Action not permitted
Modal body text goes here.
Modal Title
Modal Body
wid-sec-w-2024-3497
Vulnerability from csaf_certbund
Published
2024-11-18 23:00
Modified
2024-11-24 23:00
Summary
Linux Kernel: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Der Kernel stellt den Kern des Linux Betriebssystems dar.
Angriff
Ein Angreifer kann mehrere Schwachstellen in Linux Kernel ausnutzen, um einen Denial of Service Zustand herbeizuführen oderum einen nicht näher spezifizierten Angriff durchzuführen.
Betroffene Betriebssysteme
- Linux
{ "document": { "aggregate_severity": { "text": "hoch" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "Der Kernel stellt den Kern des Linux Betriebssystems dar.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein Angreifer kann mehrere Schwachstellen in Linux Kernel ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren oderum einen nicht n\u00e4her spezifizierten Angriff durchzuf\u00fchren.", "title": "Angriff" }, { "category": "general", "text": "- Linux", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2024-3497 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-3497.json" }, { "category": "self", "summary": "WID-SEC-2024-3497 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-3497" }, { "category": "external", "summary": "Kernel CVE Announce Mailingliste", "url": "https://lore.kernel.org/linux-cve-announce/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50296", "url": "https://lore.kernel.org/linux-cve-announce/2024111900-CVE-2024-50296-774e@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50297", "url": "https://lore.kernel.org/linux-cve-announce/2024111902-CVE-2024-50297-7693@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50298", "url": "https://lore.kernel.org/linux-cve-announce/2024111903-CVE-2024-50298-2ef7@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50299", "url": "https://lore.kernel.org/linux-cve-announce/2024111904-CVE-2024-50299-795d@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50300", "url": "https://lore.kernel.org/linux-cve-announce/2024111906-CVE-2024-50300-a5c0@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50301", "url": "https://lore.kernel.org/linux-cve-announce/2024111907-CVE-2024-50301-ec76@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50302", "url": "https://lore.kernel.org/linux-cve-announce/2024111908-CVE-2024-50302-f677@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50264", "url": "https://lore.kernel.org/linux-cve-announce/2024111920-CVE-2024-50264-0889@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50265", "url": "https://lore.kernel.org/linux-cve-announce/2024111921-CVE-2024-50265-dcd9@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50266", "url": "https://lore.kernel.org/linux-cve-announce/2024111922-CVE-2024-50266-7fe4@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50267", "url": "https://lore.kernel.org/linux-cve-announce/2024111924-CVE-2024-50267-2d0d@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50268", "url": "https://lore.kernel.org/linux-cve-announce/2024111925-CVE-2024-50268-9b55@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50269", "url": "https://lore.kernel.org/linux-cve-announce/2024111926-CVE-2024-50269-830b@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50270", "url": "https://lore.kernel.org/linux-cve-announce/2024111927-CVE-2024-50270-473a@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50271", "url": "https://lore.kernel.org/linux-cve-announce/2024111929-CVE-2024-50271-9089@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50272", "url": "https://lore.kernel.org/linux-cve-announce/2024111930-CVE-2024-50272-5691@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50273", "url": "https://lore.kernel.org/linux-cve-announce/2024111931-CVE-2024-50273-6359@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50274", "url": "https://lore.kernel.org/linux-cve-announce/2024111932-CVE-2024-50274-a441@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50275", "url": "https://lore.kernel.org/linux-cve-announce/2024111934-CVE-2024-50275-2e49@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50276", "url": "https://lore.kernel.org/linux-cve-announce/2024111935-CVE-2024-50276-3026@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50277", "url": "https://lore.kernel.org/linux-cve-announce/2024111936-CVE-2024-50277-1fe3@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50278", "url": "https://lore.kernel.org/linux-cve-announce/2024111937-CVE-2024-50278-d6c9@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50279", "url": "https://lore.kernel.org/linux-cve-announce/2024111939-CVE-2024-50279-d3f9@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50280", "url": "https://lore.kernel.org/linux-cve-announce/2024111940-CVE-2024-50280-068b@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50281", "url": "https://lore.kernel.org/linux-cve-announce/2024111941-CVE-2024-50281-f70e@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50282", "url": "https://lore.kernel.org/linux-cve-announce/2024111943-CVE-2024-50282-1579@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50283", "url": "https://lore.kernel.org/linux-cve-announce/2024111944-CVE-2024-50283-3aad@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50284", "url": "https://lore.kernel.org/linux-cve-announce/2024111945-CVE-2024-50284-650e@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50285", "url": "https://lore.kernel.org/linux-cve-announce/2024111946-CVE-2024-50285-6013@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50286", "url": "https://lore.kernel.org/linux-cve-announce/2024111948-CVE-2024-50286-85e9@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50287", "url": "https://lore.kernel.org/linux-cve-announce/2024111949-CVE-2024-50287-bf9b@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50288", "url": "https://lore.kernel.org/linux-cve-announce/2024111950-CVE-2024-50288-1c5d@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50289", "url": "https://lore.kernel.org/linux-cve-announce/2024111952-CVE-2024-50289-5a27@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50290", "url": "https://lore.kernel.org/linux-cve-announce/2024111953-CVE-2024-50290-9705@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50291", "url": "https://lore.kernel.org/linux-cve-announce/2024111954-CVE-2024-50291-5c62@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50292", "url": "https://lore.kernel.org/linux-cve-announce/2024111955-CVE-2024-50292-e8b6@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50293", "url": "https://lore.kernel.org/linux-cve-announce/2024111957-CVE-2024-50293-1bf1@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2023-52921", "url": "https://lore.kernel.org/linux-cve-announce/2024111958-CVE-2023-52921-78df@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50294", "url": "https://lore.kernel.org/linux-cve-announce/2024111958-CVE-2024-50294-0ac7@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-50295", "url": "https://lore.kernel.org/linux-cve-announce/2024111959-CVE-2024-50295-1201@gregkh/" }, { "category": "external", "summary": "Debian Security Advisory DSA-5818 vom 2024-11-24", "url": "https://lists.debian.org/debian-security-announce/2024/msg00233.html" } ], "source_lang": "en-US", "title": "Linux Kernel: Mehrere Schwachstellen", "tracking": { "current_release_date": "2024-11-24T23:00:00.000+00:00", "generator": { "date": "2024-11-25T09:11:36.333+00:00", "engine": { "name": "BSI-WID", "version": "1.3.8" } }, "id": "WID-SEC-W-2024-3497", "initial_release_date": "2024-11-18T23:00:00.000+00:00", "revision_history": [ { "date": "2024-11-18T23:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2024-11-24T23:00:00.000+00:00", "number": "2", "summary": "Neue Updates von Debian aufgenommen" } ], "status": "final", "version": "2" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_name", "name": "Debian Linux", "product": { "name": "Debian Linux", "product_id": "2951", "product_identification_helper": { "cpe": "cpe:/o:debian:debian_linux:-" } } } ], "category": "vendor", "name": "Debian" }, { "branches": [ { "category": "product_name", "name": "Open Source Linux Kernel", "product": { "name": "Open Source Linux Kernel", "product_id": "T008144", "product_identification_helper": { "cpe": "cpe:/a:linux:linux_kernel:-" } } } ], "category": "vendor", "name": "Open Source" } ] }, "vulnerabilities": [ { "cve": "CVE-2023-52921", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen im Linux Kernel, aufgrund von verschiedenen Fehlern in der Speicherverwaltung oder anderen Implementierungsfehlern. Betroffen sind Komponenten wie \"ksmbd\", \"net\", \"USB\" und andere. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren oder um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "2951", "T008144" ] }, "release_date": "2024-11-18T23:00:00.000+00:00", "title": "CVE-2023-52921" }, { "cve": "CVE-2024-50264", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen im Linux Kernel, aufgrund von verschiedenen Fehlern in der Speicherverwaltung oder anderen Implementierungsfehlern. Betroffen sind Komponenten wie \"ksmbd\", \"net\", \"USB\" und andere. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren oder um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "2951", "T008144" ] }, "release_date": "2024-11-18T23:00:00.000+00:00", "title": "CVE-2024-50264" }, { "cve": "CVE-2024-50265", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen im Linux Kernel, aufgrund von verschiedenen Fehlern in der Speicherverwaltung oder anderen Implementierungsfehlern. Betroffen sind Komponenten wie \"ksmbd\", \"net\", \"USB\" und andere. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren oder um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "2951", "T008144" ] }, "release_date": "2024-11-18T23:00:00.000+00:00", "title": "CVE-2024-50265" }, { "cve": "CVE-2024-50266", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen im Linux Kernel, aufgrund von verschiedenen Fehlern in der Speicherverwaltung oder anderen Implementierungsfehlern. Betroffen sind Komponenten wie \"ksmbd\", \"net\", \"USB\" und andere. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren oder um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "2951", "T008144" ] }, "release_date": "2024-11-18T23:00:00.000+00:00", "title": "CVE-2024-50266" }, { "cve": "CVE-2024-50267", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen im Linux Kernel, aufgrund von verschiedenen Fehlern in der Speicherverwaltung oder anderen Implementierungsfehlern. Betroffen sind Komponenten wie \"ksmbd\", \"net\", \"USB\" und andere. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren oder um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "2951", "T008144" ] }, "release_date": "2024-11-18T23:00:00.000+00:00", "title": "CVE-2024-50267" }, { "cve": "CVE-2024-50268", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen im Linux Kernel, aufgrund von verschiedenen Fehlern in der Speicherverwaltung oder anderen Implementierungsfehlern. Betroffen sind Komponenten wie \"ksmbd\", \"net\", \"USB\" und andere. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren oder um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "2951", "T008144" ] }, "release_date": "2024-11-18T23:00:00.000+00:00", "title": "CVE-2024-50268" }, { "cve": "CVE-2024-50269", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen im Linux Kernel, aufgrund von verschiedenen Fehlern in der Speicherverwaltung oder anderen Implementierungsfehlern. Betroffen sind Komponenten wie \"ksmbd\", \"net\", \"USB\" und andere. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren oder um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "2951", "T008144" ] }, "release_date": "2024-11-18T23:00:00.000+00:00", "title": "CVE-2024-50269" }, { "cve": "CVE-2024-50270", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen im Linux Kernel, aufgrund von verschiedenen Fehlern in der Speicherverwaltung oder anderen Implementierungsfehlern. Betroffen sind Komponenten wie \"ksmbd\", \"net\", \"USB\" und andere. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren oder um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "2951", "T008144" ] }, "release_date": "2024-11-18T23:00:00.000+00:00", "title": "CVE-2024-50270" }, { "cve": "CVE-2024-50271", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen im Linux Kernel, aufgrund von verschiedenen Fehlern in der Speicherverwaltung oder anderen Implementierungsfehlern. Betroffen sind Komponenten wie \"ksmbd\", \"net\", \"USB\" und andere. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren oder um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "2951", "T008144" ] }, "release_date": "2024-11-18T23:00:00.000+00:00", "title": "CVE-2024-50271" }, { "cve": "CVE-2024-50272", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen im Linux Kernel, aufgrund von verschiedenen Fehlern in der Speicherverwaltung oder anderen Implementierungsfehlern. Betroffen sind Komponenten wie \"ksmbd\", \"net\", \"USB\" und andere. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren oder um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "2951", "T008144" ] }, "release_date": "2024-11-18T23:00:00.000+00:00", "title": "CVE-2024-50272" }, { "cve": "CVE-2024-50273", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen im Linux Kernel, aufgrund von verschiedenen Fehlern in der Speicherverwaltung oder anderen Implementierungsfehlern. Betroffen sind Komponenten wie \"ksmbd\", \"net\", \"USB\" und andere. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren oder um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "2951", "T008144" ] }, "release_date": "2024-11-18T23:00:00.000+00:00", "title": "CVE-2024-50273" }, { "cve": "CVE-2024-50274", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen im Linux Kernel, aufgrund von verschiedenen Fehlern in der Speicherverwaltung oder anderen Implementierungsfehlern. Betroffen sind Komponenten wie \"ksmbd\", \"net\", \"USB\" und andere. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren oder um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "2951", "T008144" ] }, "release_date": "2024-11-18T23:00:00.000+00:00", "title": "CVE-2024-50274" }, { "cve": "CVE-2024-50275", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen im Linux Kernel, aufgrund von verschiedenen Fehlern in der Speicherverwaltung oder anderen Implementierungsfehlern. Betroffen sind Komponenten wie \"ksmbd\", \"net\", \"USB\" und andere. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren oder um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "2951", "T008144" ] }, "release_date": "2024-11-18T23:00:00.000+00:00", "title": "CVE-2024-50275" }, { "cve": "CVE-2024-50276", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen im Linux Kernel, aufgrund von verschiedenen Fehlern in der Speicherverwaltung oder anderen Implementierungsfehlern. Betroffen sind Komponenten wie \"ksmbd\", \"net\", \"USB\" und andere. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren oder um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "2951", "T008144" ] }, "release_date": "2024-11-18T23:00:00.000+00:00", "title": "CVE-2024-50276" }, { "cve": "CVE-2024-50277", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen im Linux Kernel, aufgrund von verschiedenen Fehlern in der Speicherverwaltung oder anderen Implementierungsfehlern. Betroffen sind Komponenten wie \"ksmbd\", \"net\", \"USB\" und andere. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren oder um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "2951", "T008144" ] }, "release_date": "2024-11-18T23:00:00.000+00:00", "title": "CVE-2024-50277" }, { "cve": "CVE-2024-50278", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen im Linux Kernel, aufgrund von verschiedenen Fehlern in der Speicherverwaltung oder anderen Implementierungsfehlern. Betroffen sind Komponenten wie \"ksmbd\", \"net\", \"USB\" und andere. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren oder um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "2951", "T008144" ] }, "release_date": "2024-11-18T23:00:00.000+00:00", "title": "CVE-2024-50278" }, { "cve": "CVE-2024-50279", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen im Linux Kernel, aufgrund von verschiedenen Fehlern in der Speicherverwaltung oder anderen Implementierungsfehlern. Betroffen sind Komponenten wie \"ksmbd\", \"net\", \"USB\" und andere. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren oder um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "2951", "T008144" ] }, "release_date": "2024-11-18T23:00:00.000+00:00", "title": "CVE-2024-50279" }, { "cve": "CVE-2024-50280", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen im Linux Kernel, aufgrund von verschiedenen Fehlern in der Speicherverwaltung oder anderen Implementierungsfehlern. Betroffen sind Komponenten wie \"ksmbd\", \"net\", \"USB\" und andere. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren oder um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "2951", "T008144" ] }, "release_date": "2024-11-18T23:00:00.000+00:00", "title": "CVE-2024-50280" }, { "cve": "CVE-2024-50281", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen im Linux Kernel, aufgrund von verschiedenen Fehlern in der Speicherverwaltung oder anderen Implementierungsfehlern. Betroffen sind Komponenten wie \"ksmbd\", \"net\", \"USB\" und andere. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren oder um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "2951", "T008144" ] }, "release_date": "2024-11-18T23:00:00.000+00:00", "title": "CVE-2024-50281" }, { "cve": "CVE-2024-50282", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen im Linux Kernel, aufgrund von verschiedenen Fehlern in der Speicherverwaltung oder anderen Implementierungsfehlern. Betroffen sind Komponenten wie \"ksmbd\", \"net\", \"USB\" und andere. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren oder um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "2951", "T008144" ] }, "release_date": "2024-11-18T23:00:00.000+00:00", "title": "CVE-2024-50282" }, { "cve": "CVE-2024-50283", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen im Linux Kernel, aufgrund von verschiedenen Fehlern in der Speicherverwaltung oder anderen Implementierungsfehlern. Betroffen sind Komponenten wie \"ksmbd\", \"net\", \"USB\" und andere. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren oder um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "2951", "T008144" ] }, "release_date": "2024-11-18T23:00:00.000+00:00", "title": "CVE-2024-50283" }, { "cve": "CVE-2024-50284", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen im Linux Kernel, aufgrund von verschiedenen Fehlern in der Speicherverwaltung oder anderen Implementierungsfehlern. Betroffen sind Komponenten wie \"ksmbd\", \"net\", \"USB\" und andere. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren oder um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "2951", "T008144" ] }, "release_date": "2024-11-18T23:00:00.000+00:00", "title": "CVE-2024-50284" }, { "cve": "CVE-2024-50285", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen im Linux Kernel, aufgrund von verschiedenen Fehlern in der Speicherverwaltung oder anderen Implementierungsfehlern. Betroffen sind Komponenten wie \"ksmbd\", \"net\", \"USB\" und andere. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren oder um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "2951", "T008144" ] }, "release_date": "2024-11-18T23:00:00.000+00:00", "title": "CVE-2024-50285" }, { "cve": "CVE-2024-50286", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen im Linux Kernel, aufgrund von verschiedenen Fehlern in der Speicherverwaltung oder anderen Implementierungsfehlern. Betroffen sind Komponenten wie \"ksmbd\", \"net\", \"USB\" und andere. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren oder um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "2951", "T008144" ] }, "release_date": "2024-11-18T23:00:00.000+00:00", "title": "CVE-2024-50286" }, { "cve": "CVE-2024-50287", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen im Linux Kernel, aufgrund von verschiedenen Fehlern in der Speicherverwaltung oder anderen Implementierungsfehlern. Betroffen sind Komponenten wie \"ksmbd\", \"net\", \"USB\" und andere. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren oder um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "2951", "T008144" ] }, "release_date": "2024-11-18T23:00:00.000+00:00", "title": "CVE-2024-50287" }, { "cve": "CVE-2024-50288", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen im Linux Kernel, aufgrund von verschiedenen Fehlern in der Speicherverwaltung oder anderen Implementierungsfehlern. Betroffen sind Komponenten wie \"ksmbd\", \"net\", \"USB\" und andere. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren oder um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "2951", "T008144" ] }, "release_date": "2024-11-18T23:00:00.000+00:00", "title": "CVE-2024-50288" }, { "cve": "CVE-2024-50289", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen im Linux Kernel, aufgrund von verschiedenen Fehlern in der Speicherverwaltung oder anderen Implementierungsfehlern. Betroffen sind Komponenten wie \"ksmbd\", \"net\", \"USB\" und andere. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren oder um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "2951", "T008144" ] }, "release_date": "2024-11-18T23:00:00.000+00:00", "title": "CVE-2024-50289" }, { "cve": "CVE-2024-50290", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen im Linux Kernel, aufgrund von verschiedenen Fehlern in der Speicherverwaltung oder anderen Implementierungsfehlern. Betroffen sind Komponenten wie \"ksmbd\", \"net\", \"USB\" und andere. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren oder um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "2951", "T008144" ] }, "release_date": "2024-11-18T23:00:00.000+00:00", "title": "CVE-2024-50290" }, { "cve": "CVE-2024-50291", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen im Linux Kernel, aufgrund von verschiedenen Fehlern in der Speicherverwaltung oder anderen Implementierungsfehlern. Betroffen sind Komponenten wie \"ksmbd\", \"net\", \"USB\" und andere. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren oder um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "2951", "T008144" ] }, "release_date": "2024-11-18T23:00:00.000+00:00", "title": "CVE-2024-50291" }, { "cve": "CVE-2024-50292", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen im Linux Kernel, aufgrund von verschiedenen Fehlern in der Speicherverwaltung oder anderen Implementierungsfehlern. Betroffen sind Komponenten wie \"ksmbd\", \"net\", \"USB\" und andere. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren oder um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "2951", "T008144" ] }, "release_date": "2024-11-18T23:00:00.000+00:00", "title": "CVE-2024-50292" }, { "cve": "CVE-2024-50293", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen im Linux Kernel, aufgrund von verschiedenen Fehlern in der Speicherverwaltung oder anderen Implementierungsfehlern. Betroffen sind Komponenten wie \"ksmbd\", \"net\", \"USB\" und andere. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren oder um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "2951", "T008144" ] }, "release_date": "2024-11-18T23:00:00.000+00:00", "title": "CVE-2024-50293" }, { "cve": "CVE-2024-50294", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen im Linux Kernel, aufgrund von verschiedenen Fehlern in der Speicherverwaltung oder anderen Implementierungsfehlern. Betroffen sind Komponenten wie \"ksmbd\", \"net\", \"USB\" und andere. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren oder um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "2951", "T008144" ] }, "release_date": "2024-11-18T23:00:00.000+00:00", "title": "CVE-2024-50294" }, { "cve": "CVE-2024-50295", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen im Linux Kernel, aufgrund von verschiedenen Fehlern in der Speicherverwaltung oder anderen Implementierungsfehlern. Betroffen sind Komponenten wie \"ksmbd\", \"net\", \"USB\" und andere. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren oder um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "2951", "T008144" ] }, "release_date": "2024-11-18T23:00:00.000+00:00", "title": "CVE-2024-50295" }, { "cve": "CVE-2024-50296", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen im Linux Kernel, aufgrund von verschiedenen Fehlern in der Speicherverwaltung oder anderen Implementierungsfehlern. Betroffen sind Komponenten wie \"ksmbd\", \"net\", \"USB\" und andere. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren oder um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "2951", "T008144" ] }, "release_date": "2024-11-18T23:00:00.000+00:00", "title": "CVE-2024-50296" }, { "cve": "CVE-2024-50297", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen im Linux Kernel, aufgrund von verschiedenen Fehlern in der Speicherverwaltung oder anderen Implementierungsfehlern. Betroffen sind Komponenten wie \"ksmbd\", \"net\", \"USB\" und andere. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren oder um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "2951", "T008144" ] }, "release_date": "2024-11-18T23:00:00.000+00:00", "title": "CVE-2024-50297" }, { "cve": "CVE-2024-50298", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen im Linux Kernel, aufgrund von verschiedenen Fehlern in der Speicherverwaltung oder anderen Implementierungsfehlern. Betroffen sind Komponenten wie \"ksmbd\", \"net\", \"USB\" und andere. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren oder um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "2951", "T008144" ] }, "release_date": "2024-11-18T23:00:00.000+00:00", "title": "CVE-2024-50298" }, { "cve": "CVE-2024-50299", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen im Linux Kernel, aufgrund von verschiedenen Fehlern in der Speicherverwaltung oder anderen Implementierungsfehlern. Betroffen sind Komponenten wie \"ksmbd\", \"net\", \"USB\" und andere. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren oder um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "2951", "T008144" ] }, "release_date": "2024-11-18T23:00:00.000+00:00", "title": "CVE-2024-50299" }, { "cve": "CVE-2024-50300", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen im Linux Kernel, aufgrund von verschiedenen Fehlern in der Speicherverwaltung oder anderen Implementierungsfehlern. Betroffen sind Komponenten wie \"ksmbd\", \"net\", \"USB\" und andere. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren oder um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "2951", "T008144" ] }, "release_date": "2024-11-18T23:00:00.000+00:00", "title": "CVE-2024-50300" }, { "cve": "CVE-2024-50301", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen im Linux Kernel, aufgrund von verschiedenen Fehlern in der Speicherverwaltung oder anderen Implementierungsfehlern. Betroffen sind Komponenten wie \"ksmbd\", \"net\", \"USB\" und andere. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren oder um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "2951", "T008144" ] }, "release_date": "2024-11-18T23:00:00.000+00:00", "title": "CVE-2024-50301" }, { "cve": "CVE-2024-50302", "notes": [ { "category": "description", "text": "Es existieren mehrere Schwachstellen im Linux Kernel, aufgrund von verschiedenen Fehlern in der Speicherverwaltung oder anderen Implementierungsfehlern. Betroffen sind Komponenten wie \"ksmbd\", \"net\", \"USB\" und andere. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren oder um nicht n\u00e4her spezifizierte Auswirkungen zu verursachen." } ], "product_status": { "known_affected": [ "2951", "T008144" ] }, "release_date": "2024-11-18T23:00:00.000+00:00", "title": "CVE-2024-50302" } ] }
cve-2024-50268
Vulnerability from cvelistv5
Published
2024-11-19 01:30
Modified
2024-12-19 09:36
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: typec: fix potential out of bounds in ucsi_ccg_update_set_new_cam_cmd()
The "*cmd" variable can be controlled by the user via debugfs. That means
"new_cam" can be as high as 255 while the size of the uc->updated[] array
is UCSI_MAX_ALTMODES (30).
The call tree is:
ucsi_cmd() // val comes from simple_attr_write_xsigned()
-> ucsi_send_command()
-> ucsi_send_command_common()
-> ucsi_run_command() // calls ucsi->ops->sync_control()
-> ucsi_ccg_sync_control()
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 170a6726d0e266f2c8f306e3d61715c32f4ee41e Version: 170a6726d0e266f2c8f306e3d61715c32f4ee41e Version: 170a6726d0e266f2c8f306e3d61715c32f4ee41e Version: 170a6726d0e266f2c8f306e3d61715c32f4ee41e Version: 170a6726d0e266f2c8f306e3d61715c32f4ee41e Version: 170a6726d0e266f2c8f306e3d61715c32f4ee41e |
||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/usb/typec/ucsi/ucsi_ccg.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "d76923164705821aa1b01b8d9d1741f20c654ab4", "status": "affected", "version": "170a6726d0e266f2c8f306e3d61715c32f4ee41e", "versionType": "git" }, { "lessThan": "8f47984b35f3be0cfc652c2ca358d5768ea3456b", "status": "affected", "version": "170a6726d0e266f2c8f306e3d61715c32f4ee41e", "versionType": "git" }, { "lessThan": "604314ecd682913925980dc955caea2d036eab5f", "status": "affected", "version": "170a6726d0e266f2c8f306e3d61715c32f4ee41e", "versionType": "git" }, { "lessThan": "69e19774f15e12dda6c6c58001d059e30895009b", "status": "affected", "version": "170a6726d0e266f2c8f306e3d61715c32f4ee41e", "versionType": "git" }, { "lessThan": "3a2ba841659a0f15102585120dea75d8d5209616", "status": "affected", "version": "170a6726d0e266f2c8f306e3d61715c32f4ee41e", "versionType": "git" }, { "lessThan": "7dd08a0b4193087976db6b3ee7807de7e8316f96", "status": "affected", "version": "170a6726d0e266f2c8f306e3d61715c32f4ee41e", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/usb/typec/ucsi/ucsi_ccg.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.6" }, { "lessThan": "5.6", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.230", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.172", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.117", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.61", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: fix potential out of bounds in ucsi_ccg_update_set_new_cam_cmd()\n\nThe \"*cmd\" variable can be controlled by the user via debugfs. That means\n\"new_cam\" can be as high as 255 while the size of the uc-\u003eupdated[] array\nis UCSI_MAX_ALTMODES (30).\n\nThe call tree is:\nucsi_cmd() // val comes from simple_attr_write_xsigned()\n-\u003e ucsi_send_command()\n -\u003e ucsi_send_command_common()\n -\u003e ucsi_run_command() // calls ucsi-\u003eops-\u003esync_control()\n -\u003e ucsi_ccg_sync_control()" } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:36:56.232Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/d76923164705821aa1b01b8d9d1741f20c654ab4" }, { "url": "https://git.kernel.org/stable/c/8f47984b35f3be0cfc652c2ca358d5768ea3456b" }, { "url": "https://git.kernel.org/stable/c/604314ecd682913925980dc955caea2d036eab5f" }, { "url": "https://git.kernel.org/stable/c/69e19774f15e12dda6c6c58001d059e30895009b" }, { "url": "https://git.kernel.org/stable/c/3a2ba841659a0f15102585120dea75d8d5209616" }, { "url": "https://git.kernel.org/stable/c/7dd08a0b4193087976db6b3ee7807de7e8316f96" } ], "title": "usb: typec: fix potential out of bounds in ucsi_ccg_update_set_new_cam_cmd()", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50268", "datePublished": "2024-11-19T01:30:05.437Z", "dateReserved": "2024-10-21T19:36:19.982Z", "dateUpdated": "2024-12-19T09:36:56.232Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50275
Vulnerability from cvelistv5
Published
2024-11-19 01:30
Modified
2024-12-19 09:37
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
arm64/sve: Discard stale CPU state when handling SVE traps
The logic for handling SVE traps manipulates saved FPSIMD/SVE state
incorrectly, and a race with preemption can result in a task having
TIF_SVE set and TIF_FOREIGN_FPSTATE clear even though the live CPU state
is stale (e.g. with SVE traps enabled). This has been observed to result
in warnings from do_sve_acc() where SVE traps are not expected while
TIF_SVE is set:
| if (test_and_set_thread_flag(TIF_SVE))
| WARN_ON(1); /* SVE access shouldn't have trapped */
Warnings of this form have been reported intermittently, e.g.
https://lore.kernel.org/linux-arm-kernel/CA+G9fYtEGe_DhY2Ms7+L7NKsLYUomGsgqpdBj+QwDLeSg=JhGg@mail.gmail.com/
https://lore.kernel.org/linux-arm-kernel/000000000000511e9a060ce5a45c@google.com/
The race can occur when the SVE trap handler is preempted before and
after manipulating the saved FPSIMD/SVE state, starting and ending on
the same CPU, e.g.
| void do_sve_acc(unsigned long esr, struct pt_regs *regs)
| {
| // Trap on CPU 0 with TIF_SVE clear, SVE traps enabled
| // task->fpsimd_cpu is 0.
| // per_cpu_ptr(&fpsimd_last_state, 0) is task.
|
| ...
|
| // Preempted; migrated from CPU 0 to CPU 1.
| // TIF_FOREIGN_FPSTATE is set.
|
| get_cpu_fpsimd_context();
|
| if (test_and_set_thread_flag(TIF_SVE))
| WARN_ON(1); /* SVE access shouldn't have trapped */
|
| sve_init_regs() {
| if (!test_thread_flag(TIF_FOREIGN_FPSTATE)) {
| ...
| } else {
| fpsimd_to_sve(current);
| current->thread.fp_type = FP_STATE_SVE;
| }
| }
|
| put_cpu_fpsimd_context();
|
| // Preempted; migrated from CPU 1 to CPU 0.
| // task->fpsimd_cpu is still 0
| // If per_cpu_ptr(&fpsimd_last_state, 0) is still task then:
| // - Stale HW state is reused (with SVE traps enabled)
| // - TIF_FOREIGN_FPSTATE is cleared
| // - A return to userspace skips HW state restore
| }
Fix the case where the state is not live and TIF_FOREIGN_FPSTATE is set
by calling fpsimd_flush_task_state() to detach from the saved CPU
state. This ensures that a subsequent context switch will not reuse the
stale CPU state, and will instead set TIF_FOREIGN_FPSTATE, forcing the
new state to be reloaded from memory prior to a return to userspace.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: cccb78ce89c45a4414db712be4986edfb92434bd Version: cccb78ce89c45a4414db712be4986edfb92434bd Version: cccb78ce89c45a4414db712be4986edfb92434bd Version: cccb78ce89c45a4414db712be4986edfb92434bd Version: cccb78ce89c45a4414db712be4986edfb92434bd |
||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "arch/arm64/kernel/fpsimd.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "51d3d80a6dc314982a9a0aeb0961085922a1aa15", "status": "affected", "version": "cccb78ce89c45a4414db712be4986edfb92434bd", "versionType": "git" }, { "lessThan": "de529504b3274d57caf8f66800b714b0d3ee235a", "status": "affected", "version": "cccb78ce89c45a4414db712be4986edfb92434bd", "versionType": "git" }, { "lessThan": "51d11ea0250d6ee461987403bbfd4b2abb5613a7", "status": "affected", "version": "cccb78ce89c45a4414db712be4986edfb92434bd", "versionType": "git" }, { "lessThan": "fa9ce027b3ce37a2bb173bf2553b5caa438fd8c9", "status": "affected", "version": "cccb78ce89c45a4414db712be4986edfb92434bd", "versionType": "git" }, { "lessThan": "751ecf6afd6568adc98f2a6052315552c0483d18", "status": "affected", "version": "cccb78ce89c45a4414db712be4986edfb92434bd", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "arch/arm64/kernel/fpsimd.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.13" }, { "lessThan": "5.13", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.174", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.120", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.61", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64/sve: Discard stale CPU state when handling SVE traps\n\nThe logic for handling SVE traps manipulates saved FPSIMD/SVE state\nincorrectly, and a race with preemption can result in a task having\nTIF_SVE set and TIF_FOREIGN_FPSTATE clear even though the live CPU state\nis stale (e.g. with SVE traps enabled). This has been observed to result\nin warnings from do_sve_acc() where SVE traps are not expected while\nTIF_SVE is set:\n\n| if (test_and_set_thread_flag(TIF_SVE))\n| WARN_ON(1); /* SVE access shouldn\u0027t have trapped */\n\nWarnings of this form have been reported intermittently, e.g.\n\n https://lore.kernel.org/linux-arm-kernel/CA+G9fYtEGe_DhY2Ms7+L7NKsLYUomGsgqpdBj+QwDLeSg=JhGg@mail.gmail.com/\n https://lore.kernel.org/linux-arm-kernel/000000000000511e9a060ce5a45c@google.com/\n\nThe race can occur when the SVE trap handler is preempted before and\nafter manipulating the saved FPSIMD/SVE state, starting and ending on\nthe same CPU, e.g.\n\n| void do_sve_acc(unsigned long esr, struct pt_regs *regs)\n| {\n| // Trap on CPU 0 with TIF_SVE clear, SVE traps enabled\n| // task-\u003efpsimd_cpu is 0.\n| // per_cpu_ptr(\u0026fpsimd_last_state, 0) is task.\n|\n| ...\n|\n| // Preempted; migrated from CPU 0 to CPU 1.\n| // TIF_FOREIGN_FPSTATE is set.\n|\n| get_cpu_fpsimd_context();\n|\n| if (test_and_set_thread_flag(TIF_SVE))\n| WARN_ON(1); /* SVE access shouldn\u0027t have trapped */\n|\n| sve_init_regs() {\n| if (!test_thread_flag(TIF_FOREIGN_FPSTATE)) {\n| ...\n| } else {\n| fpsimd_to_sve(current);\n| current-\u003ethread.fp_type = FP_STATE_SVE;\n| }\n| }\n|\n| put_cpu_fpsimd_context();\n|\n| // Preempted; migrated from CPU 1 to CPU 0.\n| // task-\u003efpsimd_cpu is still 0\n| // If per_cpu_ptr(\u0026fpsimd_last_state, 0) is still task then:\n| // - Stale HW state is reused (with SVE traps enabled)\n| // - TIF_FOREIGN_FPSTATE is cleared\n| // - A return to userspace skips HW state restore\n| }\n\nFix the case where the state is not live and TIF_FOREIGN_FPSTATE is set\nby calling fpsimd_flush_task_state() to detach from the saved CPU\nstate. This ensures that a subsequent context switch will not reuse the\nstale CPU state, and will instead set TIF_FOREIGN_FPSTATE, forcing the\nnew state to be reloaded from memory prior to a return to userspace." } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:37:06.056Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/51d3d80a6dc314982a9a0aeb0961085922a1aa15" }, { "url": "https://git.kernel.org/stable/c/de529504b3274d57caf8f66800b714b0d3ee235a" }, { "url": "https://git.kernel.org/stable/c/51d11ea0250d6ee461987403bbfd4b2abb5613a7" }, { "url": "https://git.kernel.org/stable/c/fa9ce027b3ce37a2bb173bf2553b5caa438fd8c9" }, { "url": "https://git.kernel.org/stable/c/751ecf6afd6568adc98f2a6052315552c0483d18" } ], "title": "arm64/sve: Discard stale CPU state when handling SVE traps", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50275", "datePublished": "2024-11-19T01:30:15.293Z", "dateReserved": "2024-10-21T19:36:19.983Z", "dateUpdated": "2024-12-19T09:37:06.056Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50272
Vulnerability from cvelistv5
Published
2024-11-19 01:30
Modified
2024-12-19 09:37
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
filemap: Fix bounds checking in filemap_read()
If the caller supplies an iocb->ki_pos value that is close to the
filesystem upper limit, and an iterator with a count that causes us to
overflow that limit, then filemap_read() enters an infinite loop.
This behaviour was discovered when testing xfstests generic/525 with the
"localio" optimisation for loopback NFS mounts.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "mm/filemap.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "26530b757c81f1389fb33ae0357500150933161b", "status": "affected", "version": "c2a9737f45e27d8263ff9643f994bda9bac0b944", "versionType": "git" }, { "lessThan": "a2746ab3bbc9c6408da5cd072653ec8c24749235", "status": "affected", "version": "c2a9737f45e27d8263ff9643f994bda9bac0b944", "versionType": "git" }, { "lessThan": "6450e73f4c86d481ac2e22e1bc848d346e140826", "status": "affected", "version": "c2a9737f45e27d8263ff9643f994bda9bac0b944", "versionType": "git" }, { "lessThan": "ace149e0830c380ddfce7e466fe860ca502fe4ee", "status": "affected", "version": "c2a9737f45e27d8263ff9643f994bda9bac0b944", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "mm/filemap.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.9" }, { "lessThan": "4.9", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.117", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.61", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfilemap: Fix bounds checking in filemap_read()\n\nIf the caller supplies an iocb-\u003eki_pos value that is close to the\nfilesystem upper limit, and an iterator with a count that causes us to\noverflow that limit, then filemap_read() enters an infinite loop.\n\nThis behaviour was discovered when testing xfstests generic/525 with the\n\"localio\" optimisation for loopback NFS mounts." } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:37:01.849Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/26530b757c81f1389fb33ae0357500150933161b" }, { "url": "https://git.kernel.org/stable/c/a2746ab3bbc9c6408da5cd072653ec8c24749235" }, { "url": "https://git.kernel.org/stable/c/6450e73f4c86d481ac2e22e1bc848d346e140826" }, { "url": "https://git.kernel.org/stable/c/ace149e0830c380ddfce7e466fe860ca502fe4ee" } ], "title": "filemap: Fix bounds checking in filemap_read()", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50272", "datePublished": "2024-11-19T01:30:11.194Z", "dateReserved": "2024-10-21T19:36:19.982Z", "dateUpdated": "2024-12-19T09:37:01.849Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50298
Vulnerability from cvelistv5
Published
2024-11-19 01:30
Modified
2024-12-19 09:37
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: enetc: allocate vf_state during PF probes
In the previous implementation, vf_state is allocated memory only when VF
is enabled. However, net_device_ops::ndo_set_vf_mac() may be called before
VF is enabled to configure the MAC address of VF. If this is the case,
enetc_pf_set_vf_mac() will access vf_state, resulting in access to a null
pointer. The simplified error log is as follows.
root@ls1028ardb:~# ip link set eno0 vf 1 mac 00:0c:e7:66:77:89
[ 173.543315] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004
[ 173.637254] pc : enetc_pf_set_vf_mac+0x3c/0x80 Message from sy
[ 173.641973] lr : do_setlink+0x4a8/0xec8
[ 173.732292] Call trace:
[ 173.734740] enetc_pf_set_vf_mac+0x3c/0x80
[ 173.738847] __rtnl_newlink+0x530/0x89c
[ 173.742692] rtnl_newlink+0x50/0x7c
[ 173.746189] rtnetlink_rcv_msg+0x128/0x390
[ 173.750298] netlink_rcv_skb+0x60/0x130
[ 173.754145] rtnetlink_rcv+0x18/0x24
[ 173.757731] netlink_unicast+0x318/0x380
[ 173.761665] netlink_sendmsg+0x17c/0x3c8
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/freescale/enetc/enetc_pf.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "ef0edfbe9eeed1fccad7cb705648af5222664944", "status": "affected", "version": "d4fd0404c1c95b17880f254ebfee3485693fa8ba", "versionType": "git" }, { "lessThan": "7eb923f8d4819737c07d6a8d0daef0a4d7f99e0c", "status": "affected", "version": "d4fd0404c1c95b17880f254ebfee3485693fa8ba", "versionType": "git" }, { "lessThan": "e15c5506dd39885cd047f811a64240e2e8ab401b", "status": "affected", "version": "d4fd0404c1c95b17880f254ebfee3485693fa8ba", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/freescale/enetc/enetc_pf.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.1" }, { "lessThan": "5.1", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.61", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: enetc: allocate vf_state during PF probes\n\nIn the previous implementation, vf_state is allocated memory only when VF\nis enabled. However, net_device_ops::ndo_set_vf_mac() may be called before\nVF is enabled to configure the MAC address of VF. If this is the case,\nenetc_pf_set_vf_mac() will access vf_state, resulting in access to a null\npointer. The simplified error log is as follows.\n\nroot@ls1028ardb:~# ip link set eno0 vf 1 mac 00:0c:e7:66:77:89\n[ 173.543315] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004\n[ 173.637254] pc : enetc_pf_set_vf_mac+0x3c/0x80 Message from sy\n[ 173.641973] lr : do_setlink+0x4a8/0xec8\n[ 173.732292] Call trace:\n[ 173.734740] enetc_pf_set_vf_mac+0x3c/0x80\n[ 173.738847] __rtnl_newlink+0x530/0x89c\n[ 173.742692] rtnl_newlink+0x50/0x7c\n[ 173.746189] rtnetlink_rcv_msg+0x128/0x390\n[ 173.750298] netlink_rcv_skb+0x60/0x130\n[ 173.754145] rtnetlink_rcv+0x18/0x24\n[ 173.757731] netlink_unicast+0x318/0x380\n[ 173.761665] netlink_sendmsg+0x17c/0x3c8" } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:37:41.551Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/ef0edfbe9eeed1fccad7cb705648af5222664944" }, { "url": "https://git.kernel.org/stable/c/7eb923f8d4819737c07d6a8d0daef0a4d7f99e0c" }, { "url": "https://git.kernel.org/stable/c/e15c5506dd39885cd047f811a64240e2e8ab401b" } ], "title": "net: enetc: allocate vf_state during PF probes", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50298", "datePublished": "2024-11-19T01:30:46.029Z", "dateReserved": "2024-10-21T19:36:19.987Z", "dateUpdated": "2024-12-19T09:37:41.551Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50278
Vulnerability from cvelistv5
Published
2024-11-19 01:30
Modified
2024-12-19 09:37
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dm cache: fix potential out-of-bounds access on the first resume
Out-of-bounds access occurs if the fast device is expanded unexpectedly
before the first-time resume of the cache table. This happens because
expanding the fast device requires reloading the cache table for
cache_create to allocate new in-core data structures that fit the new
size, and the check in cache_preresume is not performed during the
first resume, leading to the issue.
Reproduce steps:
1. prepare component devices:
dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
dmsetup create cdata --table "0 65536 linear /dev/sdc 8192"
dmsetup create corig --table "0 524288 linear /dev/sdc 262144"
dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct
2. load a cache table of 512 cache blocks, and deliberately expand the
fast device before resuming the cache, making the in-core data
structures inadequate.
dmsetup create cache --notable
dmsetup reload cache --table "0 524288 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"
dmsetup reload cdata --table "0 131072 linear /dev/sdc 8192"
dmsetup resume cdata
dmsetup resume cache
3. suspend the cache to write out the in-core dirty bitset and hint
array, leading to out-of-bounds access to the dirty bitset at offset
0x40:
dmsetup suspend cache
KASAN reports:
BUG: KASAN: vmalloc-out-of-bounds in is_dirty_callback+0x2b/0x80
Read of size 8 at addr ffffc90000085040 by task dmsetup/90
(...snip...)
The buggy address belongs to the virtual mapping at
[ffffc90000085000, ffffc90000087000) created by:
cache_ctr+0x176a/0x35f0
(...snip...)
Memory state around the buggy address:
ffffc90000084f00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
ffffc90000084f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>ffffc90000085000: 00 00 00 00 00 00 00 00 f8 f8 f8 f8 f8 f8 f8 f8
^
ffffc90000085080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
ffffc90000085100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
Fix by checking the size change on the first resume.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498 Version: f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498 Version: f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498 Version: f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498 Version: f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498 Version: f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498 Version: f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498 Version: f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498 |
||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/md/dm-cache-target.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "e492f71854ce03474d49e87fd98b8df1f7cd1d2d", "status": "affected", "version": "f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498", "versionType": "git" }, { "lessThan": "2222b0929d00e2d13732b799b63be391b5de4492", "status": "affected", "version": "f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498", "versionType": "git" }, { "lessThan": "483b7261b35a9d369082ab298a6670912243f0be", "status": "affected", "version": "f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498", "versionType": "git" }, { "lessThan": "fdef3b94dfebd57e3077a578b6e309a2bb6fa688", "status": "affected", "version": "f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498", "versionType": "git" }, { "lessThan": "c52ec00cb2f9bebfada22edcc0db385b910a1cdb", "status": "affected", "version": "f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498", "versionType": "git" }, { "lessThan": "036dd6e3d2638103e0092864577ea1d091466b86", "status": "affected", "version": "f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498", "versionType": "git" }, { "lessThan": "13ed3624c6ef283acefa4cc42cc8ae54fd4391a4", "status": "affected", "version": "f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498", "versionType": "git" }, { "lessThan": "c0ade5d98979585d4f5a93e4514c2e9a65afa08d", "status": "affected", "version": "f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/md/dm-cache-target.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "3.13" }, { "lessThan": "3.13", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.324", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.286", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.230", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.172", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.117", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.61", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm cache: fix potential out-of-bounds access on the first resume\n\nOut-of-bounds access occurs if the fast device is expanded unexpectedly\nbefore the first-time resume of the cache table. This happens because\nexpanding the fast device requires reloading the cache table for\ncache_create to allocate new in-core data structures that fit the new\nsize, and the check in cache_preresume is not performed during the\nfirst resume, leading to the issue.\n\nReproduce steps:\n\n1. prepare component devices:\n\ndmsetup create cmeta --table \"0 8192 linear /dev/sdc 0\"\ndmsetup create cdata --table \"0 65536 linear /dev/sdc 8192\"\ndmsetup create corig --table \"0 524288 linear /dev/sdc 262144\"\ndd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct\n\n2. load a cache table of 512 cache blocks, and deliberately expand the\n fast device before resuming the cache, making the in-core data\n structures inadequate.\n\ndmsetup create cache --notable\ndmsetup reload cache --table \"0 524288 cache /dev/mapper/cmeta \\\n/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0\"\ndmsetup reload cdata --table \"0 131072 linear /dev/sdc 8192\"\ndmsetup resume cdata\ndmsetup resume cache\n\n3. suspend the cache to write out the in-core dirty bitset and hint\n array, leading to out-of-bounds access to the dirty bitset at offset\n 0x40:\n\ndmsetup suspend cache\n\nKASAN reports:\n\n BUG: KASAN: vmalloc-out-of-bounds in is_dirty_callback+0x2b/0x80\n Read of size 8 at addr ffffc90000085040 by task dmsetup/90\n\n (...snip...)\n The buggy address belongs to the virtual mapping at\n [ffffc90000085000, ffffc90000087000) created by:\n cache_ctr+0x176a/0x35f0\n\n (...snip...)\n Memory state around the buggy address:\n ffffc90000084f00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n ffffc90000084f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n \u003effffc90000085000: 00 00 00 00 00 00 00 00 f8 f8 f8 f8 f8 f8 f8 f8\n ^\n ffffc90000085080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n ffffc90000085100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n\nFix by checking the size change on the first resume." } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:37:09.903Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/e492f71854ce03474d49e87fd98b8df1f7cd1d2d" }, { "url": "https://git.kernel.org/stable/c/2222b0929d00e2d13732b799b63be391b5de4492" }, { "url": "https://git.kernel.org/stable/c/483b7261b35a9d369082ab298a6670912243f0be" }, { "url": "https://git.kernel.org/stable/c/fdef3b94dfebd57e3077a578b6e309a2bb6fa688" }, { "url": "https://git.kernel.org/stable/c/c52ec00cb2f9bebfada22edcc0db385b910a1cdb" }, { "url": "https://git.kernel.org/stable/c/036dd6e3d2638103e0092864577ea1d091466b86" }, { "url": "https://git.kernel.org/stable/c/13ed3624c6ef283acefa4cc42cc8ae54fd4391a4" }, { "url": "https://git.kernel.org/stable/c/c0ade5d98979585d4f5a93e4514c2e9a65afa08d" } ], "title": "dm cache: fix potential out-of-bounds access on the first resume", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50278", "datePublished": "2024-11-19T01:30:19.352Z", "dateReserved": "2024-10-21T19:36:19.983Z", "dateUpdated": "2024-12-19T09:37:09.903Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50301
Vulnerability from cvelistv5
Published
2024-11-19 01:30
Modified
2024-12-19 09:37
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
security/keys: fix slab-out-of-bounds in key_task_permission
KASAN reports an out of bounds read:
BUG: KASAN: slab-out-of-bounds in __kuid_val include/linux/uidgid.h:36
BUG: KASAN: slab-out-of-bounds in uid_eq include/linux/uidgid.h:63 [inline]
BUG: KASAN: slab-out-of-bounds in key_task_permission+0x394/0x410
security/keys/permission.c:54
Read of size 4 at addr ffff88813c3ab618 by task stress-ng/4362
CPU: 2 PID: 4362 Comm: stress-ng Not tainted 5.10.0-14930-gafbffd6c3ede #15
Call Trace:
__dump_stack lib/dump_stack.c:82 [inline]
dump_stack+0x107/0x167 lib/dump_stack.c:123
print_address_description.constprop.0+0x19/0x170 mm/kasan/report.c:400
__kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560
kasan_report+0x3a/0x50 mm/kasan/report.c:585
__kuid_val include/linux/uidgid.h:36 [inline]
uid_eq include/linux/uidgid.h:63 [inline]
key_task_permission+0x394/0x410 security/keys/permission.c:54
search_nested_keyrings+0x90e/0xe90 security/keys/keyring.c:793
This issue was also reported by syzbot.
It can be reproduced by following these steps(more details [1]):
1. Obtain more than 32 inputs that have similar hashes, which ends with the
pattern '0xxxxxxxe6'.
2. Reboot and add the keys obtained in step 1.
The reproducer demonstrates how this issue happened:
1. In the search_nested_keyrings function, when it iterates through the
slots in a node(below tag ascend_to_node), if the slot pointer is meta
and node->back_pointer != NULL(it means a root), it will proceed to
descend_to_node. However, there is an exception. If node is the root,
and one of the slots points to a shortcut, it will be treated as a
keyring.
2. Whether the ptr is keyring decided by keyring_ptr_is_keyring function.
However, KEYRING_PTR_SUBTYPE is 0x2UL, the same as
ASSOC_ARRAY_PTR_SUBTYPE_MASK.
3. When 32 keys with the similar hashes are added to the tree, the ROOT
has keys with hashes that are not similar (e.g. slot 0) and it splits
NODE A without using a shortcut. When NODE A is filled with keys that
all hashes are xxe6, the keys are similar, NODE A will split with a
shortcut. Finally, it forms the tree as shown below, where slot 6 points
to a shortcut.
NODE A
+------>+---+
ROOT | | 0 | xxe6
+---+ | +---+
xxxx | 0 | shortcut : : xxe6
+---+ | +---+
xxe6 : : | | | xxe6
+---+ | +---+
| 6 |---+ : : xxe6
+---+ +---+
xxe6 : : | f | xxe6
+---+ +---+
xxe6 | f |
+---+
4. As mentioned above, If a slot(slot 6) of the root points to a shortcut,
it may be mistakenly transferred to a key*, leading to a read
out-of-bounds read.
To fix this issue, one should jump to descend_to_node if the ptr is a
shortcut, regardless of whether the node is root or not.
[1] https://lore.kernel.org/linux-kernel/1cfa878e-8c7b-4570-8606-21daf5e13ce7@huaweicloud.com/
[jarkko: tweaked the commit message a bit to have an appropriate closes
tag.]
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: b2a4df200d570b2c33a57e1ebfa5896e4bc81b69 Version: b2a4df200d570b2c33a57e1ebfa5896e4bc81b69 Version: b2a4df200d570b2c33a57e1ebfa5896e4bc81b69 Version: b2a4df200d570b2c33a57e1ebfa5896e4bc81b69 Version: b2a4df200d570b2c33a57e1ebfa5896e4bc81b69 Version: b2a4df200d570b2c33a57e1ebfa5896e4bc81b69 Version: b2a4df200d570b2c33a57e1ebfa5896e4bc81b69 Version: b2a4df200d570b2c33a57e1ebfa5896e4bc81b69 |
||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "security/keys/keyring.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "c3ce634ad953ce48c75c39bdfd8b711dd95f346f", "status": "affected", "version": "b2a4df200d570b2c33a57e1ebfa5896e4bc81b69", "versionType": "git" }, { "lessThan": "4efb69a0e294ef201bcdf7ce3d6202cd0a545a5d", "status": "affected", "version": "b2a4df200d570b2c33a57e1ebfa5896e4bc81b69", "versionType": "git" }, { "lessThan": "1e4332581cd4eed75aea77af6f66cdcdda8b49b9", "status": "affected", "version": "b2a4df200d570b2c33a57e1ebfa5896e4bc81b69", "versionType": "git" }, { "lessThan": "199c20fb7499c79557a075dc24e9a7dae7d9f1ce", "status": "affected", "version": "b2a4df200d570b2c33a57e1ebfa5896e4bc81b69", "versionType": "git" }, { "lessThan": "bbad2d5b6c99db468d8f88b6ba6a56ed409b4881", "status": "affected", "version": "b2a4df200d570b2c33a57e1ebfa5896e4bc81b69", "versionType": "git" }, { "lessThan": "3e79ad156bedf2da0ab909a118d2cec6c9c22b79", "status": "affected", "version": "b2a4df200d570b2c33a57e1ebfa5896e4bc81b69", "versionType": "git" }, { "lessThan": "e0a317ad68e4ea48a0158187238c5407e4fdec8b", "status": "affected", "version": "b2a4df200d570b2c33a57e1ebfa5896e4bc81b69", "versionType": "git" }, { "lessThan": "4a74da044ec9ec8679e6beccc4306b936b62873f", "status": "affected", "version": "b2a4df200d570b2c33a57e1ebfa5896e4bc81b69", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "security/keys/keyring.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "3.13" }, { "lessThan": "3.13", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.324", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.286", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.230", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.172", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.117", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.61", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsecurity/keys: fix slab-out-of-bounds in key_task_permission\n\nKASAN reports an out of bounds read:\nBUG: KASAN: slab-out-of-bounds in __kuid_val include/linux/uidgid.h:36\nBUG: KASAN: slab-out-of-bounds in uid_eq include/linux/uidgid.h:63 [inline]\nBUG: KASAN: slab-out-of-bounds in key_task_permission+0x394/0x410\nsecurity/keys/permission.c:54\nRead of size 4 at addr ffff88813c3ab618 by task stress-ng/4362\n\nCPU: 2 PID: 4362 Comm: stress-ng Not tainted 5.10.0-14930-gafbffd6c3ede #15\nCall Trace:\n __dump_stack lib/dump_stack.c:82 [inline]\n dump_stack+0x107/0x167 lib/dump_stack.c:123\n print_address_description.constprop.0+0x19/0x170 mm/kasan/report.c:400\n __kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560\n kasan_report+0x3a/0x50 mm/kasan/report.c:585\n __kuid_val include/linux/uidgid.h:36 [inline]\n uid_eq include/linux/uidgid.h:63 [inline]\n key_task_permission+0x394/0x410 security/keys/permission.c:54\n search_nested_keyrings+0x90e/0xe90 security/keys/keyring.c:793\n\nThis issue was also reported by syzbot.\n\nIt can be reproduced by following these steps(more details [1]):\n1. Obtain more than 32 inputs that have similar hashes, which ends with the\n pattern \u00270xxxxxxxe6\u0027.\n2. Reboot and add the keys obtained in step 1.\n\nThe reproducer demonstrates how this issue happened:\n1. In the search_nested_keyrings function, when it iterates through the\n slots in a node(below tag ascend_to_node), if the slot pointer is meta\n and node-\u003eback_pointer != NULL(it means a root), it will proceed to\n descend_to_node. However, there is an exception. If node is the root,\n and one of the slots points to a shortcut, it will be treated as a\n keyring.\n2. Whether the ptr is keyring decided by keyring_ptr_is_keyring function.\n However, KEYRING_PTR_SUBTYPE is 0x2UL, the same as\n ASSOC_ARRAY_PTR_SUBTYPE_MASK.\n3. When 32 keys with the similar hashes are added to the tree, the ROOT\n has keys with hashes that are not similar (e.g. slot 0) and it splits\n NODE A without using a shortcut. When NODE A is filled with keys that\n all hashes are xxe6, the keys are similar, NODE A will split with a\n shortcut. Finally, it forms the tree as shown below, where slot 6 points\n to a shortcut.\n\n NODE A\n +------\u003e+---+\n ROOT | | 0 | xxe6\n +---+ | +---+\n xxxx | 0 | shortcut : : xxe6\n +---+ | +---+\n xxe6 : : | | | xxe6\n +---+ | +---+\n | 6 |---+ : : xxe6\n +---+ +---+\n xxe6 : : | f | xxe6\n +---+ +---+\n xxe6 | f |\n +---+\n\n4. As mentioned above, If a slot(slot 6) of the root points to a shortcut,\n it may be mistakenly transferred to a key*, leading to a read\n out-of-bounds read.\n\nTo fix this issue, one should jump to descend_to_node if the ptr is a\nshortcut, regardless of whether the node is root or not.\n\n[1] https://lore.kernel.org/linux-kernel/1cfa878e-8c7b-4570-8606-21daf5e13ce7@huaweicloud.com/\n\n[jarkko: tweaked the commit message a bit to have an appropriate closes\n tag.]" } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:37:45.554Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/c3ce634ad953ce48c75c39bdfd8b711dd95f346f" }, { "url": "https://git.kernel.org/stable/c/4efb69a0e294ef201bcdf7ce3d6202cd0a545a5d" }, { "url": "https://git.kernel.org/stable/c/1e4332581cd4eed75aea77af6f66cdcdda8b49b9" }, { "url": "https://git.kernel.org/stable/c/199c20fb7499c79557a075dc24e9a7dae7d9f1ce" }, { "url": "https://git.kernel.org/stable/c/bbad2d5b6c99db468d8f88b6ba6a56ed409b4881" }, { "url": "https://git.kernel.org/stable/c/3e79ad156bedf2da0ab909a118d2cec6c9c22b79" }, { "url": "https://git.kernel.org/stable/c/e0a317ad68e4ea48a0158187238c5407e4fdec8b" }, { "url": "https://git.kernel.org/stable/c/4a74da044ec9ec8679e6beccc4306b936b62873f" } ], "title": "security/keys: fix slab-out-of-bounds in key_task_permission", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50301", "datePublished": "2024-11-19T01:30:49.982Z", "dateReserved": "2024-10-21T19:36:19.987Z", "dateUpdated": "2024-12-19T09:37:45.554Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50283
Vulnerability from cvelistv5
Published
2024-11-19 01:30
Modified
2024-12-19 09:37
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix slab-use-after-free in smb3_preauth_hash_rsp
ksmbd_user_session_put should be called under smb3_preauth_hash_rsp().
It will avoid freeing session before calling smb3_preauth_hash_rsp().
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 0626e6641f6b467447c81dd7678a69c66f7746cf Version: 0626e6641f6b467447c81dd7678a69c66f7746cf Version: 0626e6641f6b467447c81dd7678a69c66f7746cf Version: 0626e6641f6b467447c81dd7678a69c66f7746cf Version: 0626e6641f6b467447c81dd7678a69c66f7746cf |
||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/smb/server/server.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "cb645064e0811053c94e86677f2e58ed29359d62", "status": "affected", "version": "0626e6641f6b467447c81dd7678a69c66f7746cf", "versionType": "git" }, { "lessThan": "f7557bbca40d4ca8bb1c6c940ac6c95078bd0827", "status": "affected", "version": "0626e6641f6b467447c81dd7678a69c66f7746cf", "versionType": "git" }, { "lessThan": "c6cdc08c25a868a08068dfc319fa9fce982b8e7f", "status": "affected", "version": "0626e6641f6b467447c81dd7678a69c66f7746cf", "versionType": "git" }, { "lessThan": "1b6ad475d4ed577d34e0157eb507be00c588bf5c", "status": "affected", "version": "0626e6641f6b467447c81dd7678a69c66f7746cf", "versionType": "git" }, { "lessThan": "b8fc56fbca7482c1e5c0e3351c6ae78982e25ada", "status": "affected", "version": "0626e6641f6b467447c81dd7678a69c66f7746cf", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/smb/server/server.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.15" }, { "lessThan": "5.15", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.174", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.117", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.61", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix slab-use-after-free in smb3_preauth_hash_rsp\n\nksmbd_user_session_put should be called under smb3_preauth_hash_rsp().\nIt will avoid freeing session before calling smb3_preauth_hash_rsp()." } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:37:16.205Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/cb645064e0811053c94e86677f2e58ed29359d62" }, { "url": "https://git.kernel.org/stable/c/f7557bbca40d4ca8bb1c6c940ac6c95078bd0827" }, { "url": "https://git.kernel.org/stable/c/c6cdc08c25a868a08068dfc319fa9fce982b8e7f" }, { "url": "https://git.kernel.org/stable/c/1b6ad475d4ed577d34e0157eb507be00c588bf5c" }, { "url": "https://git.kernel.org/stable/c/b8fc56fbca7482c1e5c0e3351c6ae78982e25ada" } ], "title": "ksmbd: fix slab-use-after-free in smb3_preauth_hash_rsp", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50283", "datePublished": "2024-11-19T01:30:25.968Z", "dateReserved": "2024-10-21T19:36:19.984Z", "dateUpdated": "2024-12-19T09:37:16.205Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50296
Vulnerability from cvelistv5
Published
2024-11-19 01:30
Modified
2024-12-19 09:37
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: hns3: fix kernel crash when uninstalling driver
When the driver is uninstalled and the VF is disabled concurrently, a
kernel crash occurs. The reason is that the two actions call function
pci_disable_sriov(). The num_VFs is checked to determine whether to
release the corresponding resources. During the second calling, num_VFs
is not 0 and the resource release function is called. However, the
corresponding resource has been released during the first invoking.
Therefore, the problem occurs:
[15277.839633][T50670] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020
...
[15278.131557][T50670] Call trace:
[15278.134686][T50670] klist_put+0x28/0x12c
[15278.138682][T50670] klist_del+0x14/0x20
[15278.142592][T50670] device_del+0xbc/0x3c0
[15278.146676][T50670] pci_remove_bus_device+0x84/0x120
[15278.151714][T50670] pci_stop_and_remove_bus_device+0x6c/0x80
[15278.157447][T50670] pci_iov_remove_virtfn+0xb4/0x12c
[15278.162485][T50670] sriov_disable+0x50/0x11c
[15278.166829][T50670] pci_disable_sriov+0x24/0x30
[15278.171433][T50670] hnae3_unregister_ae_algo_prepare+0x60/0x90 [hnae3]
[15278.178039][T50670] hclge_exit+0x28/0xd0 [hclge]
[15278.182730][T50670] __se_sys_delete_module.isra.0+0x164/0x230
[15278.188550][T50670] __arm64_sys_delete_module+0x1c/0x30
[15278.193848][T50670] invoke_syscall+0x50/0x11c
[15278.198278][T50670] el0_svc_common.constprop.0+0x158/0x164
[15278.203837][T50670] do_el0_svc+0x34/0xcc
[15278.207834][T50670] el0_svc+0x20/0x30
For details, see the following figure.
rmmod hclge disable VFs
----------------------------------------------------
hclge_exit() sriov_numvfs_store()
... device_lock()
pci_disable_sriov() hns3_pci_sriov_configure()
pci_disable_sriov()
sriov_disable()
sriov_disable() if !num_VFs :
if !num_VFs : return;
return; sriov_del_vfs()
sriov_del_vfs() ...
... klist_put()
klist_put() ...
... num_VFs = 0;
num_VFs = 0; device_unlock();
In this patch, when driver is removing, we get the device_lock()
to protect num_VFs, just like sriov_numvfs_store().
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: b06ad258e01389ca3ff13bc180f3fcd6a608f1cd Version: c4b64011e458aa2b246cd4e42012cfd83d2d9a5c Version: d36b15e3e7b5937cb1f6ac590a85facc3a320642 Version: 0dd8a25f355b4df2d41c08df1716340854c7d4c5 Version: 0dd8a25f355b4df2d41c08df1716340854c7d4c5 Version: 0dd8a25f355b4df2d41c08df1716340854c7d4c5 Version: 0dd8a25f355b4df2d41c08df1716340854c7d4c5 Version: 0dd8a25f355b4df2d41c08df1716340854c7d4c5 |
||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/hisilicon/hns3/hnae3.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "a0df055775f30850c0da8f7dab40d67c0fd63908", "status": "affected", "version": "b06ad258e01389ca3ff13bc180f3fcd6a608f1cd", "versionType": "git" }, { "lessThan": "7ae4e56de7dbd0999578246a536cf52a63f4056d", "status": "affected", "version": "c4b64011e458aa2b246cd4e42012cfd83d2d9a5c", "versionType": "git" }, { "lessThan": "590a4b2d4e0b73586e88bce9b8135b593355ec09", "status": "affected", "version": "d36b15e3e7b5937cb1f6ac590a85facc3a320642", "versionType": "git" }, { "lessThan": "e36482b222e00cc7aeeea772fc0cf2943590bc4d", "status": "affected", "version": "0dd8a25f355b4df2d41c08df1716340854c7d4c5", "versionType": "git" }, { "lessThan": "76b155e14d9b182ce83d32ada2d0d7219ea8c8dd", "status": "affected", "version": "0dd8a25f355b4df2d41c08df1716340854c7d4c5", "versionType": "git" }, { "lessThan": "719edd9f3372ce7fb3b157647c6658672946874b", "status": "affected", "version": "0dd8a25f355b4df2d41c08df1716340854c7d4c5", "versionType": "git" }, { "lessThan": "b5c94e4d947d15d521e935ff10c5a22a7883dea5", "status": "affected", "version": "0dd8a25f355b4df2d41c08df1716340854c7d4c5", "versionType": "git" }, { "lessThan": "df3dff8ab6d79edc942464999d06fbaedf8cdd18", "status": "affected", "version": "0dd8a25f355b4df2d41c08df1716340854c7d4c5", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/hisilicon/hns3/hnae3.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.15" }, { "lessThan": "5.15", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.324", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.286", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.230", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.172", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.117", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.61", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: fix kernel crash when uninstalling driver\n\nWhen the driver is uninstalled and the VF is disabled concurrently, a\nkernel crash occurs. The reason is that the two actions call function\npci_disable_sriov(). The num_VFs is checked to determine whether to\nrelease the corresponding resources. During the second calling, num_VFs\nis not 0 and the resource release function is called. However, the\ncorresponding resource has been released during the first invoking.\nTherefore, the problem occurs:\n\n[15277.839633][T50670] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020\n...\n[15278.131557][T50670] Call trace:\n[15278.134686][T50670] klist_put+0x28/0x12c\n[15278.138682][T50670] klist_del+0x14/0x20\n[15278.142592][T50670] device_del+0xbc/0x3c0\n[15278.146676][T50670] pci_remove_bus_device+0x84/0x120\n[15278.151714][T50670] pci_stop_and_remove_bus_device+0x6c/0x80\n[15278.157447][T50670] pci_iov_remove_virtfn+0xb4/0x12c\n[15278.162485][T50670] sriov_disable+0x50/0x11c\n[15278.166829][T50670] pci_disable_sriov+0x24/0x30\n[15278.171433][T50670] hnae3_unregister_ae_algo_prepare+0x60/0x90 [hnae3]\n[15278.178039][T50670] hclge_exit+0x28/0xd0 [hclge]\n[15278.182730][T50670] __se_sys_delete_module.isra.0+0x164/0x230\n[15278.188550][T50670] __arm64_sys_delete_module+0x1c/0x30\n[15278.193848][T50670] invoke_syscall+0x50/0x11c\n[15278.198278][T50670] el0_svc_common.constprop.0+0x158/0x164\n[15278.203837][T50670] do_el0_svc+0x34/0xcc\n[15278.207834][T50670] el0_svc+0x20/0x30\n\nFor details, see the following figure.\n\n rmmod hclge disable VFs\n----------------------------------------------------\nhclge_exit() sriov_numvfs_store()\n ... device_lock()\n pci_disable_sriov() hns3_pci_sriov_configure()\n pci_disable_sriov()\n sriov_disable()\n sriov_disable() if !num_VFs :\n if !num_VFs : return;\n return; sriov_del_vfs()\n sriov_del_vfs() ...\n ... klist_put()\n klist_put() ...\n ... num_VFs = 0;\n num_VFs = 0; device_unlock();\n\nIn this patch, when driver is removing, we get the device_lock()\nto protect num_VFs, just like sriov_numvfs_store()." } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:37:38.924Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/a0df055775f30850c0da8f7dab40d67c0fd63908" }, { "url": "https://git.kernel.org/stable/c/7ae4e56de7dbd0999578246a536cf52a63f4056d" }, { "url": "https://git.kernel.org/stable/c/590a4b2d4e0b73586e88bce9b8135b593355ec09" }, { "url": "https://git.kernel.org/stable/c/e36482b222e00cc7aeeea772fc0cf2943590bc4d" }, { "url": "https://git.kernel.org/stable/c/76b155e14d9b182ce83d32ada2d0d7219ea8c8dd" }, { "url": "https://git.kernel.org/stable/c/719edd9f3372ce7fb3b157647c6658672946874b" }, { "url": "https://git.kernel.org/stable/c/b5c94e4d947d15d521e935ff10c5a22a7883dea5" }, { "url": "https://git.kernel.org/stable/c/df3dff8ab6d79edc942464999d06fbaedf8cdd18" } ], "title": "net: hns3: fix kernel crash when uninstalling driver", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50296", "datePublished": "2024-11-19T01:30:43.318Z", "dateReserved": "2024-10-21T19:36:19.986Z", "dateUpdated": "2024-12-19T09:37:38.924Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50266
Vulnerability from cvelistv5
Published
2024-11-19 01:30
Modified
2024-12-19 09:36
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
clk: qcom: videocc-sm8350: use HW_CTRL_TRIGGER for vcodec GDSCs
A recent change in the venus driver results in a stuck clock on the
Lenovo ThinkPad X13s, for example, when streaming video in firefox:
video_cc_mvs0_clk status stuck at 'off'
WARNING: CPU: 6 PID: 2885 at drivers/clk/qcom/clk-branch.c:87 clk_branch_wait+0x144/0x15c
...
Call trace:
clk_branch_wait+0x144/0x15c
clk_branch2_enable+0x30/0x40
clk_core_enable+0xd8/0x29c
clk_enable+0x2c/0x4c
vcodec_clks_enable.isra.0+0x94/0xd8 [venus_core]
coreid_power_v4+0x464/0x628 [venus_core]
vdec_start_streaming+0xc4/0x510 [venus_dec]
vb2_start_streaming+0x6c/0x180 [videobuf2_common]
vb2_core_streamon+0x120/0x1dc [videobuf2_common]
vb2_streamon+0x1c/0x6c [videobuf2_v4l2]
v4l2_m2m_ioctl_streamon+0x30/0x80 [v4l2_mem2mem]
v4l_streamon+0x24/0x30 [videodev]
using the out-of-tree sm8350/sc8280xp venus support. [1]
Update also the sm8350/sc8280xp GDSC definitions so that the hw control
mode can be changed at runtime as the venus driver now requires.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/clk/qcom/videocc-sm8350.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "d055f6f2bdfb8b9c9bc071f748c16bd3afb2db0f", "status": "affected", "version": "ec9a652e514903df887791b669b70e86ab4e3ec5", "versionType": "git" }, { "lessThan": "f903663a8dcd6e1656e52856afbf706cc14cbe6d", "status": "affected", "version": "ec9a652e514903df887791b669b70e86ab4e3ec5", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/clk/qcom/videocc-sm8350.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.11" }, { "lessThan": "6.11", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: qcom: videocc-sm8350: use HW_CTRL_TRIGGER for vcodec GDSCs\n\nA recent change in the venus driver results in a stuck clock on the\nLenovo ThinkPad X13s, for example, when streaming video in firefox:\n\n\tvideo_cc_mvs0_clk status stuck at \u0027off\u0027\n\tWARNING: CPU: 6 PID: 2885 at drivers/clk/qcom/clk-branch.c:87 clk_branch_wait+0x144/0x15c\n\t...\n\tCall trace:\n\t clk_branch_wait+0x144/0x15c\n\t clk_branch2_enable+0x30/0x40\n\t clk_core_enable+0xd8/0x29c\n\t clk_enable+0x2c/0x4c\n\t vcodec_clks_enable.isra.0+0x94/0xd8 [venus_core]\n\t coreid_power_v4+0x464/0x628 [venus_core]\n\t vdec_start_streaming+0xc4/0x510 [venus_dec]\n\t vb2_start_streaming+0x6c/0x180 [videobuf2_common]\n\t vb2_core_streamon+0x120/0x1dc [videobuf2_common]\n\t vb2_streamon+0x1c/0x6c [videobuf2_v4l2]\n\t v4l2_m2m_ioctl_streamon+0x30/0x80 [v4l2_mem2mem]\n\t v4l_streamon+0x24/0x30 [videodev]\n\nusing the out-of-tree sm8350/sc8280xp venus support. [1]\n\nUpdate also the sm8350/sc8280xp GDSC definitions so that the hw control\nmode can be changed at runtime as the venus driver now requires." } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:36:53.512Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/d055f6f2bdfb8b9c9bc071f748c16bd3afb2db0f" }, { "url": "https://git.kernel.org/stable/c/f903663a8dcd6e1656e52856afbf706cc14cbe6d" } ], "title": "clk: qcom: videocc-sm8350: use HW_CTRL_TRIGGER for vcodec GDSCs", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50266", "datePublished": "2024-11-19T01:30:02.413Z", "dateReserved": "2024-10-21T19:36:19.982Z", "dateUpdated": "2024-12-19T09:36:53.512Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50274
Vulnerability from cvelistv5
Published
2024-11-19 01:30
Modified
2024-12-19 09:37
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
idpf: avoid vport access in idpf_get_link_ksettings
When the device control plane is removed or the platform
running device control plane is rebooted, a reset is detected
on the driver. On driver reset, it releases the resources and
waits for the reset to complete. If the reset fails, it takes
the error path and releases the vport lock. At this time if the
monitoring tools tries to access link settings, it call traces
for accessing released vport pointer.
To avoid it, move link_speed_mbps to netdev_priv structure
which removes the dependency on vport pointer and the vport lock
in idpf_get_link_ksettings. Also use netif_carrier_ok()
to check the link status and adjust the offsetof to use link_up
instead of link_speed_mbps.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/intel/idpf/idpf.h", "drivers/net/ethernet/intel/idpf/idpf_ethtool.c", "drivers/net/ethernet/intel/idpf/idpf_lib.c", "drivers/net/ethernet/intel/idpf/idpf_virtchnl.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "fa4d906ad0fb63a980a1d586a061c78ea1a345ba", "status": "affected", "version": "02cbfba1add5bd9088c7d14c6b93b77a6ea8f3bb", "versionType": "git" }, { "lessThan": "81d2fb4c7c18a3b36ba3e00b9d5b753107472d75", "status": "affected", "version": "02cbfba1add5bd9088c7d14c6b93b77a6ea8f3bb", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/intel/idpf/idpf.h", "drivers/net/ethernet/intel/idpf/idpf_ethtool.c", "drivers/net/ethernet/intel/idpf/idpf_lib.c", "drivers/net/ethernet/intel/idpf/idpf_virtchnl.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.7" }, { "lessThan": "6.7", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: avoid vport access in idpf_get_link_ksettings\n\nWhen the device control plane is removed or the platform\nrunning device control plane is rebooted, a reset is detected\non the driver. On driver reset, it releases the resources and\nwaits for the reset to complete. If the reset fails, it takes\nthe error path and releases the vport lock. At this time if the\nmonitoring tools tries to access link settings, it call traces\nfor accessing released vport pointer.\n\nTo avoid it, move link_speed_mbps to netdev_priv structure\nwhich removes the dependency on vport pointer and the vport lock\nin idpf_get_link_ksettings. Also use netif_carrier_ok()\nto check the link status and adjust the offsetof to use link_up\ninstead of link_speed_mbps." } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:37:04.833Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/fa4d906ad0fb63a980a1d586a061c78ea1a345ba" }, { "url": "https://git.kernel.org/stable/c/81d2fb4c7c18a3b36ba3e00b9d5b753107472d75" } ], "title": "idpf: avoid vport access in idpf_get_link_ksettings", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50274", "datePublished": "2024-11-19T01:30:13.973Z", "dateReserved": "2024-10-21T19:36:19.983Z", "dateUpdated": "2024-12-19T09:37:04.833Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50285
Vulnerability from cvelistv5
Published
2024-11-19 01:30
Modified
2024-12-19 09:37
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: check outstanding simultaneous SMB operations
If Client send simultaneous SMB operations to ksmbd, It exhausts too much
memory through the "ksmbd_work_cache”. It will cause OOM issue.
ksmbd has a credit mechanism but it can't handle this problem. This patch
add the check if it exceeds max credits to prevent this problem by assuming
that one smb request consumes at least one credit.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/smb/server/connection.c", "fs/smb/server/connection.h", "fs/smb/server/server.c", "fs/smb/server/smb_common.c", "fs/smb/server/smb_common.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "1f993777275cbd8f74765c4f9d9285cb907c9be5", "status": "affected", "version": "0626e6641f6b467447c81dd7678a69c66f7746cf", "versionType": "git" }, { "lessThan": "e257ac6fe138623cf59fca8898abdf659dbc8356", "status": "affected", "version": "0626e6641f6b467447c81dd7678a69c66f7746cf", "versionType": "git" }, { "lessThan": "0a77d947f599b1f39065015bec99390d0c0022ee", "status": "affected", "version": "0626e6641f6b467447c81dd7678a69c66f7746cf", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/smb/server/connection.c", "fs/smb/server/connection.h", "fs/smb/server/server.c", "fs/smb/server/smb_common.c", "fs/smb/server/smb_common.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.15" }, { "lessThan": "5.15", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.61", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: check outstanding simultaneous SMB operations\n\nIf Client send simultaneous SMB operations to ksmbd, It exhausts too much\nmemory through the \"ksmbd_work_cache\u201d. It will cause OOM issue.\nksmbd has a credit mechanism but it can\u0027t handle this problem. This patch\nadd the check if it exceeds max credits to prevent this problem by assuming\nthat one smb request consumes at least one credit." } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:37:19.038Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/1f993777275cbd8f74765c4f9d9285cb907c9be5" }, { "url": "https://git.kernel.org/stable/c/e257ac6fe138623cf59fca8898abdf659dbc8356" }, { "url": "https://git.kernel.org/stable/c/0a77d947f599b1f39065015bec99390d0c0022ee" } ], "title": "ksmbd: check outstanding simultaneous SMB operations", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50285", "datePublished": "2024-11-19T01:30:28.603Z", "dateReserved": "2024-10-21T19:36:19.984Z", "dateUpdated": "2024-12-19T09:37:19.038Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50273
Vulnerability from cvelistv5
Published
2024-11-19 01:30
Modified
2024-12-19 09:37
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: reinitialize delayed ref list after deleting it from the list
At insert_delayed_ref() if we need to update the action of an existing
ref to BTRFS_DROP_DELAYED_REF, we delete the ref from its ref head's
ref_add_list using list_del(), which leaves the ref's add_list member
not reinitialized, as list_del() sets the next and prev members of the
list to LIST_POISON1 and LIST_POISON2, respectively.
If later we end up calling drop_delayed_ref() against the ref, which can
happen during merging or when destroying delayed refs due to a transaction
abort, we can trigger a crash since at drop_delayed_ref() we call
list_empty() against the ref's add_list, which returns false since
the list was not reinitialized after the list_del() and as a consequence
we call list_del() again at drop_delayed_ref(). This results in an
invalid list access since the next and prev members are set to poison
pointers, resulting in a splat if CONFIG_LIST_HARDENED and
CONFIG_DEBUG_LIST are set or invalid poison pointer dereferences
otherwise.
So fix this by deleting from the list with list_del_init() instead.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1d57ee941692d0cc928526e21a1557b2ae3e11db Version: 1d57ee941692d0cc928526e21a1557b2ae3e11db Version: 1d57ee941692d0cc928526e21a1557b2ae3e11db Version: 1d57ee941692d0cc928526e21a1557b2ae3e11db Version: 1d57ee941692d0cc928526e21a1557b2ae3e11db Version: 1d57ee941692d0cc928526e21a1557b2ae3e11db Version: 1d57ee941692d0cc928526e21a1557b2ae3e11db Version: 1d57ee941692d0cc928526e21a1557b2ae3e11db |
||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/btrfs/delayed-ref.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "2fd0948a483e9cb2d669c7199bc620a21c97673d", "status": "affected", "version": "1d57ee941692d0cc928526e21a1557b2ae3e11db", "versionType": "git" }, { "lessThan": "93c5b8decc0ef39ba84f4211d2db6da0a4aefbeb", "status": "affected", "version": "1d57ee941692d0cc928526e21a1557b2ae3e11db", "versionType": "git" }, { "lessThan": "bf0b0c6d159767c0d1c21f793950d78486690ee0", "status": "affected", "version": "1d57ee941692d0cc928526e21a1557b2ae3e11db", "versionType": "git" }, { "lessThan": "c24fa427fc0ae827b2a3a07f13738cbf82c3f851", "status": "affected", "version": "1d57ee941692d0cc928526e21a1557b2ae3e11db", "versionType": "git" }, { "lessThan": "2cb1a73d1d44a1c11b0ee5eeced765dd80ec48e6", "status": "affected", "version": "1d57ee941692d0cc928526e21a1557b2ae3e11db", "versionType": "git" }, { "lessThan": "f04be6d68f715c1473a8422fc0460f57b5e99931", "status": "affected", "version": "1d57ee941692d0cc928526e21a1557b2ae3e11db", "versionType": "git" }, { "lessThan": "50a3933760b427759afdd23156a7280a19357a92", "status": "affected", "version": "1d57ee941692d0cc928526e21a1557b2ae3e11db", "versionType": "git" }, { "lessThan": "c9a75ec45f1111ef530ab186c2a7684d0a0c9245", "status": "affected", "version": "1d57ee941692d0cc928526e21a1557b2ae3e11db", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/btrfs/delayed-ref.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.10" }, { "lessThan": "4.10", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.324", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.286", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.230", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.172", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.117", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.61", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: reinitialize delayed ref list after deleting it from the list\n\nAt insert_delayed_ref() if we need to update the action of an existing\nref to BTRFS_DROP_DELAYED_REF, we delete the ref from its ref head\u0027s\nref_add_list using list_del(), which leaves the ref\u0027s add_list member\nnot reinitialized, as list_del() sets the next and prev members of the\nlist to LIST_POISON1 and LIST_POISON2, respectively.\n\nIf later we end up calling drop_delayed_ref() against the ref, which can\nhappen during merging or when destroying delayed refs due to a transaction\nabort, we can trigger a crash since at drop_delayed_ref() we call\nlist_empty() against the ref\u0027s add_list, which returns false since\nthe list was not reinitialized after the list_del() and as a consequence\nwe call list_del() again at drop_delayed_ref(). This results in an\ninvalid list access since the next and prev members are set to poison\npointers, resulting in a splat if CONFIG_LIST_HARDENED and\nCONFIG_DEBUG_LIST are set or invalid poison pointer dereferences\notherwise.\n\nSo fix this by deleting from the list with list_del_init() instead." } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:37:03.572Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/2fd0948a483e9cb2d669c7199bc620a21c97673d" }, { "url": "https://git.kernel.org/stable/c/93c5b8decc0ef39ba84f4211d2db6da0a4aefbeb" }, { "url": "https://git.kernel.org/stable/c/bf0b0c6d159767c0d1c21f793950d78486690ee0" }, { "url": "https://git.kernel.org/stable/c/c24fa427fc0ae827b2a3a07f13738cbf82c3f851" }, { "url": "https://git.kernel.org/stable/c/2cb1a73d1d44a1c11b0ee5eeced765dd80ec48e6" }, { "url": "https://git.kernel.org/stable/c/f04be6d68f715c1473a8422fc0460f57b5e99931" }, { "url": "https://git.kernel.org/stable/c/50a3933760b427759afdd23156a7280a19357a92" }, { "url": "https://git.kernel.org/stable/c/c9a75ec45f1111ef530ab186c2a7684d0a0c9245" } ], "title": "btrfs: reinitialize delayed ref list after deleting it from the list", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50273", "datePublished": "2024-11-19T01:30:12.589Z", "dateReserved": "2024-10-21T19:36:19.983Z", "dateUpdated": "2024-12-19T09:37:03.572Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50302
Vulnerability from cvelistv5
Published
2024-11-19 01:30
Modified
2024-12-19 09:37
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: core: zero-initialize the report buffer
Since the report buffer is used by all kinds of drivers in various ways, let's
zero-initialize it during allocation to make sure that it can't be ever used
to leak kernel memory via specially-crafted report.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 27ce405039bfe6d3f4143415c638f56a3df77dca Version: 27ce405039bfe6d3f4143415c638f56a3df77dca Version: 27ce405039bfe6d3f4143415c638f56a3df77dca Version: 27ce405039bfe6d3f4143415c638f56a3df77dca Version: 27ce405039bfe6d3f4143415c638f56a3df77dca Version: 27ce405039bfe6d3f4143415c638f56a3df77dca Version: 27ce405039bfe6d3f4143415c638f56a3df77dca Version: 27ce405039bfe6d3f4143415c638f56a3df77dca |
||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/hid/hid-core.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "e7ea60184e1e88a3c9e437b3265cbb6439aa7e26", "status": "affected", "version": "27ce405039bfe6d3f4143415c638f56a3df77dca", "versionType": "git" }, { "lessThan": "3f9e88f2672c4635960570ee9741778d4135ecf5", "status": "affected", "version": "27ce405039bfe6d3f4143415c638f56a3df77dca", "versionType": "git" }, { "lessThan": "d7dc68d82ab3fcfc3f65322465da3d7031d4ab46", "status": "affected", "version": "27ce405039bfe6d3f4143415c638f56a3df77dca", "versionType": "git" }, { "lessThan": "05ade5d4337867929e7ef664e7ac8e0c734f1aaf", "status": "affected", "version": "27ce405039bfe6d3f4143415c638f56a3df77dca", "versionType": "git" }, { "lessThan": "1884ab3d22536a5c14b17c78c2ce76d1734e8b0b", "status": "affected", "version": "27ce405039bfe6d3f4143415c638f56a3df77dca", "versionType": "git" }, { "lessThan": "9d9f5c75c0c7f31766ec27d90f7a6ac673193191", "status": "affected", "version": "27ce405039bfe6d3f4143415c638f56a3df77dca", "versionType": "git" }, { "lessThan": "492015e6249fbcd42138b49de3c588d826dd9648", "status": "affected", "version": "27ce405039bfe6d3f4143415c638f56a3df77dca", "versionType": "git" }, { "lessThan": "177f25d1292c7e16e1199b39c85480f7f8815552", "status": "affected", "version": "27ce405039bfe6d3f4143415c638f56a3df77dca", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/hid/hid-core.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "3.12" }, { "lessThan": "3.12", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.324", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.286", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.230", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.172", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.117", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.61", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: core: zero-initialize the report buffer\n\nSince the report buffer is used by all kinds of drivers in various ways, let\u0027s\nzero-initialize it during allocation to make sure that it can\u0027t be ever used\nto leak kernel memory via specially-crafted report." } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:37:46.944Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/e7ea60184e1e88a3c9e437b3265cbb6439aa7e26" }, { "url": "https://git.kernel.org/stable/c/3f9e88f2672c4635960570ee9741778d4135ecf5" }, { "url": "https://git.kernel.org/stable/c/d7dc68d82ab3fcfc3f65322465da3d7031d4ab46" }, { "url": "https://git.kernel.org/stable/c/05ade5d4337867929e7ef664e7ac8e0c734f1aaf" }, { "url": "https://git.kernel.org/stable/c/1884ab3d22536a5c14b17c78c2ce76d1734e8b0b" }, { "url": "https://git.kernel.org/stable/c/9d9f5c75c0c7f31766ec27d90f7a6ac673193191" }, { "url": "https://git.kernel.org/stable/c/492015e6249fbcd42138b49de3c588d826dd9648" }, { "url": "https://git.kernel.org/stable/c/177f25d1292c7e16e1199b39c85480f7f8815552" } ], "title": "HID: core: zero-initialize the report buffer", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50302", "datePublished": "2024-11-19T01:30:51.300Z", "dateReserved": "2024-10-21T19:36:19.987Z", "dateUpdated": "2024-12-19T09:37:46.944Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50300
Vulnerability from cvelistv5
Published
2024-11-19 01:30
Modified
2024-12-19 09:37
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
regulator: rtq2208: Fix uninitialized use of regulator_config
Fix rtq2208 driver uninitialized use to cause kernel error.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/regulator/rtq2208-regulator.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "9b7c0405af667857b3ad24a7ef6723f5475a9e43", "status": "affected", "version": "85a11f55621a0c18b22b43ab4219450ac1d19386", "versionType": "git" }, { "lessThan": "64fbab934ae59be9caffc80a75450984b1e108e0", "status": "affected", "version": "85a11f55621a0c18b22b43ab4219450ac1d19386", "versionType": "git" }, { "lessThan": "2feb023110843acce790e9089e72e9a9503d9fa5", "status": "affected", "version": "85a11f55621a0c18b22b43ab4219450ac1d19386", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/regulator/rtq2208-regulator.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.6" }, { "lessThan": "6.6", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.61", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: rtq2208: Fix uninitialized use of regulator_config\n\nFix rtq2208 driver uninitialized use to cause kernel error." } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:37:44.037Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/9b7c0405af667857b3ad24a7ef6723f5475a9e43" }, { "url": "https://git.kernel.org/stable/c/64fbab934ae59be9caffc80a75450984b1e108e0" }, { "url": "https://git.kernel.org/stable/c/2feb023110843acce790e9089e72e9a9503d9fa5" } ], "title": "regulator: rtq2208: Fix uninitialized use of regulator_config", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50300", "datePublished": "2024-11-19T01:30:48.650Z", "dateReserved": "2024-10-21T19:36:19.987Z", "dateUpdated": "2024-12-19T09:37:44.037Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50294
Vulnerability from cvelistv5
Published
2024-11-19 01:30
Modified
2024-12-19 09:37
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: Fix missing locking causing hanging calls
If a call gets aborted (e.g. because kafs saw a signal) between it being
queued for connection and the I/O thread picking up the call, the abort
will be prioritised over the connection and it will be removed from
local->new_client_calls by rxrpc_disconnect_client_call() without a lock
being held. This may cause other calls on the list to disappear if a race
occurs.
Fix this by taking the client_call_lock when removing a call from whatever
list its ->wait_link happens to be on.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "include/trace/events/rxrpc.h", "net/rxrpc/conn_client.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "996a7208dadbf2cdda8d51444d5ee1fdd1ccbc92", "status": "affected", "version": "9d35d880e0e4a3ab32d8c12f9e4d76198aadd42d", "versionType": "git" }, { "lessThan": "b1fdb0bb3b6513f5bd26f92369fd6ac1a2422d8b", "status": "affected", "version": "9d35d880e0e4a3ab32d8c12f9e4d76198aadd42d", "versionType": "git" }, { "lessThan": "fc9de52de38f656399d2ce40f7349a6b5f86e787", "status": "affected", "version": "9d35d880e0e4a3ab32d8c12f9e4d76198aadd42d", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "include/trace/events/rxrpc.h", "net/rxrpc/conn_client.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.2" }, { "lessThan": "6.2", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.61", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix missing locking causing hanging calls\n\nIf a call gets aborted (e.g. because kafs saw a signal) between it being\nqueued for connection and the I/O thread picking up the call, the abort\nwill be prioritised over the connection and it will be removed from\nlocal-\u003enew_client_calls by rxrpc_disconnect_client_call() without a lock\nbeing held. This may cause other calls on the list to disappear if a race\noccurs.\n\nFix this by taking the client_call_lock when removing a call from whatever\nlist its -\u003ewait_link happens to be on." } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:37:36.299Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/996a7208dadbf2cdda8d51444d5ee1fdd1ccbc92" }, { "url": "https://git.kernel.org/stable/c/b1fdb0bb3b6513f5bd26f92369fd6ac1a2422d8b" }, { "url": "https://git.kernel.org/stable/c/fc9de52de38f656399d2ce40f7349a6b5f86e787" } ], "title": "rxrpc: Fix missing locking causing hanging calls", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50294", "datePublished": "2024-11-19T01:30:40.699Z", "dateReserved": "2024-10-21T19:36:19.986Z", "dateUpdated": "2024-12-19T09:37:36.299Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50286
Vulnerability from cvelistv5
Published
2024-11-19 01:30
Modified
2024-12-19 09:37
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix slab-use-after-free in ksmbd_smb2_session_create
There is a race condition between ksmbd_smb2_session_create and
ksmbd_expire_session. This patch add missing sessions_table_lock
while adding/deleting session from global session table.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/smb/server/mgmt/user_session.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "f56446ba5378d19e31040b548a14ee9a8f1500ea", "status": "affected", "version": "0626e6641f6b467447c81dd7678a69c66f7746cf", "versionType": "git" }, { "lessThan": "e923503a56b3385b64ae492e3225e4623f560c5b", "status": "affected", "version": "0626e6641f6b467447c81dd7678a69c66f7746cf", "versionType": "git" }, { "lessThan": "e7a2ad2044377853cf8c59528dac808a08a99c72", "status": "affected", "version": "0626e6641f6b467447c81dd7678a69c66f7746cf", "versionType": "git" }, { "lessThan": "0a77715db22611df50b178374c51e2ba0d58866e", "status": "affected", "version": "0626e6641f6b467447c81dd7678a69c66f7746cf", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/smb/server/mgmt/user_session.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.15" }, { "lessThan": "5.15", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.117", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.61", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix slab-use-after-free in ksmbd_smb2_session_create\n\nThere is a race condition between ksmbd_smb2_session_create and\nksmbd_expire_session. This patch add missing sessions_table_lock\nwhile adding/deleting session from global session table." } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:37:20.356Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/f56446ba5378d19e31040b548a14ee9a8f1500ea" }, { "url": "https://git.kernel.org/stable/c/e923503a56b3385b64ae492e3225e4623f560c5b" }, { "url": "https://git.kernel.org/stable/c/e7a2ad2044377853cf8c59528dac808a08a99c72" }, { "url": "https://git.kernel.org/stable/c/0a77715db22611df50b178374c51e2ba0d58866e" } ], "title": "ksmbd: fix slab-use-after-free in ksmbd_smb2_session_create", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50286", "datePublished": "2024-11-19T01:30:29.948Z", "dateReserved": "2024-10-21T19:36:19.984Z", "dateUpdated": "2024-12-19T09:37:20.356Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50281
Vulnerability from cvelistv5
Published
2024-11-19 01:30
Modified
2024-12-19 09:37
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
KEYS: trusted: dcp: fix NULL dereference in AEAD crypto operation
When sealing or unsealing a key blob we currently do not wait for
the AEAD cipher operation to finish and simply return after submitting
the request. If there is some load on the system we can exit before
the cipher operation is done and the buffer we read from/write to
is already removed from the stack. This will e.g. result in NULL
pointer dereference errors in the DCP driver during blob creation.
Fix this by waiting for the AEAD cipher operation to finish before
resuming the seal and unseal calls.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "security/keys/trusted-keys/trusted_dcp.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "c75e0272289eae18c5379518a9c56ef31d65cc7d", "status": "affected", "version": "0e28bf61a5f9ab30be3f3b4eafb8d097e39446bb", "versionType": "git" }, { "lessThan": "04de7589e0a95167d803ecadd115235ba2c14997", "status": "affected", "version": "0e28bf61a5f9ab30be3f3b4eafb8d097e39446bb", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "security/keys/trusted-keys/trusted_dcp.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.11" }, { "lessThan": "6.11", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKEYS: trusted: dcp: fix NULL dereference in AEAD crypto operation\n\nWhen sealing or unsealing a key blob we currently do not wait for\nthe AEAD cipher operation to finish and simply return after submitting\nthe request. If there is some load on the system we can exit before\nthe cipher operation is done and the buffer we read from/write to\nis already removed from the stack. This will e.g. result in NULL\npointer dereference errors in the DCP driver during blob creation.\n\nFix this by waiting for the AEAD cipher operation to finish before\nresuming the seal and unseal calls." } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:37:13.699Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/c75e0272289eae18c5379518a9c56ef31d65cc7d" }, { "url": "https://git.kernel.org/stable/c/04de7589e0a95167d803ecadd115235ba2c14997" } ], "title": "KEYS: trusted: dcp: fix NULL dereference in AEAD crypto operation", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50281", "datePublished": "2024-11-19T01:30:23.275Z", "dateReserved": "2024-10-21T19:36:19.983Z", "dateUpdated": "2024-12-19T09:37:13.699Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50279
Vulnerability from cvelistv5
Published
2024-11-19 01:30
Modified
2024-12-19 09:37
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dm cache: fix out-of-bounds access to the dirty bitset when resizing
dm-cache checks the dirty bits of the cache blocks to be dropped when
shrinking the fast device, but an index bug in bitset iteration causes
out-of-bounds access.
Reproduce steps:
1. create a cache device of 1024 cache blocks (128 bytes dirty bitset)
dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
dmsetup create cdata --table "0 131072 linear /dev/sdc 8192"
dmsetup create corig --table "0 524288 linear /dev/sdc 262144"
dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct
dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"
2. shrink the fast device to 512 cache blocks, triggering out-of-bounds
access to the dirty bitset (offset 0x80)
dmsetup suspend cache
dmsetup reload cdata --table "0 65536 linear /dev/sdc 8192"
dmsetup resume cdata
dmsetup resume cache
KASAN reports:
BUG: KASAN: vmalloc-out-of-bounds in cache_preresume+0x269/0x7b0
Read of size 8 at addr ffffc900000f3080 by task dmsetup/131
(...snip...)
The buggy address belongs to the virtual mapping at
[ffffc900000f3000, ffffc900000f5000) created by:
cache_ctr+0x176a/0x35f0
(...snip...)
Memory state around the buggy address:
ffffc900000f2f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
ffffc900000f3000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc900000f3080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
^
ffffc900000f3100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
ffffc900000f3180: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
Fix by making the index post-incremented.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498 Version: f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498 Version: f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498 Version: f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498 Version: f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498 Version: f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498 Version: f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498 Version: f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498 |
||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/md/dm-cache-target.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "4fa4feb873cea0e9d6ff883b37cca6f33169d8b4", "status": "affected", "version": "f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498", "versionType": "git" }, { "lessThan": "8501e38dc9e0060814c4085815fc83da3e6d43bf", "status": "affected", "version": "f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498", "versionType": "git" }, { "lessThan": "ee1f74925717ab36f6a091104c170639501ce818", "status": "affected", "version": "f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498", "versionType": "git" }, { "lessThan": "ff1dd8a04c30e8d4e2fd5c83198ca672eb6a9e7f", "status": "affected", "version": "f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498", "versionType": "git" }, { "lessThan": "56507203e1b6127967ec2b51fb0b23a0d4af1334", "status": "affected", "version": "f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498", "versionType": "git" }, { "lessThan": "e57648ce325fa405fe6bbd0e6a618ced7c301a2d", "status": "affected", "version": "f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498", "versionType": "git" }, { "lessThan": "3b02c40ff10fdf83cc545850db208de855ebe22c", "status": "affected", "version": "f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498", "versionType": "git" }, { "lessThan": "792227719725497ce10a8039803bec13f89f8910", "status": "affected", "version": "f494a9c6b1b6dd9a9f21bbb75d9210d478eeb498", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/md/dm-cache-target.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "3.13" }, { "lessThan": "3.13", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.324", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.286", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.230", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.172", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.117", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.61", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm cache: fix out-of-bounds access to the dirty bitset when resizing\n\ndm-cache checks the dirty bits of the cache blocks to be dropped when\nshrinking the fast device, but an index bug in bitset iteration causes\nout-of-bounds access.\n\nReproduce steps:\n\n1. create a cache device of 1024 cache blocks (128 bytes dirty bitset)\n\ndmsetup create cmeta --table \"0 8192 linear /dev/sdc 0\"\ndmsetup create cdata --table \"0 131072 linear /dev/sdc 8192\"\ndmsetup create corig --table \"0 524288 linear /dev/sdc 262144\"\ndd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct\ndmsetup create cache --table \"0 524288 cache /dev/mapper/cmeta \\\n/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0\"\n\n2. shrink the fast device to 512 cache blocks, triggering out-of-bounds\n access to the dirty bitset (offset 0x80)\n\ndmsetup suspend cache\ndmsetup reload cdata --table \"0 65536 linear /dev/sdc 8192\"\ndmsetup resume cdata\ndmsetup resume cache\n\nKASAN reports:\n\n BUG: KASAN: vmalloc-out-of-bounds in cache_preresume+0x269/0x7b0\n Read of size 8 at addr ffffc900000f3080 by task dmsetup/131\n\n (...snip...)\n The buggy address belongs to the virtual mapping at\n [ffffc900000f3000, ffffc900000f5000) created by:\n cache_ctr+0x176a/0x35f0\n\n (...snip...)\n Memory state around the buggy address:\n ffffc900000f2f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n ffffc900000f3000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n \u003effffc900000f3080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n ^\n ffffc900000f3100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n ffffc900000f3180: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n\nFix by making the index post-incremented." } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:37:11.114Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/4fa4feb873cea0e9d6ff883b37cca6f33169d8b4" }, { "url": "https://git.kernel.org/stable/c/8501e38dc9e0060814c4085815fc83da3e6d43bf" }, { "url": "https://git.kernel.org/stable/c/ee1f74925717ab36f6a091104c170639501ce818" }, { "url": "https://git.kernel.org/stable/c/ff1dd8a04c30e8d4e2fd5c83198ca672eb6a9e7f" }, { "url": "https://git.kernel.org/stable/c/56507203e1b6127967ec2b51fb0b23a0d4af1334" }, { "url": "https://git.kernel.org/stable/c/e57648ce325fa405fe6bbd0e6a618ced7c301a2d" }, { "url": "https://git.kernel.org/stable/c/3b02c40ff10fdf83cc545850db208de855ebe22c" }, { "url": "https://git.kernel.org/stable/c/792227719725497ce10a8039803bec13f89f8910" } ], "title": "dm cache: fix out-of-bounds access to the dirty bitset when resizing", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50279", "datePublished": "2024-11-19T01:30:20.712Z", "dateReserved": "2024-10-21T19:36:19.983Z", "dateUpdated": "2024-12-19T09:37:11.114Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50267
Vulnerability from cvelistv5
Published
2024-11-19 01:30
Modified
2024-12-19 09:36
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
USB: serial: io_edgeport: fix use after free in debug printk
The "dev_dbg(&urb->dev->dev, ..." which happens after usb_free_urb(urb)
is a use after free of the "urb" pointer. Store the "dev" pointer at the
start of the function to avoid this issue.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 984f68683298ba53af32f909de1f9452fbb37ccb Version: 984f68683298ba53af32f909de1f9452fbb37ccb Version: 984f68683298ba53af32f909de1f9452fbb37ccb Version: 984f68683298ba53af32f909de1f9452fbb37ccb Version: 984f68683298ba53af32f909de1f9452fbb37ccb Version: 984f68683298ba53af32f909de1f9452fbb37ccb Version: 984f68683298ba53af32f909de1f9452fbb37ccb Version: 984f68683298ba53af32f909de1f9452fbb37ccb |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-50267", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-12-11T14:26:40.834609Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-416", "description": "CWE-416 Use After Free", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-12-11T14:58:31.952Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/usb/serial/io_edgeport.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "e6ceb04eeb6115d872d4c4078d12f1170ed755ce", "status": "affected", "version": "984f68683298ba53af32f909de1f9452fbb37ccb", "versionType": "git" }, { "lessThan": "39709ce93f5c3f9eb535efe2afea088805d1128f", "status": "affected", "version": "984f68683298ba53af32f909de1f9452fbb37ccb", "versionType": "git" }, { "lessThan": "e567fc8f7a4460e486e52c9261b1e8b9f5dc42aa", "status": "affected", "version": "984f68683298ba53af32f909de1f9452fbb37ccb", "versionType": "git" }, { "lessThan": "44fff2c16c5aafbdb70c7183dae0a415ae74705e", "status": "affected", "version": "984f68683298ba53af32f909de1f9452fbb37ccb", "versionType": "git" }, { "lessThan": "275258c30bbda29467216e96fb655b16bcc9992b", "status": "affected", "version": "984f68683298ba53af32f909de1f9452fbb37ccb", "versionType": "git" }, { "lessThan": "13d6ff3ca76056d06a9d88300be2a293442ff595", "status": "affected", "version": "984f68683298ba53af32f909de1f9452fbb37ccb", "versionType": "git" }, { "lessThan": "314bdf446053e123f37543aa535197ee75f8aa97", "status": "affected", "version": "984f68683298ba53af32f909de1f9452fbb37ccb", "versionType": "git" }, { "lessThan": "37bb5628379295c1254c113a407cab03a0f4d0b4", "status": "affected", "version": "984f68683298ba53af32f909de1f9452fbb37ccb", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/usb/serial/io_edgeport.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "3.7" }, { "lessThan": "3.7", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.324", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.286", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.230", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.172", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.117", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.61", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: serial: io_edgeport: fix use after free in debug printk\n\nThe \"dev_dbg(\u0026urb-\u003edev-\u003edev, ...\" which happens after usb_free_urb(urb)\nis a use after free of the \"urb\" pointer. Store the \"dev\" pointer at the\nstart of the function to avoid this issue." } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:36:54.826Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/e6ceb04eeb6115d872d4c4078d12f1170ed755ce" }, { "url": "https://git.kernel.org/stable/c/39709ce93f5c3f9eb535efe2afea088805d1128f" }, { "url": "https://git.kernel.org/stable/c/e567fc8f7a4460e486e52c9261b1e8b9f5dc42aa" }, { "url": "https://git.kernel.org/stable/c/44fff2c16c5aafbdb70c7183dae0a415ae74705e" }, { "url": "https://git.kernel.org/stable/c/275258c30bbda29467216e96fb655b16bcc9992b" }, { "url": "https://git.kernel.org/stable/c/13d6ff3ca76056d06a9d88300be2a293442ff595" }, { "url": "https://git.kernel.org/stable/c/314bdf446053e123f37543aa535197ee75f8aa97" }, { "url": "https://git.kernel.org/stable/c/37bb5628379295c1254c113a407cab03a0f4d0b4" } ], "title": "USB: serial: io_edgeport: fix use after free in debug printk", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50267", "datePublished": "2024-11-19T01:30:03.929Z", "dateReserved": "2024-10-21T19:36:19.982Z", "dateUpdated": "2024-12-19T09:36:54.826Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50270
Vulnerability from cvelistv5
Published
2024-11-19 01:30
Modified
2024-12-19 09:36
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/damon/core: avoid overflow in damon_feed_loop_next_input()
damon_feed_loop_next_input() is inefficient and fragile to overflows.
Specifically, 'score_goal_diff_bp' calculation can overflow when 'score'
is high. The calculation is actually unnecessary at all because 'goal' is
a constant of value 10,000. Calculation of 'compensation' is again
fragile to overflow. Final calculation of return value for under-achiving
case is again fragile to overflow when the current score is
under-achieving the target.
Add two corner cases handling at the beginning of the function to make the
body easier to read, and rewrite the body of the function to avoid
overflows and the unnecessary bp value calcuation.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "mm/damon/core.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "2d339a1f0f16ff5dea58e612ff336f0be0d041e9", "status": "affected", "version": "9294a037c01564786abb15436529fae3863268a2", "versionType": "git" }, { "lessThan": "4401e9d10ab0281a520b9f8c220f30f60b5c248f", "status": "affected", "version": "9294a037c01564786abb15436529fae3863268a2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "mm/damon/core.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.8" }, { "lessThan": "6.8", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/core: avoid overflow in damon_feed_loop_next_input()\n\ndamon_feed_loop_next_input() is inefficient and fragile to overflows. \nSpecifically, \u0027score_goal_diff_bp\u0027 calculation can overflow when \u0027score\u0027\nis high. The calculation is actually unnecessary at all because \u0027goal\u0027 is\na constant of value 10,000. Calculation of \u0027compensation\u0027 is again\nfragile to overflow. Final calculation of return value for under-achiving\ncase is again fragile to overflow when the current score is\nunder-achieving the target.\n\nAdd two corner cases handling at the beginning of the function to make the\nbody easier to read, and rewrite the body of the function to avoid\noverflows and the unnecessary bp value calcuation." } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:36:58.860Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/2d339a1f0f16ff5dea58e612ff336f0be0d041e9" }, { "url": "https://git.kernel.org/stable/c/4401e9d10ab0281a520b9f8c220f30f60b5c248f" } ], "title": "mm/damon/core: avoid overflow in damon_feed_loop_next_input()", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50270", "datePublished": "2024-11-19T01:30:08.406Z", "dateReserved": "2024-10-21T19:36:19.982Z", "dateUpdated": "2024-12-19T09:36:58.860Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50271
Vulnerability from cvelistv5
Published
2024-11-19 01:30
Modified
2024-12-19 09:37
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
signal: restore the override_rlimit logic
Prior to commit d64696905554 ("Reimplement RLIMIT_SIGPENDING on top of
ucounts") UCOUNT_RLIMIT_SIGPENDING rlimit was not enforced for a class of
signals. However now it's enforced unconditionally, even if
override_rlimit is set. This behavior change caused production issues.
For example, if the limit is reached and a process receives a SIGSEGV
signal, sigqueue_alloc fails to allocate the necessary resources for the
signal delivery, preventing the signal from being delivered with siginfo.
This prevents the process from correctly identifying the fault address and
handling the error. From the user-space perspective, applications are
unaware that the limit has been reached and that the siginfo is
effectively 'corrupted'. This can lead to unpredictable behavior and
crashes, as we observed with java applications.
Fix this by passing override_rlimit into inc_rlimit_get_ucounts() and skip
the comparison to max there if override_rlimit is set. This effectively
restores the old behavior.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "include/linux/user_namespace.h", "kernel/signal.c", "kernel/ucount.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "012f4d5d25e9ef92ee129bd5aa7aa60f692681e1", "status": "affected", "version": "d64696905554e919321e31afc210606653b8f6a4", "versionType": "git" }, { "lessThan": "4877d9b2a2ebad3ae240127aaa4cb8258b145cf7", "status": "affected", "version": "d64696905554e919321e31afc210606653b8f6a4", "versionType": "git" }, { "lessThan": "0208ea17a1e4456fbfe555f13ae5c28f3d671e40", "status": "affected", "version": "d64696905554e919321e31afc210606653b8f6a4", "versionType": "git" }, { "lessThan": "9e05e5c7ee8758141d2db7e8fea2cab34500c6ed", "status": "affected", "version": "d64696905554e919321e31afc210606653b8f6a4", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "include/linux/user_namespace.h", "kernel/signal.c", "kernel/ucount.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.14" }, { "lessThan": "5.14", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.117", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.61", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsignal: restore the override_rlimit logic\n\nPrior to commit d64696905554 (\"Reimplement RLIMIT_SIGPENDING on top of\nucounts\") UCOUNT_RLIMIT_SIGPENDING rlimit was not enforced for a class of\nsignals. However now it\u0027s enforced unconditionally, even if\noverride_rlimit is set. This behavior change caused production issues. \n\nFor example, if the limit is reached and a process receives a SIGSEGV\nsignal, sigqueue_alloc fails to allocate the necessary resources for the\nsignal delivery, preventing the signal from being delivered with siginfo. \nThis prevents the process from correctly identifying the fault address and\nhandling the error. From the user-space perspective, applications are\nunaware that the limit has been reached and that the siginfo is\neffectively \u0027corrupted\u0027. This can lead to unpredictable behavior and\ncrashes, as we observed with java applications.\n\nFix this by passing override_rlimit into inc_rlimit_get_ucounts() and skip\nthe comparison to max there if override_rlimit is set. This effectively\nrestores the old behavior." } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:37:00.535Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/012f4d5d25e9ef92ee129bd5aa7aa60f692681e1" }, { "url": "https://git.kernel.org/stable/c/4877d9b2a2ebad3ae240127aaa4cb8258b145cf7" }, { "url": "https://git.kernel.org/stable/c/0208ea17a1e4456fbfe555f13ae5c28f3d671e40" }, { "url": "https://git.kernel.org/stable/c/9e05e5c7ee8758141d2db7e8fea2cab34500c6ed" } ], "title": "signal: restore the override_rlimit logic", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50271", "datePublished": "2024-11-19T01:30:09.788Z", "dateReserved": "2024-10-21T19:36:19.982Z", "dateUpdated": "2024-12-19T09:37:00.535Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50295
Vulnerability from cvelistv5
Published
2024-11-19 01:30
Modified
2024-12-19 09:37
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: arc: fix the device for dma_map_single/dma_unmap_single
The ndev->dev and pdev->dev aren't the same device, use ndev->dev.parent
which has dma_mask, ndev->dev.parent is just pdev->dev.
Or it would cause the following issue:
[ 39.933526] ------------[ cut here ]------------
[ 39.938414] WARNING: CPU: 1 PID: 501 at kernel/dma/mapping.c:149 dma_map_page_attrs+0x90/0x1f8
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: f959dcd6ddfd29235030e8026471ac1b022ad2b0 Version: f959dcd6ddfd29235030e8026471ac1b022ad2b0 Version: f959dcd6ddfd29235030e8026471ac1b022ad2b0 Version: f959dcd6ddfd29235030e8026471ac1b022ad2b0 Version: f959dcd6ddfd29235030e8026471ac1b022ad2b0 Version: f959dcd6ddfd29235030e8026471ac1b022ad2b0 |
||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/arc/emac_main.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "30606ea3fae57f8e9f2467415389e988e3c53a18", "status": "affected", "version": "f959dcd6ddfd29235030e8026471ac1b022ad2b0", "versionType": "git" }, { "lessThan": "3898393b5483c8aa2efd7cb13aa70e22078ab022", "status": "affected", "version": "f959dcd6ddfd29235030e8026471ac1b022ad2b0", "versionType": "git" }, { "lessThan": "fd4e062fbc07156f8e9d73212d347c744572677e", "status": "affected", "version": "f959dcd6ddfd29235030e8026471ac1b022ad2b0", "versionType": "git" }, { "lessThan": "8ed7a4a39c3f7cd9655af867e878fda512ae67ad", "status": "affected", "version": "f959dcd6ddfd29235030e8026471ac1b022ad2b0", "versionType": "git" }, { "lessThan": "cd4706d9ac0d8d3bab8dc9e50cc1187f6cfa43dd", "status": "affected", "version": "f959dcd6ddfd29235030e8026471ac1b022ad2b0", "versionType": "git" }, { "lessThan": "71803c1dfa29e0d13b99e48fda11107cc8caebc7", "status": "affected", "version": "f959dcd6ddfd29235030e8026471ac1b022ad2b0", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/arc/emac_main.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.10" }, { "lessThan": "5.10", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.230", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.172", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.117", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.61", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: arc: fix the device for dma_map_single/dma_unmap_single\n\nThe ndev-\u003edev and pdev-\u003edev aren\u0027t the same device, use ndev-\u003edev.parent\nwhich has dma_mask, ndev-\u003edev.parent is just pdev-\u003edev.\nOr it would cause the following issue:\n\n[ 39.933526] ------------[ cut here ]------------\n[ 39.938414] WARNING: CPU: 1 PID: 501 at kernel/dma/mapping.c:149 dma_map_page_attrs+0x90/0x1f8" } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:37:37.761Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/30606ea3fae57f8e9f2467415389e988e3c53a18" }, { "url": "https://git.kernel.org/stable/c/3898393b5483c8aa2efd7cb13aa70e22078ab022" }, { "url": "https://git.kernel.org/stable/c/fd4e062fbc07156f8e9d73212d347c744572677e" }, { "url": "https://git.kernel.org/stable/c/8ed7a4a39c3f7cd9655af867e878fda512ae67ad" }, { "url": "https://git.kernel.org/stable/c/cd4706d9ac0d8d3bab8dc9e50cc1187f6cfa43dd" }, { "url": "https://git.kernel.org/stable/c/71803c1dfa29e0d13b99e48fda11107cc8caebc7" } ], "title": "net: arc: fix the device for dma_map_single/dma_unmap_single", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50295", "datePublished": "2024-11-19T01:30:41.999Z", "dateReserved": "2024-10-21T19:36:19.986Z", "dateUpdated": "2024-12-19T09:37:37.761Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50282
Vulnerability from cvelistv5
Published
2024-11-19 01:30
Modified
2024-12-19 09:37
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: add missing size check in amdgpu_debugfs_gprwave_read()
Avoid a possible buffer overflow if size is larger than 4K.
(cherry picked from commit f5d873f5825b40d886d03bd2aede91d4cf002434)
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "673bdb4200c092692f83b5f7ba3df57021d52d29", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "7ccd781794d247589104a791caab491e21218fba", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "17f5f18085acb5e9d8d13d84a4e12bb3aff2bd64", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "aaf6160a4b7f9ee3cd91aa5b3251f5dbe2170f42", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "25d7e84343e1235b667cf5226c3934fdf36f0df6", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "8906728f2fbd6504cb488f4afdd66af28f330a7a", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "2faaee36e6e30f9efc7fa6bcb0bdcbe05c23f51f", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "4d75b9468021c73108b4439794d69e892b1d24e3", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.324", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.286", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.230", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.172", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.117", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.61", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: add missing size check in amdgpu_debugfs_gprwave_read()\n\nAvoid a possible buffer overflow if size is larger than 4K.\n\n(cherry picked from commit f5d873f5825b40d886d03bd2aede91d4cf002434)" } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:37:14.979Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/673bdb4200c092692f83b5f7ba3df57021d52d29" }, { "url": "https://git.kernel.org/stable/c/7ccd781794d247589104a791caab491e21218fba" }, { "url": "https://git.kernel.org/stable/c/17f5f18085acb5e9d8d13d84a4e12bb3aff2bd64" }, { "url": "https://git.kernel.org/stable/c/aaf6160a4b7f9ee3cd91aa5b3251f5dbe2170f42" }, { "url": "https://git.kernel.org/stable/c/25d7e84343e1235b667cf5226c3934fdf36f0df6" }, { "url": "https://git.kernel.org/stable/c/8906728f2fbd6504cb488f4afdd66af28f330a7a" }, { "url": "https://git.kernel.org/stable/c/2faaee36e6e30f9efc7fa6bcb0bdcbe05c23f51f" }, { "url": "https://git.kernel.org/stable/c/4d75b9468021c73108b4439794d69e892b1d24e3" } ], "title": "drm/amdgpu: add missing size check in amdgpu_debugfs_gprwave_read()", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50282", "datePublished": "2024-11-19T01:30:24.581Z", "dateReserved": "2024-10-21T19:36:19.984Z", "dateUpdated": "2024-12-19T09:37:14.979Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50265
Vulnerability from cvelistv5
Published
2024-11-19 01:30
Modified
2024-12-19 09:36
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ocfs2: remove entry once instead of null-ptr-dereference in ocfs2_xa_remove()
Syzkaller is able to provoke null-ptr-dereference in ocfs2_xa_remove():
[ 57.319872] (a.out,1161,7):ocfs2_xa_remove:2028 ERROR: status = -12
[ 57.320420] (a.out,1161,7):ocfs2_xa_cleanup_value_truncate:1999 ERROR: Partial truncate while removing xattr overlay.upper. Leaking 1 clusters and removing the entry
[ 57.321727] BUG: kernel NULL pointer dereference, address: 0000000000000004
[...]
[ 57.325727] RIP: 0010:ocfs2_xa_block_wipe_namevalue+0x2a/0xc0
[...]
[ 57.331328] Call Trace:
[ 57.331477] <TASK>
[...]
[ 57.333511] ? do_user_addr_fault+0x3e5/0x740
[ 57.333778] ? exc_page_fault+0x70/0x170
[ 57.334016] ? asm_exc_page_fault+0x2b/0x30
[ 57.334263] ? __pfx_ocfs2_xa_block_wipe_namevalue+0x10/0x10
[ 57.334596] ? ocfs2_xa_block_wipe_namevalue+0x2a/0xc0
[ 57.334913] ocfs2_xa_remove_entry+0x23/0xc0
[ 57.335164] ocfs2_xa_set+0x704/0xcf0
[ 57.335381] ? _raw_spin_unlock+0x1a/0x40
[ 57.335620] ? ocfs2_inode_cache_unlock+0x16/0x20
[ 57.335915] ? trace_preempt_on+0x1e/0x70
[ 57.336153] ? start_this_handle+0x16c/0x500
[ 57.336410] ? preempt_count_sub+0x50/0x80
[ 57.336656] ? _raw_read_unlock+0x20/0x40
[ 57.336906] ? start_this_handle+0x16c/0x500
[ 57.337162] ocfs2_xattr_block_set+0xa6/0x1e0
[ 57.337424] __ocfs2_xattr_set_handle+0x1fd/0x5d0
[ 57.337706] ? ocfs2_start_trans+0x13d/0x290
[ 57.337971] ocfs2_xattr_set+0xb13/0xfb0
[ 57.338207] ? dput+0x46/0x1c0
[ 57.338393] ocfs2_xattr_trusted_set+0x28/0x30
[ 57.338665] ? ocfs2_xattr_trusted_set+0x28/0x30
[ 57.338948] __vfs_removexattr+0x92/0xc0
[ 57.339182] __vfs_removexattr_locked+0xd5/0x190
[ 57.339456] ? preempt_count_sub+0x50/0x80
[ 57.339705] vfs_removexattr+0x5f/0x100
[...]
Reproducer uses faultinject facility to fail ocfs2_xa_remove() ->
ocfs2_xa_value_truncate() with -ENOMEM.
In this case the comment mentions that we can return 0 if
ocfs2_xa_cleanup_value_truncate() is going to wipe the entry
anyway. But the following 'rc' check is wrong and execution flow do
'ocfs2_xa_remove_entry(loc);' twice:
* 1st: in ocfs2_xa_cleanup_value_truncate();
* 2nd: returning back to ocfs2_xa_remove() instead of going to 'out'.
Fix this by skipping the 2nd removal of the same entry and making
syzkaller repro happy.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 399ff3a748cf4c8c853e96dd477153202636527b Version: 399ff3a748cf4c8c853e96dd477153202636527b Version: 399ff3a748cf4c8c853e96dd477153202636527b Version: 399ff3a748cf4c8c853e96dd477153202636527b Version: 399ff3a748cf4c8c853e96dd477153202636527b Version: 399ff3a748cf4c8c853e96dd477153202636527b Version: 399ff3a748cf4c8c853e96dd477153202636527b Version: 399ff3a748cf4c8c853e96dd477153202636527b |
||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/ocfs2/xattr.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "38cbf13b2e7a31362babe411f7c2c3c52cd2734b", "status": "affected", "version": "399ff3a748cf4c8c853e96dd477153202636527b", "versionType": "git" }, { "lessThan": "168a9b8303fcb0317db4c06b23ce1c0ce2af4e10", "status": "affected", "version": "399ff3a748cf4c8c853e96dd477153202636527b", "versionType": "git" }, { "lessThan": "6a7e6dcf90fe7721d0863067b6ca9a9442134692", "status": "affected", "version": "399ff3a748cf4c8c853e96dd477153202636527b", "versionType": "git" }, { "lessThan": "dcc8fe8c83145041cb6c80cac21f6173a3ff0204", "status": "affected", "version": "399ff3a748cf4c8c853e96dd477153202636527b", "versionType": "git" }, { "lessThan": "86dd0e8d42828923c68ad506933336bcd6f2317d", "status": "affected", "version": "399ff3a748cf4c8c853e96dd477153202636527b", "versionType": "git" }, { "lessThan": "dd73c942eed76a014c7a5597e6926435274d2c4c", "status": "affected", "version": "399ff3a748cf4c8c853e96dd477153202636527b", "versionType": "git" }, { "lessThan": "2b5369528ee63c88371816178a05b5e664c87386", "status": "affected", "version": "399ff3a748cf4c8c853e96dd477153202636527b", "versionType": "git" }, { "lessThan": "0b63c0e01fba40e3992bc627272ec7b618ccaef7", "status": "affected", "version": "399ff3a748cf4c8c853e96dd477153202636527b", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/ocfs2/xattr.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "2.6.34" }, { "lessThan": "2.6.34", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.324", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.286", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.230", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.172", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.117", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.61", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: remove entry once instead of null-ptr-dereference in ocfs2_xa_remove()\n\nSyzkaller is able to provoke null-ptr-dereference in ocfs2_xa_remove():\n\n[ 57.319872] (a.out,1161,7):ocfs2_xa_remove:2028 ERROR: status = -12\n[ 57.320420] (a.out,1161,7):ocfs2_xa_cleanup_value_truncate:1999 ERROR: Partial truncate while removing xattr overlay.upper. Leaking 1 clusters and removing the entry\n[ 57.321727] BUG: kernel NULL pointer dereference, address: 0000000000000004\n[...]\n[ 57.325727] RIP: 0010:ocfs2_xa_block_wipe_namevalue+0x2a/0xc0\n[...]\n[ 57.331328] Call Trace:\n[ 57.331477] \u003cTASK\u003e\n[...]\n[ 57.333511] ? do_user_addr_fault+0x3e5/0x740\n[ 57.333778] ? exc_page_fault+0x70/0x170\n[ 57.334016] ? asm_exc_page_fault+0x2b/0x30\n[ 57.334263] ? __pfx_ocfs2_xa_block_wipe_namevalue+0x10/0x10\n[ 57.334596] ? ocfs2_xa_block_wipe_namevalue+0x2a/0xc0\n[ 57.334913] ocfs2_xa_remove_entry+0x23/0xc0\n[ 57.335164] ocfs2_xa_set+0x704/0xcf0\n[ 57.335381] ? _raw_spin_unlock+0x1a/0x40\n[ 57.335620] ? ocfs2_inode_cache_unlock+0x16/0x20\n[ 57.335915] ? trace_preempt_on+0x1e/0x70\n[ 57.336153] ? start_this_handle+0x16c/0x500\n[ 57.336410] ? preempt_count_sub+0x50/0x80\n[ 57.336656] ? _raw_read_unlock+0x20/0x40\n[ 57.336906] ? start_this_handle+0x16c/0x500\n[ 57.337162] ocfs2_xattr_block_set+0xa6/0x1e0\n[ 57.337424] __ocfs2_xattr_set_handle+0x1fd/0x5d0\n[ 57.337706] ? ocfs2_start_trans+0x13d/0x290\n[ 57.337971] ocfs2_xattr_set+0xb13/0xfb0\n[ 57.338207] ? dput+0x46/0x1c0\n[ 57.338393] ocfs2_xattr_trusted_set+0x28/0x30\n[ 57.338665] ? ocfs2_xattr_trusted_set+0x28/0x30\n[ 57.338948] __vfs_removexattr+0x92/0xc0\n[ 57.339182] __vfs_removexattr_locked+0xd5/0x190\n[ 57.339456] ? preempt_count_sub+0x50/0x80\n[ 57.339705] vfs_removexattr+0x5f/0x100\n[...]\n\nReproducer uses faultinject facility to fail ocfs2_xa_remove() -\u003e\nocfs2_xa_value_truncate() with -ENOMEM.\n\nIn this case the comment mentions that we can return 0 if\nocfs2_xa_cleanup_value_truncate() is going to wipe the entry\nanyway. But the following \u0027rc\u0027 check is wrong and execution flow do\n\u0027ocfs2_xa_remove_entry(loc);\u0027 twice:\n* 1st: in ocfs2_xa_cleanup_value_truncate();\n* 2nd: returning back to ocfs2_xa_remove() instead of going to \u0027out\u0027.\n\nFix this by skipping the 2nd removal of the same entry and making\nsyzkaller repro happy." } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:36:52.267Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/38cbf13b2e7a31362babe411f7c2c3c52cd2734b" }, { "url": "https://git.kernel.org/stable/c/168a9b8303fcb0317db4c06b23ce1c0ce2af4e10" }, { "url": "https://git.kernel.org/stable/c/6a7e6dcf90fe7721d0863067b6ca9a9442134692" }, { "url": "https://git.kernel.org/stable/c/dcc8fe8c83145041cb6c80cac21f6173a3ff0204" }, { "url": "https://git.kernel.org/stable/c/86dd0e8d42828923c68ad506933336bcd6f2317d" }, { "url": "https://git.kernel.org/stable/c/dd73c942eed76a014c7a5597e6926435274d2c4c" }, { "url": "https://git.kernel.org/stable/c/2b5369528ee63c88371816178a05b5e664c87386" }, { "url": "https://git.kernel.org/stable/c/0b63c0e01fba40e3992bc627272ec7b618ccaef7" } ], "title": "ocfs2: remove entry once instead of null-ptr-dereference in ocfs2_xa_remove()", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50265", "datePublished": "2024-11-19T01:30:00.861Z", "dateReserved": "2024-10-21T19:36:19.982Z", "dateUpdated": "2024-12-19T09:36:52.267Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50280
Vulnerability from cvelistv5
Published
2024-11-19 01:30
Modified
2024-12-19 09:37
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dm cache: fix flushing uninitialized delayed_work on cache_ctr error
An unexpected WARN_ON from flush_work() may occur when cache creation
fails, caused by destroying the uninitialized delayed_work waker in the
error path of cache_create(). For example, the warning appears on the
superblock checksum error.
Reproduce steps:
dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
dmsetup create cdata --table "0 65536 linear /dev/sdc 8192"
dmsetup create corig --table "0 524288 linear /dev/sdc 262144"
dd if=/dev/urandom of=/dev/mapper/cmeta bs=4k count=1 oflag=direct
dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"
Kernel logs:
(snip)
WARNING: CPU: 0 PID: 84 at kernel/workqueue.c:4178 __flush_work+0x5d4/0x890
Fix by pulling out the cancel_delayed_work_sync() from the constructor's
error path. This patch doesn't affect the use-after-free fix for
concurrent dm_resume and dm_destroy (commit 6a459d8edbdb ("dm cache: Fix
UAF in destroy()")) as cache_dtr is not changed.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-50280", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-12-11T14:25:27.627011Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-416", "description": "CWE-416 Use After Free", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-12-11T14:58:31.803Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/md/dm-cache-target.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "5a754d3c771280f2d06bf8ab716d6a0d36ca256e", "status": "affected", "version": "6a3e412c2ab131c54945327a7676b006f000a209", "versionType": "git" }, { "lessThan": "8cc12dab635333c4ea28e72d7b947be7d0543c2c", "status": "affected", "version": "6a459d8edbdbe7b24db42a5a9f21e6aa9e00c2aa", "versionType": "git" }, { "lessThan": "aee3ecda73ce13af7c3e556383342b57e6bd0718", "status": "affected", "version": "6a459d8edbdbe7b24db42a5a9f21e6aa9e00c2aa", "versionType": "git" }, { "lessThan": "135496c208ba26fd68cdef10b64ed7a91ac9a7ff", "status": "affected", "version": "6a459d8edbdbe7b24db42a5a9f21e6aa9e00c2aa", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/md/dm-cache-target.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.2" }, { "lessThan": "6.2", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.117", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.61", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm cache: fix flushing uninitialized delayed_work on cache_ctr error\n\nAn unexpected WARN_ON from flush_work() may occur when cache creation\nfails, caused by destroying the uninitialized delayed_work waker in the\nerror path of cache_create(). For example, the warning appears on the\nsuperblock checksum error.\n\nReproduce steps:\n\ndmsetup create cmeta --table \"0 8192 linear /dev/sdc 0\"\ndmsetup create cdata --table \"0 65536 linear /dev/sdc 8192\"\ndmsetup create corig --table \"0 524288 linear /dev/sdc 262144\"\ndd if=/dev/urandom of=/dev/mapper/cmeta bs=4k count=1 oflag=direct\ndmsetup create cache --table \"0 524288 cache /dev/mapper/cmeta \\\n/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0\"\n\nKernel logs:\n\n(snip)\nWARNING: CPU: 0 PID: 84 at kernel/workqueue.c:4178 __flush_work+0x5d4/0x890\n\nFix by pulling out the cancel_delayed_work_sync() from the constructor\u0027s\nerror path. This patch doesn\u0027t affect the use-after-free fix for\nconcurrent dm_resume and dm_destroy (commit 6a459d8edbdb (\"dm cache: Fix\nUAF in destroy()\")) as cache_dtr is not changed." } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:37:12.375Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/5a754d3c771280f2d06bf8ab716d6a0d36ca256e" }, { "url": "https://git.kernel.org/stable/c/8cc12dab635333c4ea28e72d7b947be7d0543c2c" }, { "url": "https://git.kernel.org/stable/c/aee3ecda73ce13af7c3e556383342b57e6bd0718" }, { "url": "https://git.kernel.org/stable/c/135496c208ba26fd68cdef10b64ed7a91ac9a7ff" } ], "title": "dm cache: fix flushing uninitialized delayed_work on cache_ctr error", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50280", "datePublished": "2024-11-19T01:30:21.999Z", "dateReserved": "2024-10-21T19:36:19.983Z", "dateUpdated": "2024-12-19T09:37:12.375Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50287
Vulnerability from cvelistv5
Published
2024-11-19 01:30
Modified
2024-12-19 09:37
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: v4l2-tpg: prevent the risk of a division by zero
As reported by Coverity, the logic at tpg_precalculate_line()
blindly rescales the buffer even when scaled_witdh is equal to
zero. If this ever happens, this will cause a division by zero.
Instead, add a WARN_ON_ONCE() to trigger such cases and return
without doing any precalculation.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 63881df94d3ecbb0deafa0b77da62ff2f32961c4 Version: 63881df94d3ecbb0deafa0b77da62ff2f32961c4 Version: 63881df94d3ecbb0deafa0b77da62ff2f32961c4 Version: 63881df94d3ecbb0deafa0b77da62ff2f32961c4 Version: 63881df94d3ecbb0deafa0b77da62ff2f32961c4 Version: 63881df94d3ecbb0deafa0b77da62ff2f32961c4 Version: 63881df94d3ecbb0deafa0b77da62ff2f32961c4 Version: 63881df94d3ecbb0deafa0b77da62ff2f32961c4 |
||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/media/common/v4l2-tpg/v4l2-tpg-core.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "e3c36d0bde309f690ed1f9cd5f7e63b3a513f94a", "status": "affected", "version": "63881df94d3ecbb0deafa0b77da62ff2f32961c4", "versionType": "git" }, { "lessThan": "0bfc6e38ee2250f0503d96f1a1de441c31d88715", "status": "affected", "version": "63881df94d3ecbb0deafa0b77da62ff2f32961c4", "versionType": "git" }, { "lessThan": "054931ca3cfcb8e8fa036e887d6f379942b02565", "status": "affected", "version": "63881df94d3ecbb0deafa0b77da62ff2f32961c4", "versionType": "git" }, { "lessThan": "a749c15dccc58d9cbad9cd23bd8ab4b5fa96cf47", "status": "affected", "version": "63881df94d3ecbb0deafa0b77da62ff2f32961c4", "versionType": "git" }, { "lessThan": "c63c30c9d9f2c8de34b16cd2b8400240533b914e", "status": "affected", "version": "63881df94d3ecbb0deafa0b77da62ff2f32961c4", "versionType": "git" }, { "lessThan": "2d0f01aa602fd15a805771bdf3f4d9a9b4df7f47", "status": "affected", "version": "63881df94d3ecbb0deafa0b77da62ff2f32961c4", "versionType": "git" }, { "lessThan": "0cdb42ba0b28f548c1a4e86bb8489dba0d78fc21", "status": "affected", "version": "63881df94d3ecbb0deafa0b77da62ff2f32961c4", "versionType": "git" }, { "lessThan": "e6a3ea83fbe15d4818d01804e904cbb0e64e543b", "status": "affected", "version": "63881df94d3ecbb0deafa0b77da62ff2f32961c4", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/media/common/v4l2-tpg/v4l2-tpg-core.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "3.18" }, { "lessThan": "3.18", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.324", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.286", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.230", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.172", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.117", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.61", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: v4l2-tpg: prevent the risk of a division by zero\n\nAs reported by Coverity, the logic at tpg_precalculate_line()\nblindly rescales the buffer even when scaled_witdh is equal to\nzero. If this ever happens, this will cause a division by zero.\n\nInstead, add a WARN_ON_ONCE() to trigger such cases and return\nwithout doing any precalculation." } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:37:21.679Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/e3c36d0bde309f690ed1f9cd5f7e63b3a513f94a" }, { "url": "https://git.kernel.org/stable/c/0bfc6e38ee2250f0503d96f1a1de441c31d88715" }, { "url": "https://git.kernel.org/stable/c/054931ca3cfcb8e8fa036e887d6f379942b02565" }, { "url": "https://git.kernel.org/stable/c/a749c15dccc58d9cbad9cd23bd8ab4b5fa96cf47" }, { "url": "https://git.kernel.org/stable/c/c63c30c9d9f2c8de34b16cd2b8400240533b914e" }, { "url": "https://git.kernel.org/stable/c/2d0f01aa602fd15a805771bdf3f4d9a9b4df7f47" }, { "url": "https://git.kernel.org/stable/c/0cdb42ba0b28f548c1a4e86bb8489dba0d78fc21" }, { "url": "https://git.kernel.org/stable/c/e6a3ea83fbe15d4818d01804e904cbb0e64e543b" } ], "title": "media: v4l2-tpg: prevent the risk of a division by zero", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50287", "datePublished": "2024-11-19T01:30:31.338Z", "dateReserved": "2024-10-21T19:36:19.984Z", "dateUpdated": "2024-12-19T09:37:21.679Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50291
Vulnerability from cvelistv5
Published
2024-11-19 01:30
Modified
2024-12-19 09:37
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: dvb-core: add missing buffer index check
dvb_vb2_expbuf() didn't check if the given buffer index was
for a valid buffer. Add this check.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/media/dvb-core/dvb_vb2.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "721c37af0355cc0b540909c57fd7930dc99c72d8", "status": "affected", "version": "7dc866df40127dceac9ba83ae16c0c11e7d1666f", "versionType": "git" }, { "lessThan": "fa88dc7db176c79b50adb132a56120a1d4d9d18b", "status": "affected", "version": "7dc866df40127dceac9ba83ae16c0c11e7d1666f", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/media/dvb-core/dvb_vb2.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.8" }, { "lessThan": "6.8", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: dvb-core: add missing buffer index check\n\ndvb_vb2_expbuf() didn\u0027t check if the given buffer index was\nfor a valid buffer. Add this check." } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:37:26.871Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/721c37af0355cc0b540909c57fd7930dc99c72d8" }, { "url": "https://git.kernel.org/stable/c/fa88dc7db176c79b50adb132a56120a1d4d9d18b" } ], "title": "media: dvb-core: add missing buffer index check", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50291", "datePublished": "2024-11-19T01:30:36.685Z", "dateReserved": "2024-10-21T19:36:19.985Z", "dateUpdated": "2024-12-19T09:37:26.871Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50292
Vulnerability from cvelistv5
Published
2024-11-19 01:30
Modified
2024-12-19 09:37
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: stm32: spdifrx: fix dma channel release in stm32_spdifrx_remove
In case of error when requesting ctrl_chan DMA channel, ctrl_chan is not
null. So the release of the dma channel leads to the following issue:
[ 4.879000] st,stm32-spdifrx 500d0000.audio-controller:
dma_request_slave_channel error -19
[ 4.888975] Unable to handle kernel NULL pointer dereference
at virtual address 000000000000003d
[...]
[ 5.096577] Call trace:
[ 5.099099] dma_release_channel+0x24/0x100
[ 5.103235] stm32_spdifrx_remove+0x24/0x60 [snd_soc_stm32_spdifrx]
[ 5.109494] stm32_spdifrx_probe+0x320/0x4c4 [snd_soc_stm32_spdifrx]
To avoid this issue, release channel only if the pointer is valid.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 794df9448edb55978e50372f083aeedade1b2844 Version: 794df9448edb55978e50372f083aeedade1b2844 Version: 794df9448edb55978e50372f083aeedade1b2844 Version: 794df9448edb55978e50372f083aeedade1b2844 Version: 794df9448edb55978e50372f083aeedade1b2844 Version: 794df9448edb55978e50372f083aeedade1b2844 |
||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "sound/soc/stm/stm32_spdifrx.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "3a977b554f668382dfba31fd62e4cce4fe5643db", "status": "affected", "version": "794df9448edb55978e50372f083aeedade1b2844", "versionType": "git" }, { "lessThan": "0d75f887aabd80cf37ea48d28f159afa7850ea28", "status": "affected", "version": "794df9448edb55978e50372f083aeedade1b2844", "versionType": "git" }, { "lessThan": "4f1d74f74752eab8af6b8b28797dc6490d57374c", "status": "affected", "version": "794df9448edb55978e50372f083aeedade1b2844", "versionType": "git" }, { "lessThan": "23bdbd1ef3e063e03d3c50c15a591b005ebbae39", "status": "affected", "version": "794df9448edb55978e50372f083aeedade1b2844", "versionType": "git" }, { "lessThan": "22ae9321054cf7f36c537702af133659f51a0b88", "status": "affected", "version": "794df9448edb55978e50372f083aeedade1b2844", "versionType": "git" }, { "lessThan": "9bb4af400c386374ab1047df44c508512c08c31f", "status": "affected", "version": "794df9448edb55978e50372f083aeedade1b2844", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "sound/soc/stm/stm32_spdifrx.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.7" }, { "lessThan": "5.7", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.230", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.172", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.117", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.61", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: stm32: spdifrx: fix dma channel release in stm32_spdifrx_remove\n\nIn case of error when requesting ctrl_chan DMA channel, ctrl_chan is not\nnull. So the release of the dma channel leads to the following issue:\n[ 4.879000] st,stm32-spdifrx 500d0000.audio-controller:\ndma_request_slave_channel error -19\n[ 4.888975] Unable to handle kernel NULL pointer dereference\nat virtual address 000000000000003d\n[...]\n[ 5.096577] Call trace:\n[ 5.099099] dma_release_channel+0x24/0x100\n[ 5.103235] stm32_spdifrx_remove+0x24/0x60 [snd_soc_stm32_spdifrx]\n[ 5.109494] stm32_spdifrx_probe+0x320/0x4c4 [snd_soc_stm32_spdifrx]\n\nTo avoid this issue, release channel only if the pointer is valid." } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:37:28.236Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/3a977b554f668382dfba31fd62e4cce4fe5643db" }, { "url": "https://git.kernel.org/stable/c/0d75f887aabd80cf37ea48d28f159afa7850ea28" }, { "url": "https://git.kernel.org/stable/c/4f1d74f74752eab8af6b8b28797dc6490d57374c" }, { "url": "https://git.kernel.org/stable/c/23bdbd1ef3e063e03d3c50c15a591b005ebbae39" }, { "url": "https://git.kernel.org/stable/c/22ae9321054cf7f36c537702af133659f51a0b88" }, { "url": "https://git.kernel.org/stable/c/9bb4af400c386374ab1047df44c508512c08c31f" } ], "title": "ASoC: stm32: spdifrx: fix dma channel release in stm32_spdifrx_remove", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50292", "datePublished": "2024-11-19T01:30:38.036Z", "dateReserved": "2024-10-21T19:36:19.985Z", "dateUpdated": "2024-12-19T09:37:28.236Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50299
Vulnerability from cvelistv5
Published
2024-11-19 01:30
Modified
2024-12-19 09:37
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
sctp: properly validate chunk size in sctp_sf_ootb()
A size validation fix similar to that in Commit 50619dbf8db7 ("sctp: add
size validation when walking chunks") is also required in sctp_sf_ootb()
to address a crash reported by syzbot:
BUG: KMSAN: uninit-value in sctp_sf_ootb+0x7f5/0xce0 net/sctp/sm_statefuns.c:3712
sctp_sf_ootb+0x7f5/0xce0 net/sctp/sm_statefuns.c:3712
sctp_do_sm+0x181/0x93d0 net/sctp/sm_sideeffect.c:1166
sctp_endpoint_bh_rcv+0xc38/0xf90 net/sctp/endpointola.c:407
sctp_inq_push+0x2ef/0x380 net/sctp/inqueue.c:88
sctp_rcv+0x3831/0x3b20 net/sctp/input.c:243
sctp4_rcv+0x42/0x50 net/sctp/protocol.c:1159
ip_protocol_deliver_rcu+0xb51/0x13d0 net/ipv4/ip_input.c:205
ip_local_deliver_finish+0x336/0x500 net/ipv4/ip_input.c:233
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/sctp/sm_statefuns.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "67b9a278b80f71ec62091ded97c6bcbea33b5ec3", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "9b5d42aeaf1a52f73b003a33da6deef7df34685f", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "40b283ba76665437bc2ac72079c51b57b25bff9e", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "a758aa6a773bb872196bcc3173171ef8996bddf0", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "bf9bff13225baf5f658577f7d985fc4933d79527", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "d3fb3cc83cf313e4f87063ce0f3fea76b071567b", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "8820d2d6589f62ee5514793fff9b50c9f8101182", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "0ead60804b64f5bd6999eec88e503c6a1a242d41", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/sctp/sm_statefuns.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "2.6.12" }, { "lessThan": "2.6.12", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.324", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.286", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.230", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.172", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.117", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.61", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: properly validate chunk size in sctp_sf_ootb()\n\nA size validation fix similar to that in Commit 50619dbf8db7 (\"sctp: add\nsize validation when walking chunks\") is also required in sctp_sf_ootb()\nto address a crash reported by syzbot:\n\n BUG: KMSAN: uninit-value in sctp_sf_ootb+0x7f5/0xce0 net/sctp/sm_statefuns.c:3712\n sctp_sf_ootb+0x7f5/0xce0 net/sctp/sm_statefuns.c:3712\n sctp_do_sm+0x181/0x93d0 net/sctp/sm_sideeffect.c:1166\n sctp_endpoint_bh_rcv+0xc38/0xf90 net/sctp/endpointola.c:407\n sctp_inq_push+0x2ef/0x380 net/sctp/inqueue.c:88\n sctp_rcv+0x3831/0x3b20 net/sctp/input.c:243\n sctp4_rcv+0x42/0x50 net/sctp/protocol.c:1159\n ip_protocol_deliver_rcu+0xb51/0x13d0 net/ipv4/ip_input.c:205\n ip_local_deliver_finish+0x336/0x500 net/ipv4/ip_input.c:233" } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:37:42.785Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/67b9a278b80f71ec62091ded97c6bcbea33b5ec3" }, { "url": "https://git.kernel.org/stable/c/9b5d42aeaf1a52f73b003a33da6deef7df34685f" }, { "url": "https://git.kernel.org/stable/c/40b283ba76665437bc2ac72079c51b57b25bff9e" }, { "url": "https://git.kernel.org/stable/c/a758aa6a773bb872196bcc3173171ef8996bddf0" }, { "url": "https://git.kernel.org/stable/c/bf9bff13225baf5f658577f7d985fc4933d79527" }, { "url": "https://git.kernel.org/stable/c/d3fb3cc83cf313e4f87063ce0f3fea76b071567b" }, { "url": "https://git.kernel.org/stable/c/8820d2d6589f62ee5514793fff9b50c9f8101182" }, { "url": "https://git.kernel.org/stable/c/0ead60804b64f5bd6999eec88e503c6a1a242d41" } ], "title": "sctp: properly validate chunk size in sctp_sf_ootb()", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50299", "datePublished": "2024-11-19T01:30:47.362Z", "dateReserved": "2024-10-21T19:36:19.987Z", "dateUpdated": "2024-12-19T09:37:42.785Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50289
Vulnerability from cvelistv5
Published
2024-11-19 01:30
Modified
2024-12-19 09:37
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: av7110: fix a spectre vulnerability
As warned by smatch:
drivers/staging/media/av7110/av7110_ca.c:270 dvb_ca_ioctl() warn: potential spectre issue 'av7110->ci_slot' [w] (local cap)
There is a spectre-related vulnerability at the code. Fix it.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/staging/media/av7110/av7110.h", "drivers/staging/media/av7110/av7110_ca.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "f3927206c478bd249c225414f7a751752a30e7b9", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "458ea1c0be991573ec436aa0afa23baacfae101a", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/staging/media/av7110/av7110.h", "drivers/staging/media/av7110/av7110_ca.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "2.6.12" }, { "lessThan": "2.6.12", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: av7110: fix a spectre vulnerability\n\nAs warned by smatch:\n\tdrivers/staging/media/av7110/av7110_ca.c:270 dvb_ca_ioctl() warn: potential spectre issue \u0027av7110-\u003eci_slot\u0027 [w] (local cap)\n\nThere is a spectre-related vulnerability at the code. Fix it." } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:37:24.258Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/f3927206c478bd249c225414f7a751752a30e7b9" }, { "url": "https://git.kernel.org/stable/c/458ea1c0be991573ec436aa0afa23baacfae101a" } ], "title": "media: av7110: fix a spectre vulnerability", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50289", "datePublished": "2024-11-19T01:30:34.029Z", "dateReserved": "2024-10-21T19:36:19.984Z", "dateUpdated": "2024-12-19T09:37:24.258Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50264
Vulnerability from cvelistv5
Published
2024-11-19 01:29
Modified
2024-12-19 09:36
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans
During loopback communication, a dangling pointer can be created in
vsk->trans, potentially leading to a Use-After-Free condition. This
issue is resolved by initializing vsk->trans to NULL.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 06a8fc78367d070720af960dcecec917d3ae5f3b Version: 06a8fc78367d070720af960dcecec917d3ae5f3b Version: 06a8fc78367d070720af960dcecec917d3ae5f3b Version: 06a8fc78367d070720af960dcecec917d3ae5f3b Version: 06a8fc78367d070720af960dcecec917d3ae5f3b Version: 06a8fc78367d070720af960dcecec917d3ae5f3b Version: 06a8fc78367d070720af960dcecec917d3ae5f3b Version: 06a8fc78367d070720af960dcecec917d3ae5f3b |
||||
|
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-50264", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-12-11T14:48:50.387406Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-416", "description": "CWE-416 Use After Free", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-12-11T14:58:32.111Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/vmw_vsock/virtio_transport_common.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "5f092a4271f6dccf88fe0d132475a17b69ef71df", "status": "affected", "version": "06a8fc78367d070720af960dcecec917d3ae5f3b", "versionType": "git" }, { "lessThan": "fd8ae346692a56b4437d626c5460c7104980f389", "status": "affected", "version": "06a8fc78367d070720af960dcecec917d3ae5f3b", "versionType": "git" }, { "lessThan": "eb1bdcb7dfc30b24495ee4c5533af0ed135cb5f1", "status": "affected", "version": "06a8fc78367d070720af960dcecec917d3ae5f3b", "versionType": "git" }, { "lessThan": "2a6a4e69f255b7aed17f93995691ab4f0d3c2203", "status": "affected", "version": "06a8fc78367d070720af960dcecec917d3ae5f3b", "versionType": "git" }, { "lessThan": "44d29897eafd0e1196453d3003a4d5e0b968eeab", "status": "affected", "version": "06a8fc78367d070720af960dcecec917d3ae5f3b", "versionType": "git" }, { "lessThan": "b110196fec44fe966952004bd426967c2a8fd358", "status": "affected", "version": "06a8fc78367d070720af960dcecec917d3ae5f3b", "versionType": "git" }, { "lessThan": "5f970935d09934222fdef3d0e20c648ea7a963c1", "status": "affected", "version": "06a8fc78367d070720af960dcecec917d3ae5f3b", "versionType": "git" }, { "lessThan": "6ca575374dd9a507cdd16dfa0e78c2e9e20bd05f", "status": "affected", "version": "06a8fc78367d070720af960dcecec917d3ae5f3b", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/vmw_vsock/virtio_transport_common.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.8" }, { "lessThan": "4.8", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.324", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.286", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.230", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.172", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.117", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.61", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock/virtio: Initialization of the dangling pointer occurring in vsk-\u003etrans\n\nDuring loopback communication, a dangling pointer can be created in\nvsk-\u003etrans, potentially leading to a Use-After-Free condition. This\nissue is resolved by initializing vsk-\u003etrans to NULL." } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:36:51.035Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/5f092a4271f6dccf88fe0d132475a17b69ef71df" }, { "url": "https://git.kernel.org/stable/c/fd8ae346692a56b4437d626c5460c7104980f389" }, { "url": "https://git.kernel.org/stable/c/eb1bdcb7dfc30b24495ee4c5533af0ed135cb5f1" }, { "url": "https://git.kernel.org/stable/c/2a6a4e69f255b7aed17f93995691ab4f0d3c2203" }, { "url": "https://git.kernel.org/stable/c/44d29897eafd0e1196453d3003a4d5e0b968eeab" }, { "url": "https://git.kernel.org/stable/c/b110196fec44fe966952004bd426967c2a8fd358" }, { "url": "https://git.kernel.org/stable/c/5f970935d09934222fdef3d0e20c648ea7a963c1" }, { "url": "https://git.kernel.org/stable/c/6ca575374dd9a507cdd16dfa0e78c2e9e20bd05f" } ], "title": "vsock/virtio: Initialization of the dangling pointer occurring in vsk-\u003etrans", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50264", "datePublished": "2024-11-19T01:29:59.511Z", "dateReserved": "2024-10-21T19:36:19.982Z", "dateUpdated": "2024-12-19T09:36:51.035Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50284
Vulnerability from cvelistv5
Published
2024-11-19 01:30
Modified
2024-12-19 09:37
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: Fix the missing xa_store error check
xa_store() can fail, it return xa_err(-EINVAL) if the entry cannot
be stored in an XArray, or xa_err(-ENOMEM) if memory allocation failed,
so check error for xa_store() to fix it.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/smb/server/mgmt/user_session.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "d8664ce789bd46290c59a00da6897252f92c237d", "status": "affected", "version": "052b41ef2abe274f068e892aee81406f11bd1f3a", "versionType": "git" }, { "lessThan": "726c1568b9145fa13ee248df184b186c382a7ff8", "status": "affected", "version": "b685757c7b08d5073046fb379be965fd6c06aafc", "versionType": "git" }, { "lessThan": "c2a232c4f790f4bcd4d218904c56ac7a39a448f5", "status": "affected", "version": "b685757c7b08d5073046fb379be965fd6c06aafc", "versionType": "git" }, { "lessThan": "3abab905b14f4ba756d413f37f1fb02b708eee93", "status": "affected", "version": "b685757c7b08d5073046fb379be965fd6c06aafc", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/smb/server/mgmt/user_session.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.3" }, { "lessThan": "6.3", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.117", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.61", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: Fix the missing xa_store error check\n\nxa_store() can fail, it return xa_err(-EINVAL) if the entry cannot\nbe stored in an XArray, or xa_err(-ENOMEM) if memory allocation failed,\nso check error for xa_store() to fix it." } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:37:17.703Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/d8664ce789bd46290c59a00da6897252f92c237d" }, { "url": "https://git.kernel.org/stable/c/726c1568b9145fa13ee248df184b186c382a7ff8" }, { "url": "https://git.kernel.org/stable/c/c2a232c4f790f4bcd4d218904c56ac7a39a448f5" }, { "url": "https://git.kernel.org/stable/c/3abab905b14f4ba756d413f37f1fb02b708eee93" } ], "title": "ksmbd: Fix the missing xa_store error check", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50284", "datePublished": "2024-11-19T01:30:27.273Z", "dateReserved": "2024-10-21T19:36:19.984Z", "dateUpdated": "2024-12-19T09:37:17.703Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50293
Vulnerability from cvelistv5
Published
2024-11-19 01:30
Modified
2024-12-19 09:37
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/smc: do not leave a dangling sk pointer in __smc_create()
Thanks to commit 4bbd360a5084 ("socket: Print pf->create() when
it does not clear sock->sk on failure."), syzbot found an issue with AF_SMC:
smc_create must clear sock->sk on failure, family: 43, type: 1, protocol: 0
WARNING: CPU: 0 PID: 5827 at net/socket.c:1565 __sock_create+0x96f/0xa30 net/socket.c:1563
Modules linked in:
CPU: 0 UID: 0 PID: 5827 Comm: syz-executor259 Not tainted 6.12.0-rc6-next-20241106-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:__sock_create+0x96f/0xa30 net/socket.c:1563
Code: 03 00 74 08 4c 89 e7 e8 4f 3b 85 f8 49 8b 34 24 48 c7 c7 40 89 0c 8d 8b 54 24 04 8b 4c 24 0c 44 8b 44 24 08 e8 32 78 db f7 90 <0f> 0b 90 90 e9 d3 fd ff ff 89 e9 80 e1 07 fe c1 38 c1 0f 8c ee f7
RSP: 0018:ffffc90003e4fda0 EFLAGS: 00010246
RAX: 099c6f938c7f4700 RBX: 1ffffffff1a595fd RCX: ffff888034823c00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 00000000ffffffe9 R08: ffffffff81567052 R09: 1ffff920007c9f50
R10: dffffc0000000000 R11: fffff520007c9f51 R12: ffffffff8d2cafe8
R13: 1ffffffff1a595fe R14: ffffffff9a789c40 R15: ffff8880764298c0
FS: 000055557b518380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fa62ff43225 CR3: 0000000031628000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
sock_create net/socket.c:1616 [inline]
__sys_socket_create net/socket.c:1653 [inline]
__sys_socket+0x150/0x3c0 net/socket.c:1700
__do_sys_socket net/socket.c:1714 [inline]
__se_sys_socket net/socket.c:1712 [inline]
For reference, see commit 2d859aff775d ("Merge branch
'do-not-leave-dangling-sk-pointers-in-pf-create-functions'")
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/smc/af_smc.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "d2cc492124e1f22daa1700f069bcc58788043381", "status": "affected", "version": "d25a92ccae6bed02327b63d138e12e7806830f78", "versionType": "git" }, { "lessThan": "d293958a8595ba566fb90b99da4d6263e14fee15", "status": "affected", "version": "d25a92ccae6bed02327b63d138e12e7806830f78", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/smc/af_smc.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.11" }, { "lessThan": "6.11", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: do not leave a dangling sk pointer in __smc_create()\n\nThanks to commit 4bbd360a5084 (\"socket: Print pf-\u003ecreate() when\nit does not clear sock-\u003esk on failure.\"), syzbot found an issue with AF_SMC:\n\nsmc_create must clear sock-\u003esk on failure, family: 43, type: 1, protocol: 0\n WARNING: CPU: 0 PID: 5827 at net/socket.c:1565 __sock_create+0x96f/0xa30 net/socket.c:1563\nModules linked in:\nCPU: 0 UID: 0 PID: 5827 Comm: syz-executor259 Not tainted 6.12.0-rc6-next-20241106-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\n RIP: 0010:__sock_create+0x96f/0xa30 net/socket.c:1563\nCode: 03 00 74 08 4c 89 e7 e8 4f 3b 85 f8 49 8b 34 24 48 c7 c7 40 89 0c 8d 8b 54 24 04 8b 4c 24 0c 44 8b 44 24 08 e8 32 78 db f7 90 \u003c0f\u003e 0b 90 90 e9 d3 fd ff ff 89 e9 80 e1 07 fe c1 38 c1 0f 8c ee f7\nRSP: 0018:ffffc90003e4fda0 EFLAGS: 00010246\nRAX: 099c6f938c7f4700 RBX: 1ffffffff1a595fd RCX: ffff888034823c00\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 00000000ffffffe9 R08: ffffffff81567052 R09: 1ffff920007c9f50\nR10: dffffc0000000000 R11: fffff520007c9f51 R12: ffffffff8d2cafe8\nR13: 1ffffffff1a595fe R14: ffffffff9a789c40 R15: ffff8880764298c0\nFS: 000055557b518380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fa62ff43225 CR3: 0000000031628000 CR4: 00000000003526f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n sock_create net/socket.c:1616 [inline]\n __sys_socket_create net/socket.c:1653 [inline]\n __sys_socket+0x150/0x3c0 net/socket.c:1700\n __do_sys_socket net/socket.c:1714 [inline]\n __se_sys_socket net/socket.c:1712 [inline]\n\nFor reference, see commit 2d859aff775d (\"Merge branch\n\u0027do-not-leave-dangling-sk-pointers-in-pf-create-functions\u0027\")" } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:37:29.983Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/d2cc492124e1f22daa1700f069bcc58788043381" }, { "url": "https://git.kernel.org/stable/c/d293958a8595ba566fb90b99da4d6263e14fee15" } ], "title": "net/smc: do not leave a dangling sk pointer in __smc_create()", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50293", "datePublished": "2024-11-19T01:30:39.362Z", "dateReserved": "2024-10-21T19:36:19.986Z", "dateUpdated": "2024-12-19T09:37:29.983Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50276
Vulnerability from cvelistv5
Published
2024-11-19 01:30
Modified
2024-12-19 09:37
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: vertexcom: mse102x: Fix possible double free of TX skb
The scope of the TX skb is wider than just mse102x_tx_frame_spi(),
so in case the TX skb room needs to be expanded, we should free the
the temporary skb instead of the original skb. Otherwise the original
TX skb pointer would be freed again in mse102x_tx_work(), which leads
to crashes:
Internal error: Oops: 0000000096000004 [#2] PREEMPT SMP
CPU: 0 PID: 712 Comm: kworker/0:1 Tainted: G D 6.6.23
Hardware name: chargebyte Charge SOM DC-ONE (DT)
Workqueue: events mse102x_tx_work [mse102x]
pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : skb_release_data+0xb8/0x1d8
lr : skb_release_data+0x1ac/0x1d8
sp : ffff8000819a3cc0
x29: ffff8000819a3cc0 x28: ffff0000046daa60 x27: ffff0000057f2dc0
x26: ffff000005386c00 x25: 0000000000000002 x24: 00000000ffffffff
x23: 0000000000000000 x22: 0000000000000001 x21: ffff0000057f2e50
x20: 0000000000000006 x19: 0000000000000000 x18: ffff00003fdacfcc
x17: e69ad452d0c49def x16: 84a005feff870102 x15: 0000000000000000
x14: 000000000000024a x13: 0000000000000002 x12: 0000000000000000
x11: 0000000000000400 x10: 0000000000000930 x9 : ffff00003fd913e8
x8 : fffffc00001bc008
x7 : 0000000000000000 x6 : 0000000000000008
x5 : ffff00003fd91340 x4 : 0000000000000000 x3 : 0000000000000009
x2 : 00000000fffffffe x1 : 0000000000000000 x0 : 0000000000000000
Call trace:
skb_release_data+0xb8/0x1d8
kfree_skb_reason+0x48/0xb0
mse102x_tx_work+0x164/0x35c [mse102x]
process_one_work+0x138/0x260
worker_thread+0x32c/0x438
kthread+0x118/0x11c
ret_from_fork+0x10/0x20
Code: aa1303e0 97fffab6 72001c1f 54000141 (f9400660)
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/vertexcom/mse102x.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "2cf0e77f5a0aa1ff336aa71743eda55c73902187", "status": "affected", "version": "2f207cbf0dd44278af2aa3ff0fc95b0f97cc4e4c", "versionType": "git" }, { "lessThan": "1325e838089da25217f4b403318a270fcdf88f34", "status": "affected", "version": "2f207cbf0dd44278af2aa3ff0fc95b0f97cc4e4c", "versionType": "git" }, { "lessThan": "91c9daa21f3ff8668f9e1d6c860024ce7ad64137", "status": "affected", "version": "2f207cbf0dd44278af2aa3ff0fc95b0f97cc4e4c", "versionType": "git" }, { "lessThan": "1f26339b2ed63d1e8e18a18674fb73a392f3660e", "status": "affected", "version": "2f207cbf0dd44278af2aa3ff0fc95b0f97cc4e4c", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/vertexcom/mse102x.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.17" }, { "lessThan": "5.17", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.117", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.61", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: vertexcom: mse102x: Fix possible double free of TX skb\n\nThe scope of the TX skb is wider than just mse102x_tx_frame_spi(),\nso in case the TX skb room needs to be expanded, we should free the\nthe temporary skb instead of the original skb. Otherwise the original\nTX skb pointer would be freed again in mse102x_tx_work(), which leads\nto crashes:\n\n Internal error: Oops: 0000000096000004 [#2] PREEMPT SMP\n CPU: 0 PID: 712 Comm: kworker/0:1 Tainted: G D 6.6.23\n Hardware name: chargebyte Charge SOM DC-ONE (DT)\n Workqueue: events mse102x_tx_work [mse102x]\n pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : skb_release_data+0xb8/0x1d8\n lr : skb_release_data+0x1ac/0x1d8\n sp : ffff8000819a3cc0\n x29: ffff8000819a3cc0 x28: ffff0000046daa60 x27: ffff0000057f2dc0\n x26: ffff000005386c00 x25: 0000000000000002 x24: 00000000ffffffff\n x23: 0000000000000000 x22: 0000000000000001 x21: ffff0000057f2e50\n x20: 0000000000000006 x19: 0000000000000000 x18: ffff00003fdacfcc\n x17: e69ad452d0c49def x16: 84a005feff870102 x15: 0000000000000000\n x14: 000000000000024a x13: 0000000000000002 x12: 0000000000000000\n x11: 0000000000000400 x10: 0000000000000930 x9 : ffff00003fd913e8\n x8 : fffffc00001bc008\n x7 : 0000000000000000 x6 : 0000000000000008\n x5 : ffff00003fd91340 x4 : 0000000000000000 x3 : 0000000000000009\n x2 : 00000000fffffffe x1 : 0000000000000000 x0 : 0000000000000000\n Call trace:\n skb_release_data+0xb8/0x1d8\n kfree_skb_reason+0x48/0xb0\n mse102x_tx_work+0x164/0x35c [mse102x]\n process_one_work+0x138/0x260\n worker_thread+0x32c/0x438\n kthread+0x118/0x11c\n ret_from_fork+0x10/0x20\n Code: aa1303e0 97fffab6 72001c1f 54000141 (f9400660)" } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:37:07.301Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/2cf0e77f5a0aa1ff336aa71743eda55c73902187" }, { "url": "https://git.kernel.org/stable/c/1325e838089da25217f4b403318a270fcdf88f34" }, { "url": "https://git.kernel.org/stable/c/91c9daa21f3ff8668f9e1d6c860024ce7ad64137" }, { "url": "https://git.kernel.org/stable/c/1f26339b2ed63d1e8e18a18674fb73a392f3660e" } ], "title": "net: vertexcom: mse102x: Fix possible double free of TX skb", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50276", "datePublished": "2024-11-19T01:30:16.647Z", "dateReserved": "2024-10-21T19:36:19.983Z", "dateUpdated": "2024-12-19T09:37:07.301Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50269
Vulnerability from cvelistv5
Published
2024-11-19 01:30
Modified
2024-12-19 09:36
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: musb: sunxi: Fix accessing an released usb phy
Commit 6ed05c68cbca ("usb: musb: sunxi: Explicitly release USB PHY on
exit") will cause that usb phy @glue->xceiv is accessed after released.
1) register platform driver @sunxi_musb_driver
// get the usb phy @glue->xceiv
sunxi_musb_probe() -> devm_usb_get_phy().
2) register and unregister platform driver @musb_driver
musb_probe() -> sunxi_musb_init()
use the phy here
//the phy is released here
musb_remove() -> sunxi_musb_exit() -> devm_usb_put_phy()
3) register @musb_driver again
musb_probe() -> sunxi_musb_init()
use the phy here but the phy has been released at 2).
...
Fixed by reverting the commit, namely, removing devm_usb_put_phy()
from sunxi_musb_exit().
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 6ed05c68cbcae42cd52b8e53b66952bfa9c002ce Version: 6ed05c68cbcae42cd52b8e53b66952bfa9c002ce Version: 6ed05c68cbcae42cd52b8e53b66952bfa9c002ce Version: 6ed05c68cbcae42cd52b8e53b66952bfa9c002ce Version: 6ed05c68cbcae42cd52b8e53b66952bfa9c002ce Version: 6ed05c68cbcae42cd52b8e53b66952bfa9c002ce Version: 6ed05c68cbcae42cd52b8e53b66952bfa9c002ce Version: 6ed05c68cbcae42cd52b8e53b66952bfa9c002ce |
||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/usb/musb/sunxi.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "721ddad945596220c123eb6f7126729fe277ee4f", "status": "affected", "version": "6ed05c68cbcae42cd52b8e53b66952bfa9c002ce", "versionType": "git" }, { "lessThan": "4aa77d5ea9944468e16c3eed15e858fd5de44de1", "status": "affected", "version": "6ed05c68cbcae42cd52b8e53b66952bfa9c002ce", "versionType": "git" }, { "lessThan": "6e2848d1c8c0139161e69ac0a94133e90e9988e8", "status": "affected", "version": "6ed05c68cbcae42cd52b8e53b66952bfa9c002ce", "versionType": "git" }, { "lessThan": "63559ba8077cbadae1c92a65b73ea522bf377dd9", "status": "affected", "version": "6ed05c68cbcae42cd52b8e53b66952bfa9c002ce", "versionType": "git" }, { "lessThan": "ccd811c304d2ee56189bfbc49302cb3c44361893", "status": "affected", "version": "6ed05c68cbcae42cd52b8e53b66952bfa9c002ce", "versionType": "git" }, { "lessThan": "8a30da5aa9609663b3e05bcc91a916537f66a4cd", "status": "affected", "version": "6ed05c68cbcae42cd52b8e53b66952bfa9c002ce", "versionType": "git" }, { "lessThan": "b08baa75b989cf779cbfa0969681f8ba2dc46569", "status": "affected", "version": "6ed05c68cbcae42cd52b8e53b66952bfa9c002ce", "versionType": "git" }, { "lessThan": "498dbd9aea205db9da674994b74c7bf8e18448bd", "status": "affected", "version": "6ed05c68cbcae42cd52b8e53b66952bfa9c002ce", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/usb/musb/sunxi.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.14" }, { "lessThan": "4.14", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.324", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.286", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.230", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.172", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.117", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.61", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: musb: sunxi: Fix accessing an released usb phy\n\nCommit 6ed05c68cbca (\"usb: musb: sunxi: Explicitly release USB PHY on\nexit\") will cause that usb phy @glue-\u003exceiv is accessed after released.\n\n1) register platform driver @sunxi_musb_driver\n// get the usb phy @glue-\u003exceiv\nsunxi_musb_probe() -\u003e devm_usb_get_phy().\n\n2) register and unregister platform driver @musb_driver\nmusb_probe() -\u003e sunxi_musb_init()\nuse the phy here\n//the phy is released here\nmusb_remove() -\u003e sunxi_musb_exit() -\u003e devm_usb_put_phy()\n\n3) register @musb_driver again\nmusb_probe() -\u003e sunxi_musb_init()\nuse the phy here but the phy has been released at 2).\n...\n\nFixed by reverting the commit, namely, removing devm_usb_put_phy()\nfrom sunxi_musb_exit()." } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:36:57.569Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/721ddad945596220c123eb6f7126729fe277ee4f" }, { "url": "https://git.kernel.org/stable/c/4aa77d5ea9944468e16c3eed15e858fd5de44de1" }, { "url": "https://git.kernel.org/stable/c/6e2848d1c8c0139161e69ac0a94133e90e9988e8" }, { "url": "https://git.kernel.org/stable/c/63559ba8077cbadae1c92a65b73ea522bf377dd9" }, { "url": "https://git.kernel.org/stable/c/ccd811c304d2ee56189bfbc49302cb3c44361893" }, { "url": "https://git.kernel.org/stable/c/8a30da5aa9609663b3e05bcc91a916537f66a4cd" }, { "url": "https://git.kernel.org/stable/c/b08baa75b989cf779cbfa0969681f8ba2dc46569" }, { "url": "https://git.kernel.org/stable/c/498dbd9aea205db9da674994b74c7bf8e18448bd" } ], "title": "usb: musb: sunxi: Fix accessing an released usb phy", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50269", "datePublished": "2024-11-19T01:30:06.910Z", "dateReserved": "2024-10-21T19:36:19.982Z", "dateUpdated": "2024-12-19T09:36:57.569Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50290
Vulnerability from cvelistv5
Published
2024-11-19 01:30
Modified
2024-12-19 09:37
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: cx24116: prevent overflows on SNR calculus
as reported by Coverity, if reading SNR registers fail, a negative
number will be returned, causing an underflow when reading SNR
registers.
Prevent that.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 8953db793d5bdeea5ac92c9e97f57d3ff8a7dccf Version: 8953db793d5bdeea5ac92c9e97f57d3ff8a7dccf Version: 8953db793d5bdeea5ac92c9e97f57d3ff8a7dccf Version: 8953db793d5bdeea5ac92c9e97f57d3ff8a7dccf Version: 8953db793d5bdeea5ac92c9e97f57d3ff8a7dccf Version: 8953db793d5bdeea5ac92c9e97f57d3ff8a7dccf Version: 8953db793d5bdeea5ac92c9e97f57d3ff8a7dccf Version: 8953db793d5bdeea5ac92c9e97f57d3ff8a7dccf |
||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/media/dvb-frontends/cx24116.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "127b9076baeadd734b18ddc8f2cd93b47d5a3ea3", "status": "affected", "version": "8953db793d5bdeea5ac92c9e97f57d3ff8a7dccf", "versionType": "git" }, { "lessThan": "cad97ca8cfd43a78a19b59949f33e3563d369247", "status": "affected", "version": "8953db793d5bdeea5ac92c9e97f57d3ff8a7dccf", "versionType": "git" }, { "lessThan": "828047c70f4716fde4b1316f7b610e97a4e83824", "status": "affected", "version": "8953db793d5bdeea5ac92c9e97f57d3ff8a7dccf", "versionType": "git" }, { "lessThan": "f2b4f277c41db8d548f38f1dd091bbdf6a5acb07", "status": "affected", "version": "8953db793d5bdeea5ac92c9e97f57d3ff8a7dccf", "versionType": "git" }, { "lessThan": "fbefe31e4598cdb0889eee2e74c995b2212efb08", "status": "affected", "version": "8953db793d5bdeea5ac92c9e97f57d3ff8a7dccf", "versionType": "git" }, { "lessThan": "83c152b55d88cbf6fc4685941fcb31333986774d", "status": "affected", "version": "8953db793d5bdeea5ac92c9e97f57d3ff8a7dccf", "versionType": "git" }, { "lessThan": "3a1ed994d9454132354b860321414955da289929", "status": "affected", "version": "8953db793d5bdeea5ac92c9e97f57d3ff8a7dccf", "versionType": "git" }, { "lessThan": "576a307a7650bd544fbb24df801b9b7863b85e2f", "status": "affected", "version": "8953db793d5bdeea5ac92c9e97f57d3ff8a7dccf", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/media/dvb-frontends/cx24116.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "2.6.28" }, { "lessThan": "2.6.28", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.324", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.286", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.230", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.172", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.117", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.61", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: cx24116: prevent overflows on SNR calculus\n\nas reported by Coverity, if reading SNR registers fail, a negative\nnumber will be returned, causing an underflow when reading SNR\nregisters.\n\nPrevent that." } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:37:25.558Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/127b9076baeadd734b18ddc8f2cd93b47d5a3ea3" }, { "url": "https://git.kernel.org/stable/c/cad97ca8cfd43a78a19b59949f33e3563d369247" }, { "url": "https://git.kernel.org/stable/c/828047c70f4716fde4b1316f7b610e97a4e83824" }, { "url": "https://git.kernel.org/stable/c/f2b4f277c41db8d548f38f1dd091bbdf6a5acb07" }, { "url": "https://git.kernel.org/stable/c/fbefe31e4598cdb0889eee2e74c995b2212efb08" }, { "url": "https://git.kernel.org/stable/c/83c152b55d88cbf6fc4685941fcb31333986774d" }, { "url": "https://git.kernel.org/stable/c/3a1ed994d9454132354b860321414955da289929" }, { "url": "https://git.kernel.org/stable/c/576a307a7650bd544fbb24df801b9b7863b85e2f" } ], "title": "media: cx24116: prevent overflows on SNR calculus", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50290", "datePublished": "2024-11-19T01:30:35.352Z", "dateReserved": "2024-10-21T19:36:19.985Z", "dateUpdated": "2024-12-19T09:37:25.558Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50297
Vulnerability from cvelistv5
Published
2024-11-19 01:30
Modified
2024-12-19 09:37
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: xilinx: axienet: Enqueue Tx packets in dql before dmaengine starts
Enqueue packets in dql after dma engine starts causes race condition.
Tx transfer starts once dma engine is started and may execute dql dequeue
in completion before it gets queued. It results in following kernel crash
while running iperf stress test:
kernel BUG at lib/dynamic_queue_limits.c:99!
<snip>
Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
pc : dql_completed+0x238/0x248
lr : dql_completed+0x3c/0x248
Call trace:
dql_completed+0x238/0x248
axienet_dma_tx_cb+0xa0/0x170
xilinx_dma_do_tasklet+0xdc/0x290
tasklet_action_common+0xf8/0x11c
tasklet_action+0x30/0x3c
handle_softirqs+0xf8/0x230
<snip>
Start dmaengine after enqueue in dql fixes the crash.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/xilinx/xilinx_axienet_main.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "def3dee25cbd1c9b2ed443c3f6180e952563de77", "status": "affected", "version": "6a91b846af85a24241decd686269e8e038eb13d1", "versionType": "git" }, { "lessThan": "5ccdcdf186aec6b9111845fd37e1757e9b413e2f", "status": "affected", "version": "6a91b846af85a24241decd686269e8e038eb13d1", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/xilinx/xilinx_axienet_main.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.8" }, { "lessThan": "6.8", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: xilinx: axienet: Enqueue Tx packets in dql before dmaengine starts\n\nEnqueue packets in dql after dma engine starts causes race condition.\nTx transfer starts once dma engine is started and may execute dql dequeue\nin completion before it gets queued. It results in following kernel crash\nwhile running iperf stress test:\n\nkernel BUG at lib/dynamic_queue_limits.c:99!\n\u003csnip\u003e\nInternal error: Oops - BUG: 00000000f2000800 [#1] SMP\npc : dql_completed+0x238/0x248\nlr : dql_completed+0x3c/0x248\n\nCall trace:\n dql_completed+0x238/0x248\n axienet_dma_tx_cb+0xa0/0x170\n xilinx_dma_do_tasklet+0xdc/0x290\n tasklet_action_common+0xf8/0x11c\n tasklet_action+0x30/0x3c\n handle_softirqs+0xf8/0x230\n\u003csnip\u003e\n\nStart dmaengine after enqueue in dql fixes the crash." } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:37:40.179Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/def3dee25cbd1c9b2ed443c3f6180e952563de77" }, { "url": "https://git.kernel.org/stable/c/5ccdcdf186aec6b9111845fd37e1757e9b413e2f" } ], "title": "net: xilinx: axienet: Enqueue Tx packets in dql before dmaengine starts", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50297", "datePublished": "2024-11-19T01:30:44.680Z", "dateReserved": "2024-10-21T19:36:19.986Z", "dateUpdated": "2024-12-19T09:37:40.179Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50277
Vulnerability from cvelistv5
Published
2024-11-19 01:30
Modified
2024-12-19 09:37
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dm: fix a crash if blk_alloc_disk fails
If blk_alloc_disk fails, the variable md->disk is set to an error value.
cleanup_mapped_device will see that md->disk is non-NULL and it will
attempt to access it, causing a crash on this statement
"md->disk->private_data = NULL;".
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/md/dm.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "d7aec2a06730b774a97caaf48cbbc58330a85829", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "fed13a5478680614ba97fc87e71f16e2e197912e", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/md/dm.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm: fix a crash if blk_alloc_disk fails\n\nIf blk_alloc_disk fails, the variable md-\u003edisk is set to an error value.\ncleanup_mapped_device will see that md-\u003edisk is non-NULL and it will\nattempt to access it, causing a crash on this statement\n\"md-\u003edisk-\u003eprivate_data = NULL;\"." } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:37:08.555Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/d7aec2a06730b774a97caaf48cbbc58330a85829" }, { "url": "https://git.kernel.org/stable/c/fed13a5478680614ba97fc87e71f16e2e197912e" } ], "title": "dm: fix a crash if blk_alloc_disk fails", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50277", "datePublished": "2024-11-19T01:30:17.994Z", "dateReserved": "2024-10-21T19:36:19.983Z", "dateUpdated": "2024-12-19T09:37:08.555Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-52921
Vulnerability from cvelistv5
Published
2024-11-19 01:26
Modified
2024-12-19 08:28
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: fix possible UAF in amdgpu_cs_pass1()
Since the gang_size check is outside of chunk parsing
loop, we need to reset i before we free the chunk data.
Suggested by Ye Zhang (@VAR10CK) of Baidu Security.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2023-52921", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-12-11T14:25:32.419190Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-416", "description": "CWE-416 Use After Free", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-12-11T14:58:32.296Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "9a2393af1f35d1975204fc00035c64a1c792b278", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "e08e9dd09809b16f8f8cee8c466841b33d24ed96", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "90e065677e0362a777b9db97ea21d43a39211399", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.46", "versionType": "semver" }, { "lessThanOrEqual": "6.4.*", "status": "unaffected", "version": "6.4.11", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.5", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix possible UAF in amdgpu_cs_pass1()\n\nSince the gang_size check is outside of chunk parsing\nloop, we need to reset i before we free the chunk data.\n\nSuggested by Ye Zhang (@VAR10CK) of Baidu Security." } ], "providerMetadata": { "dateUpdated": "2024-12-19T08:28:36.028Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/9a2393af1f35d1975204fc00035c64a1c792b278" }, { "url": "https://git.kernel.org/stable/c/e08e9dd09809b16f8f8cee8c466841b33d24ed96" }, { "url": "https://git.kernel.org/stable/c/90e065677e0362a777b9db97ea21d43a39211399" } ], "title": "drm/amdgpu: fix possible UAF in amdgpu_cs_pass1()", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-52921", "datePublished": "2024-11-19T01:26:30.495Z", "dateReserved": "2024-08-21T06:07:11.018Z", "dateUpdated": "2024-12-19T08:28:36.028Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-50288
Vulnerability from cvelistv5
Published
2024-11-19 01:30
Modified
2024-12-19 09:37
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: vivid: fix buffer overwrite when using > 32 buffers
The maximum number of buffers that can be requested was increased to
64 for the video capture queue. But video capture used a must_blank
array that was still sized for 32 (VIDEO_MAX_FRAME). This caused an
out-of-bounds write when using buffer indices >= 32.
Create a new define MAX_VID_CAP_BUFFERS that is used to access the
must_blank array and set max_num_buffers for the video capture queue.
This solves a crash reported by:
https://bugzilla.kernel.org/show_bug.cgi?id=219258
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/media/test-drivers/vivid/vivid-core.c", "drivers/media/test-drivers/vivid/vivid-core.h", "drivers/media/test-drivers/vivid/vivid-ctrls.c", "drivers/media/test-drivers/vivid/vivid-vid-cap.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "e6bacd8f2178b22859fe6d9f755f19dfcd9d3862", "status": "affected", "version": "cea70ed416b428f8214be196d62cc7ffaa11f1b8", "versionType": "git" }, { "lessThan": "96d8569563916fe2f8fe17317e20e43f54f9ba4b", "status": "affected", "version": "cea70ed416b428f8214be196d62cc7ffaa11f1b8", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/media/test-drivers/vivid/vivid-core.c", "drivers/media/test-drivers/vivid/vivid-core.h", "drivers/media/test-drivers/vivid/vivid-ctrls.c", "drivers/media/test-drivers/vivid/vivid-vid-cap.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.8" }, { "lessThan": "6.8", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vivid: fix buffer overwrite when using \u003e 32 buffers\n\nThe maximum number of buffers that can be requested was increased to\n64 for the video capture queue. But video capture used a must_blank\narray that was still sized for 32 (VIDEO_MAX_FRAME). This caused an\nout-of-bounds write when using buffer indices \u003e= 32.\n\nCreate a new define MAX_VID_CAP_BUFFERS that is used to access the\nmust_blank array and set max_num_buffers for the video capture queue.\n\nThis solves a crash reported by:\n\n\thttps://bugzilla.kernel.org/show_bug.cgi?id=219258" } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:37:23.011Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/e6bacd8f2178b22859fe6d9f755f19dfcd9d3862" }, { "url": "https://git.kernel.org/stable/c/96d8569563916fe2f8fe17317e20e43f54f9ba4b" } ], "title": "media: vivid: fix buffer overwrite when using \u003e 32 buffers", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50288", "datePublished": "2024-11-19T01:30:32.682Z", "dateReserved": "2024-10-21T19:36:19.984Z", "dateUpdated": "2024-12-19T09:37:23.011Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.