Action not permitted
Modal body text goes here.
Modal Title
Modal Body
wid-sec-w-2024-3608
Vulnerability from csaf_certbund
Published
2024-12-04 23:00
Modified
2025-01-19 23:00
Summary
Linux Kernel: Mehrere Schwachstellen ermöglichen Denial of Service
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Der Kernel stellt den Kern des Linux Betriebssystems dar.
Angriff
Ein lokaler Angreifer kann mehrere Schwachstellen im Linux Kernel ausnutzen, um einen Denial of Service Angriff durchzuführen.
Betroffene Betriebssysteme
- Linux
{ "document": { "aggregate_severity": { "text": "mittel" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "Der Kernel stellt den Kern des Linux Betriebssystems dar.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein lokaler Angreifer kann mehrere Schwachstellen im Linux Kernel ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren.", "title": "Angriff" }, { "category": "general", "text": "- Linux", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2024-3608 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-3608.json" }, { "category": "self", "summary": "WID-SEC-2024-3608 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-3608" }, { "category": "external", "summary": "Kernel CVE Announce Mailingliste", "url": "https://lore.kernel.org/linux-cve-announce/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-53125", "url": "https://lore.kernel.org/linux-cve-announce/2024120413-CVE-2024-53125-69ff@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-53126", "url": "https://lore.kernel.org/linux-cve-announce/2024120448-CVE-2024-53126-0282@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-53127", "url": "https://lore.kernel.org/linux-cve-announce/2024120449-CVE-2024-53127-518c@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-53128", "url": "https://lore.kernel.org/linux-cve-announce/2024120449-CVE-2024-53128-f08c@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-53129", "url": "https://lore.kernel.org/linux-cve-announce/2024120449-CVE-2024-53129-9f04@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-53130", "url": "https://lore.kernel.org/linux-cve-announce/2024120450-CVE-2024-53130-5621@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-53131", "url": "https://lore.kernel.org/linux-cve-announce/2024120450-CVE-2024-53131-60ad@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-53132", "url": "https://lore.kernel.org/linux-cve-announce/2024120450-CVE-2024-53132-2d51@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-53133", "url": "https://lore.kernel.org/linux-cve-announce/2024120451-CVE-2024-53133-b0b7@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-53134", "url": "https://lore.kernel.org/linux-cve-announce/2024120451-CVE-2024-53134-cb0a@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-53135", "url": "https://lore.kernel.org/linux-cve-announce/2024120451-CVE-2024-53135-8dcc@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-53136", "url": "https://lore.kernel.org/linux-cve-announce/2024120452-CVE-2024-53136-f7f8@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-53137", "url": "https://lore.kernel.org/linux-cve-announce/2024120452-CVE-2024-53137-b908@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-53138", "url": "https://lore.kernel.org/linux-cve-announce/2024120452-CVE-2024-53138-1849@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-53139", "url": "https://lore.kernel.org/linux-cve-announce/2024120453-CVE-2024-53139-4311@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2024-53140", "url": "https://lore.kernel.org/linux-cve-announce/2024120453-CVE-2024-53140-6ecf@gregkh/" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:4318-1 vom 2024-12-13", "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-December/019999.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:4316-1 vom 2024-12-13", "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/S4I5Z6ALCJLHTP25U3HMJHEXN4DR2USM/" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2024:4314-1 vom 2024-12-13", "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/SARXL66CQHD5VSFG5PUBNBVBPVFUN4KT/" }, { "category": "external", "summary": "Debian Security Advisory DLA-4008 vom 2025-01-03", "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:0117-1 vom 2025-01-15", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020131.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:0153-1 vom 2025-01-17", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020150.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:0154-1 vom 2025-01-17", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-January/020151.html" } ], "source_lang": "en-US", "title": "Linux Kernel: Mehrere Schwachstellen erm\u00f6glichen Denial of Service", "tracking": { "current_release_date": "2025-01-19T23:00:00.000+00:00", "generator": { "date": "2025-01-20T09:18:44.707+00:00", "engine": { "name": "BSI-WID", "version": "1.3.10" } }, "id": "WID-SEC-W-2024-3608", "initial_release_date": "2024-12-04T23:00:00.000+00:00", "revision_history": [ { "date": "2024-12-04T23:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2024-12-15T23:00:00.000+00:00", "number": "2", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2025-01-02T23:00:00.000+00:00", "number": "3", "summary": "Neue Updates von Debian aufgenommen" }, { "date": "2025-01-15T23:00:00.000+00:00", "number": "4", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2025-01-19T23:00:00.000+00:00", "number": "5", "summary": "Neue Updates von SUSE aufgenommen" } ], "status": "final", "version": "5" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_name", "name": "Debian Linux", "product": { "name": "Debian Linux", "product_id": "2951", "product_identification_helper": { "cpe": "cpe:/o:debian:debian_linux:-" } } } ], "category": "vendor", "name": "Debian" }, { "branches": [ { "category": "product_name", "name": "Open Source Linux Kernel", "product": { "name": "Open Source Linux Kernel", "product_id": "T008144", "product_identification_helper": { "cpe": "cpe:/a:linux:linux_kernel:-" } } } ], "category": "vendor", "name": "Open Source" }, { "branches": [ { "category": "product_name", "name": "SUSE Linux", "product": { "name": "SUSE Linux", "product_id": "T002207", "product_identification_helper": { "cpe": "cpe:/o:suse:suse_linux:-" } } } ], "category": "vendor", "name": "SUSE" } ] }, "vulnerabilities": [ { "cve": "CVE-2024-53125", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler existieren in verschiedenen Subsystemen und Komponenten wie KVM, ARM oder pmdomain, u.a. wegen mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einer Race-Condition oder einem Use-After-Free und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen." } ], "product_status": { "known_affected": [ "2951", "T002207", "T008144" ] }, "release_date": "2024-12-04T23:00:00.000+00:00", "title": "CVE-2024-53125" }, { "cve": "CVE-2024-53126", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler existieren in verschiedenen Subsystemen und Komponenten wie KVM, ARM oder pmdomain, u.a. wegen mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einer Race-Condition oder einem Use-After-Free und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen." } ], "product_status": { "known_affected": [ "2951", "T002207", "T008144" ] }, "release_date": "2024-12-04T23:00:00.000+00:00", "title": "CVE-2024-53126" }, { "cve": "CVE-2024-53127", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler existieren in verschiedenen Subsystemen und Komponenten wie KVM, ARM oder pmdomain, u.a. wegen mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einer Race-Condition oder einem Use-After-Free und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen." } ], "product_status": { "known_affected": [ "2951", "T002207", "T008144" ] }, "release_date": "2024-12-04T23:00:00.000+00:00", "title": "CVE-2024-53127" }, { "cve": "CVE-2024-53128", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler existieren in verschiedenen Subsystemen und Komponenten wie KVM, ARM oder pmdomain, u.a. wegen mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einer Race-Condition oder einem Use-After-Free und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen." } ], "product_status": { "known_affected": [ "2951", "T002207", "T008144" ] }, "release_date": "2024-12-04T23:00:00.000+00:00", "title": "CVE-2024-53128" }, { "cve": "CVE-2024-53129", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler existieren in verschiedenen Subsystemen und Komponenten wie KVM, ARM oder pmdomain, u.a. wegen mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einer Race-Condition oder einem Use-After-Free und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen." } ], "product_status": { "known_affected": [ "2951", "T002207", "T008144" ] }, "release_date": "2024-12-04T23:00:00.000+00:00", "title": "CVE-2024-53129" }, { "cve": "CVE-2024-53130", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler existieren in verschiedenen Subsystemen und Komponenten wie KVM, ARM oder pmdomain, u.a. wegen mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einer Race-Condition oder einem Use-After-Free und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen." } ], "product_status": { "known_affected": [ "2951", "T002207", "T008144" ] }, "release_date": "2024-12-04T23:00:00.000+00:00", "title": "CVE-2024-53130" }, { "cve": "CVE-2024-53131", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler existieren in verschiedenen Subsystemen und Komponenten wie KVM, ARM oder pmdomain, u.a. wegen mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einer Race-Condition oder einem Use-After-Free und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen." } ], "product_status": { "known_affected": [ "2951", "T002207", "T008144" ] }, "release_date": "2024-12-04T23:00:00.000+00:00", "title": "CVE-2024-53131" }, { "cve": "CVE-2024-53132", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler existieren in verschiedenen Subsystemen und Komponenten wie KVM, ARM oder pmdomain, u.a. wegen mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einer Race-Condition oder einem Use-After-Free und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen." } ], "product_status": { "known_affected": [ "2951", "T002207", "T008144" ] }, "release_date": "2024-12-04T23:00:00.000+00:00", "title": "CVE-2024-53132" }, { "cve": "CVE-2024-53133", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler existieren in verschiedenen Subsystemen und Komponenten wie KVM, ARM oder pmdomain, u.a. wegen mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einer Race-Condition oder einem Use-After-Free und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen." } ], "product_status": { "known_affected": [ "2951", "T002207", "T008144" ] }, "release_date": "2024-12-04T23:00:00.000+00:00", "title": "CVE-2024-53133" }, { "cve": "CVE-2024-53134", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler existieren in verschiedenen Subsystemen und Komponenten wie KVM, ARM oder pmdomain, u.a. wegen mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einer Race-Condition oder einem Use-After-Free und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen." } ], "product_status": { "known_affected": [ "2951", "T002207", "T008144" ] }, "release_date": "2024-12-04T23:00:00.000+00:00", "title": "CVE-2024-53134" }, { "cve": "CVE-2024-53135", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler existieren in verschiedenen Subsystemen und Komponenten wie KVM, ARM oder pmdomain, u.a. wegen mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einer Race-Condition oder einem Use-After-Free und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen." } ], "product_status": { "known_affected": [ "2951", "T002207", "T008144" ] }, "release_date": "2024-12-04T23:00:00.000+00:00", "title": "CVE-2024-53135" }, { "cve": "CVE-2024-53136", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler existieren in verschiedenen Subsystemen und Komponenten wie KVM, ARM oder pmdomain, u.a. wegen mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einer Race-Condition oder einem Use-After-Free und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen." } ], "product_status": { "known_affected": [ "2951", "T002207", "T008144" ] }, "release_date": "2024-12-04T23:00:00.000+00:00", "title": "CVE-2024-53136" }, { "cve": "CVE-2024-53137", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler existieren in verschiedenen Subsystemen und Komponenten wie KVM, ARM oder pmdomain, u.a. wegen mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einer Race-Condition oder einem Use-After-Free und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen." } ], "product_status": { "known_affected": [ "2951", "T002207", "T008144" ] }, "release_date": "2024-12-04T23:00:00.000+00:00", "title": "CVE-2024-53137" }, { "cve": "CVE-2024-53138", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler existieren in verschiedenen Subsystemen und Komponenten wie KVM, ARM oder pmdomain, u.a. wegen mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einer Race-Condition oder einem Use-After-Free und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen." } ], "product_status": { "known_affected": [ "2951", "T002207", "T008144" ] }, "release_date": "2024-12-04T23:00:00.000+00:00", "title": "CVE-2024-53138" }, { "cve": "CVE-2024-53139", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler existieren in verschiedenen Subsystemen und Komponenten wie KVM, ARM oder pmdomain, u.a. wegen mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einer Race-Condition oder einem Use-After-Free und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen." } ], "product_status": { "known_affected": [ "2951", "T002207", "T008144" ] }, "release_date": "2024-12-04T23:00:00.000+00:00", "title": "CVE-2024-53139" }, { "cve": "CVE-2024-53140", "notes": [ { "category": "description", "text": "Es bestehen mehrere Schwachstellen im Linux-Kernel. Diese Fehler existieren in verschiedenen Subsystemen und Komponenten wie KVM, ARM oder pmdomain, u.a. wegen mehrerer sicherheitsrelevanter Probleme wie einer NULL-Zeiger-Dereferenz, einer Race-Condition oder einem Use-After-Free und mehr. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen." } ], "product_status": { "known_affected": [ "2951", "T002207", "T008144" ] }, "release_date": "2024-12-04T23:00:00.000+00:00", "title": "CVE-2024-53140" } ] }
cve-2024-53135
Vulnerability from cvelistv5
Published
2024-12-04 14:20
Modified
2024-12-19 09:40
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKEN
Hide KVM's pt_mode module param behind CONFIG_BROKEN, i.e. disable support
for virtualizing Intel PT via guest/host mode unless BROKEN=y. There are
myriad bugs in the implementation, some of which are fatal to the guest,
and others which put the stability and health of the host at risk.
For guest fatalities, the most glaring issue is that KVM fails to ensure
tracing is disabled, and *stays* disabled prior to VM-Enter, which is
necessary as hardware disallows loading (the guest's) RTIT_CTL if tracing
is enabled (enforced via a VMX consistency check). Per the SDM:
If the logical processor is operating with Intel PT enabled (if
IA32_RTIT_CTL.TraceEn = 1) at the time of VM entry, the "load
IA32_RTIT_CTL" VM-entry control must be 0.
On the host side, KVM doesn't validate the guest CPUID configuration
provided by userspace, and even worse, uses the guest configuration to
decide what MSRs to save/load at VM-Enter and VM-Exit. E.g. configuring
guest CPUID to enumerate more address ranges than are supported in hardware
will result in KVM trying to passthrough, save, and load non-existent MSRs,
which generates a variety of WARNs, ToPA ERRORs in the host, a potential
deadlock, etc.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: f99e3daf94ff35dd4a878d32ff66e1fd35223ad6 Version: f99e3daf94ff35dd4a878d32ff66e1fd35223ad6 Version: f99e3daf94ff35dd4a878d32ff66e1fd35223ad6 Version: f99e3daf94ff35dd4a878d32ff66e1fd35223ad6 Version: f99e3daf94ff35dd4a878d32ff66e1fd35223ad6 Version: f99e3daf94ff35dd4a878d32ff66e1fd35223ad6 Version: f99e3daf94ff35dd4a878d32ff66e1fd35223ad6 |
||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "arch/x86/kvm/vmx/vmx.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "c3742319d021f5aa3a0a8c828485fee14753f6de", "status": "affected", "version": "f99e3daf94ff35dd4a878d32ff66e1fd35223ad6", "versionType": "git" }, { "lessThan": "d4b42f926adcce4e5ec193c714afd9d37bba8e5b", "status": "affected", "version": "f99e3daf94ff35dd4a878d32ff66e1fd35223ad6", "versionType": "git" }, { "lessThan": "b8a1d572478b6f239061ee9578b2451bf2f021c2", "status": "affected", "version": "f99e3daf94ff35dd4a878d32ff66e1fd35223ad6", "versionType": "git" }, { "lessThan": "e6716f4230a8784957273ddd27326264b27b9313", "status": "affected", "version": "f99e3daf94ff35dd4a878d32ff66e1fd35223ad6", "versionType": "git" }, { "lessThan": "d28b059ee4779b5102c5da6e929762520510e406", "status": "affected", "version": "f99e3daf94ff35dd4a878d32ff66e1fd35223ad6", "versionType": "git" }, { "lessThan": "b91bb0ce5cd7005b376eac690ec664c1b56372ec", "status": "affected", "version": "f99e3daf94ff35dd4a878d32ff66e1fd35223ad6", "versionType": "git" }, { "lessThan": "aa0d42cacf093a6fcca872edc954f6f812926a17", "status": "affected", "version": "f99e3daf94ff35dd4a878d32ff66e1fd35223ad6", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "arch/x86/kvm/vmx/vmx.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.0" }, { "lessThan": "5.0", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.287", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.231", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.174", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.119", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.63", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.10", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKEN\n\nHide KVM\u0027s pt_mode module param behind CONFIG_BROKEN, i.e. disable support\nfor virtualizing Intel PT via guest/host mode unless BROKEN=y. There are\nmyriad bugs in the implementation, some of which are fatal to the guest,\nand others which put the stability and health of the host at risk.\n\nFor guest fatalities, the most glaring issue is that KVM fails to ensure\ntracing is disabled, and *stays* disabled prior to VM-Enter, which is\nnecessary as hardware disallows loading (the guest\u0027s) RTIT_CTL if tracing\nis enabled (enforced via a VMX consistency check). Per the SDM:\n\n If the logical processor is operating with Intel PT enabled (if\n IA32_RTIT_CTL.TraceEn = 1) at the time of VM entry, the \"load\n IA32_RTIT_CTL\" VM-entry control must be 0.\n\nOn the host side, KVM doesn\u0027t validate the guest CPUID configuration\nprovided by userspace, and even worse, uses the guest configuration to\ndecide what MSRs to save/load at VM-Enter and VM-Exit. E.g. configuring\nguest CPUID to enumerate more address ranges than are supported in hardware\nwill result in KVM trying to passthrough, save, and load non-existent MSRs,\nwhich generates a variety of WARNs, ToPA ERRORs in the host, a potential\ndeadlock, etc." } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:40:03.779Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/c3742319d021f5aa3a0a8c828485fee14753f6de" }, { "url": "https://git.kernel.org/stable/c/d4b42f926adcce4e5ec193c714afd9d37bba8e5b" }, { "url": "https://git.kernel.org/stable/c/b8a1d572478b6f239061ee9578b2451bf2f021c2" }, { "url": "https://git.kernel.org/stable/c/e6716f4230a8784957273ddd27326264b27b9313" }, { "url": "https://git.kernel.org/stable/c/d28b059ee4779b5102c5da6e929762520510e406" }, { "url": "https://git.kernel.org/stable/c/b91bb0ce5cd7005b376eac690ec664c1b56372ec" }, { "url": "https://git.kernel.org/stable/c/aa0d42cacf093a6fcca872edc954f6f812926a17" } ], "title": "KVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKEN", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-53135", "datePublished": "2024-12-04T14:20:40.815Z", "dateReserved": "2024-11-19T17:17:24.996Z", "dateUpdated": "2024-12-19T09:40:03.779Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-53138
Vulnerability from cvelistv5
Published
2024-12-04 14:20
Modified
2024-12-19 09:40
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: kTLS, Fix incorrect page refcounting
The kTLS tx handling code is using a mix of get_page() and
page_ref_inc() APIs to increment the page reference. But on the release
path (mlx5e_ktls_tx_handle_resync_dump_comp()), only put_page() is used.
This is an issue when using pages from large folios: the get_page()
references are stored on the folio page while the page_ref_inc()
references are stored directly in the given page. On release the folio
page will be dereferenced too many times.
This was found while doing kTLS testing with sendfile() + ZC when the
served file was read from NFS on a kernel with NFS large folios support
(commit 49b29a573da8 ("nfs: add support for large folios")).
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 84d1bb2b139e0184b1754aa1b5776186b475fce8 Version: 84d1bb2b139e0184b1754aa1b5776186b475fce8 Version: 84d1bb2b139e0184b1754aa1b5776186b475fce8 Version: 84d1bb2b139e0184b1754aa1b5776186b475fce8 Version: 84d1bb2b139e0184b1754aa1b5776186b475fce8 Version: 84d1bb2b139e0184b1754aa1b5776186b475fce8 Version: 84d1bb2b139e0184b1754aa1b5776186b475fce8 |
||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_tx.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "a0ddb20a748b122ea86003485f7992fa5e84cc95", "status": "affected", "version": "84d1bb2b139e0184b1754aa1b5776186b475fce8", "versionType": "git" }, { "lessThan": "ffad2ac8c859c1c1a981fe9c4f7ff925db684a43", "status": "affected", "version": "84d1bb2b139e0184b1754aa1b5776186b475fce8", "versionType": "git" }, { "lessThan": "c7b97f9e794d8e2bbaa50e1d6c230196fd214b5e", "status": "affected", "version": "84d1bb2b139e0184b1754aa1b5776186b475fce8", "versionType": "git" }, { "lessThan": "69fbd07f17b0fdaf8970bc705f5bf115c297839d", "status": "affected", "version": "84d1bb2b139e0184b1754aa1b5776186b475fce8", "versionType": "git" }, { "lessThan": "93a14620b97c911489a5b008782f3d9b0c4aeff4", "status": "affected", "version": "84d1bb2b139e0184b1754aa1b5776186b475fce8", "versionType": "git" }, { "lessThan": "2723e8b2cbd486cb96e5a61b22473f7fd62e18df", "status": "affected", "version": "84d1bb2b139e0184b1754aa1b5776186b475fce8", "versionType": "git" }, { "lessThan": "dd6e972cc5890d91d6749bb48e3912721c4e4b25", "status": "affected", "version": "84d1bb2b139e0184b1754aa1b5776186b475fce8", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_tx.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.4" }, { "lessThan": "5.4", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.287", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.231", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.174", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.119", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.63", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.10", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: kTLS, Fix incorrect page refcounting\n\nThe kTLS tx handling code is using a mix of get_page() and\npage_ref_inc() APIs to increment the page reference. But on the release\npath (mlx5e_ktls_tx_handle_resync_dump_comp()), only put_page() is used.\n\nThis is an issue when using pages from large folios: the get_page()\nreferences are stored on the folio page while the page_ref_inc()\nreferences are stored directly in the given page. On release the folio\npage will be dereferenced too many times.\n\nThis was found while doing kTLS testing with sendfile() + ZC when the\nserved file was read from NFS on a kernel with NFS large folios support\n(commit 49b29a573da8 (\"nfs: add support for large folios\"))." } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:40:07.399Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/a0ddb20a748b122ea86003485f7992fa5e84cc95" }, { "url": "https://git.kernel.org/stable/c/ffad2ac8c859c1c1a981fe9c4f7ff925db684a43" }, { "url": "https://git.kernel.org/stable/c/c7b97f9e794d8e2bbaa50e1d6c230196fd214b5e" }, { "url": "https://git.kernel.org/stable/c/69fbd07f17b0fdaf8970bc705f5bf115c297839d" }, { "url": "https://git.kernel.org/stable/c/93a14620b97c911489a5b008782f3d9b0c4aeff4" }, { "url": "https://git.kernel.org/stable/c/2723e8b2cbd486cb96e5a61b22473f7fd62e18df" }, { "url": "https://git.kernel.org/stable/c/dd6e972cc5890d91d6749bb48e3912721c4e4b25" } ], "title": "net/mlx5e: kTLS, Fix incorrect page refcounting", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-53138", "datePublished": "2024-12-04T14:20:43.395Z", "dateReserved": "2024-11-19T17:17:24.996Z", "dateUpdated": "2024-12-19T09:40:07.399Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-53137
Vulnerability from cvelistv5
Published
2024-12-04 14:20
Modified
2024-12-19 09:40
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ARM: fix cacheflush with PAN
It seems that the cacheflush syscall got broken when PAN for LPAE was
implemented. User access was not enabled around the cache maintenance
instructions, causing them to fault.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "arch/arm/kernel/traps.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "e6960a2ed49c9a25357817535f7cc50594a58604", "status": "affected", "version": "7af5b901e84743c608aae90cb0e429702812c324", "versionType": "git" }, { "lessThan": "ca29cfcc4a21083d671522ad384532e28a43f033", "status": "affected", "version": "7af5b901e84743c608aae90cb0e429702812c324", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "arch/arm/kernel/traps.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.10" }, { "lessThan": "6.10", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.10", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: fix cacheflush with PAN\n\nIt seems that the cacheflush syscall got broken when PAN for LPAE was\nimplemented. User access was not enabled around the cache maintenance\ninstructions, causing them to fault." } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:40:06.221Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/e6960a2ed49c9a25357817535f7cc50594a58604" }, { "url": "https://git.kernel.org/stable/c/ca29cfcc4a21083d671522ad384532e28a43f033" } ], "title": "ARM: fix cacheflush with PAN", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-53137", "datePublished": "2024-12-04T14:20:42.510Z", "dateReserved": "2024-11-19T17:17:24.996Z", "dateUpdated": "2024-12-19T09:40:06.221Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-53140
Vulnerability from cvelistv5
Published
2024-12-04 14:20
Modified
2024-12-19 09:40
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netlink: terminate outstanding dump on socket close
Netlink supports iterative dumping of data. It provides the families
the following ops:
- start - (optional) kicks off the dumping process
- dump - actual dump helper, keeps getting called until it returns 0
- done - (optional) pairs with .start, can be used for cleanup
The whole process is asynchronous and the repeated calls to .dump
don't actually happen in a tight loop, but rather are triggered
in response to recvmsg() on the socket.
This gives the user full control over the dump, but also means that
the user can close the socket without getting to the end of the dump.
To make sure .start is always paired with .done we check if there
is an ongoing dump before freeing the socket, and if so call .done.
The complication is that sockets can get freed from BH and .done
is allowed to sleep. So we use a workqueue to defer the call, when
needed.
Unfortunately this does not work correctly. What we defer is not
the cleanup but rather releasing a reference on the socket.
We have no guarantee that we own the last reference, if someone
else holds the socket they may release it in BH and we're back
to square one.
The whole dance, however, appears to be unnecessary. Only the user
can interact with dumps, so we can clean up when socket is closed.
And close always happens in process context. Some async code may
still access the socket after close, queue notification skbs to it etc.
but no dumps can start, end or otherwise make progress.
Delete the workqueue and flush the dump state directly from the release
handler. Note that further cleanup is possible in -next, for instance
we now always call .done before releasing the main module reference,
so dump doesn't have to take a reference of its own.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: ed5d7788a934a4b6d6d025e948ed4da496b4f12e Version: ed5d7788a934a4b6d6d025e948ed4da496b4f12e Version: ed5d7788a934a4b6d6d025e948ed4da496b4f12e Version: ed5d7788a934a4b6d6d025e948ed4da496b4f12e Version: ed5d7788a934a4b6d6d025e948ed4da496b4f12e Version: ed5d7788a934a4b6d6d025e948ed4da496b4f12e Version: ed5d7788a934a4b6d6d025e948ed4da496b4f12e Version: ed5d7788a934a4b6d6d025e948ed4da496b4f12e |
||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/netlink/af_netlink.c", "net/netlink/af_netlink.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "114a61d8d94ae3a43b82446cf737fd757021b834", "status": "affected", "version": "ed5d7788a934a4b6d6d025e948ed4da496b4f12e", "versionType": "git" }, { "lessThan": "598c956b62699c3753929602560d8df322e60559", "status": "affected", "version": "ed5d7788a934a4b6d6d025e948ed4da496b4f12e", "versionType": "git" }, { "lessThan": "6e3f2c512d2b7dbd247485b1dd9e43e4210a18f4", "status": "affected", "version": "ed5d7788a934a4b6d6d025e948ed4da496b4f12e", "versionType": "git" }, { "lessThan": "d2fab3d66cc16cfb9e3ea1772abe6b79b71fa603", "status": "affected", "version": "ed5d7788a934a4b6d6d025e948ed4da496b4f12e", "versionType": "git" }, { "lessThan": "4e87a52133284afbd40fb522dbf96e258af52a98", "status": "affected", "version": "ed5d7788a934a4b6d6d025e948ed4da496b4f12e", "versionType": "git" }, { "lessThan": "bbc769d2fa1b8b368c5fbe013b5b096afa3c05ca", "status": "affected", "version": "ed5d7788a934a4b6d6d025e948ed4da496b4f12e", "versionType": "git" }, { "lessThan": "176c41b3ca9281a9736b67c6121b03dbf0c8c08f", "status": "affected", "version": "ed5d7788a934a4b6d6d025e948ed4da496b4f12e", "versionType": "git" }, { "lessThan": "1904fb9ebf911441f90a68e96b22aa73e4410505", "status": "affected", "version": "ed5d7788a934a4b6d6d025e948ed4da496b4f12e", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/netlink/af_netlink.c", "net/netlink/af_netlink.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.9" }, { "lessThan": "4.9", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.325", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.287", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.231", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.174", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.119", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.63", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.10", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetlink: terminate outstanding dump on socket close\n\nNetlink supports iterative dumping of data. It provides the families\nthe following ops:\n - start - (optional) kicks off the dumping process\n - dump - actual dump helper, keeps getting called until it returns 0\n - done - (optional) pairs with .start, can be used for cleanup\nThe whole process is asynchronous and the repeated calls to .dump\ndon\u0027t actually happen in a tight loop, but rather are triggered\nin response to recvmsg() on the socket.\n\nThis gives the user full control over the dump, but also means that\nthe user can close the socket without getting to the end of the dump.\nTo make sure .start is always paired with .done we check if there\nis an ongoing dump before freeing the socket, and if so call .done.\n\nThe complication is that sockets can get freed from BH and .done\nis allowed to sleep. So we use a workqueue to defer the call, when\nneeded.\n\nUnfortunately this does not work correctly. What we defer is not\nthe cleanup but rather releasing a reference on the socket.\nWe have no guarantee that we own the last reference, if someone\nelse holds the socket they may release it in BH and we\u0027re back\nto square one.\n\nThe whole dance, however, appears to be unnecessary. Only the user\ncan interact with dumps, so we can clean up when socket is closed.\nAnd close always happens in process context. Some async code may\nstill access the socket after close, queue notification skbs to it etc.\nbut no dumps can start, end or otherwise make progress.\n\nDelete the workqueue and flush the dump state directly from the release\nhandler. Note that further cleanup is possible in -next, for instance\nwe now always call .done before releasing the main module reference,\nso dump doesn\u0027t have to take a reference of its own." } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:40:09.982Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/114a61d8d94ae3a43b82446cf737fd757021b834" }, { "url": "https://git.kernel.org/stable/c/598c956b62699c3753929602560d8df322e60559" }, { "url": "https://git.kernel.org/stable/c/6e3f2c512d2b7dbd247485b1dd9e43e4210a18f4" }, { "url": "https://git.kernel.org/stable/c/d2fab3d66cc16cfb9e3ea1772abe6b79b71fa603" }, { "url": "https://git.kernel.org/stable/c/4e87a52133284afbd40fb522dbf96e258af52a98" }, { "url": "https://git.kernel.org/stable/c/bbc769d2fa1b8b368c5fbe013b5b096afa3c05ca" }, { "url": "https://git.kernel.org/stable/c/176c41b3ca9281a9736b67c6121b03dbf0c8c08f" }, { "url": "https://git.kernel.org/stable/c/1904fb9ebf911441f90a68e96b22aa73e4410505" } ], "title": "netlink: terminate outstanding dump on socket close", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-53140", "datePublished": "2024-12-04T14:20:44.914Z", "dateReserved": "2024-11-19T17:17:24.997Z", "dateUpdated": "2024-12-19T09:40:09.982Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-53128
Vulnerability from cvelistv5
Published
2024-12-04 14:20
Modified
2025-01-17 13:27
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
sched/task_stack: fix object_is_on_stack() for KASAN tagged pointers
When CONFIG_KASAN_SW_TAGS and CONFIG_KASAN_STACK are enabled, the
object_is_on_stack() function may produce incorrect results due to the
presence of tags in the obj pointer, while the stack pointer does not have
tags. This discrepancy can lead to incorrect stack object detection and
subsequently trigger warnings if CONFIG_DEBUG_OBJECTS is also enabled.
Example of the warning:
ODEBUG: object 3eff800082ea7bb0 is NOT on stack ffff800082ea0000, but annotated.
------------[ cut here ]------------
WARNING: CPU: 0 PID: 1 at lib/debugobjects.c:557 __debug_object_init+0x330/0x364
Modules linked in:
CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.0-rc5 #4
Hardware name: linux,dummy-virt (DT)
pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __debug_object_init+0x330/0x364
lr : __debug_object_init+0x330/0x364
sp : ffff800082ea7b40
x29: ffff800082ea7b40 x28: 98ff0000c0164518 x27: 98ff0000c0164534
x26: ffff800082d93ec8 x25: 0000000000000001 x24: 1cff0000c00172a0
x23: 0000000000000000 x22: ffff800082d93ed0 x21: ffff800081a24418
x20: 3eff800082ea7bb0 x19: efff800000000000 x18: 0000000000000000
x17: 00000000000000ff x16: 0000000000000047 x15: 206b63617473206e
x14: 0000000000000018 x13: ffff800082ea7780 x12: 0ffff800082ea78e
x11: 0ffff800082ea790 x10: 0ffff800082ea79d x9 : 34d77febe173e800
x8 : 34d77febe173e800 x7 : 0000000000000001 x6 : 0000000000000001
x5 : feff800082ea74b8 x4 : ffff800082870a90 x3 : ffff80008018d3c4
x2 : 0000000000000001 x1 : ffff800082858810 x0 : 0000000000000050
Call trace:
__debug_object_init+0x330/0x364
debug_object_init_on_stack+0x30/0x3c
schedule_hrtimeout_range_clock+0xac/0x26c
schedule_hrtimeout+0x1c/0x30
wait_task_inactive+0x1d4/0x25c
kthread_bind_mask+0x28/0x98
init_rescuer+0x1e8/0x280
workqueue_init+0x1a0/0x3cc
kernel_init_freeable+0x118/0x200
kernel_init+0x28/0x1f0
ret_from_fork+0x10/0x20
---[ end trace 0000000000000000 ]---
ODEBUG: object 3eff800082ea7bb0 is NOT on stack ffff800082ea0000, but annotated.
------------[ cut here ]------------
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "include/linux/sched/task_stack.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "397383db9c69470642ac95beb04f2150928d663b", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "2d2b19ed4169c38dc6c61a186c5f7bdafc709691", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "fbfe23012cec509dfbe09852019c4e4bb84999d0", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "fd7b4f9f46d46acbc7af3a439bb0d869efdc5c58", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "include/linux/sched/task_stack.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.125", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.69", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.10", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/task_stack: fix object_is_on_stack() for KASAN tagged pointers\n\nWhen CONFIG_KASAN_SW_TAGS and CONFIG_KASAN_STACK are enabled, the\nobject_is_on_stack() function may produce incorrect results due to the\npresence of tags in the obj pointer, while the stack pointer does not have\ntags. This discrepancy can lead to incorrect stack object detection and\nsubsequently trigger warnings if CONFIG_DEBUG_OBJECTS is also enabled.\n\nExample of the warning:\n\nODEBUG: object 3eff800082ea7bb0 is NOT on stack ffff800082ea0000, but annotated.\n------------[ cut here ]------------\nWARNING: CPU: 0 PID: 1 at lib/debugobjects.c:557 __debug_object_init+0x330/0x364\nModules linked in:\nCPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.0-rc5 #4\nHardware name: linux,dummy-virt (DT)\npstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : __debug_object_init+0x330/0x364\nlr : __debug_object_init+0x330/0x364\nsp : ffff800082ea7b40\nx29: ffff800082ea7b40 x28: 98ff0000c0164518 x27: 98ff0000c0164534\nx26: ffff800082d93ec8 x25: 0000000000000001 x24: 1cff0000c00172a0\nx23: 0000000000000000 x22: ffff800082d93ed0 x21: ffff800081a24418\nx20: 3eff800082ea7bb0 x19: efff800000000000 x18: 0000000000000000\nx17: 00000000000000ff x16: 0000000000000047 x15: 206b63617473206e\nx14: 0000000000000018 x13: ffff800082ea7780 x12: 0ffff800082ea78e\nx11: 0ffff800082ea790 x10: 0ffff800082ea79d x9 : 34d77febe173e800\nx8 : 34d77febe173e800 x7 : 0000000000000001 x6 : 0000000000000001\nx5 : feff800082ea74b8 x4 : ffff800082870a90 x3 : ffff80008018d3c4\nx2 : 0000000000000001 x1 : ffff800082858810 x0 : 0000000000000050\nCall trace:\n __debug_object_init+0x330/0x364\n debug_object_init_on_stack+0x30/0x3c\n schedule_hrtimeout_range_clock+0xac/0x26c\n schedule_hrtimeout+0x1c/0x30\n wait_task_inactive+0x1d4/0x25c\n kthread_bind_mask+0x28/0x98\n init_rescuer+0x1e8/0x280\n workqueue_init+0x1a0/0x3cc\n kernel_init_freeable+0x118/0x200\n kernel_init+0x28/0x1f0\n ret_from_fork+0x10/0x20\n---[ end trace 0000000000000000 ]---\nODEBUG: object 3eff800082ea7bb0 is NOT on stack ffff800082ea0000, but annotated.\n------------[ cut here ]------------" } ], "providerMetadata": { "dateUpdated": "2025-01-17T13:27:01.390Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/397383db9c69470642ac95beb04f2150928d663b" }, { "url": "https://git.kernel.org/stable/c/2d2b19ed4169c38dc6c61a186c5f7bdafc709691" }, { "url": "https://git.kernel.org/stable/c/fbfe23012cec509dfbe09852019c4e4bb84999d0" }, { "url": "https://git.kernel.org/stable/c/fd7b4f9f46d46acbc7af3a439bb0d869efdc5c58" } ], "title": "sched/task_stack: fix object_is_on_stack() for KASAN tagged pointers", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-53128", "datePublished": "2024-12-04T14:20:34.985Z", "dateReserved": "2024-11-19T17:17:24.995Z", "dateUpdated": "2025-01-17T13:27:01.390Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-53133
Vulnerability from cvelistv5
Published
2024-12-04 14:20
Modified
2024-12-19 09:40
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Handle dml allocation failure to avoid crash
[Why]
In the case where a dml allocation fails for any reason, the
current state's dml contexts would no longer be valid. Then
subsequent calls dc_state_copy_internal would shallow copy
invalid memory and if the new state was released, a double
free would occur.
[How]
Reset dml pointers in new_state to NULL and avoid invalid
pointer
(cherry picked from commit bcafdc61529a48f6f06355d78eb41b3aeda5296c)
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/amd/display/dc/core/dc_state.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "874ff59cde8fc525112dda26b501a1bac17dde9f", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "6825cb07b79ffeb1d90ffaa7a1227462cdca34ae", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/amd/display/dc/core/dc_state.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.10", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Handle dml allocation failure to avoid crash\n\n[Why]\nIn the case where a dml allocation fails for any reason, the\ncurrent state\u0027s dml contexts would no longer be valid. Then\nsubsequent calls dc_state_copy_internal would shallow copy\ninvalid memory and if the new state was released, a double\nfree would occur.\n\n[How]\nReset dml pointers in new_state to NULL and avoid invalid\npointer\n\n(cherry picked from commit bcafdc61529a48f6f06355d78eb41b3aeda5296c)" } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:40:01.005Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/874ff59cde8fc525112dda26b501a1bac17dde9f" }, { "url": "https://git.kernel.org/stable/c/6825cb07b79ffeb1d90ffaa7a1227462cdca34ae" } ], "title": "drm/amd/display: Handle dml allocation failure to avoid crash", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-53133", "datePublished": "2024-12-04T14:20:39.077Z", "dateReserved": "2024-11-19T17:17:24.996Z", "dateUpdated": "2024-12-19T09:40:01.005Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-53129
Vulnerability from cvelistv5
Published
2024-12-04 14:20
Modified
2024-12-19 09:39
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/rockchip: vop: Fix a dereferenced before check warning
The 'state' can't be NULL, we should check crtc_state.
Fix warning:
drivers/gpu/drm/rockchip/rockchip_drm_vop.c:1096
vop_plane_atomic_async_check() warn: variable dereferenced before check
'state' (see line 1077)
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 5ddb0bd4ddc35d9c9376d109398f84277bb8d25e Version: 5ddb0bd4ddc35d9c9376d109398f84277bb8d25e Version: 5ddb0bd4ddc35d9c9376d109398f84277bb8d25e Version: 5ddb0bd4ddc35d9c9376d109398f84277bb8d25e Version: 5ddb0bd4ddc35d9c9376d109398f84277bb8d25e |
||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/rockchip/rockchip_drm_vop.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "4e47b99a7764b23a431bff6a3f91dfe77d294765", "status": "affected", "version": "5ddb0bd4ddc35d9c9376d109398f84277bb8d25e", "versionType": "git" }, { "lessThan": "656dbd1c21c2c088c70059cdd43ec83e7d54ec4d", "status": "affected", "version": "5ddb0bd4ddc35d9c9376d109398f84277bb8d25e", "versionType": "git" }, { "lessThan": "1e53059729691ca4d905118258b9fbd17d854174", "status": "affected", "version": "5ddb0bd4ddc35d9c9376d109398f84277bb8d25e", "versionType": "git" }, { "lessThan": "bbf8bc7e75863942028131ae39c23118f62de6c0", "status": "affected", "version": "5ddb0bd4ddc35d9c9376d109398f84277bb8d25e", "versionType": "git" }, { "lessThan": "ab1c793f457f740ab7108cc0b1340a402dbf484d", "status": "affected", "version": "5ddb0bd4ddc35d9c9376d109398f84277bb8d25e", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/rockchip/rockchip_drm_vop.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.13" }, { "lessThan": "5.13", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.174", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.119", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.63", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.10", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/rockchip: vop: Fix a dereferenced before check warning\n\nThe \u0027state\u0027 can\u0027t be NULL, we should check crtc_state.\n\nFix warning:\ndrivers/gpu/drm/rockchip/rockchip_drm_vop.c:1096\nvop_plane_atomic_async_check() warn: variable dereferenced before check\n\u0027state\u0027 (see line 1077)" } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:39:55.466Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/4e47b99a7764b23a431bff6a3f91dfe77d294765" }, { "url": "https://git.kernel.org/stable/c/656dbd1c21c2c088c70059cdd43ec83e7d54ec4d" }, { "url": "https://git.kernel.org/stable/c/1e53059729691ca4d905118258b9fbd17d854174" }, { "url": "https://git.kernel.org/stable/c/bbf8bc7e75863942028131ae39c23118f62de6c0" }, { "url": "https://git.kernel.org/stable/c/ab1c793f457f740ab7108cc0b1340a402dbf484d" } ], "title": "drm/rockchip: vop: Fix a dereferenced before check warning", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-53129", "datePublished": "2024-12-04T14:20:35.907Z", "dateReserved": "2024-11-19T17:17:24.995Z", "dateUpdated": "2024-12-19T09:39:55.466Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-53130
Vulnerability from cvelistv5
Published
2024-12-04 14:20
Modified
2024-12-19 09:39
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nilfs2: fix null-ptr-deref in block_dirty_buffer tracepoint
When using the "block:block_dirty_buffer" tracepoint, mark_buffer_dirty()
may cause a NULL pointer dereference, or a general protection fault when
KASAN is enabled.
This happens because, since the tracepoint was added in
mark_buffer_dirty(), it references the dev_t member bh->b_bdev->bd_dev
regardless of whether the buffer head has a pointer to a block_device
structure.
In the current implementation, nilfs_grab_buffer(), which grabs a buffer
to read (or create) a block of metadata, including b-tree node blocks,
does not set the block device, but instead does so only if the buffer is
not in the "uptodate" state for each of its caller block reading
functions. However, if the uptodate flag is set on a folio/page, and the
buffer heads are detached from it by try_to_free_buffers(), and new buffer
heads are then attached by create_empty_buffers(), the uptodate flag may
be restored to each buffer without the block device being set to
bh->b_bdev, and mark_buffer_dirty() may be called later in that state,
resulting in the bug mentioned above.
Fix this issue by making nilfs_grab_buffer() always set the block device
of the super block structure to the buffer head, regardless of the state
of the buffer's uptodate flag.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 5305cb830834549b9203ad4d009ad5483c5e293f Version: 5305cb830834549b9203ad4d009ad5483c5e293f Version: 5305cb830834549b9203ad4d009ad5483c5e293f Version: 5305cb830834549b9203ad4d009ad5483c5e293f Version: 5305cb830834549b9203ad4d009ad5483c5e293f Version: 5305cb830834549b9203ad4d009ad5483c5e293f Version: 5305cb830834549b9203ad4d009ad5483c5e293f Version: 5305cb830834549b9203ad4d009ad5483c5e293f |
||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/nilfs2/btnode.c", "fs/nilfs2/gcinode.c", "fs/nilfs2/mdt.c", "fs/nilfs2/page.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "7af3309c7a2ef26831a67125b11c34a7e01c1b2a", "status": "affected", "version": "5305cb830834549b9203ad4d009ad5483c5e293f", "versionType": "git" }, { "lessThan": "0ce59fb1c73fdd5b6028226aeb46259a0cdc0957", "status": "affected", "version": "5305cb830834549b9203ad4d009ad5483c5e293f", "versionType": "git" }, { "lessThan": "0a5014ad37c77ac6a2c525137c00a0e1724f6020", "status": "affected", "version": "5305cb830834549b9203ad4d009ad5483c5e293f", "versionType": "git" }, { "lessThan": "d904e4d845aafbcfd8a40c1df7d999f02f062be8", "status": "affected", "version": "5305cb830834549b9203ad4d009ad5483c5e293f", "versionType": "git" }, { "lessThan": "86b19031dbc79abc378dfae357f6ea33ebeb0c95", "status": "affected", "version": "5305cb830834549b9203ad4d009ad5483c5e293f", "versionType": "git" }, { "lessThan": "b0e4765740040c44039282057ecacd7435d1d2ba", "status": "affected", "version": "5305cb830834549b9203ad4d009ad5483c5e293f", "versionType": "git" }, { "lessThan": "ffc440a76a0f476a7e6ea838ec0dc8e9979944d1", "status": "affected", "version": "5305cb830834549b9203ad4d009ad5483c5e293f", "versionType": "git" }, { "lessThan": "2026559a6c4ce34db117d2db8f710fe2a9420d5a", "status": "affected", "version": "5305cb830834549b9203ad4d009ad5483c5e293f", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/nilfs2/btnode.c", "fs/nilfs2/gcinode.c", "fs/nilfs2/mdt.c", "fs/nilfs2/page.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "3.9" }, { "lessThan": "3.9", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.325", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.287", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.231", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.174", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.119", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.63", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.10", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix null-ptr-deref in block_dirty_buffer tracepoint\n\nWhen using the \"block:block_dirty_buffer\" tracepoint, mark_buffer_dirty()\nmay cause a NULL pointer dereference, or a general protection fault when\nKASAN is enabled.\n\nThis happens because, since the tracepoint was added in\nmark_buffer_dirty(), it references the dev_t member bh-\u003eb_bdev-\u003ebd_dev\nregardless of whether the buffer head has a pointer to a block_device\nstructure.\n\nIn the current implementation, nilfs_grab_buffer(), which grabs a buffer\nto read (or create) a block of metadata, including b-tree node blocks,\ndoes not set the block device, but instead does so only if the buffer is\nnot in the \"uptodate\" state for each of its caller block reading\nfunctions. However, if the uptodate flag is set on a folio/page, and the\nbuffer heads are detached from it by try_to_free_buffers(), and new buffer\nheads are then attached by create_empty_buffers(), the uptodate flag may\nbe restored to each buffer without the block device being set to\nbh-\u003eb_bdev, and mark_buffer_dirty() may be called later in that state,\nresulting in the bug mentioned above.\n\nFix this issue by making nilfs_grab_buffer() always set the block device\nof the super block structure to the buffer head, regardless of the state\nof the buffer\u0027s uptodate flag." } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:39:56.767Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/7af3309c7a2ef26831a67125b11c34a7e01c1b2a" }, { "url": "https://git.kernel.org/stable/c/0ce59fb1c73fdd5b6028226aeb46259a0cdc0957" }, { "url": "https://git.kernel.org/stable/c/0a5014ad37c77ac6a2c525137c00a0e1724f6020" }, { "url": "https://git.kernel.org/stable/c/d904e4d845aafbcfd8a40c1df7d999f02f062be8" }, { "url": "https://git.kernel.org/stable/c/86b19031dbc79abc378dfae357f6ea33ebeb0c95" }, { "url": "https://git.kernel.org/stable/c/b0e4765740040c44039282057ecacd7435d1d2ba" }, { "url": "https://git.kernel.org/stable/c/ffc440a76a0f476a7e6ea838ec0dc8e9979944d1" }, { "url": "https://git.kernel.org/stable/c/2026559a6c4ce34db117d2db8f710fe2a9420d5a" } ], "title": "nilfs2: fix null-ptr-deref in block_dirty_buffer tracepoint", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-53130", "datePublished": "2024-12-04T14:20:36.741Z", "dateReserved": "2024-11-19T17:17:24.995Z", "dateUpdated": "2024-12-19T09:39:56.767Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-53132
Vulnerability from cvelistv5
Published
2024-12-04 14:20
Modified
2024-12-19 09:39
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/xe/oa: Fix "Missing outer runtime PM protection" warning
Fix the following drm_WARN:
[953.586396] xe 0000:00:02.0: [drm] Missing outer runtime PM protection
...
<4> [953.587090] ? xe_pm_runtime_get_noresume+0x8d/0xa0 [xe]
<4> [953.587208] guc_exec_queue_add_msg+0x28/0x130 [xe]
<4> [953.587319] guc_exec_queue_fini+0x3a/0x40 [xe]
<4> [953.587425] xe_exec_queue_destroy+0xb3/0xf0 [xe]
<4> [953.587515] xe_oa_release+0x9c/0xc0 [xe]
(cherry picked from commit b107c63d2953907908fd0cafb0e543b3c3167b75)
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/xe/xe_oa.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "ed7cd3510d8da6e3578d9125a9ea4440f8adeeaa", "status": "affected", "version": "e936f885f1e96f59d9d05fb6cb5a02b9b9b88a05", "versionType": "git" }, { "lessThan": "c0403e4ceecaefbeaf78263dffcd3e3f06a19f6b", "status": "affected", "version": "e936f885f1e96f59d9d05fb6cb5a02b9b9b88a05", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/xe/xe_oa.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.11" }, { "lessThan": "6.11", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.10", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/oa: Fix \"Missing outer runtime PM protection\" warning\n\nFix the following drm_WARN:\n\n[953.586396] xe 0000:00:02.0: [drm] Missing outer runtime PM protection\n...\n\u003c4\u003e [953.587090] ? xe_pm_runtime_get_noresume+0x8d/0xa0 [xe]\n\u003c4\u003e [953.587208] guc_exec_queue_add_msg+0x28/0x130 [xe]\n\u003c4\u003e [953.587319] guc_exec_queue_fini+0x3a/0x40 [xe]\n\u003c4\u003e [953.587425] xe_exec_queue_destroy+0xb3/0xf0 [xe]\n\u003c4\u003e [953.587515] xe_oa_release+0x9c/0xc0 [xe]\n\n(cherry picked from commit b107c63d2953907908fd0cafb0e543b3c3167b75)" } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:39:59.429Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/ed7cd3510d8da6e3578d9125a9ea4440f8adeeaa" }, { "url": "https://git.kernel.org/stable/c/c0403e4ceecaefbeaf78263dffcd3e3f06a19f6b" } ], "title": "drm/xe/oa: Fix \"Missing outer runtime PM protection\" warning", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-53132", "datePublished": "2024-12-04T14:20:38.214Z", "dateReserved": "2024-11-19T17:17:24.996Z", "dateUpdated": "2024-12-19T09:39:59.429Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-53139
Vulnerability from cvelistv5
Published
2024-12-04 14:20
Modified
2024-12-19 09:40
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
sctp: fix possible UAF in sctp_v6_available()
A lockdep report [1] with CONFIG_PROVE_RCU_LIST=y hints
that sctp_v6_available() is calling dev_get_by_index_rcu()
and ipv6_chk_addr() without holding rcu.
[1]
=============================
WARNING: suspicious RCU usage
6.12.0-rc5-virtme #1216 Tainted: G W
-----------------------------
net/core/dev.c:876 RCU-list traversed in non-reader section!!
other info that might help us debug this:
rcu_scheduler_active = 2, debug_locks = 1
1 lock held by sctp_hello/31495:
#0: ffff9f1ebbdb7418 (sk_lock-AF_INET6){+.+.}-{0:0}, at: sctp_bind (./arch/x86/include/asm/jump_label.h:27 net/sctp/socket.c:315) sctp
stack backtrace:
CPU: 7 UID: 0 PID: 31495 Comm: sctp_hello Tainted: G W 6.12.0-rc5-virtme #1216
Tainted: [W]=WARN
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl (lib/dump_stack.c:123)
lockdep_rcu_suspicious (kernel/locking/lockdep.c:6822)
dev_get_by_index_rcu (net/core/dev.c:876 (discriminator 7))
sctp_v6_available (net/sctp/ipv6.c:701) sctp
sctp_do_bind (net/sctp/socket.c:400 (discriminator 1)) sctp
sctp_bind (net/sctp/socket.c:320) sctp
inet6_bind_sk (net/ipv6/af_inet6.c:465)
? security_socket_bind (security/security.c:4581 (discriminator 1))
__sys_bind (net/socket.c:1848 net/socket.c:1869)
? do_user_addr_fault (./include/linux/rcupdate.h:347 ./include/linux/rcupdate.h:880 ./include/linux/mm.h:729 arch/x86/mm/fault.c:1340)
? do_user_addr_fault (./arch/x86/include/asm/preempt.h:84 (discriminator 13) ./include/linux/rcupdate.h:98 (discriminator 13) ./include/linux/rcupdate.h:882 (discriminator 13) ./include/linux/mm.h:729 (discriminator 13) arch/x86/mm/fault.c:1340 (discriminator 13))
__x64_sys_bind (net/socket.c:1877 (discriminator 1) net/socket.c:1875 (discriminator 1) net/socket.c:1875 (discriminator 1))
do_syscall_64 (arch/x86/entry/common.c:52 (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1))
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
RIP: 0033:0x7f59b934a1e7
Code: 44 00 00 48 8b 15 39 8c 0c 00 f7 d8 64 89 02 b8 ff ff ff ff eb bd 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 b8 31 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 09 8c 0c 00 f7 d8 64 89 01 48
All code
========
0: 44 00 00 add %r8b,(%rax)
3: 48 8b 15 39 8c 0c 00 mov 0xc8c39(%rip),%rdx # 0xc8c43
a: f7 d8 neg %eax
c: 64 89 02 mov %eax,%fs:(%rdx)
f: b8 ff ff ff ff mov $0xffffffff,%eax
14: eb bd jmp 0xffffffffffffffd3
16: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
1d: 00 00 00
20: 0f 1f 00 nopl (%rax)
23: b8 31 00 00 00 mov $0x31,%eax
28: 0f 05 syscall
2a:* 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction
30: 73 01 jae 0x33
32: c3 ret
33: 48 8b 0d 09 8c 0c 00 mov 0xc8c09(%rip),%rcx # 0xc8c43
3a: f7 d8 neg %eax
3c: 64 89 01 mov %eax,%fs:(%rcx)
3f: 48 rex.W
Code starting with the faulting instruction
===========================================
0: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax
6: 73 01 jae 0x9
8: c3 ret
9: 48 8b 0d 09 8c 0c 00 mov 0xc8c09(%rip),%rcx # 0xc8c19
10: f7 d8 neg %eax
12: 64 89 01 mov %eax,%fs:(%rcx)
15: 48 rex.W
RSP: 002b:00007ffe2d0ad398 EFLAGS: 00000202 ORIG_RAX: 0000000000000031
RAX: ffffffffffffffda RBX: 00007ffe2d0ad3d0 RCX: 00007f59b934a1e7
RDX: 000000000000001c RSI: 00007ffe2d0ad3d0 RDI: 0000000000000005
RBP: 0000000000000005 R08: 1999999999999999 R09: 0000000000000000
R10: 00007f59b9253298 R11: 000000000000
---truncated---
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-53139", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-12-11T14:25:14.293518Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-416", "description": "CWE-416 Use After Free", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-12-11T14:58:31.168Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/sctp/ipv6.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "ad975697211f4f2c4ce61c3ba524fd14d88ceab8", "status": "affected", "version": "6fe1e52490a91cb23f6b3aafc93e7c5beb99f862", "versionType": "git" }, { "lessThan": "05656a66592759242c74063616291b7274d11b2f", "status": "affected", "version": "6fe1e52490a91cb23f6b3aafc93e7c5beb99f862", "versionType": "git" }, { "lessThan": "eb72e7fcc83987d5d5595b43222f23b295d5de7f", "status": "affected", "version": "6fe1e52490a91cb23f6b3aafc93e7c5beb99f862", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/sctp/ipv6.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.2" }, { "lessThan": "6.2", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.63", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.10", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: fix possible UAF in sctp_v6_available()\n\nA lockdep report [1] with CONFIG_PROVE_RCU_LIST=y hints\nthat sctp_v6_available() is calling dev_get_by_index_rcu()\nand ipv6_chk_addr() without holding rcu.\n\n[1]\n =============================\n WARNING: suspicious RCU usage\n 6.12.0-rc5-virtme #1216 Tainted: G W\n -----------------------------\n net/core/dev.c:876 RCU-list traversed in non-reader section!!\n\nother info that might help us debug this:\n\nrcu_scheduler_active = 2, debug_locks = 1\n 1 lock held by sctp_hello/31495:\n #0: ffff9f1ebbdb7418 (sk_lock-AF_INET6){+.+.}-{0:0}, at: sctp_bind (./arch/x86/include/asm/jump_label.h:27 net/sctp/socket.c:315) sctp\n\nstack backtrace:\n CPU: 7 UID: 0 PID: 31495 Comm: sctp_hello Tainted: G W 6.12.0-rc5-virtme #1216\n Tainted: [W]=WARN\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl (lib/dump_stack.c:123)\n lockdep_rcu_suspicious (kernel/locking/lockdep.c:6822)\n dev_get_by_index_rcu (net/core/dev.c:876 (discriminator 7))\n sctp_v6_available (net/sctp/ipv6.c:701) sctp\n sctp_do_bind (net/sctp/socket.c:400 (discriminator 1)) sctp\n sctp_bind (net/sctp/socket.c:320) sctp\n inet6_bind_sk (net/ipv6/af_inet6.c:465)\n ? security_socket_bind (security/security.c:4581 (discriminator 1))\n __sys_bind (net/socket.c:1848 net/socket.c:1869)\n ? do_user_addr_fault (./include/linux/rcupdate.h:347 ./include/linux/rcupdate.h:880 ./include/linux/mm.h:729 arch/x86/mm/fault.c:1340)\n ? do_user_addr_fault (./arch/x86/include/asm/preempt.h:84 (discriminator 13) ./include/linux/rcupdate.h:98 (discriminator 13) ./include/linux/rcupdate.h:882 (discriminator 13) ./include/linux/mm.h:729 (discriminator 13) arch/x86/mm/fault.c:1340 (discriminator 13))\n __x64_sys_bind (net/socket.c:1877 (discriminator 1) net/socket.c:1875 (discriminator 1) net/socket.c:1875 (discriminator 1))\n do_syscall_64 (arch/x86/entry/common.c:52 (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1))\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n RIP: 0033:0x7f59b934a1e7\n Code: 44 00 00 48 8b 15 39 8c 0c 00 f7 d8 64 89 02 b8 ff ff ff ff eb bd 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 b8 31 00 00 00 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 8b 0d 09 8c 0c 00 f7 d8 64 89 01 48\nAll code\n========\n 0:\t44 00 00 \tadd %r8b,(%rax)\n 3:\t48 8b 15 39 8c 0c 00 \tmov 0xc8c39(%rip),%rdx # 0xc8c43\n a:\tf7 d8 \tneg %eax\n c:\t64 89 02 \tmov %eax,%fs:(%rdx)\n f:\tb8 ff ff ff ff \tmov $0xffffffff,%eax\n 14:\teb bd \tjmp 0xffffffffffffffd3\n 16:\t66 2e 0f 1f 84 00 00 \tcs nopw 0x0(%rax,%rax,1)\n 1d:\t00 00 00\n 20:\t0f 1f 00 \tnopl (%rax)\n 23:\tb8 31 00 00 00 \tmov $0x31,%eax\n 28:\t0f 05 \tsyscall\n 2a:*\t48 3d 01 f0 ff ff \tcmp $0xfffffffffffff001,%rax\t\t\u003c-- trapping instruction\n 30:\t73 01 \tjae 0x33\n 32:\tc3 \tret\n 33:\t48 8b 0d 09 8c 0c 00 \tmov 0xc8c09(%rip),%rcx # 0xc8c43\n 3a:\tf7 d8 \tneg %eax\n 3c:\t64 89 01 \tmov %eax,%fs:(%rcx)\n 3f:\t48 \trex.W\n\nCode starting with the faulting instruction\n===========================================\n 0:\t48 3d 01 f0 ff ff \tcmp $0xfffffffffffff001,%rax\n 6:\t73 01 \tjae 0x9\n 8:\tc3 \tret\n 9:\t48 8b 0d 09 8c 0c 00 \tmov 0xc8c09(%rip),%rcx # 0xc8c19\n 10:\tf7 d8 \tneg %eax\n 12:\t64 89 01 \tmov %eax,%fs:(%rcx)\n 15:\t48 \trex.W\n RSP: 002b:00007ffe2d0ad398 EFLAGS: 00000202 ORIG_RAX: 0000000000000031\n RAX: ffffffffffffffda RBX: 00007ffe2d0ad3d0 RCX: 00007f59b934a1e7\n RDX: 000000000000001c RSI: 00007ffe2d0ad3d0 RDI: 0000000000000005\n RBP: 0000000000000005 R08: 1999999999999999 R09: 0000000000000000\n R10: 00007f59b9253298 R11: 000000000000\n---truncated---" } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:40:08.648Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/ad975697211f4f2c4ce61c3ba524fd14d88ceab8" }, { "url": "https://git.kernel.org/stable/c/05656a66592759242c74063616291b7274d11b2f" }, { "url": "https://git.kernel.org/stable/c/eb72e7fcc83987d5d5595b43222f23b295d5de7f" } ], "title": "sctp: fix possible UAF in sctp_v6_available()", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-53139", "datePublished": "2024-12-04T14:20:44.169Z", "dateReserved": "2024-11-19T17:17:24.997Z", "dateUpdated": "2024-12-19T09:40:08.648Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-53127
Vulnerability from cvelistv5
Published
2024-12-04 14:20
Modified
2024-12-19 09:39
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Revert "mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K"
The commit 8396c793ffdf ("mmc: dw_mmc: Fix IDMAC operation with pages
bigger than 4K") increased the max_req_size, even for 4K pages, causing
various issues:
- Panic booting the kernel/rootfs from an SD card on Rockchip RK3566
- Panic booting the kernel/rootfs from an SD card on StarFive JH7100
- "swiotlb buffer is full" and data corruption on StarFive JH7110
At this stage no fix have been found, so it's probably better to just
revert the change.
This reverts commit 8396c793ffdf28bb8aee7cfe0891080f8cab7890.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 32bd402f6760d57127d58a9888553b2db574bba6 Version: b9ee16a20d9976686185d7e59cd006c328b6a1e0 Version: 2793f423893579b35dc1fc24dd7c1ce58fa0345a Version: 9d715a234dd8f01af970b78ae2144a2fd3ead21c Version: 373f8f5b087f010dddae3306a79c6fdd5c2f8953 Version: 5b4bf3948875064a9adcda4b52b59e0520a8c576 Version: 8396c793ffdf28bb8aee7cfe0891080f8cab7890 Version: 8396c793ffdf28bb8aee7cfe0891080f8cab7890 |
||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/mmc/host/dw_mmc.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "00bff71745bc3583bd5ca59be91e0ee1d27f1944", "status": "affected", "version": "32bd402f6760d57127d58a9888553b2db574bba6", "versionType": "git" }, { "lessThan": "47693ba35bccaa16efa465159a1c12d78258349e", "status": "affected", "version": "b9ee16a20d9976686185d7e59cd006c328b6a1e0", "versionType": "git" }, { "lessThan": "938c13740f8b555986e53c0fcbaf00dcd1fabd4c", "status": "affected", "version": "2793f423893579b35dc1fc24dd7c1ce58fa0345a", "versionType": "git" }, { "lessThan": "f701eb601470bfc0a551913ce5f6ebaa770f0ce0", "status": "affected", "version": "9d715a234dd8f01af970b78ae2144a2fd3ead21c", "versionType": "git" }, { "lessThan": "8f9416147d7ed414109d3501f1cb3d7a1735b25a", "status": "affected", "version": "373f8f5b087f010dddae3306a79c6fdd5c2f8953", "versionType": "git" }, { "lessThan": "56de724c58c07a7ca3aac027cfd2ccb184ed9e4e", "status": "affected", "version": "5b4bf3948875064a9adcda4b52b59e0520a8c576", "versionType": "git" }, { "lessThan": "a4685366f07448420badb710ff5c12aaaadf63ad", "status": "affected", "version": "8396c793ffdf28bb8aee7cfe0891080f8cab7890", "versionType": "git" }, { "lessThan": "1635e407a4a64d08a8517ac59ca14ad4fc785e75", "status": "affected", "version": "8396c793ffdf28bb8aee7cfe0891080f8cab7890", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/mmc/host/dw_mmc.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.11" }, { "lessThan": "6.11", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.325", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.287", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.231", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.174", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.119", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.63", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.10", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K\"\n\nThe commit 8396c793ffdf (\"mmc: dw_mmc: Fix IDMAC operation with pages\nbigger than 4K\") increased the max_req_size, even for 4K pages, causing\nvarious issues:\n- Panic booting the kernel/rootfs from an SD card on Rockchip RK3566\n- Panic booting the kernel/rootfs from an SD card on StarFive JH7100\n- \"swiotlb buffer is full\" and data corruption on StarFive JH7110\n\nAt this stage no fix have been found, so it\u0027s probably better to just\nrevert the change.\n\nThis reverts commit 8396c793ffdf28bb8aee7cfe0891080f8cab7890." } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:39:52.683Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/00bff71745bc3583bd5ca59be91e0ee1d27f1944" }, { "url": "https://git.kernel.org/stable/c/47693ba35bccaa16efa465159a1c12d78258349e" }, { "url": "https://git.kernel.org/stable/c/938c13740f8b555986e53c0fcbaf00dcd1fabd4c" }, { "url": "https://git.kernel.org/stable/c/f701eb601470bfc0a551913ce5f6ebaa770f0ce0" }, { "url": "https://git.kernel.org/stable/c/8f9416147d7ed414109d3501f1cb3d7a1735b25a" }, { "url": "https://git.kernel.org/stable/c/56de724c58c07a7ca3aac027cfd2ccb184ed9e4e" }, { "url": "https://git.kernel.org/stable/c/a4685366f07448420badb710ff5c12aaaadf63ad" }, { "url": "https://git.kernel.org/stable/c/1635e407a4a64d08a8517ac59ca14ad4fc785e75" } ], "title": "Revert \"mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K\"", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-53127", "datePublished": "2024-12-04T14:20:31.547Z", "dateReserved": "2024-11-19T17:17:24.995Z", "dateUpdated": "2024-12-19T09:39:52.683Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-53131
Vulnerability from cvelistv5
Published
2024-12-04 14:20
Modified
2024-12-19 09:39
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nilfs2: fix null-ptr-deref in block_touch_buffer tracepoint
Patch series "nilfs2: fix null-ptr-deref bugs on block tracepoints".
This series fixes null pointer dereference bugs that occur when using
nilfs2 and two block-related tracepoints.
This patch (of 2):
It has been reported that when using "block:block_touch_buffer"
tracepoint, touch_buffer() called from __nilfs_get_folio_block() causes a
NULL pointer dereference, or a general protection fault when KASAN is
enabled.
This happens because since the tracepoint was added in touch_buffer(), it
references the dev_t member bh->b_bdev->bd_dev regardless of whether the
buffer head has a pointer to a block_device structure. In the current
implementation, the block_device structure is set after the function
returns to the caller.
Here, touch_buffer() is used to mark the folio/page that owns the buffer
head as accessed, but the common search helper for folio/page used by the
caller function was optimized to mark the folio/page as accessed when it
was reimplemented a long time ago, eliminating the need to call
touch_buffer() here in the first place.
So this solves the issue by eliminating the touch_buffer() call itself.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 5305cb830834549b9203ad4d009ad5483c5e293f Version: 5305cb830834549b9203ad4d009ad5483c5e293f Version: 5305cb830834549b9203ad4d009ad5483c5e293f Version: 5305cb830834549b9203ad4d009ad5483c5e293f Version: 5305cb830834549b9203ad4d009ad5483c5e293f Version: 5305cb830834549b9203ad4d009ad5483c5e293f Version: 5305cb830834549b9203ad4d009ad5483c5e293f Version: 5305cb830834549b9203ad4d009ad5483c5e293f |
||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/nilfs2/page.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "085556bf8c70e2629e02e79268dac3016a08b8bf", "status": "affected", "version": "5305cb830834549b9203ad4d009ad5483c5e293f", "versionType": "git" }, { "lessThan": "6438f3f42cda825f6f59b4e45ac3a1da28a6f2c9", "status": "affected", "version": "5305cb830834549b9203ad4d009ad5483c5e293f", "versionType": "git" }, { "lessThan": "b017697a517f8779ada4e8ce1c2c75dbf60a2636", "status": "affected", "version": "5305cb830834549b9203ad4d009ad5483c5e293f", "versionType": "git" }, { "lessThan": "19c71cdd77973f99a9adc3190130bc3aa7ae5423", "status": "affected", "version": "5305cb830834549b9203ad4d009ad5483c5e293f", "versionType": "git" }, { "lessThan": "3b2a4fd9bbee77afdd3ed5a05a0c02b6cde8d3b9", "status": "affected", "version": "5305cb830834549b9203ad4d009ad5483c5e293f", "versionType": "git" }, { "lessThan": "59b49ca67cca7b007a5afd3de0283c8008157665", "status": "affected", "version": "5305cb830834549b9203ad4d009ad5483c5e293f", "versionType": "git" }, { "lessThan": "77e47f89d32c2d72eb33d0becbce7abe14d061f4", "status": "affected", "version": "5305cb830834549b9203ad4d009ad5483c5e293f", "versionType": "git" }, { "lessThan": "cd45e963e44b0f10d90b9e6c0e8b4f47f3c92471", "status": "affected", "version": "5305cb830834549b9203ad4d009ad5483c5e293f", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/nilfs2/page.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "3.9" }, { "lessThan": "3.9", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.325", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.287", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.231", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.174", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.119", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.63", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.10", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix null-ptr-deref in block_touch_buffer tracepoint\n\nPatch series \"nilfs2: fix null-ptr-deref bugs on block tracepoints\".\n\nThis series fixes null pointer dereference bugs that occur when using\nnilfs2 and two block-related tracepoints.\n\n\nThis patch (of 2):\n\nIt has been reported that when using \"block:block_touch_buffer\"\ntracepoint, touch_buffer() called from __nilfs_get_folio_block() causes a\nNULL pointer dereference, or a general protection fault when KASAN is\nenabled.\n\nThis happens because since the tracepoint was added in touch_buffer(), it\nreferences the dev_t member bh-\u003eb_bdev-\u003ebd_dev regardless of whether the\nbuffer head has a pointer to a block_device structure. In the current\nimplementation, the block_device structure is set after the function\nreturns to the caller.\n\nHere, touch_buffer() is used to mark the folio/page that owns the buffer\nhead as accessed, but the common search helper for folio/page used by the\ncaller function was optimized to mark the folio/page as accessed when it\nwas reimplemented a long time ago, eliminating the need to call\ntouch_buffer() here in the first place.\n\nSo this solves the issue by eliminating the touch_buffer() call itself." } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:39:58.093Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/085556bf8c70e2629e02e79268dac3016a08b8bf" }, { "url": "https://git.kernel.org/stable/c/6438f3f42cda825f6f59b4e45ac3a1da28a6f2c9" }, { "url": "https://git.kernel.org/stable/c/b017697a517f8779ada4e8ce1c2c75dbf60a2636" }, { "url": "https://git.kernel.org/stable/c/19c71cdd77973f99a9adc3190130bc3aa7ae5423" }, { "url": "https://git.kernel.org/stable/c/3b2a4fd9bbee77afdd3ed5a05a0c02b6cde8d3b9" }, { "url": "https://git.kernel.org/stable/c/59b49ca67cca7b007a5afd3de0283c8008157665" }, { "url": "https://git.kernel.org/stable/c/77e47f89d32c2d72eb33d0becbce7abe14d061f4" }, { "url": "https://git.kernel.org/stable/c/cd45e963e44b0f10d90b9e6c0e8b4f47f3c92471" } ], "title": "nilfs2: fix null-ptr-deref in block_touch_buffer tracepoint", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-53131", "datePublished": "2024-12-04T14:20:37.455Z", "dateReserved": "2024-11-19T17:17:24.995Z", "dateUpdated": "2024-12-19T09:39:58.093Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-53136
Vulnerability from cvelistv5
Published
2024-12-04 14:20
Modified
2024-12-19 09:40
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm: revert "mm: shmem: fix data-race in shmem_getattr()"
Revert d949d1d14fa2 ("mm: shmem: fix data-race in shmem_getattr()") as
suggested by Chuck [1]. It is causing deadlocks when accessing tmpfs over
NFS.
As Hugh commented, "added just to silence a syzbot sanitizer splat: added
where there has never been any practical problem".
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 9fb9703cd43ee20a6de8ccdef991677b7274cec0 Version: 7cc30ada84323be19395094d567579536e0d187e Version: bda1a99a0dd644f31a87d636ac624eeb975cb65a Version: 3d9528484480e8f4979b3a347930ed383be99f89 Version: 82cae1e30bd940253593c2d4f16d88343d1358f4 Version: edd1f905050686fdc4cfe233d818469fdf7d5ff8 Version: ffd56612566bc23877c8f45def2801f3324a222a Version: d949d1d14fa281ace388b1de978e8f2cd52875cf |
||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "mm/shmem.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "36b537e8f302f670c7cf35d88a3a294443e32d52", "status": "affected", "version": "9fb9703cd43ee20a6de8ccdef991677b7274cec0", "versionType": "git" }, { "lessThan": "a3c65022d89d5baa2cea8e87a6de983ea305f14c", "status": "affected", "version": "7cc30ada84323be19395094d567579536e0d187e", "versionType": "git" }, { "lessThan": "57cc8d253099d1b8627f0fb487ee011d9158ccc9", "status": "affected", "version": "bda1a99a0dd644f31a87d636ac624eeb975cb65a", "versionType": "git" }, { "lessThan": "d3f9d88c2c03b2646ace336236adca19f7697bd3", "status": "affected", "version": "3d9528484480e8f4979b3a347930ed383be99f89", "versionType": "git" }, { "lessThan": "5874c1150e77296565ad6e495ef41fbf87570d14", "status": "affected", "version": "82cae1e30bd940253593c2d4f16d88343d1358f4", "versionType": "git" }, { "lessThan": "64e67e8694252c1bf01b802ee911be3fee62c36b", "status": "affected", "version": "edd1f905050686fdc4cfe233d818469fdf7d5ff8", "versionType": "git" }, { "lessThan": "901dc2ad7c3789fa87dc3956f6697c5d62d5cf7e", "status": "affected", "version": "ffd56612566bc23877c8f45def2801f3324a222a", "versionType": "git" }, { "lessThan": "d1aa0c04294e29883d65eac6c2f72fe95cc7c049", "status": "affected", "version": "d949d1d14fa281ace388b1de978e8f2cd52875cf", "versionType": "git" } ] }, { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "mm/shmem.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "4.19.325", "status": "affected", "version": "4.19.323", "versionType": "semver" }, { "lessThan": "5.4.287", "status": "affected", "version": "5.4.285", "versionType": "semver" }, { "lessThan": "5.10.231", "status": "affected", "version": "5.10.229", "versionType": "semver" }, { "lessThan": "5.15.174", "status": "affected", "version": "5.15.171", "versionType": "semver" }, { "lessThan": "6.1.119", "status": "affected", "version": "6.1.116", "versionType": "semver" }, { "lessThan": "6.6.63", "status": "affected", "version": "6.6.60", "versionType": "semver" }, { "lessThan": "6.11.10", "status": "affected", "version": "6.11.7", "versionType": "semver" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: revert \"mm: shmem: fix data-race in shmem_getattr()\"\n\nRevert d949d1d14fa2 (\"mm: shmem: fix data-race in shmem_getattr()\") as\nsuggested by Chuck [1]. It is causing deadlocks when accessing tmpfs over\nNFS.\n\nAs Hugh commented, \"added just to silence a syzbot sanitizer splat: added\nwhere there has never been any practical problem\"." } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:40:04.990Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/36b537e8f302f670c7cf35d88a3a294443e32d52" }, { "url": "https://git.kernel.org/stable/c/a3c65022d89d5baa2cea8e87a6de983ea305f14c" }, { "url": "https://git.kernel.org/stable/c/57cc8d253099d1b8627f0fb487ee011d9158ccc9" }, { "url": "https://git.kernel.org/stable/c/d3f9d88c2c03b2646ace336236adca19f7697bd3" }, { "url": "https://git.kernel.org/stable/c/5874c1150e77296565ad6e495ef41fbf87570d14" }, { "url": "https://git.kernel.org/stable/c/64e67e8694252c1bf01b802ee911be3fee62c36b" }, { "url": "https://git.kernel.org/stable/c/901dc2ad7c3789fa87dc3956f6697c5d62d5cf7e" }, { "url": "https://git.kernel.org/stable/c/d1aa0c04294e29883d65eac6c2f72fe95cc7c049" } ], "title": "mm: revert \"mm: shmem: fix data-race in shmem_getattr()\"", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-53136", "datePublished": "2024-12-04T14:20:41.634Z", "dateReserved": "2024-11-19T17:17:24.996Z", "dateUpdated": "2024-12-19T09:40:04.990Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-53126
Vulnerability from cvelistv5
Published
2024-12-04 14:20
Modified
2024-12-19 09:39
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
vdpa: solidrun: Fix UB bug with devres
In psnet_open_pf_bar() and snet_open_vf_bar() a string later passed to
pcim_iomap_regions() is placed on the stack. Neither
pcim_iomap_regions() nor the functions it calls copy that string.
Should the string later ever be used, this, consequently, causes
undefined behavior since the stack frame will by then have disappeared.
Fix the bug by allocating the strings on the heap through
devm_kasprintf().
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/vdpa/solidrun/snet_main.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "d372dd09cfbf1324f54cbffd81fcaf6cdf3e608e", "status": "affected", "version": "51a8f9d7f587290944d6fc733d1f897091c63159", "versionType": "git" }, { "lessThan": "5bb287da2d2d5bb8f7376e223b02edb16998982e", "status": "affected", "version": "51a8f9d7f587290944d6fc733d1f897091c63159", "versionType": "git" }, { "lessThan": "0b364cf53b20204e92bac7c6ebd1ee7d3ec62931", "status": "affected", "version": "51a8f9d7f587290944d6fc733d1f897091c63159", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/vdpa/solidrun/snet_main.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.3" }, { "lessThan": "6.3", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.63", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.10", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvdpa: solidrun: Fix UB bug with devres\n\nIn psnet_open_pf_bar() and snet_open_vf_bar() a string later passed to\npcim_iomap_regions() is placed on the stack. Neither\npcim_iomap_regions() nor the functions it calls copy that string.\n\nShould the string later ever be used, this, consequently, causes\nundefined behavior since the stack frame will by then have disappeared.\n\nFix the bug by allocating the strings on the heap through\ndevm_kasprintf()." } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:39:51.402Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/d372dd09cfbf1324f54cbffd81fcaf6cdf3e608e" }, { "url": "https://git.kernel.org/stable/c/5bb287da2d2d5bb8f7376e223b02edb16998982e" }, { "url": "https://git.kernel.org/stable/c/0b364cf53b20204e92bac7c6ebd1ee7d3ec62931" } ], "title": "vdpa: solidrun: Fix UB bug with devres", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-53126", "datePublished": "2024-12-04T14:20:30.788Z", "dateReserved": "2024-11-19T17:17:24.995Z", "dateUpdated": "2024-12-19T09:39:51.402Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-53134
Vulnerability from cvelistv5
Published
2024-12-04 14:20
Modified
2024-12-19 09:40
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
pmdomain: imx93-blk-ctrl: correct remove path
The check condition should be 'i < bc->onecell_data.num_domains', not
'bc->onecell_data.num_domains' which will make the look never finish
and cause kernel panic.
Also disable runtime to address
"imx93-blk-ctrl 4ac10000.system-controller: Unbalanced pm_runtime_enable!"
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/pmdomain/imx/imx93-blk-ctrl.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "8fc228ab5d38a026eae7183a5f74a4fac43d9b6a", "status": "affected", "version": "e9aa77d413c903ba4cf7da3fe0b419cae5b97a81", "versionType": "git" }, { "lessThan": "201fb9e164a1e4c5937de2cf58bcb0327c08664f", "status": "affected", "version": "e9aa77d413c903ba4cf7da3fe0b419cae5b97a81", "versionType": "git" }, { "lessThan": "f7c7c5aa556378a2c8da72c1f7f238b6648f95fb", "status": "affected", "version": "e9aa77d413c903ba4cf7da3fe0b419cae5b97a81", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/pmdomain/imx/imx93-blk-ctrl.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.1" }, { "lessThan": "6.1", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.63", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.10", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npmdomain: imx93-blk-ctrl: correct remove path\n\nThe check condition should be \u0027i \u003c bc-\u003eonecell_data.num_domains\u0027, not\n\u0027bc-\u003eonecell_data.num_domains\u0027 which will make the look never finish\nand cause kernel panic.\n\nAlso disable runtime to address\n\"imx93-blk-ctrl 4ac10000.system-controller: Unbalanced pm_runtime_enable!\"" } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:40:02.399Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/8fc228ab5d38a026eae7183a5f74a4fac43d9b6a" }, { "url": "https://git.kernel.org/stable/c/201fb9e164a1e4c5937de2cf58bcb0327c08664f" }, { "url": "https://git.kernel.org/stable/c/f7c7c5aa556378a2c8da72c1f7f238b6648f95fb" } ], "title": "pmdomain: imx93-blk-ctrl: correct remove path", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-53134", "datePublished": "2024-12-04T14:20:40.002Z", "dateReserved": "2024-11-19T17:17:24.996Z", "dateUpdated": "2024-12-19T09:40:02.399Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-53125
Vulnerability from cvelistv5
Published
2024-12-04 14:11
Modified
2024-12-19 18:32
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: sync_linked_regs() must preserve subreg_def
Range propagation must not affect subreg_def marks, otherwise the
following example is rewritten by verifier incorrectly when
BPF_F_TEST_RND_HI32 flag is set:
0: call bpf_ktime_get_ns call bpf_ktime_get_ns
1: r0 &= 0x7fffffff after verifier r0 &= 0x7fffffff
2: w1 = w0 rewrites w1 = w0
3: if w0 < 10 goto +0 --------------> r11 = 0x2f5674a6 (r)
4: r1 >>= 32 r11 <<= 32 (r)
5: r0 = r1 r1 |= r11 (r)
6: exit; if w0 < 0xa goto pc+0
r1 >>= 32
r0 = r1
exit
(or zero extension of w1 at (2) is missing for architectures that
require zero extension for upper register half).
The following happens w/o this patch:
- r0 is marked as not a subreg at (0);
- w1 is marked as subreg at (2);
- w1 subreg_def is overridden at (3) by copy_register_state();
- w1 is read at (5) but mark_insn_zext() does not mark (2)
for zero extension, because w1 subreg_def is not set;
- because of BPF_F_TEST_RND_HI32 flag verifier inserts random
value for hi32 bits of (2) (marked (r));
- this random value is read at (5).
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 75748837b7e56919679e02163f45d5818c644d03 Version: 75748837b7e56919679e02163f45d5818c644d03 Version: 75748837b7e56919679e02163f45d5818c644d03 Version: 75748837b7e56919679e02163f45d5818c644d03 Version: 75748837b7e56919679e02163f45d5818c644d03 Version: 75748837b7e56919679e02163f45d5818c644d03 |
||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "kernel/bpf/verifier.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "dadf82c1b2608727bcc306843b540cd7414055a7", "status": "affected", "version": "75748837b7e56919679e02163f45d5818c644d03", "versionType": "git" }, { "lessThan": "b57ac2d92c1f565743f6890a5b9cf317ed856b09", "status": "affected", "version": "75748837b7e56919679e02163f45d5818c644d03", "versionType": "git" }, { "lessThan": "60fd3538d2a8fd44c41d25088c0ece3e1fd30659", "status": "affected", "version": "75748837b7e56919679e02163f45d5818c644d03", "versionType": "git" }, { "lessThan": "bfe9446ea1d95f6cb7848da19dfd58d2eec6fd84", "status": "affected", "version": "75748837b7e56919679e02163f45d5818c644d03", "versionType": "git" }, { "lessThan": "e2ef0f317a52e678fe8fa84b94d6a15b466d6ff0", "status": "affected", "version": "75748837b7e56919679e02163f45d5818c644d03", "versionType": "git" }, { "lessThan": "e9bd9c498cb0f5843996dbe5cbce7a1836a83c70", "status": "affected", "version": "75748837b7e56919679e02163f45d5818c644d03", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "kernel/bpf/verifier.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.10" }, { "lessThan": "5.10", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.232", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.175", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.121", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.67", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: sync_linked_regs() must preserve subreg_def\n\nRange propagation must not affect subreg_def marks, otherwise the\nfollowing example is rewritten by verifier incorrectly when\nBPF_F_TEST_RND_HI32 flag is set:\n\n 0: call bpf_ktime_get_ns call bpf_ktime_get_ns\n 1: r0 \u0026= 0x7fffffff after verifier r0 \u0026= 0x7fffffff\n 2: w1 = w0 rewrites w1 = w0\n 3: if w0 \u003c 10 goto +0 --------------\u003e r11 = 0x2f5674a6 (r)\n 4: r1 \u003e\u003e= 32 r11 \u003c\u003c= 32 (r)\n 5: r0 = r1 r1 |= r11 (r)\n 6: exit; if w0 \u003c 0xa goto pc+0\n r1 \u003e\u003e= 32\n r0 = r1\n exit\n\n(or zero extension of w1 at (2) is missing for architectures that\n require zero extension for upper register half).\n\nThe following happens w/o this patch:\n- r0 is marked as not a subreg at (0);\n- w1 is marked as subreg at (2);\n- w1 subreg_def is overridden at (3) by copy_register_state();\n- w1 is read at (5) but mark_insn_zext() does not mark (2)\n for zero extension, because w1 subreg_def is not set;\n- because of BPF_F_TEST_RND_HI32 flag verifier inserts random\n value for hi32 bits of (2) (marked (r));\n- this random value is read at (5)." } ], "providerMetadata": { "dateUpdated": "2024-12-19T18:32:41.510Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/dadf82c1b2608727bcc306843b540cd7414055a7" }, { "url": "https://git.kernel.org/stable/c/b57ac2d92c1f565743f6890a5b9cf317ed856b09" }, { "url": "https://git.kernel.org/stable/c/60fd3538d2a8fd44c41d25088c0ece3e1fd30659" }, { "url": "https://git.kernel.org/stable/c/bfe9446ea1d95f6cb7848da19dfd58d2eec6fd84" }, { "url": "https://git.kernel.org/stable/c/e2ef0f317a52e678fe8fa84b94d6a15b466d6ff0" }, { "url": "https://git.kernel.org/stable/c/e9bd9c498cb0f5843996dbe5cbce7a1836a83c70" } ], "title": "bpf: sync_linked_regs() must preserve subreg_def", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-53125", "datePublished": "2024-12-04T14:11:09.326Z", "dateReserved": "2024-11-19T17:17:24.995Z", "dateUpdated": "2024-12-19T18:32:41.510Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.