author: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2024-05-01 07:31:05 +0200
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2024-05-01 07:31:05 +0200
commit: 066ff875952b7778a4d2571f224776441b994414 (patch)
tree: c149bdf452395688078aa9695602d505df6d0c1b
parent: 55441d0dd1f40c5762cd7cf8c9ca312ed0964c4a (diff)
download: vulns-066ff875952b7778a4d2571f224776441b994414.tar.gz
cves issued for some 6.8.8 commits
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--  cve/published/2024/CVE-2024-26936 (renamed from cve/reserved/2024/CVE-2024-26936)  |   0
-rw-r--r--  cve/published/2024/CVE-2024-26936.json  | 108
-rw-r--r--  cve/published/2024/CVE-2024-26936.mbox  |  71
-rw-r--r--  cve/published/2024/CVE-2024-26936.sha1  |   1
-rw-r--r--  cve/published/2024/CVE-2024-26980 (renamed from cve/reserved/2024/CVE-2024-26980)  |   0
-rw-r--r--  cve/published/2024/CVE-2024-26980.json  | 108
-rw-r--r--  cve/published/2024/CVE-2024-26980.mbox  |  73
-rw-r--r--  cve/published/2024/CVE-2024-26980.sha1  |   1
-rw-r--r--  cve/published/2024/CVE-2024-26981 (renamed from cve/reserved/2024/CVE-2024-26981)  |   0
-rw-r--r--  cve/published/2024/CVE-2024-26981.json  | 133
-rw-r--r--  cve/published/2024/CVE-2024-26981.mbox  |  87
-rw-r--r--  cve/published/2024/CVE-2024-26981.sha1  |   1
-rw-r--r--  cve/published/2024/CVE-2024-26982 (renamed from cve/reserved/2024/CVE-2024-26982)  |   0
-rw-r--r--  cve/published/2024/CVE-2024-26982.json  |  78
-rw-r--r--  cve/published/2024/CVE-2024-26982.mbox  |  88
-rw-r--r--  cve/published/2024/CVE-2024-26982.sha1  |   1
-rw-r--r--  cve/published/2024/CVE-2024-26983 (renamed from cve/reserved/2024/CVE-2024-26983)  |   0
-rw-r--r--  cve/published/2024/CVE-2024-26983.json  | 118
-rw-r--r--  cve/published/2024/CVE-2024-26983.mbox  | 123
-rw-r--r--  cve/published/2024/CVE-2024-26983.sha1  |   1
-rw-r--r--  cve/published/2024/CVE-2024-26984 (renamed from cve/reserved/2024/CVE-2024-26984)  |   0
-rw-r--r--  cve/published/2024/CVE-2024-26984.json  | 133
-rw-r--r--  cve/published/2024/CVE-2024-26984.mbox  | 121
-rw-r--r--  cve/published/2024/CVE-2024-26984.sha1  |   1
-rw-r--r--  cve/published/2024/CVE-2024-26985 (renamed from cve/reserved/2024/CVE-2024-26985)  |   0
-rw-r--r--  cve/published/2024/CVE-2024-26985.json  |  88
-rw-r--r--  cve/published/2024/CVE-2024-26985.mbox  |  68
-rw-r--r--  cve/published/2024/CVE-2024-26985.sha1  |   1
-rw-r--r--  cve/published/2024/CVE-2024-26986 (renamed from cve/reserved/2024/CVE-2024-26986)  |   0
-rw-r--r--  cve/published/2024/CVE-2024-26986.json  | 103
-rw-r--r--  cve/published/2024/CVE-2024-26986.mbox  |  68
-rw-r--r--  cve/published/2024/CVE-2024-26986.sha1  |   1
-rw-r--r--  cve/published/2024/CVE-2024-26987 (renamed from cve/reserved/2024/CVE-2024-26987)  |   0
-rw-r--r--  cve/published/2024/CVE-2024-26987.json  | 118
-rw-r--r--  cve/published/2024/CVE-2024-26987.mbox  | 183
-rw-r--r--  cve/published/2024/CVE-2024-26987.sha1  |   1
-rw-r--r--  cve/published/2024/CVE-2024-26988 (renamed from cve/reserved/2024/CVE-2024-26988)  |   0
-rw-r--r--  cve/published/2024/CVE-2024-26988.json  | 133
-rw-r--r--  cve/published/2024/CVE-2024-26988.mbox  |  80
-rw-r--r--  cve/published/2024/CVE-2024-26988.sha1  |   1
-rw-r--r--  cve/published/2024/CVE-2024-26989 (renamed from cve/reserved/2024/CVE-2024-26989)  |   0
-rw-r--r--  cve/published/2024/CVE-2024-26989.json  | 133
-rw-r--r--  cve/published/2024/CVE-2024-26989.mbox  | 129
-rw-r--r--  cve/published/2024/CVE-2024-26989.sha1  |   1
-rw-r--r--  cve/published/2024/CVE-2024-26990 (renamed from cve/reserved/2024/CVE-2024-26990)  |   0
-rw-r--r--  cve/published/2024/CVE-2024-26990.json  | 103
-rw-r--r--  cve/published/2024/CVE-2024-26990.mbox  |  76
-rw-r--r--  cve/published/2024/CVE-2024-26990.sha1  |   1
-rw-r--r--  cve/published/2024/CVE-2024-26991 (renamed from cve/reserved/2024/CVE-2024-26991)  |   0
-rw-r--r--  cve/published/2024/CVE-2024-26991.json  |  88
-rw-r--r--  cve/published/2024/CVE-2024-26991.mbox  | 140
-rw-r--r--  cve/published/2024/CVE-2024-26991.sha1  |   1
-rw-r--r--  cve/published/2024/CVE-2024-26992 (renamed from cve/reserved/2024/CVE-2024-26992)  |   0
-rw-r--r--  cve/published/2024/CVE-2024-26992.json  | 118
-rw-r--r--  cve/published/2024/CVE-2024-26992.mbox  | 109
-rw-r--r--  cve/published/2024/CVE-2024-26992.sha1  |   1
-rw-r--r--  cve/published/2024/CVE-2024-26993 (renamed from cve/reserved/2024/CVE-2024-26993)  |   0
-rw-r--r--  cve/published/2024/CVE-2024-26993.json  | 133
-rw-r--r--  cve/published/2024/CVE-2024-26993.mbox  |  84
-rw-r--r--  cve/published/2024/CVE-2024-26993.sha1  |   1
-rw-r--r--  cve/published/2024/CVE-2024-26994 (renamed from cve/reserved/2024/CVE-2024-26994)  |   0
-rw-r--r--  cve/published/2024/CVE-2024-26994.json  | 133
-rw-r--r--  cve/published/2024/CVE-2024-26994.mbox  |  71
-rw-r--r--  cve/published/2024/CVE-2024-26994.sha1  |   1
-rw-r--r--  cve/published/2024/CVE-2024-26995 (renamed from cve/reserved/2024/CVE-2024-26995)  |   0
-rw-r--r--  cve/published/2024/CVE-2024-26995.json  |  88
-rw-r--r--  cve/published/2024/CVE-2024-26995.mbox  |  80
-rw-r--r--  cve/published/2024/CVE-2024-26995.sha1  |   1
-rw-r--r--  cve/published/2024/CVE-2024-26996 (renamed from cve/reserved/2024/CVE-2024-26996)  |   0
-rw-r--r--  cve/published/2024/CVE-2024-26996.json  | 123
-rw-r--r--  cve/published/2024/CVE-2024-26996.mbox  | 108
-rw-r--r--  cve/published/2024/CVE-2024-26996.sha1  |   1
-rw-r--r--  cve/published/2024/CVE-2024-26997 (renamed from cve/reserved/2024/CVE-2024-26997)  |   0
-rw-r--r--  cve/published/2024/CVE-2024-26997.json  | 133
-rw-r--r--  cve/published/2024/CVE-2024-26997.mbox  |  74
-rw-r--r--  cve/published/2024/CVE-2024-26997.sha1  |   1
-rw-r--r--  cve/published/2024/CVE-2024-26998 (renamed from cve/reserved/2024/CVE-2024-26998)  |   0
-rw-r--r--  cve/published/2024/CVE-2024-26998.json  | 103
-rw-r--r--  cve/published/2024/CVE-2024-26998.mbox  |  90
-rw-r--r--  cve/published/2024/CVE-2024-26998.sha1  |   1
-rw-r--r--  cve/published/2024/CVE-2024-26999 (renamed from cve/reserved/2024/CVE-2024-26999)  |   0
-rw-r--r--  cve/published/2024/CVE-2024-26999.json  | 133
-rw-r--r--  cve/published/2024/CVE-2024-26999.mbox  |  88
-rw-r--r--  cve/published/2024/CVE-2024-26999.sha1  |   1
-rw-r--r--  cve/published/2024/CVE-2024-27000 (renamed from cve/reserved/2024/CVE-2024-27000)  |   0
-rw-r--r--  cve/published/2024/CVE-2024-27000.json  | 118
-rw-r--r--  cve/published/2024/CVE-2024-27000.mbox  |  81
-rw-r--r--  cve/published/2024/CVE-2024-27000.sha1  |   1
-rw-r--r--  cve/published/2024/CVE-2024-27001 (renamed from cve/reserved/2024/CVE-2024-27001)  |   0
-rw-r--r--  cve/published/2024/CVE-2024-27001.json  | 133
-rw-r--r--  cve/published/2024/CVE-2024-27001.mbox  |  97
-rw-r--r--  cve/published/2024/CVE-2024-27001.sha1  |   1
-rw-r--r--  cve/published/2024/CVE-2024-27002 (renamed from cve/reserved/2024/CVE-2024-27002)  |   0
-rw-r--r--  cve/published/2024/CVE-2024-27002.json  | 118
-rw-r--r--  cve/published/2024/CVE-2024-27002.mbox  |  90
-rw-r--r--  cve/published/2024/CVE-2024-27002.sha1  |   1
-rw-r--r--  cve/published/2024/CVE-2024-27003 (renamed from cve/reserved/2024/CVE-2024-27003)  |   0
-rw-r--r--  cve/published/2024/CVE-2024-27003.json  | 118
-rw-r--r--  cve/published/2024/CVE-2024-27003.mbox  |  77
-rw-r--r--  cve/published/2024/CVE-2024-27003.sha1  |   1
-rw-r--r--  cve/published/2024/CVE-2024-27004 (renamed from cve/reserved/2024/CVE-2024-27004)  |   0
-rw-r--r--  cve/published/2024/CVE-2024-27004.json  | 133
-rw-r--r--  cve/published/2024/CVE-2024-27004.mbox  | 179
-rw-r--r--  cve/published/2024/CVE-2024-27004.sha1  |   1
-rw-r--r--  cve/published/2024/CVE-2024-27005 (renamed from cve/reserved/2024/CVE-2024-27005)  |   0
-rw-r--r--  cve/published/2024/CVE-2024-27005.json  | 103
-rw-r--r--  cve/published/2024/CVE-2024-27005.mbox  | 114
-rw-r--r--  cve/published/2024/CVE-2024-27005.sha1  |   1
-rw-r--r--  cve/published/2024/CVE-2024-27006 (renamed from cve/reserved/2024/CVE-2024-27006)  |   0
-rw-r--r--  cve/published/2024/CVE-2024-27006.json  |  88
-rw-r--r--  cve/published/2024/CVE-2024-27006.mbox  |  87
-rw-r--r--  cve/published/2024/CVE-2024-27006.sha1  |   1
-rw-r--r--  cve/published/2024/CVE-2024-27007 (renamed from cve/reserved/2024/CVE-2024-27007)  |   0
-rw-r--r--  cve/published/2024/CVE-2024-27007.json  |  88
-rw-r--r--  cve/published/2024/CVE-2024-27007.mbox  |  69
-rw-r--r--  cve/published/2024/CVE-2024-27007.sha1  |   1
-rw-r--r--  cve/published/2024/CVE-2024-27008 (renamed from cve/reserved/2024/CVE-2024-27008)  |   0
-rw-r--r--  cve/published/2024/CVE-2024-27008.json  | 133
-rw-r--r--  cve/published/2024/CVE-2024-27008.mbox  |  79
-rw-r--r--  cve/published/2024/CVE-2024-27008.sha1  |   1
-rw-r--r--  cve/published/2024/CVE-2024-27009 (renamed from cve/reserved/2024/CVE-2024-27009)  |   0
-rw-r--r--  cve/published/2024/CVE-2024-27009.json  | 133
-rw-r--r--  cve/published/2024/CVE-2024-27009.mbox  |  87
-rw-r--r--  cve/published/2024/CVE-2024-27009.sha1  |   1
-rw-r--r--  cve/published/2024/CVE-2024-27010 (renamed from cve/reserved/2024/CVE-2024-27010)  |   0
-rw-r--r--  cve/published/2024/CVE-2024-27010.json  |  88
-rw-r--r--  cve/published/2024/CVE-2024-27010.mbox  | 112
-rw-r--r--  cve/published/2024/CVE-2024-27010.sha1  |   1
-rw-r--r--  cve/published/2024/CVE-2024-27011 (renamed from cve/reserved/2024/CVE-2024-27011)  |   0
-rw-r--r--  cve/published/2024/CVE-2024-27011.json  |  88
-rw-r--r--  cve/published/2024/CVE-2024-27011.mbox  | 102
-rw-r--r--  cve/published/2024/CVE-2024-27011.sha1  |   1
-rw-r--r--  cve/published/2024/CVE-2024-27012 (renamed from cve/reserved/2024/CVE-2024-27012)  |   0
-rw-r--r--  cve/published/2024/CVE-2024-27012.json  |  88
-rw-r--r--  cve/published/2024/CVE-2024-27012.mbox  | 123
-rw-r--r--  cve/published/2024/CVE-2024-27012.sha1  |   1
-rw-r--r--  cve/published/2024/CVE-2024-27013 (renamed from cve/reserved/2024/CVE-2024-27013)  |   0
-rw-r--r--  cve/published/2024/CVE-2024-27013.json  | 133
-rw-r--r--  cve/published/2024/CVE-2024-27013.mbox  | 105
-rw-r--r--  cve/published/2024/CVE-2024-27013.sha1  |   1
-rw-r--r--  cve/published/2024/CVE-2024-27014 (renamed from cve/reserved/2024/CVE-2024-27014)  |   0
-rw-r--r--  cve/published/2024/CVE-2024-27014.json  | 118
-rw-r--r--  cve/published/2024/CVE-2024-27014.mbox  | 184
-rw-r--r--  cve/published/2024/CVE-2024-27014.sha1  |   1
-rw-r--r--  cve/published/2024/CVE-2024-27015 (renamed from cve/reserved/2024/CVE-2024-27015)  |   0
-rw-r--r--  cve/published/2024/CVE-2024-27015.json  | 133
-rw-r--r--  cve/published/2024/CVE-2024-27015.mbox  |  73
-rw-r--r--  cve/published/2024/CVE-2024-27015.sha1  |   1
-rw-r--r--  cve/published/2024/CVE-2024-27016 (renamed from cve/reserved/2024/CVE-2024-27016)  |   0
-rw-r--r--  cve/published/2024/CVE-2024-27016.json  | 133
-rw-r--r--  cve/published/2024/CVE-2024-27016.mbox  |  74
-rw-r--r--  cve/published/2024/CVE-2024-27016.sha1  |   1
-rw-r--r--  cve/published/2024/CVE-2024-27017 (renamed from cve/reserved/2024/CVE-2024-27017)  |   0
-rw-r--r--  cve/published/2024/CVE-2024-27017.json  |  88
-rw-r--r--  cve/published/2024/CVE-2024-27017.mbox  |  75
-rw-r--r--  cve/published/2024/CVE-2024-27017.sha1  |   1
-rw-r--r--  cve/published/2024/CVE-2024-27018 (renamed from cve/reserved/2024/CVE-2024-27018)  |   0
-rw-r--r--  cve/published/2024/CVE-2024-27018.json  | 133
-rw-r--r--  cve/published/2024/CVE-2024-27018.mbox  | 133
-rw-r--r--  cve/published/2024/CVE-2024-27018.sha1  |   1
-rw-r--r--  cve/published/2024/CVE-2024-27019 (renamed from cve/reserved/2024/CVE-2024-27019)  |   0
-rw-r--r--  cve/published/2024/CVE-2024-27019.json  | 133
-rw-r--r--  cve/published/2024/CVE-2024-27019.mbox  |  77
-rw-r--r--  cve/published/2024/CVE-2024-27019.sha1  |   1
-rw-r--r--  cve/published/2024/CVE-2024-27020 (renamed from cve/reserved/2024/CVE-2024-27020)  |   0
-rw-r--r--  cve/published/2024/CVE-2024-27020.json  | 133
-rw-r--r--  cve/published/2024/CVE-2024-27020.mbox  |  77
-rw-r--r--  cve/published/2024/CVE-2024-27020.sha1  |   1
-rw-r--r--  cve/published/2024/CVE-2024-27021 (renamed from cve/reserved/2024/CVE-2024-27021)  |   0
-rw-r--r--  cve/published/2024/CVE-2024-27021.json  |  88
-rw-r--r--  cve/published/2024/CVE-2024-27021.mbox  |  72
-rw-r--r--  cve/published/2024/CVE-2024-27021.sha1  |   1
172 files changed, 9150 insertions, 0 deletions
diff --git a/cve/reserved/2024/CVE-2024-26936 b/cve/published/2024/CVE-2024-26936
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26936
+++ b/cve/published/2024/CVE-2024-26936
diff --git a/cve/published/2024/CVE-2024-26936.json b/cve/published/2024/CVE-2024-26936.json
new file mode 100644
index 00000000..1f21ae74
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26936.json
@@ -0,0 +1,108 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: validate request buffer size in smb2_allocate_rsp_buf()\n\nThe response buffer should be allocated in smb2_allocate_rsp_buf\nbefore validating request. But the fields in payload as well as smb2 header\nis used in smb2_allocate_rsp_buf(). This patch add simple buffer size\nvalidation to avoid potencial out-of-bounds in request buffer."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "21ff9d7d223c",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "5c20b242d4fe",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "2c27a64a2bc4",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "17cf0c2794bd",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.1.88",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.29",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8.8",
+ "lessThanOrEqual": "6.8.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.9-rc6",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/21ff9d7d223c5c19cb4334009e4c0c83a2f4d674"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/5c20b242d4fed73a93591e48bfd9772e2322fb11"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/2c27a64a2bc47d9bfc7c3cf8be14be53b1ee7cb6"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/17cf0c2794bdb6f39671265aa18aea5c22ee8c4a"
+ }
+ ],
+ "title": "ksmbd: validate request buffer size in smb2_allocate_rsp_buf()",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26936",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
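Review bot: the lower bound of every git range in the first `affected` block is 1da177e4c3f4 (the initial import of the kernel tree into git), and the second block has no "affected since" entry, so this record effectively claims that every kernel in git history is vulnerable. That is the usual outcome when the fix carries no Fixes: tag to identify the introducing commit; consumers matching this record against older trees should read that lower bound as "unknown" rather than as a real finding, and if the commit that introduced the unchecked read in smb2_allocate_rsp_buf() can be identified, narrowing the range in the way CVE-2024-26981 in this same commit does (explicit introducing commit plus a `"version": "0"` unaffected entry) would make the record considerably more useful.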
diff --git a/cve/published/2024/CVE-2024-26936.mbox b/cve/published/2024/CVE-2024-26936.mbox
new file mode 100644
index 00000000..6b101359
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26936.mbox
@@ -0,0 +1,71 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26936: ksmbd: validate request buffer size in smb2_allocate_rsp_buf()
+Message-Id: <2024050141-CVE-2024-26936-0264@gregkh>
+Content-Length: 2008
+Lines: 54
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2063;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=8Vk3iZpcUq2v0dUHT2gG4F6D/7VNmGalfbemlG96ITg=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGmGlxtt4zjWTv7H8tZ0laxY6jWpCAblhVliN3ftL3j+e
+ YXdDvUjHbEsDIJMDLJiiixftvEc3V9xSNHL0PY0zBxWJpAhDFycAjCR4iMMc7hOhPWd+z4pUSY3
+ OS790sqbQpPuTmBYMIc1bnMJ/9VptV7BPfE3iioif/xSBwA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+ksmbd: validate request buffer size in smb2_allocate_rsp_buf()
+
+The response buffer should be allocated in smb2_allocate_rsp_buf
+before validating request. But the fields in payload as well as smb2 header
+is used in smb2_allocate_rsp_buf(). This patch add simple buffer size
+validation to avoid potencial out-of-bounds in request buffer.
+
+The Linux kernel CVE team has assigned CVE-2024-26936 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 6.1.88 with commit 21ff9d7d223c
+ Fixed in 6.6.29 with commit 5c20b242d4fe
+ Fixed in 6.8.8 with commit 2c27a64a2bc4
+ Fixed in 6.9-rc6 with commit 17cf0c2794bd
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26936
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ fs/smb/server/smb2pdu.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/21ff9d7d223c5c19cb4334009e4c0c83a2f4d674
+ https://git.kernel.org/stable/c/5c20b242d4fed73a93591e48bfd9772e2322fb11
+ https://git.kernel.org/stable/c/2c27a64a2bc47d9bfc7c3cf8be14be53b1ee7cb6
+ https://git.kernel.org/stable/c/17cf0c2794bdb6f39671265aa18aea5c22ee8c4a
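Review bot: the "Affected and fixed versions" section lists fixes for 6.1.88, 6.6.29, 6.8.8 and 6.9-rc6 only, with no "Issue introduced" line, so a reader running 5.15 or 5.10 cannot tell from this mail whether those series are unaffected or merely have no backport yet; the paragraph about unaffected versions changing over time covers the case implicitly, but stating that no introducing commit has been identified would make it explicit. The spelling "potencial" and "This patch add" in the Description are the upstream commit message quoted verbatim, and the record should keep them as they are rather than correcting them.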
diff --git a/cve/published/2024/CVE-2024-26936.sha1 b/cve/published/2024/CVE-2024-26936.sha1
new file mode 100644
index 00000000..56533947
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26936.sha1
@@ -0,0 +1 @@
+17cf0c2794bdb6f39671265aa18aea5c22ee8c4a
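Review bot: the sha1 file holds 17cf0c2794bdb6f39671265aa18aea5c22ee8c4a, which is the full hash of the 6.9-rc6 fix that the json marks `original_commit_for_fix` (21ff9d7d223c... abbreviated to 17cf0c2794bd in the mbox) and the last of the four reference URLs, so the three files agree on the mainline commit. The same cross-check (sha1 file == mainline fix == `original_commit_for_fix` reference) applies to every sha1 file in this commit and is the quickest way to spot a mismatched record.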
diff --git a/cve/reserved/2024/CVE-2024-26980 b/cve/published/2024/CVE-2024-26980
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26980
+++ b/cve/published/2024/CVE-2024-26980
diff --git a/cve/published/2024/CVE-2024-26980.json b/cve/published/2024/CVE-2024-26980.json
new file mode 100644
index 00000000..d6b81bc0
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26980.json
@@ -0,0 +1,108 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix slab-out-of-bounds in smb2_allocate_rsp_buf\n\nIf ->ProtocolId is SMB2_TRANSFORM_PROTO_NUM, smb2 request size\nvalidation could be skipped. if request size is smaller than\nsizeof(struct smb2_query_info_req), slab-out-of-bounds read can happen in\nsmb2_allocate_rsp_buf(). This patch allocate response buffer after\ndecrypting transform request. smb3_decrypt_req() will validate transform\nrequest size and avoid slab-out-of-bound in smb2_allocate_rsp_buf()."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "b80ba648714e",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "3160d9734453",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "0977f89722ec",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "c119f4ede3fa",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.1.88",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.29",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8.8",
+ "lessThanOrEqual": "6.8.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.9-rc6",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/b80ba648714e6d790d69610cf14656be222d0248"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/3160d9734453a40db248487f8204830879c207f1"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/0977f89722eceba165700ea384f075143f012085"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/c119f4ede3fa90a9463f50831761c28f989bfb20"
+ }
+ ],
+ "title": "ksmbd: fix slab-out-of-bounds in smb2_allocate_rsp_buf",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26980",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
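Review bot: this record and CVE-2024-26936 above both concern smb2_allocate_rsp_buf() and are fixed in the same four releases (6.1.88, 6.6.29, 6.8.8, 6.9-rc6), but they address different paths: CVE-2024-26936 adds size validation inside smb2_allocate_rsp_buf() (fs/smb/server/smb2pdu.c), while this one moves the allocation after smb3_decrypt_req() so that transform requests, whose size validation the description says "could be skipped", are validated first. The two fixes are complementary, and anyone verifying a backport should confirm both are present. As with CVE-2024-26936, the git ranges start at 1da177e4c3f4 with no introducing commit, so the lower bound should be treated as unknown.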
diff --git a/cve/published/2024/CVE-2024-26980.mbox b/cve/published/2024/CVE-2024-26980.mbox
new file mode 100644
index 00000000..cbe3d0e1
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26980.mbox
@@ -0,0 +1,73 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26980: ksmbd: fix slab-out-of-bounds in smb2_allocate_rsp_buf
+Message-Id: <2024050141-CVE-2024-26980-4b16@gregkh>
+Content-Length: 2132
+Lines: 56
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2189;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=EUZ5XGVRUU3/g5B1VLybO8LXiXJRCIA9+aYUKBDEf/o=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGmGlxuLFpbP3Gz1/7ECU++zKbHn2ThUJ5qYldz/Uf8vq
+ zfvib94RywLgyATg6yYIsuXbTxH91ccUvQytD0NM4eVCWQIAxenAEzk7lOG+RWMxbtU7p3PW+ii
+ cTVc/+qJ998utDEsOJW88PemCHvGA5c6rwaYLam/FJGwAAA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+ksmbd: fix slab-out-of-bounds in smb2_allocate_rsp_buf
+
+If ->ProtocolId is SMB2_TRANSFORM_PROTO_NUM, smb2 request size
+validation could be skipped. if request size is smaller than
+sizeof(struct smb2_query_info_req), slab-out-of-bounds read can happen in
+smb2_allocate_rsp_buf(). This patch allocate response buffer after
+decrypting transform request. smb3_decrypt_req() will validate transform
+request size and avoid slab-out-of-bound in smb2_allocate_rsp_buf().
+
+The Linux kernel CVE team has assigned CVE-2024-26980 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 6.1.88 with commit b80ba648714e
+ Fixed in 6.6.29 with commit 3160d9734453
+ Fixed in 6.8.8 with commit 0977f89722ec
+ Fixed in 6.9-rc6 with commit c119f4ede3fa
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26980
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ fs/smb/server/server.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/b80ba648714e6d790d69610cf14656be222d0248
+ https://git.kernel.org/stable/c/3160d9734453a40db248487f8204830879c207f1
+ https://git.kernel.org/stable/c/0977f89722eceba165700ea384f075143f012085
+ https://git.kernel.org/stable/c/c119f4ede3fa90a9463f50831761c28f989bfb20
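Review bot: the affected file listed here is fs/smb/server/server.c, while the out-of-bounds read the description names occurs in smb2_allocate_rsp_buf(), which the preceding CVE-2024-26936 record places in fs/smb/server/smb2pdu.c; that is consistent with the fix being a reordering at the call site ("allocate response buffer after decrypting transform request") rather than a change to the function itself, but a reader scanning only the "Affected files" section could miss that the vulnerable code path spans both files. Worth reading the two mails together.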
diff --git a/cve/published/2024/CVE-2024-26980.sha1 b/cve/published/2024/CVE-2024-26980.sha1
new file mode 100644
index 00000000..a8ac8b58
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26980.sha1
@@ -0,0 +1 @@
+c119f4ede3fa90a9463f50831761c28f989bfb20
diff --git a/cve/reserved/2024/CVE-2024-26981 b/cve/published/2024/CVE-2024-26981
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26981
+++ b/cve/published/2024/CVE-2024-26981
diff --git a/cve/published/2024/CVE-2024-26981.json b/cve/published/2024/CVE-2024-26981.json
new file mode 100644
index 00000000..e59a4d09
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26981.json
@@ -0,0 +1,133 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix OOB in nilfs_set_de_type\n\nThe size of the nilfs_type_by_mode array in the fs/nilfs2/dir.c file is\ndefined as \"S_IFMT >> S_SHIFT\", but the nilfs_set_de_type() function,\nwhich uses this array, specifies the index to read from the array in the\nsame way as \"(mode & S_IFMT) >> S_SHIFT\".\n\nstatic void nilfs_set_de_type(struct nilfs_dir_entry *de, struct inode\n *inode)\n{\n\tumode_t mode = inode->i_mode;\n\n\tde->file_type = nilfs_type_by_mode[(mode & S_IFMT)>>S_SHIFT]; // oob\n}\n\nHowever, when the index is determined this way, an out-of-bounds (OOB)\nerror occurs by referring to an index that is 1 larger than the array size\nwhen the condition \"mode & S_IFMT == S_IFMT\" is satisfied. Therefore, a\npatch to resize the nilfs_type_by_mode array should be applied to prevent\nOOB errors."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "2ba466d74ed7",
+ "lessThan": "bdbe483da21f",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "2ba466d74ed7",
+ "lessThan": "897ac5306bbe",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "2ba466d74ed7",
+ "lessThan": "2382eae66b19",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "2ba466d74ed7",
+ "lessThan": "90823f8d9ecc",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "2ba466d74ed7",
+ "lessThan": "c4a7dc9523b5",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "2.6.30",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "2.6.30",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.157",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.88",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.29",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8.8",
+ "lessThanOrEqual": "6.8.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.9-rc5",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/bdbe483da21f852c93b22557b146bc4d989260f0"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/897ac5306bbeb83e90c437326f7044c79a17c611"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/2382eae66b196c31893984a538908c3eb7506ff9"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/90823f8d9ecca3d5fa6b102c8e464c62f416975f"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/c4a7dc9523b59b3e73fd522c73e95e072f876b16"
+ }
+ ],
+ "title": "nilfs2: fix OOB in nilfs_set_de_type",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26981",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
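Review bot: unlike the two ksmbd records in this commit, this one is bounded on both sides: the introducing commit 2ba466d74ed7 (version 2.6.30) is given for all five branches and the second block carries the matching `"version": "0", "lessThan": "2.6.30", "status": "unaffected"` entry, which is the shape the other records should aim for. One reading caveat on the description: the condition is written "mode & S_IFMT == S_IFMT", which as C would parse as mode & (S_IFMT == S_IFMT) because == binds tighter than &; it is meant as (mode & S_IFMT) == S_IFMT. In that case the index (mode & S_IFMT) >> S_SHIFT equals S_IFMT >> S_SHIFT, which is exactly the array's declared size, i.e. one element past the end. The text is the upstream commit message and should remain verbatim in the record.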
diff --git a/cve/published/2024/CVE-2024-26981.mbox b/cve/published/2024/CVE-2024-26981.mbox
new file mode 100644
index 00000000..82e2be92
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26981.mbox
@@ -0,0 +1,87 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26981: nilfs2: fix OOB in nilfs_set_de_type
+Message-Id: <2024050141-CVE-2024-26981-db53@gregkh>
+Content-Length: 2848
+Lines: 70
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2919;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=0rt4CUB9mpSHzuwoAMUUV0tO9uFLvyajpEKeYrj/+dI=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGmGlxvD0/U1//GeEK5/HKAwLTq1Mq0yPbt/5dP+gJWyJ
+ tXsaf86YlkYBJkYZMUUWb5s4zm6v+KQopeh7WmYOaxMIEMYuDgFYCITEhlmMb847nOs5LmmRPe8
+ uHOvvsz+rvnqCsP80mhOW8ZZ8sJLPB3WmoVsi/99R/cXAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+nilfs2: fix OOB in nilfs_set_de_type
+
+The size of the nilfs_type_by_mode array in the fs/nilfs2/dir.c file is
+defined as "S_IFMT >> S_SHIFT", but the nilfs_set_de_type() function,
+which uses this array, specifies the index to read from the array in the
+same way as "(mode & S_IFMT) >> S_SHIFT".
+
+static void nilfs_set_de_type(struct nilfs_dir_entry *de, struct inode
+ *inode)
+{
+ umode_t mode = inode->i_mode;
+
+ de->file_type = nilfs_type_by_mode[(mode & S_IFMT)>>S_SHIFT]; // oob
+}
+
+However, when the index is determined this way, an out-of-bounds (OOB)
+error occurs by referring to an index that is 1 larger than the array size
+when the condition "mode & S_IFMT == S_IFMT" is satisfied. Therefore, a
+patch to resize the nilfs_type_by_mode array should be applied to prevent
+OOB errors.
+
+The Linux kernel CVE team has assigned CVE-2024-26981 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 2.6.30 with commit 2ba466d74ed7 and fixed in 5.15.157 with commit bdbe483da21f
+ Issue introduced in 2.6.30 with commit 2ba466d74ed7 and fixed in 6.1.88 with commit 897ac5306bbe
+ Issue introduced in 2.6.30 with commit 2ba466d74ed7 and fixed in 6.6.29 with commit 2382eae66b19
+ Issue introduced in 2.6.30 with commit 2ba466d74ed7 and fixed in 6.8.8 with commit 90823f8d9ecc
+ Issue introduced in 2.6.30 with commit 2ba466d74ed7 and fixed in 6.9-rc5 with commit c4a7dc9523b5
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26981
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ fs/nilfs2/dir.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/bdbe483da21f852c93b22557b146bc4d989260f0
+ https://git.kernel.org/stable/c/897ac5306bbeb83e90c437326f7044c79a17c611
+ https://git.kernel.org/stable/c/2382eae66b196c31893984a538908c3eb7506ff9
+ https://git.kernel.org/stable/c/90823f8d9ecca3d5fa6b102c8e464c62f416975f
+ https://git.kernel.org/stable/c/c4a7dc9523b59b3e73fd522c73e95e072f876b16
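Review bot: the condition quoted in the Description paragraph at the top of this hunk, "mode & S_IFMT == S_IFMT", parses under C operator precedence as mode & (S_IFMT == S_IFMT), i.e. mode & 1; the condition the paragraph actually describes (every S_IFMT type bit set, which yields an index one past the end of nilfs_type_by_mode) is (mode & S_IFMT) == S_IFMT. The description is the upstream commit message copied verbatim, so nothing in the record should be edited, but anyone reading the advisory or auditing a backport should take the quoted expression in its parenthesized form. The five fix URLs under Mitigation match the five "fixed in" entries above them.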
diff --git a/cve/published/2024/CVE-2024-26981.sha1 b/cve/published/2024/CVE-2024-26981.sha1
new file mode 100644
index 00000000..82ce7ee5
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26981.sha1
@@ -0,0 +1 @@
+c4a7dc9523b59b3e73fd522c73e95e072f876b16
diff --git a/cve/reserved/2024/CVE-2024-26982 b/cve/published/2024/CVE-2024-26982
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26982
+++ b/cve/published/2024/CVE-2024-26982
diff --git a/cve/published/2024/CVE-2024-26982.json b/cve/published/2024/CVE-2024-26982.json
new file mode 100644
index 00000000..43d226fd
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26982.json
@@ -0,0 +1,78 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nSquashfs: check the inode number is not the invalid value of zero\n\nSyskiller has produced an out of bounds access in fill_meta_index().\n\nThat out of bounds access is ultimately caused because the inode\nhas an inode number with the invalid value of zero, which was not checked.\n\nThe reason this causes the out of bounds access is due to following\nsequence of events:\n\n1. Fill_meta_index() is called to allocate (via empty_meta_index())\n and fill a metadata index. It however suffers a data read error\n and aborts, invalidating the newly returned empty metadata index.\n It does this by setting the inode number of the index to zero,\n which means unused (zero is not a valid inode number).\n\n2. When fill_meta_index() is subsequently called again on another\n read operation, locate_meta_index() returns the previous index\n because it matches the inode number of 0. Because this index\n has been returned it is expected to have been filled, and because\n it hasn't been, an out of bounds access is performed.\n\nThis patch adds a sanity check which checks that the inode number\nis not zero when the inode is created and returns -EINVAL if it is.\n\n[phillip@squashfs.org.uk: whitespace fix]\n Link: https://lkml.kernel.org/r/20240409204723.446925-1-phillip@squashfs.org.uk"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "7def00ebc9f2",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "9253c54e01b6",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.8.8",
+ "lessThanOrEqual": "6.8.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.9-rc5",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/7def00ebc9f2d6a581ddf46ce4541f84a10680e5"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/9253c54e01b6505d348afbc02abaa4d9f8a01395"
+ }
+ ],
+ "title": "Squashfs: check the inode number is not the invalid value of zero",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26982",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
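Review bot: the "descriptions[].value" string on the "value" line carries the maintainer annotation "[phillip@squashfs.org.uk: whitespace fix]" and its "Link:" trailer, which document the patch's editing history rather than the vulnerability; consider having the generator trim trailers of that form when it copies the commit body, so the description ends at "returns -EINVAL if it is." Separately, both git ranges in the first "affected" container start at 1da177e4c3f4, the root of the kernel git history, which means no introducing commit is known; combined with defaultStatus "affected" in the second container and unaffected ranges only for 6.8.8 and 6.9-rc5, every older stable series (5.15.y, 6.1.y, 6.6.y) is reported affected until a backport is recorded.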
diff --git a/cve/published/2024/CVE-2024-26982.mbox b/cve/published/2024/CVE-2024-26982.mbox
new file mode 100644
index 00000000..1c79d7e4
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26982.mbox
@@ -0,0 +1,88 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26982: Squashfs: check the inode number is not the invalid value of zero
+Message-Id: <2024050141-CVE-2024-26982-8675@gregkh>
+Content-Length: 2714
+Lines: 71
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2786;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=z4ZVijsspQtpXVPlYLndiTKX0ezqjzeIBBMiboMOuo4=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGmGl5u4IgMZ393vmOgwQXPvma4/f6sy5rmWvDj62jgqw
+ WvV21qRjlgWBkEmBlkxRZYv23iO7q84pOhlaHsaZg4rE8gQBi5OAZiI9H6GBRtiDs1l6Oz9NTd1
+ d3bauwmZ02OiuxnmabaK3dCfO3XK9aVXiu84BDsciTuvBAA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+Squashfs: check the inode number is not the invalid value of zero
+
+Syskiller has produced an out of bounds access in fill_meta_index().
+
+That out of bounds access is ultimately caused because the inode
+has an inode number with the invalid value of zero, which was not checked.
+
+The reason this causes the out of bounds access is due to following
+sequence of events:
+
+1. Fill_meta_index() is called to allocate (via empty_meta_index())
+ and fill a metadata index. It however suffers a data read error
+ and aborts, invalidating the newly returned empty metadata index.
+ It does this by setting the inode number of the index to zero,
+ which means unused (zero is not a valid inode number).
+
+2. When fill_meta_index() is subsequently called again on another
+ read operation, locate_meta_index() returns the previous index
+ because it matches the inode number of 0. Because this index
+ has been returned it is expected to have been filled, and because
+ it hasn't been, an out of bounds access is performed.
+
+This patch adds a sanity check which checks that the inode number
+is not zero when the inode is created and returns -EINVAL if it is.
+
+[phillip@squashfs.org.uk: whitespace fix]
+ Link: https://lkml.kernel.org/r/20240409204723.446925-1-phillip@squashfs.org.uk
+
+The Linux kernel CVE team has assigned CVE-2024-26982 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 6.8.8 with commit 7def00ebc9f2
+ Fixed in 6.9-rc5 with commit 9253c54e01b6
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26982
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ fs/squashfs/inode.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/7def00ebc9f2d6a581ddf46ce4541f84a10680e5
+ https://git.kernel.org/stable/c/9253c54e01b6505d348afbc02abaa4d9f8a01395
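Review bot: the "Affected and fixed versions" section lists only "Fixed in 6.8.8" and "Fixed in 6.9-rc5" and, unlike the other records in this commit, has no "Issue introduced in" prefix; that means no introducing commit is known and the older supported stable series (5.15.y, 6.1.y, 6.6.y) have no fix listed, so a reader must treat them as affected, not unaffected. A sentence stating that explicitly would help, since the "Unaffected versions might change over time" paragraph only covers the case where a backport later lands. The two commit URLs under Mitigation match the two fix entries.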
diff --git a/cve/published/2024/CVE-2024-26982.sha1 b/cve/published/2024/CVE-2024-26982.sha1
new file mode 100644
index 00000000..cce603c4
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26982.sha1
@@ -0,0 +1 @@
+9253c54e01b6505d348afbc02abaa4d9f8a01395
diff --git a/cve/reserved/2024/CVE-2024-26983 b/cve/published/2024/CVE-2024-26983
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26983
+++ b/cve/published/2024/CVE-2024-26983
diff --git a/cve/published/2024/CVE-2024-26983.json b/cve/published/2024/CVE-2024-26983.json
new file mode 100644
index 00000000..62fd3f8c
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26983.json
@@ -0,0 +1,118 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbootconfig: use memblock_free_late to free xbc memory to buddy\n\nOn the time to free xbc memory in xbc_exit(), memblock may has handed\nover memory to buddy allocator. So it doesn't make sense to free memory\nback to memblock. memblock_free() called by xbc_exit() even causes UAF bugs\non architectures with CONFIG_ARCH_KEEP_MEMBLOCK disabled like x86.\nFollowing KASAN logs shows this case.\n\nThis patch fixes the xbc memory free problem by calling memblock_free()\nin early xbc init error rewind path and calling memblock_free_late() in\nxbc exit path to free memory to buddy allocator.\n\n[ 9.410890] ==================================================================\n[ 9.418962] BUG: KASAN: use-after-free in memblock_isolate_range+0x12d/0x260\n[ 9.426850] Read of size 8 at addr ffff88845dd30000 by task swapper/0/1\n\n[ 9.435901] CPU: 9 PID: 1 Comm: swapper/0 Tainted: G U 6.9.0-rc3-00208-g586b5dfb51b9 #5\n[ 9.446403] Hardware name: Intel Corporation RPLP LP5 (CPU:RaptorLake)/RPLP LP5 (ID:13), BIOS IRPPN02.01.01.00.00.19.015.D-00000000 Dec 28 2023\n[ 9.460789] Call Trace:\n[ 9.463518] <TASK>\n[ 9.465859] dump_stack_lvl+0x53/0x70\n[ 9.469949] print_report+0xce/0x610\n[ 9.473944] ? __virt_addr_valid+0xf5/0x1b0\n[ 9.478619] ? memblock_isolate_range+0x12d/0x260\n[ 9.483877] kasan_report+0xc6/0x100\n[ 9.487870] ? memblock_isolate_range+0x12d/0x260\n[ 9.493125] memblock_isolate_range+0x12d/0x260\n[ 9.498187] memblock_phys_free+0xb4/0x160\n[ 9.502762] ? __pfx_memblock_phys_free+0x10/0x10\n[ 9.508021] ? mutex_unlock+0x7e/0xd0\n[ 9.512111] ? __pfx_mutex_unlock+0x10/0x10\n[ 9.516786] ? kernel_init_freeable+0x2d4/0x430\n[ 9.521850] ? __pfx_kernel_init+0x10/0x10\n[ 9.526426] xbc_exit+0x17/0x70\n[ 9.529935] kernel_init+0x38/0x1e0\n[ 9.533829] ? _raw_spin_unlock_irq+0xd/0x30\n[ 9.538601] ret_from_fork+0x2c/0x50\n[ 9.542596] ? 
__pfx_kernel_init+0x10/0x10\n[ 9.547170] ret_from_fork_asm+0x1a/0x30\n[ 9.551552] </TASK>\n\n[ 9.555649] The buggy address belongs to the physical page:\n[ 9.561875] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x45dd30\n[ 9.570821] flags: 0x200000000000000(node=0|zone=2)\n[ 9.576271] page_type: 0xffffffff()\n[ 9.580167] raw: 0200000000000000 ffffea0011774c48 ffffea0012ba1848 0000000000000000\n[ 9.588823] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000\n[ 9.597476] page dumped because: kasan: bad access detected\n\n[ 9.605362] Memory state around the buggy address:\n[ 9.610714] ffff88845dd2ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[ 9.618786] ffff88845dd2ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[ 9.626857] >ffff88845dd30000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[ 9.634930] ^\n[ 9.638534] ffff88845dd30080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[ 9.646605] ffff88845dd30100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[ 9.654675] =================================================================="
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "40caa127f3c7",
+ "lessThan": "1e7feb31a18c",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "40caa127f3c7",
+ "lessThan": "e46d3be714ad",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "40caa127f3c7",
+ "lessThan": "5a7dfb8fcd3f",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "40caa127f3c7",
+ "lessThan": "89f9a1e876b5",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.15",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.15",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.88",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.29",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8.8",
+ "lessThanOrEqual": "6.8.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.9-rc5",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/1e7feb31a18c197d63a5e606025ed63c762f8918"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/e46d3be714ad9652480c6db129ab8125e2d20ab7"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/5a7dfb8fcd3f29fc93161100179b27f24f3d5f35"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/89f9a1e876b5a7ad884918c03a46831af202c8a0"
+ }
+ ],
+ "title": "bootconfig: use memblock_free_late to free xbc memory to buddy",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26983",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
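Review bot: the "descriptions[].value" string on the "value" line embeds the entire KASAN report, including the "Hardware name:" BIOS string and the "6.9.0-rc3-00208-g586b5dfb51b9 #5" build tag, after the three paragraphs that actually explain the bug (memblock_free() from xbc_exit() after memblock has handed memory to the buddy allocator) and the fix (memblock_free() only on the early init error path, memblock_free_late() on the exit path); the splat is reachable through the four referenced fix commits, so the record would read better if the copied body stopped at "to free memory to buddy allocator." The machine-readable fields are consistent: the four git ranges from 40caa127f3c7 match the four reference URLs, and the "5.15" affected entry with no 5.15.y unaffected range correctly reflects that no fix is listed for that series.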
diff --git a/cve/published/2024/CVE-2024-26983.mbox b/cve/published/2024/CVE-2024-26983.mbox
new file mode 100644
index 00000000..ae88248b
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26983.mbox
@@ -0,0 +1,123 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26983: bootconfig: use memblock_free_late to free xbc memory to buddy
+Message-Id: <2024050142-CVE-2024-26983-9424@gregkh>
+Content-Length: 4987
+Lines: 106
+X-Developer-Signature: v=1; a=openpgp-sha256; l=5094;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=cW33wK86k4dLQzRCdQJnATcq1O+usZ7YUO26vD8uEj0=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGmGl5uMO396xmcXNbTvtPUt+asa/ZVf6e+/7lMzxd+bM
+ rFG3rzTEcvCIMjEICumyPJlG8/R/RWHFL0MbU/DzGFlAhnCwMUpABOZt4phwbxDDrMFJE4avbha
+ rnfr6VJxnc9zPzPMs2Q1STTdtjw6/ckuvqUOCtOrzm77CAA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+bootconfig: use memblock_free_late to free xbc memory to buddy
+
+On the time to free xbc memory in xbc_exit(), memblock may has handed
+over memory to buddy allocator. So it doesn't make sense to free memory
+back to memblock. memblock_free() called by xbc_exit() even causes UAF bugs
+on architectures with CONFIG_ARCH_KEEP_MEMBLOCK disabled like x86.
+Following KASAN logs shows this case.
+
+This patch fixes the xbc memory free problem by calling memblock_free()
+in early xbc init error rewind path and calling memblock_free_late() in
+xbc exit path to free memory to buddy allocator.
+
+[ 9.410890] ==================================================================
+[ 9.418962] BUG: KASAN: use-after-free in memblock_isolate_range+0x12d/0x260
+[ 9.426850] Read of size 8 at addr ffff88845dd30000 by task swapper/0/1
+
+[ 9.435901] CPU: 9 PID: 1 Comm: swapper/0 Tainted: G U 6.9.0-rc3-00208-g586b5dfb51b9 #5
+[ 9.446403] Hardware name: Intel Corporation RPLP LP5 (CPU:RaptorLake)/RPLP LP5 (ID:13), BIOS IRPPN02.01.01.00.00.19.015.D-00000000 Dec 28 2023
+[ 9.460789] Call Trace:
+[ 9.463518] <TASK>
+[ 9.465859] dump_stack_lvl+0x53/0x70
+[ 9.469949] print_report+0xce/0x610
+[ 9.473944] ? __virt_addr_valid+0xf5/0x1b0
+[ 9.478619] ? memblock_isolate_range+0x12d/0x260
+[ 9.483877] kasan_report+0xc6/0x100
+[ 9.487870] ? memblock_isolate_range+0x12d/0x260
+[ 9.493125] memblock_isolate_range+0x12d/0x260
+[ 9.498187] memblock_phys_free+0xb4/0x160
+[ 9.502762] ? __pfx_memblock_phys_free+0x10/0x10
+[ 9.508021] ? mutex_unlock+0x7e/0xd0
+[ 9.512111] ? __pfx_mutex_unlock+0x10/0x10
+[ 9.516786] ? kernel_init_freeable+0x2d4/0x430
+[ 9.521850] ? __pfx_kernel_init+0x10/0x10
+[ 9.526426] xbc_exit+0x17/0x70
+[ 9.529935] kernel_init+0x38/0x1e0
+[ 9.533829] ? _raw_spin_unlock_irq+0xd/0x30
+[ 9.538601] ret_from_fork+0x2c/0x50
+[ 9.542596] ? __pfx_kernel_init+0x10/0x10
+[ 9.547170] ret_from_fork_asm+0x1a/0x30
+[ 9.551552] </TASK>
+
+[ 9.555649] The buggy address belongs to the physical page:
+[ 9.561875] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x45dd30
+[ 9.570821] flags: 0x200000000000000(node=0|zone=2)
+[ 9.576271] page_type: 0xffffffff()
+[ 9.580167] raw: 0200000000000000 ffffea0011774c48 ffffea0012ba1848 0000000000000000
+[ 9.588823] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
+[ 9.597476] page dumped because: kasan: bad access detected
+
+[ 9.605362] Memory state around the buggy address:
+[ 9.610714] ffff88845dd2ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 9.618786] ffff88845dd2ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 9.626857] >ffff88845dd30000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[ 9.634930] ^
+[ 9.638534] ffff88845dd30080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[ 9.646605] ffff88845dd30100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[ 9.654675] ==================================================================
+
+The Linux kernel CVE team has assigned CVE-2024-26983 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.15 with commit 40caa127f3c7 and fixed in 6.1.88 with commit 1e7feb31a18c
+ Issue introduced in 5.15 with commit 40caa127f3c7 and fixed in 6.6.29 with commit e46d3be714ad
+ Issue introduced in 5.15 with commit 40caa127f3c7 and fixed in 6.8.8 with commit 5a7dfb8fcd3f
+ Issue introduced in 5.15 with commit 40caa127f3c7 and fixed in 6.9-rc5 with commit 89f9a1e876b5
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26983
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ include/linux/bootconfig.h
+ lib/bootconfig.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/1e7feb31a18c197d63a5e606025ed63c762f8918
+ https://git.kernel.org/stable/c/e46d3be714ad9652480c6db129ab8125e2d20ab7
+ https://git.kernel.org/stable/c/5a7dfb8fcd3f29fc93161100179b27f24f3d5f35
+ https://git.kernel.org/stable/c/89f9a1e876b5a7ad884918c03a46831af202c8a0
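Review bot: "Affected and fixed versions" names 5.15 as the introducing release (commit 40caa127f3c7) but lists no 5.15.y fix, the earliest being 6.1.88; on architectures with CONFIG_ARCH_KEEP_MEMBLOCK disabled (x86, per the description) 5.15.y kernels therefore remain exposed to the use-after-free in xbc_exit() until a backport appears. Suggest stating that gap explicitly rather than leaving readers to notice the missing 5.15 line. The affected files list (include/linux/bootconfig.h, lib/bootconfig.c) agrees with the description, which places both the init-error rewind path and the exit path in the xbc code.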
diff --git a/cve/published/2024/CVE-2024-26983.sha1 b/cve/published/2024/CVE-2024-26983.sha1
new file mode 100644
index 00000000..0b3ab971
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26983.sha1
@@ -0,0 +1 @@
+89f9a1e876b5a7ad884918c03a46831af202c8a0
diff --git a/cve/reserved/2024/CVE-2024-26984 b/cve/published/2024/CVE-2024-26984
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26984
+++ b/cve/published/2024/CVE-2024-26984
diff --git a/cve/published/2024/CVE-2024-26984.json b/cve/published/2024/CVE-2024-26984.json
new file mode 100644
index 00000000..2f001a86
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26984.json
@@ -0,0 +1,133 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnouveau: fix instmem race condition around ptr stores\n\nRunning a lot of VK CTS in parallel against nouveau, once every\nfew hours you might see something like this crash.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000008\nPGD 8000000114e6e067 P4D 8000000114e6e067 PUD 109046067 PMD 0\nOops: 0000 [#1] PREEMPT SMP PTI\nCPU: 7 PID: 53891 Comm: deqp-vk Not tainted 6.8.0-rc6+ #27\nHardware name: Gigabyte Technology Co., Ltd. Z390 I AORUS PRO WIFI/Z390 I AORUS PRO WIFI-CF, BIOS F8 11/05/2021\nRIP: 0010:gp100_vmm_pgt_mem+0xe3/0x180 [nouveau]\nCode: c7 48 01 c8 49 89 45 58 85 d2 0f 84 95 00 00 00 41 0f b7 46 12 49 8b 7e 08 89 da 42 8d 2c f8 48 8b 47 08 41 83 c7 01 48 89 ee <48> 8b 40 08 ff d0 0f 1f 00 49 8b 7e 08 48 89 d9 48 8d 75 04 48 c1\nRSP: 0000:ffffac20c5857838 EFLAGS: 00010202\nRAX: 0000000000000000 RBX: 00000000004d8001 RCX: 0000000000000001\nRDX: 00000000004d8001 RSI: 00000000000006d8 RDI: ffffa07afe332180\nRBP: 00000000000006d8 R08: ffffac20c5857ad0 R09: 0000000000ffff10\nR10: 0000000000000001 R11: ffffa07af27e2de0 R12: 000000000000001c\nR13: ffffac20c5857ad0 R14: ffffa07a96fe9040 R15: 000000000000001c\nFS: 00007fe395eed7c0(0000) GS:ffffa07e2c980000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000008 CR3: 000000011febe001 CR4: 00000000003706f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n\n...\n\n ? gp100_vmm_pgt_mem+0xe3/0x180 [nouveau]\n ? gp100_vmm_pgt_mem+0x37/0x180 [nouveau]\n nvkm_vmm_iter+0x351/0xa20 [nouveau]\n ? __pfx_nvkm_vmm_ref_ptes+0x10/0x10 [nouveau]\n ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]\n ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]\n ? __lock_acquire+0x3ed/0x2170\n ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]\n nvkm_vmm_ptes_get_map+0xc2/0x100 [nouveau]\n ? 
__pfx_nvkm_vmm_ref_ptes+0x10/0x10 [nouveau]\n ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]\n nvkm_vmm_map_locked+0x224/0x3a0 [nouveau]\n\nAdding any sort of useful debug usually makes it go away, so I hand\nwrote the function in a line, and debugged the asm.\n\nEvery so often pt->memory->ptrs is NULL. This ptrs ptr is set in\nthe nv50_instobj_acquire called from nvkm_kmap.\n\nIf Thread A and Thread B both get to nv50_instobj_acquire around\nthe same time, and Thread A hits the refcount_set line, and in\nlockstep thread B succeeds at refcount_inc_not_zero, there is a\nchance the ptrs value won't have been stored since refcount_set\nis unordered. Force a memory barrier here, I picked smp_mb, since\nwe want it on all CPUs and it's write followed by a read.\n\nv2: use paired smp_rmb/smp_wmb."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "be55287aa5ba",
+ "lessThan": "3ab056814cd8",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "be55287aa5ba",
+ "lessThan": "ad74d208f213",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "be55287aa5ba",
+ "lessThan": "a019b44b1bc6",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "be55287aa5ba",
+ "lessThan": "21ca9539f093",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "be55287aa5ba",
+ "lessThan": "fff1386cc889",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "4.15",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "4.15",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.157",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.88",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.29",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8.8",
+ "lessThanOrEqual": "6.8.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.9-rc5",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/3ab056814cd8ab84744c9a19ef51360b2271c572"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/ad74d208f213c06d860916ad40f609ade8c13039"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/a019b44b1bc6ed224c46fb5f88a8a10dd116e525"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/21ca9539f09360fd83654f78f2c361f2f5ddcb52"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/fff1386cc889d8fb4089d285f883f8cba62d82ce"
+ }
+ ],
+ "title": "nouveau: fix instmem race condition around ptr stores",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26984",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
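Review bot: the second "affected" container gives unaffected ranges only for 5.15.157, 6.1.88, 6.6.29, 6.8.8 and 6.9-rc5, while the introduction is "4.15" (commit be55287aa5ba); the 4.19.y, 5.4.y and 5.10.y series all postdate 4.15 and have no unaffected range, so under defaultStatus "affected" the record reports them affected. That is the correct reading of the data as written, but it is easy to miss, and it should be rechecked whenever a backport for those series is added so the ranges and the reference list stay in step. The five git ranges from be55287aa5ba match the five reference URLs.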
diff --git a/cve/published/2024/CVE-2024-26984.mbox b/cve/published/2024/CVE-2024-26984.mbox
new file mode 100644
index 00000000..29891d31
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26984.mbox
@@ -0,0 +1,121 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26984: nouveau: fix instmem race condition around ptr stores
+Message-Id: <2024050142-CVE-2024-26984-3028@gregkh>
+Content-Length: 4721
+Lines: 104
+X-Developer-Signature: v=1; a=openpgp-sha256; l=4826;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=5Js3C38mUMD19Phbqm2OTgr+Ji/NkNUmuJYpiEGxbrY=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGmGl5usHqx7ql/iKld/i8Xpmvzshzcy9riJrdhmcWaWZ
+ NEakwdpHbEsDIJMDLJiiixftvEc3V9xSNHL0PY0zBxWJpAhDFycAjCRe00MC3avrHk4T/XVXY3l
+ 304vU3so0eRddolhvlPHs3u71y34qruBV7Us53lJQOeSEAA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+nouveau: fix instmem race condition around ptr stores
+
+Running a lot of VK CTS in parallel against nouveau, once every
+few hours you might see something like this crash.
+
+BUG: kernel NULL pointer dereference, address: 0000000000000008
+PGD 8000000114e6e067 P4D 8000000114e6e067 PUD 109046067 PMD 0
+Oops: 0000 [#1] PREEMPT SMP PTI
+CPU: 7 PID: 53891 Comm: deqp-vk Not tainted 6.8.0-rc6+ #27
+Hardware name: Gigabyte Technology Co., Ltd. Z390 I AORUS PRO WIFI/Z390 I AORUS PRO WIFI-CF, BIOS F8 11/05/2021
+RIP: 0010:gp100_vmm_pgt_mem+0xe3/0x180 [nouveau]
+Code: c7 48 01 c8 49 89 45 58 85 d2 0f 84 95 00 00 00 41 0f b7 46 12 49 8b 7e 08 89 da 42 8d 2c f8 48 8b 47 08 41 83 c7 01 48 89 ee <48> 8b 40 08 ff d0 0f 1f 00 49 8b 7e 08 48 89 d9 48 8d 75 04 48 c1
+RSP: 0000:ffffac20c5857838 EFLAGS: 00010202
+RAX: 0000000000000000 RBX: 00000000004d8001 RCX: 0000000000000001
+RDX: 00000000004d8001 RSI: 00000000000006d8 RDI: ffffa07afe332180
+RBP: 00000000000006d8 R08: ffffac20c5857ad0 R09: 0000000000ffff10
+R10: 0000000000000001 R11: ffffa07af27e2de0 R12: 000000000000001c
+R13: ffffac20c5857ad0 R14: ffffa07a96fe9040 R15: 000000000000001c
+FS: 00007fe395eed7c0(0000) GS:ffffa07e2c980000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000000000008 CR3: 000000011febe001 CR4: 00000000003706f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+
+...
+
+ ? gp100_vmm_pgt_mem+0xe3/0x180 [nouveau]
+ ? gp100_vmm_pgt_mem+0x37/0x180 [nouveau]
+ nvkm_vmm_iter+0x351/0xa20 [nouveau]
+ ? __pfx_nvkm_vmm_ref_ptes+0x10/0x10 [nouveau]
+ ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]
+ ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]
+ ? __lock_acquire+0x3ed/0x2170
+ ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]
+ nvkm_vmm_ptes_get_map+0xc2/0x100 [nouveau]
+ ? __pfx_nvkm_vmm_ref_ptes+0x10/0x10 [nouveau]
+ ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]
+ nvkm_vmm_map_locked+0x224/0x3a0 [nouveau]
+
+Adding any sort of useful debug usually makes it go away, so I hand
+wrote the function in a line, and debugged the asm.
+
+Every so often pt->memory->ptrs is NULL. This ptrs ptr is set in
+the nv50_instobj_acquire called from nvkm_kmap.
+
+If Thread A and Thread B both get to nv50_instobj_acquire around
+the same time, and Thread A hits the refcount_set line, and in
+lockstep thread B succeeds at refcount_inc_not_zero, there is a
+chance the ptrs value won't have been stored since refcount_set
+is unordered. Force a memory barrier here, I picked smp_mb, since
+we want it on all CPUs and it's write followed by a read.
+
+v2: use paired smp_rmb/smp_wmb.
+
+The Linux kernel CVE team has assigned CVE-2024-26984 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 4.15 with commit be55287aa5ba and fixed in 5.15.157 with commit 3ab056814cd8
+ Issue introduced in 4.15 with commit be55287aa5ba and fixed in 6.1.88 with commit ad74d208f213
+ Issue introduced in 4.15 with commit be55287aa5ba and fixed in 6.6.29 with commit a019b44b1bc6
+ Issue introduced in 4.15 with commit be55287aa5ba and fixed in 6.8.8 with commit 21ca9539f093
+ Issue introduced in 4.15 with commit be55287aa5ba and fixed in 6.9-rc5 with commit fff1386cc889
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26984
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/gpu/drm/nouveau/nvkm/subdev/instmem/nv50.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/3ab056814cd8ab84744c9a19ef51360b2271c572
+ https://git.kernel.org/stable/c/ad74d208f213c06d860916ad40f609ade8c13039
+ https://git.kernel.org/stable/c/a019b44b1bc6ed224c46fb5f88a8a10dd116e525
+ https://git.kernel.org/stable/c/21ca9539f09360fd83654f78f2c361f2f5ddcb52
+ https://git.kernel.org/stable/c/fff1386cc889d8fb4089d285f883f8cba62d82ce
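Review bot: the Description's account of the fix is inconsistent as copied: the paragraph beginning "If Thread A and Thread B" says "I picked smp_mb", but the trailing "v2: use paired smp_rmb/smp_wmb." line records that the merged change orders the ptrs store in nv50_instobj_acquire with smp_wmb and the reader side after refcount_inc_not_zero with smp_rmb, not a full smp_mb. Since this is the upstream commit message verbatim the record should not be edited, but anyone verifying a backport should look for the paired barriers rather than an smp_mb, and a one-line note that the v2 line supersedes the earlier sentence would help. The five commit URLs under Mitigation match the five "fixed in" entries above, and the affected file (drivers/gpu/drm/nouveau/nvkm/subdev/instmem/nv50.c) is where nv50_instobj_acquire lives.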
diff --git a/cve/published/2024/CVE-2024-26984.sha1 b/cve/published/2024/CVE-2024-26984.sha1
new file mode 100644
index 00000000..87db76a9
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26984.sha1
@@ -0,0 +1 @@
+fff1386cc889d8fb4089d285f883f8cba62d82ce
diff --git a/cve/reserved/2024/CVE-2024-26985 b/cve/published/2024/CVE-2024-26985
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26985
+++ b/cve/published/2024/CVE-2024-26985
diff --git a/cve/published/2024/CVE-2024-26985.json b/cve/published/2024/CVE-2024-26985.json
new file mode 100644
index 00000000..730512b6
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26985.json
@@ -0,0 +1,88 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Fix bo leak in intel_fb_bo_framebuffer_init\n\nAdd a unreference bo in the error path, to prevent leaking a bo ref.\n\nReturn 0 on success to clarify the success path.\n\n(cherry picked from commit a2f3d731be3893e730417ae3190760fcaffdf549)"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "44e694958b95",
+ "lessThan": "7d8ac0942c31",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "44e694958b95",
+ "lessThan": "652ead9b746a",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.8",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "6.8",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8.8",
+ "lessThanOrEqual": "6.8.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.9-rc5",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/7d8ac0942c312abda43b407eff72d31747a7b472"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/652ead9b746a63e4e79d7ad66d3edf0a8a5b0c2f"
+ }
+ ],
+ "title": "drm/xe: Fix bo leak in intel_fb_bo_framebuffer_init",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26985",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
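Review bot: the description keeps the drm-intel trailer "(cherry picked from commit a2f3d731be3893e730417ae3190760fcaffdf549)", yet that hash appears neither in the affected git ranges nor in references, which only list 7d8ac0942c31 (6.8.8) and 652ead9b746a (6.9-rc5); a reader now has three identifiers for one fix and no way to tell from the record which one is the mainline commit being tracked. Either strip the trailer from the description or add the hash as a reference so the three can be reconciled.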
diff --git a/cve/published/2024/CVE-2024-26985.mbox b/cve/published/2024/CVE-2024-26985.mbox
new file mode 100644
index 00000000..09fcdd5e
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26985.mbox
@@ -0,0 +1,68 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26985: drm/xe: Fix bo leak in intel_fb_bo_framebuffer_init
+Message-Id: <2024050142-CVE-2024-26985-37ac@gregkh>
+Content-Length: 1803
+Lines: 51
+X-Developer-Signature: v=1; a=openpgp-sha256; l=1855;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=8+0aXQvdR5dkS/k8aGVDevoaRUShNdHCtdzeVH2Vi7M=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGmGl5tCDko9PmuXKbNXwfbtqfcvNk6f3KYbGy4SaObw0
+ mpf+s24jlgWBkEmBlkxRZYv23iO7q84pOhlaHsaZg4rE8gQBi5OAZjI8kyG+cmWfPXvXnk0bo/b
+ FzOFJZ2v9ZVkFsOC3luH/fy8ruVtDvrkNX12QMDmq+yVAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+drm/xe: Fix bo leak in intel_fb_bo_framebuffer_init
+
+Add a unreference bo in the error path, to prevent leaking a bo ref.
+
+Return 0 on success to clarify the success path.
+
+(cherry picked from commit a2f3d731be3893e730417ae3190760fcaffdf549)
+
+The Linux kernel CVE team has assigned CVE-2024-26985 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 6.8 with commit 44e694958b95 and fixed in 6.8.8 with commit 7d8ac0942c31
+ Issue introduced in 6.8 with commit 44e694958b95 and fixed in 6.9-rc5 with commit 652ead9b746a
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26985
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/gpu/drm/xe/display/intel_fb_bo.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/7d8ac0942c312abda43b407eff72d31747a7b472
+ https://git.kernel.org/stable/c/652ead9b746a63e4e79d7ad66d3edf0a8a5b0c2f
diff --git a/cve/published/2024/CVE-2024-26985.sha1 b/cve/published/2024/CVE-2024-26985.sha1
new file mode 100644
index 00000000..af635d83
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26985.sha1
@@ -0,0 +1 @@
+652ead9b746a63e4e79d7ad66d3edf0a8a5b0c2f
diff --git a/cve/reserved/2024/CVE-2024-26986 b/cve/published/2024/CVE-2024-26986
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26986
+++ b/cve/published/2024/CVE-2024-26986
diff --git a/cve/published/2024/CVE-2024-26986.json b/cve/published/2024/CVE-2024-26986.json
new file mode 100644
index 00000000..fc197387
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26986.json
@@ -0,0 +1,103 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Fix memory leak in create_process failure\n\nFix memory leak due to a leaked mmget reference on an error handling\ncode path that is triggered when attempting to create KFD processes\nwhile a GPU reset is in progress."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "0ab2d7532b05",
+ "lessThan": "aa02d43367a9",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "0ab2d7532b05",
+ "lessThan": "0dcd87641164",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "0ab2d7532b05",
+ "lessThan": "18921b205012",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.5",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "6.5",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.29",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8.8",
+ "lessThanOrEqual": "6.8.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.9-rc5",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/aa02d43367a9adf8c85fb382fea4171fb266c8d0"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/0dcd876411644da98a6b4d5a18d32ca94c15bdb5"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/18921b205012568b45760753ad3146ddb9e2d4e2"
+ }
+ ],
+ "title": "drm/amdkfd: Fix memory leak in create_process failure",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26986",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26986.mbox b/cve/published/2024/CVE-2024-26986.mbox
new file mode 100644
index 00000000..63a18458
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26986.mbox
@@ -0,0 +1,68 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26986: drm/amdkfd: Fix memory leak in create_process failure
+Message-Id: <2024050142-CVE-2024-26986-4650@gregkh>
+Content-Length: 1956
+Lines: 51
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2008;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=2IPL9rRB8TF1wjbZi6SP2xFW2iNFEWa+RDHDrdrTQvM=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGmGl5uSucp772v4rPqdsshO3MjhYuqLzDLZUy4poZ/Ze
+ UJMt2R0xLIwCDIxyIopsnzZxnN0f8UhRS9D29Mwc1iZQIYwcHEKwEQUDjPML+/h+Nv7ef4T39sX
+ st4cmSn3ofahL8OCLXLPX6tt32lnKGoiapk4ua5B9qMOAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+drm/amdkfd: Fix memory leak in create_process failure
+
+Fix memory leak due to a leaked mmget reference on an error handling
+code path that is triggered when attempting to create KFD processes
+while a GPU reset is in progress.
+
+The Linux kernel CVE team has assigned CVE-2024-26986 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 6.5 with commit 0ab2d7532b05 and fixed in 6.6.29 with commit aa02d43367a9
+ Issue introduced in 6.5 with commit 0ab2d7532b05 and fixed in 6.8.8 with commit 0dcd87641164
+ Issue introduced in 6.5 with commit 0ab2d7532b05 and fixed in 6.9-rc5 with commit 18921b205012
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26986
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/gpu/drm/amd/amdkfd/kfd_process.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/aa02d43367a9adf8c85fb382fea4171fb266c8d0
+ https://git.kernel.org/stable/c/0dcd876411644da98a6b4d5a18d32ca94c15bdb5
+ https://git.kernel.org/stable/c/18921b205012568b45760753ad3146ddb9e2d4e2
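Review bot: the description says an mmget reference is leaked on the error path when a KFD process is created during a GPU reset, but it does not say what that reference pins (the creating task's mm, going by the mmget wording) or who can reach the path, so readers cannot tell whether this is an unprivileged resource-exhaustion issue or a corner case that needs a GPU reset they cannot provoke; one sentence on the trigger and the leaked object would make the record triageable. The version data is consistent: all three git ranges start at 0ab2d7532b05 and the table marks 6.5 affected with fixes only in 6.6.29, 6.8.8 and 6.9-rc5, so 6.5.y and 6.7.y fall under defaultStatus "affected".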
diff --git a/cve/published/2024/CVE-2024-26986.sha1 b/cve/published/2024/CVE-2024-26986.sha1
new file mode 100644
index 00000000..171f990d
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26986.sha1
@@ -0,0 +1 @@
+18921b205012568b45760753ad3146ddb9e2d4e2
diff --git a/cve/reserved/2024/CVE-2024-26987 b/cve/published/2024/CVE-2024-26987
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26987
+++ b/cve/published/2024/CVE-2024-26987
diff --git a/cve/published/2024/CVE-2024-26987.json b/cve/published/2024/CVE-2024-26987.json
new file mode 100644
index 00000000..cf3a512e
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26987.json
@@ -0,0 +1,118 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/memory-failure: fix deadlock when hugetlb_optimize_vmemmap is enabled\n\nWhen I did hard offline test with hugetlb pages, below deadlock occurs:\n\n======================================================\nWARNING: possible circular locking dependency detected\n6.8.0-11409-gf6cef5f8c37f #1 Not tainted\n------------------------------------------------------\nbash/46904 is trying to acquire lock:\nffffffffabe68910 (cpu_hotplug_lock){++++}-{0:0}, at: static_key_slow_dec+0x16/0x60\n\nbut task is already holding lock:\nffffffffabf92ea8 (pcp_batch_high_lock){+.+.}-{3:3}, at: zone_pcp_disable+0x16/0x40\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-> #1 (pcp_batch_high_lock){+.+.}-{3:3}:\n __mutex_lock+0x6c/0x770\n page_alloc_cpu_online+0x3c/0x70\n cpuhp_invoke_callback+0x397/0x5f0\n __cpuhp_invoke_callback_range+0x71/0xe0\n _cpu_up+0xeb/0x210\n cpu_up+0x91/0xe0\n cpuhp_bringup_mask+0x49/0xb0\n bringup_nonboot_cpus+0xb7/0xe0\n smp_init+0x25/0xa0\n kernel_init_freeable+0x15f/0x3e0\n kernel_init+0x15/0x1b0\n ret_from_fork+0x2f/0x50\n ret_from_fork_asm+0x1a/0x30\n\n-> #0 (cpu_hotplug_lock){++++}-{0:0}:\n __lock_acquire+0x1298/0x1cd0\n lock_acquire+0xc0/0x2b0\n cpus_read_lock+0x2a/0xc0\n static_key_slow_dec+0x16/0x60\n __hugetlb_vmemmap_restore_folio+0x1b9/0x200\n dissolve_free_huge_page+0x211/0x260\n __page_handle_poison+0x45/0xc0\n memory_failure+0x65e/0xc70\n hard_offline_page_store+0x55/0xa0\n kernfs_fop_write_iter+0x12c/0x1d0\n vfs_write+0x387/0x550\n ksys_write+0x64/0xe0\n do_syscall_64+0xca/0x1e0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nother info that might help us debug this:\n\n Possible unsafe locking scenario:\n\n CPU0 CPU1\n ---- ----\n lock(pcp_batch_high_lock);\n lock(cpu_hotplug_lock);\n lock(pcp_batch_high_lock);\n rlock(cpu_hotplug_lock);\n\n *** DEADLOCK ***\n\n5 locks held by bash/46904:\n #0: ffff98f6c3bb23f0 
(sb_writers#5){.+.+}-{0:0}, at: ksys_write+0x64/0xe0\n #1: ffff98f6c328e488 (&of->mutex){+.+.}-{3:3}, at: kernfs_fop_write_iter+0xf8/0x1d0\n #2: ffff98ef83b31890 (kn->active#113){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x100/0x1d0\n #3: ffffffffabf9db48 (mf_mutex){+.+.}-{3:3}, at: memory_failure+0x44/0xc70\n #4: ffffffffabf92ea8 (pcp_batch_high_lock){+.+.}-{3:3}, at: zone_pcp_disable+0x16/0x40\n\nstack backtrace:\nCPU: 10 PID: 46904 Comm: bash Kdump: loaded Not tainted 6.8.0-11409-gf6cef5f8c37f #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl+0x68/0xa0\n check_noncircular+0x129/0x140\n __lock_acquire+0x1298/0x1cd0\n lock_acquire+0xc0/0x2b0\n cpus_read_lock+0x2a/0xc0\n static_key_slow_dec+0x16/0x60\n __hugetlb_vmemmap_restore_folio+0x1b9/0x200\n dissolve_free_huge_page+0x211/0x260\n __page_handle_poison+0x45/0xc0\n memory_failure+0x65e/0xc70\n hard_offline_page_store+0x55/0xa0\n kernfs_fop_write_iter+0x12c/0x1d0\n vfs_write+0x387/0x550\n ksys_write+0x64/0xe0\n do_syscall_64+0xca/0x1e0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\nRIP: 0033:0x7fc862314887\nCode: 10 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24\nRSP: 002b:00007fff19311268 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 000000000000000c RCX: 00007fc862314887\nRDX: 000000000000000c RSI: 000056405645fe10 RDI: 0000000000000001\nRBP: 000056405645fe10 R08: 00007fc8623d1460 R09: 000000007fffffff\nR10: 0000000000000000 R11: 0000000000000246 R12: 000000000000000c\nR13: 00007fc86241b780 R14: 00007fc862417600 R15: 00007fc862416a00\n\nIn short, below scene breaks the \n---truncated---"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "a6b40850c442",
+ "lessThan": "5ef7ba2799a3",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "a6b40850c442",
+ "lessThan": "882e1180c83f",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "a6b40850c442",
+ "lessThan": "49955b24002d",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "a6b40850c442",
+ "lessThan": "1983184c22dd",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.18",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.18",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.88",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.29",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8.8",
+ "lessThanOrEqual": "6.8.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.9-rc5",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/5ef7ba2799a3b5ed292b8f6407376e2c25ef002e"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/882e1180c83f5b75bae03d0ccc31ccedfe5159de"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/49955b24002dc16a0ae2e83a57a2a6c863a1845c"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/1983184c22dd84a4d95a71e5c6775c2638557dc7"
+ }
+ ],
+ "title": "mm/memory-failure: fix deadlock when hugetlb_optimize_vmemmap is enabled",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26987",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
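Review bot: the JSON description runs into the length limit and ends at "In short, below scene breaks the ---truncated---", so the published record drops exactly the useful part: the summarised lock chain, the fix ("calling drain_all_pages() instead") and the note that a6b40850c442 is what introduced the rlock(cpu_hotplug_lock) under pcp_batch_high_lock. What survives is the full lockdep splat plus the register dump. Trimming the splat in the description, for instance keeping only the "Possible unsafe locking scenario" block, would let the summary and the fix fit; the mbox for the same CVE carries the complete text and is fine.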
diff --git a/cve/published/2024/CVE-2024-26987.mbox b/cve/published/2024/CVE-2024-26987.mbox
new file mode 100644
index 00000000..4c4c0368
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26987.mbox
@@ -0,0 +1,183 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26987: mm/memory-failure: fix deadlock when hugetlb_optimize_vmemmap is enabled
+Message-Id: <2024050143-CVE-2024-26987-507c@gregkh>
+Content-Length: 6469
+Lines: 166
+X-Developer-Signature: v=1; a=openpgp-sha256; l=6636;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=ubw6Z3vZCy+7/GaqnFsRCIb3bzSsnWKoBO8Wg9mz7As=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGmGl5uvMq5sf2r66Hz9vV3bTzcfb2EVvxGy1YFxXl3Bg
+ QsfEwMvdMSyMAgyMciKKbJ82cZzdH/FIUUvQ9vTMHNYmUCGMHBxCsBEtsYyLFhsssO8nfmST0LF
+ /V+ndy+fHGjRs5ZhfiyrX1LJrTaZU0G13yNKpu07sH7DfgA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+mm/memory-failure: fix deadlock when hugetlb_optimize_vmemmap is enabled
+
+When I did hard offline test with hugetlb pages, below deadlock occurs:
+
+======================================================
+WARNING: possible circular locking dependency detected
+6.8.0-11409-gf6cef5f8c37f #1 Not tainted
+------------------------------------------------------
+bash/46904 is trying to acquire lock:
+ffffffffabe68910 (cpu_hotplug_lock){++++}-{0:0}, at: static_key_slow_dec+0x16/0x60
+
+but task is already holding lock:
+ffffffffabf92ea8 (pcp_batch_high_lock){+.+.}-{3:3}, at: zone_pcp_disable+0x16/0x40
+
+which lock already depends on the new lock.
+
+the existing dependency chain (in reverse order) is:
+
+-> #1 (pcp_batch_high_lock){+.+.}-{3:3}:
+ __mutex_lock+0x6c/0x770
+ page_alloc_cpu_online+0x3c/0x70
+ cpuhp_invoke_callback+0x397/0x5f0
+ __cpuhp_invoke_callback_range+0x71/0xe0
+ _cpu_up+0xeb/0x210
+ cpu_up+0x91/0xe0
+ cpuhp_bringup_mask+0x49/0xb0
+ bringup_nonboot_cpus+0xb7/0xe0
+ smp_init+0x25/0xa0
+ kernel_init_freeable+0x15f/0x3e0
+ kernel_init+0x15/0x1b0
+ ret_from_fork+0x2f/0x50
+ ret_from_fork_asm+0x1a/0x30
+
+-> #0 (cpu_hotplug_lock){++++}-{0:0}:
+ __lock_acquire+0x1298/0x1cd0
+ lock_acquire+0xc0/0x2b0
+ cpus_read_lock+0x2a/0xc0
+ static_key_slow_dec+0x16/0x60
+ __hugetlb_vmemmap_restore_folio+0x1b9/0x200
+ dissolve_free_huge_page+0x211/0x260
+ __page_handle_poison+0x45/0xc0
+ memory_failure+0x65e/0xc70
+ hard_offline_page_store+0x55/0xa0
+ kernfs_fop_write_iter+0x12c/0x1d0
+ vfs_write+0x387/0x550
+ ksys_write+0x64/0xe0
+ do_syscall_64+0xca/0x1e0
+ entry_SYSCALL_64_after_hwframe+0x6d/0x75
+
+other info that might help us debug this:
+
+ Possible unsafe locking scenario:
+
+ CPU0 CPU1
+ ---- ----
+ lock(pcp_batch_high_lock);
+ lock(cpu_hotplug_lock);
+ lock(pcp_batch_high_lock);
+ rlock(cpu_hotplug_lock);
+
+ *** DEADLOCK ***
+
+5 locks held by bash/46904:
+ #0: ffff98f6c3bb23f0 (sb_writers#5){.+.+}-{0:0}, at: ksys_write+0x64/0xe0
+ #1: ffff98f6c328e488 (&of->mutex){+.+.}-{3:3}, at: kernfs_fop_write_iter+0xf8/0x1d0
+ #2: ffff98ef83b31890 (kn->active#113){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x100/0x1d0
+ #3: ffffffffabf9db48 (mf_mutex){+.+.}-{3:3}, at: memory_failure+0x44/0xc70
+ #4: ffffffffabf92ea8 (pcp_batch_high_lock){+.+.}-{3:3}, at: zone_pcp_disable+0x16/0x40
+
+stack backtrace:
+CPU: 10 PID: 46904 Comm: bash Kdump: loaded Not tainted 6.8.0-11409-gf6cef5f8c37f #1
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0x68/0xa0
+ check_noncircular+0x129/0x140
+ __lock_acquire+0x1298/0x1cd0
+ lock_acquire+0xc0/0x2b0
+ cpus_read_lock+0x2a/0xc0
+ static_key_slow_dec+0x16/0x60
+ __hugetlb_vmemmap_restore_folio+0x1b9/0x200
+ dissolve_free_huge_page+0x211/0x260
+ __page_handle_poison+0x45/0xc0
+ memory_failure+0x65e/0xc70
+ hard_offline_page_store+0x55/0xa0
+ kernfs_fop_write_iter+0x12c/0x1d0
+ vfs_write+0x387/0x550
+ ksys_write+0x64/0xe0
+ do_syscall_64+0xca/0x1e0
+ entry_SYSCALL_64_after_hwframe+0x6d/0x75
+RIP: 0033:0x7fc862314887
+Code: 10 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24
+RSP: 002b:00007fff19311268 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
+RAX: ffffffffffffffda RBX: 000000000000000c RCX: 00007fc862314887
+RDX: 000000000000000c RSI: 000056405645fe10 RDI: 0000000000000001
+RBP: 000056405645fe10 R08: 00007fc8623d1460 R09: 000000007fffffff
+R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000000c
+R13: 00007fc86241b780 R14: 00007fc862417600 R15: 00007fc862416a00
+
+In short, below scene breaks the lock dependency chain:
+
+ memory_failure
+ __page_handle_poison
+ zone_pcp_disable -- lock(pcp_batch_high_lock)
+ dissolve_free_huge_page
+ __hugetlb_vmemmap_restore_folio
+ static_key_slow_dec
+ cpus_read_lock -- rlock(cpu_hotplug_lock)
+
+Fix this by calling drain_all_pages() instead.
+
+This issue won't occur until commit a6b40850c442 ("mm: hugetlb: replace
+hugetlb_free_vmemmap_enabled with a static_key"). As it introduced
+rlock(cpu_hotplug_lock) in dissolve_free_huge_page() code path while
+lock(pcp_batch_high_lock) is already in the __page_handle_poison().
+
+[linmiaohe@huawei.com: extend comment per Oscar]
+[akpm@linux-foundation.org: reflow block comment]
+
+The Linux kernel CVE team has assigned CVE-2024-26987 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.18 with commit a6b40850c442 and fixed in 6.1.88 with commit 5ef7ba2799a3
+ Issue introduced in 5.18 with commit a6b40850c442 and fixed in 6.6.29 with commit 882e1180c83f
+ Issue introduced in 5.18 with commit a6b40850c442 and fixed in 6.8.8 with commit 49955b24002d
+ Issue introduced in 5.18 with commit a6b40850c442 and fixed in 6.9-rc5 with commit 1983184c22dd
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26987
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ mm/memory-failure.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/5ef7ba2799a3b5ed292b8f6407376e2c25ef002e
+ https://git.kernel.org/stable/c/882e1180c83f5b75bae03d0ccc31ccedfe5159de
+ https://git.kernel.org/stable/c/49955b24002dc16a0ae2e83a57a2a6c863a1845c
+ https://git.kernel.org/stable/c/1983184c22dd84a4d95a71e5c6775c2638557dc7
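Review bot: "Fix this by calling drain_all_pages() instead" does not say instead of what; the "In short" chain points at zone_pcp_disable() in __page_handle_poison(), which is the caller holding pcp_batch_high_lock when dissolve_free_huge_page() goes on to take cpu_hotplug_lock, and since this text is what the announcement list sees, naming the replaced call would spare readers opening the patch. Note also that the only trigger shown is a sysfs write (kernfs_fop_write_iter -> hard_offline_page_store); the record does not say whether the same chain is reachable through memory_failure() from hardware-reported poison, which is the question a triager will ask.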
diff --git a/cve/published/2024/CVE-2024-26987.sha1 b/cve/published/2024/CVE-2024-26987.sha1
new file mode 100644
index 00000000..a22c4d57
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26987.sha1
@@ -0,0 +1 @@
+1983184c22dd84a4d95a71e5c6775c2638557dc7
diff --git a/cve/reserved/2024/CVE-2024-26988 b/cve/published/2024/CVE-2024-26988
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26988
+++ b/cve/published/2024/CVE-2024-26988
diff --git a/cve/published/2024/CVE-2024-26988.json b/cve/published/2024/CVE-2024-26988.json
new file mode 100644
index 00000000..ff9eda9a
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26988.json
@@ -0,0 +1,133 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ninit/main.c: Fix potential static_command_line memory overflow\n\nWe allocate memory of size 'xlen + strlen(boot_command_line) + 1' for\nstatic_command_line, but the strings copied into static_command_line are\nextra_command_line and command_line, rather than extra_command_line and\nboot_command_line.\n\nWhen strlen(command_line) > strlen(boot_command_line), static_command_line\nwill overflow.\n\nThis patch just recovers strlen(command_line) which was miss-consolidated\nwith strlen(boot_command_line) in the commit f5c7310ac73e (\"init/main: add\nchecks for the return value of memblock_alloc*()\")"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "f5c7310ac73e",
+ "lessThan": "0dc727a4e054",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "f5c7310ac73e",
+ "lessThan": "76c2f4d426a5",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "f5c7310ac73e",
+ "lessThan": "81cf85ae4f2d",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "f5c7310ac73e",
+ "lessThan": "936a02b5a963",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "f5c7310ac73e",
+ "lessThan": "46dad3c1e578",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.1",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.1",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.157",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.88",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.29",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8.8",
+ "lessThanOrEqual": "6.8.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.9-rc5",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/0dc727a4e05400205358a22c3d01ccad2c8e1fe4"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/76c2f4d426a5358fced5d5990744d46f10a4ccea"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/81cf85ae4f2dd5fa3e43021782aa72c4c85558e8"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/936a02b5a9630c5beb0353c3085cc49d86c57034"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/46dad3c1e57897ab9228332f03e1c14798d2d3b9"
+ }
+ ],
+ "title": "init/main.c: Fix potential static_command_line memory overflow",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26988",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26988.mbox b/cve/published/2024/CVE-2024-26988.mbox
new file mode 100644
index 00000000..3e26fc26
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26988.mbox
@@ -0,0 +1,80 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26988: init/main.c: Fix potential static_command_line memory overflow
+Message-Id: <2024050143-CVE-2024-26988-c304@gregkh>
+Content-Length: 2631
+Lines: 63
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2695;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=ApP3BMKiytB0sE7Bk+ptQR0Vm6/9DxzW0fshm01WbII=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGmGl5sLXm37/Zwh0rvuot1pq3auhw5C92T4cwzdLOeJL
+ 5PfK+vTEcvCIMjEICumyPJlG8/R/RWHFL0MbU/DzGFlAhnCwMUpABNRjmNYsP/lCvZHm75snCP8
+ 0uVIpsyloNvnxBjmV6ra2X6rCLeqfvTovQv3uwYD66lTAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+init/main.c: Fix potential static_command_line memory overflow
+
+We allocate memory of size 'xlen + strlen(boot_command_line) + 1' for
+static_command_line, but the strings copied into static_command_line are
+extra_command_line and command_line, rather than extra_command_line and
+boot_command_line.
+
+When strlen(command_line) > strlen(boot_command_line), static_command_line
+will overflow.
+
+This patch just recovers strlen(command_line) which was miss-consolidated
+with strlen(boot_command_line) in the commit f5c7310ac73e ("init/main: add
+checks for the return value of memblock_alloc*()")
+
+The Linux kernel CVE team has assigned CVE-2024-26988 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.1 with commit f5c7310ac73e and fixed in 5.15.157 with commit 0dc727a4e054
+ Issue introduced in 5.1 with commit f5c7310ac73e and fixed in 6.1.88 with commit 76c2f4d426a5
+ Issue introduced in 5.1 with commit f5c7310ac73e and fixed in 6.6.29 with commit 81cf85ae4f2d
+ Issue introduced in 5.1 with commit f5c7310ac73e and fixed in 6.8.8 with commit 936a02b5a963
+ Issue introduced in 5.1 with commit f5c7310ac73e and fixed in 6.9-rc5 with commit 46dad3c1e578
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26988
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ init/main.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/0dc727a4e05400205358a22c3d01ccad2c8e1fe4
+ https://git.kernel.org/stable/c/76c2f4d426a5358fced5d5990744d46f10a4ccea
+ https://git.kernel.org/stable/c/81cf85ae4f2dd5fa3e43021782aa72c4c85558e8
+ https://git.kernel.org/stable/c/936a02b5a9630c5beb0353c3085cc49d86c57034
+ https://git.kernel.org/stable/c/46dad3c1e57897ab9228332f03e1c14798d2d3b9
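Review bot: the "Affected and fixed versions" list starts at 5.15.157 although the same lines state the issue was introduced in 5.1 with f5c7310ac73e, so any stable series between 5.1 and 5.15 that is still maintained remains affected as far as this record goes; the "Unaffected versions might change over time" paragraph covers later backports in general, but the announcement would be clearer if it said outright that no fix is listed for series older than 5.15 at publication time. The Description block mirrors the upstream commit message verbatim (including "miss-consolidated" and the missing period after the f5c7310ac73e citation), which is the intended behaviour for these announcements and not something to edit in this file.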
diff --git a/cve/published/2024/CVE-2024-26988.sha1 b/cve/published/2024/CVE-2024-26988.sha1
new file mode 100644
index 00000000..8f4aa930
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26988.sha1
@@ -0,0 +1 @@
+46dad3c1e57897ab9228332f03e1c14798d2d3b9
diff --git a/cve/reserved/2024/CVE-2024-26989 b/cve/published/2024/CVE-2024-26989
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26989
+++ b/cve/published/2024/CVE-2024-26989
diff --git a/cve/published/2024/CVE-2024-26989.json b/cve/published/2024/CVE-2024-26989.json
new file mode 100644
index 00000000..3ea7304a
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26989.json
@@ -0,0 +1,133 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: hibernate: Fix level3 translation fault in swsusp_save()\n\nOn arm64 machines, swsusp_save() faults if it attempts to access\nMEMBLOCK_NOMAP memory ranges. This can be reproduced in QEMU using UEFI\nwhen booting with rodata=off debug_pagealloc=off and CONFIG_KFENCE=n:\n\n Unable to handle kernel paging request at virtual address ffffff8000000000\n Mem abort info:\n ESR = 0x0000000096000007\n EC = 0x25: DABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x07: level 3 translation fault\n Data abort info:\n ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000\n CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n swapper pgtable: 4k pages, 39-bit VAs, pgdp=00000000eeb0b000\n [ffffff8000000000] pgd=180000217fff9803, p4d=180000217fff9803, pud=180000217fff9803, pmd=180000217fff8803, pte=0000000000000000\n Internal error: Oops: 0000000096000007 [#1] SMP\n Internal error: Oops: 0000000096000007 [#1] SMP\n Modules linked in: xt_multiport ipt_REJECT nf_reject_ipv4 xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c iptable_filter bpfilter rfkill at803x snd_hda_codec_hdmi snd_hda_intel snd_intel_dspcfg dwmac_generic stmmac_platform snd_hda_codec stmmac joydev pcs_xpcs snd_hda_core phylink ppdev lp parport ramoops reed_solomon ip_tables x_tables nls_iso8859_1 vfat multipath linear amdgpu amdxcp drm_exec gpu_sched drm_buddy hid_generic usbhid hid radeon video drm_suballoc_helper drm_ttm_helper ttm i2c_algo_bit drm_display_helper cec drm_kms_helper drm\n CPU: 0 PID: 3663 Comm: systemd-sleep Not tainted 6.6.2+ #76\n Source Version: 4e22ed63a0a48e7a7cff9b98b7806d8d4add7dc0\n Hardware name: Greatwall GW-XXXXXX-XXX/GW-XXXXXX-XXX, BIOS KunLun BIOS V4.0 01/19/2021\n pstate: 600003c5 (nZCv DAIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : swsusp_save+0x280/0x538\n lr : swsusp_save+0x280/0x538\n sp : ffffffa034a3fa40\n x29: 
ffffffa034a3fa40 x28: ffffff8000001000 x27: 0000000000000000\n x26: ffffff8001400000 x25: ffffffc08113e248 x24: 0000000000000000\n x23: 0000000000080000 x22: ffffffc08113e280 x21: 00000000000c69f2\n x20: ffffff8000000000 x19: ffffffc081ae2500 x18: 0000000000000000\n x17: 6666662074736420 x16: 3030303030303030 x15: 3038666666666666\n x14: 0000000000000b69 x13: ffffff9f89088530 x12: 00000000ffffffea\n x11: 00000000ffff7fff x10: 00000000ffff7fff x9 : ffffffc08193f0d0\n x8 : 00000000000bffe8 x7 : c0000000ffff7fff x6 : 0000000000000001\n x5 : ffffffa0fff09dc8 x4 : 0000000000000000 x3 : 0000000000000027\n x2 : 0000000000000000 x1 : 0000000000000000 x0 : 000000000000004e\n Call trace:\n swsusp_save+0x280/0x538\n swsusp_arch_suspend+0x148/0x190\n hibernation_snapshot+0x240/0x39c\n hibernate+0xc4/0x378\n state_store+0xf0/0x10c\n kobj_attr_store+0x14/0x24\n\nThe reason is swsusp_save() -> copy_data_pages() -> page_is_saveable()\n-> kernel_page_present() assuming that a page is always present when\ncan_set_direct_map() is false (all of rodata_full,\ndebug_pagealloc_enabled() and arm64_kfence_can_set_direct_map() false),\nirrespective of the MEMBLOCK_NOMAP ranges. Such MEMBLOCK_NOMAP regions\nshould not be saved during hibernation.\n\nThis problem was introduced by changes to the pfn_valid() logic in\ncommit a7d9f306ba70 (\"arm64: drop pfn_valid_within() and simplify\npfn_valid()\").\n\nSimilar to other architectures, drop the !can_set_direct_map() check in\nkernel_page_present() so that page_is_savable() skips such pages.\n\n[catalin.marinas@arm.com: rework commit message]"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "a7d9f306ba70",
+ "lessThan": "813f5213f2c6",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "a7d9f306ba70",
+ "lessThan": "f7e71a7cf399",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "a7d9f306ba70",
+ "lessThan": "31f815cb4360",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "a7d9f306ba70",
+ "lessThan": "022b19ebc31c",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "a7d9f306ba70",
+ "lessThan": "50449ca66cc5",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.14",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.14",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.157",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.88",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.29",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8.8",
+ "lessThanOrEqual": "6.8.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.9-rc5",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/813f5213f2c612dc800054859aaa396ec8ad7069"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/f7e71a7cf399f53ff9fc314ca3836dc913b05bd6"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/31f815cb436082e72d34ed2e8a182140a73ebdf4"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/022b19ebc31cce369c407617041a3db810db23b3"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/50449ca66cc5a8cbc64749cf4b9f3d3fc5f4b457"
+ }
+ ],
+ "title": "arm64: hibernate: Fix level3 translation fault in swsusp_save()",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26989",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
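Review bot: the "value" string of descriptions[0] appears split across two physical lines at `x29: ` / ` ffffffa034a3fa40` in the middle of the register dump; a literal newline inside a JSON string makes the file invalid, so confirm this is only a display wrap of one long line and that the committed file parses (the surrounding trace uses `\n` escapes on both sides of that point, which is what the rest of the string should look like). The remainder of the record is consistent with the mbox: introduced in 5.14 with a7d9f306ba70, and the five "lessThan" fix commits match the five entries under "references".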
diff --git a/cve/published/2024/CVE-2024-26989.mbox b/cve/published/2024/CVE-2024-26989.mbox
new file mode 100644
index 00000000..e5a39b1a
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26989.mbox
@@ -0,0 +1,129 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26989: arm64: hibernate: Fix level3 translation fault in swsusp_save()
+Message-Id: <2024050143-CVE-2024-26989-851d@gregkh>
+Content-Length: 5554
+Lines: 112
+X-Developer-Signature: v=1; a=openpgp-sha256; l=5667;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=FqO3CjLQVU6pnfZ20jklq6OkVTtxLKRsAqGpg5JPjlI=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGmGl5ufz/rL5qvw6Mauc9Lr2et4H3EsteBg38WhyNo7T
+ +TQu+spHbEsDIJMDLJiiixftvEc3V9xSNHL0PY0zBxWJpAhDFycAjCR3j6GBb1hQcXa4kGK17+a
+ JUxe/t55R8LpQoYFq9p29J/f+Wdfr0uu84lYa7WWCcyTAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+arm64: hibernate: Fix level3 translation fault in swsusp_save()
+
+On arm64 machines, swsusp_save() faults if it attempts to access
+MEMBLOCK_NOMAP memory ranges. This can be reproduced in QEMU using UEFI
+when booting with rodata=off debug_pagealloc=off and CONFIG_KFENCE=n:
+
+ Unable to handle kernel paging request at virtual address ffffff8000000000
+ Mem abort info:
+ ESR = 0x0000000096000007
+ EC = 0x25: DABT (current EL), IL = 32 bits
+ SET = 0, FnV = 0
+ EA = 0, S1PTW = 0
+ FSC = 0x07: level 3 translation fault
+ Data abort info:
+ ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000
+ CM = 0, WnR = 0, TnD = 0, TagAccess = 0
+ GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
+ swapper pgtable: 4k pages, 39-bit VAs, pgdp=00000000eeb0b000
+ [ffffff8000000000] pgd=180000217fff9803, p4d=180000217fff9803, pud=180000217fff9803, pmd=180000217fff8803, pte=0000000000000000
+ Internal error: Oops: 0000000096000007 [#1] SMP
+ Internal error: Oops: 0000000096000007 [#1] SMP
+ Modules linked in: xt_multiport ipt_REJECT nf_reject_ipv4 xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c iptable_filter bpfilter rfkill at803x snd_hda_codec_hdmi snd_hda_intel snd_intel_dspcfg dwmac_generic stmmac_platform snd_hda_codec stmmac joydev pcs_xpcs snd_hda_core phylink ppdev lp parport ramoops reed_solomon ip_tables x_tables nls_iso8859_1 vfat multipath linear amdgpu amdxcp drm_exec gpu_sched drm_buddy hid_generic usbhid hid radeon video drm_suballoc_helper drm_ttm_helper ttm i2c_algo_bit drm_display_helper cec drm_kms_helper drm
+ CPU: 0 PID: 3663 Comm: systemd-sleep Not tainted 6.6.2+ #76
+ Source Version: 4e22ed63a0a48e7a7cff9b98b7806d8d4add7dc0
+ Hardware name: Greatwall GW-XXXXXX-XXX/GW-XXXXXX-XXX, BIOS KunLun BIOS V4.0 01/19/2021
+ pstate: 600003c5 (nZCv DAIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+ pc : swsusp_save+0x280/0x538
+ lr : swsusp_save+0x280/0x538
+ sp : ffffffa034a3fa40
+ x29: ffffffa034a3fa40 x28: ffffff8000001000 x27: 0000000000000000
+ x26: ffffff8001400000 x25: ffffffc08113e248 x24: 0000000000000000
+ x23: 0000000000080000 x22: ffffffc08113e280 x21: 00000000000c69f2
+ x20: ffffff8000000000 x19: ffffffc081ae2500 x18: 0000000000000000
+ x17: 6666662074736420 x16: 3030303030303030 x15: 3038666666666666
+ x14: 0000000000000b69 x13: ffffff9f89088530 x12: 00000000ffffffea
+ x11: 00000000ffff7fff x10: 00000000ffff7fff x9 : ffffffc08193f0d0
+ x8 : 00000000000bffe8 x7 : c0000000ffff7fff x6 : 0000000000000001
+ x5 : ffffffa0fff09dc8 x4 : 0000000000000000 x3 : 0000000000000027
+ x2 : 0000000000000000 x1 : 0000000000000000 x0 : 000000000000004e
+ Call trace:
+ swsusp_save+0x280/0x538
+ swsusp_arch_suspend+0x148/0x190
+ hibernation_snapshot+0x240/0x39c
+ hibernate+0xc4/0x378
+ state_store+0xf0/0x10c
+ kobj_attr_store+0x14/0x24
+
+The reason is swsusp_save() -> copy_data_pages() -> page_is_saveable()
+-> kernel_page_present() assuming that a page is always present when
+can_set_direct_map() is false (all of rodata_full,
+debug_pagealloc_enabled() and arm64_kfence_can_set_direct_map() false),
+irrespective of the MEMBLOCK_NOMAP ranges. Such MEMBLOCK_NOMAP regions
+should not be saved during hibernation.
+
+This problem was introduced by changes to the pfn_valid() logic in
+commit a7d9f306ba70 ("arm64: drop pfn_valid_within() and simplify
+pfn_valid()").
+
+Similar to other architectures, drop the !can_set_direct_map() check in
+kernel_page_present() so that page_is_savable() skips such pages.
+
+[catalin.marinas@arm.com: rework commit message]
+
+The Linux kernel CVE team has assigned CVE-2024-26989 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.14 with commit a7d9f306ba70 and fixed in 5.15.157 with commit 813f5213f2c6
+ Issue introduced in 5.14 with commit a7d9f306ba70 and fixed in 6.1.88 with commit f7e71a7cf399
+ Issue introduced in 5.14 with commit a7d9f306ba70 and fixed in 6.6.29 with commit 31f815cb4360
+ Issue introduced in 5.14 with commit a7d9f306ba70 and fixed in 6.8.8 with commit 022b19ebc31c
+ Issue introduced in 5.14 with commit a7d9f306ba70 and fixed in 6.9-rc5 with commit 50449ca66cc5
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26989
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ arch/arm64/mm/pageattr.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/813f5213f2c612dc800054859aaa396ec8ad7069
+ https://git.kernel.org/stable/c/f7e71a7cf399f53ff9fc314ca3836dc913b05bd6
+ https://git.kernel.org/stable/c/31f815cb436082e72d34ed2e8a182140a73ebdf4
+ https://git.kernel.org/stable/c/022b19ebc31cce369c407617041a3db810db23b3
+ https://git.kernel.org/stable/c/50449ca66cc5a8cbc64749cf4b9f3d3fc5f4b457
diff --git a/cve/published/2024/CVE-2024-26989.sha1 b/cve/published/2024/CVE-2024-26989.sha1
new file mode 100644
index 00000000..6d2fb8a5
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26989.sha1
@@ -0,0 +1 @@
+50449ca66cc5a8cbc64749cf4b9f3d3fc5f4b457
diff --git a/cve/reserved/2024/CVE-2024-26990 b/cve/published/2024/CVE-2024-26990
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26990
+++ b/cve/published/2024/CVE-2024-26990
diff --git a/cve/published/2024/CVE-2024-26990.json b/cve/published/2024/CVE-2024-26990.json
new file mode 100644
index 00000000..782956f0
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26990.json
@@ -0,0 +1,103 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86/mmu: Write-protect L2 SPTEs in TDP MMU when clearing dirty status\n\nCheck kvm_mmu_page_ad_need_write_protect() when deciding whether to\nwrite-protect or clear D-bits on TDP MMU SPTEs, so that the TDP MMU\naccounts for any role-specific reasons for disabling D-bit dirty logging.\n\nSpecifically, TDP MMU SPTEs must be write-protected when the TDP MMU is\nbeing used to run an L2 (i.e. L1 has disabled EPT) and PML is enabled.\nKVM always disables PML when running L2, even when L1 and L2 GPAs are in\nthe some domain, so failing to write-protect TDP MMU SPTEs will cause\nwrites made by L2 to not be reflected in the dirty log.\n\n[sean: massage shortlog and changelog, tweak ternary op formatting]"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5982a5392663",
+ "lessThan": "cdf811a93747",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "5982a5392663",
+ "lessThan": "e20bff0f1b2d",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "5982a5392663",
+ "lessThan": "2673dfb591a3",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.4",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "6.4",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.29",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8.8",
+ "lessThanOrEqual": "6.8.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.9-rc5",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/cdf811a937471af2d1facdf8ae80e5e68096f1ed"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/e20bff0f1b2de9cfe303dd35ff46470104a87404"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/2673dfb591a359c75080dd5af3da484b89320d22"
+ }
+ ],
+ "title": "KVM: x86/mmu: Write-protect L2 SPTEs in TDP MMU when clearing dirty status",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26990",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26990.mbox b/cve/published/2024/CVE-2024-26990.mbox
new file mode 100644
index 00000000..da3818b7
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26990.mbox
@@ -0,0 +1,76 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26990: KVM: x86/mmu: Write-protect L2 SPTEs in TDP MMU when clearing dirty status
+Message-Id: <2024050143-CVE-2024-26990-0a1f@gregkh>
+Content-Length: 2414
+Lines: 59
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2474;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=rO8q7twWPzXqBaZ0iHavxZDpP/kJmPtrLAXTqEIAXYE=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGmGl5vZ/60++XdZ9dkdL4+9Wf/jlv+Hbo0ofaOMyIr4E
+ yc+vzHX6ohlYRBkYpAVU2T5so3n6P6KQ4pehranYeawMoEMYeDiFICJPDzOsGDzlOuM3Rzbsysf
+ dP7cpBG8vknoRwvDPJ3LDIt7vPh2nf986uK7oNd83xZ4nAYA
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+KVM: x86/mmu: Write-protect L2 SPTEs in TDP MMU when clearing dirty status
+
+Check kvm_mmu_page_ad_need_write_protect() when deciding whether to
+write-protect or clear D-bits on TDP MMU SPTEs, so that the TDP MMU
+accounts for any role-specific reasons for disabling D-bit dirty logging.
+
+Specifically, TDP MMU SPTEs must be write-protected when the TDP MMU is
+being used to run an L2 (i.e. L1 has disabled EPT) and PML is enabled.
+KVM always disables PML when running L2, even when L1 and L2 GPAs are in
+the some domain, so failing to write-protect TDP MMU SPTEs will cause
+writes made by L2 to not be reflected in the dirty log.
+
+[sean: massage shortlog and changelog, tweak ternary op formatting]
+
+The Linux kernel CVE team has assigned CVE-2024-26990 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 6.4 with commit 5982a5392663 and fixed in 6.6.29 with commit cdf811a93747
+ Issue introduced in 6.4 with commit 5982a5392663 and fixed in 6.8.8 with commit e20bff0f1b2d
+ Issue introduced in 6.4 with commit 5982a5392663 and fixed in 6.9-rc5 with commit 2673dfb591a3
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26990
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ arch/x86/kvm/mmu/tdp_mmu.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/cdf811a937471af2d1facdf8ae80e5e68096f1ed
+ https://git.kernel.org/stable/c/e20bff0f1b2de9cfe303dd35ff46470104a87404
+ https://git.kernel.org/stable/c/2673dfb591a359c75080dd5af3da484b89320d22
diff --git a/cve/published/2024/CVE-2024-26990.sha1 b/cve/published/2024/CVE-2024-26990.sha1
new file mode 100644
index 00000000..a2106c3d
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26990.sha1
@@ -0,0 +1 @@
+2673dfb591a359c75080dd5af3da484b89320d22
diff --git a/cve/reserved/2024/CVE-2024-26991 b/cve/published/2024/CVE-2024-26991
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26991
+++ b/cve/published/2024/CVE-2024-26991
diff --git a/cve/published/2024/CVE-2024-26991.json b/cve/published/2024/CVE-2024-26991.json
new file mode 100644
index 00000000..bdb09815
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26991.json
@@ -0,0 +1,88 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86/mmu: x86: Don't overflow lpage_info when checking attributes\n\nFix KVM_SET_MEMORY_ATTRIBUTES to not overflow lpage_info array and trigger\nKASAN splat, as seen in the private_mem_conversions_test selftest.\n\nWhen memory attributes are set on a GFN range, that range will have\nspecific properties applied to the TDP. A huge page cannot be used when\nthe attributes are inconsistent, so they are disabled for those the\nspecific huge pages. For internal KVM reasons, huge pages are also not\nallowed to span adjacent memslots regardless of whether the backing memory\ncould be mapped as huge.\n\nWhat GFNs support which huge page sizes is tracked by an array of arrays\n'lpage_info' on the memslot, of ‘kvm_lpage_info’ structs. Each index of\nlpage_info contains a vmalloc allocated array of these for a specific\nsupported page size. The kvm_lpage_info denotes whether a specific huge\npage (GFN and page size) on the memslot is supported. These arrays include\nindices for unaligned head and tail huge pages.\n\nPreventing huge pages from spanning adjacent memslot is covered by\nincrementing the count in head and tail kvm_lpage_info when the memslot is\nallocated, but disallowing huge pages for memory that has mixed attributes\nhas to be done in a more complicated way. During the\nKVM_SET_MEMORY_ATTRIBUTES ioctl KVM updates lpage_info for each memslot in\nthe range that has mismatched attributes. KVM does this a memslot at a\ntime, and marks a special bit, KVM_LPAGE_MIXED_FLAG, in the kvm_lpage_info\nfor any huge page. 
This bit is essentially a permanently elevated count.\nSo huge pages will not be mapped for the GFN at that page size if the\ncount is elevated in either case: a huge head or tail page unaligned to\nthe memslot or if KVM_LPAGE_MIXED_FLAG is set because it has mixed\nattributes.\n\nTo determine whether a huge page has consistent attributes, the\nKVM_SET_MEMORY_ATTRIBUTES operation checks an xarray to make sure it\nconsistently has the incoming attribute. Since level - 1 huge pages are\naligned to level huge pages, it employs an optimization. As long as the\nlevel - 1 huge pages are checked first, it can just check these and assume\nthat if each level - 1 huge page contained within the level sized huge\npage is not mixed, then the level size huge page is not mixed. This\noptimization happens in the helper hugepage_has_attrs().\n\nUnfortunately, although the kvm_lpage_info array representing page size\n'level' will contain an entry for an unaligned tail page of size level,\nthe array for level - 1 will not contain an entry for each GFN at page\nsize level. The level - 1 array will only contain an index for any\nunaligned region covered by level - 1 huge page size, which can be a\nsmaller region. So this causes the optimization to overflow the level - 1\nkvm_lpage_info and perform a vmalloc out of bounds read.\n\nIn some cases of head and tail pages where an overflow could happen,\ncallers skip the operation completely as KVM_LPAGE_MIXED_FLAG is not\nrequired to prevent huge pages as discussed earlier. But for memslots that\nare smaller than the 1GB page size, it does call hugepage_has_attrs(). In\nthis case the huge page is both the head and tail page. 
The issue can be\nobserved simply by compiling the kernel with CONFIG_KASAN_VMALLOC and\nrunning the selftest “private_mem_conversions_test”, which produces the\noutput like the following:\n\nBUG: KASAN: vmalloc-out-of-bounds in hugepage_has_attrs+0x7e/0x110\nRead of size 4 at addr ffffc900000a3008 by task private_mem_con/169\nCall Trace:\n dump_stack_lvl\n print_report\n ? __virt_addr_valid\n ? hugepage_has_attrs\n ? hugepage_has_attrs\n kasan_report\n ? hugepage_has_attrs\n hugepage_has_attrs\n kvm_arch_post_set_memory_attributes\n kvm_vm_ioctl\n\nIt is a little ambiguous whether the unaligned head page (in the bug case\nalso the tail page) should be expected to have KVM_LPAGE_MIXED_FLAG set.\nIt is not functionally required, as the unal\n---truncated---"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "90b4fe17981e",
+ "lessThan": "048cc4a028e6",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "90b4fe17981e",
+ "lessThan": "992b54bd083c",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.8",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "6.8",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8.8",
+ "lessThanOrEqual": "6.8.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.9-rc5",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/048cc4a028e635d339687ed968985d2d1669494c"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/992b54bd083c5bee24ff7cc35991388ab08598c4"
+ }
+ ],
+ "title": "KVM: x86/mmu: x86: Don't overflow lpage_info when checking attributes",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26991",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
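Review bot: the "value" string of descriptions[0] ends in "---truncated---", so the published CVE description stops mid-word ("as the unal") and omits the conclusion of the upstream analysis; the complete text is only reachable through the two referenced fix commits (048cc4a028e6 and 992b54bd083c). If the generator cuts at a fixed length, consider trimming at a sentence boundary or stating in the record that the description is abridged, so readers of cve.org know to follow the references for the rest. As in the other JSON records in this change, the description is displayed wrapped across three physical lines here; confirm the committed file keeps it as a single line so the JSON stays valid.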
diff --git a/cve/published/2024/CVE-2024-26991.mbox b/cve/published/2024/CVE-2024-26991.mbox
new file mode 100644
index 00000000..85d42b17
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26991.mbox
@@ -0,0 +1,140 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26991: KVM: x86/mmu: x86: Don't overflow lpage_info when checking attributes
+Message-Id: <2024050144-CVE-2024-26991-f6d3@gregkh>
+Content-Length: 5733
+Lines: 123
+X-Developer-Signature: v=1; a=openpgp-sha256; l=5857;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=BkvGr/QXjfbZeY8NAML9J28CUMenehFZpQDHErHXD+Q=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGmGl1veTP69lTPv67WsN1IJaYsedq4LW+ywa5f7JKHME
+ Enhxwe2d8SyMAgyMciKKbJ82cZzdH/FIUUvQ9vTMHNYmUCGMHBxCsBEdKwY5gdwhS+xeXG9VOdd
+ bhcPq8W1C7aNHxgWrDZ2j41g0Hi49czzlx4qtW82xa0sAwA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+KVM: x86/mmu: x86: Don't overflow lpage_info when checking attributes
+
+Fix KVM_SET_MEMORY_ATTRIBUTES to not overflow lpage_info array and trigger
+KASAN splat, as seen in the private_mem_conversions_test selftest.
+
+When memory attributes are set on a GFN range, that range will have
+specific properties applied to the TDP. A huge page cannot be used when
+the attributes are inconsistent, so they are disabled for those the
+specific huge pages. For internal KVM reasons, huge pages are also not
+allowed to span adjacent memslots regardless of whether the backing memory
+could be mapped as huge.
+
+What GFNs support which huge page sizes is tracked by an array of arrays
+'lpage_info' on the memslot, of ‘kvm_lpage_info’ structs. Each index of
+lpage_info contains a vmalloc allocated array of these for a specific
+supported page size. The kvm_lpage_info denotes whether a specific huge
+page (GFN and page size) on the memslot is supported. These arrays include
+indices for unaligned head and tail huge pages.
+
+Preventing huge pages from spanning adjacent memslot is covered by
+incrementing the count in head and tail kvm_lpage_info when the memslot is
+allocated, but disallowing huge pages for memory that has mixed attributes
+has to be done in a more complicated way. During the
+KVM_SET_MEMORY_ATTRIBUTES ioctl KVM updates lpage_info for each memslot in
+the range that has mismatched attributes. KVM does this a memslot at a
+time, and marks a special bit, KVM_LPAGE_MIXED_FLAG, in the kvm_lpage_info
+for any huge page. This bit is essentially a permanently elevated count.
+So huge pages will not be mapped for the GFN at that page size if the
+count is elevated in either case: a huge head or tail page unaligned to
+the memslot or if KVM_LPAGE_MIXED_FLAG is set because it has mixed
+attributes.
+
+To determine whether a huge page has consistent attributes, the
+KVM_SET_MEMORY_ATTRIBUTES operation checks an xarray to make sure it
+consistently has the incoming attribute. Since level - 1 huge pages are
+aligned to level huge pages, it employs an optimization. As long as the
+level - 1 huge pages are checked first, it can just check these and assume
+that if each level - 1 huge page contained within the level sized huge
+page is not mixed, then the level size huge page is not mixed. This
+optimization happens in the helper hugepage_has_attrs().
+
+Unfortunately, although the kvm_lpage_info array representing page size
+'level' will contain an entry for an unaligned tail page of size level,
+the array for level - 1 will not contain an entry for each GFN at page
+size level. The level - 1 array will only contain an index for any
+unaligned region covered by level - 1 huge page size, which can be a
+smaller region. So this causes the optimization to overflow the level - 1
+kvm_lpage_info and perform a vmalloc out of bounds read.
+
+In some cases of head and tail pages where an overflow could happen,
+callers skip the operation completely as KVM_LPAGE_MIXED_FLAG is not
+required to prevent huge pages as discussed earlier. But for memslots that
+are smaller than the 1GB page size, it does call hugepage_has_attrs(). In
+this case the huge page is both the head and tail page. The issue can be
+observed simply by compiling the kernel with CONFIG_KASAN_VMALLOC and
+running the selftest “private_mem_conversions_test”, which produces the
+output like the following:
+
+BUG: KASAN: vmalloc-out-of-bounds in hugepage_has_attrs+0x7e/0x110
+Read of size 4 at addr ffffc900000a3008 by task private_mem_con/169
+Call Trace:
+ dump_stack_lvl
+ print_report
+ ? __virt_addr_valid
+ ? hugepage_has_attrs
+ ? hugepage_has_attrs
+ kasan_report
+ ? hugepage_has_attrs
+ hugepage_has_attrs
+ kvm_arch_post_set_memory_attributes
+ kvm_vm_ioctl
+
+It is a little ambiguous whether the unaligned head page (in the bug case
+also the tail page) should be expected to have KVM_LPAGE_MIXED_FLAG set.
+It is not functionally required, as the unaligned head/tail pages will
+already have their kvm_lpage_info count incremented. The comments imply
+not setting it on unaligned head pages is intentional, so fix the callers
+to skip trying to set KVM_LPAGE_MIXED_FLAG in this case, and in doing so
+not call hugepage_has_attrs().
+
+The Linux kernel CVE team has assigned CVE-2024-26991 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 6.8 with commit 90b4fe17981e and fixed in 6.8.8 with commit 048cc4a028e6
+ Issue introduced in 6.8 with commit 90b4fe17981e and fixed in 6.9-rc5 with commit 992b54bd083c
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26991
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ arch/x86/kvm/mmu/mmu.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/048cc4a028e635d339687ed968985d2d1669494c
+ https://git.kernel.org/stable/c/992b54bd083c5bee24ff7cc35991388ab08598c4
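Review bot: the Description establishes that the vmalloc out-of-bounds read in hugepage_has_attrs() is reachable from the KVM_SET_MEMORY_ATTRIBUTES ioctl (the KASAN trace ends in kvm_vm_ioctl) but never states what the misread kvm_lpage_info value is used for, i.e. whether a stray read only mis-sizes a huge page decision or can crash the host; one sentence on the consequence of the bad read would make triage and severity assessment easier for readers who only see this advisory.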
diff --git a/cve/published/2024/CVE-2024-26991.sha1 b/cve/published/2024/CVE-2024-26991.sha1
new file mode 100644
index 00000000..e19039cb
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26991.sha1
@@ -0,0 +1 @@
+992b54bd083c5bee24ff7cc35991388ab08598c4
diff --git a/cve/reserved/2024/CVE-2024-26992 b/cve/published/2024/CVE-2024-26992
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26992
+++ b/cve/published/2024/CVE-2024-26992
diff --git a/cve/published/2024/CVE-2024-26992.json b/cve/published/2024/CVE-2024-26992.json
new file mode 100644
index 00000000..812893ed
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26992.json
@@ -0,0 +1,118 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86/pmu: Disable support for adaptive PEBS\n\nDrop support for virtualizing adaptive PEBS, as KVM's implementation is\narchitecturally broken without an obvious/easy path forward, and because\nexposing adaptive PEBS can leak host LBRs to the guest, i.e. can leak\nhost kernel addresses to the guest.\n\nBug #1 is that KVM doesn't account for the upper 32 bits of\nIA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.g\nfixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()\nstores local variables as u8s and truncates the upper bits too, etc.\n\nBug #2 is that, because KVM _always_ sets precise_ip to a non-zero value\nfor PEBS events, perf will _always_ generate an adaptive record, even if\nthe guest requested a basic record. Note, KVM will also enable adaptive\nPEBS in individual *counter*, even if adaptive PEBS isn't exposed to the\nguest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,\ni.e. the guest will only ever see Basic records.\n\nBug #3 is in perf. intel_pmu_disable_fixed() doesn't clear the upper\nbits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, and\nintel_pmu_enable_fixed() effectively doesn't clear ICL_FIXED_0_ADAPTIVE\neither. I.e. perf _always_ enables ADAPTIVE counters, regardless of what\nKVM requests.\n\nBug #4 is that adaptive PEBS *might* effectively bypass event filters set\nby the host, as \"Updated Memory Access Info Group\" records information\nthat might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.\n\nBug #5 is that KVM doesn't ensure LBR MSRs hold guest values (or at least\nzeros) when entering a vCPU with adaptive PEBS, which allows the guest\nto read host LBRs, i.e. host RIPs/addresses, by enabling \"LBR Entries\"\nrecords.\n\nDisable adaptive PEBS support as an immediate fix due to the severity of\nthe LBR leak in particular, and because fixing all of the bugs will be\nnon-trivial, e.g. 
not suitable for backporting to stable kernels.\n\nNote! This will break live migration, but trying to make KVM play nice\nwith live migration would be quite complicated, wouldn't be guaranteed to\nwork (i.e. KVM might still kill/confuse the guest), and it's not clear\nthat there are any publicly available VMMs that support adaptive PEBS,\nlet alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn't\nsupport PEBS in any capacity."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "c59a1f106f5c",
+ "lessThan": "0fb74c00d140",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "c59a1f106f5c",
+ "lessThan": "037e48ceccf1",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "c59a1f106f5c",
+ "lessThan": "7a7650b3ac23",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "c59a1f106f5c",
+ "lessThan": "9e985cbf2942",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.0",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "6.0",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.88",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.29",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8.8",
+ "lessThanOrEqual": "6.8.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.9-rc5",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/0fb74c00d140a66128afc0003785dcc57e69d312"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/037e48ceccf163899374b601afb6ae8d0bf1d2ac"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/7a7650b3ac23e5fc8c990f00e94f787dc84e3175"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/9e985cbf2942a1bb8fcef9adc2a17d90fd7ca8ee"
+ }
+ ],
+ "title": "KVM: x86/pmu: Disable support for adaptive PEBS",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26992",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
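Review bot: the "value" string of the description appears split across two lines in this rendering (the first ending in "e.g. " and the second resuming with "not suitable for backporting"); a literal line break inside a JSON string would make the record invalid, but the hunk header's +118 count only adds up if this is one physical line, so it is display wrapping rather than a defect. Worth confirming with a JSON parser before publishing, since the record is consumed by automated tooling.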
diff --git a/cve/published/2024/CVE-2024-26992.mbox b/cve/published/2024/CVE-2024-26992.mbox
new file mode 100644
index 00000000..b6e242a0
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26992.mbox
@@ -0,0 +1,109 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26992: KVM: x86/pmu: Disable support for adaptive PEBS
+Message-Id: <2024050144-CVE-2024-26992-4f0e@gregkh>
+Content-Length: 4184
+Lines: 92
+X-Developer-Signature: v=1; a=openpgp-sha256; l=4277;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=McnO0WQDE9oY+4Cv6uFPnnuHPkVznOs1z/hofdjyWuw=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGmGl1sYb26dH/27xfrRrxUzPS1m5K648ET4o7mykEzI9
+ ntKC++e7IhlYRBkYpAVU2T5so3n6P6KQ4pehranYeawMoEMYeDiFICJzEtlWLCXy6fLYj3LqkVS
+ 59MCNnMzzHHatIFhwaGMXSVyBnNWTg7NvzfhSsukN1O5KgA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+KVM: x86/pmu: Disable support for adaptive PEBS
+
+Drop support for virtualizing adaptive PEBS, as KVM's implementation is
+architecturally broken without an obvious/easy path forward, and because
+exposing adaptive PEBS can leak host LBRs to the guest, i.e. can leak
+host kernel addresses to the guest.
+
+Bug #1 is that KVM doesn't account for the upper 32 bits of
+IA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.g
+fixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()
+stores local variables as u8s and truncates the upper bits too, etc.
+
+Bug #2 is that, because KVM _always_ sets precise_ip to a non-zero value
+for PEBS events, perf will _always_ generate an adaptive record, even if
+the guest requested a basic record. Note, KVM will also enable adaptive
+PEBS in individual *counter*, even if adaptive PEBS isn't exposed to the
+guest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,
+i.e. the guest will only ever see Basic records.
+
+Bug #3 is in perf. intel_pmu_disable_fixed() doesn't clear the upper
+bits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, and
+intel_pmu_enable_fixed() effectively doesn't clear ICL_FIXED_0_ADAPTIVE
+either. I.e. perf _always_ enables ADAPTIVE counters, regardless of what
+KVM requests.
+
+Bug #4 is that adaptive PEBS *might* effectively bypass event filters set
+by the host, as "Updated Memory Access Info Group" records information
+that might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.
+
+Bug #5 is that KVM doesn't ensure LBR MSRs hold guest values (or at least
+zeros) when entering a vCPU with adaptive PEBS, which allows the guest
+to read host LBRs, i.e. host RIPs/addresses, by enabling "LBR Entries"
+records.
+
+Disable adaptive PEBS support as an immediate fix due to the severity of
+the LBR leak in particular, and because fixing all of the bugs will be
+non-trivial, e.g. not suitable for backporting to stable kernels.
+
+Note! This will break live migration, but trying to make KVM play nice
+with live migration would be quite complicated, wouldn't be guaranteed to
+work (i.e. KVM might still kill/confuse the guest), and it's not clear
+that there are any publicly available VMMs that support adaptive PEBS,
+let alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn't
+support PEBS in any capacity.
+
+The Linux kernel CVE team has assigned CVE-2024-26992 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 6.0 with commit c59a1f106f5c and fixed in 6.1.88 with commit 0fb74c00d140
+ Issue introduced in 6.0 with commit c59a1f106f5c and fixed in 6.6.29 with commit 037e48ceccf1
+ Issue introduced in 6.0 with commit c59a1f106f5c and fixed in 6.8.8 with commit 7a7650b3ac23
+ Issue introduced in 6.0 with commit c59a1f106f5c and fixed in 6.9-rc5 with commit 9e985cbf2942
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26992
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ arch/x86/kvm/vmx/vmx.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/0fb74c00d140a66128afc0003785dcc57e69d312
+ https://git.kernel.org/stable/c/037e48ceccf163899374b601afb6ae8d0bf1d2ac
+ https://git.kernel.org/stable/c/7a7650b3ac23e5fc8c990f00e94f787dc84e3175
+ https://git.kernel.org/stable/c/9e985cbf2942a1bb8fcef9adc2a17d90fd7ca8ee
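Review bot: the Mitigation section carries only the generic "update to the latest stable kernel" advice, while the "Note!" paragraph in the Description states that this fix breaks live migration for guests that had adaptive PEBS exposed. A deployer reading only the Mitigation section would miss that applying the update has an operational side effect; consider pointing to that paragraph from the Mitigation text, since the advisory is otherwise templated.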
diff --git a/cve/published/2024/CVE-2024-26992.sha1 b/cve/published/2024/CVE-2024-26992.sha1
new file mode 100644
index 00000000..b96b6d7d
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26992.sha1
@@ -0,0 +1 @@
+9e985cbf2942a1bb8fcef9adc2a17d90fd7ca8ee
diff --git a/cve/reserved/2024/CVE-2024-26993 b/cve/published/2024/CVE-2024-26993
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26993
+++ b/cve/published/2024/CVE-2024-26993
diff --git a/cve/published/2024/CVE-2024-26993.json b/cve/published/2024/CVE-2024-26993.json
new file mode 100644
index 00000000..55f64a9e
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26993.json
@@ -0,0 +1,133 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: sysfs: Fix reference leak in sysfs_break_active_protection()\n\nThe sysfs_break_active_protection() routine has an obvious reference\nleak in its error path. If the call to kernfs_find_and_get() fails then\nkn will be NULL, so the companion sysfs_unbreak_active_protection()\nroutine won't get called (and would only cause an access violation by\ntrying to dereference kn->parent if it was called). As a result, the\nreference to kobj acquired at the start of the function will never be\nreleased.\n\nFix the leak by adding an explicit kobject_put() call when kn is NULL."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "2afc9166f79b",
+ "lessThan": "43f00210cb25",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "2afc9166f79b",
+ "lessThan": "5d43e072285e",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "2afc9166f79b",
+ "lessThan": "ac107356aabc",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "2afc9166f79b",
+ "lessThan": "a4c99b57d43b",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "2afc9166f79b",
+ "lessThan": "a90bca2228c0",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "4.19",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "4.19",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.157",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.88",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.29",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8.8",
+ "lessThanOrEqual": "6.8.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.9-rc5",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/43f00210cb257bcb0387e8caeb4b46375d67f30c"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/5d43e072285e81b0b63cee7189b3357c7768a43b"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/ac107356aabc362aaeb77463e814fc067a5d3957"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/a4c99b57d43bab45225ba92d574a8683f9edc8e4"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/a90bca2228c0646fc29a72689d308e5fe03e6d78"
+ }
+ ],
+ "title": "fs: sysfs: Fix reference leak in sysfs_break_active_protection()",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26993",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26993.mbox b/cve/published/2024/CVE-2024-26993.mbox
new file mode 100644
index 00000000..9b5d4691
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26993.mbox
@@ -0,0 +1,84 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26993: fs: sysfs: Fix reference leak in sysfs_break_active_protection()
+Message-Id: <2024050144-CVE-2024-26993-fe52@gregkh>
+Content-Length: 2942
+Lines: 67
+X-Developer-Signature: v=1; a=openpgp-sha256; l=3010;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=6jUZn9WwVrs5PgQj77ln2yQyf5ZPTraUCtJ9vRw1s3U=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGmGl1s2KYa/yNo62dzo5QHRlH3GkmsPp9Us8/Rhud6R/
+ kt48y7ujlgWBkEmBlkxRZYv23iO7q84pOhlaHsaZg4rE8gQBi5OAZhIdRTDglmxrQqn2yZ+OM/9
+ qHf5sa6rzz76P2RYcCryGZ+i2qsJH6Tnfzn090FxabN9AwA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+fs: sysfs: Fix reference leak in sysfs_break_active_protection()
+
+The sysfs_break_active_protection() routine has an obvious reference
+leak in its error path. If the call to kernfs_find_and_get() fails then
+kn will be NULL, so the companion sysfs_unbreak_active_protection()
+routine won't get called (and would only cause an access violation by
+trying to dereference kn->parent if it was called). As a result, the
+reference to kobj acquired at the start of the function will never be
+released.
+
+Fix the leak by adding an explicit kobject_put() call when kn is NULL.
+
+The Linux kernel CVE team has assigned CVE-2024-26993 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 4.19 with commit 2afc9166f79b and fixed in 5.15.157 with commit 43f00210cb25
+ Issue introduced in 4.19 with commit 2afc9166f79b and fixed in 6.1.88 with commit 5d43e072285e
+ Issue introduced in 4.19 with commit 2afc9166f79b and fixed in 6.6.29 with commit ac107356aabc
+ Issue introduced in 4.19 with commit 2afc9166f79b and fixed in 6.8.8 with commit a4c99b57d43b
+ Issue introduced in 4.19 with commit 2afc9166f79b and fixed in 6.9-rc5 with commit a90bca2228c0
+ Issue introduced in 3.16.62 with commit e8a37b2fd5b5
+ Issue introduced in 3.18.121 with commit a6abc93760dd
+ Issue introduced in 4.4.154 with commit 461a6385e58e
+ Issue introduced in 4.9.125 with commit 8a5e02a0f46e
+ Issue introduced in 4.14.68 with commit c984f4d1d40a
+ Issue introduced in 4.18.6 with commit 807d1d299a04
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26993
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ fs/sysfs/file.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/43f00210cb257bcb0387e8caeb4b46375d67f30c
+ https://git.kernel.org/stable/c/5d43e072285e81b0b63cee7189b3357c7768a43b
+ https://git.kernel.org/stable/c/ac107356aabc362aaeb77463e814fc067a5d3957
+ https://git.kernel.org/stable/c/a4c99b57d43bab45225ba92d574a8683f9edc8e4
+ https://git.kernel.org/stable/c/a90bca2228c0646fc29a72689d308e5fe03e6d78
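Review bot: the version data is internally inconsistent. The "Affected and fixed versions" list says the introducing commit 2afc9166f79b was backported to 3.16.62, 3.18.121, 4.4.154, 4.9.125, 4.14.68 and 4.18.6, yet the JSON record in the preceding hunk marks everything below 4.19 as unaffected ("version": "0", "lessThan": "4.19", "status": "unaffected"). Either the custom range should start at the earliest stable release that received the backport, or those backport entries need their own affected ranges; as written, a consumer of the JSON would conclude that a 4.14.68 or 4.18.6 kernel is clean, and the six "Issue introduced in" lines also list no fixed version at all.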
diff --git a/cve/published/2024/CVE-2024-26993.sha1 b/cve/published/2024/CVE-2024-26993.sha1
new file mode 100644
index 00000000..71886f0f
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26993.sha1
@@ -0,0 +1 @@
+a90bca2228c0646fc29a72689d308e5fe03e6d78
diff --git a/cve/reserved/2024/CVE-2024-26994 b/cve/published/2024/CVE-2024-26994
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26994
+++ b/cve/published/2024/CVE-2024-26994
diff --git a/cve/published/2024/CVE-2024-26994.json b/cve/published/2024/CVE-2024-26994.json
new file mode 100644
index 00000000..5dff62b1
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26994.json
@@ -0,0 +1,133 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspeakup: Avoid crash on very long word\n\nIn case a console is set up really large and contains a really long word\n(> 256 characters), we have to stop before the length of the word buffer."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "c6e3fd22cd53",
+ "lessThan": "0d130158db29",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "c6e3fd22cd53",
+ "lessThan": "89af25bd4b4b",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "c6e3fd22cd53",
+ "lessThan": "8defb1d22ba0",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "c6e3fd22cd53",
+ "lessThan": "0efb15c14c49",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "c6e3fd22cd53",
+ "lessThan": "c8d2f34ea96e",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "2.6.37",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "2.6.37",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.157",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.88",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.29",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8.8",
+ "lessThanOrEqual": "6.8.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.9-rc5",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/0d130158db29f5e0b3893154908cf618896450a8"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/89af25bd4b4bf6a71295f07e07a8ae7dc03c6595"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/8defb1d22ba0395b81feb963b96e252b097ba76f"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/0efb15c14c493263cb3a5f65f5ddfd4603d19a76"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/c8d2f34ea96ea3bce6ba2535f867f0d4ee3b22e1"
+ }
+ ],
+ "title": "speakup: Avoid crash on very long word",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26994",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26994.mbox b/cve/published/2024/CVE-2024-26994.mbox
new file mode 100644
index 00000000..166012e1
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26994.mbox
@@ -0,0 +1,71 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26994: speakup: Avoid crash on very long word
+Message-Id: <2024050144-CVE-2024-26994-43c6@gregkh>
+Content-Length: 2268
+Lines: 54
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2323;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=mMHkeHNFM8aFZkXwKCb9/lme8aPSUzy/RQIx2XJ6qRY=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGmGl1vyVXaYnp50+V9uXazz5SVR/39uzv65qEq2zNio7
+ CPHxWUJHbEsDIJMDLJiiixftvEc3V9xSNHL0PY0zBxWJpAhDFycAjCRfk2GubJP3+go3d0rpqQZ
+ FBSZIdPX6y4/m2HB0v3crwtVJ7W0enMF/FuxZKqTzjpuAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+speakup: Avoid crash on very long word
+
+In case a console is set up really large and contains a really long word
+(> 256 characters), we have to stop before the length of the word buffer.
+
+The Linux kernel CVE team has assigned CVE-2024-26994 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 2.6.37 with commit c6e3fd22cd53 and fixed in 5.15.157 with commit 0d130158db29
+ Issue introduced in 2.6.37 with commit c6e3fd22cd53 and fixed in 6.1.88 with commit 89af25bd4b4b
+ Issue introduced in 2.6.37 with commit c6e3fd22cd53 and fixed in 6.6.29 with commit 8defb1d22ba0
+ Issue introduced in 2.6.37 with commit c6e3fd22cd53 and fixed in 6.8.8 with commit 0efb15c14c49
+ Issue introduced in 2.6.37 with commit c6e3fd22cd53 and fixed in 6.9-rc5 with commit c8d2f34ea96e
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26994
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/accessibility/speakup/main.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/0d130158db29f5e0b3893154908cf618896450a8
+ https://git.kernel.org/stable/c/89af25bd4b4bf6a71295f07e07a8ae7dc03c6595
+ https://git.kernel.org/stable/c/8defb1d22ba0395b81feb963b96e252b097ba76f
+ https://git.kernel.org/stable/c/0efb15c14c493263cb3a5f65f5ddfd4603d19a76
+ https://git.kernel.org/stable/c/c8d2f34ea96ea3bce6ba2535f867f0d4ee3b22e1
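Review bot: the Description is too terse to assess severity. It says the code "has to stop before the length of the word buffer" for words longer than 256 characters but never states what happens otherwise (the wording implies the word buffer is overrun), whether the overrun is a read or a write, or who controls the console contents that form the word; since the title calls the outcome a crash, spelling out the failure mode would let readers decide how urgently to pick up the fix.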
diff --git a/cve/published/2024/CVE-2024-26994.sha1 b/cve/published/2024/CVE-2024-26994.sha1
new file mode 100644
index 00000000..22b2202e
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26994.sha1
@@ -0,0 +1 @@
+c8d2f34ea96ea3bce6ba2535f867f0d4ee3b22e1
diff --git a/cve/reserved/2024/CVE-2024-26995 b/cve/published/2024/CVE-2024-26995
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26995
+++ b/cve/published/2024/CVE-2024-26995
diff --git a/cve/published/2024/CVE-2024-26995.json b/cve/published/2024/CVE-2024-26995.json
new file mode 100644
index 00000000..de6542bc
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26995.json
@@ -0,0 +1,88 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: tcpm: Correct the PDO counting in pd_set\n\nOff-by-one errors happen because nr_snk_pdo and nr_src_pdo are\nincorrectly added one. The index of the loop is equal to the number of\nPDOs to be updated when leaving the loop and it doesn't need to be added\none.\n\nWhen doing the power negotiation, TCPM relies on the \"nr_snk_pdo\" as\nthe size of the local sink PDO array to match the Source capabilities\nof the partner port. If the off-by-one overflow occurs, a wrong RDO\nmight be sent and unexpected power transfer might happen such as over\nvoltage or over current (than expected).\n\n\"nr_src_pdo\" is used to set the Rp level when the port is in Source\nrole. It is also the array size of the local Source capabilities when\nfilling up the buffer which will be sent as the Source PDOs (such as\nin Power Negotiation). If the off-by-one overflow occurs, a wrong Rp\nlevel might be set and wrong Source PDOs will be sent to the partner\nport. This could potentially cause over current or port resets."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "cd099cde4ed2",
+ "lessThan": "f3da3192cdd3",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "cd099cde4ed2",
+ "lessThan": "c4128304c216",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.8",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "6.8",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8.8",
+ "lessThanOrEqual": "6.8.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.9-rc5",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/f3da3192cdd3fefe213390e976eec424a8e270b5"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/c4128304c2169b4664ed6fb6200f228cead2ab70"
+ }
+ ],
+ "title": "usb: typec: tcpm: Correct the PDO counting in pd_set",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26995",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26995.mbox b/cve/published/2024/CVE-2024-26995.mbox
new file mode 100644
index 00000000..9493aeea
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26995.mbox
@@ -0,0 +1,80 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26995: usb: typec: tcpm: Correct the PDO counting in pd_set
+Message-Id: <2024050144-CVE-2024-26995-ac9b@gregkh>
+Content-Length: 2545
+Lines: 63
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2609;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=ifNAGJknjCqoAQlh0LxNcPCtOjbx9gC2ShNjTIEdl6c=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGmGl1tjp0sfODSdW9043cMnVHqjwRudaiW/co/rMtLqu
+ 4VKI0U7YlkYBJkYZMUUWb5s4zm6v+KQopeh7WmYOaxMIEMYuDgFYCLOPxkWLNll6+H4+ZpewWFR
+ 5geetkkTWmvCGeYK338TWlS9fraY83amE/IeAbXaZlsA
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+usb: typec: tcpm: Correct the PDO counting in pd_set
+
+Off-by-one errors happen because nr_snk_pdo and nr_src_pdo are
+incorrectly added one. The index of the loop is equal to the number of
+PDOs to be updated when leaving the loop and it doesn't need to be added
+one.
+
+When doing the power negotiation, TCPM relies on the "nr_snk_pdo" as
+the size of the local sink PDO array to match the Source capabilities
+of the partner port. If the off-by-one overflow occurs, a wrong RDO
+might be sent and unexpected power transfer might happen such as over
+voltage or over current (than expected).
+
+"nr_src_pdo" is used to set the Rp level when the port is in Source
+role. It is also the array size of the local Source capabilities when
+filling up the buffer which will be sent as the Source PDOs (such as
+in Power Negotiation). If the off-by-one overflow occurs, a wrong Rp
+level might be set and wrong Source PDOs will be sent to the partner
+port. This could potentially cause over current or port resets.
+
+The Linux kernel CVE team has assigned CVE-2024-26995 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 6.8 with commit cd099cde4ed2 and fixed in 6.8.8 with commit f3da3192cdd3
+ Issue introduced in 6.8 with commit cd099cde4ed2 and fixed in 6.9-rc5 with commit c4128304c216
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26995
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/usb/typec/tcpm/tcpm.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/f3da3192cdd3fefe213390e976eec424a8e270b5
+ https://git.kernel.org/stable/c/c4128304c2169b4664ed6fb6200f228cead2ab70
diff --git a/cve/published/2024/CVE-2024-26995.sha1 b/cve/published/2024/CVE-2024-26995.sha1
new file mode 100644
index 00000000..0cce1419
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26995.sha1
@@ -0,0 +1 @@
+c4128304c2169b4664ed6fb6200f228cead2ab70
diff --git a/cve/reserved/2024/CVE-2024-26996 b/cve/published/2024/CVE-2024-26996
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26996
+++ b/cve/published/2024/CVE-2024-26996
diff --git a/cve/published/2024/CVE-2024-26996.json b/cve/published/2024/CVE-2024-26996.json
new file mode 100644
index 00000000..b8218416
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26996.json
@@ -0,0 +1,123 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error\n\nWhen ncm function is working and then stop usb0 interface for link down,\neth_stop() is called. At this piont, accidentally if usb transport error\nshould happen in usb_ep_enable(), 'in_ep' and/or 'out_ep' may not be enabled.\n\nAfter that, ncm_disable() is called to disable for ncm unbind\nbut gether_disconnect() is never called since 'in_ep' is not enabled.\n\nAs the result, ncm object is released in ncm unbind\nbut 'dev->port_usb' associated to 'ncm->port' is not NULL.\n\nAnd when ncm bind again to recover netdev, ncm object is reallocated\nbut usb0 interface is already associated to previous released ncm object.\n\nTherefore, once usb0 interface is up and eth_start_xmit() is called,\nreleased ncm object is dereferrenced and it might cause use-after-free memory.\n\n[function unlink via configfs]\n usb0: eth_stop dev->port_usb=ffffff9b179c3200\n --> error happens in usb_ep_enable().\n NCM: ncm_disable: ncm=ffffff9b179c3200\n --> no gether_disconnect() since ncm->port.in_ep->enabled is false.\n NCM: ncm_unbind: ncm unbind ncm=ffffff9b179c3200\n NCM: ncm_free: ncm free ncm=ffffff9b179c3200 <-- released ncm\n\n[function link via configfs]\n NCM: ncm_alloc: ncm alloc ncm=ffffff9ac4f8a000\n NCM: ncm_bind: ncm bind ncm=ffffff9ac4f8a000\n NCM: ncm_set_alt: ncm=ffffff9ac4f8a000 alt=0\n usb0: eth_open dev->port_usb=ffffff9b179c3200 <-- previous released ncm\n usb0: eth_start dev->port_usb=ffffff9b179c3200 <--\n eth_start_xmit()\n --> dev->wrap()\n Unable to handle kernel paging request at virtual address dead00000000014f\n\nThis patch addresses the issue by checking if 'ncm->netdev' is not NULL at\nncm_disable() to call gether_disconnect() to deassociate 'dev->port_usb'.\nIt's more reasonable to check 'ncm->netdev' to call gether_connect/disconnect\nrather than check 'ncm->port.in_ep->enabled' since it might 
not be enabled\nbut the gether connection might be established."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "7f67c2020cb0",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "0588bbbd718a",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "f356fd0cbd9c",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "7250326cbb1f",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "6334b8e4553c",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.15.157",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.88",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.29",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8.8",
+ "lessThanOrEqual": "6.8.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.9-rc5",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/7f67c2020cb08499c400abf0fc32c65e4d9a09ca"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/0588bbbd718a8130b98c54518f1e0b569ce60a93"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/f356fd0cbd9c9cbd0854657a80d1608d0d732db3"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/7250326cbb1f4f90391ac511a126b936cefb5bb7"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/6334b8e4553cc69f51e383c9de545082213d785e"
+ }
+ ],
+ "title": "usb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26996",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
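Review bot: the descriptions[0].value string breaks onto a second physical line between "since it might" and "not be enabled"; a raw line break inside a JSON string literal is invalid, so confirm the generated file carries it on one line (the @@ -0,0 +1,123 @@ count matches the file only if those two lines are one, which points to a display wrap rather than a real newline in the committed file). Separately, all five git ranges start at 1da177e4c3f4 yet the version block opens directly with the "5.15.157" unaffected entry, whereas CVE-2024-26999.json in this same commit emits the "2.6.12" affected / "0" lessThan "2.6.12" unaffected pair for the same introducing commit; emit the pair here too, or drop it there, so records from the same bippy run stay uniform.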
diff --git a/cve/published/2024/CVE-2024-26996.mbox b/cve/published/2024/CVE-2024-26996.mbox
new file mode 100644
index 00000000..5967d88d
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26996.mbox
@@ -0,0 +1,108 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26996: usb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error
+Message-Id: <2024050145-CVE-2024-26996-ff2f@gregkh>
+Content-Length: 3756
+Lines: 91
+X-Developer-Signature: v=1; a=openpgp-sha256; l=3848;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=jdy60trmXLXc0dclz+LDOGcpfesFRSSatYH0jgHoxZQ=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGmGl1s/Tjv6Km+l4CqP4+0S+ocjtX0MIpP/emaILb7x6
+ 67J5XzFjlgWBkEmBlkxRZYv23iO7q84pOhlaHsaZg4rE8gQBi5OAZjIjW6G+ZE/7eKzM+UY5tjn
+ 1+1VTJMRbD84l2F+cfPeuq9+d2Kzm8peXWAyi9YJk28GAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+usb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error
+
+When ncm function is working and then stop usb0 interface for link down,
+eth_stop() is called. At this piont, accidentally if usb transport error
+should happen in usb_ep_enable(), 'in_ep' and/or 'out_ep' may not be enabled.
+
+After that, ncm_disable() is called to disable for ncm unbind
+but gether_disconnect() is never called since 'in_ep' is not enabled.
+
+As the result, ncm object is released in ncm unbind
+but 'dev->port_usb' associated to 'ncm->port' is not NULL.
+
+And when ncm bind again to recover netdev, ncm object is reallocated
+but usb0 interface is already associated to previous released ncm object.
+
+Therefore, once usb0 interface is up and eth_start_xmit() is called,
+released ncm object is dereferrenced and it might cause use-after-free memory.
+
+[function unlink via configfs]
+ usb0: eth_stop dev->port_usb=ffffff9b179c3200
+ --> error happens in usb_ep_enable().
+ NCM: ncm_disable: ncm=ffffff9b179c3200
+ --> no gether_disconnect() since ncm->port.in_ep->enabled is false.
+ NCM: ncm_unbind: ncm unbind ncm=ffffff9b179c3200
+ NCM: ncm_free: ncm free ncm=ffffff9b179c3200 <-- released ncm
+
+[function link via configfs]
+ NCM: ncm_alloc: ncm alloc ncm=ffffff9ac4f8a000
+ NCM: ncm_bind: ncm bind ncm=ffffff9ac4f8a000
+ NCM: ncm_set_alt: ncm=ffffff9ac4f8a000 alt=0
+ usb0: eth_open dev->port_usb=ffffff9b179c3200 <-- previous released ncm
+ usb0: eth_start dev->port_usb=ffffff9b179c3200 <--
+ eth_start_xmit()
+ --> dev->wrap()
+ Unable to handle kernel paging request at virtual address dead00000000014f
+
+This patch addresses the issue by checking if 'ncm->netdev' is not NULL at
+ncm_disable() to call gether_disconnect() to deassociate 'dev->port_usb'.
+It's more reasonable to check 'ncm->netdev' to call gether_connect/disconnect
+rather than check 'ncm->port.in_ep->enabled' since it might not be enabled
+but the gether connection might be established.
+
+The Linux kernel CVE team has assigned CVE-2024-26996 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 5.15.157 with commit 7f67c2020cb0
+ Fixed in 6.1.88 with commit 0588bbbd718a
+ Fixed in 6.6.29 with commit f356fd0cbd9c
+ Fixed in 6.8.8 with commit 7250326cbb1f
+ Fixed in 6.9-rc5 with commit 6334b8e4553c
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26996
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/usb/gadget/function/f_ncm.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/7f67c2020cb08499c400abf0fc32c65e4d9a09ca
+ https://git.kernel.org/stable/c/0588bbbd718a8130b98c54518f1e0b569ce60a93
+ https://git.kernel.org/stable/c/f356fd0cbd9c9cbd0854657a80d1608d0d732db3
+ https://git.kernel.org/stable/c/7250326cbb1f4f90391ac511a126b936cefb5bb7
+ https://git.kernel.org/stable/c/6334b8e4553cc69f51e383c9de545082213d785e
diff --git a/cve/published/2024/CVE-2024-26996.sha1 b/cve/published/2024/CVE-2024-26996.sha1
new file mode 100644
index 00000000..3e8fe38f
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26996.sha1
@@ -0,0 +1 @@
+6334b8e4553cc69f51e383c9de545082213d785e
diff --git a/cve/reserved/2024/CVE-2024-26997 b/cve/published/2024/CVE-2024-26997
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26997
+++ b/cve/published/2024/CVE-2024-26997
diff --git a/cve/published/2024/CVE-2024-26997.json b/cve/published/2024/CVE-2024-26997.json
new file mode 100644
index 00000000..ea48c5a8
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26997.json
@@ -0,0 +1,133 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc2: host: Fix dereference issue in DDMA completion flow.\n\nFixed variable dereference issue in DDMA completion flow."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "32d3f2f108eb",
+ "lessThan": "8aa5c28ac65c",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "bc48eb1b53ce",
+ "lessThan": "9de10b59d168",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "8d310e5d702c",
+ "lessThan": "8a139fa44870",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "8b7c57ab6f6b",
+ "lessThan": "55656b2afd5f",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "b258e4268850",
+ "lessThan": "eed04fa96c48",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.9-rc2",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "6.9-rc2",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.157",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.88",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.29",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8.8",
+ "lessThanOrEqual": "6.8.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.9-rc5",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/8aa5c28ac65cb5e7f1b9c0c3238c00b661dd2b8c"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/9de10b59d16880a0a3ae2876c142fe54ce45d816"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/8a139fa44870e84ac228b7b76423a49610e5ba9a"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/55656b2afd5f1efcec4245f3e7e814c2a9ef53f6"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/eed04fa96c48790c1cce73c8a248e9d460b088f8"
+ }
+ ],
+ "title": "usb: dwc2: host: Fix dereference issue in DDMA completion flow.",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26997",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
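Review bot: the "0" lessThan "6.9-rc2" unaffected entry conflicts with the record's own git ranges, which mark the stable-branch commits 32d3f2f108eb, bc48eb1b53ce, 8d310e5d702c and 8b7c57ab6f6b as the start of affected ranges (the companion mbox places these at 5.15.154, 6.1.84, 6.6.24 and 6.8.3, all of which sort below 6.9-rc2). A consumer that reads only the version ranges will therefore classify 5.15.154 through 5.15.156, and the equivalent 6.1, 6.6 and 6.8 point releases, as unaffected. Either drop the "0"/"6.9-rc2" pair or generate per-branch affected entries (for example "5.15.154" lessThan "5.15.157" affected) next to the existing unaffected ones.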
diff --git a/cve/published/2024/CVE-2024-26997.mbox b/cve/published/2024/CVE-2024-26997.mbox
new file mode 100644
index 00000000..3ed567a8
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26997.mbox
@@ -0,0 +1,74 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26997: usb: dwc2: host: Fix dereference issue in DDMA completion flow.
+Message-Id: <2024050145-CVE-2024-26997-b8bf@gregkh>
+Content-Length: 2414
+Lines: 57
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2472;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=diCpUyEQxrbRrBgyhXTUbHj8aOYu3Glthm6c+DL8NDo=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGmGl1tNFrPdEt3tHafd+XDFC6Fpr72Oly7d7H/l5sK2I
+ 57Sq2r2dcSyMAgyMciKKbJ82cZzdH/FIUUvQ9vTMHNYmUCGMHBxCsBEbskzLLh+6NdfCcfN52N7
+ L4ZVOoVe4HYXV2VYcLK2WsD3z68VzkWdGgnTulV/z79eDAA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+usb: dwc2: host: Fix dereference issue in DDMA completion flow.
+
+Fixed variable dereference issue in DDMA completion flow.
+
+The Linux kernel CVE team has assigned CVE-2024-26997 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.15.154 with commit 32d3f2f108eb and fixed in 5.15.157 with commit 8aa5c28ac65c
+ Issue introduced in 6.1.84 with commit bc48eb1b53ce and fixed in 6.1.88 with commit 9de10b59d168
+ Issue introduced in 6.6.24 with commit 8d310e5d702c and fixed in 6.6.29 with commit 8a139fa44870
+ Issue introduced in 6.8.3 with commit 8b7c57ab6f6b and fixed in 6.8.8 with commit 55656b2afd5f
+ Issue introduced in 6.9-rc2 with commit b258e4268850 and fixed in 6.9-rc5 with commit eed04fa96c48
+ Issue introduced in 4.19.312 with commit dca1dc1e99e0
+ Issue introduced in 5.4.274 with commit 693bbbccd9c7
+ Issue introduced in 5.10.215 with commit db4fa0c8e811
+ Issue introduced in 6.7.12 with commit c4046e703e00
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26997
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/usb/dwc2/hcd_ddma.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/8aa5c28ac65cb5e7f1b9c0c3238c00b661dd2b8c
+ https://git.kernel.org/stable/c/9de10b59d16880a0a3ae2876c142fe54ce45d816
+ https://git.kernel.org/stable/c/8a139fa44870e84ac228b7b76423a49610e5ba9a
+ https://git.kernel.org/stable/c/55656b2afd5f1efcec4245f3e7e814c2a9ef53f6
+ https://git.kernel.org/stable/c/eed04fa96c48790c1cce73c8a248e9d460b088f8
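Review bot: the four trailing lines "Issue introduced in 4.19.312 with commit dca1dc1e99e0", "Issue introduced in 5.4.274 with commit 693bbbccd9c7", "Issue introduced in 5.10.215 with commit db4fa0c8e811" and "Issue introduced in 6.7.12 with commit c4046e703e00" name no fixing commit, and none of these commits or branches appear in CVE-2024-26997.json's affected ranges or references. If the fix is genuinely missing on 4.19, 5.4, 5.10 and 6.7, the JSON should carry those as affected git ranges with no upper bound so the record does not read as fully fixed; if the fix has landed there, the lines are stale and the fixing commits belong in both files. The "Affected and fixed versions" section would also read more clearly if unfixed branches were grouped and labelled as such rather than interleaved with the fixed ones.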
diff --git a/cve/published/2024/CVE-2024-26997.sha1 b/cve/published/2024/CVE-2024-26997.sha1
new file mode 100644
index 00000000..412836b1
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26997.sha1
@@ -0,0 +1 @@
+eed04fa96c48790c1cce73c8a248e9d460b088f8
diff --git a/cve/reserved/2024/CVE-2024-26998 b/cve/published/2024/CVE-2024-26998
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26998
+++ b/cve/published/2024/CVE-2024-26998
diff --git a/cve/published/2024/CVE-2024-26998.json b/cve/published/2024/CVE-2024-26998.json
new file mode 100644
index 00000000..a91f693b
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26998.json
@@ -0,0 +1,103 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: core: Clearing the circular buffer before NULLifying it\n\nThe circular buffer is NULLified in uart_tty_port_shutdown()\nunder the spin lock. However, the PM or other timer based callbacks\nmay still trigger after this event without knowning that buffer pointer\nis not valid. Since the serial code is a bit inconsistent in checking\nthe buffer state (some rely on the head-tail positions, some on the\nbuffer pointer), it's better to have both aligned, i.e. buffer pointer\nto be NULL and head-tail possitions to be the same, meaning it's empty.\nThis will prevent asynchronous calls to dereference NULL pointer as\nreported recently in 8250 case:\n\n BUG: kernel NULL pointer dereference, address: 00000cf5\n Workqueue: pm pm_runtime_work\n EIP: serial8250_tx_chars (drivers/tty/serial/8250/8250_port.c:1809)\n ...\n ? serial8250_tx_chars (drivers/tty/serial/8250/8250_port.c:1809)\n __start_tx (drivers/tty/serial/8250/8250_port.c:1551)\n serial8250_start_tx (drivers/tty/serial/8250/8250_port.c:1654)\n serial_port_runtime_suspend (include/linux/serial_core.h:667 drivers/tty/serial/serial_port.c:63)\n __rpm_callback (drivers/base/power/runtime.c:393)\n ? serial_port_remove (drivers/tty/serial/serial_port.c:50)\n rpm_suspend (drivers/base/power/runtime.c:447)\n\nThe proposed change will prevent ->start_tx() to be called during\nsuspend on shut down port."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "434beb66368d",
+ "lessThan": "7ae7104d5434",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "43066e32227e",
+ "lessThan": "bb1118905e87",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "43066e32227e",
+ "lessThan": "9cf7ea2eeb74",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.8",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "6.8",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.29",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8.8",
+ "lessThanOrEqual": "6.8.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.9-rc5",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/7ae7104d54342433a3a73975f6569beefdd86350"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/bb1118905e875c111d7ccef9aee86ac5e4e7f985"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/9cf7ea2eeb745213dc2a04103e426b960e807940"
+ }
+ ],
+ "title": "serial: core: Clearing the circular buffer before NULLifying it",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26998",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
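Review bot: the "0" lessThan "6.8" unaffected entry contradicts the first git range, 434beb66368d through 7ae7104d5434, which the companion mbox places on the 6.6 branch (introduced in 6.6.24, fixed in 6.6.29). Read from the version block alone, 6.6.24 through 6.6.28 are unaffected because they sort below 6.8, while the git block says they are affected. The same bippy output shape appears in CVE-2024-26997.json in this commit, so the fix is likely in the generator: suppress the "0"/mainline pair when any introducing commit lives on a stable branch, or emit an explicit affected range per branch.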
diff --git a/cve/published/2024/CVE-2024-26998.mbox b/cve/published/2024/CVE-2024-26998.mbox
new file mode 100644
index 00000000..e0b81533
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26998.mbox
@@ -0,0 +1,90 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26998: serial: core: Clearing the circular buffer before NULLifying it
+Message-Id: <2024050145-CVE-2024-26998-2262@gregkh>
+Content-Length: 3136
+Lines: 73
+X-Developer-Signature: v=1; a=openpgp-sha256; l=3210;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=/GfQGWmy0HL1K6Ms0xXpra/geA90Kwfs4yEgssdfFJE=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGmGl1sFvVItH2y7+v5I0nX19OTDZUesyoKfTswpPq7Nw
+ Xko482GjlgWBkEmBlkxRZYv23iO7q84pOhlaHsaZg4rE8gQBi5OAZjIn3cMs1m3choc3XLv1fb/
+ rlOOn+DZ3niseCPDPFsTrn1rd2etCA6rTvrEfyz7ynHeMgA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+serial: core: Clearing the circular buffer before NULLifying it
+
+The circular buffer is NULLified in uart_tty_port_shutdown()
+under the spin lock. However, the PM or other timer based callbacks
+may still trigger after this event without knowning that buffer pointer
+is not valid. Since the serial code is a bit inconsistent in checking
+the buffer state (some rely on the head-tail positions, some on the
+buffer pointer), it's better to have both aligned, i.e. buffer pointer
+to be NULL and head-tail possitions to be the same, meaning it's empty.
+This will prevent asynchronous calls to dereference NULL pointer as
+reported recently in 8250 case:
+
+ BUG: kernel NULL pointer dereference, address: 00000cf5
+ Workqueue: pm pm_runtime_work
+ EIP: serial8250_tx_chars (drivers/tty/serial/8250/8250_port.c:1809)
+ ...
+ ? serial8250_tx_chars (drivers/tty/serial/8250/8250_port.c:1809)
+ __start_tx (drivers/tty/serial/8250/8250_port.c:1551)
+ serial8250_start_tx (drivers/tty/serial/8250/8250_port.c:1654)
+ serial_port_runtime_suspend (include/linux/serial_core.h:667 drivers/tty/serial/serial_port.c:63)
+ __rpm_callback (drivers/base/power/runtime.c:393)
+ ? serial_port_remove (drivers/tty/serial/serial_port.c:50)
+ rpm_suspend (drivers/base/power/runtime.c:447)
+
+The proposed change will prevent ->start_tx() to be called during
+suspend on shut down port.
+
+The Linux kernel CVE team has assigned CVE-2024-26998 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 6.6.24 with commit 434beb66368d and fixed in 6.6.29 with commit 7ae7104d5434
+ Issue introduced in 6.8 with commit 43066e32227e and fixed in 6.8.8 with commit bb1118905e87
+ Issue introduced in 6.8 with commit 43066e32227e and fixed in 6.9-rc5 with commit 9cf7ea2eeb74
+ Issue introduced in 6.7.12 with commit a629a9b2f769
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26998
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/tty/serial/serial_core.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/7ae7104d54342433a3a73975f6569beefdd86350
+ https://git.kernel.org/stable/c/bb1118905e875c111d7ccef9aee86ac5e4e7f985
+ https://git.kernel.org/stable/c/9cf7ea2eeb745213dc2a04103e426b960e807940
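Review bot: the line "Issue introduced in 6.7.12 with commit a629a9b2f769" lists no fixing commit and has no counterpart in CVE-2024-26998.json, whose version block marks everything below 6.8 as unaffected and whose references list only the three fixing commits. Either add a 6.7 affected range (and the backported fix, if one exists) to the JSON so the two files agree, or drop the line from the mbox if the branch is no longer tracked; as written, the mbox says 6.7.12 is affected and the JSON says it is not.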
diff --git a/cve/published/2024/CVE-2024-26998.sha1 b/cve/published/2024/CVE-2024-26998.sha1
new file mode 100644
index 00000000..9f456b79
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26998.sha1
@@ -0,0 +1 @@
+9cf7ea2eeb745213dc2a04103e426b960e807940
diff --git a/cve/reserved/2024/CVE-2024-26999 b/cve/published/2024/CVE-2024-26999
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26999
+++ b/cve/published/2024/CVE-2024-26999
diff --git a/cve/published/2024/CVE-2024-26999.json b/cve/published/2024/CVE-2024-26999.json
new file mode 100644
index 00000000..084a9b16
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26999.json
@@ -0,0 +1,133 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial/pmac_zilog: Remove flawed mitigation for rx irq flood\n\nThe mitigation was intended to stop the irq completely. That may be\nbetter than a hard lock-up but it turns out that you get a crash anyway\nif you're using pmac_zilog as a serial console:\n\nttyPZ0: pmz: rx irq flood !\nBUG: spinlock recursion on CPU#0, swapper/0\n\nThat's because the pr_err() call in pmz_receive_chars() results in\npmz_console_write() attempting to lock a spinlock already locked in\npmz_interrupt(). With CONFIG_DEBUG_SPINLOCK=y, this produces a fatal\nBUG splat. The spinlock in question is the one in struct uart_port.\n\nEven when it's not fatal, the serial port rx function ceases to work.\nAlso, the iteration limit doesn't play nicely with QEMU, as can be\nseen in the bug report linked below.\n\nA web search for other reports of the error message \"pmz: rx irq flood\"\ndidn't produce anything. So I don't think this code is needed any more.\nRemove it."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "7a3bbe41efa5",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "bbaafbb4651f",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "52aaf1ff1462",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "ca09dfc3cfdf",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "1be322644536",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "2.6.12",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "2.6.12",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.157",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.88",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.29",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8.8",
+ "lessThanOrEqual": "6.8.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.9-rc5",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/7a3bbe41efa55323b6ea3c35fa15941d4dbecdef"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/bbaafbb4651fede8d3c3881601ecaa4f834f9d3f"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/52aaf1ff14622a04148dbb9ccce6d9de5d534ea7"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/ca09dfc3cfdf89e6af3ac24e1c6c0be5c575a729"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/1be3226445362bfbf461c92a5bcdb1723f2e4907"
+ }
+ ],
+ "title": "serial/pmac_zilog: Remove flawed mitigation for rx irq flood",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26999",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
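Review bot: the description value still says "as can be seen in the bug report linked below", but nothing follows it in the record; the link trailers of the upstream commit are not carried into the CVE description, so the sentence dangles for anyone reading the published entry. Either add the report URL to "references" or drop the clause so the record stands on its own; the same sentence is reproduced in the .mbox announcement.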
diff --git a/cve/published/2024/CVE-2024-26999.mbox b/cve/published/2024/CVE-2024-26999.mbox
new file mode 100644
index 00000000..77dca0ea
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26999.mbox
@@ -0,0 +1,88 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26999: serial/pmac_zilog: Remove flawed mitigation for rx irq flood
+Message-Id: <2024050145-CVE-2024-26999-057f@gregkh>
+Content-Length: 3003
+Lines: 71
+X-Developer-Signature: v=1; a=openpgp-sha256; l=3075;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=fkF2VGPkbDDgdG84M42rZ+yccfQL7LvS4tESuvRJqPM=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGmGl1t/Oghe3Hh2y4bpb8M3/vt27vTz8qwJF494LOw/+
+ iEt7q+uXkcsC4MgE4OsmCLLl208R/dXHFL0MrQ9DTOHlQlkCAMXpwBMZG8xwzyFmR6dM4OW3tqZ
+ wLV0zbQTeW+tLxoxzDM2tQqyqZX5uoPxVtnKANlDkfe3KgIA
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+serial/pmac_zilog: Remove flawed mitigation for rx irq flood
+
+The mitigation was intended to stop the irq completely. That may be
+better than a hard lock-up but it turns out that you get a crash anyway
+if you're using pmac_zilog as a serial console:
+
+ttyPZ0: pmz: rx irq flood !
+BUG: spinlock recursion on CPU#0, swapper/0
+
+That's because the pr_err() call in pmz_receive_chars() results in
+pmz_console_write() attempting to lock a spinlock already locked in
+pmz_interrupt(). With CONFIG_DEBUG_SPINLOCK=y, this produces a fatal
+BUG splat. The spinlock in question is the one in struct uart_port.
+
+Even when it's not fatal, the serial port rx function ceases to work.
+Also, the iteration limit doesn't play nicely with QEMU, as can be
+seen in the bug report linked below.
+
+A web search for other reports of the error message "pmz: rx irq flood"
+didn't produce anything. So I don't think this code is needed any more.
+Remove it.
+
+The Linux kernel CVE team has assigned CVE-2024-26999 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 2.6.12 with commit 1da177e4c3f4 and fixed in 5.15.157 with commit 7a3bbe41efa5
+ Issue introduced in 2.6.12 with commit 1da177e4c3f4 and fixed in 6.1.88 with commit bbaafbb4651f
+ Issue introduced in 2.6.12 with commit 1da177e4c3f4 and fixed in 6.6.29 with commit 52aaf1ff1462
+ Issue introduced in 2.6.12 with commit 1da177e4c3f4 and fixed in 6.8.8 with commit ca09dfc3cfdf
+ Issue introduced in 2.6.12 with commit 1da177e4c3f4 and fixed in 6.9-rc5 with commit 1be322644536
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26999
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/tty/serial/pmac_zilog.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/7a3bbe41efa55323b6ea3c35fa15941d4dbecdef
+ https://git.kernel.org/stable/c/bbaafbb4651fede8d3c3881601ecaa4f834f9d3f
+ https://git.kernel.org/stable/c/52aaf1ff14622a04148dbb9ccce6d9de5d534ea7
+ https://git.kernel.org/stable/c/ca09dfc3cfdf89e6af3ac24e1c6c0be5c575a729
+ https://git.kernel.org/stable/c/1be3226445362bfbf461c92a5bcdb1723f2e4907
diff --git a/cve/published/2024/CVE-2024-26999.sha1 b/cve/published/2024/CVE-2024-26999.sha1
new file mode 100644
index 00000000..23c411ba
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26999.sha1
@@ -0,0 +1 @@
+1be3226445362bfbf461c92a5bcdb1723f2e4907
diff --git a/cve/reserved/2024/CVE-2024-27000 b/cve/published/2024/CVE-2024-27000
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-27000
+++ b/cve/published/2024/CVE-2024-27000
diff --git a/cve/published/2024/CVE-2024-27000.json b/cve/published/2024/CVE-2024-27000.json
new file mode 100644
index 00000000..9a7a7cd8
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27000.json
@@ -0,0 +1,118 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: mxs-auart: add spinlock around changing cts state\n\nThe uart_handle_cts_change() function in serial_core expects the caller\nto hold uport->lock. For example, I have seen the below kernel splat,\nwhen the Bluetooth driver is loaded on an i.MX28 board.\n\n [ 85.119255] ------------[ cut here ]------------\n [ 85.124413] WARNING: CPU: 0 PID: 27 at /drivers/tty/serial/serial_core.c:3453 uart_handle_cts_change+0xb4/0xec\n [ 85.134694] Modules linked in: hci_uart bluetooth ecdh_generic ecc wlcore_sdio configfs\n [ 85.143314] CPU: 0 PID: 27 Comm: kworker/u3:0 Not tainted 6.6.3-00021-gd62a2f068f92 #1\n [ 85.151396] Hardware name: Freescale MXS (Device Tree)\n [ 85.156679] Workqueue: hci0 hci_power_on [bluetooth]\n (...)\n [ 85.191765] uart_handle_cts_change from mxs_auart_irq_handle+0x380/0x3f4\n [ 85.198787] mxs_auart_irq_handle from __handle_irq_event_percpu+0x88/0x210\n (...)"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "4d90bb147ef6",
+ "lessThan": "2c9b943e9924",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "4d90bb147ef6",
+ "lessThan": "5f40fd6ca2cf",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "4d90bb147ef6",
+ "lessThan": "94b0e65c75f4",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "4d90bb147ef6",
+ "lessThan": "54c4ec5f8c47",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "3.18",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "3.18",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.88",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.29",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8.8",
+ "lessThanOrEqual": "6.8.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.9-rc5",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/2c9b943e9924cf1269e44289bc5e60e51b0f5270"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/5f40fd6ca2cf0bfbc5a5c9e403dfce8ca899ba37"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/94b0e65c75f4af888ab2dd6c90f060f762924e86"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/54c4ec5f8c471b7c1137a1f769648549c423c026"
+ }
+ ],
+ "title": "serial: mxs-auart: add spinlock around changing cts state",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-27000",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
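Review bot: the second "versions" block marks everything from 3.18 onward (introduced by 4d90bb147ef6) as affected but lists fixes only for 6.1.88, 6.6.29, 6.8.8 and 6.9-rc5; no entry exists for 5.15.y or older supported stable branches, so under "defaultStatus": "affected" they are published as unfixed. Worth confirming whether the backport to those branches was rejected or is merely pending before the record goes out.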
diff --git a/cve/published/2024/CVE-2024-27000.mbox b/cve/published/2024/CVE-2024-27000.mbox
new file mode 100644
index 00000000..9b2a0446
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27000.mbox
@@ -0,0 +1,81 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-27000: serial: mxs-auart: add spinlock around changing cts state
+Message-Id: <2024050146-CVE-2024-27000-c789@gregkh>
+Content-Length: 2820
+Lines: 64
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2885;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=NoMspKvMdwOCQvSFrs5c1Lisg5Yi/cyrIilrAjtlc9k=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGmGl9vyWZ5xtxk+4/zeclbokKxKScq1kzw3fr4R+7Dzk
+ 3tmufivjlgWBkEmBlkxRZYv23iO7q84pOhlaHsaZg4rE8gQBi5OAZhIywyGefY3GOI/Cqz4ZuKY
+ febTqZieTS2cpxgWHC1j+3pVs/nzwZIpJ9JFJjhM8o9NBAA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+serial: mxs-auart: add spinlock around changing cts state
+
+The uart_handle_cts_change() function in serial_core expects the caller
+to hold uport->lock. For example, I have seen the below kernel splat,
+when the Bluetooth driver is loaded on an i.MX28 board.
+
+ [ 85.119255] ------------[ cut here ]------------
+ [ 85.124413] WARNING: CPU: 0 PID: 27 at /drivers/tty/serial/serial_core.c:3453 uart_handle_cts_change+0xb4/0xec
+ [ 85.134694] Modules linked in: hci_uart bluetooth ecdh_generic ecc wlcore_sdio configfs
+ [ 85.143314] CPU: 0 PID: 27 Comm: kworker/u3:0 Not tainted 6.6.3-00021-gd62a2f068f92 #1
+ [ 85.151396] Hardware name: Freescale MXS (Device Tree)
+ [ 85.156679] Workqueue: hci0 hci_power_on [bluetooth]
+ (...)
+ [ 85.191765] uart_handle_cts_change from mxs_auart_irq_handle+0x380/0x3f4
+ [ 85.198787] mxs_auart_irq_handle from __handle_irq_event_percpu+0x88/0x210
+ (...)
+
+The Linux kernel CVE team has assigned CVE-2024-27000 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 3.18 with commit 4d90bb147ef6 and fixed in 6.1.88 with commit 2c9b943e9924
+ Issue introduced in 3.18 with commit 4d90bb147ef6 and fixed in 6.6.29 with commit 5f40fd6ca2cf
+ Issue introduced in 3.18 with commit 4d90bb147ef6 and fixed in 6.8.8 with commit 94b0e65c75f4
+ Issue introduced in 3.18 with commit 4d90bb147ef6 and fixed in 6.9-rc5 with commit 54c4ec5f8c47
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-27000
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/tty/serial/mxs-auart.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/2c9b943e9924cf1269e44289bc5e60e51b0f5270
+ https://git.kernel.org/stable/c/5f40fd6ca2cf0bfbc5a5c9e403dfce8ca899ba37
+ https://git.kernel.org/stable/c/94b0e65c75f4af888ab2dd6c90f060f762924e86
+ https://git.kernel.org/stable/c/54c4ec5f8c471b7c1137a1f769648549c423c026
diff --git a/cve/published/2024/CVE-2024-27000.sha1 b/cve/published/2024/CVE-2024-27000.sha1
new file mode 100644
index 00000000..f48f4dc7
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27000.sha1
@@ -0,0 +1 @@
+54c4ec5f8c471b7c1137a1f769648549c423c026
diff --git a/cve/reserved/2024/CVE-2024-27001 b/cve/published/2024/CVE-2024-27001
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-27001
+++ b/cve/published/2024/CVE-2024-27001
diff --git a/cve/published/2024/CVE-2024-27001.json b/cve/published/2024/CVE-2024-27001.json
new file mode 100644
index 00000000..e1f31c63
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27001.json
@@ -0,0 +1,133 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: vmk80xx: fix incomplete endpoint checking\n\nWhile vmk80xx does have endpoint checking implemented, some things\ncan fall through the cracks. Depending on the hardware model,\nURBs can have either bulk or interrupt type, and current version\nof vmk80xx_find_usb_endpoints() function does not take that fully\ninto account. While this warning does not seem to be too harmful,\nat the very least it will crash systems with 'panic_on_warn' set on\nthem.\n\nFix the issue found by Syzkaller [1] by somewhat simplifying the\nendpoint checking process with usb_find_common_endpoints() and\nensuring that only expected endpoint types are present.\n\nThis patch has not been tested on real hardware.\n\n[1] Syzkaller report:\nusb 1-1: BOGUS urb xfer, pipe 1 != type 3\nWARNING: CPU: 0 PID: 781 at drivers/usb/core/urb.c:504 usb_submit_urb+0xc4e/0x18c0 drivers/usb/core/urb.c:503\n...\nCall Trace:\n <TASK>\n usb_start_wait_urb+0x113/0x520 drivers/usb/core/message.c:59\n vmk80xx_reset_device drivers/comedi/drivers/vmk80xx.c:227 [inline]\n vmk80xx_auto_attach+0xa1c/0x1a40 drivers/comedi/drivers/vmk80xx.c:818\n comedi_auto_config+0x238/0x380 drivers/comedi/drivers.c:1067\n usb_probe_interface+0x5cd/0xb00 drivers/usb/core/driver.c:399\n...\n\nSimilar issue also found by Syzkaller:"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "49253d542cc0",
+ "lessThan": "b0b268eeb087",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "49253d542cc0",
+ "lessThan": "ac882d6b21bf",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "49253d542cc0",
+ "lessThan": "59f33af97961",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "49253d542cc0",
+ "lessThan": "6ec3514a7d35",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "49253d542cc0",
+ "lessThan": "d1718530e3f6",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "3.9",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "3.9",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.157",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.88",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.29",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8.8",
+ "lessThanOrEqual": "6.8.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.9-rc5",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/b0b268eeb087e324ef3ea71f8e6cabd07630517f"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/ac882d6b21bffecb57bcc4486701239eef5aa67b"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/59f33af9796160f851641d960bd93937f282c696"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/6ec3514a7d35ad9cfab600187612c29f669069d2"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/d1718530e3f640b7d5f0050e725216eab57a85d8"
+ }
+ ],
+ "title": "comedi: vmk80xx: fix incomplete endpoint checking",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-27001",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
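Review bot: the description ends with "Similar issue also found by Syzkaller:" and then nothing, so the second report referenced by the commit message was truncated on import and the published text closes on a dangling colon. Either include the first lines of that second report or cut the trailing sentence; the .mbox announcement carries the same truncated text.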
diff --git a/cve/published/2024/CVE-2024-27001.mbox b/cve/published/2024/CVE-2024-27001.mbox
new file mode 100644
index 00000000..739a28ef
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27001.mbox
@@ -0,0 +1,97 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-27001: comedi: vmk80xx: fix incomplete endpoint checking
+Message-Id: <2024050146-CVE-2024-27001-16ca@gregkh>
+Content-Length: 3317
+Lines: 80
+X-Developer-Signature: v=1; a=openpgp-sha256; l=3398;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=+/jsABGZ2qq0MKphi/LwhMIaOdVXSsRqCiCw2WV9Mk8=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGmGl9smLD2+7XfZe4UPffv5f/7SWSXnqTFbKV+pxf1g/
+ 3TX/bmHOmJZGASZGGTFFFm+bOM5ur/ikKKXoe1pmDmsTCBDGLg4BWAi9m4MC/b6F2ZkCm0Ok5j2
+ Ub/p+rdN7oUvNzAsOBczsZLjqsbLzltRvZ7PyuWmLlykDQA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+comedi: vmk80xx: fix incomplete endpoint checking
+
+While vmk80xx does have endpoint checking implemented, some things
+can fall through the cracks. Depending on the hardware model,
+URBs can have either bulk or interrupt type, and current version
+of vmk80xx_find_usb_endpoints() function does not take that fully
+into account. While this warning does not seem to be too harmful,
+at the very least it will crash systems with 'panic_on_warn' set on
+them.
+
+Fix the issue found by Syzkaller [1] by somewhat simplifying the
+endpoint checking process with usb_find_common_endpoints() and
+ensuring that only expected endpoint types are present.
+
+This patch has not been tested on real hardware.
+
+[1] Syzkaller report:
+usb 1-1: BOGUS urb xfer, pipe 1 != type 3
+WARNING: CPU: 0 PID: 781 at drivers/usb/core/urb.c:504 usb_submit_urb+0xc4e/0x18c0 drivers/usb/core/urb.c:503
+...
+Call Trace:
+ <TASK>
+ usb_start_wait_urb+0x113/0x520 drivers/usb/core/message.c:59
+ vmk80xx_reset_device drivers/comedi/drivers/vmk80xx.c:227 [inline]
+ vmk80xx_auto_attach+0xa1c/0x1a40 drivers/comedi/drivers/vmk80xx.c:818
+ comedi_auto_config+0x238/0x380 drivers/comedi/drivers.c:1067
+ usb_probe_interface+0x5cd/0xb00 drivers/usb/core/driver.c:399
+...
+
+Similar issue also found by Syzkaller:
+
+The Linux kernel CVE team has assigned CVE-2024-27001 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 3.9 with commit 49253d542cc0 and fixed in 5.15.157 with commit b0b268eeb087
+ Issue introduced in 3.9 with commit 49253d542cc0 and fixed in 6.1.88 with commit ac882d6b21bf
+ Issue introduced in 3.9 with commit 49253d542cc0 and fixed in 6.6.29 with commit 59f33af97961
+ Issue introduced in 3.9 with commit 49253d542cc0 and fixed in 6.8.8 with commit 6ec3514a7d35
+ Issue introduced in 3.9 with commit 49253d542cc0 and fixed in 6.9-rc5 with commit d1718530e3f6
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-27001
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/comedi/drivers/vmk80xx.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/b0b268eeb087e324ef3ea71f8e6cabd07630517f
+ https://git.kernel.org/stable/c/ac882d6b21bffecb57bcc4486701239eef5aa67b
+ https://git.kernel.org/stable/c/59f33af9796160f851641d960bd93937f282c696
+ https://git.kernel.org/stable/c/6ec3514a7d35ad9cfab600187612c29f669069d2
+ https://git.kernel.org/stable/c/d1718530e3f640b7d5f0050e725216eab57a85d8
diff --git a/cve/published/2024/CVE-2024-27001.sha1 b/cve/published/2024/CVE-2024-27001.sha1
new file mode 100644
index 00000000..18e4fd53
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27001.sha1
@@ -0,0 +1 @@
+d1718530e3f640b7d5f0050e725216eab57a85d8
diff --git a/cve/reserved/2024/CVE-2024-27002 b/cve/published/2024/CVE-2024-27002
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-27002
+++ b/cve/published/2024/CVE-2024-27002
diff --git a/cve/published/2024/CVE-2024-27002.json b/cve/published/2024/CVE-2024-27002.json
new file mode 100644
index 00000000..7cc62cea
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27002.json
@@ -0,0 +1,118 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: mediatek: Do a runtime PM get on controllers during probe\n\nmt8183-mfgcfg has a mutual dependency with genpd during the probing\nstage, which leads to a deadlock in the following call stack:\n\nCPU0: genpd_lock --> clk_prepare_lock\ngenpd_power_off_work_fn()\n genpd_lock()\n generic_pm_domain::power_off()\n clk_unprepare()\n clk_prepare_lock()\n\nCPU1: clk_prepare_lock --> genpd_lock\nclk_register()\n __clk_core_init()\n clk_prepare_lock()\n clk_pm_runtime_get()\n genpd_lock()\n\nDo a runtime PM get at the probe function to make sure clk_register()\nwon't acquire the genpd lock. Instead of only modifying mt8183-mfgcfg,\ndo this on all mediatek clock controller probings because we don't\nbelieve this would cause any regression.\n\nVerified on MT8183 and MT8192 Chromebooks."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "acddfc2c261b",
+ "lessThan": "165d22647257",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "acddfc2c261b",
+ "lessThan": "c0dcd5c072e2",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "acddfc2c261b",
+ "lessThan": "b62ed25feb34",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "acddfc2c261b",
+ "lessThan": "2f7b1d8b5505",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.2",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.2",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.88",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.29",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8.8",
+ "lessThanOrEqual": "6.8.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.9-rc5",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/165d226472575b213dd90dfda19d1605dd7c19a8"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/c0dcd5c072e2a3fff886f673e6a5d9bf8090c4cc"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/b62ed25feb342eab052822eff0c554873799a4f5"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/2f7b1d8b5505efb0057cd1ab85fca206063ea4c3"
+ }
+ ],
+ "title": "clk: mediatek: Do a runtime PM get on controllers during probe",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-27002",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
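Review bot: same gap as in CVE-2024-27000 above: the issue is recorded as introduced in 5.2 (acddfc2c261b), yet the fixed versions start at 6.1.88, leaving 5.4.y, 5.10.y and 5.15.y inside the affected range with no fix listed. If the clk-mtk.c change does not apply there, a short reason in the record (or a pending-backport marker) would keep consumers from treating those branches as silently unfixed.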
diff --git a/cve/published/2024/CVE-2024-27002.mbox b/cve/published/2024/CVE-2024-27002.mbox
new file mode 100644
index 00000000..4a9bdc86
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27002.mbox
@@ -0,0 +1,90 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-27002: clk: mediatek: Do a runtime PM get on controllers during probe
+Message-Id: <2024050146-CVE-2024-27002-3b11@gregkh>
+Content-Length: 2675
+Lines: 73
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2749;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=x3WQz+Yf6EdusipLz77kuaLr8NzFUwJWzHrbCht+5hI=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGmGl9sKlU40iIndffv9xsPCAzfvBYie+S9dUciQ2SqyN
+ Vjig6x1RywLgyATg6yYIsuXbTxH91ccUvQytD0NM4eVCWQIAxenAEzk9S+GebY/Ug1vXyr1v7h3
+ +bniqJZ1eos//2KY76gzPVyy2dF38+JjoX/9d2rlFewzBAA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+clk: mediatek: Do a runtime PM get on controllers during probe
+
+mt8183-mfgcfg has a mutual dependency with genpd during the probing
+stage, which leads to a deadlock in the following call stack:
+
+CPU0: genpd_lock --> clk_prepare_lock
+genpd_power_off_work_fn()
+ genpd_lock()
+ generic_pm_domain::power_off()
+ clk_unprepare()
+ clk_prepare_lock()
+
+CPU1: clk_prepare_lock --> genpd_lock
+clk_register()
+ __clk_core_init()
+ clk_prepare_lock()
+ clk_pm_runtime_get()
+ genpd_lock()
+
+Do a runtime PM get at the probe function to make sure clk_register()
+won't acquire the genpd lock. Instead of only modifying mt8183-mfgcfg,
+do this on all mediatek clock controller probings because we don't
+believe this would cause any regression.
+
+Verified on MT8183 and MT8192 Chromebooks.
+
+The Linux kernel CVE team has assigned CVE-2024-27002 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.2 with commit acddfc2c261b and fixed in 6.1.88 with commit 165d22647257
+ Issue introduced in 5.2 with commit acddfc2c261b and fixed in 6.6.29 with commit c0dcd5c072e2
+ Issue introduced in 5.2 with commit acddfc2c261b and fixed in 6.8.8 with commit b62ed25feb34
+ Issue introduced in 5.2 with commit acddfc2c261b and fixed in 6.9-rc5 with commit 2f7b1d8b5505
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-27002
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/clk/mediatek/clk-mtk.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/165d226472575b213dd90dfda19d1605dd7c19a8
+ https://git.kernel.org/stable/c/c0dcd5c072e2a3fff886f673e6a5d9bf8090c4cc
+ https://git.kernel.org/stable/c/b62ed25feb342eab052822eff0c554873799a4f5
+ https://git.kernel.org/stable/c/2f7b1d8b5505efb0057cd1ab85fca206063ea4c3
diff --git a/cve/published/2024/CVE-2024-27002.sha1 b/cve/published/2024/CVE-2024-27002.sha1
new file mode 100644
index 00000000..d9f43f46
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27002.sha1
@@ -0,0 +1 @@
+2f7b1d8b5505efb0057cd1ab85fca206063ea4c3
diff --git a/cve/reserved/2024/CVE-2024-27003 b/cve/published/2024/CVE-2024-27003
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-27003
+++ b/cve/published/2024/CVE-2024-27003
diff --git a/cve/published/2024/CVE-2024-27003.json b/cve/published/2024/CVE-2024-27003.json
new file mode 100644
index 00000000..10cad56a
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27003.json
@@ -0,0 +1,118 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: Get runtime PM before walking tree for clk_summary\n\nSimilar to the previous commit, we should make sure that all devices are\nruntime resumed before printing the clk_summary through debugfs. Failure\nto do so would result in a deadlock if the thread is resuming a device\nto print clk state and that device is also runtime resuming in another\nthread, e.g the screen is turning on and the display driver is starting\nup. We remove the calls to clk_pm_runtime_{get,put}() in this path\nbecause they're superfluous now that we know the devices are runtime\nresumed. This also squashes a bug where the return value of\nclk_pm_runtime_get() wasn't checked, leading to an RPM count underflow\non error paths."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1bb294a7981c",
+ "lessThan": "83ada89e4a86",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1bb294a7981c",
+ "lessThan": "2c077fdfd09d",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1bb294a7981c",
+ "lessThan": "b457105309d3",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1bb294a7981c",
+ "lessThan": "9d1e795f754d",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.17",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.17",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.88",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.29",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8.8",
+ "lessThanOrEqual": "6.8.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.9-rc5",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/83ada89e4a86e2b28ea2b5113c76d6dc7560a4d0"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/2c077fdfd09dffb31a890e5095c8ab205138a42e"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/b457105309d388e4081c716cf7b81d517ff74db4"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/9d1e795f754db1ac3344528b7af0b17b8146f321"
+ }
+ ],
+ "title": "clk: Get runtime PM before walking tree for clk_summary",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-27003",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
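Review bot: The description in this hunk opens with "Similar to the previous commit, we should make sure that all devices are runtime resumed before printing the clk_summary through debugfs", but a CVE record is read on its own and "the previous commit" is never identified in the JSON. The sibling record in this same change, CVE-2024-27004 ("clk: Get runtime PM before walking tree during disable_unused"), covers the analogous walk of the clk tree and carries the full explanation of the ABBA deadlock between the clk prepare_lock and runtime PM resume; naming that commit or CVE in the description, or adding it to the references, would let consumers find the reasoning behind this fix instead of a dangling comparison.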
diff --git a/cve/published/2024/CVE-2024-27003.mbox b/cve/published/2024/CVE-2024-27003.mbox
new file mode 100644
index 00000000..48221c95
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27003.mbox
@@ -0,0 +1,77 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-27003: clk: Get runtime PM before walking tree for clk_summary
+Message-Id: <2024050146-CVE-2024-27003-c862@gregkh>
+Content-Length: 2580
+Lines: 60
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2641;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=Aqn91OE2YNKj9ecgxHG0JdC5YXhjnMOtoHsEDExUvR0=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGmGl9seN7xxXKsUufzJ18kHAvosr0l0rEhxZHX7PbeJW
+ URK3E+5I5aFQZCJQVZMkeXLNp6j+ysOKXoZ2p6GmcPKBDKEgYtTACZS6cSwYP7ieduW7u/IyC6L
+ ecKooSp6/Uz4O4Z5xhw3eTeGTiko0xSeMP/D58wP5kc7AA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+clk: Get runtime PM before walking tree for clk_summary
+
+Similar to the previous commit, we should make sure that all devices are
+runtime resumed before printing the clk_summary through debugfs. Failure
+to do so would result in a deadlock if the thread is resuming a device
+to print clk state and that device is also runtime resuming in another
+thread, e.g the screen is turning on and the display driver is starting
+up. We remove the calls to clk_pm_runtime_{get,put}() in this path
+because they're superfluous now that we know the devices are runtime
+resumed. This also squashes a bug where the return value of
+clk_pm_runtime_get() wasn't checked, leading to an RPM count underflow
+on error paths.
+
+The Linux kernel CVE team has assigned CVE-2024-27003 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.17 with commit 1bb294a7981c and fixed in 6.1.88 with commit 83ada89e4a86
+ Issue introduced in 5.17 with commit 1bb294a7981c and fixed in 6.6.29 with commit 2c077fdfd09d
+ Issue introduced in 5.17 with commit 1bb294a7981c and fixed in 6.8.8 with commit b457105309d3
+ Issue introduced in 5.17 with commit 1bb294a7981c and fixed in 6.9-rc5 with commit 9d1e795f754d
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-27003
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/clk/clk.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/83ada89e4a86e2b28ea2b5113c76d6dc7560a4d0
+ https://git.kernel.org/stable/c/2c077fdfd09dffb31a890e5095c8ab205138a42e
+ https://git.kernel.org/stable/c/b457105309d388e4081c716cf7b81d517ff74db4
+ https://git.kernel.org/stable/c/9d1e795f754db1ac3344528b7af0b17b8146f321
diff --git a/cve/published/2024/CVE-2024-27003.sha1 b/cve/published/2024/CVE-2024-27003.sha1
new file mode 100644
index 00000000..8a82d8ec
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27003.sha1
@@ -0,0 +1 @@
+9d1e795f754db1ac3344528b7af0b17b8146f321
diff --git a/cve/reserved/2024/CVE-2024-27004 b/cve/published/2024/CVE-2024-27004
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-27004
+++ b/cve/published/2024/CVE-2024-27004
diff --git a/cve/published/2024/CVE-2024-27004.json b/cve/published/2024/CVE-2024-27004.json
new file mode 100644
index 00000000..64561d85
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27004.json
@@ -0,0 +1,133 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: Get runtime PM before walking tree during disable_unused\n\nDoug reported [1] the following hung task:\n\n INFO: task swapper/0:1 blocked for more than 122 seconds.\n Not tainted 5.15.149-21875-gf795ebc40eb8 #1\n \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n task:swapper/0 state:D stack: 0 pid: 1 ppid: 0 flags:0x00000008\n Call trace:\n __switch_to+0xf4/0x1f4\n __schedule+0x418/0xb80\n schedule+0x5c/0x10c\n rpm_resume+0xe0/0x52c\n rpm_resume+0x178/0x52c\n __pm_runtime_resume+0x58/0x98\n clk_pm_runtime_get+0x30/0xb0\n clk_disable_unused_subtree+0x58/0x208\n clk_disable_unused_subtree+0x38/0x208\n clk_disable_unused_subtree+0x38/0x208\n clk_disable_unused_subtree+0x38/0x208\n clk_disable_unused_subtree+0x38/0x208\n clk_disable_unused+0x4c/0xe4\n do_one_initcall+0xcc/0x2d8\n do_initcall_level+0xa4/0x148\n do_initcalls+0x5c/0x9c\n do_basic_setup+0x24/0x30\n kernel_init_freeable+0xec/0x164\n kernel_init+0x28/0x120\n ret_from_fork+0x10/0x20\n INFO: task kworker/u16:0:9 blocked for more than 122 seconds.\n Not tainted 5.15.149-21875-gf795ebc40eb8 #1\n \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n task:kworker/u16:0 state:D stack: 0 pid: 9 ppid: 2 flags:0x00000008\n Workqueue: events_unbound deferred_probe_work_func\n Call trace:\n __switch_to+0xf4/0x1f4\n __schedule+0x418/0xb80\n schedule+0x5c/0x10c\n schedule_preempt_disabled+0x2c/0x48\n __mutex_lock+0x238/0x488\n __mutex_lock_slowpath+0x1c/0x28\n mutex_lock+0x50/0x74\n clk_prepare_lock+0x7c/0x9c\n clk_core_prepare_lock+0x20/0x44\n clk_prepare+0x24/0x30\n clk_bulk_prepare+0x40/0xb0\n mdss_runtime_resume+0x54/0x1c8\n pm_generic_runtime_resume+0x30/0x44\n __genpd_runtime_resume+0x68/0x7c\n genpd_runtime_resume+0x108/0x1f4\n __rpm_callback+0x84/0x144\n rpm_callback+0x30/0x88\n rpm_resume+0x1f4/0x52c\n rpm_resume+0x178/0x52c\n __pm_runtime_resume+0x58/0x98\n 
__device_attach+0xe0/0x170\n device_initial_probe+0x1c/0x28\n bus_probe_device+0x3c/0x9c\n device_add+0x644/0x814\n mipi_dsi_device_register_full+0xe4/0x170\n devm_mipi_dsi_device_register_full+0x28/0x70\n ti_sn_bridge_probe+0x1dc/0x2c0\n auxiliary_bus_probe+0x4c/0x94\n really_probe+0xcc/0x2c8\n __driver_probe_device+0xa8/0x130\n driver_probe_device+0x48/0x110\n __device_attach_driver+0xa4/0xcc\n bus_for_each_drv+0x8c/0xd8\n __device_attach+0xf8/0x170\n device_initial_probe+0x1c/0x28\n bus_probe_device+0x3c/0x9c\n deferred_probe_work_func+0x9c/0xd8\n process_one_work+0x148/0x518\n worker_thread+0x138/0x350\n kthread+0x138/0x1e0\n ret_from_fork+0x10/0x20\n\nThe first thread is walking the clk tree and calling\nclk_pm_runtime_get() to power on devices required to read the clk\nhardware via struct clk_ops::is_enabled(). This thread holds the clk\nprepare_lock, and is trying to runtime PM resume a device, when it finds\nthat the device is in the process of resuming so the thread schedule()s\naway waiting for the device to finish resuming before continuing. The\nsecond thread is runtime PM resuming the same device, but the runtime\nresume callback is calling clk_prepare(), trying to grab the\nprepare_lock waiting on the first thread.\n\nThis is a classic ABBA deadlock. To properly fix the deadlock, we must\nnever runtime PM resume or suspend a device with the clk prepare_lock\nheld. Actually doing that is near impossible today because the global\nprepare_lock would have to be dropped in the middle of the tree, the\ndevice runtime PM resumed/suspended, and then the prepare_lock grabbed\nagain to ensure consistency of the clk tree topology. If anything\nchanges with the clk tree in the meantime, we've lost and will need to\nstart the operation all over again.\n\nLuckily, most of the time we're simply incrementing or decrementing the\nruntime PM count on an active device, so we don't have the chance to\nschedule away with the prepare_lock held. 
Let's fix this immediate\nproblem that can be\n---truncated---"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "9a34b45397e5",
+ "lessThan": "a29ec0465dce",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "9a34b45397e5",
+ "lessThan": "a424e713e0cc",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "9a34b45397e5",
+ "lessThan": "60ff482c4205",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "9a34b45397e5",
+ "lessThan": "115554862294",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "9a34b45397e5",
+ "lessThan": "e581cf5d2162",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "4.15",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "4.15",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.157",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.88",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.29",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8.8",
+ "lessThanOrEqual": "6.8.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.9-rc5",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/a29ec0465dce0b871003698698ac6fa92c9a5034"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/a424e713e0cc33d4b969cfda25b9f46df4d7b5bc"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/60ff482c4205a5aac3b0595ab794cfd62295dab5"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/115554862294397590088ba02f11f2aba6d5016c"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/e581cf5d216289ef292d1a4036d53ce90e122469"
+ }
+ ],
+ "title": "clk: Get runtime PM before walking tree during disable_unused",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-27004",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
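Review bot: The description value in this hunk ends in "Let's fix this immediate\nproblem that can be\n---truncated---", so the JSON record drops exactly the part that explains the fix (the mbox paragraph about introducing a list of clk_core structures that require runtime PM and calling clk_pm_runtime_get()/clk_pm_runtime_put() on them without the prepare_lock held) while keeping some sixty lines of hung-task call trace. If the generator has to cut the description to a length limit, shortening the two call traces would serve readers better than cutting the tail; as published the record describes the symptom but not the change, and the change is what people triaging backports need to see.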
diff --git a/cve/published/2024/CVE-2024-27004.mbox b/cve/published/2024/CVE-2024-27004.mbox
new file mode 100644
index 00000000..85e5f384
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27004.mbox
@@ -0,0 +1,179 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-27004: clk: Get runtime PM before walking tree during disable_unused
+Message-Id: <2024050147-CVE-2024-27004-c429@gregkh>
+Content-Length: 6726
+Lines: 162
+X-Developer-Signature: v=1; a=openpgp-sha256; l=6889;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=duSZqAs40dg2UXCtmPf58Re7zHIntx351xA3IY3x2G4=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGmGl9s1rgcfOLFV69SD4yvW1XycptIRdmapwaKGXkaG8
+ I8/N/9J7IhlYRBkYpAVU2T5so3n6P6KQ4pehranYeawMoEMYeDiFICJ1L5kWDB3tckNVv68+IL3
+ hr0yB/hyzk5MtWWYH8ET1cs+w7D0mRiPgLTPs4+sR9MXAQA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+clk: Get runtime PM before walking tree during disable_unused
+
+Doug reported [1] the following hung task:
+
+ INFO: task swapper/0:1 blocked for more than 122 seconds.
+ Not tainted 5.15.149-21875-gf795ebc40eb8 #1
+ "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+ task:swapper/0 state:D stack: 0 pid: 1 ppid: 0 flags:0x00000008
+ Call trace:
+ __switch_to+0xf4/0x1f4
+ __schedule+0x418/0xb80
+ schedule+0x5c/0x10c
+ rpm_resume+0xe0/0x52c
+ rpm_resume+0x178/0x52c
+ __pm_runtime_resume+0x58/0x98
+ clk_pm_runtime_get+0x30/0xb0
+ clk_disable_unused_subtree+0x58/0x208
+ clk_disable_unused_subtree+0x38/0x208
+ clk_disable_unused_subtree+0x38/0x208
+ clk_disable_unused_subtree+0x38/0x208
+ clk_disable_unused_subtree+0x38/0x208
+ clk_disable_unused+0x4c/0xe4
+ do_one_initcall+0xcc/0x2d8
+ do_initcall_level+0xa4/0x148
+ do_initcalls+0x5c/0x9c
+ do_basic_setup+0x24/0x30
+ kernel_init_freeable+0xec/0x164
+ kernel_init+0x28/0x120
+ ret_from_fork+0x10/0x20
+ INFO: task kworker/u16:0:9 blocked for more than 122 seconds.
+ Not tainted 5.15.149-21875-gf795ebc40eb8 #1
+ "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+ task:kworker/u16:0 state:D stack: 0 pid: 9 ppid: 2 flags:0x00000008
+ Workqueue: events_unbound deferred_probe_work_func
+ Call trace:
+ __switch_to+0xf4/0x1f4
+ __schedule+0x418/0xb80
+ schedule+0x5c/0x10c
+ schedule_preempt_disabled+0x2c/0x48
+ __mutex_lock+0x238/0x488
+ __mutex_lock_slowpath+0x1c/0x28
+ mutex_lock+0x50/0x74
+ clk_prepare_lock+0x7c/0x9c
+ clk_core_prepare_lock+0x20/0x44
+ clk_prepare+0x24/0x30
+ clk_bulk_prepare+0x40/0xb0
+ mdss_runtime_resume+0x54/0x1c8
+ pm_generic_runtime_resume+0x30/0x44
+ __genpd_runtime_resume+0x68/0x7c
+ genpd_runtime_resume+0x108/0x1f4
+ __rpm_callback+0x84/0x144
+ rpm_callback+0x30/0x88
+ rpm_resume+0x1f4/0x52c
+ rpm_resume+0x178/0x52c
+ __pm_runtime_resume+0x58/0x98
+ __device_attach+0xe0/0x170
+ device_initial_probe+0x1c/0x28
+ bus_probe_device+0x3c/0x9c
+ device_add+0x644/0x814
+ mipi_dsi_device_register_full+0xe4/0x170
+ devm_mipi_dsi_device_register_full+0x28/0x70
+ ti_sn_bridge_probe+0x1dc/0x2c0
+ auxiliary_bus_probe+0x4c/0x94
+ really_probe+0xcc/0x2c8
+ __driver_probe_device+0xa8/0x130
+ driver_probe_device+0x48/0x110
+ __device_attach_driver+0xa4/0xcc
+ bus_for_each_drv+0x8c/0xd8
+ __device_attach+0xf8/0x170
+ device_initial_probe+0x1c/0x28
+ bus_probe_device+0x3c/0x9c
+ deferred_probe_work_func+0x9c/0xd8
+ process_one_work+0x148/0x518
+ worker_thread+0x138/0x350
+ kthread+0x138/0x1e0
+ ret_from_fork+0x10/0x20
+
+The first thread is walking the clk tree and calling
+clk_pm_runtime_get() to power on devices required to read the clk
+hardware via struct clk_ops::is_enabled(). This thread holds the clk
+prepare_lock, and is trying to runtime PM resume a device, when it finds
+that the device is in the process of resuming so the thread schedule()s
+away waiting for the device to finish resuming before continuing. The
+second thread is runtime PM resuming the same device, but the runtime
+resume callback is calling clk_prepare(), trying to grab the
+prepare_lock waiting on the first thread.
+
+This is a classic ABBA deadlock. To properly fix the deadlock, we must
+never runtime PM resume or suspend a device with the clk prepare_lock
+held. Actually doing that is near impossible today because the global
+prepare_lock would have to be dropped in the middle of the tree, the
+device runtime PM resumed/suspended, and then the prepare_lock grabbed
+again to ensure consistency of the clk tree topology. If anything
+changes with the clk tree in the meantime, we've lost and will need to
+start the operation all over again.
+
+Luckily, most of the time we're simply incrementing or decrementing the
+runtime PM count on an active device, so we don't have the chance to
+schedule away with the prepare_lock held. Let's fix this immediate
+problem that can be triggered more easily by simply booting on Qualcomm
+sc7180.
+
+Introduce a list of clk_core structures that have been registered, or
+are in the process of being registered, that require runtime PM to
+operate. Iterate this list and call clk_pm_runtime_get() on each of them
+without holding the prepare_lock during clk_disable_unused(). This way
+we can be certain that the runtime PM state of the devices will be
+active and resumed so we can't schedule away while walking the clk tree
+with the prepare_lock held. Similarly, call clk_pm_runtime_put() without
+the prepare_lock held to properly drop the runtime PM reference. We
+remove the calls to clk_pm_runtime_{get,put}() in this path because
+they're superfluous now that we know the devices are runtime resumed.
+
+The Linux kernel CVE team has assigned CVE-2024-27004 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 4.15 with commit 9a34b45397e5 and fixed in 5.15.157 with commit a29ec0465dce
+ Issue introduced in 4.15 with commit 9a34b45397e5 and fixed in 6.1.88 with commit a424e713e0cc
+ Issue introduced in 4.15 with commit 9a34b45397e5 and fixed in 6.6.29 with commit 60ff482c4205
+ Issue introduced in 4.15 with commit 9a34b45397e5 and fixed in 6.8.8 with commit 115554862294
+ Issue introduced in 4.15 with commit 9a34b45397e5 and fixed in 6.9-rc5 with commit e581cf5d2162
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-27004
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/clk/clk.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/a29ec0465dce0b871003698698ac6fa92c9a5034
+ https://git.kernel.org/stable/c/a424e713e0cc33d4b969cfda25b9f46df4d7b5bc
+ https://git.kernel.org/stable/c/60ff482c4205a5aac3b0595ab794cfd62295dab5
+ https://git.kernel.org/stable/c/115554862294397590088ba02f11f2aba6d5016c
+ https://git.kernel.org/stable/c/e581cf5d216289ef292d1a4036d53ce90e122469
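Review bot: The description in this hunk opens with "Doug reported [1] the following hung task:" but the [1] footnote never appears in the message (the description ends at "superfluous now that we know the devices are runtime resumed." with no link after it), so the citation dangles. Either carry the referenced report link through from the commit message or strip the "[1]" marker when the trailer it points to is dropped. Separately, the issue is introduced in 4.15 but the earliest fix listed is 5.15.157, so every stable release between those two has no fixed version to point at; saying explicitly that no backport exists for older branches would be clearer than leaving readers to infer it from the absence of a line.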
diff --git a/cve/published/2024/CVE-2024-27004.sha1 b/cve/published/2024/CVE-2024-27004.sha1
new file mode 100644
index 00000000..7bf3fad8
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27004.sha1
@@ -0,0 +1 @@
+e581cf5d216289ef292d1a4036d53ce90e122469
diff --git a/cve/reserved/2024/CVE-2024-27005 b/cve/published/2024/CVE-2024-27005
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-27005
+++ b/cve/published/2024/CVE-2024-27005
diff --git a/cve/published/2024/CVE-2024-27005.json b/cve/published/2024/CVE-2024-27005.json
new file mode 100644
index 00000000..82660842
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27005.json
@@ -0,0 +1,103 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ninterconnect: Don't access req_list while it's being manipulated\n\nThe icc_lock mutex was split into separate icc_lock and icc_bw_lock\nmutexes in [1] to avoid lockdep splats. However, this didn't adequately\nprotect access to icc_node::req_list.\n\nThe icc_set_bw() function will eventually iterate over req_list while\nonly holding icc_bw_lock, but req_list can be modified while only\nholding icc_lock. This causes races between icc_set_bw(), of_icc_get(),\nand icc_put().\n\nExample A:\n\n CPU0 CPU1\n ---- ----\n icc_set_bw(path_a)\n mutex_lock(&icc_bw_lock);\n icc_put(path_b)\n mutex_lock(&icc_lock);\n aggregate_requests()\n hlist_for_each_entry(r, ...\n hlist_del(...\n <r = invalid pointer>\n\nExample B:\n\n CPU0 CPU1\n ---- ----\n icc_set_bw(path_a)\n mutex_lock(&icc_bw_lock);\n path_b = of_icc_get()\n of_icc_get_by_index()\n mutex_lock(&icc_lock);\n path_find()\n path_init()\n aggregate_requests()\n hlist_for_each_entry(r, ...\n hlist_add_head(...\n <r = invalid pointer>\n\nFix this by ensuring icc_bw_lock is always held before manipulating\nicc_node::req_list. The additional places icc_bw_lock is held don't\nperform any memory allocations, so we should still be safe from the\noriginal lockdep splats that motivated the separate locks.\n\n[1] commit af42269c3523 (\"interconnect: Fix locking for runpm vs reclaim\")"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "af42269c3523",
+ "lessThan": "d0d04efa2e36",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "af42269c3523",
+ "lessThan": "4c65507121ea",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "af42269c3523",
+ "lessThan": "de1bf25b6d77",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.6",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "6.6",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.29",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8.8",
+ "lessThanOrEqual": "6.8.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.9-rc5",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/d0d04efa2e367921654b5106cc5c05e3757c2b42"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/4c65507121ea8e0b47fae6d2049c8688390d46b6"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/de1bf25b6d771abdb52d43546cf57ad775fb68a1"
+ }
+ ],
+ "title": "interconnect: Don't access req_list while it's being manipulated",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-27005",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
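Review bot: The version data in this hunk is inconsistent with the mbox for the same CVE: the only introducing commit listed is af42269c3523 and the custom range "version": "0", "lessThan": "6.6" declares everything before 6.6 unaffected, yet the announcement states "Issue introduced in 5.15.133 with commit 9be2957f014d", "Issue introduced in 5.15.151 with commit fe549d8e9763" and "Issue introduced in 6.1.55 with commit ee42bfc791aa" (plus 6.1.81 and 6.5.5). The git-typed "versions" entries should include those introducing commits and the custom ranges should not claim 0 < 6.6 unaffected when 5.15.133 and 6.1.55 onward carry the bug; a consumer that only reads the JSON, which is what cve.org publishes, will otherwise conclude that 5.15.y and 6.1.y are safe.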
diff --git a/cve/published/2024/CVE-2024-27005.mbox b/cve/published/2024/CVE-2024-27005.mbox
new file mode 100644
index 00000000..f541bfe6
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27005.mbox
@@ -0,0 +1,114 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-27005: interconnect: Don't access req_list while it's being manipulated
+Message-Id: <2024050147-CVE-2024-27005-e630@gregkh>
+Content-Length: 3791
+Lines: 97
+X-Developer-Signature: v=1; a=openpgp-sha256; l=3889;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=WGcPTB/lzWImuB6xuJvLjZbblL/gODsvUJeuReW0roE=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGmGl9ujN6x26Yvc63YpIeFSlTzvMwt/Z6Vbi/mv26hPs
+ WVY+6yzI4aFQZCJQVZMkeXLNp6j+ysOKXoZ2p6GmcPKBDKEgYtTACbiuZVhxj/r/Ef/Pze2tMu9
+ DpmqfOPTNYvnDHOFpVhPfNu/w+23rqqrcYMtj+s/e0MA
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+interconnect: Don't access req_list while it's being manipulated
+
+The icc_lock mutex was split into separate icc_lock and icc_bw_lock
+mutexes in [1] to avoid lockdep splats. However, this didn't adequately
+protect access to icc_node::req_list.
+
+The icc_set_bw() function will eventually iterate over req_list while
+only holding icc_bw_lock, but req_list can be modified while only
+holding icc_lock. This causes races between icc_set_bw(), of_icc_get(),
+and icc_put().
+
+Example A:
+
+ CPU0 CPU1
+ ---- ----
+ icc_set_bw(path_a)
+ mutex_lock(&icc_bw_lock);
+ icc_put(path_b)
+ mutex_lock(&icc_lock);
+ aggregate_requests()
+ hlist_for_each_entry(r, ...
+ hlist_del(...
+ <r = invalid pointer>
+
+Example B:
+
+ CPU0 CPU1
+ ---- ----
+ icc_set_bw(path_a)
+ mutex_lock(&icc_bw_lock);
+ path_b = of_icc_get()
+ of_icc_get_by_index()
+ mutex_lock(&icc_lock);
+ path_find()
+ path_init()
+ aggregate_requests()
+ hlist_for_each_entry(r, ...
+ hlist_add_head(...
+ <r = invalid pointer>
+
+Fix this by ensuring icc_bw_lock is always held before manipulating
+icc_node::req_list. The additional places icc_bw_lock is held don't
+perform any memory allocations, so we should still be safe from the
+original lockdep splats that motivated the separate locks.
+
+[1] commit af42269c3523 ("interconnect: Fix locking for runpm vs reclaim")
+
+The Linux kernel CVE team has assigned CVE-2024-27005 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 6.6 with commit af42269c3523 and fixed in 6.6.29 with commit d0d04efa2e36
+ Issue introduced in 6.6 with commit af42269c3523 and fixed in 6.8.8 with commit 4c65507121ea
+ Issue introduced in 6.6 with commit af42269c3523 and fixed in 6.9-rc5 with commit de1bf25b6d77
+ Issue introduced in 5.15.133 with commit 9be2957f014d
+ Issue introduced in 5.15.151 with commit fe549d8e9763
+ Issue introduced in 6.1.55 with commit ee42bfc791aa
+ Issue introduced in 6.1.81 with commit 19ec82b3cad1
+ Issue introduced in 6.5.5 with commit 2f3a124696d4
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-27005
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/interconnect/core.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/d0d04efa2e367921654b5106cc5c05e3757c2b42
+ https://git.kernel.org/stable/c/4c65507121ea8e0b47fae6d2049c8688390d46b6
+ https://git.kernel.org/stable/c/de1bf25b6d771abdb52d43546cf57ad775fb68a1
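Review bot: The "Affected and fixed versions" list in this hunk has five "Issue introduced in ..." lines (5.15.133, 5.15.151, 6.1.55, 6.1.81, 6.5.5) with no matching "and fixed in" clause, and the Mitigation section lists only the three fix commits for 6.6.29, 6.8.8 and 6.9-rc5. That means the 5.15.y and 6.1.y stable branches are affected with nothing to point at, but the record never says so; a reader has to notice the missing clause. Suggest stating explicitly that no backport exists yet for those branches, since the "Unaffected versions might change over time" paragraph covers future backports but not the current gap.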
diff --git a/cve/published/2024/CVE-2024-27005.sha1 b/cve/published/2024/CVE-2024-27005.sha1
new file mode 100644
index 00000000..af678150
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27005.sha1
@@ -0,0 +1 @@
+de1bf25b6d771abdb52d43546cf57ad775fb68a1
diff --git a/cve/reserved/2024/CVE-2024-27006 b/cve/published/2024/CVE-2024-27006
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-27006
+++ b/cve/published/2024/CVE-2024-27006
diff --git a/cve/published/2024/CVE-2024-27006.json b/cve/published/2024/CVE-2024-27006.json
new file mode 100644
index 00000000..4f893ea9
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27006.json
@@ -0,0 +1,88 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal/debugfs: Add missing count increment to thermal_debug_tz_trip_up()\n\nThe count field in struct trip_stats, representing the number of times\nthe zone temperature was above the trip point, needs to be incremented\nin thermal_debug_tz_trip_up(), for two reasons.\n\nFirst, if a trip point is crossed on the way up for the first time,\nthermal_debug_update_temp() called from update_temperature() does\nnot see it because it has not been added to trips_crossed[] array\nin the thermal zone's struct tz_debugfs object yet. Therefore, when\nthermal_debug_tz_trip_up() is called after that, the trip point's\ncount value is 0, and the attempt to divide by it during the average\ntemperature computation leads to a divide error which causes the kernel\nto crash. Setting the count to 1 before the division by incrementing it\nfixes this problem.\n\nSecond, if a trip point is crossed on the way up, but it has been\ncrossed on the way up already before, its count value needs to be\nincremented to make a record of the fact that the zone temperature is\nabove the trip now. Without doing that, if the mitigations applied\nafter crossing the trip cause the zone temperature to drop below its\nthreshold, the count will not be updated for this episode at all and\nthe average temperature in the trip statistics record will be somewhat\nhigher than it should be.\n\nCc :6.8+ <stable@vger.kernel.org> # 6.8+"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "7ef01f228c9f",
+ "lessThan": "9c8215d32e73",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "7ef01f228c9f",
+ "lessThan": "b552f63cd437",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.8",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "6.8",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8.8",
+ "lessThanOrEqual": "6.8.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.9-rc5",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/9c8215d32e730b597c809a9d2090bf8ec1b79fcf"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/b552f63cd43735048bbe9bfbb7a9dcfce166fbdd"
+ }
+ ],
+ "title": "thermal/debugfs: Add missing count increment to thermal_debug_tz_trip_up()",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-27006",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
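Review bot: the `descriptions[].value` string in this hunk ends with the stray line `Cc :6.8+ <stable@vger.kernel.org> # 6.8+`, which is a malformed Cc: trailer from the upstream commit message (the space before the colon is likely why trailer stripping did not catch it) rather than part of the vulnerability text; consider trimming it so the published description ends at "higher than it should be." Nothing is lost by dropping it, since the 6.8+ range is already encoded by the `versions` entries (`"version": "6.8", "status": "affected"` and the `0` .. `lessThan 6.8` unaffected entry).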
diff --git a/cve/published/2024/CVE-2024-27006.mbox b/cve/published/2024/CVE-2024-27006.mbox
new file mode 100644
index 00000000..dff96b18
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27006.mbox
@@ -0,0 +1,87 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-27006: thermal/debugfs: Add missing count increment to thermal_debug_tz_trip_up()
+Message-Id: <2024050147-CVE-2024-27006-3b6f@gregkh>
+Content-Length: 2938
+Lines: 70
+X-Developer-Signature: v=1; a=openpgp-sha256; l=3009;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=lbqvPp1Yg2tO/qVTj6/zsw59e/wnZ70jaBWrg6PbZMc=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGmGl9s5NXqOuJZe0HHpjPGpXR6wunXqZDmTf3/Yf25zO
+ m4hZnS+I5aFQZCJQVZMkeXLNp6j+ysOKXoZ2p6GmcPKBDKEgYtTACaySJRhfli80HkV0V6BO4on
+ 5U0Dd389NFfkA8McnmXuD5idnZ8LzD4m9XS6wtt/ivUTAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+thermal/debugfs: Add missing count increment to thermal_debug_tz_trip_up()
+
+The count field in struct trip_stats, representing the number of times
+the zone temperature was above the trip point, needs to be incremented
+in thermal_debug_tz_trip_up(), for two reasons.
+
+First, if a trip point is crossed on the way up for the first time,
+thermal_debug_update_temp() called from update_temperature() does
+not see it because it has not been added to trips_crossed[] array
+in the thermal zone's struct tz_debugfs object yet. Therefore, when
+thermal_debug_tz_trip_up() is called after that, the trip point's
+count value is 0, and the attempt to divide by it during the average
+temperature computation leads to a divide error which causes the kernel
+to crash. Setting the count to 1 before the division by incrementing it
+fixes this problem.
+
+Second, if a trip point is crossed on the way up, but it has been
+crossed on the way up already before, its count value needs to be
+incremented to make a record of the fact that the zone temperature is
+above the trip now. Without doing that, if the mitigations applied
+after crossing the trip cause the zone temperature to drop below its
+threshold, the count will not be updated for this episode at all and
+the average temperature in the trip statistics record will be somewhat
+higher than it should be.
+
+Cc :6.8+ <stable@vger.kernel.org> # 6.8+
+
+The Linux kernel CVE team has assigned CVE-2024-27006 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 6.8 with commit 7ef01f228c9f and fixed in 6.8.8 with commit 9c8215d32e73
+ Issue introduced in 6.8 with commit 7ef01f228c9f and fixed in 6.9-rc5 with commit b552f63cd437
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-27006
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/thermal/thermal_debugfs.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/9c8215d32e730b597c809a9d2090bf8ec1b79fcf
+ https://git.kernel.org/stable/c/b552f63cd43735048bbe9bfbb7a9dcfce166fbdd
diff --git a/cve/published/2024/CVE-2024-27006.sha1 b/cve/published/2024/CVE-2024-27006.sha1
new file mode 100644
index 00000000..b1aaeefe
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27006.sha1
@@ -0,0 +1 @@
+b552f63cd43735048bbe9bfbb7a9dcfce166fbdd
diff --git a/cve/reserved/2024/CVE-2024-27007 b/cve/published/2024/CVE-2024-27007
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-27007
+++ b/cve/published/2024/CVE-2024-27007
diff --git a/cve/published/2024/CVE-2024-27007.json b/cve/published/2024/CVE-2024-27007.json
new file mode 100644
index 00000000..59ad6180
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27007.json
@@ -0,0 +1,88 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nuserfaultfd: change src_folio after ensuring it's unpinned in UFFDIO_MOVE\n\nCommit d7a08838ab74 (\"mm: userfaultfd: fix unexpected change to src_folio\nwhen UFFDIO_MOVE fails\") moved the src_folio->{mapping, index} changing to\nafter clearing the page-table and ensuring that it's not pinned. This\navoids failure of swapout+migration and possibly memory corruption.\n\nHowever, the commit missed fixing it in the huge-page case."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "adef440691ba",
+ "lessThan": "df5f6e683e7f",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "adef440691ba",
+ "lessThan": "c0205eaf3af9",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.8",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "6.8",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8.8",
+ "lessThanOrEqual": "6.8.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.9-rc5",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/df5f6e683e7f21a15d8be6e7a0c7a46436963ebe"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/c0205eaf3af9f5db14d4b5ee4abacf4a583c3c50"
+ }
+ ],
+ "title": "userfaultfd: change src_folio after ensuring it's unpinned in UFFDIO_MOVE",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-27007",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-27007.mbox b/cve/published/2024/CVE-2024-27007.mbox
new file mode 100644
index 00000000..68bb1616
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27007.mbox
@@ -0,0 +1,69 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-27007: userfaultfd: change src_folio after ensuring it's unpinned in UFFDIO_MOVE
+Message-Id: <2024050147-CVE-2024-27007-686b@gregkh>
+Content-Length: 1961
+Lines: 52
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2014;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=Zkhxyi0Xa30h4xNr9lYzUfUwCrp/5Kd1cIgCbxysVJ8=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGmGl9ujy509fFUvShQH6U/kXyqiFsPemLJu04k//5mWd
+ qXW5TzviGVhEGRikBVTZPmyjefo/opDil6Gtqdh5rAygQxh4OIUgIk8j2FYsOLBnPIze+9/+6l8
+ ytJHomWapsD5KIb5wfPszO48vfPUPWb+qZC/VVuvOmuXAgA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+userfaultfd: change src_folio after ensuring it's unpinned in UFFDIO_MOVE
+
+Commit d7a08838ab74 ("mm: userfaultfd: fix unexpected change to src_folio
+when UFFDIO_MOVE fails") moved the src_folio->{mapping, index} changing to
+after clearing the page-table and ensuring that it's not pinned. This
+avoids failure of swapout+migration and possibly memory corruption.
+
+However, the commit missed fixing it in the huge-page case.
+
+The Linux kernel CVE team has assigned CVE-2024-27007 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 6.8 with commit adef440691ba and fixed in 6.8.8 with commit df5f6e683e7f
+ Issue introduced in 6.8 with commit adef440691ba and fixed in 6.9-rc5 with commit c0205eaf3af9
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-27007
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ mm/huge_memory.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/df5f6e683e7f21a15d8be6e7a0c7a46436963ebe
+ https://git.kernel.org/stable/c/c0205eaf3af9f5db14d4b5ee4abacf4a583c3c50
diff --git a/cve/published/2024/CVE-2024-27007.sha1 b/cve/published/2024/CVE-2024-27007.sha1
new file mode 100644
index 00000000..de52afb0
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27007.sha1
@@ -0,0 +1 @@
+c0205eaf3af9f5db14d4b5ee4abacf4a583c3c50
diff --git a/cve/reserved/2024/CVE-2024-27008 b/cve/published/2024/CVE-2024-27008
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-27008
+++ b/cve/published/2024/CVE-2024-27008
diff --git a/cve/published/2024/CVE-2024-27008.json b/cve/published/2024/CVE-2024-27008.json
new file mode 100644
index 00000000..b2b33b42
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27008.json
@@ -0,0 +1,133 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: nv04: Fix out of bounds access\n\nWhen Output Resource (dcb->or) value is assigned in\nfabricate_dcb_output(), there may be out of bounds access to\ndac_users array in case dcb->or is zero because ffs(dcb->or) is\nused as index there.\nThe 'or' argument of fabricate_dcb_output() must be interpreted as a\nnumber of bit to set, not value.\n\nUtilize macros from 'enum nouveau_or' in calls instead of hardcoding.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "2e5702aff395",
+ "lessThan": "df0991da7db8",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "2e5702aff395",
+ "lessThan": "5fd4b090304e",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "2e5702aff395",
+ "lessThan": "6690cc2732e2",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "2e5702aff395",
+ "lessThan": "26212da39ee1",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "2e5702aff395",
+ "lessThan": "cf92bb778eda",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "2.6.38",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "2.6.38",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.157",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.88",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.29",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8.8",
+ "lessThanOrEqual": "6.8.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.9-rc5",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/df0991da7db846f7fa4ec6740350f743d3b69b04"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/5fd4b090304e450aa0e7cc9cc2b4873285c6face"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/6690cc2732e2a8d0eaca44dcbac032a4b0148042"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/26212da39ee14a52c76a202c6ae5153a84f579a5"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/cf92bb778eda7830e79452c6917efa8474a30c1e"
+ }
+ ],
+ "title": "drm: nv04: Fix out of bounds access",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-27008",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-27008.mbox b/cve/published/2024/CVE-2024-27008.mbox
new file mode 100644
index 00000000..5db73c63
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27008.mbox
@@ -0,0 +1,79 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-27008: drm: nv04: Fix out of bounds access
+Message-Id: <2024050148-CVE-2024-27008-5964@gregkh>
+Content-Length: 2558
+Lines: 62
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2621;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=9h1Uq9ug0upiwuvUGHKaR15PwMpj5bOKksPxPa8a7UE=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGmGlzvuzZT5Yri/9fcs1Y0ti7Xi584+OatURKrZL9qrb
+ sLR6Nk7O2JZGASZGGTFFFm+bOM5ur/ikKKXoe1pmDmsTCBDGLg4BeAiHAzzrD5mh0eIH1YvrPtu
+ tWX7/p+t84smMSy44VJi5/zo4srQE58qZ61iv3Ly/osQAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+drm: nv04: Fix out of bounds access
+
+When Output Resource (dcb->or) value is assigned in
+fabricate_dcb_output(), there may be out of bounds access to
+dac_users array in case dcb->or is zero because ffs(dcb->or) is
+used as index there.
+The 'or' argument of fabricate_dcb_output() must be interpreted as a
+number of bit to set, not value.
+
+Utilize macros from 'enum nouveau_or' in calls instead of hardcoding.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+The Linux kernel CVE team has assigned CVE-2024-27008 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 2.6.38 with commit 2e5702aff395 and fixed in 5.15.157 with commit df0991da7db8
+ Issue introduced in 2.6.38 with commit 2e5702aff395 and fixed in 6.1.88 with commit 5fd4b090304e
+ Issue introduced in 2.6.38 with commit 2e5702aff395 and fixed in 6.6.29 with commit 6690cc2732e2
+ Issue introduced in 2.6.38 with commit 2e5702aff395 and fixed in 6.8.8 with commit 26212da39ee1
+ Issue introduced in 2.6.38 with commit 2e5702aff395 and fixed in 6.9-rc5 with commit cf92bb778eda
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-27008
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/gpu/drm/nouveau/nouveau_bios.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/df0991da7db846f7fa4ec6740350f743d3b69b04
+ https://git.kernel.org/stable/c/5fd4b090304e450aa0e7cc9cc2b4873285c6face
+ https://git.kernel.org/stable/c/6690cc2732e2a8d0eaca44dcbac032a4b0148042
+ https://git.kernel.org/stable/c/26212da39ee14a52c76a202c6ae5153a84f579a5
+ https://git.kernel.org/stable/c/cf92bb778eda7830e79452c6917efa8474a30c1e
diff --git a/cve/published/2024/CVE-2024-27008.sha1 b/cve/published/2024/CVE-2024-27008.sha1
new file mode 100644
index 00000000..7539f43e
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27008.sha1
@@ -0,0 +1 @@
+cf92bb778eda7830e79452c6917efa8474a30c1e
diff --git a/cve/reserved/2024/CVE-2024-27009 b/cve/published/2024/CVE-2024-27009
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-27009
+++ b/cve/published/2024/CVE-2024-27009
diff --git a/cve/published/2024/CVE-2024-27009.json b/cve/published/2024/CVE-2024-27009.json
new file mode 100644
index 00000000..00a33562
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27009.json
@@ -0,0 +1,133 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/cio: fix race condition during online processing\n\nA race condition exists in ccw_device_set_online() that can cause the\nonline process to fail, leaving the affected device in an inconsistent\nstate. As a result, subsequent attempts to set that device online fail\nwith return code ENODEV.\n\nThe problem occurs when a path verification request arrives after\na wait for final device state completed, but before the result state\nis evaluated.\n\nFix this by ensuring that the CCW-device lock is held between\ndetermining final state and checking result state.\n\nNote that since:\n\ncommit 2297791c92d0 (\"s390/cio: dont unregister subchannel from child-drivers\")\n\npath verification requests are much more likely to occur during boot,\nresulting in an increased chance of this race condition occurring."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "2297791c92d0",
+ "lessThan": "3076b3c38a70",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "2297791c92d0",
+ "lessThan": "559f3a633339",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "2297791c92d0",
+ "lessThan": "2df56f4ea769",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "2297791c92d0",
+ "lessThan": "a4234decd0fe",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "2297791c92d0",
+ "lessThan": "2d8527f2f911",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.15",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.15",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.157",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.88",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.29",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8.8",
+ "lessThanOrEqual": "6.8.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.9-rc5",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/3076b3c38a704e10df5e143c213653309d532538"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/559f3a6333397ab6cd4a696edd65a70b6be62c6e"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/2df56f4ea769ff81e51bbb05699989603bde9c49"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/a4234decd0fe429832ca81c4637be7248b88b49e"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/2d8527f2f911fab84aec04df4788c0c23af3df48"
+ }
+ ],
+ "title": "s390/cio: fix race condition during online processing",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-27009",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
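Review bot: the git range in `affected[0].versions` treats 2297791c92d0 as the introducing commit, but the description says the race "exists in ccw_device_set_online()" and that this commit only makes path verification requests "much more likely to occur during boot", i.e. it widened the window rather than created the bug. The semantic entry `"version": "0", "lessThan": "5.15", "status": "unaffected"` therefore asserts more about pre-5.15 kernels than the description supports; unless 2297791c92d0 is in fact known to be the root-cause commit, either drop that unaffected entry (leaving `defaultStatus: affected` to cover older trees) or add wording that the range reflects practical exposure rather than where the race was introduced.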
diff --git a/cve/published/2024/CVE-2024-27009.mbox b/cve/published/2024/CVE-2024-27009.mbox
new file mode 100644
index 00000000..bb476176
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27009.mbox
@@ -0,0 +1,87 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-27009: s390/cio: fix race condition during online processing
+Message-Id: <2024050148-CVE-2024-27009-d63d@gregkh>
+Content-Length: 2853
+Lines: 70
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2924;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=zj74LIrvL3drapq6ruGyJrX9BMpnfdX8CQhHFYI+pvQ=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGmGlzvcXOQKKvSeJNa/X/XIflbRBUPt4pkshSYhHct+L
+ 5ui5PC7I5aFQZCJQVZMkeXLNp6j+ysOKXoZ2p6GmcPKBDKEgYtTACYi8pthrujLMIu8cN+Yv/0O
+ l3eKHWpfp2vnxTBPXfRHT8mlpaZ2+ZxTNOq+Jv7psvYAAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+s390/cio: fix race condition during online processing
+
+A race condition exists in ccw_device_set_online() that can cause the
+online process to fail, leaving the affected device in an inconsistent
+state. As a result, subsequent attempts to set that device online fail
+with return code ENODEV.
+
+The problem occurs when a path verification request arrives after
+a wait for final device state completed, but before the result state
+is evaluated.
+
+Fix this by ensuring that the CCW-device lock is held between
+determining final state and checking result state.
+
+Note that since:
+
+commit 2297791c92d0 ("s390/cio: dont unregister subchannel from child-drivers")
+
+path verification requests are much more likely to occur during boot,
+resulting in an increased chance of this race condition occurring.
+
+The Linux kernel CVE team has assigned CVE-2024-27009 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.15 with commit 2297791c92d0 and fixed in 5.15.157 with commit 3076b3c38a70
+ Issue introduced in 5.15 with commit 2297791c92d0 and fixed in 6.1.88 with commit 559f3a633339
+ Issue introduced in 5.15 with commit 2297791c92d0 and fixed in 6.6.29 with commit 2df56f4ea769
+ Issue introduced in 5.15 with commit 2297791c92d0 and fixed in 6.8.8 with commit a4234decd0fe
+ Issue introduced in 5.15 with commit 2297791c92d0 and fixed in 6.9-rc5 with commit 2d8527f2f911
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-27009
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/s390/cio/device.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/3076b3c38a704e10df5e143c213653309d532538
+ https://git.kernel.org/stable/c/559f3a6333397ab6cd4a696edd65a70b6be62c6e
+ https://git.kernel.org/stable/c/2df56f4ea769ff81e51bbb05699989603bde9c49
+ https://git.kernel.org/stable/c/a4234decd0fe429832ca81c4637be7248b88b49e
+ https://git.kernel.org/stable/c/2d8527f2f911fab84aec04df4788c0c23af3df48
diff --git a/cve/published/2024/CVE-2024-27009.sha1 b/cve/published/2024/CVE-2024-27009.sha1
new file mode 100644
index 00000000..5f99fc8c
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27009.sha1
@@ -0,0 +1 @@
+2d8527f2f911fab84aec04df4788c0c23af3df48
diff --git a/cve/reserved/2024/CVE-2024-27010 b/cve/published/2024/CVE-2024-27010
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-27010
+++ b/cve/published/2024/CVE-2024-27010
diff --git a/cve/published/2024/CVE-2024-27010.json b/cve/published/2024/CVE-2024-27010.json
new file mode 100644
index 00000000..c43a107b
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27010.json
@@ -0,0 +1,88 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Fix mirred deadlock on device recursion\n\nWhen the mirred action is used on a classful egress qdisc and a packet is\nmirrored or redirected to self we hit a qdisc lock deadlock.\nSee trace below.\n\n[..... other info removed for brevity....]\n[ 82.890906]\n[ 82.890906] ============================================\n[ 82.890906] WARNING: possible recursive locking detected\n[ 82.890906] 6.8.0-05205-g77fadd89fe2d-dirty #213 Tainted: G W\n[ 82.890906] --------------------------------------------\n[ 82.890906] ping/418 is trying to acquire lock:\n[ 82.890906] ffff888006994110 (&sch->q.lock){+.-.}-{3:3}, at:\n__dev_queue_xmit+0x1778/0x3550\n[ 82.890906]\n[ 82.890906] but task is already holding lock:\n[ 82.890906] ffff888006994110 (&sch->q.lock){+.-.}-{3:3}, at:\n__dev_queue_xmit+0x1778/0x3550\n[ 82.890906]\n[ 82.890906] other info that might help us debug this:\n[ 82.890906] Possible unsafe locking scenario:\n[ 82.890906]\n[ 82.890906] CPU0\n[ 82.890906] ----\n[ 82.890906] lock(&sch->q.lock);\n[ 82.890906] lock(&sch->q.lock);\n[ 82.890906]\n[ 82.890906] *** DEADLOCK ***\n[ 82.890906]\n[..... other info removed for brevity....]\n\nExample setup (eth0->eth0) to recreate\ntc qdisc add dev eth0 root handle 1: htb default 30\ntc filter add dev eth0 handle 1: protocol ip prio 2 matchall \\\n action mirred egress redirect dev eth0\n\nAnother example(eth0->eth1->eth0) to recreate\ntc qdisc add dev eth0 root handle 1: htb default 30\ntc filter add dev eth0 handle 1: protocol ip prio 2 matchall \\\n action mirred egress redirect dev eth1\n\ntc qdisc add dev eth1 root handle 1: htb default 30\ntc filter add dev eth1 handle 1: protocol ip prio 2 matchall \\\n action mirred egress redirect dev eth0\n\nWe fix this by adding an owner field (CPU id) to struct Qdisc set after\nroot qdisc is entered. 
When the softirq enters it a second time, if the\nqdisc owner is the same CPU, the packet is dropped to break the loop."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "e578d9c02587",
+ "lessThan": "e6b90468da4d",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "e578d9c02587",
+ "lessThan": "0f022d32c3ec",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "4.2",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "4.2",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8.8",
+ "lessThanOrEqual": "6.8.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.9-rc5",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/e6b90468da4dae2281a6e381107f411efb48b0ef"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/0f022d32c3eca477fbf79a205243a6123ed0fe11"
+ }
+ ],
+ "title": "net/sched: Fix mirred deadlock on device recursion",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-27010",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
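Review bot: the "affected" block of this CVE-2024-27010 record lists only 6.8.8 and 6.9-rc5 as unaffected against an introduction in 4.2 with "defaultStatus": "affected", so every older stable series (6.6.x, 6.1.x, 5.15.x, 5.10.x, 5.4.x) is reported as affected with no fix referenced; confirm that this is intended (no backports of e6b90468da4d yet) rather than a range that was dropped, since the CVE-2024-27013 record in this same commit does carry 5.15.157, 6.1.88 and 6.6.29 entries. If the other branches are still unfixed, leaving them affected is correct and the mbox caveat "Unaffected versions might change over time as fixes are backported" covers it; if not, add the matching git ranges and "custom" version entries here before the record is published.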
diff --git a/cve/published/2024/CVE-2024-27010.mbox b/cve/published/2024/CVE-2024-27010.mbox
new file mode 100644
index 00000000..5494622f
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27010.mbox
@@ -0,0 +1,112 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-27010: net/sched: Fix mirred deadlock on device recursion
+Message-Id: <2024050148-CVE-2024-27010-5a68@gregkh>
+Content-Length: 3558
+Lines: 95
+X-Developer-Signature: v=1; a=openpgp-sha256; l=3654;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=Yc9E0RtzlZYPQDrn++hOXu3iNj0pAz3UNBhFiwxedZM=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGmGlzt2Oiec5hJ59bHos2MQt/4Ml4TFKgotoaHsKWLSP
+ eK1P+Z0xLIwCDIxyIopsnzZxnN0f8UhRS9D29Mwc1iZQIYwcHEKwERcjBgWbDd6oGAUICXtrfW+
+ Wiy51jY1hechw4KJGzo6Nxo9Pf2e2Wze0UnC4qGnvvwFAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+net/sched: Fix mirred deadlock on device recursion
+
+When the mirred action is used on a classful egress qdisc and a packet is
+mirrored or redirected to self we hit a qdisc lock deadlock.
+See trace below.
+
+[..... other info removed for brevity....]
+[ 82.890906]
+[ 82.890906] ============================================
+[ 82.890906] WARNING: possible recursive locking detected
+[ 82.890906] 6.8.0-05205-g77fadd89fe2d-dirty #213 Tainted: G W
+[ 82.890906] --------------------------------------------
+[ 82.890906] ping/418 is trying to acquire lock:
+[ 82.890906] ffff888006994110 (&sch->q.lock){+.-.}-{3:3}, at:
+__dev_queue_xmit+0x1778/0x3550
+[ 82.890906]
+[ 82.890906] but task is already holding lock:
+[ 82.890906] ffff888006994110 (&sch->q.lock){+.-.}-{3:3}, at:
+__dev_queue_xmit+0x1778/0x3550
+[ 82.890906]
+[ 82.890906] other info that might help us debug this:
+[ 82.890906] Possible unsafe locking scenario:
+[ 82.890906]
+[ 82.890906] CPU0
+[ 82.890906] ----
+[ 82.890906] lock(&sch->q.lock);
+[ 82.890906] lock(&sch->q.lock);
+[ 82.890906]
+[ 82.890906] *** DEADLOCK ***
+[ 82.890906]
+[..... other info removed for brevity....]
+
+Example setup (eth0->eth0) to recreate
+tc qdisc add dev eth0 root handle 1: htb default 30
+tc filter add dev eth0 handle 1: protocol ip prio 2 matchall \
+ action mirred egress redirect dev eth0
+
+Another example(eth0->eth1->eth0) to recreate
+tc qdisc add dev eth0 root handle 1: htb default 30
+tc filter add dev eth0 handle 1: protocol ip prio 2 matchall \
+ action mirred egress redirect dev eth1
+
+tc qdisc add dev eth1 root handle 1: htb default 30
+tc filter add dev eth1 handle 1: protocol ip prio 2 matchall \
+ action mirred egress redirect dev eth0
+
+We fix this by adding an owner field (CPU id) to struct Qdisc set after
+root qdisc is entered. When the softirq enters it a second time, if the
+qdisc owner is the same CPU, the packet is dropped to break the loop.
+
+The Linux kernel CVE team has assigned CVE-2024-27010 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 4.2 with commit e578d9c02587 and fixed in 6.8.8 with commit e6b90468da4d
+ Issue introduced in 4.2 with commit e578d9c02587 and fixed in 6.9-rc5 with commit 0f022d32c3ec
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-27010
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ include/net/sch_generic.h
+ net/core/dev.c
+ net/sched/sch_generic.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/e6b90468da4dae2281a6e381107f411efb48b0ef
+ https://git.kernel.org/stable/c/0f022d32c3eca477fbf79a205243a6123ed0fe11
diff --git a/cve/published/2024/CVE-2024-27010.sha1 b/cve/published/2024/CVE-2024-27010.sha1
new file mode 100644
index 00000000..6f2b44ea
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27010.sha1
@@ -0,0 +1 @@
+0f022d32c3eca477fbf79a205243a6123ed0fe11
diff --git a/cve/reserved/2024/CVE-2024-27011 b/cve/published/2024/CVE-2024-27011
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-27011
+++ b/cve/published/2024/CVE-2024-27011
diff --git a/cve/published/2024/CVE-2024-27011.json b/cve/published/2024/CVE-2024-27011.json
new file mode 100644
index 00000000..c79372a2
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27011.json
@@ -0,0 +1,88 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fix memleak in map from abort path\n\nThe delete set command does not rely on the transaction object for\nelement removal, therefore, a combination of delete element + delete set\nfrom the abort path could result in restoring twice the refcount of the\nmapping.\n\nCheck for inactive element in the next generation for the delete element\ncommand in the abort path, skip restoring state if next generation bit\nhas been already cleared. This is similar to the activate logic using\nthe set walk iterator.\n\n[ 6170.286929] ------------[ cut here ]------------\n[ 6170.286939] WARNING: CPU: 6 PID: 790302 at net/netfilter/nf_tables_api.c:2086 nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\n[ 6170.287071] Modules linked in: [...]\n[ 6170.287633] CPU: 6 PID: 790302 Comm: kworker/6:2 Not tainted 6.9.0-rc3+ #365\n[ 6170.287768] RIP: 0010:nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\n[ 6170.287886] Code: df 48 8d 7d 58 e8 69 2e 3b df 48 8b 7d 58 e8 80 1b 37 df 48 8d 7d 68 e8 57 2e 3b df 48 8b 7d 68 e8 6e 1b 37 df 48 89 ef eb c4 <0f> 0b 48 83 c4 08 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 0f\n[ 6170.287895] RSP: 0018:ffff888134b8fd08 EFLAGS: 00010202\n[ 6170.287904] RAX: 0000000000000001 RBX: ffff888125bffb28 RCX: dffffc0000000000\n[ 6170.287912] RDX: 0000000000000003 RSI: ffffffffa20298ab RDI: ffff88811ebe4750\n[ 6170.287919] RBP: ffff88811ebe4700 R08: ffff88838e812650 R09: fffffbfff0623a55\n[ 6170.287926] R10: ffffffff8311d2af R11: 0000000000000001 R12: ffff888125bffb10\n[ 6170.287933] R13: ffff888125bffb10 R14: dead000000000122 R15: dead000000000100\n[ 6170.287940] FS: 0000000000000000(0000) GS:ffff888390b00000(0000) knlGS:0000000000000000\n[ 6170.287948] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 6170.287955] CR2: 00007fd31fc00710 CR3: 0000000133f60004 CR4: 00000000001706f0\n[ 6170.287962] Call Trace:\n[ 6170.287967] <TASK>\n[ 6170.287973] ? 
__warn+0x9f/0x1a0\n[ 6170.287986] ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\n[ 6170.288092] ? report_bug+0x1b1/0x1e0\n[ 6170.287986] ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\n[ 6170.288092] ? report_bug+0x1b1/0x1e0\n[ 6170.288104] ? handle_bug+0x3c/0x70\n[ 6170.288112] ? exc_invalid_op+0x17/0x40\n[ 6170.288120] ? asm_exc_invalid_op+0x1a/0x20\n[ 6170.288132] ? nf_tables_chain_destroy+0x2b/0x220 [nf_tables]\n[ 6170.288243] ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\n[ 6170.288366] ? nf_tables_chain_destroy+0x2b/0x220 [nf_tables]\n[ 6170.288483] nf_tables_trans_destroy_work+0x588/0x590 [nf_tables]"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "591054469b3e",
+ "lessThan": "49d0e656d19d",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "591054469b3e",
+ "lessThan": "86a1471d7cde",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "4.12",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "4.12",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8.8",
+ "lessThanOrEqual": "6.8.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.9-rc5",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/49d0e656d19dfb2d4d7c230e4a720d37b3decff6"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/86a1471d7cde792941109b93b558b5dc078b9ee9"
+ }
+ ],
+ "title": "netfilter: nf_tables: fix memleak in map from abort path",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-27011",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
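Review bot: the call trace embedded in the CVE-2024-27011 description repeats two frames, "[ 6170.287986] ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]" and "[ 6170.288092] ? report_bug+0x1b1/0x1e0", which appear twice in sequence (the same duplication is in the .mbox below). If the text is copied verbatim from the upstream commit message, as the "In the Linux kernel, the following vulnerability has been resolved:" template implies, leave it so the record matches the commit; otherwise drop the second copy in both the JSON and the .mbox so the two stay byte-consistent.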
diff --git a/cve/published/2024/CVE-2024-27011.mbox b/cve/published/2024/CVE-2024-27011.mbox
new file mode 100644
index 00000000..c2f72aac
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27011.mbox
@@ -0,0 +1,102 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-27011: netfilter: nf_tables: fix memleak in map from abort path
+Message-Id: <2024050148-CVE-2024-27011-2c70@gregkh>
+Content-Length: 4055
+Lines: 85
+X-Developer-Signature: v=1; a=openpgp-sha256; l=4141;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=wqc4NlSX8uUHUBaOBES2Fvfh2K2EC4M03wVNd5TKXxM=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGmGlzteH+7fWtAaWOWQcap+8qzomHjLLz/MPZ5oHthxS
+ vXh9ul3O2JZGASZGGTFFFm+bOM5ur/ikKKXoe1pmDmsTCBDGLg4BWAi7ckMC7pNmBTFeZeV3qzl
+ rVQI4VZz3S7BwTC/tKxOkdFdf03U9zQWxxV1bFtTr6gCAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+netfilter: nf_tables: fix memleak in map from abort path
+
+The delete set command does not rely on the transaction object for
+element removal, therefore, a combination of delete element + delete set
+from the abort path could result in restoring twice the refcount of the
+mapping.
+
+Check for inactive element in the next generation for the delete element
+command in the abort path, skip restoring state if next generation bit
+has been already cleared. This is similar to the activate logic using
+the set walk iterator.
+
+[ 6170.286929] ------------[ cut here ]------------
+[ 6170.286939] WARNING: CPU: 6 PID: 790302 at net/netfilter/nf_tables_api.c:2086 nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]
+[ 6170.287071] Modules linked in: [...]
+[ 6170.287633] CPU: 6 PID: 790302 Comm: kworker/6:2 Not tainted 6.9.0-rc3+ #365
+[ 6170.287768] RIP: 0010:nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]
+[ 6170.287886] Code: df 48 8d 7d 58 e8 69 2e 3b df 48 8b 7d 58 e8 80 1b 37 df 48 8d 7d 68 e8 57 2e 3b df 48 8b 7d 68 e8 6e 1b 37 df 48 89 ef eb c4 <0f> 0b 48 83 c4 08 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 0f
+[ 6170.287895] RSP: 0018:ffff888134b8fd08 EFLAGS: 00010202
+[ 6170.287904] RAX: 0000000000000001 RBX: ffff888125bffb28 RCX: dffffc0000000000
+[ 6170.287912] RDX: 0000000000000003 RSI: ffffffffa20298ab RDI: ffff88811ebe4750
+[ 6170.287919] RBP: ffff88811ebe4700 R08: ffff88838e812650 R09: fffffbfff0623a55
+[ 6170.287926] R10: ffffffff8311d2af R11: 0000000000000001 R12: ffff888125bffb10
+[ 6170.287933] R13: ffff888125bffb10 R14: dead000000000122 R15: dead000000000100
+[ 6170.287940] FS: 0000000000000000(0000) GS:ffff888390b00000(0000) knlGS:0000000000000000
+[ 6170.287948] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 6170.287955] CR2: 00007fd31fc00710 CR3: 0000000133f60004 CR4: 00000000001706f0
+[ 6170.287962] Call Trace:
+[ 6170.287967] <TASK>
+[ 6170.287973] ? __warn+0x9f/0x1a0
+[ 6170.287986] ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]
+[ 6170.288092] ? report_bug+0x1b1/0x1e0
+[ 6170.287986] ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]
+[ 6170.288092] ? report_bug+0x1b1/0x1e0
+[ 6170.288104] ? handle_bug+0x3c/0x70
+[ 6170.288112] ? exc_invalid_op+0x17/0x40
+[ 6170.288120] ? asm_exc_invalid_op+0x1a/0x20
+[ 6170.288132] ? nf_tables_chain_destroy+0x2b/0x220 [nf_tables]
+[ 6170.288243] ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]
+[ 6170.288366] ? nf_tables_chain_destroy+0x2b/0x220 [nf_tables]
+[ 6170.288483] nf_tables_trans_destroy_work+0x588/0x590 [nf_tables]
+
+The Linux kernel CVE team has assigned CVE-2024-27011 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 4.12 with commit 591054469b3e and fixed in 6.8.8 with commit 49d0e656d19d
+ Issue introduced in 4.12 with commit 591054469b3e and fixed in 6.9-rc5 with commit 86a1471d7cde
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-27011
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ net/netfilter/nf_tables_api.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/49d0e656d19dfb2d4d7c230e4a720d37b3decff6
+ https://git.kernel.org/stable/c/86a1471d7cde792941109b93b558b5dc078b9ee9
diff --git a/cve/published/2024/CVE-2024-27011.sha1 b/cve/published/2024/CVE-2024-27011.sha1
new file mode 100644
index 00000000..a062fce6
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27011.sha1
@@ -0,0 +1 @@
+86a1471d7cde792941109b93b558b5dc078b9ee9
diff --git a/cve/reserved/2024/CVE-2024-27012 b/cve/published/2024/CVE-2024-27012
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-27012
+++ b/cve/published/2024/CVE-2024-27012
diff --git a/cve/published/2024/CVE-2024-27012.json b/cve/published/2024/CVE-2024-27012.json
new file mode 100644
index 00000000..0aa68e15
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27012.json
@@ -0,0 +1,88 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: restore set elements when delete set fails\n\nFrom abort path, nft_mapelem_activate() needs to restore refcounters to\nthe original state. Currently, it uses the set->ops->walk() to iterate\nover these set elements. The existing set iterator skips inactive\nelements in the next generation, this does not work from the abort path\nto restore the original state since it has to skip active elements\ninstead (not inactive ones).\n\nThis patch moves the check for inactive elements to the set iterator\ncallback, then it reverses the logic for the .activate case which\nneeds to skip active elements.\n\nToggle next generation bit for elements when delete set command is\ninvoked and call nft_clear() from .activate (abort) path to restore the\nnext generation bit.\n\nThe splat below shows an object in mappings memleak:\n\n[43929.457523] ------------[ cut here ]------------\n[43929.457532] WARNING: CPU: 0 PID: 1139 at include/net/netfilter/nf_tables.h:1237 nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]\n[...]\n[43929.458014] RIP: 0010:nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]\n[43929.458076] Code: 83 f8 01 77 ab 49 8d 7c 24 08 e8 37 5e d0 de 49 8b 6c 24 08 48 8d 7d 50 e8 e9 5c d0 de 8b 45 50 8d 50 ff 89 55 50 85 c0 75 86 <0f> 0b eb 82 0f 0b eb b3 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90\n[43929.458081] RSP: 0018:ffff888140f9f4b0 EFLAGS: 00010246\n[43929.458086] RAX: 0000000000000000 RBX: ffff8881434f5288 RCX: dffffc0000000000\n[43929.458090] RDX: 00000000ffffffff RSI: ffffffffa26d28a7 RDI: ffff88810ecc9550\n[43929.458093] RBP: ffff88810ecc9500 R08: 0000000000000001 R09: ffffed10281f3e8f\n[43929.458096] R10: 0000000000000003 R11: ffff0000ffff0000 R12: ffff8881434f52a0\n[43929.458100] R13: ffff888140f9f5f4 R14: ffff888151c7a800 R15: 0000000000000002\n[43929.458103] FS: 00007f0c687c4740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000\n[43929.458107] CS: 0010 
DS: 0000 ES: 0000 CR0: 0000000080050033\n[43929.458111] CR2: 00007f58dbe5b008 CR3: 0000000123602005 CR4: 00000000001706f0\n[43929.458114] Call Trace:\n[43929.458118] <TASK>\n[43929.458121] ? __warn+0x9f/0x1a0\n[43929.458127] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]\n[43929.458188] ? report_bug+0x1b1/0x1e0\n[43929.458196] ? handle_bug+0x3c/0x70\n[43929.458200] ? exc_invalid_op+0x17/0x40\n[43929.458211] ? nft_setelem_data_deactivate+0xd7/0xf0 [nf_tables]\n[43929.458271] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]\n[43929.458332] nft_mapelem_deactivate+0x24/0x30 [nf_tables]\n[43929.458392] nft_rhash_walk+0xdd/0x180 [nf_tables]\n[43929.458453] ? __pfx_nft_rhash_walk+0x10/0x10 [nf_tables]\n[43929.458512] ? rb_insert_color+0x2e/0x280\n[43929.458520] nft_map_deactivate+0xdc/0x1e0 [nf_tables]\n[43929.458582] ? __pfx_nft_map_deactivate+0x10/0x10 [nf_tables]\n[43929.458642] ? __pfx_nft_mapelem_deactivate+0x10/0x10 [nf_tables]\n[43929.458701] ? __rcu_read_unlock+0x46/0x70\n[43929.458709] nft_delset+0xff/0x110 [nf_tables]\n[43929.458769] nft_flush_table+0x16f/0x460 [nf_tables]\n[43929.458830] nf_tables_deltable+0x501/0x580 [nf_tables]"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "628bd3e49cba",
+ "lessThan": "86658fc7414d",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "628bd3e49cba",
+ "lessThan": "e79b47a8615d",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.4",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "6.4",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8.8",
+ "lessThanOrEqual": "6.8.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.9-rc5",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/86658fc7414d4b9e25c2699d751034537503d637"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/e79b47a8615d42c68aaeb68971593333667382ed"
+ }
+ ],
+ "title": "netfilter: nf_tables: restore set elements when delete set fails",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-27012",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
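Review bot: the version data in this CVE-2024-27012 JSON is inconsistent with the .mbox for the same CVE in this commit: the JSON states "version": "0", "lessThan": "6.4", "status": "unaffected", while the .mbox lists "Issue introduced in 5.4.262 with commit 3c7ec098e3b5" and equivalent entries for 5.10.188, 5.15.121, 6.1.36 and 6.3.10. A consumer reading only the JSON will classify 5.15.121+ and 6.1.36+ kernels as unaffected, which the mbox contradicts. Suggest adding git ranges starting at those five backport commits (with "lessThan" set when the branch fix is known) plus the corresponding "custom" version entries, so the machine-readable record and the announcement agree.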
diff --git a/cve/published/2024/CVE-2024-27012.mbox b/cve/published/2024/CVE-2024-27012.mbox
new file mode 100644
index 00000000..3aab877a
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27012.mbox
@@ -0,0 +1,123 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-27012: netfilter: nf_tables: restore set elements when delete set fails
+Message-Id: <2024050148-CVE-2024-27012-5564@gregkh>
+Content-Length: 4993
+Lines: 106
+X-Developer-Signature: v=1; a=openpgp-sha256; l=5100;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=/HjIqEXI6si3uw8YGO41Z6pzkwR4+yoPvJY6HNZEdNg=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGmGlztVzbUUjDZMXSBSXvU4tetygPvr0szHzBO/rhG5y
+ X/E75dfRywLgyATg6yYIsuXbTxH91ccUvQytD0NM4eVCWQIAxenAExkWizDXIk4tpeObyZ9ST3z
+ 59EvHu6ekP35sgwL+m37L30RaxEMlO65MJlRok9/QdhWAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+netfilter: nf_tables: restore set elements when delete set fails
+
+>From abort path, nft_mapelem_activate() needs to restore refcounters to
+the original state. Currently, it uses the set->ops->walk() to iterate
+over these set elements. The existing set iterator skips inactive
+elements in the next generation, this does not work from the abort path
+to restore the original state since it has to skip active elements
+instead (not inactive ones).
+
+This patch moves the check for inactive elements to the set iterator
+callback, then it reverses the logic for the .activate case which
+needs to skip active elements.
+
+Toggle next generation bit for elements when delete set command is
+invoked and call nft_clear() from .activate (abort) path to restore the
+next generation bit.
+
+The splat below shows an object in mappings memleak:
+
+[43929.457523] ------------[ cut here ]------------
+[43929.457532] WARNING: CPU: 0 PID: 1139 at include/net/netfilter/nf_tables.h:1237 nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]
+[...]
+[43929.458014] RIP: 0010:nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]
+[43929.458076] Code: 83 f8 01 77 ab 49 8d 7c 24 08 e8 37 5e d0 de 49 8b 6c 24 08 48 8d 7d 50 e8 e9 5c d0 de 8b 45 50 8d 50 ff 89 55 50 85 c0 75 86 <0f> 0b eb 82 0f 0b eb b3 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90
+[43929.458081] RSP: 0018:ffff888140f9f4b0 EFLAGS: 00010246
+[43929.458086] RAX: 0000000000000000 RBX: ffff8881434f5288 RCX: dffffc0000000000
+[43929.458090] RDX: 00000000ffffffff RSI: ffffffffa26d28a7 RDI: ffff88810ecc9550
+[43929.458093] RBP: ffff88810ecc9500 R08: 0000000000000001 R09: ffffed10281f3e8f
+[43929.458096] R10: 0000000000000003 R11: ffff0000ffff0000 R12: ffff8881434f52a0
+[43929.458100] R13: ffff888140f9f5f4 R14: ffff888151c7a800 R15: 0000000000000002
+[43929.458103] FS: 00007f0c687c4740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000
+[43929.458107] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[43929.458111] CR2: 00007f58dbe5b008 CR3: 0000000123602005 CR4: 00000000001706f0
+[43929.458114] Call Trace:
+[43929.458118] <TASK>
+[43929.458121] ? __warn+0x9f/0x1a0
+[43929.458127] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]
+[43929.458188] ? report_bug+0x1b1/0x1e0
+[43929.458196] ? handle_bug+0x3c/0x70
+[43929.458200] ? exc_invalid_op+0x17/0x40
+[43929.458211] ? nft_setelem_data_deactivate+0xd7/0xf0 [nf_tables]
+[43929.458271] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]
+[43929.458332] nft_mapelem_deactivate+0x24/0x30 [nf_tables]
+[43929.458392] nft_rhash_walk+0xdd/0x180 [nf_tables]
+[43929.458453] ? __pfx_nft_rhash_walk+0x10/0x10 [nf_tables]
+[43929.458512] ? rb_insert_color+0x2e/0x280
+[43929.458520] nft_map_deactivate+0xdc/0x1e0 [nf_tables]
+[43929.458582] ? __pfx_nft_map_deactivate+0x10/0x10 [nf_tables]
+[43929.458642] ? __pfx_nft_mapelem_deactivate+0x10/0x10 [nf_tables]
+[43929.458701] ? __rcu_read_unlock+0x46/0x70
+[43929.458709] nft_delset+0xff/0x110 [nf_tables]
+[43929.458769] nft_flush_table+0x16f/0x460 [nf_tables]
+[43929.458830] nf_tables_deltable+0x501/0x580 [nf_tables]
+
+The Linux kernel CVE team has assigned CVE-2024-27012 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 6.4 with commit 628bd3e49cba and fixed in 6.8.8 with commit 86658fc7414d
+ Issue introduced in 6.4 with commit 628bd3e49cba and fixed in 6.9-rc5 with commit e79b47a8615d
+ Issue introduced in 5.4.262 with commit 3c7ec098e3b5
+ Issue introduced in 5.10.188 with commit a136b7942ad2
+ Issue introduced in 5.15.121 with commit 25aa2ad37c21
+ Issue introduced in 6.1.36 with commit d60be2da67d1
+ Issue introduced in 6.3.10 with commit dc7cdf8cbcbf
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-27012
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ net/netfilter/nf_tables_api.c
+ net/netfilter/nft_set_bitmap.c
+ net/netfilter/nft_set_hash.c
+ net/netfilter/nft_set_pipapo.c
+ net/netfilter/nft_set_rbtree.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/86658fc7414d4b9e25c2699d751034537503d637
+ https://git.kernel.org/stable/c/e79b47a8615d42c68aaeb68971593333667382ed
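Review bot: in the "Affected and fixed versions" section the five "Issue introduced in 5.4.262 / 5.10.188 / 5.15.121 / 6.1.36 / 6.3.10" lines have no "and fixed in" counterpart, so those stable branches carry the bug with no fix referenced by this record; consider stating that explicitly, or adding the branch fix commits if the 86658fc7414d backport landed in those series alongside 6.8.8. Separately, the ">From abort path" at the top of the Description is mbox From-line escaping of the commit text "From abort path" (the JSON has it unescaped); that is expected for a .mbox file, but anything that renders this body as plain text will show the leading ">".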
diff --git a/cve/published/2024/CVE-2024-27012.sha1 b/cve/published/2024/CVE-2024-27012.sha1
new file mode 100644
index 00000000..88006f19
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27012.sha1
@@ -0,0 +1 @@
+e79b47a8615d42c68aaeb68971593333667382ed
diff --git a/cve/reserved/2024/CVE-2024-27013 b/cve/published/2024/CVE-2024-27013
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-27013
+++ b/cve/published/2024/CVE-2024-27013
diff --git a/cve/published/2024/CVE-2024-27013.json b/cve/published/2024/CVE-2024-27013.json
new file mode 100644
index 00000000..d237d274
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27013.json
@@ -0,0 +1,133 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntun: limit printing rate when illegal packet received by tun dev\n\nvhost_worker will call tun call backs to receive packets. If too many\nillegal packets arrives, tun_do_read will keep dumping packet contents.\nWhen console is enabled, it will costs much more cpu time to dump\npacket and soft lockup will be detected.\n\nnet_ratelimit mechanism can be used to limit the dumping rate.\n\nPID: 33036 TASK: ffff949da6f20000 CPU: 23 COMMAND: \"vhost-32980\"\n #0 [fffffe00003fce50] crash_nmi_callback at ffffffff89249253\n #1 [fffffe00003fce58] nmi_handle at ffffffff89225fa3\n #2 [fffffe00003fceb0] default_do_nmi at ffffffff8922642e\n #3 [fffffe00003fced0] do_nmi at ffffffff8922660d\n #4 [fffffe00003fcef0] end_repeat_nmi at ffffffff89c01663\n [exception RIP: io_serial_in+20]\n RIP: ffffffff89792594 RSP: ffffa655314979e8 RFLAGS: 00000002\n RAX: ffffffff89792500 RBX: ffffffff8af428a0 RCX: 0000000000000000\n RDX: 00000000000003fd RSI: 0000000000000005 RDI: ffffffff8af428a0\n RBP: 0000000000002710 R8: 0000000000000004 R9: 000000000000000f\n R10: 0000000000000000 R11: ffffffff8acbf64f R12: 0000000000000020\n R13: ffffffff8acbf698 R14: 0000000000000058 R15: 0000000000000000\n ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018\n #5 [ffffa655314979e8] io_serial_in at ffffffff89792594\n #6 [ffffa655314979e8] wait_for_xmitr at ffffffff89793470\n #7 [ffffa65531497a08] serial8250_console_putchar at ffffffff897934f6\n #8 [ffffa65531497a20] uart_console_write at ffffffff8978b605\n #9 [ffffa65531497a48] serial8250_console_write at ffffffff89796558\n #10 [ffffa65531497ac8] console_unlock at ffffffff89316124\n #11 [ffffa65531497b10] vprintk_emit at ffffffff89317c07\n #12 [ffffa65531497b68] printk at ffffffff89318306\n #13 [ffffa65531497bc8] print_hex_dump at ffffffff89650765\n #14 [ffffa65531497ca8] tun_do_read at ffffffffc0b06c27 [tun]\n #15 [ffffa65531497d38] tun_recvmsg at ffffffffc0b06e34 [tun]\n #16 
[ffffa65531497d68] handle_rx at ffffffffc0c5d682 [vhost_net]\n #17 [ffffa65531497ed0] vhost_worker at ffffffffc0c644dc [vhost]\n #18 [ffffa65531497f10] kthread at ffffffff892d2e72\n #19 [ffffa65531497f50] ret_from_fork at ffffffff89c0022f"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "ef3db4a59542",
+ "lessThan": "a50dbeca28ac",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "ef3db4a59542",
+ "lessThan": "62e27ef18eb4",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "ef3db4a59542",
+ "lessThan": "40f4ced305c6",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "ef3db4a59542",
+ "lessThan": "52854101180b",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "ef3db4a59542",
+ "lessThan": "f8bbc07ac535",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "2.6.35",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "2.6.35",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.157",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.88",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.29",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8.8",
+ "lessThanOrEqual": "6.8.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.9-rc5",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/a50dbeca28acf7051dfa92786b85f704c75db6eb"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/62e27ef18eb4f0d33bbae8e9ef56b99696a74713"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/40f4ced305c6c47487d3cd8da54676e2acc1a6ad"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/52854101180beccdb9dc2077a3bea31b6ad48dfa"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/f8bbc07ac535593139c875ffa19af924b1084540"
+ }
+ ],
+ "title": "tun: limit printing rate when illegal packet received by tun dev",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-27013",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
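Review bot: the stable-branch list here names fixed versions only for 5.15.157, 6.1.88, 6.6.29, 6.8.8 and 6.9-rc5, and with "defaultStatus": "affected" plus the single unaffected range "0" lessThan "2.6.35", every other branch from 2.6.35 onward (5.4.y and 5.10.y included) is asserted as affected with no fix commit listed. That is the correct reading of the git ranges above, which all start at ef3db4a59542, but consumers scoring 5.10.y should not mistake the absence of an entry for "fixed"; this record (serial 1) needs a re-issue once backports to those branches land, as the mbox text for this CVE already says.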
diff --git a/cve/published/2024/CVE-2024-27013.mbox b/cve/published/2024/CVE-2024-27013.mbox
new file mode 100644
index 00000000..ff0df774
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27013.mbox
@@ -0,0 +1,105 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-27013: tun: limit printing rate when illegal packet received by tun dev
+Message-Id: <2024050149-CVE-2024-27013-2c26@gregkh>
+Content-Length: 4215
+Lines: 88
+X-Developer-Signature: v=1; a=openpgp-sha256; l=4304;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=3eEGe9OSjFaZOYLgGwR/+9KOBy/DCEpKNzqz9xehLuc=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGmGlzvF62KC2qcVzCifxbT14cK87XuT08WmcHTwrovXb
+ dqk5v2zI5aFQZCJQVZMkeXLNp6j+ysOKXoZ2p6GmcPKBDKEgYtTACYiHcQw36PA+HCtjNW2WX2W
+ vT2/lWM2h5pqMyy4bNbz7GriJFe5ZMlXpvXHr+dNMhYFAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+tun: limit printing rate when illegal packet received by tun dev
+
+vhost_worker will call tun call backs to receive packets. If too many
+illegal packets arrives, tun_do_read will keep dumping packet contents.
+When console is enabled, it will costs much more cpu time to dump
+packet and soft lockup will be detected.
+
+net_ratelimit mechanism can be used to limit the dumping rate.
+
+PID: 33036 TASK: ffff949da6f20000 CPU: 23 COMMAND: "vhost-32980"
+ #0 [fffffe00003fce50] crash_nmi_callback at ffffffff89249253
+ #1 [fffffe00003fce58] nmi_handle at ffffffff89225fa3
+ #2 [fffffe00003fceb0] default_do_nmi at ffffffff8922642e
+ #3 [fffffe00003fced0] do_nmi at ffffffff8922660d
+ #4 [fffffe00003fcef0] end_repeat_nmi at ffffffff89c01663
+ [exception RIP: io_serial_in+20]
+ RIP: ffffffff89792594 RSP: ffffa655314979e8 RFLAGS: 00000002
+ RAX: ffffffff89792500 RBX: ffffffff8af428a0 RCX: 0000000000000000
+ RDX: 00000000000003fd RSI: 0000000000000005 RDI: ffffffff8af428a0
+ RBP: 0000000000002710 R8: 0000000000000004 R9: 000000000000000f
+ R10: 0000000000000000 R11: ffffffff8acbf64f R12: 0000000000000020
+ R13: ffffffff8acbf698 R14: 0000000000000058 R15: 0000000000000000
+ ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
+ #5 [ffffa655314979e8] io_serial_in at ffffffff89792594
+ #6 [ffffa655314979e8] wait_for_xmitr at ffffffff89793470
+ #7 [ffffa65531497a08] serial8250_console_putchar at ffffffff897934f6
+ #8 [ffffa65531497a20] uart_console_write at ffffffff8978b605
+ #9 [ffffa65531497a48] serial8250_console_write at ffffffff89796558
+ #10 [ffffa65531497ac8] console_unlock at ffffffff89316124
+ #11 [ffffa65531497b10] vprintk_emit at ffffffff89317c07
+ #12 [ffffa65531497b68] printk at ffffffff89318306
+ #13 [ffffa65531497bc8] print_hex_dump at ffffffff89650765
+ #14 [ffffa65531497ca8] tun_do_read at ffffffffc0b06c27 [tun]
+ #15 [ffffa65531497d38] tun_recvmsg at ffffffffc0b06e34 [tun]
+ #16 [ffffa65531497d68] handle_rx at ffffffffc0c5d682 [vhost_net]
+ #17 [ffffa65531497ed0] vhost_worker at ffffffffc0c644dc [vhost]
+ #18 [ffffa65531497f10] kthread at ffffffff892d2e72
+ #19 [ffffa65531497f50] ret_from_fork at ffffffff89c0022f
+
+The Linux kernel CVE team has assigned CVE-2024-27013 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 2.6.35 with commit ef3db4a59542 and fixed in 5.15.157 with commit a50dbeca28ac
+ Issue introduced in 2.6.35 with commit ef3db4a59542 and fixed in 6.1.88 with commit 62e27ef18eb4
+ Issue introduced in 2.6.35 with commit ef3db4a59542 and fixed in 6.6.29 with commit 40f4ced305c6
+ Issue introduced in 2.6.35 with commit ef3db4a59542 and fixed in 6.8.8 with commit 52854101180b
+ Issue introduced in 2.6.35 with commit ef3db4a59542 and fixed in 6.9-rc5 with commit f8bbc07ac535
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-27013
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/net/tun.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/a50dbeca28acf7051dfa92786b85f704c75db6eb
+ https://git.kernel.org/stable/c/62e27ef18eb4f0d33bbae8e9ef56b99696a74713
+ https://git.kernel.org/stable/c/40f4ced305c6c47487d3cd8da54676e2acc1a6ad
+ https://git.kernel.org/stable/c/52854101180beccdb9dc2077a3bea31b6ad48dfa
+ https://git.kernel.org/stable/c/f8bbc07ac535593139c875ffa19af924b1084540
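Review bot: the description gives the impact (soft lockup while print_hex_dump in tun_do_read, frames #13 and #14, waits on the 8250 serial console in io_serial_in) but not what the fix leaves in place: net_ratelimit only bounds how often the dump runs, so the contents of the offending packets still land in the kernel log, just at a limited rate. A sentence saying so would help operators who treat dmesg as sensitive, or who run a slow serial console, which the trace shows is the configuration that turns logging into a lockup. The task in the trace is a vhost worker kthread (COMMAND: "vhost-32980"), so the hang sits on the host's vhost_net receive path; that is worth stating in prose rather than leaving the reader to decode the backtrace.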
diff --git a/cve/published/2024/CVE-2024-27013.sha1 b/cve/published/2024/CVE-2024-27013.sha1
new file mode 100644
index 00000000..324bf9f8
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27013.sha1
@@ -0,0 +1 @@
+f8bbc07ac535593139c875ffa19af924b1084540
diff --git a/cve/reserved/2024/CVE-2024-27014 b/cve/published/2024/CVE-2024-27014
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-27014
+++ b/cve/published/2024/CVE-2024-27014
diff --git a/cve/published/2024/CVE-2024-27014.json b/cve/published/2024/CVE-2024-27014.json
new file mode 100644
index 00000000..d45a339d
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27014.json
@@ -0,0 +1,118 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Prevent deadlock while disabling aRFS\n\nWhen disabling aRFS under the `priv->state_lock`, any scheduled\naRFS works are canceled using the `cancel_work_sync` function,\nwhich waits for the work to end if it has already started.\nHowever, while waiting for the work handler, the handler will\ntry to acquire the `state_lock` which is already acquired.\n\nThe worker acquires the lock to delete the rules if the state\nis down, which is not the worker's responsibility since\ndisabling aRFS deletes the rules.\n\nAdd an aRFS state variable, which indicates whether the aRFS is\nenabled and prevent adding rules when the aRFS is disabled.\n\nKernel log:\n\n======================================================\nWARNING: possible circular locking dependency detected\n6.7.0-rc4_net_next_mlx5_5483eb2 #1 Tainted: G I\n------------------------------------------------------\nethtool/386089 is trying to acquire lock:\nffff88810f21ce68 ((work_completion)(&rule->arfs_work)){+.+.}-{0:0}, at: __flush_work+0x74/0x4e0\n\nbut task is already holding lock:\nffff8884a1808cc0 (&priv->state_lock){+.+.}-{3:3}, at: mlx5e_ethtool_set_channels+0x53/0x200 [mlx5_core]\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-> #1 (&priv->state_lock){+.+.}-{3:3}:\n __mutex_lock+0x80/0xc90\n arfs_handle_work+0x4b/0x3b0 [mlx5_core]\n process_one_work+0x1dc/0x4a0\n worker_thread+0x1bf/0x3c0\n kthread+0xd7/0x100\n ret_from_fork+0x2d/0x50\n ret_from_fork_asm+0x11/0x20\n\n-> #0 ((work_completion)(&rule->arfs_work)){+.+.}-{0:0}:\n __lock_acquire+0x17b4/0x2c80\n lock_acquire+0xd0/0x2b0\n __flush_work+0x7a/0x4e0\n __cancel_work_timer+0x131/0x1c0\n arfs_del_rules+0x143/0x1e0 [mlx5_core]\n mlx5e_arfs_disable+0x1b/0x30 [mlx5_core]\n mlx5e_ethtool_set_channels+0xcb/0x200 [mlx5_core]\n ethnl_set_channels+0x28f/0x3b0\n ethnl_default_set_doit+0xec/0x240\n 
genl_family_rcv_msg_doit+0xd0/0x120\n genl_rcv_msg+0x188/0x2c0\n netlink_rcv_skb+0x54/0x100\n genl_rcv+0x24/0x40\n netlink_unicast+0x1a1/0x270\n netlink_sendmsg+0x214/0x460\n __sock_sendmsg+0x38/0x60\n __sys_sendto+0x113/0x170\n __x64_sys_sendto+0x20/0x30\n do_syscall_64+0x40/0xe0\n entry_SYSCALL_64_after_hwframe+0x46/0x4e\n\nother info that might help us debug this:\n\n Possible unsafe locking scenario:\n\n CPU0 CPU1\n ---- ----\n lock(&priv->state_lock);\n lock((work_completion)(&rule->arfs_work));\n lock(&priv->state_lock);\n lock((work_completion)(&rule->arfs_work));\n\n *** DEADLOCK ***\n\n3 locks held by ethtool/386089:\n #0: ffffffff82ea7210 (cb_lock){++++}-{3:3}, at: genl_rcv+0x15/0x40\n #1: ffffffff82e94c88 (rtnl_mutex){+.+.}-{3:3}, at: ethnl_default_set_doit+0xd3/0x240\n #2: ffff8884a1808cc0 (&priv->state_lock){+.+.}-{3:3}, at: mlx5e_ethtool_set_channels+0x53/0x200 [mlx5_core]\n\nstack backtrace:\nCPU: 15 PID: 386089 Comm: ethtool Tainted: G I 6.7.0-rc4_net_next_mlx5_5483eb2 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl+0x60/0xa0\n check_noncircular+0x144/0x160\n __lock_acquire+0x17b4/0x2c80\n lock_acquire+0xd0/0x2b0\n ? __flush_work+0x74/0x4e0\n ? save_trace+0x3e/0x360\n ? __flush_work+0x74/0x4e0\n __flush_work+0x7a/0x4e0\n ? __flush_work+0x74/0x4e0\n ? __lock_acquire+0xa78/0x2c80\n ? lock_acquire+0xd0/0x2b0\n ? mark_held_locks+0x49/0x70\n __cancel_work_timer+0x131/0x1c0\n ? mark_held_locks+0x49/0x70\n arfs_del_rules+0x143/0x1e0 [mlx5_core]\n mlx5e_arfs_disable+0x1b/0x30 [mlx5_core]\n mlx5e_ethtool_set_channels+0xcb/0x200 [mlx5_core]\n ethnl_set_channels+0x28f/0x3b0\n ethnl_default_set_doit+0xec/0x240\n genl_family_rcv_msg_doit+0xd0/0x120\n genl_rcv_msg+0x188/0x2c0\n ? ethn\n---truncated---"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "45bf454ae884",
+ "lessThan": "46efa4d5930c",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "45bf454ae884",
+ "lessThan": "48c4bb81df19",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "45bf454ae884",
+ "lessThan": "0080bf994994",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "45bf454ae884",
+ "lessThan": "fef965764cf5",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "4.7",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "4.7",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.88",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.29",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8.8",
+ "lessThanOrEqual": "6.8.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.9-rc5",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/46efa4d5930cf3c2af8c01f75e0a47e4fc045e3b"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/48c4bb81df19402d4346032353d0795260255e3b"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/0080bf99499468030248ebd25dd645e487dcecdc"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/fef965764cf562f28afb997b626fc7c3cec99693"
+ }
+ ],
+ "title": "net/mlx5e: Prevent deadlock while disabling aRFS",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-27014",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
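Review bot: the description string is cut mid-frame at "? ethn" before "---truncated---", so JSON consumers get a call trace that stops partway through a line, without the remaining frames or the </TASK> marker that the mbox version of this record carries. Truncating is acceptable, since the dependency chain above already lists the same frames through ethnl_default_set_doit, but the cut should fall on a line boundary. Separately, the version list asserts 4.7 onward as affected and gives fixes only for 6.1.88, 6.6.29, 6.8.8 and 6.9-rc5, so 5.15.y (in range since 4.7, no entry here) reads as affected with no fix commit.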
diff --git a/cve/published/2024/CVE-2024-27014.mbox b/cve/published/2024/CVE-2024-27014.mbox
new file mode 100644
index 00000000..79df0c88
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27014.mbox
@@ -0,0 +1,184 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-27014: net/mlx5e: Prevent deadlock while disabling aRFS
+Message-Id: <2024050149-CVE-2024-27014-d2dc@gregkh>
+Content-Length: 6179
+Lines: 167
+X-Developer-Signature: v=1; a=openpgp-sha256; l=6347;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=q2QllU8xnHSpy0fuxyudUSMKxM0qiKehQGDfcAaBGLU=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGmGlztj2d9ctzbkrM4O/HmToXLNkYIVZlkL7PUDWJZNX
+ rX39SnvjlgWBkEmBlkxRZYv23iO7q84pOhlaHsaZg4rE8gQBi5OAZjIOzeG+cFFnaf/XrD8HZTG
+ qR4qL6x+b2eUAMM8pRXFmaqi2S3y1S/caj0bJf+W7HkPAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+net/mlx5e: Prevent deadlock while disabling aRFS
+
+When disabling aRFS under the `priv->state_lock`, any scheduled
+aRFS works are canceled using the `cancel_work_sync` function,
+which waits for the work to end if it has already started.
+However, while waiting for the work handler, the handler will
+try to acquire the `state_lock` which is already acquired.
+
+The worker acquires the lock to delete the rules if the state
+is down, which is not the worker's responsibility since
+disabling aRFS deletes the rules.
+
+Add an aRFS state variable, which indicates whether the aRFS is
+enabled and prevent adding rules when the aRFS is disabled.
+
+Kernel log:
+
+======================================================
+WARNING: possible circular locking dependency detected
+6.7.0-rc4_net_next_mlx5_5483eb2 #1 Tainted: G I
+------------------------------------------------------
+ethtool/386089 is trying to acquire lock:
+ffff88810f21ce68 ((work_completion)(&rule->arfs_work)){+.+.}-{0:0}, at: __flush_work+0x74/0x4e0
+
+but task is already holding lock:
+ffff8884a1808cc0 (&priv->state_lock){+.+.}-{3:3}, at: mlx5e_ethtool_set_channels+0x53/0x200 [mlx5_core]
+
+which lock already depends on the new lock.
+
+the existing dependency chain (in reverse order) is:
+
+-> #1 (&priv->state_lock){+.+.}-{3:3}:
+ __mutex_lock+0x80/0xc90
+ arfs_handle_work+0x4b/0x3b0 [mlx5_core]
+ process_one_work+0x1dc/0x4a0
+ worker_thread+0x1bf/0x3c0
+ kthread+0xd7/0x100
+ ret_from_fork+0x2d/0x50
+ ret_from_fork_asm+0x11/0x20
+
+-> #0 ((work_completion)(&rule->arfs_work)){+.+.}-{0:0}:
+ __lock_acquire+0x17b4/0x2c80
+ lock_acquire+0xd0/0x2b0
+ __flush_work+0x7a/0x4e0
+ __cancel_work_timer+0x131/0x1c0
+ arfs_del_rules+0x143/0x1e0 [mlx5_core]
+ mlx5e_arfs_disable+0x1b/0x30 [mlx5_core]
+ mlx5e_ethtool_set_channels+0xcb/0x200 [mlx5_core]
+ ethnl_set_channels+0x28f/0x3b0
+ ethnl_default_set_doit+0xec/0x240
+ genl_family_rcv_msg_doit+0xd0/0x120
+ genl_rcv_msg+0x188/0x2c0
+ netlink_rcv_skb+0x54/0x100
+ genl_rcv+0x24/0x40
+ netlink_unicast+0x1a1/0x270
+ netlink_sendmsg+0x214/0x460
+ __sock_sendmsg+0x38/0x60
+ __sys_sendto+0x113/0x170
+ __x64_sys_sendto+0x20/0x30
+ do_syscall_64+0x40/0xe0
+ entry_SYSCALL_64_after_hwframe+0x46/0x4e
+
+other info that might help us debug this:
+
+ Possible unsafe locking scenario:
+
+ CPU0 CPU1
+ ---- ----
+ lock(&priv->state_lock);
+ lock((work_completion)(&rule->arfs_work));
+ lock(&priv->state_lock);
+ lock((work_completion)(&rule->arfs_work));
+
+ *** DEADLOCK ***
+
+3 locks held by ethtool/386089:
+ #0: ffffffff82ea7210 (cb_lock){++++}-{3:3}, at: genl_rcv+0x15/0x40
+ #1: ffffffff82e94c88 (rtnl_mutex){+.+.}-{3:3}, at: ethnl_default_set_doit+0xd3/0x240
+ #2: ffff8884a1808cc0 (&priv->state_lock){+.+.}-{3:3}, at: mlx5e_ethtool_set_channels+0x53/0x200 [mlx5_core]
+
+stack backtrace:
+CPU: 15 PID: 386089 Comm: ethtool Tainted: G I 6.7.0-rc4_net_next_mlx5_5483eb2 #1
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0x60/0xa0
+ check_noncircular+0x144/0x160
+ __lock_acquire+0x17b4/0x2c80
+ lock_acquire+0xd0/0x2b0
+ ? __flush_work+0x74/0x4e0
+ ? save_trace+0x3e/0x360
+ ? __flush_work+0x74/0x4e0
+ __flush_work+0x7a/0x4e0
+ ? __flush_work+0x74/0x4e0
+ ? __lock_acquire+0xa78/0x2c80
+ ? lock_acquire+0xd0/0x2b0
+ ? mark_held_locks+0x49/0x70
+ __cancel_work_timer+0x131/0x1c0
+ ? mark_held_locks+0x49/0x70
+ arfs_del_rules+0x143/0x1e0 [mlx5_core]
+ mlx5e_arfs_disable+0x1b/0x30 [mlx5_core]
+ mlx5e_ethtool_set_channels+0xcb/0x200 [mlx5_core]
+ ethnl_set_channels+0x28f/0x3b0
+ ethnl_default_set_doit+0xec/0x240
+ genl_family_rcv_msg_doit+0xd0/0x120
+ genl_rcv_msg+0x188/0x2c0
+ ? ethnl_ops_begin+0xb0/0xb0
+ ? genl_family_rcv_msg_dumpit+0xf0/0xf0
+ netlink_rcv_skb+0x54/0x100
+ genl_rcv+0x24/0x40
+ netlink_unicast+0x1a1/0x270
+ netlink_sendmsg+0x214/0x460
+ __sock_sendmsg+0x38/0x60
+ __sys_sendto+0x113/0x170
+ ? do_user_addr_fault+0x53f/0x8f0
+ __x64_sys_sendto+0x20/0x30
+ do_syscall_64+0x40/0xe0
+ entry_SYSCALL_64_after_hwframe+0x46/0x4e
+ </TASK>
+
+The Linux kernel CVE team has assigned CVE-2024-27014 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 4.7 with commit 45bf454ae884 and fixed in 6.1.88 with commit 46efa4d5930c
+ Issue introduced in 4.7 with commit 45bf454ae884 and fixed in 6.6.29 with commit 48c4bb81df19
+ Issue introduced in 4.7 with commit 45bf454ae884 and fixed in 6.8.8 with commit 0080bf994994
+ Issue introduced in 4.7 with commit 45bf454ae884 and fixed in 6.9-rc5 with commit fef965764cf5
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-27014
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/net/ethernet/mellanox/mlx5/core/en_arfs.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/46efa4d5930cf3c2af8c01f75e0a47e4fc045e3b
+ https://git.kernel.org/stable/c/48c4bb81df19402d4346032353d0795260255e3b
+ https://git.kernel.org/stable/c/0080bf99499468030248ebd25dd645e487dcecdc
+ https://git.kernel.org/stable/c/fef965764cf562f28afb997b626fc7c3cec99693
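Review bot: the trace identifies the trigger as an ethtool channel change (ethnl_set_channels via generic netlink from ethtool, PID 386089) that takes priv->state_lock and then calls cancel_work_sync on arfs_work while the worker wants the same state_lock; the "3 locks held" list shows rtnl_mutex (#1) is also held at that point, so a hit wedges not just the mlx5 device but every other operation that needs rtnl. The description should state that plainly: the starting operation is administrative (changing channels needs CAP_NET_ADMIN), the consequence is a system-wide rtnl hang, and the fix removes the worker's need for state_lock by checking an aRFS enabled flag instead. The "Affected and fixed versions" block lists no 5.15.y fix even though the issue is introduced in 4.7, which matches the JSON but leaves that LTS branch affected by default.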
diff --git a/cve/published/2024/CVE-2024-27014.sha1 b/cve/published/2024/CVE-2024-27014.sha1
new file mode 100644
index 00000000..3f2c8f72
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27014.sha1
@@ -0,0 +1 @@
+fef965764cf562f28afb997b626fc7c3cec99693
diff --git a/cve/reserved/2024/CVE-2024-27015 b/cve/published/2024/CVE-2024-27015
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-27015
+++ b/cve/published/2024/CVE-2024-27015
diff --git a/cve/published/2024/CVE-2024-27015.json b/cve/published/2024/CVE-2024-27015.json
new file mode 100644
index 00000000..2be5ba92
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27015.json
@@ -0,0 +1,133 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: flowtable: incorrect pppoe tuple\n\npppoe traffic reaching ingress path does not match the flowtable entry\nbecause the pppoe header is expected to be at the network header offset.\nThis bug causes a mismatch in the flow table lookup, so pppoe packets\nenter the classical forwarding path."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "72efd585f714",
+ "lessThan": "e719b52d0c56",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "72efd585f714",
+ "lessThan": "f1c3c61701a0",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "72efd585f714",
+ "lessThan": "4ed82dd368ad",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "72efd585f714",
+ "lessThan": "e3f078103421",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "72efd585f714",
+ "lessThan": "6db5dc7b351b",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.13",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.13",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.157",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.88",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.29",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8.8",
+ "lessThanOrEqual": "6.8.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.9-rc5",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/e719b52d0c56989b0f3475a03a6d64f182c85b56"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/f1c3c61701a0b12f4906152c1626a5de580ea3d2"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/4ed82dd368ad883dc4284292937b882f044e625d"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/e3f078103421642fcd5f05c5e70777feb10f000d"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/6db5dc7b351b9569940cd1cf445e237c42cd6d27"
+ }
+ ],
+ "title": "netfilter: flowtable: incorrect pppoe tuple",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-27015",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
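Review bot: the description states only the functional symptom (flowtable lookup misses, PPPoE packets fall back to the classical forwarding path) and no security consequence, so a reader cannot tell from this record whether the mismatch affects anything beyond fast-path performance. Since CVE-2024-27016 in this same batch shares the introducing commit 72efd585f714 and the file net/netfilter/nf_flow_table_ip.c, and adds bounds validation of the same PPPoE header, the two records should cross-reference each other and be evaluated and backported as a pair.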
diff --git a/cve/published/2024/CVE-2024-27015.mbox b/cve/published/2024/CVE-2024-27015.mbox
new file mode 100644
index 00000000..5fb6f347
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27015.mbox
@@ -0,0 +1,73 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-27015: netfilter: flowtable: incorrect pppoe tuple
+Message-Id: <2024050149-CVE-2024-27015-9ce1@gregkh>
+Content-Length: 2363
+Lines: 56
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2420;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=UccIDbX66tPoeTz0oDORTFIUer5hdWlFdSwHzHR/+fM=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGmGlzsFN/dmXVl1PK6r6eAanr1dtVVv56wqk56nH1EXc
+ qmT0XtjRywLgyATg6yYIsuXbTxH91ccUvQytD0NM4eVCWQIAxenAEyE/S/DHL49E+5MXOP49qeE
+ 3B2dr5OYN3Rl5jLMM6/+Of+g9Lpspi0WxSWvky6kmM8tAQA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+netfilter: flowtable: incorrect pppoe tuple
+
+pppoe traffic reaching ingress path does not match the flowtable entry
+because the pppoe header is expected to be at the network header offset.
+This bug causes a mismatch in the flow table lookup, so pppoe packets
+enter the classical forwarding path.
+
+The Linux kernel CVE team has assigned CVE-2024-27015 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.13 with commit 72efd585f714 and fixed in 5.15.157 with commit e719b52d0c56
+ Issue introduced in 5.13 with commit 72efd585f714 and fixed in 6.1.88 with commit f1c3c61701a0
+ Issue introduced in 5.13 with commit 72efd585f714 and fixed in 6.6.29 with commit 4ed82dd368ad
+ Issue introduced in 5.13 with commit 72efd585f714 and fixed in 6.8.8 with commit e3f078103421
+ Issue introduced in 5.13 with commit 72efd585f714 and fixed in 6.9-rc5 with commit 6db5dc7b351b
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-27015
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ net/netfilter/nf_flow_table_ip.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/e719b52d0c56989b0f3475a03a6d64f182c85b56
+ https://git.kernel.org/stable/c/f1c3c61701a0b12f4906152c1626a5de580ea3d2
+ https://git.kernel.org/stable/c/4ed82dd368ad883dc4284292937b882f044e625d
+ https://git.kernel.org/stable/c/e3f078103421642fcd5f05c5e70777feb10f000d
+ https://git.kernel.org/stable/c/6db5dc7b351b9569940cd1cf445e237c42cd6d27
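Review bot: the sentence "because the pppoe header is expected to be at the network header offset" leaves out who expects it; read with the title "incorrect pppoe tuple", it should say that the flowtable tuple construction assumes the PPPoE header at the network header offset, which does not hold on ingress, hence the lookup miss. Affected files lists only net/netfilter/nf_flow_table_ip.c, consistent with a lookup-side change. The version block is complete for the branches in range (introduced in 5.13, earliest fix 5.15.157), unlike CVE-2024-27014 above.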
diff --git a/cve/published/2024/CVE-2024-27015.sha1 b/cve/published/2024/CVE-2024-27015.sha1
new file mode 100644
index 00000000..f8225d7d
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27015.sha1
@@ -0,0 +1 @@
+6db5dc7b351b9569940cd1cf445e237c42cd6d27
diff --git a/cve/reserved/2024/CVE-2024-27016 b/cve/published/2024/CVE-2024-27016
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-27016
+++ b/cve/published/2024/CVE-2024-27016
diff --git a/cve/published/2024/CVE-2024-27016.json b/cve/published/2024/CVE-2024-27016.json
new file mode 100644
index 00000000..4a138efd
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27016.json
@@ -0,0 +1,133 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: flowtable: validate pppoe header\n\nEnsure there is sufficient room to access the protocol field of the\nPPPoe header. Validate it once before the flowtable lookup, then use a\nhelper function to access protocol field."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "72efd585f714",
+ "lessThan": "d06977b9a410",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "72efd585f714",
+ "lessThan": "8bf7c76a2a20",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "72efd585f714",
+ "lessThan": "a2471d271042",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "72efd585f714",
+ "lessThan": "cf366ee3bc1b",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "72efd585f714",
+ "lessThan": "87b3593bed18",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.13",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.13",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.157",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.88",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.29",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8.8",
+ "lessThanOrEqual": "6.8.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.9-rc5",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/d06977b9a4109f8738bb276125eb6a0b772bc433"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/8bf7c76a2a207ca2b4cfda0a279192adf27678d7"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/a2471d271042ea18e8a6babc132a8716bb2f08b9"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/cf366ee3bc1b7d1c76a882640ba3b3f8f1039163"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/87b3593bed1868b2d9fe096c01bcdf0ea86cbebf"
+ }
+ ],
+ "title": "netfilter: flowtable: validate pppoe header",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-27016",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
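Review bot: "Ensure there is sufficient room to access the protocol field of the PPPoe header" implies the pre-fix lookup read the PPPoE protocol field without confirming those bytes were present in the accessible part of the skb, i.e. an out-of-bounds read on ingress for frames that do not carry the full header, but the record never says so, and no problemTypes/CWE is carried, so downstream triage has to infer severity from that one sentence. The description should name the consequence; of the two PPPoE flowtable records in this batch this is the one with memory-safety weight, and its git ranges (all from 72efd585f714) are identical to CVE-2024-27015's, so the two cannot be told apart by version alone.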
diff --git a/cve/published/2024/CVE-2024-27016.mbox b/cve/published/2024/CVE-2024-27016.mbox
new file mode 100644
index 00000000..2cba5e11
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27016.mbox
@@ -0,0 +1,74 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-27016: netfilter: flowtable: validate pppoe header
+Message-Id: <2024050149-CVE-2024-27016-5114@gregkh>
+Content-Length: 2368
+Lines: 57
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2426;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=2SzIy1AFZWaO3/4mv3bKefMxKnL2kuYhD9zAXAhs9BY=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGmGlzsbgrQcfp4s23Drt9qzEiGHb+l1IclMT035/zFfF
+ 92S5ifZEcvCIMjEICumyPJlG8/R/RWHFL0MbU/DzGFlAhnCwMUpABNZNJ1hwfXuHK/fhVsOqgSx
+ nSpbtnK6/ZcHMgwL9grxSU+QnntT8YqVzjX+7QZnReO8AA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+netfilter: flowtable: validate pppoe header
+
+Ensure there is sufficient room to access the protocol field of the
+PPPoe header. Validate it once before the flowtable lookup, then use a
+helper function to access protocol field.
+
+The Linux kernel CVE team has assigned CVE-2024-27016 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.13 with commit 72efd585f714 and fixed in 5.15.157 with commit d06977b9a410
+ Issue introduced in 5.13 with commit 72efd585f714 and fixed in 6.1.88 with commit 8bf7c76a2a20
+ Issue introduced in 5.13 with commit 72efd585f714 and fixed in 6.6.29 with commit a2471d271042
+ Issue introduced in 5.13 with commit 72efd585f714 and fixed in 6.8.8 with commit cf366ee3bc1b
+ Issue introduced in 5.13 with commit 72efd585f714 and fixed in 6.9-rc5 with commit 87b3593bed18
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-27016
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ include/net/netfilter/nf_flow_table.h
+ net/netfilter/nf_flow_table_inet.c
+ net/netfilter/nf_flow_table_ip.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/d06977b9a4109f8738bb276125eb6a0b772bc433
+ https://git.kernel.org/stable/c/8bf7c76a2a207ca2b4cfda0a279192adf27678d7
+ https://git.kernel.org/stable/c/a2471d271042ea18e8a6babc132a8716bb2f08b9
+ https://git.kernel.org/stable/c/cf366ee3bc1b7d1c76a882640ba3b3f8f1039163
+ https://git.kernel.org/stable/c/87b3593bed1868b2d9fe096c01bcdf0ea86cbebf
diff --git a/cve/published/2024/CVE-2024-27016.sha1 b/cve/published/2024/CVE-2024-27016.sha1
new file mode 100644
index 00000000..e48e2d52
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27016.sha1
@@ -0,0 +1 @@
+87b3593bed1868b2d9fe096c01bcdf0ea86cbebf
diff --git a/cve/reserved/2024/CVE-2024-27017 b/cve/published/2024/CVE-2024-27017
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-27017
+++ b/cve/published/2024/CVE-2024-27017
diff --git a/cve/published/2024/CVE-2024-27017.json b/cve/published/2024/CVE-2024-27017.json
new file mode 100644
index 00000000..73131ded
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27017.json
@@ -0,0 +1,88 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_pipapo: walk over current view on netlink dump\n\nThe generation mask can be updated while netlink dump is in progress.\nThe pipapo set backend walk iterator cannot rely on it to infer what\nview of the datastructure is to be used. Add notation to specify if user\nwants to read/update the set.\n\nBased on patch from Florian Westphal."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "2b84e215f874",
+ "lessThan": "721715655c72",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "2b84e215f874",
+ "lessThan": "29b359cf6d95",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.4",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "6.4",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8.8",
+ "lessThanOrEqual": "6.8.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.9-rc5",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/721715655c72640567e8742567520c99801148ed"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/29b359cf6d95fd60730533f7f10464e95bd17c73"
+ }
+ ],
+ "title": "netfilter: nft_set_pipapo: walk over current view on netlink dump",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-27017",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
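Review bot: the range entry with "version": "0", "lessThan": "6.4", "status": "unaffected" conflicts with the companion mbox for this CVE, which lists backports of the introducing change into 5.10.186 (2a90da8e0dd5), 5.15.119 (45eb6944d0f5), 6.1.36 (0d836f917520) and 6.3.10 (f661383b5f1a); those stable series carry the same code as 6.4 but this record marks them unaffected, and the git "versions" list has no ranges starting at those four commits. The only fixes referenced are 721715655c72 (6.8.8) and 29b359cf6d95 (6.9-rc5), so either add affected ranges for the backported introducing commits or note that 5.10.y, 5.15.y, 6.1.y and 6.6.y currently have no fix listed.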
diff --git a/cve/published/2024/CVE-2024-27017.mbox b/cve/published/2024/CVE-2024-27017.mbox
new file mode 100644
index 00000000..e82ef0c6
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27017.mbox
@@ -0,0 +1,75 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-27017: netfilter: nft_set_pipapo: walk over current view on netlink dump
+Message-Id: <2024050150-CVE-2024-27017-d867@gregkh>
+Content-Length: 2181
+Lines: 58
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2240;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=jNjdVgLCeJUxdZNvWkYbI0v0+lgFChD94KGvAdJIlGQ=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGmGl7tO2ojnf97Odu/rh8rHpw6/vcS5oIItW2LnEr0dz
+ Yu+3iw+1hHLwiDIxCArpsjyZRvP0f0VhxS9DG1Pw8xhZQIZwsDFKQATudXDMJNRXa/+7r/UX1N+
+ zZhewbRg3fa+MF2GBZ0tZhMsbha8Ljswe9enluyNecGnpwMA
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+netfilter: nft_set_pipapo: walk over current view on netlink dump
+
+The generation mask can be updated while netlink dump is in progress.
+The pipapo set backend walk iterator cannot rely on it to infer what
+view of the datastructure is to be used. Add notation to specify if user
+wants to read/update the set.
+
+Based on patch from Florian Westphal.
+
+The Linux kernel CVE team has assigned CVE-2024-27017 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 6.4 with commit 2b84e215f874 and fixed in 6.8.8 with commit 721715655c72
+ Issue introduced in 6.4 with commit 2b84e215f874 and fixed in 6.9-rc5 with commit 29b359cf6d95
+ Issue introduced in 5.10.186 with commit 2a90da8e0dd5
+ Issue introduced in 5.15.119 with commit 45eb6944d0f5
+ Issue introduced in 6.1.36 with commit 0d836f917520
+ Issue introduced in 6.3.10 with commit f661383b5f1a
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-27017
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ include/net/netfilter/nf_tables.h
+ net/netfilter/nf_tables_api.c
+ net/netfilter/nft_set_pipapo.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/721715655c72640567e8742567520c99801148ed
+ https://git.kernel.org/stable/c/29b359cf6d95fd60730533f7f10464e95bd17c73
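Review bot: the four lines from "Issue introduced in 5.10.186 with commit 2a90da8e0dd5" to "Issue introduced in 6.3.10 with commit f661383b5f1a" have no "and fixed in" counterpart, and the Mitigation section lists only the 6.8.8 and 6.9-rc5 commits, so readers on 5.10.y, 5.15.y, 6.1.y and 6.6.y (the last carries the 6.4 change by version ordering) are told they are affected but are given no commit to apply. Suggest stating explicitly that no stable fix exists yet for those series, and updating the entry when the backports land.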
diff --git a/cve/published/2024/CVE-2024-27017.sha1 b/cve/published/2024/CVE-2024-27017.sha1
new file mode 100644
index 00000000..e1e199e1
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27017.sha1
@@ -0,0 +1 @@
+29b359cf6d95fd60730533f7f10464e95bd17c73
diff --git a/cve/reserved/2024/CVE-2024-27018 b/cve/published/2024/CVE-2024-27018
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-27018
+++ b/cve/published/2024/CVE-2024-27018
diff --git a/cve/published/2024/CVE-2024-27018.json b/cve/published/2024/CVE-2024-27018.json
new file mode 100644
index 00000000..ad2f67e5
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27018.json
@@ -0,0 +1,133 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: br_netfilter: skip conntrack input hook for promisc packets\n\nFor historical reasons, when bridge device is in promisc mode, packets\nthat are directed to the taps follow bridge input hook path. This patch\nadds a workaround to reset conntrack for these packets.\n\nJianbo Liu reports warning splats in their test infrastructure where\ncloned packets reach the br_netfilter input hook to confirm the\nconntrack object.\n\nScratch one bit from BR_INPUT_SKB_CB to annotate that this packet has\nreached the input hook because it is passed up to the bridge device to\nreach the taps.\n\n[ 57.571874] WARNING: CPU: 1 PID: 0 at net/bridge/br_netfilter_hooks.c:616 br_nf_local_in+0x157/0x180 [br_netfilter]\n[ 57.572749] Modules linked in: xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat xt_addrtype xt_conntrack nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_isc si ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core mlx5ctl mlx5_core\n[ 57.575158] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.8.0+ #19\n[ 57.575700] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n[ 57.576662] RIP: 0010:br_nf_local_in+0x157/0x180 [br_netfilter]\n[ 57.577195] Code: fe ff ff 41 bd 04 00 00 00 be 04 00 00 00 e9 4a ff ff ff be 04 00 00 00 48 89 ef e8 f3 a9 3c e1 66 83 ad b4 00 00 00 04 eb 91 <0f> 0b e9 f1 fe ff ff 0f 0b e9 df fe ff ff 48 89 df e8 b3 53 47 e1\n[ 57.578722] RSP: 0018:ffff88885f845a08 EFLAGS: 00010202\n[ 57.579207] RAX: 0000000000000002 RBX: ffff88812dfe8000 RCX: 0000000000000000\n[ 57.579830] RDX: ffff88885f845a60 RSI: ffff8881022dc300 RDI: 0000000000000000\n[ 57.580454] RBP: ffff88885f845a60 R08: 0000000000000001 R09: 0000000000000003\n[ 57.581076] R10: 00000000ffff1300 R11: 0000000000000002 R12: 0000000000000000\n[ 57.581695] R13: 
ffff8881047ffe00 R14: ffff888108dbee00 R15: ffff88814519b800\n[ 57.582313] FS: 0000000000000000(0000) GS:ffff88885f840000(0000) knlGS:0000000000000000\n[ 57.583040] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 57.583564] CR2: 000000c4206aa000 CR3: 0000000103847001 CR4: 0000000000370eb0\n[ 57.584194] DR0: 0000000000000000 DR1: 0000000000000000 DR2:\n0000000000000000\n[ 57.584820] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:\n0000000000000400\n[ 57.585440] Call Trace:\n[ 57.585721] <IRQ>\n[ 57.585976] ? __warn+0x7d/0x130\n[ 57.586323] ? br_nf_local_in+0x157/0x180 [br_netfilter]\n[ 57.586811] ? report_bug+0xf1/0x1c0\n[ 57.587177] ? handle_bug+0x3f/0x70\n[ 57.587539] ? exc_invalid_op+0x13/0x60\n[ 57.587929] ? asm_exc_invalid_op+0x16/0x20\n[ 57.588336] ? br_nf_local_in+0x157/0x180 [br_netfilter]\n[ 57.588825] nf_hook_slow+0x3d/0xd0\n[ 57.589188] ? br_handle_vlan+0x4b/0x110\n[ 57.589579] br_pass_frame_up+0xfc/0x150\n[ 57.589970] ? br_port_flags_change+0x40/0x40\n[ 57.590396] br_handle_frame_finish+0x346/0x5e0\n[ 57.590837] ? ipt_do_table+0x32e/0x430\n[ 57.591221] ? br_handle_local_finish+0x20/0x20\n[ 57.591656] br_nf_hook_thresh+0x4b/0xf0 [br_netfilter]\n[ 57.592286] ? br_handle_local_finish+0x20/0x20\n[ 57.592802] br_nf_pre_routing_finish+0x178/0x480 [br_netfilter]\n[ 57.593348] ? br_handle_local_finish+0x20/0x20\n[ 57.593782] ? nf_nat_ipv4_pre_routing+0x25/0x60 [nf_nat]\n[ 57.594279] br_nf_pre_routing+0x24c/0x550 [br_netfilter]\n[ 57.594780] ? br_nf_hook_thresh+0xf0/0xf0 [br_netfilter]\n[ 57.595280] br_handle_frame+0x1f3/0x3d0\n[ 57.595676] ? br_handle_local_finish+0x20/0x20\n[ 57.596118] ? br_handle_frame_finish+0x5e0/0x5e0\n[ 57.596566] __netif_receive_skb_core+0x25b/0xfc0\n[ 57.597017] ? __napi_build_skb+0x37/0x40\n[ 57.597418] __netif_receive_skb_list_core+0xfb/0x220"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "7c3f28599652",
+ "lessThan": "dceb683ab87c",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "2b1414d5e94e",
+ "lessThan": "b13db0d16bc7",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "80cd0487f630",
+ "lessThan": "3f59ac29dea0",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "62e7151ae3eb",
+ "lessThan": "43193174510e",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "62e7151ae3eb",
+ "lessThan": "751de2012eaf",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.8",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "6.8",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.157",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.88",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.29",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8.8",
+ "lessThanOrEqual": "6.8.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.9-rc5",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/dceb683ab87ca3666a9bb5c0158528b646faedc4"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/b13db0d16bc7b2a52abcf5cb71334f63faa5dbd6"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/3f59ac29dea0921637053908fe99268d157bbb9d"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/43193174510ea4f3ce09b796e559a2fd9f148615"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/751de2012eafa4d46d8081056761fa0e9cc8a178"
+ }
+ ],
+ "title": "netfilter: br_netfilter: skip conntrack input hook for promisc packets",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-27018",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
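Review bot: the entry "version": "0", "lessThan": "6.8", "status": "unaffected" contradicts the git ranges in the same record, which start at 7c3f28599652, 2b1414d5e94e and 80cd0487f630 (the 5.15.151, 6.1.81 and 6.6.21 backports per the companion mbox): under the custom version entries 5.15.151 through 5.15.156, 6.1.81 through 6.1.87 and 6.6.21 through 6.6.28 read as unaffected even though the record's own git ranges mark them affected. The mbox also lists "Issue introduced in 6.7.9 with commit cb734975b0ff", which has neither a git range nor a fix reference here. Separately, the description's embedded splat opens "<IRQ>" and ends at "__netif_receive_skb_list_core+0xfb/0x220" without closing, so the trace appears cut mid-stack; consider ending the description before the register dump instead.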
diff --git a/cve/published/2024/CVE-2024-27018.mbox b/cve/published/2024/CVE-2024-27018.mbox
new file mode 100644
index 00000000..59510f80
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27018.mbox
@@ -0,0 +1,133 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-27018: netfilter: br_netfilter: skip conntrack input hook for promisc packets
+Message-Id: <2024050150-CVE-2024-27018-d8a7@gregkh>
+Content-Length: 5991
+Lines: 116
+X-Developer-Signature: v=1; a=openpgp-sha256; l=6108;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=cLmN+hoN/zJMscQEJKuLFCX9CtjqzLHZtEF1pGvw5EQ=;
+ b=kA0DAAIRMUfUDdst+ykByyZiAGYx04qjjh6CcWQkUKUsA8okSjCMXf4Bmq14tTvc1KolpKSY/
+ ohdBAARAgAdFiEE9LYMxb94wiFKMT3LMUfUDdst+ykFAmYx04oACgkQMUfUDdst+ylcigCgl5cB
+ cKXzynFIEPVi+3uFiPQuhEcAoNNfNN44lvEILzzUJda77datXksp
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+netfilter: br_netfilter: skip conntrack input hook for promisc packets
+
+For historical reasons, when bridge device is in promisc mode, packets
+that are directed to the taps follow bridge input hook path. This patch
+adds a workaround to reset conntrack for these packets.
+
+Jianbo Liu reports warning splats in their test infrastructure where
+cloned packets reach the br_netfilter input hook to confirm the
+conntrack object.
+
+Scratch one bit from BR_INPUT_SKB_CB to annotate that this packet has
+reached the input hook because it is passed up to the bridge device to
+reach the taps.
+
+[ 57.571874] WARNING: CPU: 1 PID: 0 at net/bridge/br_netfilter_hooks.c:616 br_nf_local_in+0x157/0x180 [br_netfilter]
+[ 57.572749] Modules linked in: xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat xt_addrtype xt_conntrack nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_isc si ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core mlx5ctl mlx5_core
+[ 57.575158] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.8.0+ #19
+[ 57.575700] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
+[ 57.576662] RIP: 0010:br_nf_local_in+0x157/0x180 [br_netfilter]
+[ 57.577195] Code: fe ff ff 41 bd 04 00 00 00 be 04 00 00 00 e9 4a ff ff ff be 04 00 00 00 48 89 ef e8 f3 a9 3c e1 66 83 ad b4 00 00 00 04 eb 91 <0f> 0b e9 f1 fe ff ff 0f 0b e9 df fe ff ff 48 89 df e8 b3 53 47 e1
+[ 57.578722] RSP: 0018:ffff88885f845a08 EFLAGS: 00010202
+[ 57.579207] RAX: 0000000000000002 RBX: ffff88812dfe8000 RCX: 0000000000000000
+[ 57.579830] RDX: ffff88885f845a60 RSI: ffff8881022dc300 RDI: 0000000000000000
+[ 57.580454] RBP: ffff88885f845a60 R08: 0000000000000001 R09: 0000000000000003
+[ 57.581076] R10: 00000000ffff1300 R11: 0000000000000002 R12: 0000000000000000
+[ 57.581695] R13: ffff8881047ffe00 R14: ffff888108dbee00 R15: ffff88814519b800
+[ 57.582313] FS: 0000000000000000(0000) GS:ffff88885f840000(0000) knlGS:0000000000000000
+[ 57.583040] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 57.583564] CR2: 000000c4206aa000 CR3: 0000000103847001 CR4: 0000000000370eb0
+[ 57.584194] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
+0000000000000000
+[ 57.584820] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
+0000000000000400
+[ 57.585440] Call Trace:
+[ 57.585721] <IRQ>
+[ 57.585976] ? __warn+0x7d/0x130
+[ 57.586323] ? br_nf_local_in+0x157/0x180 [br_netfilter]
+[ 57.586811] ? report_bug+0xf1/0x1c0
+[ 57.587177] ? handle_bug+0x3f/0x70
+[ 57.587539] ? exc_invalid_op+0x13/0x60
+[ 57.587929] ? asm_exc_invalid_op+0x16/0x20
+[ 57.588336] ? br_nf_local_in+0x157/0x180 [br_netfilter]
+[ 57.588825] nf_hook_slow+0x3d/0xd0
+[ 57.589188] ? br_handle_vlan+0x4b/0x110
+[ 57.589579] br_pass_frame_up+0xfc/0x150
+[ 57.589970] ? br_port_flags_change+0x40/0x40
+[ 57.590396] br_handle_frame_finish+0x346/0x5e0
+[ 57.590837] ? ipt_do_table+0x32e/0x430
+[ 57.591221] ? br_handle_local_finish+0x20/0x20
+[ 57.591656] br_nf_hook_thresh+0x4b/0xf0 [br_netfilter]
+[ 57.592286] ? br_handle_local_finish+0x20/0x20
+[ 57.592802] br_nf_pre_routing_finish+0x178/0x480 [br_netfilter]
+[ 57.593348] ? br_handle_local_finish+0x20/0x20
+[ 57.593782] ? nf_nat_ipv4_pre_routing+0x25/0x60 [nf_nat]
+[ 57.594279] br_nf_pre_routing+0x24c/0x550 [br_netfilter]
+[ 57.594780] ? br_nf_hook_thresh+0xf0/0xf0 [br_netfilter]
+[ 57.595280] br_handle_frame+0x1f3/0x3d0
+[ 57.595676] ? br_handle_local_finish+0x20/0x20
+[ 57.596118] ? br_handle_frame_finish+0x5e0/0x5e0
+[ 57.596566] __netif_receive_skb_core+0x25b/0xfc0
+[ 57.597017] ? __napi_build_skb+0x37/0x40
+[ 57.597418] __netif_receive_skb_list_core+0xfb/0x220
+
+The Linux kernel CVE team has assigned CVE-2024-27018 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.15.151 with commit 7c3f28599652 and fixed in 5.15.157 with commit dceb683ab87c
+ Issue introduced in 6.1.81 with commit 2b1414d5e94e and fixed in 6.1.88 with commit b13db0d16bc7
+ Issue introduced in 6.6.21 with commit 80cd0487f630 and fixed in 6.6.29 with commit 3f59ac29dea0
+ Issue introduced in 6.8 with commit 62e7151ae3eb and fixed in 6.8.8 with commit 43193174510e
+ Issue introduced in 6.8 with commit 62e7151ae3eb and fixed in 6.9-rc5 with commit 751de2012eaf
+ Issue introduced in 6.7.9 with commit cb734975b0ff
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-27018
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ net/bridge/br_input.c
+ net/bridge/br_netfilter_hooks.c
+ net/bridge/br_private.h
+ net/bridge/netfilter/nf_conntrack_bridge.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/dceb683ab87ca3666a9bb5c0158528b646faedc4
+ https://git.kernel.org/stable/c/b13db0d16bc7b2a52abcf5cb71334f63faa5dbd6
+ https://git.kernel.org/stable/c/3f59ac29dea0921637053908fe99268d157bbb9d
+ https://git.kernel.org/stable/c/43193174510ea4f3ce09b796e559a2fd9f148615
+ https://git.kernel.org/stable/c/751de2012eafa4d46d8081056761fa0e9cc8a178
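Review bot: the line "Issue introduced in 6.7.9 with commit cb734975b0ff" has no "and fixed in" counterpart and the Mitigation section carries no 6.7.y commit, so users of that series are marked affected with no fix to apply; say so explicitly or add the backport once it exists. The quoted splat also opens "<IRQ>" and stops at "__netif_receive_skb_list_core+0xfb/0x220" without a closing marker, so the description reads as truncated.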
diff --git a/cve/published/2024/CVE-2024-27018.sha1 b/cve/published/2024/CVE-2024-27018.sha1
new file mode 100644
index 00000000..6e3d67dc
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27018.sha1
@@ -0,0 +1 @@
+751de2012eafa4d46d8081056761fa0e9cc8a178
diff --git a/cve/reserved/2024/CVE-2024-27019 b/cve/published/2024/CVE-2024-27019
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-27019
+++ b/cve/published/2024/CVE-2024-27019
diff --git a/cve/published/2024/CVE-2024-27019.json b/cve/published/2024/CVE-2024-27019.json
new file mode 100644
index 00000000..aa1815aa
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27019.json
@@ -0,0 +1,133 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()\n\nnft_unregister_obj() can concurrent with __nft_obj_type_get(),\nand there is not any protection when iterate over nf_tables_objects\nlist in __nft_obj_type_get(). Therefore, there is potential data-race\nof nf_tables_objects list entry.\n\nUse list_for_each_entry_rcu() to iterate over nf_tables_objects\nlist in __nft_obj_type_get(), and use rcu_read_lock() in the caller\nnft_obj_type_get() to protect the entire type query process."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "e50092404c1b",
+ "lessThan": "379bf7257bc5",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "e50092404c1b",
+ "lessThan": "df7c0fb8c2b9",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "e50092404c1b",
+ "lessThan": "ad333578f736",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "e50092404c1b",
+ "lessThan": "4ca946b19caf",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "e50092404c1b",
+ "lessThan": "d78d867dcea6",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "4.10",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "4.10",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.157",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.88",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.29",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8.8",
+ "lessThanOrEqual": "6.8.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.9-rc5",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/379bf7257bc5f2a1b1ca8514e08a871b7bf6d920"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/df7c0fb8c2b9f9cac65659332581b19682a71349"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/ad333578f736d56920e090d7db1f8dec891d815e"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/4ca946b19caf655a08d5e2266d4d5526025ebb73"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/d78d867dcea69c328db30df665be5be7d0148484"
+ }
+ ],
+ "title": "netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-27019",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-27019.mbox b/cve/published/2024/CVE-2024-27019.mbox
new file mode 100644
index 00000000..b19c242d
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27019.mbox
@@ -0,0 +1,77 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-27019: netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()
+Message-Id: <2024050150-CVE-2024-27019-e3d4@gregkh>
+Content-Length: 2563
+Lines: 60
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2624;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=hMCbn0PfZs2MnaOUGM58hbhv0nMtTAdVdWqgZdZUC5A=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGmGl7umu+25JGfUGZeS8MDycqav90pNhvUiinryU+sln
+ N/Oy3/WEcvCIMjEICumyPJlG8/R/RWHFL0MbU/DzGFlAhnCwMUpABMR38gwP9UuSW1f8SHhuZaL
+ pollKgW+afCsYJgf3JsWMeW9UlD3ypvqp/TNZ5Z0u64BAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()
+
+nft_unregister_obj() can concurrent with __nft_obj_type_get(),
+and there is not any protection when iterate over nf_tables_objects
+list in __nft_obj_type_get(). Therefore, there is potential data-race
+of nf_tables_objects list entry.
+
+Use list_for_each_entry_rcu() to iterate over nf_tables_objects
+list in __nft_obj_type_get(), and use rcu_read_lock() in the caller
+nft_obj_type_get() to protect the entire type query process.
+
+The Linux kernel CVE team has assigned CVE-2024-27019 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 4.10 with commit e50092404c1b and fixed in 5.15.157 with commit 379bf7257bc5
+ Issue introduced in 4.10 with commit e50092404c1b and fixed in 6.1.88 with commit df7c0fb8c2b9
+ Issue introduced in 4.10 with commit e50092404c1b and fixed in 6.6.29 with commit ad333578f736
+ Issue introduced in 4.10 with commit e50092404c1b and fixed in 6.8.8 with commit 4ca946b19caf
+ Issue introduced in 4.10 with commit e50092404c1b and fixed in 6.9-rc5 with commit d78d867dcea6
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-27019
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ net/netfilter/nf_tables_api.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/379bf7257bc5f2a1b1ca8514e08a871b7bf6d920
+ https://git.kernel.org/stable/c/df7c0fb8c2b9f9cac65659332581b19682a71349
+ https://git.kernel.org/stable/c/ad333578f736d56920e090d7db1f8dec891d815e
+ https://git.kernel.org/stable/c/4ca946b19caf655a08d5e2266d4d5526025ebb73
+ https://git.kernel.org/stable/c/d78d867dcea69c328db30df665be5be7d0148484
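Review bot: every line in "Affected and fixed versions" reads "Issue introduced in 4.10 with commit e50092404c1b", but the fixes start at 5.15.157; the 5.4.y and 5.10.y series, which also postdate 4.10, get no "fixed in" line and no entry in the Mitigation list, so readers on those series are affected with no listed fix. Suggest adding a sentence saying no fix is yet available for them rather than leaving their status implicit.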
diff --git a/cve/published/2024/CVE-2024-27019.sha1 b/cve/published/2024/CVE-2024-27019.sha1
new file mode 100644
index 00000000..bdc282e9
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27019.sha1
@@ -0,0 +1 @@
+d78d867dcea69c328db30df665be5be7d0148484
diff --git a/cve/reserved/2024/CVE-2024-27020 b/cve/published/2024/CVE-2024-27020
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-27020
+++ b/cve/published/2024/CVE-2024-27020
diff --git a/cve/published/2024/CVE-2024-27020.json b/cve/published/2024/CVE-2024-27020.json
new file mode 100644
index 00000000..2e26d0af
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27020.json
@@ -0,0 +1,133 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()\n\nnft_unregister_expr() can concurrent with __nft_expr_type_get(),\nand there is not any protection when iterate over nf_tables_expressions\nlist in __nft_expr_type_get(). Therefore, there is potential data-race\nof nf_tables_expressions list entry.\n\nUse list_for_each_entry_rcu() to iterate over nf_tables_expressions\nlist in __nft_expr_type_get(), and use rcu_read_lock() in the caller\nnft_expr_type_get() to protect the entire type query process."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "ef1f7df9170d",
+ "lessThan": "0b6de00206ad",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "ef1f7df9170d",
+ "lessThan": "8d56bad42ac4",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "ef1f7df9170d",
+ "lessThan": "a9ebf340d123",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "ef1f7df9170d",
+ "lessThan": "01f1a678b05a",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "ef1f7df9170d",
+ "lessThan": "f969eb84ce48",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "3.13",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "3.13",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.157",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.88",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.29",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8.8",
+ "lessThanOrEqual": "6.8.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.9-rc5",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/0b6de00206adbbfc6373b3ae38d2a6f197987907"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/8d56bad42ac4c43c6c72ddd6a654a2628bf839c5"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/a9ebf340d123ae12582210407f879d6a5a1bc25b"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/01f1a678b05ade4b1248019c2dcca773aebbeb7f"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/f969eb84ce482331a991079ab7a5c4dc3b7f89bf"
+ }
+ ],
+ "title": "netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-27020",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
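Review bot: the second `affected` block depends on `"defaultStatus": "affected"` to classify every version that none of its `unaffected` ranges match, so a stable branch with no entry here (6.7.y, for instance) is reported as affected even though no fixed commit is listed for it; that is the intended encoding, but confirm that 5.15.157, 6.1.88, 6.6.29, 6.8.8 and 6.9-rc5 are the complete set of fixes at publication time, since the companion mbox states that unaffected versions may change as fixes are backported. The five git ranges all start at ef1f7df9170d and each `lessThan` id is a prefix of one of the five reference URLs, so the two blocks and the references agree with each other.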
diff --git a/cve/published/2024/CVE-2024-27020.mbox b/cve/published/2024/CVE-2024-27020.mbox
new file mode 100644
index 00000000..3ab5d6c9
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27020.mbox
@@ -0,0 +1,77 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-27020: netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()
+Message-Id: <2024050150-CVE-2024-27020-5158@gregkh>
+Content-Length: 2581
+Lines: 60
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2642;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=ZmUSIBi3E/pArvzCj6nE1sI4RQCvbi/Zxrfbh7kDxuE=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGmGl7tOH1jS2s1TrGcwd7pEXHfCM+N/j8XVjZu5D3feN
+ tzu5yLREcvCIMjEICumyPJlG8/R/RWHFL0MbU/DzGFlAhnCwMUpABPZOothnvKZMJEZEm1yxU0O
+ l31WCUQHT0hoZlhwqa7FYYdIeZ4Jk9Z6jgM+eQszgn4DAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()
+
+nft_unregister_expr() can concurrent with __nft_expr_type_get(),
+and there is not any protection when iterate over nf_tables_expressions
+list in __nft_expr_type_get(). Therefore, there is potential data-race
+of nf_tables_expressions list entry.
+
+Use list_for_each_entry_rcu() to iterate over nf_tables_expressions
+list in __nft_expr_type_get(), and use rcu_read_lock() in the caller
+nft_expr_type_get() to protect the entire type query process.
+
+The Linux kernel CVE team has assigned CVE-2024-27020 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 3.13 with commit ef1f7df9170d and fixed in 5.15.157 with commit 0b6de00206ad
+ Issue introduced in 3.13 with commit ef1f7df9170d and fixed in 6.1.88 with commit 8d56bad42ac4
+ Issue introduced in 3.13 with commit ef1f7df9170d and fixed in 6.6.29 with commit a9ebf340d123
+ Issue introduced in 3.13 with commit ef1f7df9170d and fixed in 6.8.8 with commit 01f1a678b05a
+ Issue introduced in 3.13 with commit ef1f7df9170d and fixed in 6.9-rc5 with commit f969eb84ce48
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-27020
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ net/netfilter/nf_tables_api.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/0b6de00206adbbfc6373b3ae38d2a6f197987907
+ https://git.kernel.org/stable/c/8d56bad42ac4c43c6c72ddd6a654a2628bf839c5
+ https://git.kernel.org/stable/c/a9ebf340d123ae12582210407f879d6a5a1bc25b
+ https://git.kernel.org/stable/c/01f1a678b05ade4b1248019c2dcca773aebbeb7f
+ https://git.kernel.org/stable/c/f969eb84ce482331a991079ab7a5c4dc3b7f89bf
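Review bot: the Description section is the upstream commit message copied verbatim, grammar included ("can concurrent with", "when iterate over"), and the identical text is embedded in the `descriptions[].value` string of CVE-2024-27020.json; do not tidy the wording in one file only, as the two copies are meant to stay byte-for-byte identical. The five "Issue introduced in 3.13 with commit ef1f7df9170d and fixed in ..." lines match the JSON git ranges, each abbreviated fix id is a prefix of the corresponding URL in the Mitigation list, and the single file in Affected files (net/netfilter/nf_tables_api.c) is where both __nft_expr_type_get() and nft_expr_type_get() named in the description live.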
diff --git a/cve/published/2024/CVE-2024-27020.sha1 b/cve/published/2024/CVE-2024-27020.sha1
new file mode 100644
index 00000000..1a469a5a
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27020.sha1
@@ -0,0 +1 @@
+f969eb84ce482331a991079ab7a5c4dc3b7f89bf
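Review bot: the tracked hash f969eb84ce482331a991079ab7a5c4dc3b7f89bf is the mainline fix (the 6.9-rc5 entry with `versionType` `original_commit_for_fix` in CVE-2024-27020.json), not the 6.8.8 backport 01f1a678b05a; the same convention is visible in CVE-2024-27019.sha1 above, whose content equals the last URL of that record's Mitigation list, so the .sha1 files in this commit consistently point at the upstream commit rather than a stable backport.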
diff --git a/cve/reserved/2024/CVE-2024-27021 b/cve/published/2024/CVE-2024-27021
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-27021
+++ b/cve/published/2024/CVE-2024-27021
diff --git a/cve/published/2024/CVE-2024-27021.json b/cve/published/2024/CVE-2024-27021.json
new file mode 100644
index 00000000..36008d88
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27021.json
@@ -0,0 +1,88 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nr8169: fix LED-related deadlock on module removal\n\nBinding devm_led_classdev_register() to the netdev is problematic\nbecause on module removal we get a RTNL-related deadlock. Fix this\nby avoiding the device-managed LED functions.\n\nNote: We can safely call led_classdev_unregister() for a LED even\nif registering it failed, because led_classdev_unregister() detects\nthis and is a no-op in this case."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "18764b883e15",
+ "lessThan": "53d986f39acd",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "18764b883e15",
+ "lessThan": "19fa4f2a85d7",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.8",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "6.8",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8.8",
+ "lessThanOrEqual": "6.8.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.9-rc4",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/53d986f39acd8ea11c9e460732bfa5add66360d9"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/19fa4f2a85d777a8052e869c1b892a2f7556569d"
+ }
+ ],
+ "title": "r8169: fix LED-related deadlock on module removal",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-27021",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
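Review bot: this record carries only two git ranges, both starting at 18764b883e15, and the `"version": "0", "lessThan": "6.8", "status": "unaffected"` entry encodes that 6.8 is the first affected release, so there is no older stable branch awaiting a backport; the fixed entries 6.8.8 (53d986f39acd) and 6.9-rc4 (19fa4f2a85d7) are prefixes of the two reference URLs. Note that the description's final "Note:" paragraph about led_classdev_unregister() being a no-op after a failed registration is an implementation remark from the commit message, not a statement about the vulnerability; it is carried verbatim because the record reproduces the full commit text, which is the house convention here.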
diff --git a/cve/published/2024/CVE-2024-27021.mbox b/cve/published/2024/CVE-2024-27021.mbox
new file mode 100644
index 00000000..c404a209
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27021.mbox
@@ -0,0 +1,72 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-27021: r8169: fix LED-related deadlock on module removal
+Message-Id: <2024050151-CVE-2024-27021-6a83@gregkh>
+Content-Length: 2042
+Lines: 55
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2098;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=pUTaU5JzznNu/DJPWzOax75nmBUqPMkVXS96fbdbCsU=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGmGl7szbdv3vutdn7fJiWVG5S3j4k/aZZZz+euXnONyN
+ Huz/uLpjlgWBkEmBlkxRZYv23iO7q84pOhlaHsaZg4rE8gQBi5OAZiIiAbD/GJBk977rxQ9SyRm
+ POsW/1j7m2m9JcN857Yyt5xzhzbkBrLG1DpzlT3YsLwbAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+r8169: fix LED-related deadlock on module removal
+
+Binding devm_led_classdev_register() to the netdev is problematic
+because on module removal we get a RTNL-related deadlock. Fix this
+by avoiding the device-managed LED functions.
+
+Note: We can safely call led_classdev_unregister() for a LED even
+if registering it failed, because led_classdev_unregister() detects
+this and is a no-op in this case.
+
+The Linux kernel CVE team has assigned CVE-2024-27021 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 6.8 with commit 18764b883e15 and fixed in 6.8.8 with commit 53d986f39acd
+ Issue introduced in 6.8 with commit 18764b883e15 and fixed in 6.9-rc4 with commit 19fa4f2a85d7
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-27021
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/net/ethernet/realtek/r8169.h
+ drivers/net/ethernet/realtek/r8169_leds.c
+ drivers/net/ethernet/realtek/r8169_main.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/53d986f39acd8ea11c9e460732bfa5add66360d9
+ https://git.kernel.org/stable/c/19fa4f2a85d777a8052e869c1b892a2f7556569d
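Review bot: the `Lines: 55` header matches the message body exactly (from the "Description" heading through the last Mitigation URL), and the Affected files section lists three files (r8169.h, r8169_leds.c, r8169_main.c), which is consistent with the description's fix of moving away from the device-managed devm_led_classdev_register() call rather than patching a single site; anyone applying the two listed commits outside a full stable update should expect all three files to change. The two "Issue introduced in 6.8 with commit 18764b883e15" lines agree with the JSON record's git ranges and reference URLs.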
diff --git a/cve/published/2024/CVE-2024-27021.sha1 b/cve/published/2024/CVE-2024-27021.sha1
new file mode 100644
index 00000000..46ac93dd
--- /dev/null
+++ b/cve/published/2024/CVE-2024-27021.sha1
@@ -0,0 +1 @@
+19fa4f2a85d777a8052e869c1b892a2f7556569d