08:54
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs/proc: do_task_stat: use sig->stats_lock to gather the threads/children stats
lock_task_sighand() can trigger a hard lockup. If NR_CPUS threads call
do_task_stat() at the same time and the process has NR_THREADS, it will
spin with irqs disabled O(NR_CPUS * NR_THREADS) time.
Change do_task_stat() to use sig->stats_lock to gather the statistics
outside of ->siglock protected section, in the likely case this code will
run lockless.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26686",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-03T18:03:13.492262Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:48:23.666Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:14:12.556Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/cf4b8c39b9a0bd81c47afc7ef62914a62dd5ec4d"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/27978243f165b44e342f28f449b91327944ea071"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/7601df8031fd67310af891897ef6cc0df4209305"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/proc/array.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4fe85bdaabd63f8f8579b24a10ed597c9c482164",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0c35d1914353799c54fa1843fe7dea6fcbcdbac5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "cf4b8c39b9a0bd81c47afc7ef62914a62dd5ec4d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3820b0fac7732a653bcc6f6ac20c1d72e697f8f6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "27978243f165b44e342f28f449b91327944ea071",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7601df8031fd67310af891897ef6cc0df4209305",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/proc/array.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.237",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.181",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.7.*",
"status": "unaffected",
"version": "6.7.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.8",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.237",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.181",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.82",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.64",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/proc: do_task_stat: use sig-\u003estats_lock to gather the threads/children stats\n\nlock_task_sighand() can trigger a hard lockup. If NR_CPUS threads call\ndo_task_stat() at the same time and the process has NR_THREADS, it will\nspin with irqs disabled O(NR_CPUS * NR_THREADS) time.\n\nChange do_task_stat() to use sig-\u003estats_lock to gather the statistics\noutside of -\u003esiglock protected section, in the likely case this code will\nrun lockless."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:54:03.497Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4fe85bdaabd63f8f8579b24a10ed597c9c482164"
},
{
"url": "https://git.kernel.org/stable/c/0c35d1914353799c54fa1843fe7dea6fcbcdbac5"
},
{
"url": "https://git.kernel.org/stable/c/cf4b8c39b9a0bd81c47afc7ef62914a62dd5ec4d"
},
{
"url": "https://git.kernel.org/stable/c/3820b0fac7732a653bcc6f6ac20c1d72e697f8f6"
},
{
"url": "https://git.kernel.org/stable/c/27978243f165b44e342f28f449b91327944ea071"
},
{
"url": "https://git.kernel.org/stable/c/7601df8031fd67310af891897ef6cc0df4209305"
}
],
"title": "fs/proc: do_task_stat: use sig-\u003estats_lock to gather the threads/children stats",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-26686",
"datePublished": "2024-04-03T14:54:48.530Z",
"dateReserved": "2024-02-19T14:20:24.154Z",
"dateUpdated": "2025-05-04T08:54:03.497Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-40988 (GCVE-0-2024-40988)
Vulnerability from cvelistv5
Published
2024-07-12 12:37
Modified
2025-05-04 09:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/radeon: fix UBSAN warning in kv_dpm.c
Adds bounds check for sumo_vid_mapping_entry.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:39:56.064Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/07e8f15fa16695cf4c90e89854e59af4a760055b"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/a8c6df9fe5bc390645d1e96eff14ffe414951aad"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/febe794b83693257f21a23d2e03ea695a62449c8"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/cf1cc8fcfe517e108794fb711f7faabfca0dc855"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/f803532bc3825384100dfc58873e035d77248447"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/9e57611182a817824a17b1c3dd300ee74a174b42"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/468a50fd46a09bba7ba18a11054ae64b6479ecdc"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/a498df5421fd737d11bfd152428ba6b1c8538321"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-40988",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T17:01:57.675980Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:34:20.590Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/radeon/sumo_dpm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "07e8f15fa16695cf4c90e89854e59af4a760055b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a8c6df9fe5bc390645d1e96eff14ffe414951aad",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "febe794b83693257f21a23d2e03ea695a62449c8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "cf1cc8fcfe517e108794fb711f7faabfca0dc855",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f803532bc3825384100dfc58873e035d77248447",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9e57611182a817824a17b1c3dd300ee74a174b42",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "468a50fd46a09bba7ba18a11054ae64b6479ecdc",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a498df5421fd737d11bfd152428ba6b1c8538321",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/radeon/sumo_dpm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.317",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.279",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.221",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.96",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.9.*",
"status": "unaffected",
"version": "6.9.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.10",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.317",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.279",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.221",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.162",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.96",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: fix UBSAN warning in kv_dpm.c\n\nAdds bounds check for sumo_vid_mapping_entry."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:19:26.716Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/07e8f15fa16695cf4c90e89854e59af4a760055b"
},
{
"url": "https://git.kernel.org/stable/c/a8c6df9fe5bc390645d1e96eff14ffe414951aad"
},
{
"url": "https://git.kernel.org/stable/c/febe794b83693257f21a23d2e03ea695a62449c8"
},
{
"url": "https://git.kernel.org/stable/c/cf1cc8fcfe517e108794fb711f7faabfca0dc855"
},
{
"url": "https://git.kernel.org/stable/c/f803532bc3825384100dfc58873e035d77248447"
},
{
"url": "https://git.kernel.org/stable/c/9e57611182a817824a17b1c3dd300ee74a174b42"
},
{
"url": "https://git.kernel.org/stable/c/468a50fd46a09bba7ba18a11054ae64b6479ecdc"
},
{
"url": "https://git.kernel.org/stable/c/a498df5421fd737d11bfd152428ba6b1c8538321"
}
],
"title": "drm/radeon: fix UBSAN warning in kv_dpm.c",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-40988",
"datePublished": "2024-07-12T12:37:33.133Z",
"dateReserved": "2024-07-12T12:17:45.605Z",
"dateUpdated": "2025-05-04T09:19:26.716Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43854 (GCVE-0-2024-43854)
Vulnerability from cvelistv5
Published
2024-08-17 09:22
Modified
2025-05-04 09:27
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
block: initialize integrity buffer to zero before writing it to media
Metadata added by bio_integrity_prep is using plain kmalloc, which leads
to random kernel memory being written media. For PI metadata this is
limited to the app tag that isn't used by kernel generated metadata,
but for non-PI metadata the entire buffer leaks kernel memory.
Fix this by adding the __GFP_ZERO flag to allocations for writes.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 7ba1ba12eeef0aa7113beb16410ef8b7c748e18b Version: 7ba1ba12eeef0aa7113beb16410ef8b7c748e18b Version: 7ba1ba12eeef0aa7113beb16410ef8b7c748e18b Version: 7ba1ba12eeef0aa7113beb16410ef8b7c748e18b Version: 7ba1ba12eeef0aa7113beb16410ef8b7c748e18b Version: 7ba1ba12eeef0aa7113beb16410ef8b7c748e18b Version: 7ba1ba12eeef0aa7113beb16410ef8b7c748e18b Version: 7ba1ba12eeef0aa7113beb16410ef8b7c748e18b |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43854",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T16:07:14.517245Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T17:33:20.780Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/bio-integrity.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9f4af4cf08f9a0329ade3d938f55d2220c40d0a6",
"status": "affected",
"version": "7ba1ba12eeef0aa7113beb16410ef8b7c748e18b",
"versionType": "git"
},
{
"lessThan": "129f95948a96105c1fad8e612c9097763e88ac5f",
"status": "affected",
"version": "7ba1ba12eeef0aa7113beb16410ef8b7c748e18b",
"versionType": "git"
},
{
"lessThan": "3fd11fe4f20756b4c0847f755a64cd96f8c6a005",
"status": "affected",
"version": "7ba1ba12eeef0aa7113beb16410ef8b7c748e18b",
"versionType": "git"
},
{
"lessThan": "cf6b45ea7a8df0f61bded1dc4a8561ac6ad143d2",
"status": "affected",
"version": "7ba1ba12eeef0aa7113beb16410ef8b7c748e18b",
"versionType": "git"
},
{
"lessThan": "d418313bd8f55c079a7da12651951b489a638ac1",
"status": "affected",
"version": "7ba1ba12eeef0aa7113beb16410ef8b7c748e18b",
"versionType": "git"
},
{
"lessThan": "23a19655fb56f241e592041156dfb1c6d04da644",
"status": "affected",
"version": "7ba1ba12eeef0aa7113beb16410ef8b7c748e18b",
"versionType": "git"
},
{
"lessThan": "ebc0e91ba76dc6544fff9f5b66408b1982806a00",
"status": "affected",
"version": "7ba1ba12eeef0aa7113beb16410ef8b7c748e18b",
"versionType": "git"
},
{
"lessThan": "899ee2c3829c5ac14bfc7d3c4a5846c0b709b78f",
"status": "affected",
"version": "7ba1ba12eeef0aa7113beb16410ef8b7c748e18b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/bio-integrity.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.27"
},
{
"lessThan": "2.6.27",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.284",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.226",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.44",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.10.*",
"status": "unaffected",
"version": "6.10.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.11",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.322",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.284",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.226",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.165",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.103",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.44",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10.3",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11",
"versionStartIncluding": "2.6.27",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: initialize integrity buffer to zero before writing it to media\n\nMetadata added by bio_integrity_prep is using plain kmalloc, which leads\nto random kernel memory being written media. For PI metadata this is\nlimited to the app tag that isn\u0027t used by kernel generated metadata,\nbut for non-PI metadata the entire buffer leaks kernel memory.\n\nFix this by adding the __GFP_ZERO flag to allocations for writes."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:27:45.701Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9f4af4cf08f9a0329ade3d938f55d2220c40d0a6"
},
{
"url": "https://git.kernel.org/stable/c/129f95948a96105c1fad8e612c9097763e88ac5f"
},
{
"url": "https://git.kernel.org/stable/c/3fd11fe4f20756b4c0847f755a64cd96f8c6a005"
},
{
"url": "https://git.kernel.org/stable/c/cf6b45ea7a8df0f61bded1dc4a8561ac6ad143d2"
},
{
"url": "https://git.kernel.org/stable/c/d418313bd8f55c079a7da12651951b489a638ac1"
},
{
"url": "https://git.kernel.org/stable/c/23a19655fb56f241e592041156dfb1c6d04da644"
},
{
"url": "https://git.kernel.org/stable/c/ebc0e91ba76dc6544fff9f5b66408b1982806a00"
},
{
"url": "https://git.kernel.org/stable/c/899ee2c3829c5ac14bfc7d3c4a5846c0b709b78f"
}
],
"title": "block: initialize integrity buffer to zero before writing it to media",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-43854",
"datePublished": "2024-08-17T09:22:11.297Z",
"dateReserved": "2024-08-17T09:11:59.278Z",
"dateUpdated": "2025-05-04T09:27:45.701Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-42238 (GCVE-0-2024-42238)
Vulnerability from cvelistv5
Published
2024-08-07 15:14
Modified
2025-05-04 09:24
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
firmware: cs_dsp: Return error if block header overflows file
Return an error from cs_dsp_power_up() if a block header is longer
than the amount of data left in the file.
The previous code in cs_dsp_load() and cs_dsp_load_coeff() would loop
while there was enough data left in the file for a valid region. This
protected against overrunning the end of the file data, but it didn't
abort the file processing with an error.
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42238",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T16:13:57.707205Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:34:31.911Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/firmware/cirrus/cs_dsp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b8be70566b33abbd0180105070b4c67cfef8c44f",
"status": "affected",
"version": "f6bc909e7673c30abcbdb329e7d0aa2e83c103d7",
"versionType": "git"
},
{
"lessThan": "90ab191b7d181057d71234e8632e06b5844ac38e",
"status": "affected",
"version": "f6bc909e7673c30abcbdb329e7d0aa2e83c103d7",
"versionType": "git"
},
{
"lessThan": "6eabd23383805725eff416c203688b7a390d4153",
"status": "affected",
"version": "f6bc909e7673c30abcbdb329e7d0aa2e83c103d7",
"versionType": "git"
},
{
"lessThan": "959fe01e85b7241e3ec305d657febbe82da16a02",
"status": "affected",
"version": "f6bc909e7673c30abcbdb329e7d0aa2e83c103d7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/firmware/cirrus/cs_dsp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.100",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.41",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.9.*",
"status": "unaffected",
"version": "6.9.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.10",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.100",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.41",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9.10",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: cs_dsp: Return error if block header overflows file\n\nReturn an error from cs_dsp_power_up() if a block header is longer\nthan the amount of data left in the file.\n\nThe previous code in cs_dsp_load() and cs_dsp_load_coeff() would loop\nwhile there was enough data left in the file for a valid region. This\nprotected against overrunning the end of the file data, but it didn\u0027t\nabort the file processing with an error."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:24:49.417Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b8be70566b33abbd0180105070b4c67cfef8c44f"
},
{
"url": "https://git.kernel.org/stable/c/90ab191b7d181057d71234e8632e06b5844ac38e"
},
{
"url": "https://git.kernel.org/stable/c/6eabd23383805725eff416c203688b7a390d4153"
},
{
"url": "https://git.kernel.org/stable/c/959fe01e85b7241e3ec305d657febbe82da16a02"
}
],
"title": "firmware: cs_dsp: Return error if block header overflows file",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-42238",
"datePublished": "2024-08-07T15:14:26.812Z",
"dateReserved": "2024-07-30T07:40:12.253Z",
"dateUpdated": "2025-05-04T09:24:49.417Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52775 (GCVE-0-2023-52775)
Vulnerability from cvelistv5
Published
2024-05-21 15:30
Modified
2025-05-04 07:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/smc: avoid data corruption caused by decline
We found a data corruption issue during testing of SMC-R on Redis
applications.
The benchmark has a low probability of reporting a strange error as
shown below.
"Error: Protocol error, got "\xe2" as reply type byte"
Finally, we found that the retrieved error data was as follows:
0xE2 0xD4 0xC3 0xD9 0x04 0x00 0x2C 0x20 0xA6 0x56 0x00 0x16 0x3E 0x0C
0xCB 0x04 0x02 0x01 0x00 0x00 0x20 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xE2
It is quite obvious that this is a SMC DECLINE message, which means that
the applications received SMC protocol message.
We found that this was caused by the following situations:
client server
¦ clc proposal
------------->
¦ clc accept
<-------------
¦ clc confirm
------------->
wait llc confirm
send llc confirm
¦failed llc confirm
¦ x------
(after 2s)timeout
wait llc confirm rsp
wait decline
(after 1s) timeout
(after 2s) timeout
¦ decline
-------------->
¦ decline
<--------------
As a result, a decline message was sent in the implementation, and this
message was read from TCP by the already-fallback connection.
This patch double the client timeout as 2x of the server value,
With this simple change, the Decline messages should never cross or
collide (during Confirm link timeout).
This issue requires an immediate solution, since the protocol updates
involve a more long-term solution.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-52775",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-22T18:24:43.628155Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:22:47.888Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:11:35.820Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/5ada292b5c504720a0acef8cae9acc62a694d19c"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/90072af9efe8c7bd7d086709014ddd44cebd5e7c"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/94a0ae698b4d5d5bb598e23228002a1491c50add"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/7234d2b5dffa5af77fd4e0deaebab509e130c6b1"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e6d71b437abc2f249e3b6a1ae1a7228e09c6e563"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/smc/af_smc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5ada292b5c504720a0acef8cae9acc62a694d19c",
"status": "affected",
"version": "0fb0b02bd6fd26cba38002be4a6bbcae2228fd44",
"versionType": "git"
},
{
"lessThan": "90072af9efe8c7bd7d086709014ddd44cebd5e7c",
"status": "affected",
"version": "0fb0b02bd6fd26cba38002be4a6bbcae2228fd44",
"versionType": "git"
},
{
"lessThan": "94a0ae698b4d5d5bb598e23228002a1491c50add",
"status": "affected",
"version": "0fb0b02bd6fd26cba38002be4a6bbcae2228fd44",
"versionType": "git"
},
{
"lessThan": "7234d2b5dffa5af77fd4e0deaebab509e130c6b1",
"status": "affected",
"version": "0fb0b02bd6fd26cba38002be4a6bbcae2228fd44",
"versionType": "git"
},
{
"lessThan": "e6d71b437abc2f249e3b6a1ae1a7228e09c6e563",
"status": "affected",
"version": "0fb0b02bd6fd26cba38002be4a6bbcae2228fd44",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/smc/af_smc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.65",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.7",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.203",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.141",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.65",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.4",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: avoid data corruption caused by decline\n\nWe found a data corruption issue during testing of SMC-R on Redis\napplications.\n\nThe benchmark has a low probability of reporting a strange error as\nshown below.\n\n\"Error: Protocol error, got \"\\xe2\" as reply type byte\"\n\nFinally, we found that the retrieved error data was as follows:\n\n0xE2 0xD4 0xC3 0xD9 0x04 0x00 0x2C 0x20 0xA6 0x56 0x00 0x16 0x3E 0x0C\n0xCB 0x04 0x02 0x01 0x00 0x00 0x20 0x00 0x00 0x00 0x00 0x00 0x00 0x00\n0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xE2\n\nIt is quite obvious that this is a SMC DECLINE message, which means that\nthe applications received SMC protocol message.\nWe found that this was caused by the following situations:\n\nclient server\n \u00a6 clc proposal\n -------------\u003e\n \u00a6 clc accept\n \u003c-------------\n \u00a6 clc confirm\n -------------\u003e\nwait llc confirm\n\t\t\tsend llc confirm\n \u00a6failed llc confirm\n \u00a6 x------\n(after 2s)timeout\n wait llc confirm rsp\n\nwait decline\n\n(after 1s) timeout\n (after 2s) timeout\n \u00a6 decline\n --------------\u003e\n \u00a6 decline\n \u003c--------------\n\nAs a result, a decline message was sent in the implementation, and this\nmessage was read from TCP by the already-fallback connection.\n\nThis patch double the client timeout as 2x of the server value,\nWith this simple change, the Decline messages should never cross or\ncollide (during Confirm link timeout).\n\nThis issue requires an immediate solution, since the protocol updates\ninvolve a more long-term solution."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:42:58.791Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5ada292b5c504720a0acef8cae9acc62a694d19c"
},
{
"url": "https://git.kernel.org/stable/c/90072af9efe8c7bd7d086709014ddd44cebd5e7c"
},
{
"url": "https://git.kernel.org/stable/c/94a0ae698b4d5d5bb598e23228002a1491c50add"
},
{
"url": "https://git.kernel.org/stable/c/7234d2b5dffa5af77fd4e0deaebab509e130c6b1"
},
{
"url": "https://git.kernel.org/stable/c/e6d71b437abc2f249e3b6a1ae1a7228e09c6e563"
}
],
"title": "net/smc: avoid data corruption caused by decline",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52775",
"datePublished": "2024-05-21T15:30:56.247Z",
"dateReserved": "2024-05-21T15:19:24.239Z",
"dateUpdated": "2025-05-04T07:42:58.791Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41007 (GCVE-0-2024-41007)
Vulnerability from cvelistv5
Published
2024-07-15 08:48
Modified
2025-05-04 09:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tcp: avoid too many retransmit packets
If a TCP socket is using TCP_USER_TIMEOUT, and the other peer
retracted its window to zero, tcp_retransmit_timer() can
retransmit a packet every two jiffies (2 ms for HZ=1000),
for about 4 minutes after TCP_USER_TIMEOUT has 'expired'.
The fix is to make sure tcp_rtx_probe0_timed_out() takes
icsk->icsk_user_timeout into account.
Before blamed commit, the socket would not timeout after
icsk->icsk_user_timeout, but would use standard exponential
backoff for the retransmits.
Also worth noting that before commit e89688e3e978 ("net: tcp:
fix unexcepted socket die when snd_wnd is 0"), the issue
would last 2 minutes instead of 4.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: b701a99e431db784714c32fc6b68123045714679 Version: b701a99e431db784714c32fc6b68123045714679 Version: b701a99e431db784714c32fc6b68123045714679 Version: b701a99e431db784714c32fc6b68123045714679 Version: b701a99e431db784714c32fc6b68123045714679 Version: b701a99e431db784714c32fc6b68123045714679 Version: b701a99e431db784714c32fc6b68123045714679 Version: b701a99e431db784714c32fc6b68123045714679 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:39:56.161Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/7bb7670f92bfbd05fc41a8f9a8f358b7ffed65f4"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/d2346fca5bed130dc712f276ac63450201d52969"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/5d7e64d70a11d988553a08239c810a658e841982"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/04317a2471c2f637b4c49cbd0e9c0d04a519f570"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e113cddefa27bbf5a79f72387b8fbd432a61a466"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/dfcdd7f89e401d2c6616be90c76c2fac3fa98fde"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/66cb64a1d2239cd0309f9b5038b05462570a5be1"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/97a9063518f198ec0adb2ecb89789de342bb8283"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41007",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T17:00:52.460807Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:34:18.296Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp_timer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7bb7670f92bfbd05fc41a8f9a8f358b7ffed65f4",
"status": "affected",
"version": "b701a99e431db784714c32fc6b68123045714679",
"versionType": "git"
},
{
"lessThan": "d2346fca5bed130dc712f276ac63450201d52969",
"status": "affected",
"version": "b701a99e431db784714c32fc6b68123045714679",
"versionType": "git"
},
{
"lessThan": "5d7e64d70a11d988553a08239c810a658e841982",
"status": "affected",
"version": "b701a99e431db784714c32fc6b68123045714679",
"versionType": "git"
},
{
"lessThan": "04317a2471c2f637b4c49cbd0e9c0d04a519f570",
"status": "affected",
"version": "b701a99e431db784714c32fc6b68123045714679",
"versionType": "git"
},
{
"lessThan": "e113cddefa27bbf5a79f72387b8fbd432a61a466",
"status": "affected",
"version": "b701a99e431db784714c32fc6b68123045714679",
"versionType": "git"
},
{
"lessThan": "dfcdd7f89e401d2c6616be90c76c2fac3fa98fde",
"status": "affected",
"version": "b701a99e431db784714c32fc6b68123045714679",
"versionType": "git"
},
{
"lessThan": "66cb64a1d2239cd0309f9b5038b05462570a5be1",
"status": "affected",
"version": "b701a99e431db784714c32fc6b68123045714679",
"versionType": "git"
},
{
"lessThan": "97a9063518f198ec0adb2ecb89789de342bb8283",
"status": "affected",
"version": "b701a99e431db784714c32fc6b68123045714679",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp_timer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.318",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.280",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.222",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.100",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.41",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.9.*",
"status": "unaffected",
"version": "6.9.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.10",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.318",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.280",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.222",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.163",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.100",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.41",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9.10",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: avoid too many retransmit packets\n\nIf a TCP socket is using TCP_USER_TIMEOUT, and the other peer\nretracted its window to zero, tcp_retransmit_timer() can\nretransmit a packet every two jiffies (2 ms for HZ=1000),\nfor about 4 minutes after TCP_USER_TIMEOUT has \u0027expired\u0027.\n\nThe fix is to make sure tcp_rtx_probe0_timed_out() takes\nicsk-\u003eicsk_user_timeout into account.\n\nBefore blamed commit, the socket would not timeout after\nicsk-\u003eicsk_user_timeout, but would use standard exponential\nbackoff for the retransmits.\n\nAlso worth noting that before commit e89688e3e978 (\"net: tcp:\nfix unexcepted socket die when snd_wnd is 0\"), the issue\nwould last 2 minutes instead of 4."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:19:56.819Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7bb7670f92bfbd05fc41a8f9a8f358b7ffed65f4"
},
{
"url": "https://git.kernel.org/stable/c/d2346fca5bed130dc712f276ac63450201d52969"
},
{
"url": "https://git.kernel.org/stable/c/5d7e64d70a11d988553a08239c810a658e841982"
},
{
"url": "https://git.kernel.org/stable/c/04317a2471c2f637b4c49cbd0e9c0d04a519f570"
},
{
"url": "https://git.kernel.org/stable/c/e113cddefa27bbf5a79f72387b8fbd432a61a466"
},
{
"url": "https://git.kernel.org/stable/c/dfcdd7f89e401d2c6616be90c76c2fac3fa98fde"
},
{
"url": "https://git.kernel.org/stable/c/66cb64a1d2239cd0309f9b5038b05462570a5be1"
},
{
"url": "https://git.kernel.org/stable/c/97a9063518f198ec0adb2ecb89789de342bb8283"
}
],
"title": "tcp: avoid too many retransmit packets",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-41007",
"datePublished": "2024-07-15T08:48:10.174Z",
"dateReserved": "2024-07-12T12:17:45.610Z",
"dateUpdated": "2025-05-04T09:19:56.819Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52749 (GCVE-0-2023-52749)
Vulnerability from cvelistv5
Published
2024-05-21 15:30
Modified
2025-05-21 08:49
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
spi: Fix null dereference on suspend
A race condition exists where a synchronous (noqueue) transfer can be
active during a system suspend. This can cause a null pointer
dereference exception to occur when the system resumes.
Example order of events leading to the exception:
1. spi_sync() calls __spi_transfer_message_noqueue() which sets
ctlr->cur_msg
2. Spi transfer begins via spi_transfer_one_message()
3. System is suspended interrupting the transfer context
4. System is resumed
6. spi_controller_resume() calls spi_start_queue() which resets cur_msg
to NULL
7. Spi transfer context resumes and spi_finalize_current_message() is
called which dereferences cur_msg (which is now NULL)
Wait for synchronous transfers to complete before suspending by
acquiring the bus mutex and setting/checking a suspend flag.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-52749",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-17T17:36:59.089454Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-17T17:37:26.791Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:11:35.612Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/4ec4508db97502a12daee88c74782e8d35ced068"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/96474ea47dc67b0704392d59192b233c8197db0e"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/bef4a48f4ef798c4feddf045d49e53c8a97d5e37"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi.c",
"include/linux/spi/spi.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4ec4508db97502a12daee88c74782e8d35ced068",
"status": "affected",
"version": "ae7d2346dc89ae89a6e0aabe6037591a11e593c0",
"versionType": "git"
},
{
"lessThan": "96474ea47dc67b0704392d59192b233c8197db0e",
"status": "affected",
"version": "ae7d2346dc89ae89a6e0aabe6037591a11e593c0",
"versionType": "git"
},
{
"lessThan": "bef4a48f4ef798c4feddf045d49e53c8a97d5e37",
"status": "affected",
"version": "ae7d2346dc89ae89a6e0aabe6037591a11e593c0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi.c",
"include/linux/spi/spi.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.7",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.66",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.3",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.7",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: Fix null dereference on suspend\n\nA race condition exists where a synchronous (noqueue) transfer can be\nactive during a system suspend. This can cause a null pointer\ndereference exception to occur when the system resumes.\n\nExample order of events leading to the exception:\n1. spi_sync() calls __spi_transfer_message_noqueue() which sets\n ctlr-\u003ecur_msg\n2. Spi transfer begins via spi_transfer_one_message()\n3. System is suspended interrupting the transfer context\n4. System is resumed\n6. spi_controller_resume() calls spi_start_queue() which resets cur_msg\n to NULL\n7. Spi transfer context resumes and spi_finalize_current_message() is\n called which dereferences cur_msg (which is now NULL)\n\nWait for synchronous transfers to complete before suspending by\nacquiring the bus mutex and setting/checking a suspend flag."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-21T08:49:58.550Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4ec4508db97502a12daee88c74782e8d35ced068"
},
{
"url": "https://git.kernel.org/stable/c/96474ea47dc67b0704392d59192b233c8197db0e"
},
{
"url": "https://git.kernel.org/stable/c/bef4a48f4ef798c4feddf045d49e53c8a97d5e37"
}
],
"title": "spi: Fix null dereference on suspend",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52749",
"datePublished": "2024-05-21T15:30:38.904Z",
"dateReserved": "2024-05-21T15:19:24.234Z",
"dateUpdated": "2025-05-21T08:49:58.550Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-27399 (GCVE-0-2024-27399)
Vulnerability from cvelistv5
Published
2024-05-13 10:24
Modified
2025-05-04 09:04
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout
There is a race condition between l2cap_chan_timeout() and
l2cap_chan_del(). When we use l2cap_chan_del() to delete the
channel, the chan->conn will be set to null. But the conn could
be dereferenced again in the mutex_lock() of l2cap_chan_timeout().
As a result the null pointer dereference bug will happen. The
KASAN report triggered by POC is shown below:
[ 472.074580] ==================================================================
[ 472.075284] BUG: KASAN: null-ptr-deref in mutex_lock+0x68/0xc0
[ 472.075308] Write of size 8 at addr 0000000000000158 by task kworker/0:0/7
[ 472.075308]
[ 472.075308] CPU: 0 PID: 7 Comm: kworker/0:0 Not tainted 6.9.0-rc5-00356-g78c0094a146b #36
[ 472.075308] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4
[ 472.075308] Workqueue: events l2cap_chan_timeout
[ 472.075308] Call Trace:
[ 472.075308] <TASK>
[ 472.075308] dump_stack_lvl+0x137/0x1a0
[ 472.075308] print_report+0x101/0x250
[ 472.075308] ? __virt_addr_valid+0x77/0x160
[ 472.075308] ? mutex_lock+0x68/0xc0
[ 472.075308] kasan_report+0x139/0x170
[ 472.075308] ? mutex_lock+0x68/0xc0
[ 472.075308] kasan_check_range+0x2c3/0x2e0
[ 472.075308] mutex_lock+0x68/0xc0
[ 472.075308] l2cap_chan_timeout+0x181/0x300
[ 472.075308] process_one_work+0x5d2/0xe00
[ 472.075308] worker_thread+0xe1d/0x1660
[ 472.075308] ? pr_cont_work+0x5e0/0x5e0
[ 472.075308] kthread+0x2b7/0x350
[ 472.075308] ? pr_cont_work+0x5e0/0x5e0
[ 472.075308] ? kthread_blkcg+0xd0/0xd0
[ 472.075308] ret_from_fork+0x4d/0x80
[ 472.075308] ? kthread_blkcg+0xd0/0xd0
[ 472.075308] ret_from_fork_asm+0x11/0x20
[ 472.075308] </TASK>
[ 472.075308] ==================================================================
[ 472.094860] Disabling lock debugging due to kernel taint
[ 472.096136] BUG: kernel NULL pointer dereference, address: 0000000000000158
[ 472.096136] #PF: supervisor write access in kernel mode
[ 472.096136] #PF: error_code(0x0002) - not-present page
[ 472.096136] PGD 0 P4D 0
[ 472.096136] Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI
[ 472.096136] CPU: 0 PID: 7 Comm: kworker/0:0 Tainted: G B 6.9.0-rc5-00356-g78c0094a146b #36
[ 472.096136] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4
[ 472.096136] Workqueue: events l2cap_chan_timeout
[ 472.096136] RIP: 0010:mutex_lock+0x88/0xc0
[ 472.096136] Code: be 08 00 00 00 e8 f8 23 1f fd 4c 89 f7 be 08 00 00 00 e8 eb 23 1f fd 42 80 3c 23 00 74 08 48 88
[ 472.096136] RSP: 0018:ffff88800744fc78 EFLAGS: 00000246
[ 472.096136] RAX: 0000000000000000 RBX: 1ffff11000e89f8f RCX: ffffffff8457c865
[ 472.096136] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff88800744fc78
[ 472.096136] RBP: 0000000000000158 R08: ffff88800744fc7f R09: 1ffff11000e89f8f
[ 472.096136] R10: dffffc0000000000 R11: ffffed1000e89f90 R12: dffffc0000000000
[ 472.096136] R13: 0000000000000158 R14: ffff88800744fc78 R15: ffff888007405a00
[ 472.096136] FS: 0000000000000000(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000
[ 472.096136] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 472.096136] CR2: 0000000000000158 CR3: 000000000da32000 CR4: 00000000000006f0
[ 472.096136] Call Trace:
[ 472.096136] <TASK>
[ 472.096136] ? __die_body+0x8d/0xe0
[ 472.096136] ? page_fault_oops+0x6b8/0x9a0
[ 472.096136] ? kernelmode_fixup_or_oops+0x20c/0x2a0
[ 472.096136] ? do_user_addr_fault+0x1027/0x1340
[ 472.096136] ? _printk+0x7a/0xa0
[ 472.096136] ? mutex_lock+0x68/0xc0
[ 472.096136] ? add_taint+0x42/0xd0
[ 472.096136] ? exc_page_fault+0x6a/0x1b0
[ 472.096136] ? asm_exc_page_fault+0x26/0x30
[ 472.096136] ? mutex_lock+0x75/0xc0
[ 472.096136] ? mutex_lock+0x88/0xc0
[ 472.096136] ? mutex_lock+0x75/0xc0
[ 472.096136] l2cap_chan_timeo
---truncated---
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 3df91ea20e744344100b10ae69a17211fcf5b207 Version: 3df91ea20e744344100b10ae69a17211fcf5b207 Version: 3df91ea20e744344100b10ae69a17211fcf5b207 Version: 3df91ea20e744344100b10ae69a17211fcf5b207 Version: 3df91ea20e744344100b10ae69a17211fcf5b207 Version: 3df91ea20e744344100b10ae69a17211fcf5b207 Version: 3df91ea20e744344100b10ae69a17211fcf5b207 Version: 3df91ea20e744344100b10ae69a17211fcf5b207 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-27399",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-13T20:21:44.727650Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T17:22:50.323Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-09-26T15:03:06.207Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e137e2ba96e51902dc2878131823a96bf8e638ae"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/6466ee65e5b27161c846c73ef407f49dfa1bd1d9"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/06acb75e7ed600d0bbf7bff5628aa8f24a97978c"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e97e16433eb4533083b096a3824b93a5ca3aee79"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/8960ff650aec70485b40771cd8e6e8c4cb467d33"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/955b5b6c54d95b5e7444dfc81c95c8e013f27ac0"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/eb86f955488c39526534211f2610e48a5cf8ead4"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/adf0398cee86643b8eacde95f17d073d022f782c"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OTB4HWU2PTVW5NEYHHLOCXDKG3PYA534/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DW2MIOIMOFUSNLHLRYX23AFR36BMKD65/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240926-0001/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e137e2ba96e51902dc2878131823a96bf8e638ae",
"status": "affected",
"version": "3df91ea20e744344100b10ae69a17211fcf5b207",
"versionType": "git"
},
{
"lessThan": "6466ee65e5b27161c846c73ef407f49dfa1bd1d9",
"status": "affected",
"version": "3df91ea20e744344100b10ae69a17211fcf5b207",
"versionType": "git"
},
{
"lessThan": "06acb75e7ed600d0bbf7bff5628aa8f24a97978c",
"status": "affected",
"version": "3df91ea20e744344100b10ae69a17211fcf5b207",
"versionType": "git"
},
{
"lessThan": "e97e16433eb4533083b096a3824b93a5ca3aee79",
"status": "affected",
"version": "3df91ea20e744344100b10ae69a17211fcf5b207",
"versionType": "git"
},
{
"lessThan": "8960ff650aec70485b40771cd8e6e8c4cb467d33",
"status": "affected",
"version": "3df91ea20e744344100b10ae69a17211fcf5b207",
"versionType": "git"
},
{
"lessThan": "955b5b6c54d95b5e7444dfc81c95c8e013f27ac0",
"status": "affected",
"version": "3df91ea20e744344100b10ae69a17211fcf5b207",
"versionType": "git"
},
{
"lessThan": "eb86f955488c39526534211f2610e48a5cf8ead4",
"status": "affected",
"version": "3df91ea20e744344100b10ae69a17211fcf5b207",
"versionType": "git"
},
{
"lessThan": "adf0398cee86643b8eacde95f17d073d022f782c",
"status": "affected",
"version": "3df91ea20e744344100b10ae69a17211fcf5b207",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.4"
},
{
"lessThan": "3.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.314",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.217",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.31",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.9",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.314",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.276",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.217",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.159",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.91",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.31",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.10",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9",
"versionStartIncluding": "3.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout\n\nThere is a race condition between l2cap_chan_timeout() and\nl2cap_chan_del(). When we use l2cap_chan_del() to delete the\nchannel, the chan-\u003econn will be set to null. But the conn could\nbe dereferenced again in the mutex_lock() of l2cap_chan_timeout().\nAs a result the null pointer dereference bug will happen. The\nKASAN report triggered by POC is shown below:\n\n[ 472.074580] ==================================================================\n[ 472.075284] BUG: KASAN: null-ptr-deref in mutex_lock+0x68/0xc0\n[ 472.075308] Write of size 8 at addr 0000000000000158 by task kworker/0:0/7\n[ 472.075308]\n[ 472.075308] CPU: 0 PID: 7 Comm: kworker/0:0 Not tainted 6.9.0-rc5-00356-g78c0094a146b #36\n[ 472.075308] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4\n[ 472.075308] Workqueue: events l2cap_chan_timeout\n[ 472.075308] Call Trace:\n[ 472.075308] \u003cTASK\u003e\n[ 472.075308] dump_stack_lvl+0x137/0x1a0\n[ 472.075308] print_report+0x101/0x250\n[ 472.075308] ? __virt_addr_valid+0x77/0x160\n[ 472.075308] ? mutex_lock+0x68/0xc0\n[ 472.075308] kasan_report+0x139/0x170\n[ 472.075308] ? mutex_lock+0x68/0xc0\n[ 472.075308] kasan_check_range+0x2c3/0x2e0\n[ 472.075308] mutex_lock+0x68/0xc0\n[ 472.075308] l2cap_chan_timeout+0x181/0x300\n[ 472.075308] process_one_work+0x5d2/0xe00\n[ 472.075308] worker_thread+0xe1d/0x1660\n[ 472.075308] ? pr_cont_work+0x5e0/0x5e0\n[ 472.075308] kthread+0x2b7/0x350\n[ 472.075308] ? pr_cont_work+0x5e0/0x5e0\n[ 472.075308] ? kthread_blkcg+0xd0/0xd0\n[ 472.075308] ret_from_fork+0x4d/0x80\n[ 472.075308] ? kthread_blkcg+0xd0/0xd0\n[ 472.075308] ret_from_fork_asm+0x11/0x20\n[ 472.075308] \u003c/TASK\u003e\n[ 472.075308] ==================================================================\n[ 472.094860] Disabling lock debugging due to kernel taint\n[ 472.096136] BUG: kernel NULL pointer dereference, address: 0000000000000158\n[ 472.096136] #PF: supervisor write access in kernel mode\n[ 472.096136] #PF: error_code(0x0002) - not-present page\n[ 472.096136] PGD 0 P4D 0\n[ 472.096136] Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI\n[ 472.096136] CPU: 0 PID: 7 Comm: kworker/0:0 Tainted: G B 6.9.0-rc5-00356-g78c0094a146b #36\n[ 472.096136] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4\n[ 472.096136] Workqueue: events l2cap_chan_timeout\n[ 472.096136] RIP: 0010:mutex_lock+0x88/0xc0\n[ 472.096136] Code: be 08 00 00 00 e8 f8 23 1f fd 4c 89 f7 be 08 00 00 00 e8 eb 23 1f fd 42 80 3c 23 00 74 08 48 88\n[ 472.096136] RSP: 0018:ffff88800744fc78 EFLAGS: 00000246\n[ 472.096136] RAX: 0000000000000000 RBX: 1ffff11000e89f8f RCX: ffffffff8457c865\n[ 472.096136] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff88800744fc78\n[ 472.096136] RBP: 0000000000000158 R08: ffff88800744fc7f R09: 1ffff11000e89f8f\n[ 472.096136] R10: dffffc0000000000 R11: ffffed1000e89f90 R12: dffffc0000000000\n[ 472.096136] R13: 0000000000000158 R14: ffff88800744fc78 R15: ffff888007405a00\n[ 472.096136] FS: 0000000000000000(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000\n[ 472.096136] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 472.096136] CR2: 0000000000000158 CR3: 000000000da32000 CR4: 00000000000006f0\n[ 472.096136] Call Trace:\n[ 472.096136] \u003cTASK\u003e\n[ 472.096136] ? __die_body+0x8d/0xe0\n[ 472.096136] ? page_fault_oops+0x6b8/0x9a0\n[ 472.096136] ? kernelmode_fixup_or_oops+0x20c/0x2a0\n[ 472.096136] ? do_user_addr_fault+0x1027/0x1340\n[ 472.096136] ? _printk+0x7a/0xa0\n[ 472.096136] ? mutex_lock+0x68/0xc0\n[ 472.096136] ? add_taint+0x42/0xd0\n[ 472.096136] ? exc_page_fault+0x6a/0x1b0\n[ 472.096136] ? asm_exc_page_fault+0x26/0x30\n[ 472.096136] ? mutex_lock+0x75/0xc0\n[ 472.096136] ? mutex_lock+0x88/0xc0\n[ 472.096136] ? mutex_lock+0x75/0xc0\n[ 472.096136] l2cap_chan_timeo\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:04:11.047Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e137e2ba96e51902dc2878131823a96bf8e638ae"
},
{
"url": "https://git.kernel.org/stable/c/6466ee65e5b27161c846c73ef407f49dfa1bd1d9"
},
{
"url": "https://git.kernel.org/stable/c/06acb75e7ed600d0bbf7bff5628aa8f24a97978c"
},
{
"url": "https://git.kernel.org/stable/c/e97e16433eb4533083b096a3824b93a5ca3aee79"
},
{
"url": "https://git.kernel.org/stable/c/8960ff650aec70485b40771cd8e6e8c4cb467d33"
},
{
"url": "https://git.kernel.org/stable/c/955b5b6c54d95b5e7444dfc81c95c8e013f27ac0"
},
{
"url": "https://git.kernel.org/stable/c/eb86f955488c39526534211f2610e48a5cf8ead4"
},
{
"url": "https://git.kernel.org/stable/c/adf0398cee86643b8eacde95f17d073d022f782c"
}
],
"title": "Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-27399",
"datePublished": "2024-05-13T10:24:57.045Z",
"dateReserved": "2024-02-25T13:47:42.681Z",
"dateUpdated": "2025-05-04T09:04:11.047Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-40997 (GCVE-0-2024-40997)
Vulnerability from cvelistv5
Published
2024-07-12 12:37
Modified
2025-05-04 09:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
cpufreq: amd-pstate: fix memory leak on CPU EPP exit
The cpudata memory from kzalloc() in amd_pstate_epp_cpu_init() is
not freed in the analogous exit function, so fix that.
[ rjw: Subject and changelog edits ]
References
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:39:56.139Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/448efb7ea0bfa2c4e27c5a2eb5684fd225cd12cd"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/8015c17fe11a8608cc3eb83d0ab831e1845a9582"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/cea04f3d9aeebda9d9c063c0dfa71e739c322c81"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-40997",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T17:01:28.872143Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:34:19.570Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/cpufreq/amd-pstate.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "448efb7ea0bfa2c4e27c5a2eb5684fd225cd12cd",
"status": "affected",
"version": "ffa5096a7c338641f70fb06d4778e8cf400181a8",
"versionType": "git"
},
{
"lessThan": "8015c17fe11a8608cc3eb83d0ab831e1845a9582",
"status": "affected",
"version": "ffa5096a7c338641f70fb06d4778e8cf400181a8",
"versionType": "git"
},
{
"lessThan": "cea04f3d9aeebda9d9c063c0dfa71e739c322c81",
"status": "affected",
"version": "ffa5096a7c338641f70fb06d4778e8cf400181a8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/cpufreq/amd-pstate.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.9.*",
"status": "unaffected",
"version": "6.9.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.10",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.36",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9.7",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: amd-pstate: fix memory leak on CPU EPP exit\n\nThe cpudata memory from kzalloc() in amd_pstate_epp_cpu_init() is\nnot freed in the analogous exit function, so fix that.\n\n[ rjw: Subject and changelog edits ]"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:19:39.229Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/448efb7ea0bfa2c4e27c5a2eb5684fd225cd12cd"
},
{
"url": "https://git.kernel.org/stable/c/8015c17fe11a8608cc3eb83d0ab831e1845a9582"
},
{
"url": "https://git.kernel.org/stable/c/cea04f3d9aeebda9d9c063c0dfa71e739c322c81"
}
],
"title": "cpufreq: amd-pstate: fix memory leak on CPU EPP exit",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-40997",
"datePublished": "2024-07-12T12:37:39.128Z",
"dateReserved": "2024-07-12T12:17:45.607Z",
"dateUpdated": "2025-05-04T09:19:39.229Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-37356 (GCVE-0-2024-37356)
Vulnerability from cvelistv5
Published
2024-06-21 10:18
Modified
2025-05-04 09:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tcp: Fix shift-out-of-bounds in dctcp_update_alpha().
In dctcp_update_alpha(), we use a module parameter dctcp_shift_g
as follows:
alpha -= min_not_zero(alpha, alpha >> dctcp_shift_g);
...
delivered_ce <<= (10 - dctcp_shift_g);
It seems syzkaller started fuzzing module parameters and triggered
shift-out-of-bounds [0] by setting 100 to dctcp_shift_g:
memcpy((void*)0x20000080,
"/sys/module/tcp_dctcp/parameters/dctcp_shift_g\000", 47);
res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x20000080ul,
/*flags=*/2ul, /*mode=*/0ul);
memcpy((void*)0x20000000, "100\000", 4);
syscall(__NR_write, /*fd=*/r[0], /*val=*/0x20000000ul, /*len=*/4ul);
Let's limit the max value of dctcp_shift_g by param_set_uint_minmax().
With this patch:
# echo 10 > /sys/module/tcp_dctcp/parameters/dctcp_shift_g
# cat /sys/module/tcp_dctcp/parameters/dctcp_shift_g
10
# echo 11 > /sys/module/tcp_dctcp/parameters/dctcp_shift_g
-bash: echo: write error: Invalid argument
[0]:
UBSAN: shift-out-of-bounds in net/ipv4/tcp_dctcp.c:143:12
shift exponent 100 is too large for 32-bit type 'u32' (aka 'unsigned int')
CPU: 0 PID: 8083 Comm: syz-executor345 Not tainted 6.9.0-05151-g1b294a1f3561 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x201/0x300 lib/dump_stack.c:114
ubsan_epilogue lib/ubsan.c:231 [inline]
__ubsan_handle_shift_out_of_bounds+0x346/0x3a0 lib/ubsan.c:468
dctcp_update_alpha+0x540/0x570 net/ipv4/tcp_dctcp.c:143
tcp_in_ack_event net/ipv4/tcp_input.c:3802 [inline]
tcp_ack+0x17b1/0x3bc0 net/ipv4/tcp_input.c:3948
tcp_rcv_state_process+0x57a/0x2290 net/ipv4/tcp_input.c:6711
tcp_v4_do_rcv+0x764/0xc40 net/ipv4/tcp_ipv4.c:1937
sk_backlog_rcv include/net/sock.h:1106 [inline]
__release_sock+0x20f/0x350 net/core/sock.c:2983
release_sock+0x61/0x1f0 net/core/sock.c:3549
mptcp_subflow_shutdown+0x3d0/0x620 net/mptcp/protocol.c:2907
mptcp_check_send_data_fin+0x225/0x410 net/mptcp/protocol.c:2976
__mptcp_close+0x238/0xad0 net/mptcp/protocol.c:3072
mptcp_close+0x2a/0x1a0 net/mptcp/protocol.c:3127
inet_release+0x190/0x1f0 net/ipv4/af_inet.c:437
__sock_release net/socket.c:659 [inline]
sock_close+0xc0/0x240 net/socket.c:1421
__fput+0x41b/0x890 fs/file_table.c:422
task_work_run+0x23b/0x300 kernel/task_work.c:180
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0x9c8/0x2540 kernel/exit.c:878
do_group_exit+0x201/0x2b0 kernel/exit.c:1027
__do_sys_exit_group kernel/exit.c:1038 [inline]
__se_sys_exit_group kernel/exit.c:1036 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1036
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xe4/0x240 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x67/0x6f
RIP: 0033:0x7f6c2b5005b6
Code: Unable to access opcode bytes at 0x7f6c2b50058c.
RSP: 002b:00007ffe883eb948 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007f6c2b5862f0 RCX: 00007f6c2b5005b6
RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
RBP: 0000000000000001 R08: 00000000000000e7 R09: ffffffffffffffc0
R10: 0000000000000006 R11: 0000000000000246 R12: 00007f6c2b5862f0
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
</TASK>
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: e3118e8359bb7c59555aca60c725106e6d78c5ce Version: e3118e8359bb7c59555aca60c725106e6d78c5ce Version: e3118e8359bb7c59555aca60c725106e6d78c5ce Version: e3118e8359bb7c59555aca60c725106e6d78c5ce Version: e3118e8359bb7c59555aca60c725106e6d78c5ce Version: e3118e8359bb7c59555aca60c725106e6d78c5ce Version: e3118e8359bb7c59555aca60c725106e6d78c5ce Version: e3118e8359bb7c59555aca60c725106e6d78c5ce |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-37356",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-21T13:56:45.436880Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-21T13:57:55.391Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:50:55.998Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/06d0fe049b51b0a92a70df8333fd85c4ba3eb2c6"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/6aacaa80d962f4916ccf90e2080306cec6c90fcf"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e9b2f60636d18dfd0dd4965b3316f88dfd6a2b31"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/8602150286a2a860a1dc55cbd04f99316f19b40a"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e65d13ec00a738fa7661925fd5929ab3c765d4be"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/02261d3f9dc7d1d7be7d778f839e3404ab99034c"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/237340dee373b97833a491d2e99fcf1d4a9adafd"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/3ebc46ca8675de6378e3f8f40768e180bb8afa66"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp_dctcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "06d0fe049b51b0a92a70df8333fd85c4ba3eb2c6",
"status": "affected",
"version": "e3118e8359bb7c59555aca60c725106e6d78c5ce",
"versionType": "git"
},
{
"lessThan": "6aacaa80d962f4916ccf90e2080306cec6c90fcf",
"status": "affected",
"version": "e3118e8359bb7c59555aca60c725106e6d78c5ce",
"versionType": "git"
},
{
"lessThan": "e9b2f60636d18dfd0dd4965b3316f88dfd6a2b31",
"status": "affected",
"version": "e3118e8359bb7c59555aca60c725106e6d78c5ce",
"versionType": "git"
},
{
"lessThan": "8602150286a2a860a1dc55cbd04f99316f19b40a",
"status": "affected",
"version": "e3118e8359bb7c59555aca60c725106e6d78c5ce",
"versionType": "git"
},
{
"lessThan": "e65d13ec00a738fa7661925fd5929ab3c765d4be",
"status": "affected",
"version": "e3118e8359bb7c59555aca60c725106e6d78c5ce",
"versionType": "git"
},
{
"lessThan": "02261d3f9dc7d1d7be7d778f839e3404ab99034c",
"status": "affected",
"version": "e3118e8359bb7c59555aca60c725106e6d78c5ce",
"versionType": "git"
},
{
"lessThan": "237340dee373b97833a491d2e99fcf1d4a9adafd",
"status": "affected",
"version": "e3118e8359bb7c59555aca60c725106e6d78c5ce",
"versionType": "git"
},
{
"lessThan": "3ebc46ca8675de6378e3f8f40768e180bb8afa66",
"status": "affected",
"version": "e3118e8359bb7c59555aca60c725106e6d78c5ce",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp_dctcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.18"
},
{
"lessThan": "3.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.316",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.278",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.219",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.9.*",
"status": "unaffected",
"version": "6.9.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.10",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.316",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.278",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.219",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.161",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.93",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.33",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9.4",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10",
"versionStartIncluding": "3.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Fix shift-out-of-bounds in dctcp_update_alpha().\n\nIn dctcp_update_alpha(), we use a module parameter dctcp_shift_g\nas follows:\n\n alpha -= min_not_zero(alpha, alpha \u003e\u003e dctcp_shift_g);\n ...\n delivered_ce \u003c\u003c= (10 - dctcp_shift_g);\n\nIt seems syzkaller started fuzzing module parameters and triggered\nshift-out-of-bounds [0] by setting 100 to dctcp_shift_g:\n\n memcpy((void*)0x20000080,\n \"/sys/module/tcp_dctcp/parameters/dctcp_shift_g\\000\", 47);\n res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x20000080ul,\n /*flags=*/2ul, /*mode=*/0ul);\n memcpy((void*)0x20000000, \"100\\000\", 4);\n syscall(__NR_write, /*fd=*/r[0], /*val=*/0x20000000ul, /*len=*/4ul);\n\nLet\u0027s limit the max value of dctcp_shift_g by param_set_uint_minmax().\n\nWith this patch:\n\n # echo 10 \u003e /sys/module/tcp_dctcp/parameters/dctcp_shift_g\n # cat /sys/module/tcp_dctcp/parameters/dctcp_shift_g\n 10\n # echo 11 \u003e /sys/module/tcp_dctcp/parameters/dctcp_shift_g\n -bash: echo: write error: Invalid argument\n\n[0]:\nUBSAN: shift-out-of-bounds in net/ipv4/tcp_dctcp.c:143:12\nshift exponent 100 is too large for 32-bit type \u0027u32\u0027 (aka \u0027unsigned int\u0027)\nCPU: 0 PID: 8083 Comm: syz-executor345 Not tainted 6.9.0-05151-g1b294a1f3561 #2\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.13.0-1ubuntu1.1 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x201/0x300 lib/dump_stack.c:114\n ubsan_epilogue lib/ubsan.c:231 [inline]\n __ubsan_handle_shift_out_of_bounds+0x346/0x3a0 lib/ubsan.c:468\n dctcp_update_alpha+0x540/0x570 net/ipv4/tcp_dctcp.c:143\n tcp_in_ack_event net/ipv4/tcp_input.c:3802 [inline]\n tcp_ack+0x17b1/0x3bc0 net/ipv4/tcp_input.c:3948\n tcp_rcv_state_process+0x57a/0x2290 net/ipv4/tcp_input.c:6711\n tcp_v4_do_rcv+0x764/0xc40 net/ipv4/tcp_ipv4.c:1937\n sk_backlog_rcv include/net/sock.h:1106 [inline]\n __release_sock+0x20f/0x350 net/core/sock.c:2983\n release_sock+0x61/0x1f0 net/core/sock.c:3549\n mptcp_subflow_shutdown+0x3d0/0x620 net/mptcp/protocol.c:2907\n mptcp_check_send_data_fin+0x225/0x410 net/mptcp/protocol.c:2976\n __mptcp_close+0x238/0xad0 net/mptcp/protocol.c:3072\n mptcp_close+0x2a/0x1a0 net/mptcp/protocol.c:3127\n inet_release+0x190/0x1f0 net/ipv4/af_inet.c:437\n __sock_release net/socket.c:659 [inline]\n sock_close+0xc0/0x240 net/socket.c:1421\n __fput+0x41b/0x890 fs/file_table.c:422\n task_work_run+0x23b/0x300 kernel/task_work.c:180\n exit_task_work include/linux/task_work.h:38 [inline]\n do_exit+0x9c8/0x2540 kernel/exit.c:878\n do_group_exit+0x201/0x2b0 kernel/exit.c:1027\n __do_sys_exit_group kernel/exit.c:1038 [inline]\n __se_sys_exit_group kernel/exit.c:1036 [inline]\n __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1036\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xe4/0x240 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x67/0x6f\nRIP: 0033:0x7f6c2b5005b6\nCode: Unable to access opcode bytes at 0x7f6c2b50058c.\nRSP: 002b:00007ffe883eb948 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7\nRAX: ffffffffffffffda RBX: 00007f6c2b5862f0 RCX: 00007f6c2b5005b6\nRDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001\nRBP: 0000000000000001 R08: 00000000000000e7 R09: ffffffffffffffc0\nR10: 0000000000000006 R11: 0000000000000246 R12: 00007f6c2b5862f0\nR13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001\n \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:13:22.548Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/06d0fe049b51b0a92a70df8333fd85c4ba3eb2c6"
},
{
"url": "https://git.kernel.org/stable/c/6aacaa80d962f4916ccf90e2080306cec6c90fcf"
},
{
"url": "https://git.kernel.org/stable/c/e9b2f60636d18dfd0dd4965b3316f88dfd6a2b31"
},
{
"url": "https://git.kernel.org/stable/c/8602150286a2a860a1dc55cbd04f99316f19b40a"
},
{
"url": "https://git.kernel.org/stable/c/e65d13ec00a738fa7661925fd5929ab3c765d4be"
},
{
"url": "https://git.kernel.org/stable/c/02261d3f9dc7d1d7be7d778f839e3404ab99034c"
},
{
"url": "https://git.kernel.org/stable/c/237340dee373b97833a491d2e99fcf1d4a9adafd"
},
{
"url": "https://git.kernel.org/stable/c/3ebc46ca8675de6378e3f8f40768e180bb8afa66"
}
],
"title": "tcp: Fix shift-out-of-bounds in dctcp_update_alpha().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-37356",
"datePublished": "2024-06-21T10:18:11.642Z",
"dateReserved": "2024-06-21T10:13:16.306Z",
"dateUpdated": "2025-05-04T09:13:22.548Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41041 (GCVE-0-2024-41041)
Vulnerability from cvelistv5
Published
2024-07-29 14:31
Modified
2025-05-04 09:20
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
udp: Set SOCK_RCU_FREE earlier in udp_lib_get_port().
syzkaller triggered the warning [0] in udp_v4_early_demux().
In udp_v[46]_early_demux() and sk_lookup(), we do not touch the refcount
of the looked-up sk and use sock_pfree() as skb->destructor, so we check
SOCK_RCU_FREE to ensure that the sk is safe to access during the RCU grace
period.
Currently, SOCK_RCU_FREE is flagged for a bound socket after being put
into the hash table. Moreover, the SOCK_RCU_FREE check is done too early
in udp_v[46]_early_demux() and sk_lookup(), so there could be a small race
window:
CPU1 CPU2
---- ----
udp_v4_early_demux() udp_lib_get_port()
| |- hlist_add_head_rcu()
|- sk = __udp4_lib_demux_lookup() |
|- DEBUG_NET_WARN_ON_ONCE(sk_is_refcounted(sk));
`- sock_set_flag(sk, SOCK_RCU_FREE)
We had the same bug in TCP and fixed it in commit 871019b22d1b ("net:
set SOCK_RCU_FREE before inserting socket into hashtable").
Let's apply the same fix for UDP.
[0]:
WARNING: CPU: 0 PID: 11198 at net/ipv4/udp.c:2599 udp_v4_early_demux+0x481/0xb70 net/ipv4/udp.c:2599
Modules linked in:
CPU: 0 PID: 11198 Comm: syz-executor.1 Not tainted 6.9.0-g93bda33046e7 #13
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
RIP: 0010:udp_v4_early_demux+0x481/0xb70 net/ipv4/udp.c:2599
Code: c5 7a 15 fe bb 01 00 00 00 44 89 e9 31 ff d3 e3 81 e3 bf ef ff ff 89 de e8 2c 74 15 fe 85 db 0f 85 02 06 00 00 e8 9f 7a 15 fe <0f> 0b e8 98 7a 15 fe 49 8d 7e 60 e8 4f 39 2f fe 49 c7 46 60 20 52
RSP: 0018:ffffc9000ce3fa58 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8318c92c
RDX: ffff888036ccde00 RSI: ffffffff8318c2f1 RDI: 0000000000000001
RBP: ffff88805a2dd6e0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0001ffffffffffff R12: ffff88805a2dd680
R13: 0000000000000007 R14: ffff88800923f900 R15: ffff88805456004e
FS: 00007fc449127640(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc449126e38 CR3: 000000003de4b002 CR4: 0000000000770ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
PKRU: 55555554
Call Trace:
<TASK>
ip_rcv_finish_core.constprop.0+0xbdd/0xd20 net/ipv4/ip_input.c:349
ip_rcv_finish+0xda/0x150 net/ipv4/ip_input.c:447
NF_HOOK include/linux/netfilter.h:314 [inline]
NF_HOOK include/linux/netfilter.h:308 [inline]
ip_rcv+0x16c/0x180 net/ipv4/ip_input.c:569
__netif_receive_skb_one_core+0xb3/0xe0 net/core/dev.c:5624
__netif_receive_skb+0x21/0xd0 net/core/dev.c:5738
netif_receive_skb_internal net/core/dev.c:5824 [inline]
netif_receive_skb+0x271/0x300 net/core/dev.c:5884
tun_rx_batched drivers/net/tun.c:1549 [inline]
tun_get_user+0x24db/0x2c50 drivers/net/tun.c:2002
tun_chr_write_iter+0x107/0x1a0 drivers/net/tun.c:2048
new_sync_write fs/read_write.c:497 [inline]
vfs_write+0x76f/0x8d0 fs/read_write.c:590
ksys_write+0xbf/0x190 fs/read_write.c:643
__do_sys_write fs/read_write.c:655 [inline]
__se_sys_write fs/read_write.c:652 [inline]
__x64_sys_write+0x41/0x50 fs/read_write.c:652
x64_sys_call+0xe66/0x1990 arch/x86/include/generated/asm/syscalls_64.h:2
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x4b/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7fc44a68bc1f
Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 e9 cf f5 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 3c d0 f5 ff 48
RSP: 002b:00007fc449126c90 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00000000004bc050 RCX: 00007fc44a68bc1f
R
---truncated---
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 6acc9b432e6714d72d7d77ec7c27f6f8358d0c71 Version: 6acc9b432e6714d72d7d77ec7c27f6f8358d0c71 Version: 6acc9b432e6714d72d7d77ec7c27f6f8358d0c71 Version: 6acc9b432e6714d72d7d77ec7c27f6f8358d0c71 Version: 6acc9b432e6714d72d7d77ec7c27f6f8358d0c71 Version: 6acc9b432e6714d72d7d77ec7c27f6f8358d0c71 Version: 6acc9b432e6714d72d7d77ec7c27f6f8358d0c71 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:39:56.185Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/7a67c4e47626e6daccda62888f8b096abb5d3940"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/9f965684c57c3117cfd2f754dd3270383c529fba"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/ddf516e50bf8a7bc9b3bd8a9831f9c7a8131a32a"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/a6db0d3ea6536e7120871e5448b3032570152ec6"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/c5fd77ca13d657c6e99bf04f0917445e6a80231e"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/20ceae10623c3b29fdf7609690849475bcdebdb0"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/5c0b485a8c6116516f33925b9ce5b6104a6eadfd"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41041",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T16:23:13.757861Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:32:58.050Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/udp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7a67c4e47626e6daccda62888f8b096abb5d3940",
"status": "affected",
"version": "6acc9b432e6714d72d7d77ec7c27f6f8358d0c71",
"versionType": "git"
},
{
"lessThan": "9f965684c57c3117cfd2f754dd3270383c529fba",
"status": "affected",
"version": "6acc9b432e6714d72d7d77ec7c27f6f8358d0c71",
"versionType": "git"
},
{
"lessThan": "ddf516e50bf8a7bc9b3bd8a9831f9c7a8131a32a",
"status": "affected",
"version": "6acc9b432e6714d72d7d77ec7c27f6f8358d0c71",
"versionType": "git"
},
{
"lessThan": "a6db0d3ea6536e7120871e5448b3032570152ec6",
"status": "affected",
"version": "6acc9b432e6714d72d7d77ec7c27f6f8358d0c71",
"versionType": "git"
},
{
"lessThan": "c5fd77ca13d657c6e99bf04f0917445e6a80231e",
"status": "affected",
"version": "6acc9b432e6714d72d7d77ec7c27f6f8358d0c71",
"versionType": "git"
},
{
"lessThan": "20ceae10623c3b29fdf7609690849475bcdebdb0",
"status": "affected",
"version": "6acc9b432e6714d72d7d77ec7c27f6f8358d0c71",
"versionType": "git"
},
{
"lessThan": "5c0b485a8c6116516f33925b9ce5b6104a6eadfd",
"status": "affected",
"version": "6acc9b432e6714d72d7d77ec7c27f6f8358d0c71",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/udp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.280",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.222",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.100",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.41",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.9.*",
"status": "unaffected",
"version": "6.9.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.10",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.280",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.222",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.163",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.100",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.41",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9.10",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nudp: Set SOCK_RCU_FREE earlier in udp_lib_get_port().\n\nsyzkaller triggered the warning [0] in udp_v4_early_demux().\n\nIn udp_v[46]_early_demux() and sk_lookup(), we do not touch the refcount\nof the looked-up sk and use sock_pfree() as skb-\u003edestructor, so we check\nSOCK_RCU_FREE to ensure that the sk is safe to access during the RCU grace\nperiod.\n\nCurrently, SOCK_RCU_FREE is flagged for a bound socket after being put\ninto the hash table. Moreover, the SOCK_RCU_FREE check is done too early\nin udp_v[46]_early_demux() and sk_lookup(), so there could be a small race\nwindow:\n\n CPU1 CPU2\n ---- ----\n udp_v4_early_demux() udp_lib_get_port()\n | |- hlist_add_head_rcu()\n |- sk = __udp4_lib_demux_lookup() |\n |- DEBUG_NET_WARN_ON_ONCE(sk_is_refcounted(sk));\n `- sock_set_flag(sk, SOCK_RCU_FREE)\n\nWe had the same bug in TCP and fixed it in commit 871019b22d1b (\"net:\nset SOCK_RCU_FREE before inserting socket into hashtable\").\n\nLet\u0027s apply the same fix for UDP.\n\n[0]:\nWARNING: CPU: 0 PID: 11198 at net/ipv4/udp.c:2599 udp_v4_early_demux+0x481/0xb70 net/ipv4/udp.c:2599\nModules linked in:\nCPU: 0 PID: 11198 Comm: syz-executor.1 Not tainted 6.9.0-g93bda33046e7 #13\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nRIP: 0010:udp_v4_early_demux+0x481/0xb70 net/ipv4/udp.c:2599\nCode: c5 7a 15 fe bb 01 00 00 00 44 89 e9 31 ff d3 e3 81 e3 bf ef ff ff 89 de e8 2c 74 15 fe 85 db 0f 85 02 06 00 00 e8 9f 7a 15 fe \u003c0f\u003e 0b e8 98 7a 15 fe 49 8d 7e 60 e8 4f 39 2f fe 49 c7 46 60 20 52\nRSP: 0018:ffffc9000ce3fa58 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8318c92c\nRDX: ffff888036ccde00 RSI: ffffffff8318c2f1 RDI: 0000000000000001\nRBP: ffff88805a2dd6e0 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000000 R11: 0001ffffffffffff R12: ffff88805a2dd680\nR13: 0000000000000007 R14: ffff88800923f900 R15: ffff88805456004e\nFS: 00007fc449127640(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fc449126e38 CR3: 000000003de4b002 CR4: 0000000000770ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600\nPKRU: 55555554\nCall Trace:\n \u003cTASK\u003e\n ip_rcv_finish_core.constprop.0+0xbdd/0xd20 net/ipv4/ip_input.c:349\n ip_rcv_finish+0xda/0x150 net/ipv4/ip_input.c:447\n NF_HOOK include/linux/netfilter.h:314 [inline]\n NF_HOOK include/linux/netfilter.h:308 [inline]\n ip_rcv+0x16c/0x180 net/ipv4/ip_input.c:569\n __netif_receive_skb_one_core+0xb3/0xe0 net/core/dev.c:5624\n __netif_receive_skb+0x21/0xd0 net/core/dev.c:5738\n netif_receive_skb_internal net/core/dev.c:5824 [inline]\n netif_receive_skb+0x271/0x300 net/core/dev.c:5884\n tun_rx_batched drivers/net/tun.c:1549 [inline]\n tun_get_user+0x24db/0x2c50 drivers/net/tun.c:2002\n tun_chr_write_iter+0x107/0x1a0 drivers/net/tun.c:2048\n new_sync_write fs/read_write.c:497 [inline]\n vfs_write+0x76f/0x8d0 fs/read_write.c:590\n ksys_write+0xbf/0x190 fs/read_write.c:643\n __do_sys_write fs/read_write.c:655 [inline]\n __se_sys_write fs/read_write.c:652 [inline]\n __x64_sys_write+0x41/0x50 fs/read_write.c:652\n x64_sys_call+0xe66/0x1990 arch/x86/include/generated/asm/syscalls_64.h:2\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x4b/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\nRIP: 0033:0x7fc44a68bc1f\nCode: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 e9 cf f5 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 3c d0 f5 ff 48\nRSP: 002b:00007fc449126c90 EFLAGS: 00000293 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 00000000004bc050 RCX: 00007fc44a68bc1f\nR\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:20:44.955Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7a67c4e47626e6daccda62888f8b096abb5d3940"
},
{
"url": "https://git.kernel.org/stable/c/9f965684c57c3117cfd2f754dd3270383c529fba"
},
{
"url": "https://git.kernel.org/stable/c/ddf516e50bf8a7bc9b3bd8a9831f9c7a8131a32a"
},
{
"url": "https://git.kernel.org/stable/c/a6db0d3ea6536e7120871e5448b3032570152ec6"
},
{
"url": "https://git.kernel.org/stable/c/c5fd77ca13d657c6e99bf04f0917445e6a80231e"
},
{
"url": "https://git.kernel.org/stable/c/20ceae10623c3b29fdf7609690849475bcdebdb0"
},
{
"url": "https://git.kernel.org/stable/c/5c0b485a8c6116516f33925b9ce5b6104a6eadfd"
}
],
"title": "udp: Set SOCK_RCU_FREE earlier in udp_lib_get_port().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-41041",
"datePublished": "2024-07-29T14:31:54.647Z",
"dateReserved": "2024-07-12T12:17:45.623Z",
"dateUpdated": "2025-05-04T09:20:44.955Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-44989 (GCVE-0-2024-44989)
Vulnerability from cvelistv5
Published
2024-09-04 19:54
Modified
2025-05-04 09:30
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bonding: fix xfrm real_dev null pointer dereference
We shouldn't set real_dev to NULL because packets can be in transit and
xfrm might call xdo_dev_offload_ok() in parallel. All callbacks assume
real_dev is set.
Example trace:
kernel: BUG: unable to handle page fault for address: 0000000000001030
kernel: bond0: (slave eni0np1): making interface the new active one
kernel: #PF: supervisor write access in kernel mode
kernel: #PF: error_code(0x0002) - not-present page
kernel: PGD 0 P4D 0
kernel: Oops: 0002 [#1] PREEMPT SMP
kernel: CPU: 4 PID: 2237 Comm: ping Not tainted 6.7.7+ #12
kernel: Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014
kernel: RIP: 0010:nsim_ipsec_offload_ok+0xc/0x20 [netdevsim]
kernel: bond0: (slave eni0np1): bond_ipsec_add_sa_all: failed to add SA
kernel: Code: e0 0f 0b 48 83 7f 38 00 74 de 0f 0b 48 8b 47 08 48 8b 37 48 8b 78 40 e9 b2 e5 9a d7 66 90 0f 1f 44 00 00 48 8b 86 80 02 00 00 <83> 80 30 10 00 00 01 b8 01 00 00 00 c3 0f 1f 80 00 00 00 00 0f 1f
kernel: bond0: (slave eni0np1): making interface the new active one
kernel: RSP: 0018:ffffabde81553b98 EFLAGS: 00010246
kernel: bond0: (slave eni0np1): bond_ipsec_add_sa_all: failed to add SA
kernel:
kernel: RAX: 0000000000000000 RBX: ffff9eb404e74900 RCX: ffff9eb403d97c60
kernel: RDX: ffffffffc090de10 RSI: ffff9eb404e74900 RDI: ffff9eb3c5de9e00
kernel: RBP: ffff9eb3c0a42000 R08: 0000000000000010 R09: 0000000000000014
kernel: R10: 7974203030303030 R11: 3030303030303030 R12: 0000000000000000
kernel: R13: ffff9eb3c5de9e00 R14: ffffabde81553cc8 R15: ffff9eb404c53000
kernel: FS: 00007f2a77a3ad00(0000) GS:ffff9eb43bd00000(0000) knlGS:0000000000000000
kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
kernel: CR2: 0000000000001030 CR3: 00000001122ab000 CR4: 0000000000350ef0
kernel: bond0: (slave eni0np1): making interface the new active one
kernel: Call Trace:
kernel: <TASK>
kernel: ? __die+0x1f/0x60
kernel: bond0: (slave eni0np1): bond_ipsec_add_sa_all: failed to add SA
kernel: ? page_fault_oops+0x142/0x4c0
kernel: ? do_user_addr_fault+0x65/0x670
kernel: ? kvm_read_and_reset_apf_flags+0x3b/0x50
kernel: bond0: (slave eni0np1): making interface the new active one
kernel: ? exc_page_fault+0x7b/0x180
kernel: ? asm_exc_page_fault+0x22/0x30
kernel: ? nsim_bpf_uninit+0x50/0x50 [netdevsim]
kernel: bond0: (slave eni0np1): bond_ipsec_add_sa_all: failed to add SA
kernel: ? nsim_ipsec_offload_ok+0xc/0x20 [netdevsim]
kernel: bond0: (slave eni0np1): making interface the new active one
kernel: bond_ipsec_offload_ok+0x7b/0x90 [bonding]
kernel: xfrm_output+0x61/0x3b0
kernel: bond0: (slave eni0np1): bond_ipsec_add_sa_all: failed to add SA
kernel: ip_push_pending_frames+0x56/0x80
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 18cb261afd7bf50134e5ccacc5ec91ea16efadd4 Version: 18cb261afd7bf50134e5ccacc5ec91ea16efadd4 Version: 18cb261afd7bf50134e5ccacc5ec91ea16efadd4 Version: 18cb261afd7bf50134e5ccacc5ec91ea16efadd4 Version: 18cb261afd7bf50134e5ccacc5ec91ea16efadd4 Version: 18cb261afd7bf50134e5ccacc5ec91ea16efadd4 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-44989",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-04T20:19:50.219529Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T20:20:52.769Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/bonding/bond_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "21816b696c172c19d53a30d45ee005cce246ed21",
"status": "affected",
"version": "18cb261afd7bf50134e5ccacc5ec91ea16efadd4",
"versionType": "git"
},
{
"lessThan": "2f72c6a66bcd7e0187ec085237fee5db27145294",
"status": "affected",
"version": "18cb261afd7bf50134e5ccacc5ec91ea16efadd4",
"versionType": "git"
},
{
"lessThan": "7fa9243391ad2afe798ef4ea2e2851947b95754f",
"status": "affected",
"version": "18cb261afd7bf50134e5ccacc5ec91ea16efadd4",
"versionType": "git"
},
{
"lessThan": "4582d4ff413a07d4ed8a4823c652dc5207760548",
"status": "affected",
"version": "18cb261afd7bf50134e5ccacc5ec91ea16efadd4",
"versionType": "git"
},
{
"lessThan": "89fc1dca79db5c3e7a2d589ecbf8a3661c65f436",
"status": "affected",
"version": "18cb261afd7bf50134e5ccacc5ec91ea16efadd4",
"versionType": "git"
},
{
"lessThan": "f8cde9805981c50d0c029063dc7d82821806fc44",
"status": "affected",
"version": "18cb261afd7bf50134e5ccacc5ec91ea16efadd4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/bonding/bond_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.225",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.166",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.10.*",
"status": "unaffected",
"version": "6.10.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.11",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.225",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.166",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.107",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.48",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10.7",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: fix xfrm real_dev null pointer dereference\n\nWe shouldn\u0027t set real_dev to NULL because packets can be in transit and\nxfrm might call xdo_dev_offload_ok() in parallel. All callbacks assume\nreal_dev is set.\n\n Example trace:\n kernel: BUG: unable to handle page fault for address: 0000000000001030\n kernel: bond0: (slave eni0np1): making interface the new active one\n kernel: #PF: supervisor write access in kernel mode\n kernel: #PF: error_code(0x0002) - not-present page\n kernel: PGD 0 P4D 0\n kernel: Oops: 0002 [#1] PREEMPT SMP\n kernel: CPU: 4 PID: 2237 Comm: ping Not tainted 6.7.7+ #12\n kernel: Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014\n kernel: RIP: 0010:nsim_ipsec_offload_ok+0xc/0x20 [netdevsim]\n kernel: bond0: (slave eni0np1): bond_ipsec_add_sa_all: failed to add SA\n kernel: Code: e0 0f 0b 48 83 7f 38 00 74 de 0f 0b 48 8b 47 08 48 8b 37 48 8b 78 40 e9 b2 e5 9a d7 66 90 0f 1f 44 00 00 48 8b 86 80 02 00 00 \u003c83\u003e 80 30 10 00 00 01 b8 01 00 00 00 c3 0f 1f 80 00 00 00 00 0f 1f\n kernel: bond0: (slave eni0np1): making interface the new active one\n kernel: RSP: 0018:ffffabde81553b98 EFLAGS: 00010246\n kernel: bond0: (slave eni0np1): bond_ipsec_add_sa_all: failed to add SA\n kernel:\n kernel: RAX: 0000000000000000 RBX: ffff9eb404e74900 RCX: ffff9eb403d97c60\n kernel: RDX: ffffffffc090de10 RSI: ffff9eb404e74900 RDI: ffff9eb3c5de9e00\n kernel: RBP: ffff9eb3c0a42000 R08: 0000000000000010 R09: 0000000000000014\n kernel: R10: 7974203030303030 R11: 3030303030303030 R12: 0000000000000000\n kernel: R13: ffff9eb3c5de9e00 R14: ffffabde81553cc8 R15: ffff9eb404c53000\n kernel: FS: 00007f2a77a3ad00(0000) GS:ffff9eb43bd00000(0000) knlGS:0000000000000000\n kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n kernel: CR2: 0000000000001030 CR3: 00000001122ab000 CR4: 0000000000350ef0\n kernel: bond0: (slave eni0np1): making interface the new active one\n kernel: Call Trace:\n kernel: \u003cTASK\u003e\n kernel: ? __die+0x1f/0x60\n kernel: bond0: (slave eni0np1): bond_ipsec_add_sa_all: failed to add SA\n kernel: ? page_fault_oops+0x142/0x4c0\n kernel: ? do_user_addr_fault+0x65/0x670\n kernel: ? kvm_read_and_reset_apf_flags+0x3b/0x50\n kernel: bond0: (slave eni0np1): making interface the new active one\n kernel: ? exc_page_fault+0x7b/0x180\n kernel: ? asm_exc_page_fault+0x22/0x30\n kernel: ? nsim_bpf_uninit+0x50/0x50 [netdevsim]\n kernel: bond0: (slave eni0np1): bond_ipsec_add_sa_all: failed to add SA\n kernel: ? nsim_ipsec_offload_ok+0xc/0x20 [netdevsim]\n kernel: bond0: (slave eni0np1): making interface the new active one\n kernel: bond_ipsec_offload_ok+0x7b/0x90 [bonding]\n kernel: xfrm_output+0x61/0x3b0\n kernel: bond0: (slave eni0np1): bond_ipsec_add_sa_all: failed to add SA\n kernel: ip_push_pending_frames+0x56/0x80"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:30:32.250Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/21816b696c172c19d53a30d45ee005cce246ed21"
},
{
"url": "https://git.kernel.org/stable/c/2f72c6a66bcd7e0187ec085237fee5db27145294"
},
{
"url": "https://git.kernel.org/stable/c/7fa9243391ad2afe798ef4ea2e2851947b95754f"
},
{
"url": "https://git.kernel.org/stable/c/4582d4ff413a07d4ed8a4823c652dc5207760548"
},
{
"url": "https://git.kernel.org/stable/c/89fc1dca79db5c3e7a2d589ecbf8a3661c65f436"
},
{
"url": "https://git.kernel.org/stable/c/f8cde9805981c50d0c029063dc7d82821806fc44"
}
],
"title": "bonding: fix xfrm real_dev null pointer dereference",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-44989",
"datePublished": "2024-09-04T19:54:36.858Z",
"dateReserved": "2024-08-21T05:34:56.671Z",
"dateUpdated": "2025-05-04T09:30:32.250Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-38541 (GCVE-0-2024-38541)
Vulnerability from cvelistv5
Published
2024-06-19 13:35
Modified
2025-06-04 13:56
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
of: module: add buffer overflow check in of_modalias()
In of_modalias(), if the buffer happens to be too small even for the 1st
snprintf() call, the len parameter will become negative and str parameter
(if not NULL initially) will point beyond the buffer's end. Add the buffer
overflow check after the 1st snprintf() call and fix such check after the
strlen() call (accounting for the terminating NUL char).
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: bc575064d688c8933a6ca51429bea9bc63628d3b Version: bc575064d688c8933a6ca51429bea9bc63628d3b Version: bc575064d688c8933a6ca51429bea9bc63628d3b Version: bc575064d688c8933a6ca51429bea9bc63628d3b Version: bc575064d688c8933a6ca51429bea9bc63628d3b Version: bc575064d688c8933a6ca51429bea9bc63628d3b Version: bc575064d688c8933a6ca51429bea9bc63628d3b Version: bc575064d688c8933a6ca51429bea9bc63628d3b |
||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "0b0d5701a8bf",
"status": "affected",
"version": "bc575064d688",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "ee332023adfd",
"status": "affected",
"version": "bc575064d688",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "e45b69360a63",
"status": "affected",
"version": "bc575064d688",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "cf7385cb26ac",
"status": "affected",
"version": "bc575064d688",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"status": "affected",
"version": "4.14"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThanOrEqual": "6.7",
"status": "unaffected",
"version": "6.6.33",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThanOrEqual": "6.9",
"status": "unaffected",
"version": "6.8.12",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThanOrEqual": "6.10",
"status": "unaffected",
"version": "6.9.3",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"status": "unaffected",
"version": "6.10-rc1"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-38541",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-07T19:51:57.578646Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-120",
"description": "CWE-120 Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-04T13:56:15.426Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:12:25.977Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/0b0d5701a8bf02f8fee037e81aacf6746558bfd6"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/ee332023adfd5882808f2dabf037b32d6ce36f9e"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/e45b69360a63165377b30db4a1dfddd89ca18e9a"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/cf7385cb26ac4f0ee6c7385960525ad534323252"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/of/module.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "46795440ef2b4ac919d09310a69a404c5bc90a88",
"status": "affected",
"version": "bc575064d688c8933a6ca51429bea9bc63628d3b",
"versionType": "git"
},
{
"lessThan": "733e62786bdf1b2b9dbb09ba2246313306503414",
"status": "affected",
"version": "bc575064d688c8933a6ca51429bea9bc63628d3b",
"versionType": "git"
},
{
"lessThan": "c7f24b7d94549ff4623e8f41ea4d9f5319bd8ac8",
"status": "affected",
"version": "bc575064d688c8933a6ca51429bea9bc63628d3b",
"versionType": "git"
},
{
"lessThan": "5d59fd637a8af42b211a92b2edb2474325b4d488",
"status": "affected",
"version": "bc575064d688c8933a6ca51429bea9bc63628d3b",
"versionType": "git"
},
{
"lessThan": "0b0d5701a8bf02f8fee037e81aacf6746558bfd6",
"status": "affected",
"version": "bc575064d688c8933a6ca51429bea9bc63628d3b",
"versionType": "git"
},
{
"lessThan": "ee332023adfd5882808f2dabf037b32d6ce36f9e",
"status": "affected",
"version": "bc575064d688c8933a6ca51429bea9bc63628d3b",
"versionType": "git"
},
{
"lessThan": "e45b69360a63165377b30db4a1dfddd89ca18e9a",
"status": "affected",
"version": "bc575064d688c8933a6ca51429bea9bc63628d3b",
"versionType": "git"
},
{
"lessThan": "cf7385cb26ac4f0ee6c7385960525ad534323252",
"status": "affected",
"version": "bc575064d688c8933a6ca51429bea9bc63628d3b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/of/module.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.294",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.182",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.9.*",
"status": "unaffected",
"version": "6.9.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.10",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.294",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.238",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.182",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.136",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.33",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.12",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9.3",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nof: module: add buffer overflow check in of_modalias()\n\nIn of_modalias(), if the buffer happens to be too small even for the 1st\nsnprintf() call, the len parameter will become negative and str parameter\n(if not NULL initially) will point beyond the buffer\u0027s end. Add the buffer\noverflow check after the 1st snprintf() call and fix such check after the\nstrlen() call (accounting for the terminating NUL char)."
}
],
"providerMetadata": {
"dateUpdated": "2025-06-04T12:57:16.081Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/46795440ef2b4ac919d09310a69a404c5bc90a88"
},
{
"url": "https://git.kernel.org/stable/c/733e62786bdf1b2b9dbb09ba2246313306503414"
},
{
"url": "https://git.kernel.org/stable/c/c7f24b7d94549ff4623e8f41ea4d9f5319bd8ac8"
},
{
"url": "https://git.kernel.org/stable/c/5d59fd637a8af42b211a92b2edb2474325b4d488"
},
{
"url": "https://git.kernel.org/stable/c/0b0d5701a8bf02f8fee037e81aacf6746558bfd6"
},
{
"url": "https://git.kernel.org/stable/c/ee332023adfd5882808f2dabf037b32d6ce36f9e"
},
{
"url": "https://git.kernel.org/stable/c/e45b69360a63165377b30db4a1dfddd89ca18e9a"
},
{
"url": "https://git.kernel.org/stable/c/cf7385cb26ac4f0ee6c7385960525ad534323252"
}
],
"title": "of: module: add buffer overflow check in of_modalias()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-38541",
"datePublished": "2024-06-19T13:35:16.637Z",
"dateReserved": "2024-06-18T19:36:34.919Z",
"dateUpdated": "2025-06-04T13:56:15.426Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41009 (GCVE-0-2024-41009)
Vulnerability from cvelistv5
Published
2024-07-17 06:10
Modified
2025-05-04 09:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix overrunning reservations in ringbuf
The BPF ring buffer internally is implemented as a power-of-2 sized circular
buffer, with two logical and ever-increasing counters: consumer_pos is the
consumer counter to show which logical position the consumer consumed the
data, and producer_pos which is the producer counter denoting the amount of
data reserved by all producers.
Each time a record is reserved, the producer that "owns" the record will
successfully advance producer counter. In user space each time a record is
read, the consumer of the data advanced the consumer counter once it finished
processing. Both counters are stored in separate pages so that from user
space, the producer counter is read-only and the consumer counter is read-write.
One aspect that simplifies and thus speeds up the implementation of both
producers and consumers is how the data area is mapped twice contiguously
back-to-back in the virtual memory, allowing to not take any special measures
for samples that have to wrap around at the end of the circular buffer data
area, because the next page after the last data page would be first data page
again, and thus the sample will still appear completely contiguous in virtual
memory.
Each record has a struct bpf_ringbuf_hdr { u32 len; u32 pg_off; } header for
book-keeping the length and offset, and is inaccessible to the BPF program.
Helpers like bpf_ringbuf_reserve() return `(void *)hdr + BPF_RINGBUF_HDR_SZ`
for the BPF program to use. Bing-Jhong and Muhammad reported that it is however
possible to make a second allocated memory chunk overlapping with the first
chunk and as a result, the BPF program is now able to edit first chunk's
header.
For example, consider the creation of a BPF_MAP_TYPE_RINGBUF map with size
of 0x4000. Next, the consumer_pos is modified to 0x3000 /before/ a call to
bpf_ringbuf_reserve() is made. This will allocate a chunk A, which is in
[0x0,0x3008], and the BPF program is able to edit [0x8,0x3008]. Now, lets
allocate a chunk B with size 0x3000. This will succeed because consumer_pos
was edited ahead of time to pass the `new_prod_pos - cons_pos > rb->mask`
check. Chunk B will be in range [0x3008,0x6010], and the BPF program is able
to edit [0x3010,0x6010]. Due to the ring buffer memory layout mentioned
earlier, the ranges [0x0,0x4000] and [0x4000,0x8000] point to the same data
pages. This means that chunk B at [0x4000,0x4008] is chunk A's header.
bpf_ringbuf_submit() / bpf_ringbuf_discard() use the header's pg_off to then
locate the bpf_ringbuf itself via bpf_ringbuf_restore_from_rec(). Once chunk
B modified chunk A's header, then bpf_ringbuf_commit() refers to the wrong
page and could cause a crash.
Fix it by calculating the oldest pending_pos and check whether the range
from the oldest outstanding record to the newest would span beyond the ring
buffer size. If that is the case, then reject the request. We've tested with
the ring buffer benchmark in BPF selftests (./benchs/run_bench_ringbufs.sh)
before/after the fix and while it seems a bit slower on some benchmarks, it
is still not significantly enough to matter.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 457f44363a8894135c85b7a9afd2bd8196db24ab Version: 457f44363a8894135c85b7a9afd2bd8196db24ab Version: 457f44363a8894135c85b7a9afd2bd8196db24ab Version: 457f44363a8894135c85b7a9afd2bd8196db24ab Version: 457f44363a8894135c85b7a9afd2bd8196db24ab Version: 457f44363a8894135c85b7a9afd2bd8196db24ab |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:39:56.138Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/be35504b959f2749bab280f4671e8df96dcf836f"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/0f98f40eb1ed52af8b81f61901b6c0289ff59de4"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/d1b9df0435bc61e0b44f578846516df8ef476686"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/511804ab701c0503b72eac08217eabfd366ba069"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/47416c852f2a04d348ea66ee451cbdcf8119f225"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/cfa1a2329a691ffd991fcf7248a57d752e712881"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41009",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T16:25:12.740807Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:34:06.763Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/ringbuf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "be35504b959f2749bab280f4671e8df96dcf836f",
"status": "affected",
"version": "457f44363a8894135c85b7a9afd2bd8196db24ab",
"versionType": "git"
},
{
"lessThan": "0f98f40eb1ed52af8b81f61901b6c0289ff59de4",
"status": "affected",
"version": "457f44363a8894135c85b7a9afd2bd8196db24ab",
"versionType": "git"
},
{
"lessThan": "d1b9df0435bc61e0b44f578846516df8ef476686",
"status": "affected",
"version": "457f44363a8894135c85b7a9afd2bd8196db24ab",
"versionType": "git"
},
{
"lessThan": "511804ab701c0503b72eac08217eabfd366ba069",
"status": "affected",
"version": "457f44363a8894135c85b7a9afd2bd8196db24ab",
"versionType": "git"
},
{
"lessThan": "47416c852f2a04d348ea66ee451cbdcf8119f225",
"status": "affected",
"version": "457f44363a8894135c85b7a9afd2bd8196db24ab",
"versionType": "git"
},
{
"lessThan": "cfa1a2329a691ffd991fcf7248a57d752e712881",
"status": "affected",
"version": "457f44363a8894135c85b7a9afd2bd8196db24ab",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/ringbuf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.223",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.164",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.97",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.37",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.9.*",
"status": "unaffected",
"version": "6.9.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.10",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.223",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.164",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.97",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.37",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9.8",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix overrunning reservations in ringbuf\n\nThe BPF ring buffer internally is implemented as a power-of-2 sized circular\nbuffer, with two logical and ever-increasing counters: consumer_pos is the\nconsumer counter to show which logical position the consumer consumed the\ndata, and producer_pos which is the producer counter denoting the amount of\ndata reserved by all producers.\n\nEach time a record is reserved, the producer that \"owns\" the record will\nsuccessfully advance producer counter. In user space each time a record is\nread, the consumer of the data advanced the consumer counter once it finished\nprocessing. Both counters are stored in separate pages so that from user\nspace, the producer counter is read-only and the consumer counter is read-write.\n\nOne aspect that simplifies and thus speeds up the implementation of both\nproducers and consumers is how the data area is mapped twice contiguously\nback-to-back in the virtual memory, allowing to not take any special measures\nfor samples that have to wrap around at the end of the circular buffer data\narea, because the next page after the last data page would be first data page\nagain, and thus the sample will still appear completely contiguous in virtual\nmemory.\n\nEach record has a struct bpf_ringbuf_hdr { u32 len; u32 pg_off; } header for\nbook-keeping the length and offset, and is inaccessible to the BPF program.\nHelpers like bpf_ringbuf_reserve() return `(void *)hdr + BPF_RINGBUF_HDR_SZ`\nfor the BPF program to use. Bing-Jhong and Muhammad reported that it is however\npossible to make a second allocated memory chunk overlapping with the first\nchunk and as a result, the BPF program is now able to edit first chunk\u0027s\nheader.\n\nFor example, consider the creation of a BPF_MAP_TYPE_RINGBUF map with size\nof 0x4000. Next, the consumer_pos is modified to 0x3000 /before/ a call to\nbpf_ringbuf_reserve() is made. This will allocate a chunk A, which is in\n[0x0,0x3008], and the BPF program is able to edit [0x8,0x3008]. Now, lets\nallocate a chunk B with size 0x3000. This will succeed because consumer_pos\nwas edited ahead of time to pass the `new_prod_pos - cons_pos \u003e rb-\u003emask`\ncheck. Chunk B will be in range [0x3008,0x6010], and the BPF program is able\nto edit [0x3010,0x6010]. Due to the ring buffer memory layout mentioned\nearlier, the ranges [0x0,0x4000] and [0x4000,0x8000] point to the same data\npages. This means that chunk B at [0x4000,0x4008] is chunk A\u0027s header.\nbpf_ringbuf_submit() / bpf_ringbuf_discard() use the header\u0027s pg_off to then\nlocate the bpf_ringbuf itself via bpf_ringbuf_restore_from_rec(). Once chunk\nB modified chunk A\u0027s header, then bpf_ringbuf_commit() refers to the wrong\npage and could cause a crash.\n\nFix it by calculating the oldest pending_pos and check whether the range\nfrom the oldest outstanding record to the newest would span beyond the ring\nbuffer size. If that is the case, then reject the request. We\u0027ve tested with\nthe ring buffer benchmark in BPF selftests (./benchs/run_bench_ringbufs.sh)\nbefore/after the fix and while it seems a bit slower on some benchmarks, it\nis still not significantly enough to matter."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:19:59.853Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/be35504b959f2749bab280f4671e8df96dcf836f"
},
{
"url": "https://git.kernel.org/stable/c/0f98f40eb1ed52af8b81f61901b6c0289ff59de4"
},
{
"url": "https://git.kernel.org/stable/c/d1b9df0435bc61e0b44f578846516df8ef476686"
},
{
"url": "https://git.kernel.org/stable/c/511804ab701c0503b72eac08217eabfd366ba069"
},
{
"url": "https://git.kernel.org/stable/c/47416c852f2a04d348ea66ee451cbdcf8119f225"
},
{
"url": "https://git.kernel.org/stable/c/cfa1a2329a691ffd991fcf7248a57d752e712881"
}
],
"title": "bpf: Fix overrunning reservations in ringbuf",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-41009",
"datePublished": "2024-07-17T06:10:11.351Z",
"dateReserved": "2024-07-12T12:17:45.610Z",
"dateUpdated": "2025-05-04T09:19:59.853Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-42240 (GCVE-0-2024-42240)
Vulnerability from cvelistv5
Published
2024-08-07 15:14
Modified
2025-05-04 12:57
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
x86/bhi: Avoid warning in #DB handler due to BHI mitigation
When BHI mitigation is enabled, if SYSENTER is invoked with the TF flag set
then entry_SYSENTER_compat() uses CLEAR_BRANCH_HISTORY and calls the
clear_bhb_loop() before the TF flag is cleared. This causes the #DB handler
(exc_debug_kernel()) to issue a warning because single-step is used outside the
entry_SYSENTER_compat() function.
To address this issue, entry_SYSENTER_compat() should use CLEAR_BRANCH_HISTORY
after making sure the TF flag is cleared.
The problem can be reproduced with the following sequence:
$ cat sysenter_step.c
int main()
{ asm("pushf; pop %ax; bts $8,%ax; push %ax; popf; sysenter"); }
$ gcc -o sysenter_step sysenter_step.c
$ ./sysenter_step
Segmentation fault (core dumped)
The program is expected to crash, and the #DB handler will issue a warning.
Kernel log:
WARNING: CPU: 27 PID: 7000 at arch/x86/kernel/traps.c:1009 exc_debug_kernel+0xd2/0x160
...
RIP: 0010:exc_debug_kernel+0xd2/0x160
...
Call Trace:
<#DB>
? show_regs+0x68/0x80
? __warn+0x8c/0x140
? exc_debug_kernel+0xd2/0x160
? report_bug+0x175/0x1a0
? handle_bug+0x44/0x90
? exc_invalid_op+0x1c/0x70
? asm_exc_invalid_op+0x1f/0x30
? exc_debug_kernel+0xd2/0x160
exc_debug+0x43/0x50
asm_exc_debug+0x1e/0x40
RIP: 0010:clear_bhb_loop+0x0/0xb0
...
</#DB>
<TASK>
? entry_SYSENTER_compat_after_hwframe+0x6e/0x8d
</TASK>
[ bp: Massage commit message. ]
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: bd53ec80f21839cfd4d852a6088279d602d67e5b Version: 07dbb10f153f483e8249acebdffedf922e2ec2e1 Version: eb36b0dce2138581bc6b5e39d0273cb4c96ded81 Version: 7390db8aea0d64e9deb28b8e1ce716f5020c7ee5 Version: 7390db8aea0d64e9deb28b8e1ce716f5020c7ee5 Version: 8f51637712e4da5be410a1666f8aee0d86eef898 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42240",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T16:13:51.001454Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:34:31.693Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/entry/entry_64_compat.S"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "db56615e96c439e13783d7715330e824b4fd4b84",
"status": "affected",
"version": "bd53ec80f21839cfd4d852a6088279d602d67e5b",
"versionType": "git"
},
{
"lessThan": "a765679defe1dc1b8fa01928a6ad6361e72a1364",
"status": "affected",
"version": "07dbb10f153f483e8249acebdffedf922e2ec2e1",
"versionType": "git"
},
{
"lessThan": "dae3543db8f0cf8ac1a198c3bb4b6e3c24d576cf",
"status": "affected",
"version": "eb36b0dce2138581bc6b5e39d0273cb4c96ded81",
"versionType": "git"
},
{
"lessThan": "08518d48e5b744620524f0acd7c26c19bda7f513",
"status": "affected",
"version": "7390db8aea0d64e9deb28b8e1ce716f5020c7ee5",
"versionType": "git"
},
{
"lessThan": "ac8b270b61d48fcc61f052097777e3b5e11591e0",
"status": "affected",
"version": "7390db8aea0d64e9deb28b8e1ce716f5020c7ee5",
"versionType": "git"
},
{
"status": "affected",
"version": "8f51637712e4da5be410a1666f8aee0d86eef898",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/entry/entry_64_compat.S"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.100",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.41",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.9.*",
"status": "unaffected",
"version": "6.9.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.10",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.163",
"versionStartIncluding": "5.15.154",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.100",
"versionStartIncluding": "6.1.85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.41",
"versionStartIncluding": "6.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9.10",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.8.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/bhi: Avoid warning in #DB handler due to BHI mitigation\n\nWhen BHI mitigation is enabled, if SYSENTER is invoked with the TF flag set\nthen entry_SYSENTER_compat() uses CLEAR_BRANCH_HISTORY and calls the\nclear_bhb_loop() before the TF flag is cleared. This causes the #DB handler\n(exc_debug_kernel()) to issue a warning because single-step is used outside the\nentry_SYSENTER_compat() function.\n\nTo address this issue, entry_SYSENTER_compat() should use CLEAR_BRANCH_HISTORY\nafter making sure the TF flag is cleared.\n\nThe problem can be reproduced with the following sequence:\n\n $ cat sysenter_step.c\n int main()\n { asm(\"pushf; pop %ax; bts $8,%ax; push %ax; popf; sysenter\"); }\n\n $ gcc -o sysenter_step sysenter_step.c\n\n $ ./sysenter_step\n Segmentation fault (core dumped)\n\nThe program is expected to crash, and the #DB handler will issue a warning.\n\nKernel log:\n\n WARNING: CPU: 27 PID: 7000 at arch/x86/kernel/traps.c:1009 exc_debug_kernel+0xd2/0x160\n ...\n RIP: 0010:exc_debug_kernel+0xd2/0x160\n ...\n Call Trace:\n \u003c#DB\u003e\n ? show_regs+0x68/0x80\n ? __warn+0x8c/0x140\n ? exc_debug_kernel+0xd2/0x160\n ? report_bug+0x175/0x1a0\n ? handle_bug+0x44/0x90\n ? exc_invalid_op+0x1c/0x70\n ? asm_exc_invalid_op+0x1f/0x30\n ? exc_debug_kernel+0xd2/0x160\n exc_debug+0x43/0x50\n asm_exc_debug+0x1e/0x40\n RIP: 0010:clear_bhb_loop+0x0/0xb0\n ...\n \u003c/#DB\u003e\n \u003cTASK\u003e\n ? entry_SYSENTER_compat_after_hwframe+0x6e/0x8d\n \u003c/TASK\u003e\n\n [ bp: Massage commit message. ]"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:57:48.564Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/db56615e96c439e13783d7715330e824b4fd4b84"
},
{
"url": "https://git.kernel.org/stable/c/a765679defe1dc1b8fa01928a6ad6361e72a1364"
},
{
"url": "https://git.kernel.org/stable/c/dae3543db8f0cf8ac1a198c3bb4b6e3c24d576cf"
},
{
"url": "https://git.kernel.org/stable/c/08518d48e5b744620524f0acd7c26c19bda7f513"
},
{
"url": "https://git.kernel.org/stable/c/ac8b270b61d48fcc61f052097777e3b5e11591e0"
}
],
"title": "x86/bhi: Avoid warning in #DB handler due to BHI mitigation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-42240",
"datePublished": "2024-08-07T15:14:27.977Z",
"dateReserved": "2024-07-30T07:40:12.253Z",
"dateUpdated": "2025-05-04T12:57:48.564Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41093 (GCVE-0-2024-41093)
Vulnerability from cvelistv5
Published
2024-07-29 15:48
Modified
2025-09-16 08:02
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: avoid using null object of framebuffer
Instead of using state->fb->obj[0] directly, get object from framebuffer
by calling drm_gem_fb_get_obj() and return error code when object is
null to avoid using null object of framebuffer.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:46:52.289Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/7f35e01cb0ea4d295f5c067bb5c67dfcddaf05bc"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/6ce0544cabaa608018d5922ab404dc656a9d8447"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/330c8c1453848c04d335bad81371a66710210800"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/dd9ec0ea4cdde0fc48116e63969fc83e81d7ef46"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/bcfa48ff785bd121316592b131ff6531e3e696bb"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41093",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T16:20:32.237829Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:32:55.898Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_vkms.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7f35e01cb0ea4d295f5c067bb5c67dfcddaf05bc",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "6ce0544cabaa608018d5922ab404dc656a9d8447",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "330c8c1453848c04d335bad81371a66710210800",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "dd9ec0ea4cdde0fc48116e63969fc83e81d7ef46",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "bcfa48ff785bd121316592b131ff6531e3e696bb",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_vkms.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.97",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.37",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.9.*",
"status": "unaffected",
"version": "6.9.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.10",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.162",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.97",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.37",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9.8",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: avoid using null object of framebuffer\n\nInstead of using state-\u003efb-\u003eobj[0] directly, get object from framebuffer\nby calling drm_gem_fb_get_obj() and return error code when object is\nnull to avoid using null object of framebuffer."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T08:02:40.601Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7f35e01cb0ea4d295f5c067bb5c67dfcddaf05bc"
},
{
"url": "https://git.kernel.org/stable/c/6ce0544cabaa608018d5922ab404dc656a9d8447"
},
{
"url": "https://git.kernel.org/stable/c/330c8c1453848c04d335bad81371a66710210800"
},
{
"url": "https://git.kernel.org/stable/c/dd9ec0ea4cdde0fc48116e63969fc83e81d7ef46"
},
{
"url": "https://git.kernel.org/stable/c/bcfa48ff785bd121316592b131ff6531e3e696bb"
}
],
"title": "drm/amdgpu: avoid using null object of framebuffer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-41093",
"datePublished": "2024-07-29T15:48:06.686Z",
"dateReserved": "2024-07-12T12:17:45.636Z",
"dateUpdated": "2025-09-16T08:02:40.601Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-38384 (GCVE-0-2024-38384)
Vulnerability from cvelistv5
Published
2024-06-24 13:50
Modified
2025-05-04 09:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
blk-cgroup: fix list corruption from reorder of WRITE ->lqueued
__blkcg_rstat_flush() can be run anytime, especially when blk_cgroup_bio_start
is being executed.
If WRITE of `->lqueued` is re-ordered with READ of 'bisc->lnode.next' in
the loop of __blkcg_rstat_flush(), `next_bisc` can be assigned with one
stat instance being added in blk_cgroup_bio_start(), then the local
list in __blkcg_rstat_flush() could be corrupted.
Fix the issue by adding one barrier.
References
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "714e59b5456e",
"status": "affected",
"version": "3b8cc6298724",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "785298ab6b80",
"status": "affected",
"version": "3b8cc6298724",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "d0aac2363549",
"status": "affected",
"version": "3b8cc6298724",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"status": "affected",
"version": "6.2"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThanOrEqual": "6.7",
"status": "unaffected",
"version": "6.6.33",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"lessThanOrEqual": "6.10",
"status": "unaffected",
"version": "6.9.4",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "linux_kernel",
"vendor": "linux",
"versions": [
{
"status": "unaffected",
"version": "6.10-rc1"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-38384",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-25T13:27:38.979262Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-25T13:37:27.542Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:04:25.142Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/714e59b5456e4d6e4295a9968c564abe193f461c"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/785298ab6b802afa75089239266b6bbea590809c"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/d0aac2363549e12cc79b8e285f13d5a9f42fd08e"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/blk-cgroup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "714e59b5456e4d6e4295a9968c564abe193f461c",
"status": "affected",
"version": "3b8cc6298724021da845f2f9fd7dd4b6829a6817",
"versionType": "git"
},
{
"lessThan": "785298ab6b802afa75089239266b6bbea590809c",
"status": "affected",
"version": "3b8cc6298724021da845f2f9fd7dd4b6829a6817",
"versionType": "git"
},
{
"lessThan": "d0aac2363549e12cc79b8e285f13d5a9f42fd08e",
"status": "affected",
"version": "3b8cc6298724021da845f2f9fd7dd4b6829a6817",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/blk-cgroup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.9.*",
"status": "unaffected",
"version": "6.9.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.10",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.33",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9.4",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-cgroup: fix list corruption from reorder of WRITE -\u003elqueued\n\n__blkcg_rstat_flush() can be run anytime, especially when blk_cgroup_bio_start\nis being executed.\n\nIf WRITE of `-\u003elqueued` is re-ordered with READ of \u0027bisc-\u003elnode.next\u0027 in\nthe loop of __blkcg_rstat_flush(), `next_bisc` can be assigned with one\nstat instance being added in blk_cgroup_bio_start(), then the local\nlist in __blkcg_rstat_flush() could be corrupted.\n\nFix the issue by adding one barrier."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:13:26.836Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/714e59b5456e4d6e4295a9968c564abe193f461c"
},
{
"url": "https://git.kernel.org/stable/c/785298ab6b802afa75089239266b6bbea590809c"
},
{
"url": "https://git.kernel.org/stable/c/d0aac2363549e12cc79b8e285f13d5a9f42fd08e"
}
],
"title": "blk-cgroup: fix list corruption from reorder of WRITE -\u003elqueued",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-38384",
"datePublished": "2024-06-24T13:50:51.033Z",
"dateReserved": "2024-06-21T11:16:40.612Z",
"dateUpdated": "2025-05-04T09:13:26.836Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-48804 (GCVE-0-2022-48804)
Vulnerability from cvelistv5
Published
2024-07-16 11:43
Modified
2025-05-04 08:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
vt_ioctl: fix array_index_nospec in vt_setactivate
array_index_nospec ensures that an out-of-bounds value is set to zero
on the transient path. Decreasing the value by one afterwards causes
a transient integer underflow. vsa.console should be decreased first
and then sanitized with array_index_nospec.
Kasper Acknowledgements: Jakob Koschel, Brian Johannesmeyer, Kaveh
Razavi, Herbert Bos, Cristiano Giuffrida from the VUSec group at VU
Amsterdam.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T15:25:01.606Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/830c5aa302ec16b4ee641aec769462c37f802c90"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/2a45a6bd1e6d651770aafff57ab3e1d3bb0b42e0"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/170325aba4608bde3e7d21c9c19b7bc266ac0885"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/ae3d57411562260ee3f4fd5e875f410002341104"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/778302ca09498b448620edd372dc908bebf80bdf"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/ffe54289b02e9c732d6f04c8ebbe3b2d90d32118"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/6550bdf52846f85a2a3726a5aa0c7c4399f2fc02"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/61cc70d9e8ef5b042d4ed87994d20100ec8896d9"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-48804",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T16:58:54.114050Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:34:14.042Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/tty/vt/vt_ioctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "830c5aa302ec16b4ee641aec769462c37f802c90",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2a45a6bd1e6d651770aafff57ab3e1d3bb0b42e0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "170325aba4608bde3e7d21c9c19b7bc266ac0885",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ae3d57411562260ee3f4fd5e875f410002341104",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "778302ca09498b448620edd372dc908bebf80bdf",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ffe54289b02e9c732d6f04c8ebbe3b2d90d32118",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6550bdf52846f85a2a3726a5aa0c7c4399f2fc02",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "61cc70d9e8ef5b042d4ed87994d20100ec8896d9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/tty/vt/vt_ioctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.267",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.230",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.101",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.302",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.267",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.230",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.180",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.101",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvt_ioctl: fix array_index_nospec in vt_setactivate\n\narray_index_nospec ensures that an out-of-bounds value is set to zero\non the transient path. Decreasing the value by one afterwards causes\na transient integer underflow. vsa.console should be decreased first\nand then sanitized with array_index_nospec.\n\nKasper Acknowledgements: Jakob Koschel, Brian Johannesmeyer, Kaveh\nRazavi, Herbert Bos, Cristiano Giuffrida from the VUSec group at VU\nAmsterdam."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:23:27.517Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/830c5aa302ec16b4ee641aec769462c37f802c90"
},
{
"url": "https://git.kernel.org/stable/c/2a45a6bd1e6d651770aafff57ab3e1d3bb0b42e0"
},
{
"url": "https://git.kernel.org/stable/c/170325aba4608bde3e7d21c9c19b7bc266ac0885"
},
{
"url": "https://git.kernel.org/stable/c/ae3d57411562260ee3f4fd5e875f410002341104"
},
{
"url": "https://git.kernel.org/stable/c/778302ca09498b448620edd372dc908bebf80bdf"
},
{
"url": "https://git.kernel.org/stable/c/ffe54289b02e9c732d6f04c8ebbe3b2d90d32118"
},
{
"url": "https://git.kernel.org/stable/c/6550bdf52846f85a2a3726a5aa0c7c4399f2fc02"
},
{
"url": "https://git.kernel.org/stable/c/61cc70d9e8ef5b042d4ed87994d20100ec8896d9"
}
],
"title": "vt_ioctl: fix array_index_nospec in vt_setactivate",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-48804",
"datePublished": "2024-07-16T11:43:56.278Z",
"dateReserved": "2024-07-16T11:38:08.896Z",
"dateUpdated": "2025-05-04T08:23:27.517Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-42244 (GCVE-0-2024-42244)
Vulnerability from cvelistv5
Published
2024-08-07 15:14
Modified
2025-05-04 09:24
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
USB: serial: mos7840: fix crash on resume
Since commit c49cfa917025 ("USB: serial: use generic method if no
alternative is provided in usb serial layer"), USB serial core calls the
generic resume implementation when the driver has not provided one.
This can trigger a crash on resume with mos7840 since support for
multiple read URBs was added back in 2011. Specifically, both port read
URBs are now submitted on resume for open ports, but the context pointer
of the second URB is left set to the core rather than mos7840 port
structure.
Fix this by implementing dedicated suspend and resume functions for
mos7840.
Tested with Delock 87414 USB 2.0 to 4x serial adapter.
[ johan: analyse crash and rewrite commit message; set busy flag on
resume; drop bulk-in check; drop unnecessary usb_kill_urb() ]
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: d83b405383c965498923f3561c3321e2b5df5727 Version: d83b405383c965498923f3561c3321e2b5df5727 Version: d83b405383c965498923f3561c3321e2b5df5727 Version: d83b405383c965498923f3561c3321e2b5df5727 Version: d83b405383c965498923f3561c3321e2b5df5727 Version: d83b405383c965498923f3561c3321e2b5df5727 |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42244",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T16:13:38.256870Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:34:31.353Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/serial/mos7840.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "932a86a711c722b45ed47ba2103adca34d225b33",
"status": "affected",
"version": "d83b405383c965498923f3561c3321e2b5df5727",
"versionType": "git"
},
{
"lessThan": "b14aa5673e0a8077ff4b74f0bb260735e7d5e6a4",
"status": "affected",
"version": "d83b405383c965498923f3561c3321e2b5df5727",
"versionType": "git"
},
{
"lessThan": "1094ed500987e67a9d18b0f95e1812f1cc720856",
"status": "affected",
"version": "d83b405383c965498923f3561c3321e2b5df5727",
"versionType": "git"
},
{
"lessThan": "5ae6a64f18211851c8df6b4221381c438b9a7348",
"status": "affected",
"version": "d83b405383c965498923f3561c3321e2b5df5727",
"versionType": "git"
},
{
"lessThan": "553e67dec846323b5575e78a776cf594c13f98c4",
"status": "affected",
"version": "d83b405383c965498923f3561c3321e2b5df5727",
"versionType": "git"
},
{
"lessThan": "c15a688e49987385baa8804bf65d570e362f8576",
"status": "affected",
"version": "d83b405383c965498923f3561c3321e2b5df5727",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/serial/mos7840.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.3"
},
{
"lessThan": "3.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.222",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.100",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.41",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.9.*",
"status": "unaffected",
"version": "6.9.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.10",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.222",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.163",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.100",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.41",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9.10",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10",
"versionStartIncluding": "3.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: serial: mos7840: fix crash on resume\n\nSince commit c49cfa917025 (\"USB: serial: use generic method if no\nalternative is provided in usb serial layer\"), USB serial core calls the\ngeneric resume implementation when the driver has not provided one.\n\nThis can trigger a crash on resume with mos7840 since support for\nmultiple read URBs was added back in 2011. Specifically, both port read\nURBs are now submitted on resume for open ports, but the context pointer\nof the second URB is left set to the core rather than mos7840 port\nstructure.\n\nFix this by implementing dedicated suspend and resume functions for\nmos7840.\n\nTested with Delock 87414 USB 2.0 to 4x serial adapter.\n\n[ johan: analyse crash and rewrite commit message; set busy flag on\n resume; drop bulk-in check; drop unnecessary usb_kill_urb() ]"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:24:57.378Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/932a86a711c722b45ed47ba2103adca34d225b33"
},
{
"url": "https://git.kernel.org/stable/c/b14aa5673e0a8077ff4b74f0bb260735e7d5e6a4"
},
{
"url": "https://git.kernel.org/stable/c/1094ed500987e67a9d18b0f95e1812f1cc720856"
},
{
"url": "https://git.kernel.org/stable/c/5ae6a64f18211851c8df6b4221381c438b9a7348"
},
{
"url": "https://git.kernel.org/stable/c/553e67dec846323b5575e78a776cf594c13f98c4"
},
{
"url": "https://git.kernel.org/stable/c/c15a688e49987385baa8804bf65d570e362f8576"
}
],
"title": "USB: serial: mos7840: fix crash on resume",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-42244",
"datePublished": "2024-08-07T15:14:30.359Z",
"dateReserved": "2024-07-30T07:40:12.254Z",
"dateUpdated": "2025-05-04T09:24:57.378Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41014 (GCVE-0-2024-41014)
Vulnerability from cvelistv5
Published
2024-07-29 06:37
Modified
2025-05-04 09:20
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfs: add bounds checking to xlog_recover_process_data
There is a lack of verification of the space occupied by fixed members
of xlog_op_header in the xlog_recover_process_data.
We can create a crafted image to trigger an out of bounds read by
following these steps:
1) Mount an image of xfs, and do some file operations to leave records
2) Before umounting, copy the image for subsequent steps to simulate
abnormal exit. Because umount will ensure that tail_blk and
head_blk are the same, which will result in the inability to enter
xlog_recover_process_data
3) Write a tool to parse and modify the copied image in step 2
4) Make the end of the xlog_op_header entries only 1 byte away from
xlog_rec_header->h_size
5) xlog_rec_header->h_num_logops++
6) Modify xlog_rec_header->h_crc
Fix:
Add a check to make sure there is sufficient space to access fixed members
of xlog_op_header.
References
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:39:55.916Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/fb63435b7c7dc112b1ae1baea5486e0a6e27b196"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41014",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T16:24:49.673152Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:34:05.954Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/xfs/xfs_log_recover.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d1e3efe783365db59da88f08a2e0bfe1cc95b143",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7cd9f0a33e738cd58876f1bc8d6c1aa5bc4fc8c1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fb63435b7c7dc112b1ae1baea5486e0a6e27b196",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/xfs/xfs_log_recover.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.11",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.120",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.64",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: add bounds checking to xlog_recover_process_data\n\nThere is a lack of verification of the space occupied by fixed members\nof xlog_op_header in the xlog_recover_process_data.\n\nWe can create a crafted image to trigger an out of bounds read by\nfollowing these steps:\n 1) Mount an image of xfs, and do some file operations to leave records\n 2) Before umounting, copy the image for subsequent steps to simulate\n abnormal exit. Because umount will ensure that tail_blk and\n head_blk are the same, which will result in the inability to enter\n xlog_recover_process_data\n 3) Write a tool to parse and modify the copied image in step 2\n 4) Make the end of the xlog_op_header entries only 1 byte away from\n xlog_rec_header-\u003eh_size\n 5) xlog_rec_header-\u003eh_num_logops++\n 6) Modify xlog_rec_header-\u003eh_crc\n\nFix:\nAdd a check to make sure there is sufficient space to access fixed members\nof xlog_op_header."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:20:07.227Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d1e3efe783365db59da88f08a2e0bfe1cc95b143"
},
{
"url": "https://git.kernel.org/stable/c/7cd9f0a33e738cd58876f1bc8d6c1aa5bc4fc8c1"
},
{
"url": "https://git.kernel.org/stable/c/fb63435b7c7dc112b1ae1baea5486e0a6e27b196"
}
],
"title": "xfs: add bounds checking to xlog_recover_process_data",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-41014",
"datePublished": "2024-07-29T06:37:00.826Z",
"dateReserved": "2024-07-12T12:17:45.611Z",
"dateUpdated": "2025-05-04T09:20:07.227Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-42243 (GCVE-0-2024-42243)
Vulnerability from cvelistv5
Published
2024-08-07 15:14
Modified
2025-05-04 09:24
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/filemap: make MAX_PAGECACHE_ORDER acceptable to xarray
Patch series "mm/filemap: Limit page cache size to that supported by
xarray", v2.
Currently, xarray can't support arbitrary page cache size. More details
can be found from the WARN_ON() statement in xas_split_alloc(). In our
test whose code is attached below, we hit the WARN_ON() on ARM64 system
where the base page size is 64KB and huge page size is 512MB. The issue
was reported long time ago and some discussions on it can be found here
[1].
[1] https://www.spinics.net/lists/linux-xfs/msg75404.html
In order to fix the issue, we need to adjust MAX_PAGECACHE_ORDER to one
supported by xarray and avoid PMD-sized page cache if needed. The code
changes are suggested by David Hildenbrand.
PATCH[1] adjusts MAX_PAGECACHE_ORDER to that supported by xarray
PATCH[2-3] avoids PMD-sized page cache in the synchronous readahead path
PATCH[4] avoids PMD-sized page cache for shmem files if needed
Test program
============
# cat test.c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <fcntl.h>
#include <errno.h>
#include <sys/syscall.h>
#include <sys/mman.h>
#define TEST_XFS_FILENAME "/tmp/data"
#define TEST_SHMEM_FILENAME "/dev/shm/data"
#define TEST_MEM_SIZE 0x20000000
int main(int argc, char **argv)
{
const char *filename;
int fd = 0;
void *buf = (void *)-1, *p;
int pgsize = getpagesize();
int ret;
if (pgsize != 0x10000) {
fprintf(stderr, "64KB base page size is required\n");
return -EPERM;
}
system("echo force > /sys/kernel/mm/transparent_hugepage/shmem_enabled");
system("rm -fr /tmp/data");
system("rm -fr /dev/shm/data");
system("echo 1 > /proc/sys/vm/drop_caches");
/* Open xfs or shmem file */
filename = TEST_XFS_FILENAME;
if (argc > 1 && !strcmp(argv[1], "shmem"))
filename = TEST_SHMEM_FILENAME;
fd = open(filename, O_CREAT | O_RDWR | O_TRUNC);
if (fd < 0) {
fprintf(stderr, "Unable to open <%s>\n", filename);
return -EIO;
}
/* Extend file size */
ret = ftruncate(fd, TEST_MEM_SIZE);
if (ret) {
fprintf(stderr, "Error %d to ftruncate()\n", ret);
goto cleanup;
}
/* Create VMA */
buf = mmap(NULL, TEST_MEM_SIZE,
PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
if (buf == (void *)-1) {
fprintf(stderr, "Unable to mmap <%s>\n", filename);
goto cleanup;
}
fprintf(stdout, "mapped buffer at 0x%p\n", buf);
ret = madvise(buf, TEST_MEM_SIZE, MADV_HUGEPAGE);
if (ret) {
fprintf(stderr, "Unable to madvise(MADV_HUGEPAGE)\n");
goto cleanup;
}
/* Populate VMA */
ret = madvise(buf, TEST_MEM_SIZE, MADV_POPULATE_WRITE);
if (ret) {
fprintf(stderr, "Error %d to madvise(MADV_POPULATE_WRITE)\n", ret);
goto cleanup;
}
/* Punch the file to enforce xarray split */
ret = fallocate(fd, FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE,
TEST_MEM_SIZE - pgsize, pgsize);
if (ret)
fprintf(stderr, "Error %d to fallocate()\n", ret);
cleanup:
if (buf != (void *)-1)
munmap(buf, TEST_MEM_SIZE);
if (fd > 0)
close(fd);
return 0;
}
# gcc test.c -o test
# cat /proc/1/smaps | grep KernelPageSize | head -n 1
KernelPageSize: 64 kB
# ./test shmem
:
------------[ cut here ]------------
WARNING: CPU: 17 PID: 5253 at lib/xarray.c:1025 xas_split_alloc+0xf8/0x128
Modules linked in: nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib \
nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct \
nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 \
ip_set nf_tables rfkill nfnetlink vfat fat virtio_balloon \
drm fuse xfs libcrc32c crct10dif_ce ghash_ce sha2_ce sha256_arm64 \
virtio_net sha1_ce net_failover failover virtio_console virtio_blk \
dimlib virtio_mmio
CPU: 17 PID: 5253 Comm: test Kdump: loaded Tainted: G W 6.10.0-rc5-gavin+ #12
Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-1.el9 05/24/2024
pstate: 83400005 (Nzcv daif +PAN -UAO +TC
---truncated---
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42243",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T16:13:41.421528Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:34:31.465Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/pagemap.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a0c42ddd0969fdc760a85e20e267776028a7ca4e",
"status": "affected",
"version": "793917d997df2e432f3e9ac126e4482d68256d01",
"versionType": "git"
},
{
"lessThan": "333c5539a31f48828456aa9997ec2808f06a699a",
"status": "affected",
"version": "793917d997df2e432f3e9ac126e4482d68256d01",
"versionType": "git"
},
{
"lessThan": "099d90642a711caae377f53309abfe27e8724a8b",
"status": "affected",
"version": "793917d997df2e432f3e9ac126e4482d68256d01",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/pagemap.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.41",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.9.*",
"status": "unaffected",
"version": "6.9.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.10",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.41",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9.10",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.10",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/filemap: make MAX_PAGECACHE_ORDER acceptable to xarray\n\nPatch series \"mm/filemap: Limit page cache size to that supported by\nxarray\", v2.\n\nCurrently, xarray can\u0027t support arbitrary page cache size. More details\ncan be found from the WARN_ON() statement in xas_split_alloc(). In our\ntest whose code is attached below, we hit the WARN_ON() on ARM64 system\nwhere the base page size is 64KB and huge page size is 512MB. The issue\nwas reported long time ago and some discussions on it can be found here\n[1].\n\n[1] https://www.spinics.net/lists/linux-xfs/msg75404.html\n\nIn order to fix the issue, we need to adjust MAX_PAGECACHE_ORDER to one\nsupported by xarray and avoid PMD-sized page cache if needed. The code\nchanges are suggested by David Hildenbrand.\n\nPATCH[1] adjusts MAX_PAGECACHE_ORDER to that supported by xarray\nPATCH[2-3] avoids PMD-sized page cache in the synchronous readahead path\nPATCH[4] avoids PMD-sized page cache for shmem files if needed\n\nTest program\n============\n# cat test.c\n#define _GNU_SOURCE\n#include \u003cstdio.h\u003e\n#include \u003cstdlib.h\u003e\n#include \u003cunistd.h\u003e\n#include \u003cstring.h\u003e\n#include \u003cfcntl.h\u003e\n#include \u003cerrno.h\u003e\n#include \u003csys/syscall.h\u003e\n#include \u003csys/mman.h\u003e\n\n#define TEST_XFS_FILENAME\t\"/tmp/data\"\n#define TEST_SHMEM_FILENAME\t\"/dev/shm/data\"\n#define TEST_MEM_SIZE\t\t0x20000000\n\nint main(int argc, char **argv)\n{\n\tconst char *filename;\n\tint fd = 0;\n\tvoid *buf = (void *)-1, *p;\n\tint pgsize = getpagesize();\n\tint ret;\n\n\tif (pgsize != 0x10000) {\n\t\tfprintf(stderr, \"64KB base page size is required\\n\");\n\t\treturn -EPERM;\n\t}\n\n\tsystem(\"echo force \u003e /sys/kernel/mm/transparent_hugepage/shmem_enabled\");\n\tsystem(\"rm -fr /tmp/data\");\n\tsystem(\"rm -fr /dev/shm/data\");\n\tsystem(\"echo 1 \u003e /proc/sys/vm/drop_caches\");\n\n\t/* Open xfs or shmem file */\n\tfilename = TEST_XFS_FILENAME;\n\tif (argc \u003e 1 \u0026\u0026 !strcmp(argv[1], \"shmem\"))\n\t\tfilename = TEST_SHMEM_FILENAME;\n\n\tfd = open(filename, O_CREAT | O_RDWR | O_TRUNC);\n\tif (fd \u003c 0) {\n\t\tfprintf(stderr, \"Unable to open \u003c%s\u003e\\n\", filename);\n\t\treturn -EIO;\n\t}\n\n\t/* Extend file size */\n\tret = ftruncate(fd, TEST_MEM_SIZE);\n\tif (ret) {\n\t\tfprintf(stderr, \"Error %d to ftruncate()\\n\", ret);\n\t\tgoto cleanup;\n\t}\n\n\t/* Create VMA */\n\tbuf = mmap(NULL, TEST_MEM_SIZE,\n\t\t PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);\n\tif (buf == (void *)-1) {\n\t\tfprintf(stderr, \"Unable to mmap \u003c%s\u003e\\n\", filename);\n\t\tgoto cleanup;\n\t}\n\n\tfprintf(stdout, \"mapped buffer at 0x%p\\n\", buf);\n\tret = madvise(buf, TEST_MEM_SIZE, MADV_HUGEPAGE);\n if (ret) {\n\t\tfprintf(stderr, \"Unable to madvise(MADV_HUGEPAGE)\\n\");\n\t\tgoto cleanup;\n\t}\n\n\t/* Populate VMA */\n\tret = madvise(buf, TEST_MEM_SIZE, MADV_POPULATE_WRITE);\n\tif (ret) {\n\t\tfprintf(stderr, \"Error %d to madvise(MADV_POPULATE_WRITE)\\n\", ret);\n\t\tgoto cleanup;\n\t}\n\n\t/* Punch the file to enforce xarray split */\n\tret = fallocate(fd, FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE,\n \t\tTEST_MEM_SIZE - pgsize, pgsize);\n\tif (ret)\n\t\tfprintf(stderr, \"Error %d to fallocate()\\n\", ret);\n\ncleanup:\n\tif (buf != (void *)-1)\n\t\tmunmap(buf, TEST_MEM_SIZE);\n\tif (fd \u003e 0)\n\t\tclose(fd);\n\n\treturn 0;\n}\n\n# gcc test.c -o test\n# cat /proc/1/smaps | grep KernelPageSize | head -n 1\nKernelPageSize: 64 kB\n# ./test shmem\n :\n------------[ cut here ]------------\nWARNING: CPU: 17 PID: 5253 at lib/xarray.c:1025 xas_split_alloc+0xf8/0x128\nModules linked in: nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib \\\nnft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct \\\nnft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 \\\nip_set nf_tables rfkill nfnetlink vfat fat virtio_balloon \\\ndrm fuse xfs libcrc32c crct10dif_ce ghash_ce sha2_ce sha256_arm64 \\\nvirtio_net sha1_ce net_failover failover virtio_console virtio_blk \\\ndimlib virtio_mmio\nCPU: 17 PID: 5253 Comm: test Kdump: loaded Tainted: G W 6.10.0-rc5-gavin+ #12\nHardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-1.el9 05/24/2024\npstate: 83400005 (Nzcv daif +PAN -UAO +TC\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:24:56.159Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a0c42ddd0969fdc760a85e20e267776028a7ca4e"
},
{
"url": "https://git.kernel.org/stable/c/333c5539a31f48828456aa9997ec2808f06a699a"
},
{
"url": "https://git.kernel.org/stable/c/099d90642a711caae377f53309abfe27e8724a8b"
}
],
"title": "mm/filemap: make MAX_PAGECACHE_ORDER acceptable to xarray",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-42243",
"datePublished": "2024-08-07T15:14:29.717Z",
"dateReserved": "2024-07-30T07:40:12.254Z",
"dateUpdated": "2025-05-04T09:24:56.159Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…