Action not permitted
Modal body text goes here.
Modal Title
Modal Body
wid-sec-w-2024-3368
Vulnerability from csaf_certbund
Published
2024-11-06 23:00
Modified
2024-11-17 23:00
Summary
Linux Kernel: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Der Kernel stellt den Kern des Linux Betriebssystems dar.
Angriff
Ein lokaler Angreifer kann mehrere Schwachstellen im Linux Kernel ausnutzen, um einen Denial of Service Angriff durchzuführen oder einen unspezifischen Angriff durchzuführen.
Betroffene Betriebssysteme
- Linux
{ "document": { "aggregate_severity": { "text": "mittel" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "Der Kernel stellt den Kern des Linux Betriebssystems dar.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein lokaler Angreifer kann mehrere Schwachstellen im Linux Kernel ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren oder einen unspezifischen Angriff durchzuf\u00fchren.", "title": "Angriff" }, { "category": "general", "text": "- Linux", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2024-3368 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-3368.json" }, { "category": "self", "summary": "WID-SEC-2024-3368 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-3368" }, { "category": "external", "summary": "Kernel CVE Announce Mailingliste", "url": "https://lore.kernel.org/linux-cve-announce/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50139", "url": "https://lore.kernel.org/linux-cve-announce/2024110740-CVE-2024-50139-9ac6@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50140", "url": "https://lore.kernel.org/linux-cve-announce/2024110742-CVE-2024-50140-2371@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50141", "url": "https://lore.kernel.org/linux-cve-announce/2024110742-CVE-2024-50141-a773@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50142", "url": "https://lore.kernel.org/linux-cve-announce/2024110743-CVE-2024-50142-e0dc@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50143", "url": "https://lore.kernel.org/linux-cve-announce/2024110743-CVE-2024-50143-4678@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50144", "url": "https://lore.kernel.org/linux-cve-announce/2024110743-CVE-2024-50144-973b@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50145", "url": "https://lore.kernel.org/linux-cve-announce/2024110744-CVE-2024-50145-10b6@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50146", "url": "https://lore.kernel.org/linux-cve-announce/2024110744-CVE-2024-50146-964d@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50147", "url": "https://lore.kernel.org/linux-cve-announce/2024110744-CVE-2024-50147-d5b6@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50148", "url": "https://lore.kernel.org/linux-cve-announce/2024110744-CVE-2024-50148-b75c@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50149", "url": "https://lore.kernel.org/linux-cve-announce/2024110744-CVE-2024-50149-8ac4@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50150", "url": "https://lore.kernel.org/linux-cve-announce/2024110745-CVE-2024-50150-0254@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50151", "url": "https://lore.kernel.org/linux-cve-announce/2024110745-CVE-2024-50151-f52b@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50152", "url": "https://lore.kernel.org/linux-cve-announce/2024110745-CVE-2024-50152-535e@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50153", "url": "https://lore.kernel.org/linux-cve-announce/2024110745-CVE-2024-50153-ecf2@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50154", "url": "https://lore.kernel.org/linux-cve-announce/2024110745-CVE-2024-50154-0259@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50159", "url": "https://lore.kernel.org/linux-cve-announce/2024110747-CVE-2024-50159-3dec@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50170", "url": "https://lore.kernel.org/linux-cve-announce/2024110749-CVE-2024-50170-05db@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50171", "url": "https://lore.kernel.org/linux-cve-announce/2024110749-CVE-2024-50171-38cb@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50172", "url": "https://lore.kernel.org/linux-cve-announce/2024110749-CVE-2024-50172-6cd4@gregkh/" }, { "category": "external", "summary": "openSUSE Security Update OPENSUSE-SU-2024:14500-1 vom 2024-11-16", "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2NO44GTYBSPPWKFDREFWHITK4XKTNVLP/" } ], "source_lang": "en-US", "title": "Linux Kernel: Mehrere Schwachstellen", "tracking": { "current_release_date": "2024-11-17T23:00:00.000+00:00", "generator": { "date": "2024-11-18T09:04:53.078+00:00", "engine": { "name": "BSI-WID", "version": "1.3.8" } }, "id": "WID-SEC-W-2024-3368", "initial_release_date": "2024-11-06T23:00:00.000+00:00", "revision_history": [ { "date": "2024-11-06T23:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2024-11-17T23:00:00.000+00:00", "number": "2", "summary": "Neue Updates von openSUSE aufgenommen" } ], "status": "final", "version": "2" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_name", "name": "Open Source Linux Kernel", "product": { "name": "Open Source Linux Kernel", "product_id": "T008144", "product_identification_helper": { "cpe": "cpe:/a:linux:linux_kernel:-" } } } ], "category": "vendor", "name": "Open Source" }, { "branches": [ { "category": "product_name", "name": "SUSE openSUSE", "product": { "name": "SUSE openSUSE", "product_id": "T027843", "product_identification_helper": { "cpe": "cpe:/o:suse:opensuse:-" } } } ], "category": "vendor", "name": "SUSE" } ] }, "vulnerabilities": [ { "cve": "CVE-2024-50139", "notes": [ { "category": "description", "text": "Im Linux-Kernel bestehen mehrere Schwachstellen. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie KVM, smb oder drm/xe, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer Race-Condition oder einer NULL-Pointer-Dereferenz und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um nicht spezifizierte Auswirkungen zu verursachen, die m\u00f6glicherweise zu einem Denial-of-Service-Zustand f\u00fchren." } ], "product_status": { "known_affected": [ "T027843", "T008144" ] }, "release_date": "2024-11-06T23:00:00.000+00:00", "title": "CVE-2024-50139" }, { "cve": "CVE-2024-50140", "notes": [ { "category": "description", "text": "Im Linux-Kernel bestehen mehrere Schwachstellen. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie KVM, smb oder drm/xe, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer Race-Condition oder einer NULL-Pointer-Dereferenz und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um nicht spezifizierte Auswirkungen zu verursachen, die m\u00f6glicherweise zu einem Denial-of-Service-Zustand f\u00fchren." } ], "product_status": { "known_affected": [ "T027843", "T008144" ] }, "release_date": "2024-11-06T23:00:00.000+00:00", "title": "CVE-2024-50140" }, { "cve": "CVE-2024-50141", "notes": [ { "category": "description", "text": "Im Linux-Kernel bestehen mehrere Schwachstellen. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie KVM, smb oder drm/xe, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer Race-Condition oder einer NULL-Pointer-Dereferenz und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um nicht spezifizierte Auswirkungen zu verursachen, die m\u00f6glicherweise zu einem Denial-of-Service-Zustand f\u00fchren." } ], "product_status": { "known_affected": [ "T027843", "T008144" ] }, "release_date": "2024-11-06T23:00:00.000+00:00", "title": "CVE-2024-50141" }, { "cve": "CVE-2024-50142", "notes": [ { "category": "description", "text": "Im Linux-Kernel bestehen mehrere Schwachstellen. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie KVM, smb oder drm/xe, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer Race-Condition oder einer NULL-Pointer-Dereferenz und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um nicht spezifizierte Auswirkungen zu verursachen, die m\u00f6glicherweise zu einem Denial-of-Service-Zustand f\u00fchren." } ], "product_status": { "known_affected": [ "T027843", "T008144" ] }, "release_date": "2024-11-06T23:00:00.000+00:00", "title": "CVE-2024-50142" }, { "cve": "CVE-2024-50143", "notes": [ { "category": "description", "text": "Im Linux-Kernel bestehen mehrere Schwachstellen. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie KVM, smb oder drm/xe, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer Race-Condition oder einer NULL-Pointer-Dereferenz und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um nicht spezifizierte Auswirkungen zu verursachen, die m\u00f6glicherweise zu einem Denial-of-Service-Zustand f\u00fchren." } ], "product_status": { "known_affected": [ "T027843", "T008144" ] }, "release_date": "2024-11-06T23:00:00.000+00:00", "title": "CVE-2024-50143" }, { "cve": "CVE-2024-50144", "notes": [ { "category": "description", "text": "Im Linux-Kernel bestehen mehrere Schwachstellen. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie KVM, smb oder drm/xe, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer Race-Condition oder einer NULL-Pointer-Dereferenz und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um nicht spezifizierte Auswirkungen zu verursachen, die m\u00f6glicherweise zu einem Denial-of-Service-Zustand f\u00fchren." } ], "product_status": { "known_affected": [ "T027843", "T008144" ] }, "release_date": "2024-11-06T23:00:00.000+00:00", "title": "CVE-2024-50144" }, { "cve": "CVE-2024-50145", "notes": [ { "category": "description", "text": "Im Linux-Kernel bestehen mehrere Schwachstellen. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie KVM, smb oder drm/xe, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer Race-Condition oder einer NULL-Pointer-Dereferenz und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um nicht spezifizierte Auswirkungen zu verursachen, die m\u00f6glicherweise zu einem Denial-of-Service-Zustand f\u00fchren." } ], "product_status": { "known_affected": [ "T027843", "T008144" ] }, "release_date": "2024-11-06T23:00:00.000+00:00", "title": "CVE-2024-50145" }, { "cve": "CVE-2024-50146", "notes": [ { "category": "description", "text": "Im Linux-Kernel bestehen mehrere Schwachstellen. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie KVM, smb oder drm/xe, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer Race-Condition oder einer NULL-Pointer-Dereferenz und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um nicht spezifizierte Auswirkungen zu verursachen, die m\u00f6glicherweise zu einem Denial-of-Service-Zustand f\u00fchren." } ], "product_status": { "known_affected": [ "T027843", "T008144" ] }, "release_date": "2024-11-06T23:00:00.000+00:00", "title": "CVE-2024-50146" }, { "cve": "CVE-2024-50147", "notes": [ { "category": "description", "text": "Im Linux-Kernel bestehen mehrere Schwachstellen. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie KVM, smb oder drm/xe, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer Race-Condition oder einer NULL-Pointer-Dereferenz und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um nicht spezifizierte Auswirkungen zu verursachen, die m\u00f6glicherweise zu einem Denial-of-Service-Zustand f\u00fchren." } ], "product_status": { "known_affected": [ "T027843", "T008144" ] }, "release_date": "2024-11-06T23:00:00.000+00:00", "title": "CVE-2024-50147" }, { "cve": "CVE-2024-50148", "notes": [ { "category": "description", "text": "Im Linux-Kernel bestehen mehrere Schwachstellen. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie KVM, smb oder drm/xe, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer Race-Condition oder einer NULL-Pointer-Dereferenz und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um nicht spezifizierte Auswirkungen zu verursachen, die m\u00f6glicherweise zu einem Denial-of-Service-Zustand f\u00fchren." } ], "product_status": { "known_affected": [ "T027843", "T008144" ] }, "release_date": "2024-11-06T23:00:00.000+00:00", "title": "CVE-2024-50148" }, { "cve": "CVE-2024-50149", "notes": [ { "category": "description", "text": "Im Linux-Kernel bestehen mehrere Schwachstellen. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie KVM, smb oder drm/xe, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer Race-Condition oder einer NULL-Pointer-Dereferenz und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um nicht spezifizierte Auswirkungen zu verursachen, die m\u00f6glicherweise zu einem Denial-of-Service-Zustand f\u00fchren." } ], "product_status": { "known_affected": [ "T027843", "T008144" ] }, "release_date": "2024-11-06T23:00:00.000+00:00", "title": "CVE-2024-50149" }, { "cve": "CVE-2024-50150", "notes": [ { "category": "description", "text": "Im Linux-Kernel bestehen mehrere Schwachstellen. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie KVM, smb oder drm/xe, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer Race-Condition oder einer NULL-Pointer-Dereferenz und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um nicht spezifizierte Auswirkungen zu verursachen, die m\u00f6glicherweise zu einem Denial-of-Service-Zustand f\u00fchren." } ], "product_status": { "known_affected": [ "T027843", "T008144" ] }, "release_date": "2024-11-06T23:00:00.000+00:00", "title": "CVE-2024-50150" }, { "cve": "CVE-2024-50151", "notes": [ { "category": "description", "text": "Im Linux-Kernel bestehen mehrere Schwachstellen. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie KVM, smb oder drm/xe, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer Race-Condition oder einer NULL-Pointer-Dereferenz und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um nicht spezifizierte Auswirkungen zu verursachen, die m\u00f6glicherweise zu einem Denial-of-Service-Zustand f\u00fchren." } ], "product_status": { "known_affected": [ "T027843", "T008144" ] }, "release_date": "2024-11-06T23:00:00.000+00:00", "title": "CVE-2024-50151" }, { "cve": "CVE-2024-50152", "notes": [ { "category": "description", "text": "Im Linux-Kernel bestehen mehrere Schwachstellen. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie KVM, smb oder drm/xe, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer Race-Condition oder einer NULL-Pointer-Dereferenz und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um nicht spezifizierte Auswirkungen zu verursachen, die m\u00f6glicherweise zu einem Denial-of-Service-Zustand f\u00fchren." } ], "product_status": { "known_affected": [ "T027843", "T008144" ] }, "release_date": "2024-11-06T23:00:00.000+00:00", "title": "CVE-2024-50152" }, { "cve": "CVE-2024-50153", "notes": [ { "category": "description", "text": "Im Linux-Kernel bestehen mehrere Schwachstellen. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie KVM, smb oder drm/xe, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer Race-Condition oder einer NULL-Pointer-Dereferenz und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um nicht spezifizierte Auswirkungen zu verursachen, die m\u00f6glicherweise zu einem Denial-of-Service-Zustand f\u00fchren." } ], "product_status": { "known_affected": [ "T027843", "T008144" ] }, "release_date": "2024-11-06T23:00:00.000+00:00", "title": "CVE-2024-50153" }, { "cve": "CVE-2024-50154", "notes": [ { "category": "description", "text": "Im Linux-Kernel bestehen mehrere Schwachstellen. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie KVM, smb oder drm/xe, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer Race-Condition oder einer NULL-Pointer-Dereferenz und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um nicht spezifizierte Auswirkungen zu verursachen, die m\u00f6glicherweise zu einem Denial-of-Service-Zustand f\u00fchren." } ], "product_status": { "known_affected": [ "T027843", "T008144" ] }, "release_date": "2024-11-06T23:00:00.000+00:00", "title": "CVE-2024-50154" }, { "cve": "CVE-2024-50159", "notes": [ { "category": "description", "text": "Im Linux-Kernel bestehen mehrere Schwachstellen. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie KVM, smb oder drm/xe, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer Race-Condition oder einer NULL-Pointer-Dereferenz und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um nicht spezifizierte Auswirkungen zu verursachen, die m\u00f6glicherweise zu einem Denial-of-Service-Zustand f\u00fchren." } ], "product_status": { "known_affected": [ "T027843", "T008144" ] }, "release_date": "2024-11-06T23:00:00.000+00:00", "title": "CVE-2024-50159" }, { "cve": "CVE-2024-50170", "notes": [ { "category": "description", "text": "Im Linux-Kernel bestehen mehrere Schwachstellen. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie KVM, smb oder drm/xe, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer Race-Condition oder einer NULL-Pointer-Dereferenz und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um nicht spezifizierte Auswirkungen zu verursachen, die m\u00f6glicherweise zu einem Denial-of-Service-Zustand f\u00fchren." } ], "product_status": { "known_affected": [ "T027843", "T008144" ] }, "release_date": "2024-11-06T23:00:00.000+00:00", "title": "CVE-2024-50170" }, { "cve": "CVE-2024-50171", "notes": [ { "category": "description", "text": "Im Linux-Kernel bestehen mehrere Schwachstellen. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie KVM, smb oder drm/xe, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer Race-Condition oder einer NULL-Pointer-Dereferenz und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um nicht spezifizierte Auswirkungen zu verursachen, die m\u00f6glicherweise zu einem Denial-of-Service-Zustand f\u00fchren." } ], "product_status": { "known_affected": [ "T027843", "T008144" ] }, "release_date": "2024-11-06T23:00:00.000+00:00", "title": "CVE-2024-50171" }, { "cve": "CVE-2024-50172", "notes": [ { "category": "description", "text": "Im Linux-Kernel bestehen mehrere Schwachstellen. Diese Fehler bestehen in mehreren Subsystemen und Komponenten wie KVM, smb oder drm/xe, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer Use-after-free-, einer Race-Condition oder einer NULL-Pointer-Dereferenz und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um nicht spezifizierte Auswirkungen zu verursachen, die m\u00f6glicherweise zu einem Denial-of-Service-Zustand f\u00fchren." } ], "product_status": { "known_affected": [ "T027843", "T008144" ] }, "release_date": "2024-11-06T23:00:00.000+00:00", "title": "CVE-2024-50172" } ] }
cve-2024-50141
Vulnerability from cvelistv5
Published
2024-11-07 09:31
Modified
2024-12-19 09:34
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ACPI: PRM: Find EFI_MEMORY_RUNTIME block for PRM handler and context
PRMT needs to find the correct type of block to translate the PA-VA
mapping for EFI runtime services.
The issue arises because the PRMT is finding a block of type
EFI_CONVENTIONAL_MEMORY, which is not appropriate for runtime services
as described in Section 2.2.2 (Runtime Services) of the UEFI
Specification [1]. Since the PRM handler is a type of runtime service,
this causes an exception when the PRM handler is called.
[Firmware Bug]: Unable to handle paging request in EFI runtime service
WARNING: CPU: 22 PID: 4330 at drivers/firmware/efi/runtime-wrappers.c:341
__efi_queue_work+0x11c/0x170
Call trace:
Let PRMT find a block with EFI_MEMORY_RUNTIME for PRM handler and PRM
context.
If no suitable block is found, a warning message will be printed, but
the procedure continues to manage the next PRM handler.
However, if the PRM handler is actually called without proper allocation,
it would result in a failure during error handling.
By using the correct memory types for runtime services, ensure that the
PRM handler and the context are properly mapped in the virtual address
space during runtime, preventing the paging request error.
The issue is really that only memory that has been remapped for runtime
by the firmware can be used by the PRM handler, and so the region needs
to have the EFI_MEMORY_RUNTIME attribute.
[ rjw: Subject and changelog edits ]
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: cefc7ca46235f01d5233e3abd4b79452af01d9e9 Version: cefc7ca46235f01d5233e3abd4b79452af01d9e9 Version: cefc7ca46235f01d5233e3abd4b79452af01d9e9 Version: cefc7ca46235f01d5233e3abd4b79452af01d9e9 Version: cefc7ca46235f01d5233e3abd4b79452af01d9e9 |
||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/acpi/prmt.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "8df52929530839e878e6912e33348b54101e3250", "status": "affected", "version": "cefc7ca46235f01d5233e3abd4b79452af01d9e9", "versionType": "git" }, { "lessThan": "8ce081ad842510f0e70fa6065a401660eac876d4", "status": "affected", "version": "cefc7ca46235f01d5233e3abd4b79452af01d9e9", "versionType": "git" }, { "lessThan": "795b080d9aa127215a5baf088a22fa09341a0126", "status": "affected", "version": "cefc7ca46235f01d5233e3abd4b79452af01d9e9", "versionType": "git" }, { "lessThan": "20e9fafb8bb6f545667d7916b0e81e68c0748810", "status": "affected", "version": "cefc7ca46235f01d5233e3abd4b79452af01d9e9", "versionType": "git" }, { "lessThan": "088984c8d54c0053fc4ae606981291d741c5924b", "status": "affected", "version": "cefc7ca46235f01d5233e3abd4b79452af01d9e9", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/acpi/prmt.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.14" }, { "lessThan": "5.14", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.171", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.115", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.59", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: PRM: Find EFI_MEMORY_RUNTIME block for PRM handler and context\n\nPRMT needs to find the correct type of block to translate the PA-VA\nmapping for EFI runtime services.\n\nThe issue arises because the PRMT is finding a block of type\nEFI_CONVENTIONAL_MEMORY, which is not appropriate for runtime services\nas described in Section 2.2.2 (Runtime Services) of the UEFI\nSpecification [1]. Since the PRM handler is a type of runtime service,\nthis causes an exception when the PRM handler is called.\n\n [Firmware Bug]: Unable to handle paging request in EFI runtime service\n WARNING: CPU: 22 PID: 4330 at drivers/firmware/efi/runtime-wrappers.c:341\n __efi_queue_work+0x11c/0x170\n Call trace:\n\nLet PRMT find a block with EFI_MEMORY_RUNTIME for PRM handler and PRM\ncontext.\n\nIf no suitable block is found, a warning message will be printed, but\nthe procedure continues to manage the next PRM handler.\n\nHowever, if the PRM handler is actually called without proper allocation,\nit would result in a failure during error handling.\n\nBy using the correct memory types for runtime services, ensure that the\nPRM handler and the context are properly mapped in the virtual address\nspace during runtime, preventing the paging request error.\n\nThe issue is really that only memory that has been remapped for runtime\nby the firmware can be used by the PRM handler, and so the region needs\nto have the EFI_MEMORY_RUNTIME attribute.\n\n[ rjw: Subject and changelog edits ]" } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:34:01.481Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/8df52929530839e878e6912e33348b54101e3250" }, { "url": "https://git.kernel.org/stable/c/8ce081ad842510f0e70fa6065a401660eac876d4" }, { "url": "https://git.kernel.org/stable/c/795b080d9aa127215a5baf088a22fa09341a0126" }, { "url": "https://git.kernel.org/stable/c/20e9fafb8bb6f545667d7916b0e81e68c0748810" }, { "url": "https://git.kernel.org/stable/c/088984c8d54c0053fc4ae606981291d741c5924b" } ], "title": "ACPI: PRM: Find EFI_MEMORY_RUNTIME block for PRM handler and context", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50141", "datePublished": "2024-11-07T09:31:18.461Z", "dateReserved": "2024-10-21T19:36:19.956Z", "dateUpdated": "2024-12-19T09:34:01.481Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50140
Vulnerability from cvelistv5
Published
2024-11-07 09:31
Modified
2024-12-19 09:34
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
sched/core: Disable page allocation in task_tick_mm_cid()
With KASAN and PREEMPT_RT enabled, calling task_work_add() in
task_tick_mm_cid() may cause the following splat.
[ 63.696416] BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48
[ 63.696416] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 610, name: modprobe
[ 63.696416] preempt_count: 10001, expected: 0
[ 63.696416] RCU nest depth: 1, expected: 1
This problem is caused by the following call trace.
sched_tick() [ acquire rq->__lock ]
-> task_tick_mm_cid()
-> task_work_add()
-> __kasan_record_aux_stack()
-> kasan_save_stack()
-> stack_depot_save_flags()
-> alloc_pages_mpol_noprof()
-> __alloc_pages_noprof()
-> get_page_from_freelist()
-> rmqueue()
-> rmqueue_pcplist()
-> __rmqueue_pcplist()
-> rmqueue_bulk()
-> rt_spin_lock()
The rq lock is a raw_spinlock_t. We can't sleep while holding
it. IOW, we can't call alloc_pages() in stack_depot_save_flags().
The task_tick_mm_cid() function with its task_work_add() call was
introduced by commit 223baf9d17f2 ("sched: Fix performance regression
introduced by mm_cid") in v6.4 kernel.
Fortunately, there is a kasan_record_aux_stack_noalloc() variant that
calls stack_depot_save_flags() while not allowing it to allocate
new pages. To allow task_tick_mm_cid() to use task_work without
page allocation, a new TWAF_NO_ALLOC flag is added to enable calling
kasan_record_aux_stack_noalloc() instead of kasan_record_aux_stack()
if set. The task_tick_mm_cid() function is modified to add this new flag.
The possible downside is the missing stack trace in a KASAN report due
to new page allocation required when task_work_add_noallloc() is called
which should be rare.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "include/linux/task_work.h", "kernel/sched/core.c", "kernel/task_work.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "509c29d0d26f68a6f6d0a05cb1a89725237e2b87", "status": "affected", "version": "223baf9d17f25e2608dbdff7232c095c1e612268", "versionType": "git" }, { "lessThan": "ce0241ef83eed55f675376e8a3605d23de53d875", "status": "affected", "version": "223baf9d17f25e2608dbdff7232c095c1e612268", "versionType": "git" }, { "lessThan": "73ab05aa46b02d96509cb029a8d04fca7bbde8c7", "status": "affected", "version": "223baf9d17f25e2608dbdff7232c095c1e612268", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "include/linux/task_work.h", "kernel/sched/core.c", "kernel/task_work.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.4" }, { "lessThan": "6.4", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.59", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/core: Disable page allocation in task_tick_mm_cid()\n\nWith KASAN and PREEMPT_RT enabled, calling task_work_add() in\ntask_tick_mm_cid() may cause the following splat.\n\n[ 63.696416] BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48\n[ 63.696416] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 610, name: modprobe\n[ 63.696416] preempt_count: 10001, expected: 0\n[ 63.696416] RCU nest depth: 1, expected: 1\n\nThis problem is caused by the following call trace.\n\n sched_tick() [ acquire rq-\u003e__lock ]\n -\u003e task_tick_mm_cid()\n -\u003e task_work_add()\n -\u003e __kasan_record_aux_stack()\n -\u003e kasan_save_stack()\n -\u003e stack_depot_save_flags()\n -\u003e alloc_pages_mpol_noprof()\n -\u003e __alloc_pages_noprof()\n\t -\u003e get_page_from_freelist()\n\t -\u003e rmqueue()\n\t -\u003e rmqueue_pcplist()\n\t -\u003e __rmqueue_pcplist()\n\t -\u003e rmqueue_bulk()\n\t -\u003e rt_spin_lock()\n\nThe rq lock is a raw_spinlock_t. We can\u0027t sleep while holding\nit. IOW, we can\u0027t call alloc_pages() in stack_depot_save_flags().\n\nThe task_tick_mm_cid() function with its task_work_add() call was\nintroduced by commit 223baf9d17f2 (\"sched: Fix performance regression\nintroduced by mm_cid\") in v6.4 kernel.\n\nFortunately, there is a kasan_record_aux_stack_noalloc() variant that\ncalls stack_depot_save_flags() while not allowing it to allocate\nnew pages. To allow task_tick_mm_cid() to use task_work without\npage allocation, a new TWAF_NO_ALLOC flag is added to enable calling\nkasan_record_aux_stack_noalloc() instead of kasan_record_aux_stack()\nif set. The task_tick_mm_cid() function is modified to add this new flag.\n\nThe possible downside is the missing stack trace in a KASAN report due\nto new page allocation required when task_work_add_noallloc() is called\nwhich should be rare." } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:34:00.373Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/509c29d0d26f68a6f6d0a05cb1a89725237e2b87" }, { "url": "https://git.kernel.org/stable/c/ce0241ef83eed55f675376e8a3605d23de53d875" }, { "url": "https://git.kernel.org/stable/c/73ab05aa46b02d96509cb029a8d04fca7bbde8c7" } ], "title": "sched/core: Disable page allocation in task_tick_mm_cid()", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50140", "datePublished": "2024-11-07T09:31:17.379Z", "dateReserved": "2024-10-21T19:36:19.956Z", "dateUpdated": "2024-12-19T09:34:00.373Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50142
Vulnerability from cvelistv5
Published
2024-11-07 09:31
Modified
2024-12-19 09:34
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfrm: validate new SA's prefixlen using SA family when sel.family is unset
This expands the validation introduced in commit 07bf7908950a ("xfrm:
Validate address prefix lengths in the xfrm selector.")
syzbot created an SA with
usersa.sel.family = AF_UNSPEC
usersa.sel.prefixlen_s = 128
usersa.family = AF_INET
Because of the AF_UNSPEC selector, verify_newsa_info doesn't put
limits on prefixlen_{s,d}. But then copy_from_user_state sets
x->sel.family to usersa.family (AF_INET). Do the same conversion in
verify_newsa_info before validating prefixlen_{s,d}, since that's how
prefixlen is going to be used later on.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/xfrm/xfrm_user.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "f31398570acf0f0804c644006f7bfa9067106b0a", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "401ad99a5ae7180dd9449eac104cb755f442e7f3", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "8df5cd51fd70c33aa1776e5cbcd82b0a86649d73", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "2d08a6c31c65f23db71a5385ee9cf9d8f9a67a71", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "bce1afaa212ec380bf971614f70909a27882b862", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "7d9868180bd1e4cf37e7c5067362658971162366", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "e68dd80ba498265d2266b12dc3459164f4ff0c4a", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "3f0ab59e6537c6a8f9e1b355b48f9c05a76e8563", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/xfrm/xfrm_user.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "2.6.12" }, { "lessThan": "2.6.12", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.323", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.285", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.229", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.170", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.115", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.59", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: validate new SA\u0027s prefixlen using SA family when sel.family is unset\n\nThis expands the validation introduced in commit 07bf7908950a (\"xfrm:\nValidate address prefix lengths in the xfrm selector.\")\n\nsyzbot created an SA with\n usersa.sel.family = AF_UNSPEC\n usersa.sel.prefixlen_s = 128\n usersa.family = AF_INET\n\nBecause of the AF_UNSPEC selector, verify_newsa_info doesn\u0027t put\nlimits on prefixlen_{s,d}. But then copy_from_user_state sets\nx-\u003esel.family to usersa.family (AF_INET). Do the same conversion in\nverify_newsa_info before validating prefixlen_{s,d}, since that\u0027s how\nprefixlen is going to be used later on." } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:34:02.678Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/f31398570acf0f0804c644006f7bfa9067106b0a" }, { "url": "https://git.kernel.org/stable/c/401ad99a5ae7180dd9449eac104cb755f442e7f3" }, { "url": "https://git.kernel.org/stable/c/8df5cd51fd70c33aa1776e5cbcd82b0a86649d73" }, { "url": "https://git.kernel.org/stable/c/2d08a6c31c65f23db71a5385ee9cf9d8f9a67a71" }, { "url": "https://git.kernel.org/stable/c/bce1afaa212ec380bf971614f70909a27882b862" }, { "url": "https://git.kernel.org/stable/c/7d9868180bd1e4cf37e7c5067362658971162366" }, { "url": "https://git.kernel.org/stable/c/e68dd80ba498265d2266b12dc3459164f4ff0c4a" }, { "url": "https://git.kernel.org/stable/c/3f0ab59e6537c6a8f9e1b355b48f9c05a76e8563" } ], "title": "xfrm: validate new SA\u0027s prefixlen using SA family when sel.family is unset", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50142", "datePublished": "2024-11-07T09:31:19.415Z", "dateReserved": "2024-10-21T19:36:19.956Z", "dateUpdated": "2024-12-19T09:34:02.678Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50147
Vulnerability from cvelistv5
Published
2024-11-07 09:31
Modified
2024-12-19 09:34
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: Fix command bitmask initialization
Command bitmask have a dedicated bit for MANAGE_PAGES command, this bit
isn't Initialize during command bitmask Initialization, only during
MANAGE_PAGES.
In addition, mlx5_cmd_trigger_completions() is trying to trigger
completion for MANAGE_PAGES command as well.
Hence, in case health error occurred before any MANAGE_PAGES command
have been invoke (for example, during mlx5_enable_hca()),
mlx5_cmd_trigger_completions() will try to trigger completion for
MANAGE_PAGES command, which will result in null-ptr-deref error.[1]
Fix it by Initialize command bitmask correctly.
While at it, re-write the code for better understanding.
[1]
BUG: KASAN: null-ptr-deref in mlx5_cmd_trigger_completions+0x1db/0x600 [mlx5_core]
Write of size 4 at addr 0000000000000214 by task kworker/u96:2/12078
CPU: 10 PID: 12078 Comm: kworker/u96:2 Not tainted 6.9.0-rc2_for_upstream_debug_2024_04_07_19_01 #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
Workqueue: mlx5_health0000:08:00.0 mlx5_fw_fatal_reporter_err_work [mlx5_core]
Call Trace:
<TASK>
dump_stack_lvl+0x7e/0xc0
kasan_report+0xb9/0xf0
kasan_check_range+0xec/0x190
mlx5_cmd_trigger_completions+0x1db/0x600 [mlx5_core]
mlx5_cmd_flush+0x94/0x240 [mlx5_core]
enter_error_state+0x6c/0xd0 [mlx5_core]
mlx5_fw_fatal_reporter_err_work+0xf3/0x480 [mlx5_core]
process_one_work+0x787/0x1490
? lockdep_hardirqs_on_prepare+0x400/0x400
? pwq_dec_nr_in_flight+0xda0/0xda0
? assign_work+0x168/0x240
worker_thread+0x586/0xd30
? rescuer_thread+0xae0/0xae0
kthread+0x2df/0x3b0
? kthread_complete_and_exit+0x20/0x20
ret_from_fork+0x2d/0x70
? kthread_complete_and_exit+0x20/0x20
ret_from_fork_asm+0x11/0x20
</TASK>
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/mellanox/mlx5/core/cmd.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "d1606090bb294cecb7de3c4ed177f5aa0abd4c4e", "status": "affected", "version": "9b98d395b85dd042fe83fb696b1ac02e6c93a520", "versionType": "git" }, { "lessThan": "d88564c79d1cedaf2655f12261eca0d2796bde4e", "status": "affected", "version": "9b98d395b85dd042fe83fb696b1ac02e6c93a520", "versionType": "git" }, { "lessThan": "2feac1e562be0efc621a6722644a90f355d53473", "status": "affected", "version": "9b98d395b85dd042fe83fb696b1ac02e6c93a520", "versionType": "git" }, { "lessThan": "d62b14045c6511a7b2d4948d1a83a4e592deeb05", "status": "affected", "version": "9b98d395b85dd042fe83fb696b1ac02e6c93a520", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/mellanox/mlx5/core/cmd.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.1" }, { "lessThan": "6.1", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.115", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.59", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Fix command bitmask initialization\n\nCommand bitmask have a dedicated bit for MANAGE_PAGES command, this bit\nisn\u0027t Initialize during command bitmask Initialization, only during\nMANAGE_PAGES.\n\nIn addition, mlx5_cmd_trigger_completions() is trying to trigger\ncompletion for MANAGE_PAGES command as well.\n\nHence, in case health error occurred before any MANAGE_PAGES command\nhave been invoke (for example, during mlx5_enable_hca()),\nmlx5_cmd_trigger_completions() will try to trigger completion for\nMANAGE_PAGES command, which will result in null-ptr-deref error.[1]\n\nFix it by Initialize command bitmask correctly.\n\nWhile at it, re-write the code for better understanding.\n\n[1]\nBUG: KASAN: null-ptr-deref in mlx5_cmd_trigger_completions+0x1db/0x600 [mlx5_core]\nWrite of size 4 at addr 0000000000000214 by task kworker/u96:2/12078\nCPU: 10 PID: 12078 Comm: kworker/u96:2 Not tainted 6.9.0-rc2_for_upstream_debug_2024_04_07_19_01 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nWorkqueue: mlx5_health0000:08:00.0 mlx5_fw_fatal_reporter_err_work [mlx5_core]\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x7e/0xc0\n kasan_report+0xb9/0xf0\n kasan_check_range+0xec/0x190\n mlx5_cmd_trigger_completions+0x1db/0x600 [mlx5_core]\n mlx5_cmd_flush+0x94/0x240 [mlx5_core]\n enter_error_state+0x6c/0xd0 [mlx5_core]\n mlx5_fw_fatal_reporter_err_work+0xf3/0x480 [mlx5_core]\n process_one_work+0x787/0x1490\n ? lockdep_hardirqs_on_prepare+0x400/0x400\n ? pwq_dec_nr_in_flight+0xda0/0xda0\n ? assign_work+0x168/0x240\n worker_thread+0x586/0xd30\n ? rescuer_thread+0xae0/0xae0\n kthread+0x2df/0x3b0\n ? kthread_complete_and_exit+0x20/0x20\n ret_from_fork+0x2d/0x70\n ? kthread_complete_and_exit+0x20/0x20\n ret_from_fork_asm+0x11/0x20\n \u003c/TASK\u003e" } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:34:08.329Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/d1606090bb294cecb7de3c4ed177f5aa0abd4c4e" }, { "url": "https://git.kernel.org/stable/c/d88564c79d1cedaf2655f12261eca0d2796bde4e" }, { "url": "https://git.kernel.org/stable/c/2feac1e562be0efc621a6722644a90f355d53473" }, { "url": "https://git.kernel.org/stable/c/d62b14045c6511a7b2d4948d1a83a4e592deeb05" } ], "title": "net/mlx5: Fix command bitmask initialization", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50147", "datePublished": "2024-11-07T09:31:24.151Z", "dateReserved": "2024-10-21T19:36:19.958Z", "dateUpdated": "2024-12-19T09:34:08.329Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50159
Vulnerability from cvelistv5
Published
2024-11-07 09:31
Modified
2024-12-19 09:34
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
firmware: arm_scmi: Fix the double free in scmi_debugfs_common_setup()
Clang static checker(scan-build) throws below warning:
| drivers/firmware/arm_scmi/driver.c:line 2915, column 2
| Attempt to free released memory.
When devm_add_action_or_reset() fails, scmi_debugfs_common_cleanup()
will run twice which causes double free of 'dbg->name'.
Remove the redundant scmi_debugfs_common_cleanup() to fix this problem.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/firmware/arm_scmi/driver.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "6d91d07913aee90556362d648d6a28a1eda419dc", "status": "affected", "version": "c3d4aed763ce4a39f8ed36c7b7cd9a6a35971329", "versionType": "git" }, { "lessThan": "fb324fdaf546bf14bc4c17e0037bca6cb952b121", "status": "affected", "version": "c3d4aed763ce4a39f8ed36c7b7cd9a6a35971329", "versionType": "git" }, { "lessThan": "39b13dce1a91cdfc3bec9238f9e89094551bd428", "status": "affected", "version": "c3d4aed763ce4a39f8ed36c7b7cd9a6a35971329", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/firmware/arm_scmi/driver.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.3" }, { "lessThan": "6.3", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.59", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: arm_scmi: Fix the double free in scmi_debugfs_common_setup()\n\nClang static checker(scan-build) throws below warning\uff1a\n | drivers/firmware/arm_scmi/driver.c:line 2915, column 2\n | Attempt to free released memory.\n\nWhen devm_add_action_or_reset() fails, scmi_debugfs_common_cleanup()\nwill run twice which causes double free of \u0027dbg-\u003ename\u0027.\n\nRemove the redundant scmi_debugfs_common_cleanup() to fix this problem." } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:34:22.006Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/6d91d07913aee90556362d648d6a28a1eda419dc" }, { "url": "https://git.kernel.org/stable/c/fb324fdaf546bf14bc4c17e0037bca6cb952b121" }, { "url": "https://git.kernel.org/stable/c/39b13dce1a91cdfc3bec9238f9e89094551bd428" } ], "title": "firmware: arm_scmi: Fix the double free in scmi_debugfs_common_setup()", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50159", "datePublished": "2024-11-07T09:31:36.167Z", "dateReserved": "2024-10-21T19:36:19.961Z", "dateUpdated": "2024-12-19T09:34:22.006Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50145
Vulnerability from cvelistv5
Published
2024-11-07 09:31
Modified
2024-12-19 09:34
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
octeon_ep: Add SKB allocation failures handling in __octep_oq_process_rx()
build_skb() returns NULL in case of a memory allocation failure so handle
it inside __octep_oq_process_rx() to avoid NULL pointer dereference.
__octep_oq_process_rx() is called during NAPI polling by the driver. If
skb allocation fails, keep on pulling packets out of the Rx DMA queue: we
shouldn't break the polling immediately and thus falsely indicate to the
octep_napi_poll() that the Rx pressure is going down. As there is no
associated skb in this case, don't process the packets and don't push them
up the network stack - they are skipped.
Helper function is implemented to unmmap/flush all the fragment buffers
used by the dropped packet. 'alloc_failures' counter is incremented to
mark the skb allocation error in driver statistics.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/marvell/octeon_ep/octep_rx.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "09ce491112bbf0b866e2638d3e961c1c73d1f00b", "status": "affected", "version": "37d79d0596062057f588bdbb2ebad5455a43d353", "versionType": "git" }, { "lessThan": "c2d2dc4f88bb3cfc4f3cc320fd3ff51b0ae5b0ea", "status": "affected", "version": "37d79d0596062057f588bdbb2ebad5455a43d353", "versionType": "git" }, { "lessThan": "2dedcb6f99f4c1a11944e7cc35dbeb9b18a5cbac", "status": "affected", "version": "37d79d0596062057f588bdbb2ebad5455a43d353", "versionType": "git" }, { "lessThan": "eb592008f79be52ccef88cd9a5249b3fc0367278", "status": "affected", "version": "37d79d0596062057f588bdbb2ebad5455a43d353", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/marvell/octeon_ep/octep_rx.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.19" }, { "lessThan": "5.19", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.115", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.59", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteon_ep: Add SKB allocation failures handling in __octep_oq_process_rx()\n\nbuild_skb() returns NULL in case of a memory allocation failure so handle\nit inside __octep_oq_process_rx() to avoid NULL pointer dereference.\n\n__octep_oq_process_rx() is called during NAPI polling by the driver. If\nskb allocation fails, keep on pulling packets out of the Rx DMA queue: we\nshouldn\u0027t break the polling immediately and thus falsely indicate to the\noctep_napi_poll() that the Rx pressure is going down. As there is no\nassociated skb in this case, don\u0027t process the packets and don\u0027t push them\nup the network stack - they are skipped.\n\nHelper function is implemented to unmmap/flush all the fragment buffers\nused by the dropped packet. \u0027alloc_failures\u0027 counter is incremented to\nmark the skb allocation error in driver statistics.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE." } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:34:06.081Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/09ce491112bbf0b866e2638d3e961c1c73d1f00b" }, { "url": "https://git.kernel.org/stable/c/c2d2dc4f88bb3cfc4f3cc320fd3ff51b0ae5b0ea" }, { "url": "https://git.kernel.org/stable/c/2dedcb6f99f4c1a11944e7cc35dbeb9b18a5cbac" }, { "url": "https://git.kernel.org/stable/c/eb592008f79be52ccef88cd9a5249b3fc0367278" } ], "title": "octeon_ep: Add SKB allocation failures handling in __octep_oq_process_rx()", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50145", "datePublished": "2024-11-07T09:31:22.202Z", "dateReserved": "2024-10-21T19:36:19.956Z", "dateUpdated": "2024-12-19T09:34:06.081Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50146
Vulnerability from cvelistv5
Published
2024-11-07 09:31
Modified
2024-12-19 09:34
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: Don't call cleanup on profile rollback failure
When profile rollback fails in mlx5e_netdev_change_profile, the netdev
profile var is left set to NULL. Avoid a crash when unloading the driver
by not calling profile->cleanup in such a case.
This was encountered while testing, with the original trigger that
the wq rescuer thread creation got interrupted (presumably due to
Ctrl+C-ing modprobe), which gets converted to ENOMEM (-12) by
mlx5e_priv_init, the profile rollback also fails for the same reason
(signal still active) so the profile is left as NULL, leading to a crash
later in _mlx5e_remove.
[ 732.473932] mlx5_core 0000:08:00.1: E-Switch: Unload vfs: mode(OFFLOADS), nvfs(2), necvfs(0), active vports(2)
[ 734.525513] workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR
[ 734.557372] mlx5_core 0000:08:00.1: mlx5e_netdev_init_profile:6235:(pid 6086): mlx5e_priv_init failed, err=-12
[ 734.559187] mlx5_core 0000:08:00.1 eth3: mlx5e_netdev_change_profile: new profile init failed, -12
[ 734.560153] workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR
[ 734.589378] mlx5_core 0000:08:00.1: mlx5e_netdev_init_profile:6235:(pid 6086): mlx5e_priv_init failed, err=-12
[ 734.591136] mlx5_core 0000:08:00.1 eth3: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12
[ 745.537492] BUG: kernel NULL pointer dereference, address: 0000000000000008
[ 745.538222] #PF: supervisor read access in kernel mode
<snipped>
[ 745.551290] Call Trace:
[ 745.551590] <TASK>
[ 745.551866] ? __die+0x20/0x60
[ 745.552218] ? page_fault_oops+0x150/0x400
[ 745.555307] ? exc_page_fault+0x79/0x240
[ 745.555729] ? asm_exc_page_fault+0x22/0x30
[ 745.556166] ? mlx5e_remove+0x6b/0xb0 [mlx5_core]
[ 745.556698] auxiliary_bus_remove+0x18/0x30
[ 745.557134] device_release_driver_internal+0x1df/0x240
[ 745.557654] bus_remove_device+0xd7/0x140
[ 745.558075] device_del+0x15b/0x3c0
[ 745.558456] mlx5_rescan_drivers_locked.part.0+0xb1/0x2f0 [mlx5_core]
[ 745.559112] mlx5_unregister_device+0x34/0x50 [mlx5_core]
[ 745.559686] mlx5_uninit_one+0x46/0xf0 [mlx5_core]
[ 745.560203] remove_one+0x4e/0xd0 [mlx5_core]
[ 745.560694] pci_device_remove+0x39/0xa0
[ 745.561112] device_release_driver_internal+0x1df/0x240
[ 745.561631] driver_detach+0x47/0x90
[ 745.562022] bus_remove_driver+0x84/0x100
[ 745.562444] pci_unregister_driver+0x3b/0x90
[ 745.562890] mlx5_cleanup+0xc/0x1b [mlx5_core]
[ 745.563415] __x64_sys_delete_module+0x14d/0x2f0
[ 745.563886] ? kmem_cache_free+0x1b0/0x460
[ 745.564313] ? lockdep_hardirqs_on_prepare+0xe2/0x190
[ 745.564825] do_syscall_64+0x6d/0x140
[ 745.565223] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 745.565725] RIP: 0033:0x7f1579b1288b
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/mellanox/mlx5/core/en_main.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "3955b77494c3c7d14873b1db67e7e00c46a714db", "status": "affected", "version": "3ef14e463f6ed0218710f56b97e1a7d0448784d2", "versionType": "git" }, { "lessThan": "4dbc1d1a9f39c3711ad2a40addca04d07d9ab5d0", "status": "affected", "version": "3ef14e463f6ed0218710f56b97e1a7d0448784d2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/mellanox/mlx5/core/en_main.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.12" }, { "lessThan": "5.12", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Don\u0027t call cleanup on profile rollback failure\n\nWhen profile rollback fails in mlx5e_netdev_change_profile, the netdev\nprofile var is left set to NULL. Avoid a crash when unloading the driver\nby not calling profile-\u003ecleanup in such a case.\n\nThis was encountered while testing, with the original trigger that\nthe wq rescuer thread creation got interrupted (presumably due to\nCtrl+C-ing modprobe), which gets converted to ENOMEM (-12) by\nmlx5e_priv_init, the profile rollback also fails for the same reason\n(signal still active) so the profile is left as NULL, leading to a crash\nlater in _mlx5e_remove.\n\n [ 732.473932] mlx5_core 0000:08:00.1: E-Switch: Unload vfs: mode(OFFLOADS), nvfs(2), necvfs(0), active vports(2)\n [ 734.525513] workqueue: Failed to create a rescuer kthread for wq \"mlx5e\": -EINTR\n [ 734.557372] mlx5_core 0000:08:00.1: mlx5e_netdev_init_profile:6235:(pid 6086): mlx5e_priv_init failed, err=-12\n [ 734.559187] mlx5_core 0000:08:00.1 eth3: mlx5e_netdev_change_profile: new profile init failed, -12\n [ 734.560153] workqueue: Failed to create a rescuer kthread for wq \"mlx5e\": -EINTR\n [ 734.589378] mlx5_core 0000:08:00.1: mlx5e_netdev_init_profile:6235:(pid 6086): mlx5e_priv_init failed, err=-12\n [ 734.591136] mlx5_core 0000:08:00.1 eth3: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12\n [ 745.537492] BUG: kernel NULL pointer dereference, address: 0000000000000008\n [ 745.538222] #PF: supervisor read access in kernel mode\n\u003csnipped\u003e\n [ 745.551290] Call Trace:\n [ 745.551590] \u003cTASK\u003e\n [ 745.551866] ? __die+0x20/0x60\n [ 745.552218] ? page_fault_oops+0x150/0x400\n [ 745.555307] ? exc_page_fault+0x79/0x240\n [ 745.555729] ? asm_exc_page_fault+0x22/0x30\n [ 745.556166] ? mlx5e_remove+0x6b/0xb0 [mlx5_core]\n [ 745.556698] auxiliary_bus_remove+0x18/0x30\n [ 745.557134] device_release_driver_internal+0x1df/0x240\n [ 745.557654] bus_remove_device+0xd7/0x140\n [ 745.558075] device_del+0x15b/0x3c0\n [ 745.558456] mlx5_rescan_drivers_locked.part.0+0xb1/0x2f0 [mlx5_core]\n [ 745.559112] mlx5_unregister_device+0x34/0x50 [mlx5_core]\n [ 745.559686] mlx5_uninit_one+0x46/0xf0 [mlx5_core]\n [ 745.560203] remove_one+0x4e/0xd0 [mlx5_core]\n [ 745.560694] pci_device_remove+0x39/0xa0\n [ 745.561112] device_release_driver_internal+0x1df/0x240\n [ 745.561631] driver_detach+0x47/0x90\n [ 745.562022] bus_remove_driver+0x84/0x100\n [ 745.562444] pci_unregister_driver+0x3b/0x90\n [ 745.562890] mlx5_cleanup+0xc/0x1b [mlx5_core]\n [ 745.563415] __x64_sys_delete_module+0x14d/0x2f0\n [ 745.563886] ? kmem_cache_free+0x1b0/0x460\n [ 745.564313] ? lockdep_hardirqs_on_prepare+0xe2/0x190\n [ 745.564825] do_syscall_64+0x6d/0x140\n [ 745.565223] entry_SYSCALL_64_after_hwframe+0x4b/0x53\n [ 745.565725] RIP: 0033:0x7f1579b1288b" } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:34:07.200Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/3955b77494c3c7d14873b1db67e7e00c46a714db" }, { "url": "https://git.kernel.org/stable/c/4dbc1d1a9f39c3711ad2a40addca04d07d9ab5d0" } ], "title": "net/mlx5e: Don\u0027t call cleanup on profile rollback failure", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50146", "datePublished": "2024-11-07T09:31:23.123Z", "dateReserved": "2024-10-21T19:36:19.956Z", "dateUpdated": "2024-12-19T09:34:07.200Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50152
Vulnerability from cvelistv5
Published
2024-11-07 09:31
Modified
2024-12-19 09:34
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix possible double free in smb2_set_ea()
Clang static checker(scan-build) warning:
fs/smb/client/smb2ops.c:1304:2: Attempt to free released memory.
1304 | kfree(ea);
| ^~~~~~~~~
There is a double free in such case:
'ea is initialized to NULL' -> 'first successful memory allocation for
ea' -> 'something failed, goto sea_exit' -> 'first memory release for ea'
-> 'goto replay_again' -> 'second goto sea_exit before allocate memory
for ea' -> 'second memory release for ea resulted in double free'.
Re-initialie 'ea' to NULL near to the replay_again label, it can fix this
double free problem.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/smb/client/smb2ops.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "b1813c220b76f60b1727984794377c4aa849d4c1", "status": "affected", "version": "433042a91f9373241307725b52de573933ffedbf", "versionType": "git" }, { "lessThan": "c9f758ecf2562dfdd4adf12c22921b5de8366123", "status": "affected", "version": "4f1fffa2376922f3d1d506e49c0fd445b023a28e", "versionType": "git" }, { "lessThan": "19ebc1e6cab334a8193398d4152deb76019b5d34", "status": "affected", "version": "4f1fffa2376922f3d1d506e49c0fd445b023a28e", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/smb/client/smb2ops.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.8" }, { "lessThan": "6.8", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.59", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix possible double free in smb2_set_ea()\n\nClang static checker(scan-build) warning\uff1a\nfs/smb/client/smb2ops.c:1304:2: Attempt to free released memory.\n 1304 | kfree(ea);\n | ^~~~~~~~~\n\nThere is a double free in such case:\n\u0027ea is initialized to NULL\u0027 -\u003e \u0027first successful memory allocation for\nea\u0027 -\u003e \u0027something failed, goto sea_exit\u0027 -\u003e \u0027first memory release for ea\u0027\n-\u003e \u0027goto replay_again\u0027 -\u003e \u0027second goto sea_exit before allocate memory\nfor ea\u0027 -\u003e \u0027second memory release for ea resulted in double free\u0027.\n\nRe-initialie \u0027ea\u0027 to NULL near to the replay_again label, it can fix this\ndouble free problem." } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:34:14.052Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/b1813c220b76f60b1727984794377c4aa849d4c1" }, { "url": "https://git.kernel.org/stable/c/c9f758ecf2562dfdd4adf12c22921b5de8366123" }, { "url": "https://git.kernel.org/stable/c/19ebc1e6cab334a8193398d4152deb76019b5d34" } ], "title": "smb: client: fix possible double free in smb2_set_ea()", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50152", "datePublished": "2024-11-07T09:31:28.733Z", "dateReserved": "2024-10-21T19:36:19.959Z", "dateUpdated": "2024-12-19T09:34:14.052Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50154
Vulnerability from cvelistv5
Published
2024-11-07 09:31
Modified
2024-12-19 09:34
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink().
Martin KaFai Lau reported use-after-free [0] in reqsk_timer_handler().
"""
We are seeing a use-after-free from a bpf prog attached to
trace_tcp_retransmit_synack. The program passes the req->sk to the
bpf_sk_storage_get_tracing kernel helper which does check for null
before using it.
"""
The commit 83fccfc3940c ("inet: fix potential deadlock in
reqsk_queue_unlink()") added timer_pending() in reqsk_queue_unlink() not
to call del_timer_sync() from reqsk_timer_handler(), but it introduced a
small race window.
Before the timer is called, expire_timers() calls detach_timer(timer, true)
to clear timer->entry.pprev and marks it as not pending.
If reqsk_queue_unlink() checks timer_pending() just after expire_timers()
calls detach_timer(), TCP will miss del_timer_sync(); the reqsk timer will
continue running and send multiple SYN+ACKs until it expires.
The reported UAF could happen if req->sk is close()d earlier than the timer
expiration, which is 63s by default.
The scenario would be
1. inet_csk_complete_hashdance() calls inet_csk_reqsk_queue_drop(),
but del_timer_sync() is missed
2. reqsk timer is executed and scheduled again
3. req->sk is accept()ed and reqsk_put() decrements rsk_refcnt, but
reqsk timer still has another one, and inet_csk_accept() does not
clear req->sk for non-TFO sockets
4. sk is close()d
5. reqsk timer is executed again, and BPF touches req->sk
Let's not use timer_pending() by passing the caller context to
__inet_csk_reqsk_queue_drop().
Note that reqsk timer is pinned, so the issue does not happen in most
use cases. [1]
[0]
BUG: KFENCE: use-after-free read in bpf_sk_storage_get_tracing+0x2e/0x1b0
Use-after-free read at 0x00000000a891fb3a (in kfence-#1):
bpf_sk_storage_get_tracing+0x2e/0x1b0
bpf_prog_5ea3e95db6da0438_tcp_retransmit_synack+0x1d20/0x1dda
bpf_trace_run2+0x4c/0xc0
tcp_rtx_synack+0xf9/0x100
reqsk_timer_handler+0xda/0x3d0
run_timer_softirq+0x292/0x8a0
irq_exit_rcu+0xf5/0x320
sysvec_apic_timer_interrupt+0x6d/0x80
asm_sysvec_apic_timer_interrupt+0x16/0x20
intel_idle_irq+0x5a/0xa0
cpuidle_enter_state+0x94/0x273
cpu_startup_entry+0x15e/0x260
start_secondary+0x8a/0x90
secondary_startup_64_no_verify+0xfa/0xfb
kfence-#1: 0x00000000a72cc7b6-0x00000000d97616d9, size=2376, cache=TCPv6
allocated by task 0 on cpu 9 at 260507.901592s:
sk_prot_alloc+0x35/0x140
sk_clone_lock+0x1f/0x3f0
inet_csk_clone_lock+0x15/0x160
tcp_create_openreq_child+0x1f/0x410
tcp_v6_syn_recv_sock+0x1da/0x700
tcp_check_req+0x1fb/0x510
tcp_v6_rcv+0x98b/0x1420
ipv6_list_rcv+0x2258/0x26e0
napi_complete_done+0x5b1/0x2990
mlx5e_napi_poll+0x2ae/0x8d0
net_rx_action+0x13e/0x590
irq_exit_rcu+0xf5/0x320
common_interrupt+0x80/0x90
asm_common_interrupt+0x22/0x40
cpuidle_enter_state+0xfb/0x273
cpu_startup_entry+0x15e/0x260
start_secondary+0x8a/0x90
secondary_startup_64_no_verify+0xfa/0xfb
freed by task 0 on cpu 9 at 260507.927527s:
rcu_core_si+0x4ff/0xf10
irq_exit_rcu+0xf5/0x320
sysvec_apic_timer_interrupt+0x6d/0x80
asm_sysvec_apic_timer_interrupt+0x16/0x20
cpuidle_enter_state+0xfb/0x273
cpu_startup_entry+0x15e/0x260
start_secondary+0x8a/0x90
secondary_startup_64_no_verify+0xfa/0xfb
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 83fccfc3940c4a2db90fd7e7079f5b465cd8c6af Version: 83fccfc3940c4a2db90fd7e7079f5b465cd8c6af Version: 83fccfc3940c4a2db90fd7e7079f5b465cd8c6af Version: 83fccfc3940c4a2db90fd7e7079f5b465cd8c6af Version: 83fccfc3940c4a2db90fd7e7079f5b465cd8c6af |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-50154", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-12-11T14:25:48.087506Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-416", "description": "CWE-416 Use After Free", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-12-11T14:58:32.999Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/ipv4/inet_connection_sock.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "8459d61fbf24967839a70235165673148c7c7f17", "status": "affected", "version": "83fccfc3940c4a2db90fd7e7079f5b465cd8c6af", "versionType": "git" }, { "lessThan": "5071beb59ee416e8ab456ac8647a4dabcda823b1", "status": "affected", "version": "83fccfc3940c4a2db90fd7e7079f5b465cd8c6af", "versionType": "git" }, { "lessThan": "997ae8da14f1639ce6fb66a063dab54031cd61b3", "status": "affected", "version": "83fccfc3940c4a2db90fd7e7079f5b465cd8c6af", "versionType": "git" }, { "lessThan": "51e34db64f4e43c7b055ccf881b7f3e0c31bb26d", "status": "affected", "version": "83fccfc3940c4a2db90fd7e7079f5b465cd8c6af", "versionType": "git" }, { "lessThan": "e8c526f2bdf1845bedaf6a478816a3d06fa78b8f", "status": "affected", "version": "83fccfc3940c4a2db90fd7e7079f5b465cd8c6af", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/ipv4/inet_connection_sock.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.2" }, { "lessThan": "4.2", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.170", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.115", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.59", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp/dccp: Don\u0027t use timer_pending() in reqsk_queue_unlink().\n\nMartin KaFai Lau reported use-after-free [0] in reqsk_timer_handler().\n\n \"\"\"\n We are seeing a use-after-free from a bpf prog attached to\n trace_tcp_retransmit_synack. The program passes the req-\u003esk to the\n bpf_sk_storage_get_tracing kernel helper which does check for null\n before using it.\n \"\"\"\n\nThe commit 83fccfc3940c (\"inet: fix potential deadlock in\nreqsk_queue_unlink()\") added timer_pending() in reqsk_queue_unlink() not\nto call del_timer_sync() from reqsk_timer_handler(), but it introduced a\nsmall race window.\n\nBefore the timer is called, expire_timers() calls detach_timer(timer, true)\nto clear timer-\u003eentry.pprev and marks it as not pending.\n\nIf reqsk_queue_unlink() checks timer_pending() just after expire_timers()\ncalls detach_timer(), TCP will miss del_timer_sync(); the reqsk timer will\ncontinue running and send multiple SYN+ACKs until it expires.\n\nThe reported UAF could happen if req-\u003esk is close()d earlier than the timer\nexpiration, which is 63s by default.\n\nThe scenario would be\n\n 1. inet_csk_complete_hashdance() calls inet_csk_reqsk_queue_drop(),\n but del_timer_sync() is missed\n\n 2. reqsk timer is executed and scheduled again\n\n 3. req-\u003esk is accept()ed and reqsk_put() decrements rsk_refcnt, but\n reqsk timer still has another one, and inet_csk_accept() does not\n clear req-\u003esk for non-TFO sockets\n\n 4. sk is close()d\n\n 5. reqsk timer is executed again, and BPF touches req-\u003esk\n\nLet\u0027s not use timer_pending() by passing the caller context to\n__inet_csk_reqsk_queue_drop().\n\nNote that reqsk timer is pinned, so the issue does not happen in most\nuse cases. [1]\n\n[0]\nBUG: KFENCE: use-after-free read in bpf_sk_storage_get_tracing+0x2e/0x1b0\n\nUse-after-free read at 0x00000000a891fb3a (in kfence-#1):\nbpf_sk_storage_get_tracing+0x2e/0x1b0\nbpf_prog_5ea3e95db6da0438_tcp_retransmit_synack+0x1d20/0x1dda\nbpf_trace_run2+0x4c/0xc0\ntcp_rtx_synack+0xf9/0x100\nreqsk_timer_handler+0xda/0x3d0\nrun_timer_softirq+0x292/0x8a0\nirq_exit_rcu+0xf5/0x320\nsysvec_apic_timer_interrupt+0x6d/0x80\nasm_sysvec_apic_timer_interrupt+0x16/0x20\nintel_idle_irq+0x5a/0xa0\ncpuidle_enter_state+0x94/0x273\ncpu_startup_entry+0x15e/0x260\nstart_secondary+0x8a/0x90\nsecondary_startup_64_no_verify+0xfa/0xfb\n\nkfence-#1: 0x00000000a72cc7b6-0x00000000d97616d9, size=2376, cache=TCPv6\n\nallocated by task 0 on cpu 9 at 260507.901592s:\nsk_prot_alloc+0x35/0x140\nsk_clone_lock+0x1f/0x3f0\ninet_csk_clone_lock+0x15/0x160\ntcp_create_openreq_child+0x1f/0x410\ntcp_v6_syn_recv_sock+0x1da/0x700\ntcp_check_req+0x1fb/0x510\ntcp_v6_rcv+0x98b/0x1420\nipv6_list_rcv+0x2258/0x26e0\nnapi_complete_done+0x5b1/0x2990\nmlx5e_napi_poll+0x2ae/0x8d0\nnet_rx_action+0x13e/0x590\nirq_exit_rcu+0xf5/0x320\ncommon_interrupt+0x80/0x90\nasm_common_interrupt+0x22/0x40\ncpuidle_enter_state+0xfb/0x273\ncpu_startup_entry+0x15e/0x260\nstart_secondary+0x8a/0x90\nsecondary_startup_64_no_verify+0xfa/0xfb\n\nfreed by task 0 on cpu 9 at 260507.927527s:\nrcu_core_si+0x4ff/0xf10\nirq_exit_rcu+0xf5/0x320\nsysvec_apic_timer_interrupt+0x6d/0x80\nasm_sysvec_apic_timer_interrupt+0x16/0x20\ncpuidle_enter_state+0xfb/0x273\ncpu_startup_entry+0x15e/0x260\nstart_secondary+0x8a/0x90\nsecondary_startup_64_no_verify+0xfa/0xfb" } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:34:16.350Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/8459d61fbf24967839a70235165673148c7c7f17" }, { "url": "https://git.kernel.org/stable/c/5071beb59ee416e8ab456ac8647a4dabcda823b1" }, { "url": "https://git.kernel.org/stable/c/997ae8da14f1639ce6fb66a063dab54031cd61b3" }, { "url": "https://git.kernel.org/stable/c/51e34db64f4e43c7b055ccf881b7f3e0c31bb26d" }, { "url": "https://git.kernel.org/stable/c/e8c526f2bdf1845bedaf6a478816a3d06fa78b8f" } ], "title": "tcp/dccp: Don\u0027t use timer_pending() in reqsk_queue_unlink().", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50154", "datePublished": "2024-11-07T09:31:30.855Z", "dateReserved": "2024-10-21T19:36:19.960Z", "dateUpdated": "2024-12-19T09:34:16.350Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50139
Vulnerability from cvelistv5
Published
2024-11-07 09:31
Modified
2024-12-19 09:33
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: arm64: Fix shift-out-of-bounds bug
Fix a shift-out-of-bounds bug reported by UBSAN when running
VM with MTE enabled host kernel.
UBSAN: shift-out-of-bounds in arch/arm64/kvm/sys_regs.c:1988:14
shift exponent 33 is too large for 32-bit type 'int'
CPU: 26 UID: 0 PID: 7629 Comm: qemu-kvm Not tainted 6.12.0-rc2 #34
Hardware name: IEI NF5280R7/Mitchell MB, BIOS 00.00. 2024-10-12 09:28:54 10/14/2024
Call trace:
dump_backtrace+0xa0/0x128
show_stack+0x20/0x38
dump_stack_lvl+0x74/0x90
dump_stack+0x18/0x28
__ubsan_handle_shift_out_of_bounds+0xf8/0x1e0
reset_clidr+0x10c/0x1c8
kvm_reset_sys_regs+0x50/0x1c8
kvm_reset_vcpu+0xec/0x2b0
__kvm_vcpu_set_target+0x84/0x158
kvm_vcpu_set_target+0x138/0x168
kvm_arch_vcpu_ioctl_vcpu_init+0x40/0x2b0
kvm_arch_vcpu_ioctl+0x28c/0x4b8
kvm_vcpu_ioctl+0x4bc/0x7a8
__arm64_sys_ioctl+0xb4/0x100
invoke_syscall+0x70/0x100
el0_svc_common.constprop.0+0x48/0xf0
do_el0_svc+0x24/0x38
el0_svc+0x3c/0x158
el0t_64_sync_handler+0x120/0x130
el0t_64_sync+0x194/0x198
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "arch/arm64/kvm/sys_regs.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "04ed2ba07ce73f323052475fbd33d647aca3ff2e", "status": "affected", "version": "7af0c2534f4c57b16e92dfca8c5f40fa90fbb3f3", "versionType": "git" }, { "lessThan": "4b9e11794d910aa55300debbac5f0adcc42c491a", "status": "affected", "version": "7af0c2534f4c57b16e92dfca8c5f40fa90fbb3f3", "versionType": "git" }, { "lessThan": "c6c167afa090ea0451f91814e1318755a8fb8bb9", "status": "affected", "version": "7af0c2534f4c57b16e92dfca8c5f40fa90fbb3f3", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "arch/arm64/kvm/sys_regs.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.3" }, { "lessThan": "6.3", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.59", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Fix shift-out-of-bounds bug\n\nFix a shift-out-of-bounds bug reported by UBSAN when running\nVM with MTE enabled host kernel.\n\nUBSAN: shift-out-of-bounds in arch/arm64/kvm/sys_regs.c:1988:14\nshift exponent 33 is too large for 32-bit type \u0027int\u0027\nCPU: 26 UID: 0 PID: 7629 Comm: qemu-kvm Not tainted 6.12.0-rc2 #34\nHardware name: IEI NF5280R7/Mitchell MB, BIOS 00.00. 2024-10-12 09:28:54 10/14/2024\nCall trace:\n dump_backtrace+0xa0/0x128\n show_stack+0x20/0x38\n dump_stack_lvl+0x74/0x90\n dump_stack+0x18/0x28\n __ubsan_handle_shift_out_of_bounds+0xf8/0x1e0\n reset_clidr+0x10c/0x1c8\n kvm_reset_sys_regs+0x50/0x1c8\n kvm_reset_vcpu+0xec/0x2b0\n __kvm_vcpu_set_target+0x84/0x158\n kvm_vcpu_set_target+0x138/0x168\n kvm_arch_vcpu_ioctl_vcpu_init+0x40/0x2b0\n kvm_arch_vcpu_ioctl+0x28c/0x4b8\n kvm_vcpu_ioctl+0x4bc/0x7a8\n __arm64_sys_ioctl+0xb4/0x100\n invoke_syscall+0x70/0x100\n el0_svc_common.constprop.0+0x48/0xf0\n do_el0_svc+0x24/0x38\n el0_svc+0x3c/0x158\n el0t_64_sync_handler+0x120/0x130\n el0t_64_sync+0x194/0x198" } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:33:59.050Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/04ed2ba07ce73f323052475fbd33d647aca3ff2e" }, { "url": "https://git.kernel.org/stable/c/4b9e11794d910aa55300debbac5f0adcc42c491a" }, { "url": "https://git.kernel.org/stable/c/c6c167afa090ea0451f91814e1318755a8fb8bb9" } ], "title": "KVM: arm64: Fix shift-out-of-bounds bug", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50139", "datePublished": "2024-11-07T09:31:15.925Z", "dateReserved": "2024-10-21T19:36:19.956Z", "dateUpdated": "2024-12-19T09:33:59.050Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50171
Vulnerability from cvelistv5
Published
2024-11-07 09:31
Modified
2024-12-19 09:34
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: systemport: fix potential memory leak in bcm_sysport_xmit()
The bcm_sysport_xmit() returns NETDEV_TX_OK without freeing skb
in case of dma_map_single() fails, add dev_kfree_skb() to fix it.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 80105befdb4b8cea924711b40b2462b87df65b62 Version: 80105befdb4b8cea924711b40b2462b87df65b62 Version: 80105befdb4b8cea924711b40b2462b87df65b62 Version: 80105befdb4b8cea924711b40b2462b87df65b62 Version: 80105befdb4b8cea924711b40b2462b87df65b62 Version: 80105befdb4b8cea924711b40b2462b87df65b62 Version: 80105befdb4b8cea924711b40b2462b87df65b62 Version: 80105befdb4b8cea924711b40b2462b87df65b62 |
||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/broadcom/bcmsysport.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "8e81ce7d0166a2249deb6d5e42f28a8b8c9ea72f", "status": "affected", "version": "80105befdb4b8cea924711b40b2462b87df65b62", "versionType": "git" }, { "lessThan": "31701ef0c4547973991ff63596c927f841dfd133", "status": "affected", "version": "80105befdb4b8cea924711b40b2462b87df65b62", "versionType": "git" }, { "lessThan": "b6321146773dcbbc372a54dbada67e0b50e0a25c", "status": "affected", "version": "80105befdb4b8cea924711b40b2462b87df65b62", "versionType": "git" }, { "lessThan": "5febfc545389805ce83d37f9f4317055b26dd7d7", "status": "affected", "version": "80105befdb4b8cea924711b40b2462b87df65b62", "versionType": "git" }, { "lessThan": "533d2f30aef272dade17870a509521c3afc38a03", "status": "affected", "version": "80105befdb4b8cea924711b40b2462b87df65b62", "versionType": "git" }, { "lessThan": "4b70478b984af3c9d0279c121df5ff94e2533dbd", "status": "affected", "version": "80105befdb4b8cea924711b40b2462b87df65b62", "versionType": "git" }, { "lessThan": "7d5030a819c3589cf9948b1eee397b626ec590f5", "status": "affected", "version": "80105befdb4b8cea924711b40b2462b87df65b62", "versionType": "git" }, { "lessThan": "c401ed1c709948e57945485088413e1bb5e94bd1", "status": "affected", "version": "80105befdb4b8cea924711b40b2462b87df65b62", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/broadcom/bcmsysport.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "3.16" }, { "lessThan": "3.16", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.323", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.285", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.229", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.170", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.115", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.59", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: systemport: fix potential memory leak in bcm_sysport_xmit()\n\nThe bcm_sysport_xmit() returns NETDEV_TX_OK without freeing skb\nin case of dma_map_single() fails, add dev_kfree_skb() to fix it." } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:34:35.687Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/8e81ce7d0166a2249deb6d5e42f28a8b8c9ea72f" }, { "url": "https://git.kernel.org/stable/c/31701ef0c4547973991ff63596c927f841dfd133" }, { "url": "https://git.kernel.org/stable/c/b6321146773dcbbc372a54dbada67e0b50e0a25c" }, { "url": "https://git.kernel.org/stable/c/5febfc545389805ce83d37f9f4317055b26dd7d7" }, { "url": "https://git.kernel.org/stable/c/533d2f30aef272dade17870a509521c3afc38a03" }, { "url": "https://git.kernel.org/stable/c/4b70478b984af3c9d0279c121df5ff94e2533dbd" }, { "url": "https://git.kernel.org/stable/c/7d5030a819c3589cf9948b1eee397b626ec590f5" }, { "url": "https://git.kernel.org/stable/c/c401ed1c709948e57945485088413e1bb5e94bd1" } ], "title": "net: systemport: fix potential memory leak in bcm_sysport_xmit()", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50171", "datePublished": "2024-11-07T09:31:47.585Z", "dateReserved": "2024-10-21T19:36:19.963Z", "dateUpdated": "2024-12-19T09:34:35.687Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50153
Vulnerability from cvelistv5
Published
2024-11-07 09:31
Modified
2024-12-19 09:34
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: target: core: Fix null-ptr-deref in target_alloc_device()
There is a null-ptr-deref issue reported by KASAN:
BUG: KASAN: null-ptr-deref in target_alloc_device+0xbc4/0xbe0 [target_core_mod]
...
kasan_report+0xb9/0xf0
target_alloc_device+0xbc4/0xbe0 [target_core_mod]
core_dev_setup_virtual_lun0+0xef/0x1f0 [target_core_mod]
target_core_init_configfs+0x205/0x420 [target_core_mod]
do_one_initcall+0xdd/0x4e0
...
entry_SYSCALL_64_after_hwframe+0x76/0x7e
In target_alloc_device(), if allocing memory for dev queues fails, then
dev will be freed by dev->transport->free_device(), but dev->transport
is not initialized at that time, which will lead to a null pointer
reference problem.
Fixing this bug by freeing dev with hba->backend->ops->free_device().
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 008b936bbde3e87a611b3828a0d5d2a4f99026a0 Version: 1526d9f10c6184031e42afad0adbdde1213e8ad1 Version: 1526d9f10c6184031e42afad0adbdde1213e8ad1 Version: 1526d9f10c6184031e42afad0adbdde1213e8ad1 Version: 1526d9f10c6184031e42afad0adbdde1213e8ad1 Version: 1526d9f10c6184031e42afad0adbdde1213e8ad1 |
||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/target/target_core_device.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "8c1e6717f60d31f8af3937c23c4f1498529584e1", "status": "affected", "version": "008b936bbde3e87a611b3828a0d5d2a4f99026a0", "versionType": "git" }, { "lessThan": "39e02fa90323243187c91bb3e8f2f5f6a9aacfc7", "status": "affected", "version": "1526d9f10c6184031e42afad0adbdde1213e8ad1", "versionType": "git" }, { "lessThan": "895ab729425ef9bf3b6d2f8d0853abe64896f314", "status": "affected", "version": "1526d9f10c6184031e42afad0adbdde1213e8ad1", "versionType": "git" }, { "lessThan": "b80e9bc85bd9af378e7eac83e15dd129557bbdb6", "status": "affected", "version": "1526d9f10c6184031e42afad0adbdde1213e8ad1", "versionType": "git" }, { "lessThan": "14a6a2adb440e4ae97bee73b2360946bd033dadd", "status": "affected", "version": "1526d9f10c6184031e42afad0adbdde1213e8ad1", "versionType": "git" }, { "lessThan": "fca6caeb4a61d240f031914413fcc69534f6dc03", "status": "affected", "version": "1526d9f10c6184031e42afad0adbdde1213e8ad1", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/target/target_core_device.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.11" }, { "lessThan": "5.11", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.229", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.170", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.115", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.59", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: core: Fix null-ptr-deref in target_alloc_device()\n\nThere is a null-ptr-deref issue reported by KASAN:\n\nBUG: KASAN: null-ptr-deref in target_alloc_device+0xbc4/0xbe0 [target_core_mod]\n...\n kasan_report+0xb9/0xf0\n target_alloc_device+0xbc4/0xbe0 [target_core_mod]\n core_dev_setup_virtual_lun0+0xef/0x1f0 [target_core_mod]\n target_core_init_configfs+0x205/0x420 [target_core_mod]\n do_one_initcall+0xdd/0x4e0\n...\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nIn target_alloc_device(), if allocing memory for dev queues fails, then\ndev will be freed by dev-\u003etransport-\u003efree_device(), but dev-\u003etransport\nis not initialized at that time, which will lead to a null pointer\nreference problem.\n\nFixing this bug by freeing dev with hba-\u003ebackend-\u003eops-\u003efree_device()." } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:34:15.225Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/8c1e6717f60d31f8af3937c23c4f1498529584e1" }, { "url": "https://git.kernel.org/stable/c/39e02fa90323243187c91bb3e8f2f5f6a9aacfc7" }, { "url": "https://git.kernel.org/stable/c/895ab729425ef9bf3b6d2f8d0853abe64896f314" }, { "url": "https://git.kernel.org/stable/c/b80e9bc85bd9af378e7eac83e15dd129557bbdb6" }, { "url": "https://git.kernel.org/stable/c/14a6a2adb440e4ae97bee73b2360946bd033dadd" }, { "url": "https://git.kernel.org/stable/c/fca6caeb4a61d240f031914413fcc69534f6dc03" } ], "title": "scsi: target: core: Fix null-ptr-deref in target_alloc_device()", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50153", "datePublished": "2024-11-07T09:31:29.791Z", "dateReserved": "2024-10-21T19:36:19.960Z", "dateUpdated": "2024-12-19T09:34:15.225Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50170
Vulnerability from cvelistv5
Published
2024-11-07 09:31
Modified
2024-12-19 09:34
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: bcmasp: fix potential memory leak in bcmasp_xmit()
The bcmasp_xmit() returns NETDEV_TX_OK without freeing skb
in case of mapping fails, add dev_kfree_skb() to fix it.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "7218de0778aefbbbcfe474a55f88bbf6f244627d", "status": "affected", "version": "490cb412007de593e07c1d3e2b1ec4233886707c", "versionType": "git" }, { "lessThan": "f689f20d3e09f2d4d0a2c575a9859115a33e68bd", "status": "affected", "version": "490cb412007de593e07c1d3e2b1ec4233886707c", "versionType": "git" }, { "lessThan": "fed07d3eb8a8d9fcc0e455175a89bc6445d6faed", "status": "affected", "version": "490cb412007de593e07c1d3e2b1ec4233886707c", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.6" }, { "lessThan": "6.6", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.59", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bcmasp: fix potential memory leak in bcmasp_xmit()\n\nThe bcmasp_xmit() returns NETDEV_TX_OK without freeing skb\nin case of mapping fails, add dev_kfree_skb() to fix it." } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:34:34.550Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/7218de0778aefbbbcfe474a55f88bbf6f244627d" }, { "url": "https://git.kernel.org/stable/c/f689f20d3e09f2d4d0a2c575a9859115a33e68bd" }, { "url": "https://git.kernel.org/stable/c/fed07d3eb8a8d9fcc0e455175a89bc6445d6faed" } ], "title": "net: bcmasp: fix potential memory leak in bcmasp_xmit()", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50170", "datePublished": "2024-11-07T09:31:46.722Z", "dateReserved": "2024-10-21T19:36:19.963Z", "dateUpdated": "2024-12-19T09:34:34.550Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50151
Vulnerability from cvelistv5
Published
2024-11-07 09:31
Modified
2024-12-19 09:34
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix OOBs when building SMB2_IOCTL request
When using encryption, either enforced by the server or when using
'seal' mount option, the client will squash all compound request buffers
down for encryption into a single iov in smb2_set_next_command().
SMB2_ioctl_init() allocates a small buffer (448 bytes) to hold the
SMB2_IOCTL request in the first iov, and if the user passes an input
buffer that is greater than 328 bytes, smb2_set_next_command() will
end up writing off the end of @rqst->iov[0].iov_base as shown below:
mount.cifs //srv/share /mnt -o ...,seal
ln -s $(perl -e "print('a')for 1..1024") /mnt/link
BUG: KASAN: slab-out-of-bounds in
smb2_set_next_command.cold+0x1d6/0x24c [cifs]
Write of size 4116 at addr ffff8881148fcab8 by task ln/859
CPU: 1 UID: 0 PID: 859 Comm: ln Not tainted 6.12.0-rc3 #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
1.16.3-2.fc40 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x5d/0x80
? smb2_set_next_command.cold+0x1d6/0x24c [cifs]
print_report+0x156/0x4d9
? smb2_set_next_command.cold+0x1d6/0x24c [cifs]
? __virt_addr_valid+0x145/0x310
? __phys_addr+0x46/0x90
? smb2_set_next_command.cold+0x1d6/0x24c [cifs]
kasan_report+0xda/0x110
? smb2_set_next_command.cold+0x1d6/0x24c [cifs]
kasan_check_range+0x10f/0x1f0
__asan_memcpy+0x3c/0x60
smb2_set_next_command.cold+0x1d6/0x24c [cifs]
smb2_compound_op+0x238c/0x3840 [cifs]
? kasan_save_track+0x14/0x30
? kasan_save_free_info+0x3b/0x70
? vfs_symlink+0x1a1/0x2c0
? do_symlinkat+0x108/0x1c0
? __pfx_smb2_compound_op+0x10/0x10 [cifs]
? kmem_cache_free+0x118/0x3e0
? cifs_get_writable_path+0xeb/0x1a0 [cifs]
smb2_get_reparse_inode+0x423/0x540 [cifs]
? __pfx_smb2_get_reparse_inode+0x10/0x10 [cifs]
? rcu_is_watching+0x20/0x50
? __kmalloc_noprof+0x37c/0x480
? smb2_create_reparse_symlink+0x257/0x490 [cifs]
? smb2_create_reparse_symlink+0x38f/0x490 [cifs]
smb2_create_reparse_symlink+0x38f/0x490 [cifs]
? __pfx_smb2_create_reparse_symlink+0x10/0x10 [cifs]
? find_held_lock+0x8a/0xa0
? hlock_class+0x32/0xb0
? __build_path_from_dentry_optional_prefix+0x19d/0x2e0 [cifs]
cifs_symlink+0x24f/0x960 [cifs]
? __pfx_make_vfsuid+0x10/0x10
? __pfx_cifs_symlink+0x10/0x10 [cifs]
? make_vfsgid+0x6b/0xc0
? generic_permission+0x96/0x2d0
vfs_symlink+0x1a1/0x2c0
do_symlinkat+0x108/0x1c0
? __pfx_do_symlinkat+0x10/0x10
? strncpy_from_user+0xaa/0x160
__x64_sys_symlinkat+0xb9/0xf0
do_syscall_64+0xbb/0x1d0
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f08d75c13bb
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: e77fe73c7e38c36145825d84cfe385d400aba4fd Version: e77fe73c7e38c36145825d84cfe385d400aba4fd Version: e77fe73c7e38c36145825d84cfe385d400aba4fd Version: e77fe73c7e38c36145825d84cfe385d400aba4fd Version: e77fe73c7e38c36145825d84cfe385d400aba4fd Version: e77fe73c7e38c36145825d84cfe385d400aba4fd Version: e77fe73c7e38c36145825d84cfe385d400aba4fd |
||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/smb/client/smb2pdu.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "6f0516ef1290da24b85461ed08a0938af7415e49", "status": "affected", "version": "e77fe73c7e38c36145825d84cfe385d400aba4fd", "versionType": "git" }, { "lessThan": "ed31aba8ce93472d9e16f5cff844ae7c94e9601d", "status": "affected", "version": "e77fe73c7e38c36145825d84cfe385d400aba4fd", "versionType": "git" }, { "lessThan": "e07d05b7f5ad9a503d9cab0afde2ab867bb65470", "status": "affected", "version": "e77fe73c7e38c36145825d84cfe385d400aba4fd", "versionType": "git" }, { "lessThan": "2ef632bfb888d1a14f81c1703817951e0bec5531", "status": "affected", "version": "e77fe73c7e38c36145825d84cfe385d400aba4fd", "versionType": "git" }, { "lessThan": "b209c3a0bc3ac172265c7fa8309e5d00654f2510", "status": "affected", "version": "e77fe73c7e38c36145825d84cfe385d400aba4fd", "versionType": "git" }, { "lessThan": "fe92ddc1c32d4474e605e3a31a4afcd0e7d765ec", "status": "affected", "version": "e77fe73c7e38c36145825d84cfe385d400aba4fd", "versionType": "git" }, { "lessThan": "1ab60323c5201bef25f2a3dc0ccc404d9aca77f1", "status": "affected", "version": "e77fe73c7e38c36145825d84cfe385d400aba4fd", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/smb/client/smb2pdu.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.0" }, { "lessThan": "5.0", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.285", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.229", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.170", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.115", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.59", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix OOBs when building SMB2_IOCTL request\n\nWhen using encryption, either enforced by the server or when using\n\u0027seal\u0027 mount option, the client will squash all compound request buffers\ndown for encryption into a single iov in smb2_set_next_command().\n\nSMB2_ioctl_init() allocates a small buffer (448 bytes) to hold the\nSMB2_IOCTL request in the first iov, and if the user passes an input\nbuffer that is greater than 328 bytes, smb2_set_next_command() will\nend up writing off the end of @rqst-\u003eiov[0].iov_base as shown below:\n\n mount.cifs //srv/share /mnt -o ...,seal\n ln -s $(perl -e \"print(\u0027a\u0027)for 1..1024\") /mnt/link\n\n BUG: KASAN: slab-out-of-bounds in\n smb2_set_next_command.cold+0x1d6/0x24c [cifs]\n Write of size 4116 at addr ffff8881148fcab8 by task ln/859\n\n CPU: 1 UID: 0 PID: 859 Comm: ln Not tainted 6.12.0-rc3 #1\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS\n 1.16.3-2.fc40 04/01/2014\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x5d/0x80\n ? smb2_set_next_command.cold+0x1d6/0x24c [cifs]\n print_report+0x156/0x4d9\n ? smb2_set_next_command.cold+0x1d6/0x24c [cifs]\n ? __virt_addr_valid+0x145/0x310\n ? __phys_addr+0x46/0x90\n ? smb2_set_next_command.cold+0x1d6/0x24c [cifs]\n kasan_report+0xda/0x110\n ? smb2_set_next_command.cold+0x1d6/0x24c [cifs]\n kasan_check_range+0x10f/0x1f0\n __asan_memcpy+0x3c/0x60\n smb2_set_next_command.cold+0x1d6/0x24c [cifs]\n smb2_compound_op+0x238c/0x3840 [cifs]\n ? kasan_save_track+0x14/0x30\n ? kasan_save_free_info+0x3b/0x70\n ? vfs_symlink+0x1a1/0x2c0\n ? do_symlinkat+0x108/0x1c0\n ? __pfx_smb2_compound_op+0x10/0x10 [cifs]\n ? kmem_cache_free+0x118/0x3e0\n ? cifs_get_writable_path+0xeb/0x1a0 [cifs]\n smb2_get_reparse_inode+0x423/0x540 [cifs]\n ? __pfx_smb2_get_reparse_inode+0x10/0x10 [cifs]\n ? rcu_is_watching+0x20/0x50\n ? __kmalloc_noprof+0x37c/0x480\n ? smb2_create_reparse_symlink+0x257/0x490 [cifs]\n ? smb2_create_reparse_symlink+0x38f/0x490 [cifs]\n smb2_create_reparse_symlink+0x38f/0x490 [cifs]\n ? __pfx_smb2_create_reparse_symlink+0x10/0x10 [cifs]\n ? find_held_lock+0x8a/0xa0\n ? hlock_class+0x32/0xb0\n ? __build_path_from_dentry_optional_prefix+0x19d/0x2e0 [cifs]\n cifs_symlink+0x24f/0x960 [cifs]\n ? __pfx_make_vfsuid+0x10/0x10\n ? __pfx_cifs_symlink+0x10/0x10 [cifs]\n ? make_vfsgid+0x6b/0xc0\n ? generic_permission+0x96/0x2d0\n vfs_symlink+0x1a1/0x2c0\n do_symlinkat+0x108/0x1c0\n ? __pfx_do_symlinkat+0x10/0x10\n ? strncpy_from_user+0xaa/0x160\n __x64_sys_symlinkat+0xb9/0xf0\n do_syscall_64+0xbb/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n RIP: 0033:0x7f08d75c13bb" } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:34:12.931Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/6f0516ef1290da24b85461ed08a0938af7415e49" }, { "url": "https://git.kernel.org/stable/c/ed31aba8ce93472d9e16f5cff844ae7c94e9601d" }, { "url": "https://git.kernel.org/stable/c/e07d05b7f5ad9a503d9cab0afde2ab867bb65470" }, { "url": "https://git.kernel.org/stable/c/2ef632bfb888d1a14f81c1703817951e0bec5531" }, { "url": "https://git.kernel.org/stable/c/b209c3a0bc3ac172265c7fa8309e5d00654f2510" }, { "url": "https://git.kernel.org/stable/c/fe92ddc1c32d4474e605e3a31a4afcd0e7d765ec" }, { "url": "https://git.kernel.org/stable/c/1ab60323c5201bef25f2a3dc0ccc404d9aca77f1" } ], "title": "smb: client: fix OOBs when building SMB2_IOCTL request", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50151", "datePublished": "2024-11-07T09:31:27.672Z", "dateReserved": "2024-10-21T19:36:19.959Z", "dateUpdated": "2024-12-19T09:34:12.931Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50149
Vulnerability from cvelistv5
Published
2024-11-07 09:31
Modified
2024-12-19 09:34
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/xe: Don't free job in TDR
Freeing job in TDR is not safe as TDR can pass the run_job thread
resulting in UAF. It is only safe for free job to naturally be called by
the scheduler. Rather free job in TDR, add to pending list.
(cherry picked from commit ea2f6a77d0c40d97f4a4dc93fee4afe15d94926d)
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-50149", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-12-11T14:25:51.665392Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-416", "description": "CWE-416 Use After Free", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-12-11T14:58:33.233Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/xe/xe_guc_submit.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "be8fe75e57f8fa3f87e3b1c283cc7cd9f9b80867", "status": "affected", "version": "e275d61c5f3ffc250b2a9601d36fbd11b4db774b", "versionType": "git" }, { "lessThan": "82926f52d7a09c65d916c0ef8d4305fc95d68c0c", "status": "affected", "version": "e275d61c5f3ffc250b2a9601d36fbd11b4db774b", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/xe/xe_guc_submit.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.10" }, { "lessThan": "6.10", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Don\u0027t free job in TDR\n\nFreeing job in TDR is not safe as TDR can pass the run_job thread\nresulting in UAF. It is only safe for free job to naturally be called by\nthe scheduler. Rather free job in TDR, add to pending list.\n\n(cherry picked from commit ea2f6a77d0c40d97f4a4dc93fee4afe15d94926d)" } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:34:10.591Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/be8fe75e57f8fa3f87e3b1c283cc7cd9f9b80867" }, { "url": "https://git.kernel.org/stable/c/82926f52d7a09c65d916c0ef8d4305fc95d68c0c" } ], "title": "drm/xe: Don\u0027t free job in TDR", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50149", "datePublished": "2024-11-07T09:31:25.885Z", "dateReserved": "2024-10-21T19:36:19.959Z", "dateUpdated": "2024-12-19T09:34:10.591Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50150
Vulnerability from cvelistv5
Published
2024-11-07 09:31
Modified
2024-12-19 09:34
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: typec: altmode should keep reference to parent
The altmode device release refers to its parent device, but without keeping
a reference to it.
When registering the altmode, get a reference to the parent and put it in
the release function.
Before this fix, when using CONFIG_DEBUG_KOBJECT_RELEASE, we see issues
like this:
[ 43.572860] kobject: 'port0.0' (ffff8880057ba008): kobject_release, parent 0000000000000000 (delayed 3000)
[ 43.573532] kobject: 'port0.1' (ffff8880057bd008): kobject_release, parent 0000000000000000 (delayed 1000)
[ 43.574407] kobject: 'port0' (ffff8880057b9008): kobject_release, parent 0000000000000000 (delayed 3000)
[ 43.575059] kobject: 'port1.0' (ffff8880057ca008): kobject_release, parent 0000000000000000 (delayed 4000)
[ 43.575908] kobject: 'port1.1' (ffff8880057c9008): kobject_release, parent 0000000000000000 (delayed 4000)
[ 43.576908] kobject: 'typec' (ffff8880062dbc00): kobject_release, parent 0000000000000000 (delayed 4000)
[ 43.577769] kobject: 'port1' (ffff8880057bf008): kobject_release, parent 0000000000000000 (delayed 3000)
[ 46.612867] ==================================================================
[ 46.613402] BUG: KASAN: slab-use-after-free in typec_altmode_release+0x38/0x129
[ 46.614003] Read of size 8 at addr ffff8880057b9118 by task kworker/2:1/48
[ 46.614538]
[ 46.614668] CPU: 2 UID: 0 PID: 48 Comm: kworker/2:1 Not tainted 6.12.0-rc1-00138-gedbae730ad31 #535
[ 46.615391] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
[ 46.616042] Workqueue: events kobject_delayed_cleanup
[ 46.616446] Call Trace:
[ 46.616648] <TASK>
[ 46.616820] dump_stack_lvl+0x5b/0x7c
[ 46.617112] ? typec_altmode_release+0x38/0x129
[ 46.617470] print_report+0x14c/0x49e
[ 46.617769] ? rcu_read_unlock_sched+0x56/0x69
[ 46.618117] ? __virt_addr_valid+0x19a/0x1ab
[ 46.618456] ? kmem_cache_debug_flags+0xc/0x1d
[ 46.618807] ? typec_altmode_release+0x38/0x129
[ 46.619161] kasan_report+0x8d/0xb4
[ 46.619447] ? typec_altmode_release+0x38/0x129
[ 46.619809] ? process_scheduled_works+0x3cb/0x85f
[ 46.620185] typec_altmode_release+0x38/0x129
[ 46.620537] ? process_scheduled_works+0x3cb/0x85f
[ 46.620907] device_release+0xaf/0xf2
[ 46.621206] kobject_delayed_cleanup+0x13b/0x17a
[ 46.621584] process_scheduled_works+0x4f6/0x85f
[ 46.621955] ? __pfx_process_scheduled_works+0x10/0x10
[ 46.622353] ? hlock_class+0x31/0x9a
[ 46.622647] ? lock_acquired+0x361/0x3c3
[ 46.622956] ? move_linked_works+0x46/0x7d
[ 46.623277] worker_thread+0x1ce/0x291
[ 46.623582] ? __kthread_parkme+0xc8/0xdf
[ 46.623900] ? __pfx_worker_thread+0x10/0x10
[ 46.624236] kthread+0x17e/0x190
[ 46.624501] ? kthread+0xfb/0x190
[ 46.624756] ? __pfx_kthread+0x10/0x10
[ 46.625015] ret_from_fork+0x20/0x40
[ 46.625268] ? __pfx_kthread+0x10/0x10
[ 46.625532] ret_from_fork_asm+0x1a/0x30
[ 46.625805] </TASK>
[ 46.625953]
[ 46.626056] Allocated by task 678:
[ 46.626287] kasan_save_stack+0x24/0x44
[ 46.626555] kasan_save_track+0x14/0x2d
[ 46.626811] __kasan_kmalloc+0x3f/0x4d
[ 46.627049] __kmalloc_noprof+0x1bf/0x1f0
[ 46.627362] typec_register_port+0x23/0x491
[ 46.627698] cros_typec_probe+0x634/0xbb6
[ 46.628026] platform_probe+0x47/0x8c
[ 46.628311] really_probe+0x20a/0x47d
[ 46.628605] device_driver_attach+0x39/0x72
[ 46.628940] bind_store+0x87/0xd7
[ 46.629213] kernfs_fop_write_iter+0x1aa/0x218
[ 46.629574] vfs_write+0x1d6/0x29b
[ 46.629856] ksys_write+0xcd/0x13b
[ 46.630128] do_syscall_64+0xd4/0x139
[ 46.630420] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 46.630820]
[ 46.630946] Freed by task 48:
[ 46.631182] kasan_save_stack+0x24/0x44
[ 46.631493] kasan_save_track+0x14/0x2d
[ 46.631799] kasan_save_free_info+0x3f/0x4d
[ 46.632144] __kasan_slab_free+0x37/0x45
[ 46.632474]
---truncated---
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 8a37d87d72f0c69f837229c04d2fcd7117ea57e7 Version: 8a37d87d72f0c69f837229c04d2fcd7117ea57e7 Version: 8a37d87d72f0c69f837229c04d2fcd7117ea57e7 Version: 8a37d87d72f0c69f837229c04d2fcd7117ea57e7 Version: 8a37d87d72f0c69f837229c04d2fcd7117ea57e7 Version: 8a37d87d72f0c69f837229c04d2fcd7117ea57e7 Version: 8a37d87d72f0c69f837229c04d2fcd7117ea57e7 Version: 8a37d87d72f0c69f837229c04d2fcd7117ea57e7 |
||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/usb/typec/class.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "2b0b33e8a58388fa9078f0fbe9af1900e6b08879", "status": "affected", "version": "8a37d87d72f0c69f837229c04d2fcd7117ea57e7", "versionType": "git" }, { "lessThan": "2c15c4133d00f5da632fce60ed013fc31aa9aa58", "status": "affected", "version": "8a37d87d72f0c69f837229c04d2fcd7117ea57e7", "versionType": "git" }, { "lessThan": "6af43ec3bf40f8b428d9134ffa7a291aecd60da8", "status": "affected", "version": "8a37d87d72f0c69f837229c04d2fcd7117ea57e7", "versionType": "git" }, { "lessThan": "87474406056891e4fdea0794e1f632b21b3dfa27", "status": "affected", "version": "8a37d87d72f0c69f837229c04d2fcd7117ea57e7", "versionType": "git" }, { "lessThan": "bee1b68cb8bcee4fd3a8bde3a4886e0b1375dc4d", "status": "affected", "version": "8a37d87d72f0c69f837229c04d2fcd7117ea57e7", "versionType": "git" }, { "lessThan": "1ded6b12499e6dee9b0e1ceac633be36538f6fc2", "status": "affected", "version": "8a37d87d72f0c69f837229c04d2fcd7117ea57e7", "versionType": "git" }, { "lessThan": "68a7c7fe322546be1464174c8d85874b8161deda", "status": "affected", "version": "8a37d87d72f0c69f837229c04d2fcd7117ea57e7", "versionType": "git" }, { "lessThan": "befab3a278c59db0cc88c8799638064f6d3fd6f8", "status": "affected", "version": "8a37d87d72f0c69f837229c04d2fcd7117ea57e7", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/usb/typec/class.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.19" }, { "lessThan": "4.19", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.323", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.285", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.229", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.170", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.115", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.59", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: altmode should keep reference to parent\n\nThe altmode device release refers to its parent device, but without keeping\na reference to it.\n\nWhen registering the altmode, get a reference to the parent and put it in\nthe release function.\n\nBefore this fix, when using CONFIG_DEBUG_KOBJECT_RELEASE, we see issues\nlike this:\n\n[ 43.572860] kobject: \u0027port0.0\u0027 (ffff8880057ba008): kobject_release, parent 0000000000000000 (delayed 3000)\n[ 43.573532] kobject: \u0027port0.1\u0027 (ffff8880057bd008): kobject_release, parent 0000000000000000 (delayed 1000)\n[ 43.574407] kobject: \u0027port0\u0027 (ffff8880057b9008): kobject_release, parent 0000000000000000 (delayed 3000)\n[ 43.575059] kobject: \u0027port1.0\u0027 (ffff8880057ca008): kobject_release, parent 0000000000000000 (delayed 4000)\n[ 43.575908] kobject: \u0027port1.1\u0027 (ffff8880057c9008): kobject_release, parent 0000000000000000 (delayed 4000)\n[ 43.576908] kobject: \u0027typec\u0027 (ffff8880062dbc00): kobject_release, parent 0000000000000000 (delayed 4000)\n[ 43.577769] kobject: \u0027port1\u0027 (ffff8880057bf008): kobject_release, parent 0000000000000000 (delayed 3000)\n[ 46.612867] ==================================================================\n[ 46.613402] BUG: KASAN: slab-use-after-free in typec_altmode_release+0x38/0x129\n[ 46.614003] Read of size 8 at addr ffff8880057b9118 by task kworker/2:1/48\n[ 46.614538]\n[ 46.614668] CPU: 2 UID: 0 PID: 48 Comm: kworker/2:1 Not tainted 6.12.0-rc1-00138-gedbae730ad31 #535\n[ 46.615391] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014\n[ 46.616042] Workqueue: events kobject_delayed_cleanup\n[ 46.616446] Call Trace:\n[ 46.616648] \u003cTASK\u003e\n[ 46.616820] dump_stack_lvl+0x5b/0x7c\n[ 46.617112] ? typec_altmode_release+0x38/0x129\n[ 46.617470] print_report+0x14c/0x49e\n[ 46.617769] ? rcu_read_unlock_sched+0x56/0x69\n[ 46.618117] ? __virt_addr_valid+0x19a/0x1ab\n[ 46.618456] ? kmem_cache_debug_flags+0xc/0x1d\n[ 46.618807] ? typec_altmode_release+0x38/0x129\n[ 46.619161] kasan_report+0x8d/0xb4\n[ 46.619447] ? typec_altmode_release+0x38/0x129\n[ 46.619809] ? process_scheduled_works+0x3cb/0x85f\n[ 46.620185] typec_altmode_release+0x38/0x129\n[ 46.620537] ? process_scheduled_works+0x3cb/0x85f\n[ 46.620907] device_release+0xaf/0xf2\n[ 46.621206] kobject_delayed_cleanup+0x13b/0x17a\n[ 46.621584] process_scheduled_works+0x4f6/0x85f\n[ 46.621955] ? __pfx_process_scheduled_works+0x10/0x10\n[ 46.622353] ? hlock_class+0x31/0x9a\n[ 46.622647] ? lock_acquired+0x361/0x3c3\n[ 46.622956] ? move_linked_works+0x46/0x7d\n[ 46.623277] worker_thread+0x1ce/0x291\n[ 46.623582] ? __kthread_parkme+0xc8/0xdf\n[ 46.623900] ? __pfx_worker_thread+0x10/0x10\n[ 46.624236] kthread+0x17e/0x190\n[ 46.624501] ? kthread+0xfb/0x190\n[ 46.624756] ? __pfx_kthread+0x10/0x10\n[ 46.625015] ret_from_fork+0x20/0x40\n[ 46.625268] ? __pfx_kthread+0x10/0x10\n[ 46.625532] ret_from_fork_asm+0x1a/0x30\n[ 46.625805] \u003c/TASK\u003e\n[ 46.625953]\n[ 46.626056] Allocated by task 678:\n[ 46.626287] kasan_save_stack+0x24/0x44\n[ 46.626555] kasan_save_track+0x14/0x2d\n[ 46.626811] __kasan_kmalloc+0x3f/0x4d\n[ 46.627049] __kmalloc_noprof+0x1bf/0x1f0\n[ 46.627362] typec_register_port+0x23/0x491\n[ 46.627698] cros_typec_probe+0x634/0xbb6\n[ 46.628026] platform_probe+0x47/0x8c\n[ 46.628311] really_probe+0x20a/0x47d\n[ 46.628605] device_driver_attach+0x39/0x72\n[ 46.628940] bind_store+0x87/0xd7\n[ 46.629213] kernfs_fop_write_iter+0x1aa/0x218\n[ 46.629574] vfs_write+0x1d6/0x29b\n[ 46.629856] ksys_write+0xcd/0x13b\n[ 46.630128] do_syscall_64+0xd4/0x139\n[ 46.630420] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[ 46.630820]\n[ 46.630946] Freed by task 48:\n[ 46.631182] kasan_save_stack+0x24/0x44\n[ 46.631493] kasan_save_track+0x14/0x2d\n[ 46.631799] kasan_save_free_info+0x3f/0x4d\n[ 46.632144] __kasan_slab_free+0x37/0x45\n[ 46.632474]\n---truncated---" } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:34:11.774Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/2b0b33e8a58388fa9078f0fbe9af1900e6b08879" }, { "url": "https://git.kernel.org/stable/c/2c15c4133d00f5da632fce60ed013fc31aa9aa58" }, { "url": "https://git.kernel.org/stable/c/6af43ec3bf40f8b428d9134ffa7a291aecd60da8" }, { "url": "https://git.kernel.org/stable/c/87474406056891e4fdea0794e1f632b21b3dfa27" }, { "url": "https://git.kernel.org/stable/c/bee1b68cb8bcee4fd3a8bde3a4886e0b1375dc4d" }, { "url": "https://git.kernel.org/stable/c/1ded6b12499e6dee9b0e1ceac633be36538f6fc2" }, { "url": "https://git.kernel.org/stable/c/68a7c7fe322546be1464174c8d85874b8161deda" }, { "url": "https://git.kernel.org/stable/c/befab3a278c59db0cc88c8799638064f6d3fd6f8" } ], "title": "usb: typec: altmode should keep reference to parent", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50150", "datePublished": "2024-11-07T09:31:26.782Z", "dateReserved": "2024-10-21T19:36:19.959Z", "dateUpdated": "2024-12-19T09:34:11.774Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50143
Vulnerability from cvelistv5
Published
2024-11-07 09:31
Modified
2024-12-19 09:34
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
udf: fix uninit-value use in udf_get_fileshortad
Check for overflow when computing alen in udf_current_aext to mitigate
later uninit-value use in udf_get_fileshortad KMSAN bug[1].
After applying the patch reproducer did not trigger any issue[2].
[1] https://syzkaller.appspot.com/bug?extid=8901c4560b7ab5c2f9df
[2] https://syzkaller.appspot.com/x/log.txt?x=10242227980000
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/udf/inode.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "5eb76fb98b3335aa5cca6a7db2e659561c79c32b", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "417bd613bdbe791549f7687bb1b9b8012ff111c2", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "4fc0d8660e391dcd8dde23c44d702be1f6846c61", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "72e445df65a0aa9066c6fe2b8736ba2fcca6dac7", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "1ac49babc952f48d82676979b20885e480e69be8", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "e52e0b92ed31dc62afbda15c243dcee0bb5bb58d", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "264db9d666ad9a35075cc9ed9ec09d021580fbb1", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/udf/inode.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.323", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.285", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.170", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.115", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.59", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nudf: fix uninit-value use in udf_get_fileshortad\n\nCheck for overflow when computing alen in udf_current_aext to mitigate\nlater uninit-value use in udf_get_fileshortad KMSAN bug[1].\nAfter applying the patch reproducer did not trigger any issue[2].\n\n[1] https://syzkaller.appspot.com/bug?extid=8901c4560b7ab5c2f9df\n[2] https://syzkaller.appspot.com/x/log.txt?x=10242227980000" } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:34:03.835Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/5eb76fb98b3335aa5cca6a7db2e659561c79c32b" }, { "url": "https://git.kernel.org/stable/c/417bd613bdbe791549f7687bb1b9b8012ff111c2" }, { "url": "https://git.kernel.org/stable/c/4fc0d8660e391dcd8dde23c44d702be1f6846c61" }, { "url": "https://git.kernel.org/stable/c/72e445df65a0aa9066c6fe2b8736ba2fcca6dac7" }, { "url": "https://git.kernel.org/stable/c/1ac49babc952f48d82676979b20885e480e69be8" }, { "url": "https://git.kernel.org/stable/c/e52e0b92ed31dc62afbda15c243dcee0bb5bb58d" }, { "url": "https://git.kernel.org/stable/c/264db9d666ad9a35075cc9ed9ec09d021580fbb1" } ], "title": "udf: fix uninit-value use in udf_get_fileshortad", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50143", "datePublished": "2024-11-07T09:31:20.340Z", "dateReserved": "2024-10-21T19:36:19.956Z", "dateUpdated": "2024-12-19T09:34:03.835Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50144
Vulnerability from cvelistv5
Published
2024-11-07 09:31
Modified
2024-12-19 09:34
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/xe: fix unbalanced rpm put() with fence_fini()
Currently we can call fence_fini() twice if something goes wrong when
sending the GuC CT for the tlb request, since we signal the fence and
return an error, leading to the caller also calling fini() on the error
path in the case of stack version of the flow, which leads to an extra
rpm put() which might later cause device to enter suspend when it
shouldn't. It looks like we can just drop the fini() call since the
fence signaller side will already call this for us.
There are known mysterious splats with device going to sleep even with
an rpm ref, and this could be one candidate.
v2 (Matt B):
- Prefer warning if we detect double fini()
(cherry picked from commit cfcbc0520d5055825f0647ab922b655688605183)
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/xe/xe_gt_tlb_invalidation.c", "drivers/gpu/drm/xe/xe_gt_tlb_invalidation.h", "drivers/gpu/drm/xe/xe_vm.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "046bd018c0123b1a49c22abed5f9ea31d1454c78", "status": "affected", "version": "f002702290fccbd473f5bb94e52f25c96917fff2", "versionType": "git" }, { "lessThan": "03a86c24aea0920a1ca20a0d7771d5e176db538d", "status": "affected", "version": "f002702290fccbd473f5bb94e52f25c96917fff2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/xe/xe_gt_tlb_invalidation.c", "drivers/gpu/drm/xe/xe_gt_tlb_invalidation.h", "drivers/gpu/drm/xe/xe_vm.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.11" }, { "lessThan": "6.11", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: fix unbalanced rpm put() with fence_fini()\n\nCurrently we can call fence_fini() twice if something goes wrong when\nsending the GuC CT for the tlb request, since we signal the fence and\nreturn an error, leading to the caller also calling fini() on the error\npath in the case of stack version of the flow, which leads to an extra\nrpm put() which might later cause device to enter suspend when it\nshouldn\u0027t. It looks like we can just drop the fini() call since the\nfence signaller side will already call this for us.\n\nThere are known mysterious splats with device going to sleep even with\nan rpm ref, and this could be one candidate.\n\nv2 (Matt B):\n - Prefer warning if we detect double fini()\n\n(cherry picked from commit cfcbc0520d5055825f0647ab922b655688605183)" } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:34:04.951Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/046bd018c0123b1a49c22abed5f9ea31d1454c78" }, { "url": "https://git.kernel.org/stable/c/03a86c24aea0920a1ca20a0d7771d5e176db538d" } ], "title": "drm/xe: fix unbalanced rpm put() with fence_fini()", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50144", "datePublished": "2024-11-07T09:31:21.224Z", "dateReserved": "2024-10-21T19:36:19.956Z", "dateUpdated": "2024-12-19T09:34:04.951Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50172
Vulnerability from cvelistv5
Published
2024-11-07 09:31
Modified
2024-12-19 09:34
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/bnxt_re: Fix a possible memory leak
In bnxt_re_setup_chip_ctx() when bnxt_qplib_map_db_bar() fails
driver is not freeing the memory allocated for "rdev->chip_ctx".
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/infiniband/hw/bnxt_re/main.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "73e04a6114e08b5eb10e589e12b680955accb376", "status": "affected", "version": "0ac20faf5d837b59fb4c041ea320932ed47fd67f", "versionType": "git" }, { "lessThan": "595fa9b17201028d35f92d450fc0ecda873fe469", "status": "affected", "version": "0ac20faf5d837b59fb4c041ea320932ed47fd67f", "versionType": "git" }, { "lessThan": "3fc5410f225d1651580a4aeb7c72f55e28673b53", "status": "affected", "version": "0ac20faf5d837b59fb4c041ea320932ed47fd67f", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/infiniband/hw/bnxt_re/main.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.5" }, { "lessThan": "6.5", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.59", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/bnxt_re: Fix a possible memory leak\n\nIn bnxt_re_setup_chip_ctx() when bnxt_qplib_map_db_bar() fails\ndriver is not freeing the memory allocated for \"rdev-\u003echip_ctx\"." } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:34:36.818Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/73e04a6114e08b5eb10e589e12b680955accb376" }, { "url": "https://git.kernel.org/stable/c/595fa9b17201028d35f92d450fc0ecda873fe469" }, { "url": "https://git.kernel.org/stable/c/3fc5410f225d1651580a4aeb7c72f55e28673b53" } ], "title": "RDMA/bnxt_re: Fix a possible memory leak", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50172", "datePublished": "2024-11-07T09:31:48.430Z", "dateReserved": "2024-10-21T19:36:19.963Z", "dateUpdated": "2024-12-19T09:34:36.818Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50148
Vulnerability from cvelistv5
Published
2024-11-07 09:31
Modified
2024-12-19 09:34
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: bnep: fix wild-memory-access in proto_unregister
There's issue as follows:
KASAN: maybe wild-memory-access in range [0xdead...108-0xdead...10f]
CPU: 3 UID: 0 PID: 2805 Comm: rmmod Tainted: G W
RIP: 0010:proto_unregister+0xee/0x400
Call Trace:
<TASK>
__do_sys_delete_module+0x318/0x580
do_syscall_64+0xc1/0x1d0
entry_SYSCALL_64_after_hwframe+0x77/0x7f
As bnep_init() ignore bnep_sock_init()'s return value, and bnep_sock_init()
will cleanup all resource. Then when remove bnep module will call
bnep_sock_cleanup() to cleanup sock's resource.
To solve above issue just return bnep_sock_init()'s return value in
bnep_exit().
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/bluetooth/bnep/core.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "e232728242c4e98fb30e4c6bedb6ba8b482b6301", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "2c439470b23d78095a0d2f923342df58b155f669", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "6c151aeb6dc414db8f4daf51be072e802fae6667", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "fa58e23ea1359bd24b323916d191e2e9b4b19783", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "03015b6329e6de42f03ec917c25c4cf944f81f66", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "d10cd7bf574ead01fae140ce117a11bcdacbe6a8", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "20c424bc475b2b2a6e0e2225d2aae095c2ab2f41", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "64a90991ba8d4e32e3173ddd83d0b24167a5668c", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/bluetooth/bnep/core.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "2.6.12" }, { "lessThan": "2.6.12", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.323", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.285", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.229", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.170", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.115", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.59", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: bnep: fix wild-memory-access in proto_unregister\n\nThere\u0027s issue as follows:\n KASAN: maybe wild-memory-access in range [0xdead...108-0xdead...10f]\n CPU: 3 UID: 0 PID: 2805 Comm: rmmod Tainted: G W\n RIP: 0010:proto_unregister+0xee/0x400\n Call Trace:\n \u003cTASK\u003e\n __do_sys_delete_module+0x318/0x580\n do_syscall_64+0xc1/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nAs bnep_init() ignore bnep_sock_init()\u0027s return value, and bnep_sock_init()\nwill cleanup all resource. Then when remove bnep module will call\nbnep_sock_cleanup() to cleanup sock\u0027s resource.\nTo solve above issue just return bnep_sock_init()\u0027s return value in\nbnep_exit()." } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:34:09.474Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/e232728242c4e98fb30e4c6bedb6ba8b482b6301" }, { "url": "https://git.kernel.org/stable/c/2c439470b23d78095a0d2f923342df58b155f669" }, { "url": "https://git.kernel.org/stable/c/6c151aeb6dc414db8f4daf51be072e802fae6667" }, { "url": "https://git.kernel.org/stable/c/fa58e23ea1359bd24b323916d191e2e9b4b19783" }, { "url": "https://git.kernel.org/stable/c/03015b6329e6de42f03ec917c25c4cf944f81f66" }, { "url": "https://git.kernel.org/stable/c/d10cd7bf574ead01fae140ce117a11bcdacbe6a8" }, { "url": "https://git.kernel.org/stable/c/20c424bc475b2b2a6e0e2225d2aae095c2ab2f41" }, { "url": "https://git.kernel.org/stable/c/64a90991ba8d4e32e3173ddd83d0b24167a5668c" } ], "title": "Bluetooth: bnep: fix wild-memory-access in proto_unregister", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50148", "datePublished": "2024-11-07T09:31:24.987Z", "dateReserved": "2024-10-21T19:36:19.959Z", "dateUpdated": "2024-12-19T09:34:09.474Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.