authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>2024-04-10 20:58:32 +0200
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2024-04-10 20:58:32 +0200
commit15afe91dc3ce78de6a2696042ce38ff8a95adbc3 (patch)
tree2a10b5794d8ed837f03dbc573f4eb5437895ce46
parentb4fee7ce2b347d3a87d8ef12354b1d7ea8b30922 (diff)
Some more GSD->CVE assignments completed
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--cve/published/2021/CVE-2021-47181 (renamed from cve/reserved/2021/CVE-2021-47181)0
-rw-r--r--cve/published/2021/CVE-2021-47181.json168
-rw-r--r--cve/published/2021/CVE-2021-47181.mbox77
-rw-r--r--cve/published/2021/CVE-2021-47181.sha11
-rw-r--r--cve/published/2021/CVE-2021-47182 (renamed from cve/reserved/2021/CVE-2021-47182)0
-rw-r--r--cve/published/2021/CVE-2021-47182.json78
-rw-r--r--cve/published/2021/CVE-2021-47182.mbox97
-rw-r--r--cve/published/2021/CVE-2021-47182.sha11
-rw-r--r--cve/published/2021/CVE-2021-47183 (renamed from cve/reserved/2021/CVE-2021-47183)0
-rw-r--r--cve/published/2021/CVE-2021-47183.json78
-rw-r--r--cve/published/2021/CVE-2021-47183.mbox78
-rw-r--r--cve/published/2021/CVE-2021-47183.sha11
-rw-r--r--cve/published/2021/CVE-2021-47184 (renamed from cve/reserved/2021/CVE-2021-47184)0
-rw-r--r--cve/published/2021/CVE-2021-47184.json148
-rw-r--r--cve/published/2021/CVE-2021-47184.mbox77
-rw-r--r--cve/published/2021/CVE-2021-47184.sha11
-rw-r--r--cve/published/2021/CVE-2021-47185 (renamed from cve/reserved/2021/CVE-2021-47185)0
-rw-r--r--cve/published/2021/CVE-2021-47185.json168
-rw-r--r--cve/published/2021/CVE-2021-47185.mbox109
-rw-r--r--cve/published/2021/CVE-2021-47185.sha11
-rw-r--r--cve/published/2021/CVE-2021-47186 (renamed from cve/reserved/2021/CVE-2021-47186)0
-rw-r--r--cve/published/2021/CVE-2021-47186.json93
-rw-r--r--cve/published/2021/CVE-2021-47186.mbox71
-rw-r--r--cve/published/2021/CVE-2021-47186.sha11
-rw-r--r--cve/published/2021/CVE-2021-47187 (renamed from cve/reserved/2021/CVE-2021-47187)0
-rw-r--r--cve/published/2021/CVE-2021-47187.json108
-rw-r--r--cve/published/2021/CVE-2021-47187.mbox85
-rw-r--r--cve/published/2021/CVE-2021-47187.sha11
-rw-r--r--cve/published/2021/CVE-2021-47188 (renamed from cve/reserved/2021/CVE-2021-47188)0
-rw-r--r--cve/published/2021/CVE-2021-47188.json88
-rw-r--r--cve/published/2021/CVE-2021-47188.mbox80
-rw-r--r--cve/published/2021/CVE-2021-47188.sha11
-rw-r--r--cve/published/2021/CVE-2021-47189 (renamed from cve/reserved/2021/CVE-2021-47189)0
-rw-r--r--cve/published/2021/CVE-2021-47189.json178
-rw-r--r--cve/published/2021/CVE-2021-47189.mbox108
-rw-r--r--cve/published/2021/CVE-2021-47189.sha11
-rw-r--r--cve/published/2021/CVE-2021-47190 (renamed from cve/reserved/2021/CVE-2021-47190)0
-rw-r--r--cve/published/2021/CVE-2021-47190.json118
-rw-r--r--cve/published/2021/CVE-2021-47190.mbox77
-rw-r--r--cve/published/2021/CVE-2021-47190.sha11
-rw-r--r--cve/published/2021/CVE-2021-47191 (renamed from cve/reserved/2021/CVE-2021-47191)0
-rw-r--r--cve/published/2021/CVE-2021-47191.json93
-rw-r--r--cve/published/2021/CVE-2021-47191.mbox110
-rw-r--r--cve/published/2021/CVE-2021-47191.sha11
-rw-r--r--cve/published/2021/CVE-2021-47192 (renamed from cve/reserved/2021/CVE-2021-47192)0
-rw-r--r--cve/published/2021/CVE-2021-47192.json118
-rw-r--r--cve/published/2021/CVE-2021-47192.mbox92
-rw-r--r--cve/published/2021/CVE-2021-47192.sha11
-rw-r--r--cve/published/2021/CVE-2021-47193 (renamed from cve/reserved/2021/CVE-2021-47193)0
-rw-r--r--cve/published/2021/CVE-2021-47193.json78
-rw-r--r--cve/published/2021/CVE-2021-47193.mbox68
-rw-r--r--cve/published/2021/CVE-2021-47193.sha11
-rw-r--r--cve/published/2021/CVE-2021-47194 (renamed from cve/reserved/2021/CVE-2021-47194)0
-rw-r--r--cve/published/2021/CVE-2021-47194.json178
-rw-r--r--cve/published/2021/CVE-2021-47194.mbox81
-rw-r--r--cve/published/2021/CVE-2021-47194.sha11
-rw-r--r--cve/published/2021/CVE-2021-47195 (renamed from cve/reserved/2021/CVE-2021-47195)0
-rw-r--r--cve/published/2021/CVE-2021-47195.json88
-rw-r--r--cve/published/2021/CVE-2021-47195.mbox74
-rw-r--r--cve/published/2021/CVE-2021-47195.sha11
-rw-r--r--cve/published/2021/CVE-2021-47196 (renamed from cve/reserved/2021/CVE-2021-47196)0
-rw-r--r--cve/published/2021/CVE-2021-47196.json88
-rw-r--r--cve/published/2021/CVE-2021-47196.mbox117
-rw-r--r--cve/published/2021/CVE-2021-47196.sha11
-rw-r--r--cve/published/2021/CVE-2021-47197 (renamed from cve/reserved/2021/CVE-2021-47197)0
-rw-r--r--cve/published/2021/CVE-2021-47197.json103
-rw-r--r--cve/published/2021/CVE-2021-47197.mbox111
-rw-r--r--cve/published/2021/CVE-2021-47197.sha11
-rw-r--r--cve/published/2021/CVE-2021-47198 (renamed from cve/reserved/2021/CVE-2021-47198)0
-rw-r--r--cve/published/2021/CVE-2021-47198.json78
-rw-r--r--cve/published/2021/CVE-2021-47198.mbox75
-rw-r--r--cve/published/2021/CVE-2021-47198.sha11
-rw-r--r--cve/published/2021/CVE-2021-47199 (renamed from cve/reserved/2021/CVE-2021-47199)0
-rw-r--r--cve/published/2021/CVE-2021-47199.json88
-rw-r--r--cve/published/2021/CVE-2021-47199.mbox93
-rw-r--r--cve/published/2021/CVE-2021-47199.sha11
-rw-r--r--cve/published/2021/CVE-2021-47200 (renamed from cve/reserved/2021/CVE-2021-47200)0
-rw-r--r--cve/published/2021/CVE-2021-47200.json88
-rw-r--r--cve/published/2021/CVE-2021-47200.mbox75
-rw-r--r--cve/published/2021/CVE-2021-47200.sha11
-rw-r--r--cve/published/2021/CVE-2021-47201 (renamed from cve/reserved/2021/CVE-2021-47201)0
-rw-r--r--cve/published/2021/CVE-2021-47201.json118
-rw-r--r--cve/published/2021/CVE-2021-47201.mbox72
-rw-r--r--cve/published/2021/CVE-2021-47201.sha11
-rw-r--r--cve/published/2021/CVE-2021-47202 (renamed from cve/reserved/2021/CVE-2021-47202)0
-rw-r--r--cve/published/2021/CVE-2021-47202.json123
-rw-r--r--cve/published/2021/CVE-2021-47202.mbox97
-rw-r--r--cve/published/2021/CVE-2021-47202.sha11
-rw-r--r--cve/published/2021/CVE-2021-47203 (renamed from cve/reserved/2021/CVE-2021-47203)0
-rw-r--r--cve/published/2021/CVE-2021-47203.json168
-rw-r--r--cve/published/2021/CVE-2021-47203.mbox88
-rw-r--r--cve/published/2021/CVE-2021-47203.sha11
-rw-r--r--cve/published/2021/CVE-2021-47204 (renamed from cve/reserved/2021/CVE-2021-47204)0
-rw-r--r--cve/published/2021/CVE-2021-47204.json118
-rw-r--r--cve/published/2021/CVE-2021-47204.mbox69
-rw-r--r--cve/published/2021/CVE-2021-47204.sha11
-rw-r--r--cve/published/2021/CVE-2021-47205 (renamed from cve/reserved/2021/CVE-2021-47205)0
-rw-r--r--cve/published/2021/CVE-2021-47205.json78
-rw-r--r--cve/published/2021/CVE-2021-47205.mbox97
-rw-r--r--cve/published/2021/CVE-2021-47205.sha11
-rw-r--r--cve/published/2021/CVE-2021-47206 (renamed from cve/reserved/2021/CVE-2021-47206)0
-rw-r--r--cve/published/2021/CVE-2021-47206.json168
-rw-r--r--cve/published/2021/CVE-2021-47206.mbox77
-rw-r--r--cve/published/2021/CVE-2021-47206.sha11
-rw-r--r--cve/published/2021/CVE-2021-47207 (renamed from cve/reserved/2021/CVE-2021-47207)0
-rw-r--r--cve/published/2021/CVE-2021-47207.json168
-rw-r--r--cve/published/2021/CVE-2021-47207.mbox78
-rw-r--r--cve/published/2021/CVE-2021-47207.sha11
108 files changed, 5526 insertions, 0 deletions
diff --git a/cve/reserved/2021/CVE-2021-47181 b/cve/published/2021/CVE-2021-47181
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47181
+++ b/cve/published/2021/CVE-2021-47181
diff --git a/cve/published/2021/CVE-2021-47181.json b/cve/published/2021/CVE-2021-47181.json
new file mode 100644
index 00000000..a18134f1
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47181.json
@@ -0,0 +1,168 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: musb: tusb6010: check return value after calling platform_get_resource()\n\nIt will cause null-ptr-deref if platform_get_resource() returns NULL,\nwe need check the return value."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "1ba7605856e0",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "b3f43659eb0b",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "28be095eb612",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "f87a79c04a33",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "3ee15f1af174",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "679eee466d0f",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "06cfb4cb2241",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "14651496a3de",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "4.4.293",
+ "lessThanOrEqual": "4.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.9.291",
+ "lessThanOrEqual": "4.9.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.14.256",
+ "lessThanOrEqual": "4.14.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.19.218",
+ "lessThanOrEqual": "4.19.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.162",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.82",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.5",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.16",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/1ba7605856e05fa991d4654ac69e5ace66c767b9"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/b3f43659eb0b9af2e6ef18a8d829374610b19e7a"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/28be095eb612a489705d38c210afaf1103c5f4f8"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/f87a79c04a33ab4e5be598c7b0867e6ef193d702"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/3ee15f1af17407be381bcf06a78fa60b471242dd"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/679eee466d0f9ffa60a2b0c6ec19be5128927f04"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/06cfb4cb2241e704d72e3045cf4d7dfb567fbce0"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/14651496a3de6807a17c310f63c894ea0c5d858e"
+ }
+ ],
+ "title": "usb: musb: tusb6010: check return value after calling platform_get_resource()",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47181",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
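Review bot: Every entry in the first `affected` block starts its git range at `1da177e4c3f4`, the initial commit of the kernel's git history, and the second block sets `defaultStatus` to `affected` with no lower-bound entry, so a scanner reading this record will treat every release older than the listed fixes as vulnerable. CVE-2021-47184.json in this same commit shows the fuller form: a specific starting commit plus `"version": "3.12", "status": "affected"` and a `"version": "0", "lessThan": "3.12"` unaffected entry. If the commit that added the unchecked platform_get_resource() call can be identified, I would replace `"version": "1da177e4c3f4"` with `"version": "<introducing-commit>"` (placeholder) and add the matching release entries; the same applies to CVE-2021-47182.json and CVE-2021-47183.json. The file is emitted by bippy, so presumably the change belongs in the generator's input rather than in a hand edit.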
diff --git a/cve/published/2021/CVE-2021-47181.mbox b/cve/published/2021/CVE-2021-47181.mbox
new file mode 100644
index 00000000..8a22980e
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47181.mbox
@@ -0,0 +1,77 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47181: usb: musb: tusb6010: check return value after calling platform_get_resource()
+Message-Id: <2024041029-CVE-2021-47181-13bb@gregkh>
+Content-Length: 2325
+Lines: 60
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2386;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=UigZN89bopwqDK1Se7LmpxEb+FdmkpgBe2q8FbzVzJk=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGliDyU/9L1QXhT475R/3OV5IWubt1zOqWoI3mrwjGEdv
+ zC7duTbjlgWBkEmBlkxRZYv23iO7q84pOhlaHsaZg4rE8gQBi5OAZhIFwvDgt0d96sFc65LajPM
+ WKjumddtJvQxhWHBlLq+qcbMZeWGtV1nzc6t3LJUd/dDAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+usb: musb: tusb6010: check return value after calling platform_get_resource()
+
+It will cause null-ptr-deref if platform_get_resource() returns NULL,
+we need check the return value.
+
+The Linux kernel CVE team has assigned CVE-2021-47181 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 4.4.293 with commit 1ba7605856e0
+ Fixed in 4.9.291 with commit b3f43659eb0b
+ Fixed in 4.14.256 with commit 28be095eb612
+ Fixed in 4.19.218 with commit f87a79c04a33
+ Fixed in 5.4.162 with commit 3ee15f1af174
+ Fixed in 5.10.82 with commit 679eee466d0f
+ Fixed in 5.15.5 with commit 06cfb4cb2241
+ Fixed in 5.16 with commit 14651496a3de
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47181
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/usb/musb/tusb6010.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/1ba7605856e05fa991d4654ac69e5ace66c767b9
+ https://git.kernel.org/stable/c/b3f43659eb0b9af2e6ef18a8d829374610b19e7a
+ https://git.kernel.org/stable/c/28be095eb612a489705d38c210afaf1103c5f4f8
+ https://git.kernel.org/stable/c/f87a79c04a33ab4e5be598c7b0867e6ef193d702
+ https://git.kernel.org/stable/c/3ee15f1af17407be381bcf06a78fa60b471242dd
+ https://git.kernel.org/stable/c/679eee466d0f9ffa60a2b0c6ec19be5128927f04
+ https://git.kernel.org/stable/c/06cfb4cb2241e704d72e3045cf4d7dfb567fbce0
+ https://git.kernel.org/stable/c/14651496a3de6807a17c310f63c894ea0c5d858e
diff --git a/cve/published/2021/CVE-2021-47181.sha1 b/cve/published/2021/CVE-2021-47181.sha1
new file mode 100644
index 00000000..d156092e
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47181.sha1
@@ -0,0 +1 @@
+14651496a3de6807a17c310f63c894ea0c5d858e
diff --git a/cve/reserved/2021/CVE-2021-47182 b/cve/published/2021/CVE-2021-47182
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47182
+++ b/cve/published/2021/CVE-2021-47182
diff --git a/cve/published/2021/CVE-2021-47182.json b/cve/published/2021/CVE-2021-47182.json
new file mode 100644
index 00000000..06ee26b3
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47182.json
@@ -0,0 +1,78 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: Fix scsi_mode_sense() buffer length handling\n\nSeveral problems exist with scsi_mode_sense() buffer length handling:\n\n 1) The allocation length field of the MODE SENSE(10) command is 16-bits,\n occupying bytes 7 and 8 of the CDB. With this command, access to mode\n pages larger than 255 bytes is thus possible. However, the CDB\n allocation length field is set by assigning len to byte 8 only, thus\n truncating buffer length larger than 255.\n\n 2) If scsi_mode_sense() is called with len smaller than 8 with\n sdev->use_10_for_ms set, or smaller than 4 otherwise, the buffer length\n is increased to 8 and 4 respectively, and the buffer is zero filled\n with these increased values, thus corrupting the memory following the\n buffer.\n\nFix these 2 problems by using put_unaligned_be16() to set the allocation\nlength field of MODE SENSE(10) CDB and by returning an error when len is\ntoo small.\n\nFurthermore, if len is larger than 255B, always try MODE SENSE(10) first,\neven if the device driver did not set sdev->use_10_for_ms. In case of\ninvalid opcode error for MODE SENSE(10), access to mode pages larger than\n255 bytes are not retried using MODE SENSE(6). To avoid buffer length\noverflows for the MODE_SENSE(10) case, check that len is smaller than 65535\nbytes.\n\nWhile at it, also fix the folowing:\n\n * Use get_unaligned_be16() to retrieve the mode data length and block\n descriptor length fields of the mode sense reply header instead of using\n an open coded calculation.\n\n * Fix the kdoc dbd argument explanation: the DBD bit stands for Disable\n Block Descriptor, which is the opposite of what the dbd argument\n description was."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "e15de347faf4",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "17b49bcbf835",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.15.5",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.16",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/e15de347faf4a9f494cbd4e9a623d343dc1b5851"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/17b49bcbf8351d3dbe57204468ac34f033ed60bc"
+ }
+ ],
+ "title": "scsi: core: Fix scsi_mode_sense() buffer length handling",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47182",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2021/CVE-2021-47182.mbox b/cve/published/2021/CVE-2021-47182.mbox
new file mode 100644
index 00000000..11185c86
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47182.mbox
@@ -0,0 +1,97 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47182: scsi: core: Fix scsi_mode_sense() buffer length handling
+Message-Id: <2024041032-CVE-2021-47182-377e@gregkh>
+Content-Length: 3105
+Lines: 80
+X-Developer-Signature: v=1; a=openpgp-sha256; l=3186;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=gSu/8q55ioBM4G7a2YOvWM8dwIe3lTT8sOvtF46A1Xc=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGliD2XmiL2+kC/G1m/N+od145dbTKc49f+JcWt4KH5W9
+ L3st29iRwwLgyATg6yYIsuXbTxH91ccUvQytD0NM4eVCWQIAxenAEzkQifD9OIQTulb7DkZd98r
+ L30stc3VtT+VYcGVK5ds77a/PFW39Zq2WmnoL+nYKHMA
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+scsi: core: Fix scsi_mode_sense() buffer length handling
+
+Several problems exist with scsi_mode_sense() buffer length handling:
+
+ 1) The allocation length field of the MODE SENSE(10) command is 16-bits,
+ occupying bytes 7 and 8 of the CDB. With this command, access to mode
+ pages larger than 255 bytes is thus possible. However, the CDB
+ allocation length field is set by assigning len to byte 8 only, thus
+ truncating buffer length larger than 255.
+
+ 2) If scsi_mode_sense() is called with len smaller than 8 with
+ sdev->use_10_for_ms set, or smaller than 4 otherwise, the buffer length
+ is increased to 8 and 4 respectively, and the buffer is zero filled
+ with these increased values, thus corrupting the memory following the
+ buffer.
+
+Fix these 2 problems by using put_unaligned_be16() to set the allocation
+length field of MODE SENSE(10) CDB and by returning an error when len is
+too small.
+
+Furthermore, if len is larger than 255B, always try MODE SENSE(10) first,
+even if the device driver did not set sdev->use_10_for_ms. In case of
+invalid opcode error for MODE SENSE(10), access to mode pages larger than
+255 bytes are not retried using MODE SENSE(6). To avoid buffer length
+overflows for the MODE_SENSE(10) case, check that len is smaller than 65535
+bytes.
+
+While at it, also fix the folowing:
+
+ * Use get_unaligned_be16() to retrieve the mode data length and block
+ descriptor length fields of the mode sense reply header instead of using
+ an open coded calculation.
+
+ * Fix the kdoc dbd argument explanation: the DBD bit stands for Disable
+ Block Descriptor, which is the opposite of what the dbd argument
+ description was.
+
+The Linux kernel CVE team has assigned CVE-2021-47182 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 5.15.5 with commit e15de347faf4
+ Fixed in 5.16 with commit 17b49bcbf835
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47182
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/scsi/scsi_lib.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/e15de347faf4a9f494cbd4e9a623d343dc1b5851
+ https://git.kernel.org/stable/c/17b49bcbf8351d3dbe57204468ac34f033ed60bc
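Review bot: The "Affected and fixed versions" section lists fixes only for 5.15.5 and 5.16 and says nothing about older stable series, while the companion JSON marks everything before those fixes as affected. A reader on a 5.10.y or 4.19.y kernel (series for which CVE-2021-47181.mbox in this commit does list fixes) cannot tell from this announcement whether the scsi_mode_sense() zero-fill past the caller's buffer applies there without a backport, or whether that code was never vulnerable there. I would add one sentence under the list, along the lines of `No fix is listed for stable series older than 5.15; their status has not been determined.`, or an introduced-in line once the introducing commit is known. CVE-2021-47183.mbox has the same gap.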
diff --git a/cve/published/2021/CVE-2021-47182.sha1 b/cve/published/2021/CVE-2021-47182.sha1
new file mode 100644
index 00000000..bfff046b
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47182.sha1
@@ -0,0 +1 @@
+17b49bcbf8351d3dbe57204468ac34f033ed60bc
diff --git a/cve/reserved/2021/CVE-2021-47183 b/cve/published/2021/CVE-2021-47183
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47183
+++ b/cve/published/2021/CVE-2021-47183
diff --git a/cve/published/2021/CVE-2021-47183.json b/cve/published/2021/CVE-2021-47183.json
new file mode 100644
index 00000000..b7171435
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47183.json
@@ -0,0 +1,78 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix link down processing to address NULL pointer dereference\n\nIf an FC link down transition while PLOGIs are outstanding to fabric well\nknown addresses, outstanding ABTS requests may result in a NULL pointer\ndereference. Driver unload requests may hang with repeated \"2878\" log\nmessages.\n\nThe Link down processing results in ABTS requests for outstanding ELS\nrequests. The Abort WQEs are sent for the ELSs before the driver had set\nthe link state to down. Thus the driver is sending the Abort with the\nexpectation that an ABTS will be sent on the wire. The Abort request is\nstalled waiting for the link to come up. In some conditions the driver may\nauto-complete the ELSs thus if the link does come up, the Abort completions\nmay reference an invalid structure.\n\nFix by ensuring that Abort set the flag to avoid link traffic if issued due\nto conditions where the link failed."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "28de48a7cea4",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "1854f53ccd88",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.15.5",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.16",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/28de48a7cea495ab48082d9ff4ef63f7cb4e563a"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/1854f53ccd88ad4e7568ddfafafffe71f1ceb0a6"
+ }
+ ],
+ "title": "scsi: lpfc: Fix link down processing to address NULL pointer dereference",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47183",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2021/CVE-2021-47183.mbox b/cve/published/2021/CVE-2021-47183.mbox
new file mode 100644
index 00000000..fb0b396c
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47183.mbox
@@ -0,0 +1,78 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47183: scsi: lpfc: Fix link down processing to address NULL pointer dereference
+Message-Id: <2024041033-CVE-2021-47183-e130@gregkh>
+Content-Length: 2328
+Lines: 61
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2390;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=FMsA1FP2z7Z0y/BFudwSZ7okPaihye1YhZksWxDpioU=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGliD2Wf/1ir1hKrpxS7Mp5ju1zja4n9T3grzn1g/Owzt
+ +q875vGjlgWBkEmBlkxRZYv23iO7q84pOhlaHsaZg4rE8gQBi5OAZjI+3MMs9nELVcL6P137uJv
+ 9jv8J6JKTPisIsN8X1/FebbHQysk1AqkJgSucFy2MeEDAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+scsi: lpfc: Fix link down processing to address NULL pointer dereference
+
+If an FC link down transition while PLOGIs are outstanding to fabric well
+known addresses, outstanding ABTS requests may result in a NULL pointer
+dereference. Driver unload requests may hang with repeated "2878" log
+messages.
+
+The Link down processing results in ABTS requests for outstanding ELS
+requests. The Abort WQEs are sent for the ELSs before the driver had set
+the link state to down. Thus the driver is sending the Abort with the
+expectation that an ABTS will be sent on the wire. The Abort request is
+stalled waiting for the link to come up. In some conditions the driver may
+auto-complete the ELSs thus if the link does come up, the Abort completions
+may reference an invalid structure.
+
+Fix by ensuring that Abort set the flag to avoid link traffic if issued due
+to conditions where the link failed.
+
+The Linux kernel CVE team has assigned CVE-2021-47183 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 5.15.5 with commit 28de48a7cea4
+ Fixed in 5.16 with commit 1854f53ccd88
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47183
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/scsi/lpfc/lpfc_sli.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/28de48a7cea495ab48082d9ff4ef63f7cb4e563a
+ https://git.kernel.org/stable/c/1854f53ccd88ad4e7568ddfafafffe71f1ceb0a6
diff --git a/cve/published/2021/CVE-2021-47183.sha1 b/cve/published/2021/CVE-2021-47183.sha1
new file mode 100644
index 00000000..3bdff3d4
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47183.sha1
@@ -0,0 +1 @@
+1854f53ccd88ad4e7568ddfafafffe71f1ceb0a6
diff --git a/cve/reserved/2021/CVE-2021-47184 b/cve/published/2021/CVE-2021-47184
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47184
+++ b/cve/published/2021/CVE-2021-47184
diff --git a/cve/published/2021/CVE-2021-47184.json b/cve/published/2021/CVE-2021-47184.json
new file mode 100644
index 00000000..38632738
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47184.json
@@ -0,0 +1,148 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Fix NULL ptr dereference on VSI filter sync\n\nRemove the reason of null pointer dereference in sync VSI filters.\nAdded new I40E_VSI_RELEASING flag to signalize deleting and releasing\nof VSI resources to sync this thread with sync filters subtask.\nWithout this patch it is possible to start update the VSI filter list\nafter VSI is removed, that's causing a kernel oops."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "41c445ff0f48",
+ "lessThan": "78f2a9e831f9",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "41c445ff0f48",
+ "lessThan": "87c421ab4a43",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "41c445ff0f48",
+ "lessThan": "c30162da9132",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "41c445ff0f48",
+ "lessThan": "f866513ead43",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "41c445ff0f48",
+ "lessThan": "e91e8427a1e1",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "41c445ff0f48",
+ "lessThan": "37d9e304acd9",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "3.12",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "3.12",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.14.256",
+ "lessThanOrEqual": "4.14.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.19.218",
+ "lessThanOrEqual": "4.19.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.162",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.82",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.5",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.16",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/78f2a9e831f9610e3655a0be5e675e1aa2472089"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/87c421ab4a43433cb009fea44bbbc77f46913e1d"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/c30162da91327e4cdf7cd03079f096bb3654738c"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/f866513ead4370402428ef724b03c3312295c178"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/e91e8427a1e1633a0261e3bb0201c836ac5b3890"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/37d9e304acd903a445df8208b8a13d707902dea6"
+ }
+ ],
+ "title": "i40e: Fix NULL ptr dereference on VSI filter sync",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47184",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
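Review bot: The `affected` entries in this record carry no file information, while the matching CVE-2021-47184.mbox lists `drivers/net/ethernet/intel/i40e/i40e.h` and `drivers/net/ethernet/intel/i40e/i40e_main.c` under "Affected files". Anyone triaging from the JSON alone cannot tell that only builds which include the i40e driver are exposed to this NULL pointer dereference. The CVE 5.0 `affected` object accepts a `programFiles` array, for example `"programFiles": ["drivers/net/ethernet/intel/i40e/i40e.h", "drivers/net/ethernet/intel/i40e/i40e_main.c"]`, which would carry that scoping in structured form. The file is emitted by bippy according to `x_generator`, so the change presumably belongs in the generator. The CVE-2021-47185, CVE-2021-47186 and CVE-2021-47187 JSON hunks have the same gap.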
diff --git a/cve/published/2021/CVE-2021-47184.mbox b/cve/published/2021/CVE-2021-47184.mbox
new file mode 100644
index 00000000..2d5d1fcc
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47184.mbox
@@ -0,0 +1,77 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47184: i40e: Fix NULL ptr dereference on VSI filter sync
+Message-Id: <2024041033-CVE-2021-47184-7544@gregkh>
+Content-Length: 2664
+Lines: 60
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2725;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=Fcx1zJmw/yfeCt60TgdEGzPlBDz6mkZ7Fb1nqFE8ypo=;
+ b=kA0DAAIRMUfUDdst+ykByyZiAGYW4R2iM1s9rHXT5DaK3ZR6uAeLkQ5woPwhar8YSD9fn6Vtj
+ 4hdBAARAgAdFiEE9LYMxb94wiFKMT3LMUfUDdst+ykFAmYW4R0ACgkQMUfUDdst+ylGtgCaA/Ss
+ fYBZy2zhqAR+zSEKaAGuhAgAnipP80mvo2FLrzEa6/EbTLnBwHT6
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+i40e: Fix NULL ptr dereference on VSI filter sync
+
+Remove the reason of null pointer dereference in sync VSI filters.
+Added new I40E_VSI_RELEASING flag to signalize deleting and releasing
+of VSI resources to sync this thread with sync filters subtask.
+Without this patch it is possible to start update the VSI filter list
+after VSI is removed, that's causing a kernel oops.
+
+The Linux kernel CVE team has assigned CVE-2021-47184 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 3.12 with commit 41c445ff0f48 and fixed in 4.14.256 with commit 78f2a9e831f9
+ Issue introduced in 3.12 with commit 41c445ff0f48 and fixed in 4.19.218 with commit 87c421ab4a43
+ Issue introduced in 3.12 with commit 41c445ff0f48 and fixed in 5.4.162 with commit c30162da9132
+ Issue introduced in 3.12 with commit 41c445ff0f48 and fixed in 5.10.82 with commit f866513ead43
+ Issue introduced in 3.12 with commit 41c445ff0f48 and fixed in 5.15.5 with commit e91e8427a1e1
+ Issue introduced in 3.12 with commit 41c445ff0f48 and fixed in 5.16 with commit 37d9e304acd9
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47184
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/net/ethernet/intel/i40e/i40e.h
+ drivers/net/ethernet/intel/i40e/i40e_main.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/78f2a9e831f9610e3655a0be5e675e1aa2472089
+ https://git.kernel.org/stable/c/87c421ab4a43433cb009fea44bbbc77f46913e1d
+ https://git.kernel.org/stable/c/c30162da91327e4cdf7cd03079f096bb3654738c
+ https://git.kernel.org/stable/c/f866513ead4370402428ef724b03c3312295c178
+ https://git.kernel.org/stable/c/e91e8427a1e1633a0261e3bb0201c836ac5b3890
+ https://git.kernel.org/stable/c/37d9e304acd903a445df8208b8a13d707902dea6
diff --git a/cve/published/2021/CVE-2021-47184.sha1 b/cve/published/2021/CVE-2021-47184.sha1
new file mode 100644
index 00000000..09d0eeee
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47184.sha1
@@ -0,0 +1 @@
+37d9e304acd903a445df8208b8a13d707902dea6
diff --git a/cve/reserved/2021/CVE-2021-47185 b/cve/published/2021/CVE-2021-47185
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47185
+++ b/cve/published/2021/CVE-2021-47185
diff --git a/cve/published/2021/CVE-2021-47185.json b/cve/published/2021/CVE-2021-47185.json
new file mode 100644
index 00000000..9997aab1
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47185.json
@@ -0,0 +1,168 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: tty_buffer: Fix the softlockup issue in flush_to_ldisc\n\nWhen running ltp testcase(ltp/testcases/kernel/pty/pty04.c) with arm64, there is a soft lockup,\nwhich look like this one:\n\n Workqueue: events_unbound flush_to_ldisc\n Call trace:\n dump_backtrace+0x0/0x1ec\n show_stack+0x24/0x30\n dump_stack+0xd0/0x128\n panic+0x15c/0x374\n watchdog_timer_fn+0x2b8/0x304\n __run_hrtimer+0x88/0x2c0\n __hrtimer_run_queues+0xa4/0x120\n hrtimer_interrupt+0xfc/0x270\n arch_timer_handler_phys+0x40/0x50\n handle_percpu_devid_irq+0x94/0x220\n __handle_domain_irq+0x88/0xf0\n gic_handle_irq+0x84/0xfc\n el1_irq+0xc8/0x180\n slip_unesc+0x80/0x214 [slip]\n tty_ldisc_receive_buf+0x64/0x80\n tty_port_default_receive_buf+0x50/0x90\n flush_to_ldisc+0xbc/0x110\n process_one_work+0x1d4/0x4b0\n worker_thread+0x180/0x430\n kthread+0x11c/0x120\n\nIn the testcase pty04, The first process call the write syscall to send\ndata to the pty master. At the same time, the workqueue will do the\nflush_to_ldisc to pop data in a loop until there is no more data left.\nWhen the sender and workqueue running in different core, the sender sends\ndata fastly in full time which will result in workqueue doing work in loop\nfor a long time and occuring softlockup in flush_to_ldisc with kernel\nconfigured without preempt. So I add need_resched check and cond_resched\nin the flush_to_ldisc loop to avoid it."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "0380f643f3a7",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "b1ffc16ec05a",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "4c1623651a09",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "4f300f47dbcf",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "d491c84df5c4",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "77e9fed33056",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "5c34486f0470",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "3968ddcf05fb",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "4.4.293",
+ "lessThanOrEqual": "4.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.9.291",
+ "lessThanOrEqual": "4.9.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.14.256",
+ "lessThanOrEqual": "4.14.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.19.218",
+ "lessThanOrEqual": "4.19.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.162",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.82",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.5",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.16",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/0380f643f3a7a61b0845cdc738959c2ad5735d61"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/b1ffc16ec05ae40d82b6e373322d62e9d6b54fbc"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/4c1623651a0936ee197859824cdae6ebbd04d3ed"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/4f300f47dbcf9c3d4b2ea76c8554c8f360400725"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/d491c84df5c469dd9621863b6a770b3428137063"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/77e9fed33056f2a88eba9dd4d2d5412f0c7d1f41"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/5c34486f04700f1ba04907231dce0cc2705c2d7d"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/3968ddcf05fb4b9409cd1859feb06a5b0550a1c1"
+ }
+ ],
+ "title": "tty: tty_buffer: Fix the softlockup issue in flush_to_ldisc",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47185",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
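Review bot: All eight git ranges start at `"version": "1da177e4c3f4"`, the first commit in the kernel git history, and the second `affected` block sets `"defaultStatus": "affected"` with no lower bound, so the record marks every kernel before each listed fix as affected instead of naming where the bug was introduced. Version-matching tools will therefore flag every older tree, including branches that have no listed fix. If the introducing commit can be determined, the record should follow the shape used in CVE-2021-47184.json: `"version": "<introducing-commit>"` in the git ranges, plus a `{"version": "<first-affected-release>", "status": "affected"}` entry and a matching `"lessThan"` unaffected range. The CVE-2021-47186 and CVE-2021-47187 JSON hunks have the same open-ended range. For CVE-2021-47187 the only affected file named in its mbox is a single SoC device tree, which presumably did not exist at that first commit.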
diff --git a/cve/published/2021/CVE-2021-47185.mbox b/cve/published/2021/CVE-2021-47185.mbox
new file mode 100644
index 00000000..130ef40b
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47185.mbox
@@ -0,0 +1,109 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47185: tty: tty_buffer: Fix the softlockup issue in flush_to_ldisc
+Message-Id: <2024041033-CVE-2021-47185-c363@gregkh>
+Content-Length: 3532
+Lines: 92
+X-Developer-Signature: v=1; a=openpgp-sha256; l=3625;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=u857mcppAKQFOOt/WrQtdlqJBPFnKrRZzay0/bMe0Y0=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGliD2WfeyY9jNff3h++Qv5X1MR9EybXvqsweL3iV9cTJ
+ febZye3dcSyMAgyMciKKbJ82cZzdH/FIUUvQ9vTMHNYmUCGMHBxCsBEPhxhWHD+kYn+Q9bp/6US
+ OAWnLFacybTNbS3D/Ni3D2+eX3V9x52r8kevnL2xVirb7QkA
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+tty: tty_buffer: Fix the softlockup issue in flush_to_ldisc
+
+When running ltp testcase(ltp/testcases/kernel/pty/pty04.c) with arm64, there is a soft lockup,
+which look like this one:
+
+ Workqueue: events_unbound flush_to_ldisc
+ Call trace:
+ dump_backtrace+0x0/0x1ec
+ show_stack+0x24/0x30
+ dump_stack+0xd0/0x128
+ panic+0x15c/0x374
+ watchdog_timer_fn+0x2b8/0x304
+ __run_hrtimer+0x88/0x2c0
+ __hrtimer_run_queues+0xa4/0x120
+ hrtimer_interrupt+0xfc/0x270
+ arch_timer_handler_phys+0x40/0x50
+ handle_percpu_devid_irq+0x94/0x220
+ __handle_domain_irq+0x88/0xf0
+ gic_handle_irq+0x84/0xfc
+ el1_irq+0xc8/0x180
+ slip_unesc+0x80/0x214 [slip]
+ tty_ldisc_receive_buf+0x64/0x80
+ tty_port_default_receive_buf+0x50/0x90
+ flush_to_ldisc+0xbc/0x110
+ process_one_work+0x1d4/0x4b0
+ worker_thread+0x180/0x430
+ kthread+0x11c/0x120
+
+In the testcase pty04, The first process call the write syscall to send
+data to the pty master. At the same time, the workqueue will do the
+flush_to_ldisc to pop data in a loop until there is no more data left.
+When the sender and workqueue running in different core, the sender sends
+data fastly in full time which will result in workqueue doing work in loop
+for a long time and occuring softlockup in flush_to_ldisc with kernel
+configured without preempt. So I add need_resched check and cond_resched
+in the flush_to_ldisc loop to avoid it.
+
+The Linux kernel CVE team has assigned CVE-2021-47185 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 4.4.293 with commit 0380f643f3a7
+ Fixed in 4.9.291 with commit b1ffc16ec05a
+ Fixed in 4.14.256 with commit 4c1623651a09
+ Fixed in 4.19.218 with commit 4f300f47dbcf
+ Fixed in 5.4.162 with commit d491c84df5c4
+ Fixed in 5.10.82 with commit 77e9fed33056
+ Fixed in 5.15.5 with commit 5c34486f0470
+ Fixed in 5.16 with commit 3968ddcf05fb
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47185
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/tty/tty_buffer.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/0380f643f3a7a61b0845cdc738959c2ad5735d61
+ https://git.kernel.org/stable/c/b1ffc16ec05ae40d82b6e373322d62e9d6b54fbc
+ https://git.kernel.org/stable/c/4c1623651a0936ee197859824cdae6ebbd04d3ed
+ https://git.kernel.org/stable/c/4f300f47dbcf9c3d4b2ea76c8554c8f360400725
+ https://git.kernel.org/stable/c/d491c84df5c469dd9621863b6a770b3428137063
+ https://git.kernel.org/stable/c/77e9fed33056f2a88eba9dd4d2d5412f0c7d1f41
+ https://git.kernel.org/stable/c/5c34486f04700f1ba04907231dce0cc2705c2d7d
+ https://git.kernel.org/stable/c/3968ddcf05fb4b9409cd1859feb06a5b0550a1c1
diff --git a/cve/published/2021/CVE-2021-47185.sha1 b/cve/published/2021/CVE-2021-47185.sha1
new file mode 100644
index 00000000..d2a314ea
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47185.sha1
@@ -0,0 +1 @@
+3968ddcf05fb4b9409cd1859feb06a5b0550a1c1
diff --git a/cve/reserved/2021/CVE-2021-47186 b/cve/published/2021/CVE-2021-47186
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47186
+++ b/cve/published/2021/CVE-2021-47186
diff --git a/cve/published/2021/CVE-2021-47186.json b/cve/published/2021/CVE-2021-47186.json
new file mode 100644
index 00000000..1c30b29f
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47186.json
@@ -0,0 +1,93 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: check for null after calling kmemdup\n\nkmemdup can return a null pointer so need to check for it, otherwise\nthe null key will be dereferenced later in tipc_crypto_key_xmit as\ncan be seen in the trace [1].\n\n\n[1] https://syzkaller.appspot.com/bug?id=bca180abb29567b189efdbdb34cbf7ba851c2a58"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "a7d91625863d",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "9404c4145542",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "3e6db079751a",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.10.82",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.5",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.16",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/a7d91625863d4ffed63b993b5e6dc1298b6430c9"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/9404c4145542c23019a80ab1bb2ecf73cd057b10"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/3e6db079751afd527bf3db32314ae938dc571916"
+ }
+ ],
+ "title": "tipc: check for null after calling kmemdup",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47186",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2021/CVE-2021-47186.mbox b/cve/published/2021/CVE-2021-47186.mbox
new file mode 100644
index 00000000..1b846582
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47186.mbox
@@ -0,0 +1,71 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47186: tipc: check for null after calling kmemdup
+Message-Id: <2024041033-CVE-2021-47186-7287@gregkh>
+Content-Length: 1841
+Lines: 54
+X-Developer-Signature: v=1; a=openpgp-sha256; l=1896;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=j8C5GKxwntog9mC5ClABekTS5rHSQUUtCWGUiIL3/88=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGliD2XNaq3zX5SyVB3uXKMkdefPGT3rFSm+qq1dc0osr
+ Dt+FW/oiGVhEGRikBVTZPmyjefo/opDil6Gtqdh5rAygQxh4OIUgIl0eDAs2FYekzmB8XD9wlmV
+ IW33bG+6sKm8Y5jv33zc4erNX4+Mz53x/JWhmmfbfj4KAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+tipc: check for null after calling kmemdup
+
+kmemdup can return a null pointer so need to check for it, otherwise
+the null key will be dereferenced later in tipc_crypto_key_xmit as
+can be seen in the trace [1].
+
+
+[1] https://syzkaller.appspot.com/bug?id=bca180abb29567b189efdbdb34cbf7ba851c2a58
+
+The Linux kernel CVE team has assigned CVE-2021-47186 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 5.10.82 with commit a7d91625863d
+ Fixed in 5.15.5 with commit 9404c4145542
+ Fixed in 5.16 with commit 3e6db079751a
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47186
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ net/tipc/crypto.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/a7d91625863d4ffed63b993b5e6dc1298b6430c9
+ https://git.kernel.org/stable/c/9404c4145542c23019a80ab1bb2ecf73cd057b10
+ https://git.kernel.org/stable/c/3e6db079751afd527bf3db32314ae938dc571916
diff --git a/cve/published/2021/CVE-2021-47186.sha1 b/cve/published/2021/CVE-2021-47186.sha1
new file mode 100644
index 00000000..f3a9a0e8
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47186.sha1
@@ -0,0 +1 @@
+3e6db079751afd527bf3db32314ae938dc571916
diff --git a/cve/reserved/2021/CVE-2021-47187 b/cve/published/2021/CVE-2021-47187
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47187
+++ b/cve/published/2021/CVE-2021-47187
diff --git a/cve/published/2021/CVE-2021-47187.json b/cve/published/2021/CVE-2021-47187.json
new file mode 100644
index 00000000..7c647f72
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47187.json
@@ -0,0 +1,108 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: dts: qcom: msm8998: Fix CPU/L2 idle state latency and residency\n\nThe entry/exit latency and minimum residency in state for the idle\nstates of MSM8998 were ..bad: first of all, for all of them the\ntimings were written for CPU sleep but the min-residency-us param\nwas miscalculated (supposedly, while porting this from downstream);\nThen, the power collapse states are setting PC on both the CPU\ncluster *and* the L2 cache, which have different timings: in the\nspecific case of L2 the times are higher so these ones should be\ntaken into account instead of the CPU ones.\n\nThis parameter misconfiguration was not giving particular issues\nbecause on MSM8998 there was no CPU scaling at all, so cluster/L2\npower collapse was rarely (if ever) hit.\nWhen CPU scaling is enabled, though, the wrong timings will produce\nSoC unstability shown to the user as random, apparently error-less,\nsudden reboots and/or lockups.\n\nThis set of parameters are stabilizing the SoC when CPU scaling is\nON and when power collapse is frequently hit."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "a14d7038ea20",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "e52fecdd0c14",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "118c826ef8b4",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "3f1dcaff642e",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.4.162",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.82",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.5",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.16",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/a14d7038ea201c5526375becfc43b9ba281b1e82"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/e52fecdd0c142b95c720683885b06ee3f0e065c8"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/118c826ef8b43efe0fda8faf419673707ee8c5e5"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/3f1dcaff642e75c1d2ad03f783fa8a3b1f56dd50"
+ }
+ ],
+ "title": "arm64: dts: qcom: msm8998: Fix CPU/L2 idle state latency and residency",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47187",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2021/CVE-2021-47187.mbox b/cve/published/2021/CVE-2021-47187.mbox
new file mode 100644
index 00000000..24aac9a5
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47187.mbox
@@ -0,0 +1,85 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47187: arm64: dts: qcom: msm8998: Fix CPU/L2 idle state latency and residency
+Message-Id: <2024041034-CVE-2021-47187-b158@gregkh>
+Content-Length: 2712
+Lines: 68
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2781;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=NrC62ak5WVRH/YWBcfI/dclxZ0cX7T581qRIZlARvJ8=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGliD+X+pp9OmHKHnUtN+vU9o8v588yabLZ1aE3kPLB42
+ ikNBrO+jlgWBkEmBlkxRZYv23iO7q84pOhlaHsaZg4rE8gQBi5OAZjIz8kM83M81HvY7P+mP3Ka
+ vePx9b9PevhSzBkW3CjKzf0XuvPQWV82Pet5O9nUfj7OAwA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+arm64: dts: qcom: msm8998: Fix CPU/L2 idle state latency and residency
+
+The entry/exit latency and minimum residency in state for the idle
+states of MSM8998 were ..bad: first of all, for all of them the
+timings were written for CPU sleep but the min-residency-us param
+was miscalculated (supposedly, while porting this from downstream);
+Then, the power collapse states are setting PC on both the CPU
+cluster *and* the L2 cache, which have different timings: in the
+specific case of L2 the times are higher so these ones should be
+taken into account instead of the CPU ones.
+
+This parameter misconfiguration was not giving particular issues
+because on MSM8998 there was no CPU scaling at all, so cluster/L2
+power collapse was rarely (if ever) hit.
+When CPU scaling is enabled, though, the wrong timings will produce
+SoC unstability shown to the user as random, apparently error-less,
+sudden reboots and/or lockups.
+
+This set of parameters are stabilizing the SoC when CPU scaling is
+ON and when power collapse is frequently hit.
+
+The Linux kernel CVE team has assigned CVE-2021-47187 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 5.4.162 with commit a14d7038ea20
+ Fixed in 5.10.82 with commit e52fecdd0c14
+ Fixed in 5.15.5 with commit 118c826ef8b4
+ Fixed in 5.16 with commit 3f1dcaff642e
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47187
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ arch/arm64/boot/dts/qcom/msm8998.dtsi
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/a14d7038ea201c5526375becfc43b9ba281b1e82
+ https://git.kernel.org/stable/c/e52fecdd0c142b95c720683885b06ee3f0e065c8
+ https://git.kernel.org/stable/c/118c826ef8b43efe0fda8faf419673707ee8c5e5
+ https://git.kernel.org/stable/c/3f1dcaff642e75c1d2ad03f783fa8a3b1f56dd50
diff --git a/cve/published/2021/CVE-2021-47187.sha1 b/cve/published/2021/CVE-2021-47187.sha1
new file mode 100644
index 00000000..8462d368
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47187.sha1
@@ -0,0 +1 @@
+3f1dcaff642e75c1d2ad03f783fa8a3b1f56dd50
diff --git a/cve/reserved/2021/CVE-2021-47188 b/cve/published/2021/CVE-2021-47188
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47188
+++ b/cve/published/2021/CVE-2021-47188
diff --git a/cve/published/2021/CVE-2021-47188.json b/cve/published/2021/CVE-2021-47188.json
new file mode 100644
index 00000000..163bc369
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47188.json
@@ -0,0 +1,88 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: Improve SCSI abort handling\n\nThe following has been observed on a test setup:\n\nWARNING: CPU: 4 PID: 250 at drivers/scsi/ufs/ufshcd.c:2737 ufshcd_queuecommand+0x468/0x65c\nCall trace:\n ufshcd_queuecommand+0x468/0x65c\n scsi_send_eh_cmnd+0x224/0x6a0\n scsi_eh_test_devices+0x248/0x418\n scsi_eh_ready_devs+0xc34/0xe58\n scsi_error_handler+0x204/0x80c\n kthread+0x150/0x1b4\n ret_from_fork+0x10/0x30\n\nThat warning is triggered by the following statement:\n\n\tWARN_ON(lrbp->cmd);\n\nFix this warning by clearing lrbp->cmd from the abort handler."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "7a3e97b0dc4b",
+ "lessThan": "c36baca06efa",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "7a3e97b0dc4b",
+ "lessThan": "3ff1f6b6ba6f",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "3.4",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "3.4",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.5",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.16",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/c36baca06efa833adaefba61f45fefdc49b6d070"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/3ff1f6b6ba6f97f50862aa50e79959cc8ddc2566"
+ }
+ ],
+ "title": "scsi: ufs: core: Improve SCSI abort handling",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47188",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
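Review bot: The `descriptions` value in this record reproduces the commit message and its `WARN_ON(lrbp->cmd)` trace without saying what the consequence is, so a reader triaging CVE-2021-47188 cannot tell a log warning from a crash. Presumably the warning is fatal only on systems running with `panic_on_warn` set; that should be confirmed and stated in one sentence, for example `Impact: kernel WARN in ufshcd_queuecommand() during SCSI error handling`. The version list also marks only 5.15.5 and 5.16 as unaffected while dating the issue to 3.4, so per this record every other stable series stays affected. The .mbox hunk for the same CVE repeats both points.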
diff --git a/cve/published/2021/CVE-2021-47188.mbox b/cve/published/2021/CVE-2021-47188.mbox
new file mode 100644
index 00000000..e1913367
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47188.mbox
@@ -0,0 +1,80 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47188: scsi: ufs: core: Improve SCSI abort handling
+Message-Id: <2024041034-CVE-2021-47188-092a@gregkh>
+Content-Length: 2092
+Lines: 63
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2156;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=RFS9BnBiwUhzxEx8gvwA+pulQmWmtMSYdZp5LWs9SwY=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGliD+VMt66bwM1qHizoe8JMXqLZdp45y1G/Peu0tr/8c
+ o95matmRywLgyATg6yYIsuXbTxH91ccUvQytD0NM4eVCWQIAxenAEzEYinDPFOGiP/z/70PNpGZ
+ cPS/6sPVyn2NUxjmWZSVhNSdX3KI3ejQK50zyfFSRZNuAgA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+scsi: ufs: core: Improve SCSI abort handling
+
+The following has been observed on a test setup:
+
+WARNING: CPU: 4 PID: 250 at drivers/scsi/ufs/ufshcd.c:2737 ufshcd_queuecommand+0x468/0x65c
+Call trace:
+ ufshcd_queuecommand+0x468/0x65c
+ scsi_send_eh_cmnd+0x224/0x6a0
+ scsi_eh_test_devices+0x248/0x418
+ scsi_eh_ready_devs+0xc34/0xe58
+ scsi_error_handler+0x204/0x80c
+ kthread+0x150/0x1b4
+ ret_from_fork+0x10/0x30
+
+That warning is triggered by the following statement:
+
+ WARN_ON(lrbp->cmd);
+
+Fix this warning by clearing lrbp->cmd from the abort handler.
+
+The Linux kernel CVE team has assigned CVE-2021-47188 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 3.4 with commit 7a3e97b0dc4b and fixed in 5.15.5 with commit c36baca06efa
+ Issue introduced in 3.4 with commit 7a3e97b0dc4b and fixed in 5.16 with commit 3ff1f6b6ba6f
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47188
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/scsi/ufs/ufshcd.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/c36baca06efa833adaefba61f45fefdc49b6d070
+ https://git.kernel.org/stable/c/3ff1f6b6ba6f97f50862aa50e79959cc8ddc2566
diff --git a/cve/published/2021/CVE-2021-47188.sha1 b/cve/published/2021/CVE-2021-47188.sha1
new file mode 100644
index 00000000..9354a5f1
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47188.sha1
@@ -0,0 +1 @@
+3ff1f6b6ba6f97f50862aa50e79959cc8ddc2566
diff --git a/cve/reserved/2021/CVE-2021-47189 b/cve/published/2021/CVE-2021-47189
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47189
+++ b/cve/published/2021/CVE-2021-47189
diff --git a/cve/published/2021/CVE-2021-47189.json b/cve/published/2021/CVE-2021-47189.json
new file mode 100644
index 00000000..10daca0e
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47189.json
@@ -0,0 +1,178 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix memory ordering between normal and ordered work functions\n\nOrdered work functions aren't guaranteed to be handled by the same thread\nwhich executed the normal work functions. The only way execution between\nnormal/ordered functions is synchronized is via the WORK_DONE_BIT,\nunfortunately the used bitops don't guarantee any ordering whatsoever.\n\nThis manifested as seemingly inexplicable crashes on ARM64, where\nasync_chunk::inode is seen as non-null in async_cow_submit which causes\nsubmit_compressed_extents to be called and crash occurs because\nasync_chunk::inode suddenly became NULL. The call trace was similar to:\n\n pc : submit_compressed_extents+0x38/0x3d0\n lr : async_cow_submit+0x50/0xd0\n sp : ffff800015d4bc20\n\n <registers omitted for brevity>\n\n Call trace:\n submit_compressed_extents+0x38/0x3d0\n async_cow_submit+0x50/0xd0\n run_ordered_work+0xc8/0x280\n btrfs_work_helper+0x98/0x250\n process_one_work+0x1f0/0x4ac\n worker_thread+0x188/0x504\n kthread+0x110/0x114\n ret_from_fork+0x10/0x18\n\nFix this by adding respective barrier calls which ensure that all\naccesses preceding setting of WORK_DONE_BIT are strictly ordered before\nsetting the flag. At the same time add a read barrier after reading of\nWORK_DONE_BIT in run_ordered_work which ensures all subsequent loads\nwould be strictly ordered after reading the bit. This in turn ensures\nare all accesses before WORK_DONE_BIT are going to be strictly ordered\nbefore any access that can occur in ordered_func."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "08a9ff326418",
+ "lessThan": "bd660a20fea3",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "08a9ff326418",
+ "lessThan": "637d652d351f",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "08a9ff326418",
+ "lessThan": "804a9d239ae9",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "08a9ff326418",
+ "lessThan": "ed058d735a70",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "08a9ff326418",
+ "lessThan": "670f6b3867c8",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "08a9ff326418",
+ "lessThan": "6adbc07ebcaf",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "08a9ff326418",
+ "lessThan": "47e6f9f69153",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "08a9ff326418",
+ "lessThan": "45da9c1767ac",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "3.15",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "3.15",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.4.293",
+ "lessThanOrEqual": "4.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.9.291",
+ "lessThanOrEqual": "4.9.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.14.256",
+ "lessThanOrEqual": "4.14.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.19.218",
+ "lessThanOrEqual": "4.19.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.162",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.82",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.5",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.16",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/bd660a20fea3ec60a49709ef5360f145ec0fe779"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/637d652d351fd4f263ef302dc52f3971d314e500"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/804a9d239ae9cbe88e861a7cd62319cc6ec7b136"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/ed058d735a70f4b063323f1a7bb33cda0f987513"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/670f6b3867c8f0f11e5097f353b164cecfec6179"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/6adbc07ebcaf8bead08b21687d49e0fc94400987"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/47e6f9f69153247109042010f3a77579e9dc61ff"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/45da9c1767ac31857df572f0a909fbe88fd5a7e9"
+ }
+ ],
+ "title": "btrfs: fix memory ordering between normal and ordered work functions",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47189",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2021/CVE-2021-47189.mbox b/cve/published/2021/CVE-2021-47189.mbox
new file mode 100644
index 00000000..ffde7ea3
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47189.mbox
@@ -0,0 +1,108 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47189: btrfs: fix memory ordering between normal and ordered work functions
+Message-Id: <2024041034-CVE-2021-47189-a3f4@gregkh>
+Content-Length: 4095
+Lines: 91
+X-Developer-Signature: v=1; a=openpgp-sha256; l=4187;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=epdioKh963yINnPS4joby6xnZTmTZHU7ei8UcvC2JdA=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGliD+W+5ooVqfxjjBTIMHacxGhdX/Nlx2qOjZcNLJUyO
+ Iz9axQ7YlkYBJkYZMUUWb5s4zm6v+KQopeh7WmYOaxMIEMYuDgFYCIiEQzzPS233TWe8HdP9EqP
+ xGP9nlZMMdrmDAua/YSrb6k//vxy6ooel4mfPlVK7MoBAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+btrfs: fix memory ordering between normal and ordered work functions
+
+Ordered work functions aren't guaranteed to be handled by the same thread
+which executed the normal work functions. The only way execution between
+normal/ordered functions is synchronized is via the WORK_DONE_BIT,
+unfortunately the used bitops don't guarantee any ordering whatsoever.
+
+This manifested as seemingly inexplicable crashes on ARM64, where
+async_chunk::inode is seen as non-null in async_cow_submit which causes
+submit_compressed_extents to be called and crash occurs because
+async_chunk::inode suddenly became NULL. The call trace was similar to:
+
+ pc : submit_compressed_extents+0x38/0x3d0
+ lr : async_cow_submit+0x50/0xd0
+ sp : ffff800015d4bc20
+
+ <registers omitted for brevity>
+
+ Call trace:
+ submit_compressed_extents+0x38/0x3d0
+ async_cow_submit+0x50/0xd0
+ run_ordered_work+0xc8/0x280
+ btrfs_work_helper+0x98/0x250
+ process_one_work+0x1f0/0x4ac
+ worker_thread+0x188/0x504
+ kthread+0x110/0x114
+ ret_from_fork+0x10/0x18
+
+Fix this by adding respective barrier calls which ensure that all
+accesses preceding setting of WORK_DONE_BIT are strictly ordered before
+setting the flag. At the same time add a read barrier after reading of
+WORK_DONE_BIT in run_ordered_work which ensures all subsequent loads
+would be strictly ordered after reading the bit. This in turn ensures
+are all accesses before WORK_DONE_BIT are going to be strictly ordered
+before any access that can occur in ordered_func.
+
+The Linux kernel CVE team has assigned CVE-2021-47189 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 3.15 with commit 08a9ff326418 and fixed in 4.4.293 with commit bd660a20fea3
+ Issue introduced in 3.15 with commit 08a9ff326418 and fixed in 4.9.291 with commit 637d652d351f
+ Issue introduced in 3.15 with commit 08a9ff326418 and fixed in 4.14.256 with commit 804a9d239ae9
+ Issue introduced in 3.15 with commit 08a9ff326418 and fixed in 4.19.218 with commit ed058d735a70
+ Issue introduced in 3.15 with commit 08a9ff326418 and fixed in 5.4.162 with commit 670f6b3867c8
+ Issue introduced in 3.15 with commit 08a9ff326418 and fixed in 5.10.82 with commit 6adbc07ebcaf
+ Issue introduced in 3.15 with commit 08a9ff326418 and fixed in 5.15.5 with commit 47e6f9f69153
+ Issue introduced in 3.15 with commit 08a9ff326418 and fixed in 5.16 with commit 45da9c1767ac
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47189
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ fs/btrfs/async-thread.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/bd660a20fea3ec60a49709ef5360f145ec0fe779
+ https://git.kernel.org/stable/c/637d652d351fd4f263ef302dc52f3971d314e500
+ https://git.kernel.org/stable/c/804a9d239ae9cbe88e861a7cd62319cc6ec7b136
+ https://git.kernel.org/stable/c/ed058d735a70f4b063323f1a7bb33cda0f987513
+ https://git.kernel.org/stable/c/670f6b3867c8f0f11e5097f353b164cecfec6179
+ https://git.kernel.org/stable/c/6adbc07ebcaf8bead08b21687d49e0fc94400987
+ https://git.kernel.org/stable/c/47e6f9f69153247109042010f3a77579e9dc61ff
+ https://git.kernel.org/stable/c/45da9c1767ac31857df572f0a909fbe88fd5a7e9
diff --git a/cve/published/2021/CVE-2021-47189.sha1 b/cve/published/2021/CVE-2021-47189.sha1
new file mode 100644
index 00000000..35ac020a
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47189.sha1
@@ -0,0 +1 @@
+45da9c1767ac31857df572f0a909fbe88fd5a7e9
diff --git a/cve/reserved/2021/CVE-2021-47190 b/cve/published/2021/CVE-2021-47190
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47190
+++ b/cve/published/2021/CVE-2021-47190
diff --git a/cve/published/2021/CVE-2021-47190.json b/cve/published/2021/CVE-2021-47190.json
new file mode 100644
index 00000000..2b0c7fb9
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47190.json
@@ -0,0 +1,118 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf bpf: Avoid memory leak from perf_env__insert_btf()\n\nperf_env__insert_btf() doesn't insert if a duplicate BTF id is\nencountered and this causes a memory leak. Modify the function to return\na success/error value and then free the memory if insertion didn't\nhappen.\n\nv2. Adds a return -1 when the insertion error occurs in\n perf_env__fetch_btf. This doesn't affect anything as the result is\n never checked."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "3792cb2ff43b",
+ "lessThan": "642fc22210a5",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "3792cb2ff43b",
+ "lessThan": "11589d3144bc",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "3792cb2ff43b",
+ "lessThan": "ab7c3d8d81c5",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "3792cb2ff43b",
+ "lessThan": "4924b1f7c467",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.1",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.1",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.162",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.82",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.5",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.16",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/642fc22210a5e59d40b1e4d56d21ec3effd401f2"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/11589d3144bc4e272e0aae46ce8156162e99babc"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/ab7c3d8d81c511ddfb27823fb07081c96422b56e"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/4924b1f7c46711762fd0e65c135ccfbcfd6ded1f"
+ }
+ ],
+ "title": "perf bpf: Avoid memory leak from perf_env__insert_btf()",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47190",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2021/CVE-2021-47190.mbox b/cve/published/2021/CVE-2021-47190.mbox
new file mode 100644
index 00000000..f4c3893a
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47190.mbox
@@ -0,0 +1,77 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47190: perf bpf: Avoid memory leak from perf_env__insert_btf()
+Message-Id: <2024041034-CVE-2021-47190-0261@gregkh>
+Content-Length: 2347
+Lines: 60
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2408;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=9S1SqgNmsUi39M5f25z87ECGqX3YySciEpweRqRJOlI=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGliD+V2t619NOPJZFEFxcunoqKXKOXF3MlvmWhXPnH2p
+ 2kuizsedMSyMAgyMciKKbJ82cZzdH/FIUUvQ9vTMHNYmUCGMHBxCsBE3n5mmMm4gPXk3CVPW8pf
+ 34xdIepo+GPJ07UM8z3/LUh2Kn155/+aoI837nYk3/n6phoA
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+perf bpf: Avoid memory leak from perf_env__insert_btf()
+
+perf_env__insert_btf() doesn't insert if a duplicate BTF id is
+encountered and this causes a memory leak. Modify the function to return
+a success/error value and then free the memory if insertion didn't
+happen.
+
+v2. Adds a return -1 when the insertion error occurs in
+ perf_env__fetch_btf. This doesn't affect anything as the result is
+ never checked.
+
+The Linux kernel CVE team has assigned CVE-2021-47190 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.1 with commit 3792cb2ff43b and fixed in 5.4.162 with commit 642fc22210a5
+ Issue introduced in 5.1 with commit 3792cb2ff43b and fixed in 5.10.82 with commit 11589d3144bc
+ Issue introduced in 5.1 with commit 3792cb2ff43b and fixed in 5.15.5 with commit ab7c3d8d81c5
+ Issue introduced in 5.1 with commit 3792cb2ff43b and fixed in 5.16 with commit 4924b1f7c467
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47190
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ tools/perf/util/bpf-event.c
+ tools/perf/util/env.c
+ tools/perf/util/env.h
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/642fc22210a5e59d40b1e4d56d21ec3effd401f2
+ https://git.kernel.org/stable/c/11589d3144bc4e272e0aae46ce8156162e99babc
+ https://git.kernel.org/stable/c/ab7c3d8d81c511ddfb27823fb07081c96422b56e
+ https://git.kernel.org/stable/c/4924b1f7c46711762fd0e65c135ccfbcfd6ded1f
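Review bot: Every path under "Affected files" is in `tools/perf/util/`, which is the userspace perf tool rather than kernel code, yet the version lines above and the matching CVE-2021-47190.json hunk express the range as kernel releases for product `Linux`. A scanner keyed on the running kernel version will therefore flag hosts whether or not a perf binary built from those trees is installed. I would add a line under the file list such as `Note: the affected code is the perf userspace tool, not the kernel image`. The `v2.` paragraph in the description is patch-revision history and could be dropped from the record text.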
diff --git a/cve/published/2021/CVE-2021-47190.sha1 b/cve/published/2021/CVE-2021-47190.sha1
new file mode 100644
index 00000000..434f6355
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47190.sha1
@@ -0,0 +1 @@
+4924b1f7c46711762fd0e65c135ccfbcfd6ded1f
diff --git a/cve/reserved/2021/CVE-2021-47191 b/cve/published/2021/CVE-2021-47191
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47191
+++ b/cve/published/2021/CVE-2021-47191
diff --git a/cve/published/2021/CVE-2021-47191.json b/cve/published/2021/CVE-2021-47191.json
new file mode 100644
index 00000000..f9df0597
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47191.json
@@ -0,0 +1,93 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: scsi_debug: Fix out-of-bound read in resp_readcap16()\n\nThe following warning was observed running syzkaller:\n\n[ 3813.830724] sg_write: data in/out 65466/242 bytes for SCSI command 0x9e-- guessing data in;\n[ 3813.830724] program syz-executor not setting count and/or reply_len properly\n[ 3813.836956] ==================================================================\n[ 3813.839465] BUG: KASAN: stack-out-of-bounds in sg_copy_buffer+0x157/0x1e0\n[ 3813.841773] Read of size 4096 at addr ffff8883cf80f540 by task syz-executor/1549\n[ 3813.846612] Call Trace:\n[ 3813.846995] dump_stack+0x108/0x15f\n[ 3813.847524] print_address_description+0xa5/0x372\n[ 3813.848243] kasan_report.cold+0x236/0x2a8\n[ 3813.849439] check_memory_region+0x240/0x270\n[ 3813.850094] memcpy+0x30/0x80\n[ 3813.850553] sg_copy_buffer+0x157/0x1e0\n[ 3813.853032] sg_copy_from_buffer+0x13/0x20\n[ 3813.853660] fill_from_dev_buffer+0x135/0x370\n[ 3813.854329] resp_readcap16+0x1ac/0x280\n[ 3813.856917] schedule_resp+0x41f/0x1630\n[ 3813.858203] scsi_debug_queuecommand+0xb32/0x17e0\n[ 3813.862699] scsi_dispatch_cmd+0x330/0x950\n[ 3813.863329] scsi_request_fn+0xd8e/0x1710\n[ 3813.863946] __blk_run_queue+0x10b/0x230\n[ 3813.864544] blk_execute_rq_nowait+0x1d8/0x400\n[ 3813.865220] sg_common_write.isra.0+0xe61/0x2420\n[ 3813.871637] sg_write+0x6c8/0xef0\n[ 3813.878853] __vfs_write+0xe4/0x800\n[ 3813.883487] vfs_write+0x17b/0x530\n[ 3813.884008] ksys_write+0x103/0x270\n[ 3813.886268] __x64_sys_write+0x77/0xc0\n[ 3813.886841] do_syscall_64+0x106/0x360\n[ 3813.887415] entry_SYSCALL_64_after_hwframe+0x44/0xa9\n\nThis issue can be reproduced with the following syzkaller log:\n\nr0 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\\x00', 0x26e1, 0x0)\nr1 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000000)='fd/3\\x00')\nopen_by_handle_at(r1, &(0x7f00000003c0)=ANY=[@ANYRESHEX], 0x602000)\nr2 = 
syz_open_dev$sg(&(0x7f0000000000), 0x0, 0x40782)\nwrite$binfmt_aout(r2, &(0x7f0000000340)=ANY=[@ANYBLOB=\"00000000deff000000000000000000000000000000000000000000000000000047f007af9e107a41ec395f1bded7be24277a1501ff6196a83366f4e6362bc0ff2b247f68a972989b094b2da4fb3607fcf611a22dd04310d28c75039d\"], 0x126)\n\nIn resp_readcap16() we get \"int alloc_len\" value -1104926854, and then pass\nthe huge arr_len to fill_from_dev_buffer(), but arr is only 32 bytes. This\nleads to OOB in sg_copy_buffer().\n\nTo solve this issue, define alloc_len as u32."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "3e20cb072679",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "5b8bed6464ad",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "4e3ace0051e7",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.10.82",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.5",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.16",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/3e20cb072679bdb47747ccc8bee3233a4cf0765a"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/5b8bed6464ad6653586e30df046185fd816ad999"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/4e3ace0051e7e504b55d239daab8789dd89b863c"
+ }
+ ],
+ "title": "scsi: scsi_debug: Fix out-of-bound read in resp_readcap16()",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47191",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
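Review bot: This record carries no introducing version: the git ranges start at `1da177e4c3f4`, which as far as I know is the first commit of the kernel git history, and the second `affected` entry has `defaultStatus` `affected` with only 5.10.82, 5.15.5 and 5.16 marked unaffected. Consumers will therefore treat every older kernel as vulnerable, including stable series with no fix listed here; the .mbox hunk for CVE-2021-47191 shows the same gap as bare `Fixed in` lines. If the introducing commit cannot be identified, the announcement should say so, e.g. `Introducing commit not identified; all releases before the fixed versions are treated as affected`. The fault is in `drivers/scsi/scsi_debug.c`, presumably a test-only driver, so exposure depends on whether that module is built and loadable on the host, which is worth stating for triage.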
diff --git a/cve/published/2021/CVE-2021-47191.mbox b/cve/published/2021/CVE-2021-47191.mbox
new file mode 100644
index 00000000..88724db4
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47191.mbox
@@ -0,0 +1,110 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47191: scsi: scsi_debug: Fix out-of-bound read in resp_readcap16()
+Message-Id: <2024041034-CVE-2021-47191-ec4f@gregkh>
+Content-Length: 3965
+Lines: 93
+X-Developer-Signature: v=1; a=openpgp-sha256; l=4059;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=7kRttD7ugJrANpnK6wh2jnQdsU82vHerSeh9O5fGidQ=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGliD+UPTm7kF1rieWZn6dcrHbN3L/VKLG58+S3RPc71H
+ 2PepcN7O2JZGASZGGTFFFm+bOM5ur/ikKKXoe1pmDmsTCBDGLg4BWAix68xzDPbvjCOgeHR4Vfs
+ 74xVtDSZBcOffmGYn/HPZNbdCp28SwLf1Nf6bVtZxZMwEQA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+scsi: scsi_debug: Fix out-of-bound read in resp_readcap16()
+
+The following warning was observed running syzkaller:
+
+[ 3813.830724] sg_write: data in/out 65466/242 bytes for SCSI command 0x9e-- guessing data in;
+[ 3813.830724] program syz-executor not setting count and/or reply_len properly
+[ 3813.836956] ==================================================================
+[ 3813.839465] BUG: KASAN: stack-out-of-bounds in sg_copy_buffer+0x157/0x1e0
+[ 3813.841773] Read of size 4096 at addr ffff8883cf80f540 by task syz-executor/1549
+[ 3813.846612] Call Trace:
+[ 3813.846995] dump_stack+0x108/0x15f
+[ 3813.847524] print_address_description+0xa5/0x372
+[ 3813.848243] kasan_report.cold+0x236/0x2a8
+[ 3813.849439] check_memory_region+0x240/0x270
+[ 3813.850094] memcpy+0x30/0x80
+[ 3813.850553] sg_copy_buffer+0x157/0x1e0
+[ 3813.853032] sg_copy_from_buffer+0x13/0x20
+[ 3813.853660] fill_from_dev_buffer+0x135/0x370
+[ 3813.854329] resp_readcap16+0x1ac/0x280
+[ 3813.856917] schedule_resp+0x41f/0x1630
+[ 3813.858203] scsi_debug_queuecommand+0xb32/0x17e0
+[ 3813.862699] scsi_dispatch_cmd+0x330/0x950
+[ 3813.863329] scsi_request_fn+0xd8e/0x1710
+[ 3813.863946] __blk_run_queue+0x10b/0x230
+[ 3813.864544] blk_execute_rq_nowait+0x1d8/0x400
+[ 3813.865220] sg_common_write.isra.0+0xe61/0x2420
+[ 3813.871637] sg_write+0x6c8/0xef0
+[ 3813.878853] __vfs_write+0xe4/0x800
+[ 3813.883487] vfs_write+0x17b/0x530
+[ 3813.884008] ksys_write+0x103/0x270
+[ 3813.886268] __x64_sys_write+0x77/0xc0
+[ 3813.886841] do_syscall_64+0x106/0x360
+[ 3813.887415] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+This issue can be reproduced with the following syzkaller log:
+
+r0 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x26e1, 0x0)
+r1 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000000)='fd/3\x00')
+open_by_handle_at(r1, &(0x7f00000003c0)=ANY=[@ANYRESHEX], 0x602000)
+r2 = syz_open_dev$sg(&(0x7f0000000000), 0x0, 0x40782)
+write$binfmt_aout(r2, &(0x7f0000000340)=ANY=[@ANYBLOB="00000000deff000000000000000000000000000000000000000000000000000047f007af9e107a41ec395f1bded7be24277a1501ff6196a83366f4e6362bc0ff2b247f68a972989b094b2da4fb3607fcf611a22dd04310d28c75039d"], 0x126)
+
+In resp_readcap16() we get "int alloc_len" value -1104926854, and then pass
+the huge arr_len to fill_from_dev_buffer(), but arr is only 32 bytes. This
+leads to OOB in sg_copy_buffer().
+
+To solve this issue, define alloc_len as u32.
+
+The Linux kernel CVE team has assigned CVE-2021-47191 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 5.10.82 with commit 3e20cb072679
+ Fixed in 5.15.5 with commit 5b8bed6464ad
+ Fixed in 5.16 with commit 4e3ace0051e7
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47191
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/scsi/scsi_debug.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/3e20cb072679bdb47747ccc8bee3233a4cf0765a
+ https://git.kernel.org/stable/c/5b8bed6464ad6653586e30df046185fd816ad999
+ https://git.kernel.org/stable/c/4e3ace0051e7e504b55d239daab8789dd89b863c
diff --git a/cve/published/2021/CVE-2021-47191.sha1 b/cve/published/2021/CVE-2021-47191.sha1
new file mode 100644
index 00000000..c9968940
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47191.sha1
@@ -0,0 +1 @@
+4e3ace0051e7e504b55d239daab8789dd89b863c
diff --git a/cve/reserved/2021/CVE-2021-47192 b/cve/published/2021/CVE-2021-47192
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47192
+++ b/cve/published/2021/CVE-2021-47192
diff --git a/cve/published/2021/CVE-2021-47192.json b/cve/published/2021/CVE-2021-47192.json
new file mode 100644
index 00000000..ba50ccbd
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47192.json
@@ -0,0 +1,118 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: sysfs: Fix hang when device state is set via sysfs\n\nThis fixes a regression added with:\n\ncommit f0f82e2476f6 (\"scsi: core: Fix capacity set to zero after\nofflinining device\")\n\nThe problem is that after iSCSI recovery, iscsid will call into the kernel\nto set the dev's state to running, and with that patch we now call\nscsi_rescan_device() with the state_mutex held. If the SCSI error handler\nthread is just starting to test the device in scsi_send_eh_cmnd() then it's\ngoing to try to grab the state_mutex.\n\nWe are then stuck, because when scsi_rescan_device() tries to send its I/O\nscsi_queue_rq() calls -> scsi_host_queue_ready() -> scsi_host_in_recovery()\nwhich will return true (the host state is still in recovery) and I/O will\njust be requeued. scsi_send_eh_cmnd() will then never be able to grab the\nstate_mutex to finish error handling.\n\nTo prevent the deadlock move the rescan-related code to after we drop the\nstate_mutex.\n\nThis also adds a check for if we are already in the running state. This\nprevents extra scans and helps the iscsid case where if the transport class\nhas already onlined the device during its recovery process then we don't\nneed userspace to do it again plus possibly block that daemon."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "69aa1a1a569f",
+ "lessThan": "edd783162bf2",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "711459514e29",
+ "lessThan": "a792e0128d23",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "f0f82e2476f6",
+ "lessThan": "bcc0e3175a97",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "f0f82e2476f6",
+ "lessThan": "4edd8cd4e86d",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.14",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.14",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.162",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.82",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.5",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.16",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/edd783162bf2385b43de6764f2d4c6e9f4f6be27"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/a792e0128d232251edb5fdf42fb0f9fbb0b44a73"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/bcc0e3175a976b7fa9a353960808adb0bb49ead8"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/4edd8cd4e86dd3047e5294bbefcc0a08f66a430f"
+ }
+ ],
+ "title": "scsi: core: sysfs: Fix hang when device state is set via sysfs",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47192",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
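Review bot: The release-number `versions` list in CVE-2021-47192.json marks everything below 5.14 as unaffected (`"version": "0", "lessThan": "5.14", "status": "unaffected"`), yet the .mbox added in the same commit says the regression was also introduced by backports in 5.4.143, 5.10.61 and 5.13.13. A consumer that matches on release numbers rather than git ids would likely treat 5.4.143–5.4.161, 5.10.61–5.10.81 and 5.13.13 onward as not affected; the 5.13.13 commit c6751ce1a2a4 is also absent from the git-range list. I would add an explicit affected range per backported branch, for example `{"version": "5.4.143", "lessThan": "5.4.162", "status": "affected", "versionType": "custom"}`, plus an entry for the 5.13 branch, which has no fix listed. CVE-2021-47195.json has the same gap for the 5.14.15 backport (commit 722ef19a161c) named in its .mbox.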
diff --git a/cve/published/2021/CVE-2021-47192.mbox b/cve/published/2021/CVE-2021-47192.mbox
new file mode 100644
index 00000000..64e33e09
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47192.mbox
@@ -0,0 +1,92 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47192: scsi: core: sysfs: Fix hang when device state is set via sysfs
+Message-Id: <2024041035-CVE-2021-47192-3d45@gregkh>
+Content-Length: 3177
+Lines: 75
+X-Developer-Signature: v=1; a=openpgp-sha256; l=3253;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=Iq0/+3TNkPSVs5t2S3+pNmfAF5hc6QXM5sR8D5n17NM=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGliD+Undj+xtJKcNPuvWNDjG0zzplRLHnDeNr/6/xK5x
+ 9+nVotXdcSyMAgyMciKKbJ82cZzdH/FIUUvQ9vTMHNYmUCGMHBxCsBEVLcyzNPJjHzbEHw9coPH
+ gyshB3TmM81kv8Uw38lbePOTifKCG/+uYPE+Yn9g6XmNRQA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+scsi: core: sysfs: Fix hang when device state is set via sysfs
+
+This fixes a regression added with:
+
+commit f0f82e2476f6 ("scsi: core: Fix capacity set to zero after
+offlinining device")
+
+The problem is that after iSCSI recovery, iscsid will call into the kernel
+to set the dev's state to running, and with that patch we now call
+scsi_rescan_device() with the state_mutex held. If the SCSI error handler
+thread is just starting to test the device in scsi_send_eh_cmnd() then it's
+going to try to grab the state_mutex.
+
+We are then stuck, because when scsi_rescan_device() tries to send its I/O
+scsi_queue_rq() calls -> scsi_host_queue_ready() -> scsi_host_in_recovery()
+which will return true (the host state is still in recovery) and I/O will
+just be requeued. scsi_send_eh_cmnd() will then never be able to grab the
+state_mutex to finish error handling.
+
+To prevent the deadlock move the rescan-related code to after we drop the
+state_mutex.
+
+This also adds a check for if we are already in the running state. This
+prevents extra scans and helps the iscsid case where if the transport class
+has already onlined the device during its recovery process then we don't
+need userspace to do it again plus possibly block that daemon.
+
+The Linux kernel CVE team has assigned CVE-2021-47192 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.4.143 with commit 69aa1a1a569f and fixed in 5.4.162 with commit edd783162bf2
+ Issue introduced in 5.10.61 with commit 711459514e29 and fixed in 5.10.82 with commit a792e0128d23
+ Issue introduced in 5.14 with commit f0f82e2476f6 and fixed in 5.15.5 with commit bcc0e3175a97
+ Issue introduced in 5.14 with commit f0f82e2476f6 and fixed in 5.16 with commit 4edd8cd4e86d
+ Issue introduced in 5.13.13 with commit c6751ce1a2a4
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47192
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/scsi/scsi_sysfs.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/edd783162bf2385b43de6764f2d4c6e9f4f6be27
+ https://git.kernel.org/stable/c/a792e0128d232251edb5fdf42fb0f9fbb0b44a73
+ https://git.kernel.org/stable/c/bcc0e3175a976b7fa9a353960808adb0bb49ead8
+ https://git.kernel.org/stable/c/4edd8cd4e86dd3047e5294bbefcc0a08f66a430f
diff --git a/cve/published/2021/CVE-2021-47192.sha1 b/cve/published/2021/CVE-2021-47192.sha1
new file mode 100644
index 00000000..fb54e8ef
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47192.sha1
@@ -0,0 +1 @@
+4edd8cd4e86dd3047e5294bbefcc0a08f66a430f
diff --git a/cve/reserved/2021/CVE-2021-47193 b/cve/published/2021/CVE-2021-47193
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47193
+++ b/cve/published/2021/CVE-2021-47193
diff --git a/cve/published/2021/CVE-2021-47193.json b/cve/published/2021/CVE-2021-47193.json
new file mode 100644
index 00000000..ebb38a5d
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47193.json
@@ -0,0 +1,78 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: pm80xx: Fix memory leak during rmmod\n\nDriver failed to release all memory allocated. This would lead to memory\nleak during driver removal.\n\nProperly free memory when the module is removed."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "269a4311b15f",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "51e6ed83bb4a",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.15.5",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.16",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/269a4311b15f68d24e816f43f123888f241ed13d"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/51e6ed83bb4ade7c360551fa4ae55c4eacea354b"
+ }
+ ],
+ "title": "scsi: pm80xx: Fix memory leak during rmmod",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47193",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2021/CVE-2021-47193.mbox b/cve/published/2021/CVE-2021-47193.mbox
new file mode 100644
index 00000000..df9ecbdc
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47193.mbox
@@ -0,0 +1,68 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47193: scsi: pm80xx: Fix memory leak during rmmod
+Message-Id: <2024041035-CVE-2021-47193-c4b0@gregkh>
+Content-Length: 1675
+Lines: 51
+X-Developer-Signature: v=1; a=openpgp-sha256; l=1727;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=qhLXcdNYmkTZld4lwt2I+LweZm3P/ko5psDY9iPnAio=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGliD+Xb8zcxrl8VWXmpXa6/4rnF2ty0V3829V9hzLqQl
+ qBx6WRJRywLgyATg6yYIsuXbTxH91ccUvQytD0NM4eVCWQIAxenAEzkcT/D/NK91yw6/y7boPFv
+ 5TUdzWoXx1lXEhjmZ7uFH+rsYjvPtPfROoVvIlNcZfT9AA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+scsi: pm80xx: Fix memory leak during rmmod
+
+Driver failed to release all memory allocated. This would lead to memory
+leak during driver removal.
+
+Properly free memory when the module is removed.
+
+The Linux kernel CVE team has assigned CVE-2021-47193 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 5.15.5 with commit 269a4311b15f
+ Fixed in 5.16 with commit 51e6ed83bb4a
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47193
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/scsi/pm8001/pm8001_init.c
+ drivers/scsi/pm8001/pm8001_sas.h
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/269a4311b15f68d24e816f43f123888f241ed13d
+ https://git.kernel.org/stable/c/51e6ed83bb4ade7c360551fa4ae55c4eacea354b
diff --git a/cve/published/2021/CVE-2021-47193.sha1 b/cve/published/2021/CVE-2021-47193.sha1
new file mode 100644
index 00000000..1872ffd0
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47193.sha1
@@ -0,0 +1 @@
+51e6ed83bb4ade7c360551fa4ae55c4eacea354b
diff --git a/cve/reserved/2021/CVE-2021-47194 b/cve/published/2021/CVE-2021-47194
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47194
+++ b/cve/published/2021/CVE-2021-47194
diff --git a/cve/published/2021/CVE-2021-47194.json b/cve/published/2021/CVE-2021-47194.json
new file mode 100644
index 00000000..6bfca553
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47194.json
@@ -0,0 +1,178 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncfg80211: call cfg80211_stop_ap when switch from P2P_GO type\n\nIf the userspace tools switch from NL80211_IFTYPE_P2P_GO to\nNL80211_IFTYPE_ADHOC via send_msg(NL80211_CMD_SET_INTERFACE), it\ndoes not call the cleanup cfg80211_stop_ap(), this leads to the\ninitialization of in-use data. For example, this path re-init the\nsdata->assigned_chanctx_list while it is still an element of\nassigned_vifs list, and makes that linked list corrupt."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "ac800140c20e",
+ "lessThan": "8f06bb8c216b",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "ac800140c20e",
+ "lessThan": "0738cdb636c2",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "ac800140c20e",
+ "lessThan": "4e458abbb4a5",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "ac800140c20e",
+ "lessThan": "b8a045e2a9b2",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "ac800140c20e",
+ "lessThan": "52affc201fc2",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "ac800140c20e",
+ "lessThan": "7b97b5776daa",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "ac800140c20e",
+ "lessThan": "5a9b671c8d74",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "ac800140c20e",
+ "lessThan": "563fbefed46a",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "3.6",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "3.6",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.4.293",
+ "lessThanOrEqual": "4.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.9.291",
+ "lessThanOrEqual": "4.9.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.14.256",
+ "lessThanOrEqual": "4.14.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.19.218",
+ "lessThanOrEqual": "4.19.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.162",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.82",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.5",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.16",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/8f06bb8c216bcd172394f61e557727e691b4cb24"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/0738cdb636c21ab552eaecf905efa4a6070e3ebc"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/4e458abbb4a523f1413bfe15c079cf4e24c15b21"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/b8a045e2a9b234cfbc06cf36923886164358ddec"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/52affc201fc22a1ab9a59ef0ed641a9adfcb8d13"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/7b97b5776daa0b39dbdadfea176f9cc0646d4a66"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/5a9b671c8d74a3e1b999e7a0c7f366079bcc93dd"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/563fbefed46ae4c1f70cffb8eb54c02df480b2c2"
+ }
+ ],
+ "title": "cfg80211: call cfg80211_stop_ap when switch from P2P_GO type",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47194",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2021/CVE-2021-47194.mbox b/cve/published/2021/CVE-2021-47194.mbox
new file mode 100644
index 00000000..dc528800
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47194.mbox
@@ -0,0 +1,81 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47194: cfg80211: call cfg80211_stop_ap when switch from P2P_GO type
+Message-Id: <2024041035-CVE-2021-47194-51cd@gregkh>
+Content-Length: 2994
+Lines: 64
+X-Developer-Signature: v=1; a=openpgp-sha256; l=3059;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=Eg4fp9cQrTV4/Wepx9Y165PNraYZKw/bs0PdOiNinCw=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGliD+WblvA8MKjOyUkuV5U+vayQqVvll8vkvXcMrs9RS
+ Pt2JPNjRywLgyATg6yYIsuXbTxH91ccUvQytD0NM4eVCWQIAxenAEzk0SmG+Qlh5800bi+J4i3Y
+ uO9fXyuv6ZU7XgwLdtea698W1Q9jiQw9s6D2vMqNBVZHAQ==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+cfg80211: call cfg80211_stop_ap when switch from P2P_GO type
+
+If the userspace tools switch from NL80211_IFTYPE_P2P_GO to
+NL80211_IFTYPE_ADHOC via send_msg(NL80211_CMD_SET_INTERFACE), it
+does not call the cleanup cfg80211_stop_ap(), this leads to the
+initialization of in-use data. For example, this path re-init the
+sdata->assigned_chanctx_list while it is still an element of
+assigned_vifs list, and makes that linked list corrupt.
+
+The Linux kernel CVE team has assigned CVE-2021-47194 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 3.6 with commit ac800140c20e and fixed in 4.4.293 with commit 8f06bb8c216b
+ Issue introduced in 3.6 with commit ac800140c20e and fixed in 4.9.291 with commit 0738cdb636c2
+ Issue introduced in 3.6 with commit ac800140c20e and fixed in 4.14.256 with commit 4e458abbb4a5
+ Issue introduced in 3.6 with commit ac800140c20e and fixed in 4.19.218 with commit b8a045e2a9b2
+ Issue introduced in 3.6 with commit ac800140c20e and fixed in 5.4.162 with commit 52affc201fc2
+ Issue introduced in 3.6 with commit ac800140c20e and fixed in 5.10.82 with commit 7b97b5776daa
+ Issue introduced in 3.6 with commit ac800140c20e and fixed in 5.15.5 with commit 5a9b671c8d74
+ Issue introduced in 3.6 with commit ac800140c20e and fixed in 5.16 with commit 563fbefed46a
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47194
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ net/wireless/util.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/8f06bb8c216bcd172394f61e557727e691b4cb24
+ https://git.kernel.org/stable/c/0738cdb636c21ab552eaecf905efa4a6070e3ebc
+ https://git.kernel.org/stable/c/4e458abbb4a523f1413bfe15c079cf4e24c15b21
+ https://git.kernel.org/stable/c/b8a045e2a9b234cfbc06cf36923886164358ddec
+ https://git.kernel.org/stable/c/52affc201fc22a1ab9a59ef0ed641a9adfcb8d13
+ https://git.kernel.org/stable/c/7b97b5776daa0b39dbdadfea176f9cc0646d4a66
+ https://git.kernel.org/stable/c/5a9b671c8d74a3e1b999e7a0c7f366079bcc93dd
+ https://git.kernel.org/stable/c/563fbefed46ae4c1f70cffb8eb54c02df480b2c2
diff --git a/cve/published/2021/CVE-2021-47194.sha1 b/cve/published/2021/CVE-2021-47194.sha1
new file mode 100644
index 00000000..1122e889
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47194.sha1
@@ -0,0 +1 @@
+563fbefed46ae4c1f70cffb8eb54c02df480b2c2
diff --git a/cve/reserved/2021/CVE-2021-47195 b/cve/published/2021/CVE-2021-47195
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47195
+++ b/cve/published/2021/CVE-2021-47195
diff --git a/cve/published/2021/CVE-2021-47195.json b/cve/published/2021/CVE-2021-47195.json
new file mode 100644
index 00000000..0d006911
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47195.json
@@ -0,0 +1,88 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: fix use-after-free of the add_lock mutex\n\nCommit 6098475d4cb4 (\"spi: Fix deadlock when adding SPI controllers on\nSPI buses\") introduced a per-controller mutex. But mutex_unlock() of\nsaid lock is called after the controller is already freed:\n\n spi_unregister_controller(ctlr)\n -> put_device(&ctlr->dev)\n -> spi_controller_release(dev)\n -> mutex_unlock(&ctrl->add_lock)\n\nMove the put_device() after the mutex_unlock()."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6098475d4cb4",
+ "lessThan": "37330f37f666",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "6098475d4cb4",
+ "lessThan": "6c53b45c71b4",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.15",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.15",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.5",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.16",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/37330f37f6666c7739a44b2b6b95b047ccdbed2d"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/6c53b45c71b4920b5e62f0ea8079a1da382b9434"
+ }
+ ],
+ "title": "spi: fix use-after-free of the add_lock mutex",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47195",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2021/CVE-2021-47195.mbox b/cve/published/2021/CVE-2021-47195.mbox
new file mode 100644
index 00000000..4050c0fd
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47195.mbox
@@ -0,0 +1,74 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47195: spi: fix use-after-free of the add_lock mutex
+Message-Id: <2024041035-CVE-2021-47195-38e8@gregkh>
+Content-Length: 2020
+Lines: 57
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2078;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=rOIc4NhlrVk3UGZxb1Zia6+9TjoWpaWPGz7ib2hWLKE=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGliD+Vtds2w/1okZdNx87yDgM6ut9FRytJNWcp5QudYj
+ k2XmPa6I5aFQZCJQVZMkeXLNp6j+ysOKXoZ2p6GmcPKBDKEgYtTACZSasIwPyyCawbr4o96u3KF
+ lXjOvYhJiBc0YJgredMr7sXLHc8nhV025xO+lVSj0qIAAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+spi: fix use-after-free of the add_lock mutex
+
+Commit 6098475d4cb4 ("spi: Fix deadlock when adding SPI controllers on
+SPI buses") introduced a per-controller mutex. But mutex_unlock() of
+said lock is called after the controller is already freed:
+
+ spi_unregister_controller(ctlr)
+ -> put_device(&ctlr->dev)
+ -> spi_controller_release(dev)
+ -> mutex_unlock(&ctrl->add_lock)
+
+Move the put_device() after the mutex_unlock().
+
+The Linux kernel CVE team has assigned CVE-2021-47195 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.15 with commit 6098475d4cb4 and fixed in 5.15.5 with commit 37330f37f666
+ Issue introduced in 5.15 with commit 6098475d4cb4 and fixed in 5.16 with commit 6c53b45c71b4
+ Issue introduced in 5.14.15 with commit 722ef19a161c
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47195
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/spi/spi.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/37330f37f6666c7739a44b2b6b95b047ccdbed2d
+ https://git.kernel.org/stable/c/6c53b45c71b4920b5e62f0ea8079a1da382b9434
diff --git a/cve/published/2021/CVE-2021-47195.sha1 b/cve/published/2021/CVE-2021-47195.sha1
new file mode 100644
index 00000000..11305dd0
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47195.sha1
@@ -0,0 +1 @@
+6c53b45c71b4920b5e62f0ea8079a1da382b9434
diff --git a/cve/reserved/2021/CVE-2021-47196 b/cve/published/2021/CVE-2021-47196
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47196
+++ b/cve/published/2021/CVE-2021-47196
diff --git a/cve/published/2021/CVE-2021-47196.json b/cve/published/2021/CVE-2021-47196.json
new file mode 100644
index 00000000..1c3b2b0f
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47196.json
@@ -0,0 +1,88 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/core: Set send and receive CQ before forwarding to the driver\n\nPreset both receive and send CQ pointers prior to call to the drivers and\noverwrite it later again till the mlx4 is going to be changed do not\noverwrite ibqp properties.\n\nThis change is needed for mlx5, because in case of QP creation failure, it\nwill go to the path of QP destroy which relies on proper CQ pointers.\n\n BUG: KASAN: use-after-free in create_qp.cold+0x164/0x16e [mlx5_ib]\n Write of size 8 at addr ffff8880064c55c0 by task a.out/246\n\n CPU: 0 PID: 246 Comm: a.out Not tainted 5.15.0+ #291\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n Call Trace:\n dump_stack_lvl+0x45/0x59\n print_address_description.constprop.0+0x1f/0x140\n kasan_report.cold+0x83/0xdf\n create_qp.cold+0x164/0x16e [mlx5_ib]\n mlx5_ib_create_qp+0x358/0x28a0 [mlx5_ib]\n create_qp.part.0+0x45b/0x6a0 [ib_core]\n ib_create_qp_user+0x97/0x150 [ib_core]\n ib_uverbs_handler_UVERBS_METHOD_QP_CREATE+0x92c/0x1250 [ib_uverbs]\n ib_uverbs_cmd_verbs+0x1c38/0x3150 [ib_uverbs]\n ib_uverbs_ioctl+0x169/0x260 [ib_uverbs]\n __x64_sys_ioctl+0x866/0x14d0\n do_syscall_64+0x3d/0x90\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n Allocated by task 246:\n kasan_save_stack+0x1b/0x40\n __kasan_kmalloc+0xa4/0xd0\n create_qp.part.0+0x92/0x6a0 [ib_core]\n ib_create_qp_user+0x97/0x150 [ib_core]\n ib_uverbs_handler_UVERBS_METHOD_QP_CREATE+0x92c/0x1250 [ib_uverbs]\n ib_uverbs_cmd_verbs+0x1c38/0x3150 [ib_uverbs]\n ib_uverbs_ioctl+0x169/0x260 [ib_uverbs]\n __x64_sys_ioctl+0x866/0x14d0\n do_syscall_64+0x3d/0x90\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n Freed by task 246:\n kasan_save_stack+0x1b/0x40\n kasan_set_track+0x1c/0x30\n kasan_set_free_info+0x20/0x30\n __kasan_slab_free+0x10c/0x150\n slab_free_freelist_hook+0xb4/0x1b0\n kfree+0xe7/0x2a0\n create_qp.part.0+0x52b/0x6a0 [ib_core]\n 
ib_create_qp_user+0x97/0x150 [ib_core]\n ib_uverbs_handler_UVERBS_METHOD_QP_CREATE+0x92c/0x1250 [ib_uverbs]\n ib_uverbs_cmd_verbs+0x1c38/0x3150 [ib_uverbs]\n ib_uverbs_ioctl+0x169/0x260 [ib_uverbs]\n __x64_sys_ioctl+0x866/0x14d0\n do_syscall_64+0x3d/0x90\n entry_SYSCALL_64_after_hwframe+0x44/0xae"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "514aee660df4",
+ "lessThan": "b70e072feffa",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "514aee660df4",
+ "lessThan": "6cd7397d01c4",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.15",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.15",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.5",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.16",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/b70e072feffa0ba5c41a99b9524b9878dee7748e"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/6cd7397d01c4a3e09757840299e4f114f0aa5fa0"
+ }
+ ],
+ "title": "RDMA/core: Set send and receive CQ before forwarding to the driver",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47196",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2021/CVE-2021-47196.mbox b/cve/published/2021/CVE-2021-47196.mbox
new file mode 100644
index 00000000..9b74bb01
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47196.mbox
@@ -0,0 +1,117 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47196: RDMA/core: Set send and receive CQ before forwarding to the driver
+Message-Id: <2024041036-CVE-2021-47196-d1b8@gregkh>
+Content-Length: 3739
+Lines: 100
+X-Developer-Signature: v=1; a=openpgp-sha256; l=3840;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=l7lgLVdJyHrSf6SeaR9ky7JqkBAG4SSnECyEIfJKa2s=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGliDxVUtwjfDV3s7LOZxayu8amyxAHjzCkWVy2u9zK2G
+ 7yU/tHSEcvCIMjEICumyPJlG8/R/RWHFL0MbU/DzGFlAhnCwMUpABOpjWaYK/CmXv5KndB2/Va7
+ XpcrK2Ij6mX3MCxo2c+qV8SndeNI4ZqWbzdjFiULxmcDAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+RDMA/core: Set send and receive CQ before forwarding to the driver
+
+Preset both receive and send CQ pointers prior to call to the drivers and
+overwrite it later again till the mlx4 is going to be changed do not
+overwrite ibqp properties.
+
+This change is needed for mlx5, because in case of QP creation failure, it
+will go to the path of QP destroy which relies on proper CQ pointers.
+
+ BUG: KASAN: use-after-free in create_qp.cold+0x164/0x16e [mlx5_ib]
+ Write of size 8 at addr ffff8880064c55c0 by task a.out/246
+
+ CPU: 0 PID: 246 Comm: a.out Not tainted 5.15.0+ #291
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
+ Call Trace:
+ dump_stack_lvl+0x45/0x59
+ print_address_description.constprop.0+0x1f/0x140
+ kasan_report.cold+0x83/0xdf
+ create_qp.cold+0x164/0x16e [mlx5_ib]
+ mlx5_ib_create_qp+0x358/0x28a0 [mlx5_ib]
+ create_qp.part.0+0x45b/0x6a0 [ib_core]
+ ib_create_qp_user+0x97/0x150 [ib_core]
+ ib_uverbs_handler_UVERBS_METHOD_QP_CREATE+0x92c/0x1250 [ib_uverbs]
+ ib_uverbs_cmd_verbs+0x1c38/0x3150 [ib_uverbs]
+ ib_uverbs_ioctl+0x169/0x260 [ib_uverbs]
+ __x64_sys_ioctl+0x866/0x14d0
+ do_syscall_64+0x3d/0x90
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+ Allocated by task 246:
+ kasan_save_stack+0x1b/0x40
+ __kasan_kmalloc+0xa4/0xd0
+ create_qp.part.0+0x92/0x6a0 [ib_core]
+ ib_create_qp_user+0x97/0x150 [ib_core]
+ ib_uverbs_handler_UVERBS_METHOD_QP_CREATE+0x92c/0x1250 [ib_uverbs]
+ ib_uverbs_cmd_verbs+0x1c38/0x3150 [ib_uverbs]
+ ib_uverbs_ioctl+0x169/0x260 [ib_uverbs]
+ __x64_sys_ioctl+0x866/0x14d0
+ do_syscall_64+0x3d/0x90
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+ Freed by task 246:
+ kasan_save_stack+0x1b/0x40
+ kasan_set_track+0x1c/0x30
+ kasan_set_free_info+0x20/0x30
+ __kasan_slab_free+0x10c/0x150
+ slab_free_freelist_hook+0xb4/0x1b0
+ kfree+0xe7/0x2a0
+ create_qp.part.0+0x52b/0x6a0 [ib_core]
+ ib_create_qp_user+0x97/0x150 [ib_core]
+ ib_uverbs_handler_UVERBS_METHOD_QP_CREATE+0x92c/0x1250 [ib_uverbs]
+ ib_uverbs_cmd_verbs+0x1c38/0x3150 [ib_uverbs]
+ ib_uverbs_ioctl+0x169/0x260 [ib_uverbs]
+ __x64_sys_ioctl+0x866/0x14d0
+ do_syscall_64+0x3d/0x90
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+The Linux kernel CVE team has assigned CVE-2021-47196 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.15 with commit 514aee660df4 and fixed in 5.15.5 with commit b70e072feffa
+ Issue introduced in 5.15 with commit 514aee660df4 and fixed in 5.16 with commit 6cd7397d01c4
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47196
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/infiniband/core/verbs.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/b70e072feffa0ba5c41a99b9524b9878dee7748e
+ https://git.kernel.org/stable/c/6cd7397d01c4a3e09757840299e4f114f0aa5fa0
diff --git a/cve/published/2021/CVE-2021-47196.sha1 b/cve/published/2021/CVE-2021-47196.sha1
new file mode 100644
index 00000000..8504f3ff
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47196.sha1
@@ -0,0 +1 @@
+6cd7397d01c4a3e09757840299e4f114f0aa5fa0
diff --git a/cve/reserved/2021/CVE-2021-47197 b/cve/published/2021/CVE-2021-47197
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47197
+++ b/cve/published/2021/CVE-2021-47197
diff --git a/cve/published/2021/CVE-2021-47197.json b/cve/published/2021/CVE-2021-47197.json
new file mode 100644
index 00000000..cd99dae8
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47197.json
@@ -0,0 +1,103 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: nullify cq->dbg pointer in mlx5_debug_cq_remove()\n\nPrior to this patch in case mlx5_core_destroy_cq() failed it proceeds\nto rest of destroy operations. mlx5_core_destroy_cq() could be called again\nby user and cause additional call of mlx5_debug_cq_remove().\ncq->dbg was not nullify in previous call and cause the crash.\n\nFix it by nullify cq->dbg pointer after removal.\n\nAlso proceed to destroy operations only if FW return 0\nfor MLX5_CMD_OP_DESTROY_CQ command.\n\ngeneral protection fault, probably for non-canonical address 0x2000300004058: 0000 [#1] SMP PTI\nCPU: 5 PID: 1228 Comm: python Not tainted 5.15.0-rc5_for_upstream_min_debug_2021_10_14_11_06 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nRIP: 0010:lockref_get+0x1/0x60\nCode: 5d e9 53 ff ff ff 48 8d 7f 70 e8 0a 2e 48 00 c7 85 d0 00 00 00 02\n00 00 00 c6 45 70 00 fb 5d c3 c3 cc cc cc cc cc cc cc cc 53 <48> 8b 17\n48 89 fb 85 d2 75 3d 48 89 d0 bf 64 00 00 00 48 89 c1 48\nRSP: 0018:ffff888137dd7a38 EFLAGS: 00010206\nRAX: 0000000000000000 RBX: ffff888107d5f458 RCX: 00000000fffffffe\nRDX: 000000000002c2b0 RSI: ffffffff8155e2e0 RDI: 0002000300004058\nRBP: ffff888137dd7a88 R08: 0002000300004058 R09: ffff8881144a9f88\nR10: 0000000000000000 R11: 0000000000000000 R12: ffff8881141d4000\nR13: ffff888137dd7c68 R14: ffff888137dd7d58 R15: ffff888137dd7cc0\nFS: 00007f4644f2a4c0(0000) GS:ffff8887a2d40000(0000)\nknlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000055b4500f4380 CR3: 0000000114f7a003 CR4: 0000000000170ea0\nCall Trace:\n simple_recursive_removal+0x33/0x2e0\n ? debugfs_remove+0x60/0x60\n debugfs_remove+0x40/0x60\n mlx5_debug_cq_remove+0x32/0x70 [mlx5_core]\n mlx5_core_destroy_cq+0x41/0x1d0 [mlx5_core]\n devx_obj_cleanup+0x151/0x330 [mlx5_ib]\n ? __pollwait+0xd0/0xd0\n ? xas_load+0x5/0x70\n ? 
xa_load+0x62/0xa0\n destroy_hw_idr_uobject+0x20/0x80 [ib_uverbs]\n uverbs_destroy_uobject+0x3b/0x360 [ib_uverbs]\n uobj_destroy+0x54/0xa0 [ib_uverbs]\n ib_uverbs_cmd_verbs+0xaf2/0x1160 [ib_uverbs]\n ? uverbs_finalize_object+0xd0/0xd0 [ib_uverbs]\n ib_uverbs_ioctl+0xc4/0x1b0 [ib_uverbs]\n __x64_sys_ioctl+0x3e4/0x8e0"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "4f7bddf8c5c0",
+ "lessThan": "471c49289055",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "94b960b9deff",
+ "lessThan": "2ae381570806",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "94b960b9deff",
+ "lessThan": "76ded29d3fcd",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.15",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.15",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.82",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.5",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.16",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/471c492890557bd58f73314bb4ad85d5a8fd5026"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/2ae38157080616a13a9fe3f0b4b6ec0070aa408a"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/76ded29d3fcda4928da8849ffc446ea46871c1c2"
+ }
+ ],
+ "title": "net/mlx5e: nullify cq->dbg pointer in mlx5_debug_cq_remove()",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47197",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
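Review bot: The semver `versions` list marks everything below 5.15 as unaffected (`"version": "0", "lessThan": "5.15", "status": "unaffected"`), which contradicts the git-range block in the same record, where 4f7bddf8c5c0 up to 471c49289055 is affected. The accompanying CVE-2021-47197.mbox hunk says the issue was introduced in 5.10.75 and fixed in 5.10.82, and also introduced in 5.14.14 with commit ed8aafea4fec, which has no fix listed and no entry in this JSON. A scanner that matches on release versions would likely report 5.10.75 through 5.10.81 and 5.14.14 onward as clean. I would add explicit affected entries for the backport branches, for example `{"version": "5.10.75", "lessThan": "5.10.82", "status": "affected", "versionType": "custom"}`, plus one for the 5.14.y range.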
diff --git a/cve/published/2021/CVE-2021-47197.mbox b/cve/published/2021/CVE-2021-47197.mbox
new file mode 100644
index 00000000..12735418
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47197.mbox
@@ -0,0 +1,111 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47197: net/mlx5e: nullify cq->dbg pointer in mlx5_debug_cq_remove()
+Message-Id: <2024041036-CVE-2021-47197-aaec@gregkh>
+Content-Length: 4027
+Lines: 94
+X-Developer-Signature: v=1; a=openpgp-sha256; l=4122;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=5J8wg26cWSQKeaqEgEr2ommPXCjV5/EaJdU18P/+vfk=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGliDxU0LxneXqs7oaLaZhm74OyAMxaTEko3efy+kjvNc
+ y2bZr9sRywLgyATg6yYIsuXbTxH91ccUvQytD0NM4eVCWQIAxenAEyEbS3DXLEuq4DuwrimXyK+
+ 4RtjUt/kp64tZJinFT37SZrFHgYP2QnnXt05XJl03KsUAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+net/mlx5e: nullify cq->dbg pointer in mlx5_debug_cq_remove()
+
+Prior to this patch in case mlx5_core_destroy_cq() failed it proceeds
+to rest of destroy operations. mlx5_core_destroy_cq() could be called again
+by user and cause additional call of mlx5_debug_cq_remove().
+cq->dbg was not nullify in previous call and cause the crash.
+
+Fix it by nullify cq->dbg pointer after removal.
+
+Also proceed to destroy operations only if FW return 0
+for MLX5_CMD_OP_DESTROY_CQ command.
+
+general protection fault, probably for non-canonical address 0x2000300004058: 0000 [#1] SMP PTI
+CPU: 5 PID: 1228 Comm: python Not tainted 5.15.0-rc5_for_upstream_min_debug_2021_10_14_11_06 #1
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
+RIP: 0010:lockref_get+0x1/0x60
+Code: 5d e9 53 ff ff ff 48 8d 7f 70 e8 0a 2e 48 00 c7 85 d0 00 00 00 02
+00 00 00 c6 45 70 00 fb 5d c3 c3 cc cc cc cc cc cc cc cc 53 <48> 8b 17
+48 89 fb 85 d2 75 3d 48 89 d0 bf 64 00 00 00 48 89 c1 48
+RSP: 0018:ffff888137dd7a38 EFLAGS: 00010206
+RAX: 0000000000000000 RBX: ffff888107d5f458 RCX: 00000000fffffffe
+RDX: 000000000002c2b0 RSI: ffffffff8155e2e0 RDI: 0002000300004058
+RBP: ffff888137dd7a88 R08: 0002000300004058 R09: ffff8881144a9f88
+R10: 0000000000000000 R11: 0000000000000000 R12: ffff8881141d4000
+R13: ffff888137dd7c68 R14: ffff888137dd7d58 R15: ffff888137dd7cc0
+FS: 00007f4644f2a4c0(0000) GS:ffff8887a2d40000(0000)
+knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 000055b4500f4380 CR3: 0000000114f7a003 CR4: 0000000000170ea0
+Call Trace:
+ simple_recursive_removal+0x33/0x2e0
+ ? debugfs_remove+0x60/0x60
+ debugfs_remove+0x40/0x60
+ mlx5_debug_cq_remove+0x32/0x70 [mlx5_core]
+ mlx5_core_destroy_cq+0x41/0x1d0 [mlx5_core]
+ devx_obj_cleanup+0x151/0x330 [mlx5_ib]
+ ? __pollwait+0xd0/0xd0
+ ? xas_load+0x5/0x70
+ ? xa_load+0x62/0xa0
+ destroy_hw_idr_uobject+0x20/0x80 [ib_uverbs]
+ uverbs_destroy_uobject+0x3b/0x360 [ib_uverbs]
+ uobj_destroy+0x54/0xa0 [ib_uverbs]
+ ib_uverbs_cmd_verbs+0xaf2/0x1160 [ib_uverbs]
+ ? uverbs_finalize_object+0xd0/0xd0 [ib_uverbs]
+ ib_uverbs_ioctl+0xc4/0x1b0 [ib_uverbs]
+ __x64_sys_ioctl+0x3e4/0x8e0
+
+The Linux kernel CVE team has assigned CVE-2021-47197 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.10.75 with commit 4f7bddf8c5c0 and fixed in 5.10.82 with commit 471c49289055
+ Issue introduced in 5.15 with commit 94b960b9deff and fixed in 5.15.5 with commit 2ae381570806
+ Issue introduced in 5.15 with commit 94b960b9deff and fixed in 5.16 with commit 76ded29d3fcd
+ Issue introduced in 5.14.14 with commit ed8aafea4fec
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47197
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/net/ethernet/mellanox/mlx5/core/cq.c
+ drivers/net/ethernet/mellanox/mlx5/core/debugfs.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/471c492890557bd58f73314bb4ad85d5a8fd5026
+ https://git.kernel.org/stable/c/2ae38157080616a13a9fe3f0b4b6ec0070aa408a
+ https://git.kernel.org/stable/c/76ded29d3fcda4928da8849ffc446ea46871c1c2
diff --git a/cve/published/2021/CVE-2021-47197.sha1 b/cve/published/2021/CVE-2021-47197.sha1
new file mode 100644
index 00000000..881ff845
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47197.sha1
@@ -0,0 +1 @@
+76ded29d3fcda4928da8849ffc446ea46871c1c2
diff --git a/cve/reserved/2021/CVE-2021-47198 b/cve/published/2021/CVE-2021-47198
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47198
+++ b/cve/published/2021/CVE-2021-47198
diff --git a/cve/published/2021/CVE-2021-47198.json b/cve/published/2021/CVE-2021-47198.json
new file mode 100644
index 00000000..a2b1bc4f
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47198.json
@@ -0,0 +1,78 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix use-after-free in lpfc_unreg_rpi() routine\n\nAn error is detected with the following report when unloading the driver:\n \"KASAN: use-after-free in lpfc_unreg_rpi+0x1b1b\"\n\nThe NLP_REG_LOGIN_SEND nlp_flag is set in lpfc_reg_fab_ctrl_node(), but the\nflag is not cleared upon completion of the login.\n\nThis allows a second call to lpfc_unreg_rpi() to proceed with nlp_rpi set\nto LPFC_RPI_ALLOW_ERROR. This results in a use after free access when used\nas an rpi_ids array index.\n\nFix by clearing the NLP_REG_LOGIN_SEND nlp_flag in\nlpfc_mbx_cmpl_fc_reg_login()."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "dbebf865b323",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "79b20beccea3",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.15.5",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.16",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/dbebf865b3239595c1d4dba063b122862583b52a"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/79b20beccea3a3938a8500acef4e6b9d7c66142f"
+ }
+ ],
+ "title": "scsi: lpfc: Fix use-after-free in lpfc_unreg_rpi() routine",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47198",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
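Review bot: No introducing commit is recorded in this record: both git ranges start at 1da177e4c3f4, which appears to be the first commit of the kernel's git history, and the semver block has `"defaultStatus": "affected"` with only 5.15.5 and 5.16 listed as unaffected. As written, every release before 5.15.5 is reported as affected, including older stable branches that have no fix commit listed. The CVE-2021-47198.mbox hunk has the same gap (`Fixed in 5.15.5 with commit dbebf865b323`, with no "introduced in" line). If the commit that started setting NLP_REG_LOGIN_SEND in lpfc_reg_fab_ctrl_node() can be identified, replacing `"version": "1da177e4c3f4"` with it would bound the range. Until then, consumers should treat the lower bound as unknown rather than confirmed.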
diff --git a/cve/published/2021/CVE-2021-47198.mbox b/cve/published/2021/CVE-2021-47198.mbox
new file mode 100644
index 00000000..1532174e
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47198.mbox
@@ -0,0 +1,75 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47198: scsi: lpfc: Fix use-after-free in lpfc_unreg_rpi() routine
+Message-Id: <2024041036-CVE-2021-47198-2426@gregkh>
+Content-Length: 2017
+Lines: 58
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2076;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=+8/2RZtz0Exz/Zc6WTmsUaaZHuaObEIyAFDI/KnPrPY=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGliDxUmTmMOnGwftDXlYKiYhfvZwy93lPbqKq0VOVomI
+ nBTMzO+I5aFQZCJQVZMkeXLNp6j+ysOKXoZ2p6GmcPKBDKEgYtTACby7B/DgrOib43yX/R95FBu
+ 3nr6dBrblAWRHgwLJp28a6Ewu1ur4/CF9/vK74lJxbTbAAA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+scsi: lpfc: Fix use-after-free in lpfc_unreg_rpi() routine
+
+An error is detected with the following report when unloading the driver:
+ "KASAN: use-after-free in lpfc_unreg_rpi+0x1b1b"
+
+The NLP_REG_LOGIN_SEND nlp_flag is set in lpfc_reg_fab_ctrl_node(), but the
+flag is not cleared upon completion of the login.
+
+This allows a second call to lpfc_unreg_rpi() to proceed with nlp_rpi set
+to LPFC_RPI_ALLOW_ERROR. This results in a use after free access when used
+as an rpi_ids array index.
+
+Fix by clearing the NLP_REG_LOGIN_SEND nlp_flag in
+lpfc_mbx_cmpl_fc_reg_login().
+
+The Linux kernel CVE team has assigned CVE-2021-47198 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 5.15.5 with commit dbebf865b323
+ Fixed in 5.16 with commit 79b20beccea3
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47198
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/scsi/lpfc/lpfc_hbadisc.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/dbebf865b3239595c1d4dba063b122862583b52a
+ https://git.kernel.org/stable/c/79b20beccea3a3938a8500acef4e6b9d7c66142f
diff --git a/cve/published/2021/CVE-2021-47198.sha1 b/cve/published/2021/CVE-2021-47198.sha1
new file mode 100644
index 00000000..a03b2263
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47198.sha1
@@ -0,0 +1 @@
+79b20beccea3a3938a8500acef4e6b9d7c66142f
diff --git a/cve/reserved/2021/CVE-2021-47199 b/cve/published/2021/CVE-2021-47199
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47199
+++ b/cve/published/2021/CVE-2021-47199
diff --git a/cve/published/2021/CVE-2021-47199.json b/cve/published/2021/CVE-2021-47199.json
new file mode 100644
index 00000000..33b48be2
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47199.json
@@ -0,0 +1,88 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: CT, Fix multiple allocations and memleak of mod acts\n\nCT clear action offload adds additional mod hdr actions to the\nflow's original mod actions in order to clear the registers which\nhold ct_state.\nWhen such flow also includes encap action, a neigh update event\ncan cause the driver to unoffload the flow and then reoffload it.\n\nEach time this happens, the ct clear handling adds that same set\nof mod hdr actions to reset ct_state until the max of mod hdr\nactions is reached.\n\nAlso the driver never releases the allocated mod hdr actions and\ncausing a memleak.\n\nFix above two issues by moving CT clear mod acts allocation\ninto the parsing actions phase and only use it when offloading the rule.\nThe release of mod acts will be done in the normal flow_put().\n\n backtrace:\n [<000000007316e2f3>] krealloc+0x83/0xd0\n [<00000000ef157de1>] mlx5e_mod_hdr_alloc+0x147/0x300 [mlx5_core]\n [<00000000970ce4ae>] mlx5e_tc_match_to_reg_set_and_get_id+0xd7/0x240 [mlx5_core]\n [<0000000067c5fa17>] mlx5e_tc_match_to_reg_set+0xa/0x20 [mlx5_core]\n [<00000000d032eb98>] mlx5_tc_ct_entry_set_registers.isra.0+0x36/0xc0 [mlx5_core]\n [<00000000fd23b869>] mlx5_tc_ct_flow_offload+0x272/0x1f10 [mlx5_core]\n [<000000004fc24acc>] mlx5e_tc_offload_fdb_rules.part.0+0x150/0x620 [mlx5_core]\n [<00000000dc741c17>] mlx5e_tc_encap_flows_add+0x489/0x690 [mlx5_core]\n [<00000000e92e49d7>] mlx5e_rep_update_flows+0x6e4/0x9b0 [mlx5_core]\n [<00000000f60f5602>] mlx5e_rep_neigh_update+0x39a/0x5d0 [mlx5_core]"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1ef3018f5af3",
+ "lessThan": "486e8de6e233",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1ef3018f5af3",
+ "lessThan": "806401c20a0f",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.7",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.7",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.5",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.16",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/486e8de6e233ff2999493533c6259d1cb538653b"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/806401c20a0f9c51b6c8fd7035671e6ca841f6c2"
+ }
+ ],
+ "title": "net/mlx5e: CT, Fix multiple allocations and memleak of mod acts",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47199",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2021/CVE-2021-47199.mbox b/cve/published/2021/CVE-2021-47199.mbox
new file mode 100644
index 00000000..eca6bdd3
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47199.mbox
@@ -0,0 +1,93 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47199: net/mlx5e: CT, Fix multiple allocations and memleak of mod acts
+Message-Id: <2024041036-CVE-2021-47199-604a@gregkh>
+Content-Length: 3182
+Lines: 76
+X-Developer-Signature: v=1; a=openpgp-sha256; l=3259;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=JcXRi3rZH31XoS/EFndQjmhSCQgrudNz4yj3quNuLCU=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGliDxUmHIm51vrS57TWxW7ed3v+SyZXHmKT2cZw68o5q
+ YttRlG7OmJZGASZGGTFFFm+bOM5ur/ikKKXoe1pmDmsTCBDGLg4BWAiXEIMCzZwLBZ++9b1aee/
+ /nj5FsPLRfZFEgwLdnq9y67PLpz95cC8r3HTAtcE7f7bCQA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+net/mlx5e: CT, Fix multiple allocations and memleak of mod acts
+
+CT clear action offload adds additional mod hdr actions to the
+flow's original mod actions in order to clear the registers which
+hold ct_state.
+When such flow also includes encap action, a neigh update event
+can cause the driver to unoffload the flow and then reoffload it.
+
+Each time this happens, the ct clear handling adds that same set
+of mod hdr actions to reset ct_state until the max of mod hdr
+actions is reached.
+
+Also the driver never releases the allocated mod hdr actions and
+causing a memleak.
+
+Fix above two issues by moving CT clear mod acts allocation
+into the parsing actions phase and only use it when offloading the rule.
+The release of mod acts will be done in the normal flow_put().
+
+ backtrace:
+ [<000000007316e2f3>] krealloc+0x83/0xd0
+ [<00000000ef157de1>] mlx5e_mod_hdr_alloc+0x147/0x300 [mlx5_core]
+ [<00000000970ce4ae>] mlx5e_tc_match_to_reg_set_and_get_id+0xd7/0x240 [mlx5_core]
+ [<0000000067c5fa17>] mlx5e_tc_match_to_reg_set+0xa/0x20 [mlx5_core]
+ [<00000000d032eb98>] mlx5_tc_ct_entry_set_registers.isra.0+0x36/0xc0 [mlx5_core]
+ [<00000000fd23b869>] mlx5_tc_ct_flow_offload+0x272/0x1f10 [mlx5_core]
+ [<000000004fc24acc>] mlx5e_tc_offload_fdb_rules.part.0+0x150/0x620 [mlx5_core]
+ [<00000000dc741c17>] mlx5e_tc_encap_flows_add+0x489/0x690 [mlx5_core]
+ [<00000000e92e49d7>] mlx5e_rep_update_flows+0x6e4/0x9b0 [mlx5_core]
+ [<00000000f60f5602>] mlx5e_rep_neigh_update+0x39a/0x5d0 [mlx5_core]
+
+The Linux kernel CVE team has assigned CVE-2021-47199 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.7 with commit 1ef3018f5af3 and fixed in 5.15.5 with commit 486e8de6e233
+ Issue introduced in 5.7 with commit 1ef3018f5af3 and fixed in 5.16 with commit 806401c20a0f
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47199
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c
+ drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.h
+ drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/486e8de6e233ff2999493533c6259d1cb538653b
+ https://git.kernel.org/stable/c/806401c20a0f9c51b6c8fd7035671e6ca841f6c2
diff --git a/cve/published/2021/CVE-2021-47199.sha1 b/cve/published/2021/CVE-2021-47199.sha1
new file mode 100644
index 00000000..a9c1f573
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47199.sha1
@@ -0,0 +1 @@
+806401c20a0f9c51b6c8fd7035671e6ca841f6c2
diff --git a/cve/reserved/2021/CVE-2021-47200 b/cve/published/2021/CVE-2021-47200
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47200
+++ b/cve/published/2021/CVE-2021-47200
diff --git a/cve/published/2021/CVE-2021-47200.json b/cve/published/2021/CVE-2021-47200.json
new file mode 100644
index 00000000..3d3704fe
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47200.json
@@ -0,0 +1,88 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/prime: Fix use after free in mmap with drm_gem_ttm_mmap\n\ndrm_gem_ttm_mmap() drops a reference to the gem object on success. If\nthe gem object's refcount == 1 on entry to drm_gem_prime_mmap(), that\ndrop will free the gem object, and the subsequent drm_gem_object_get()\nwill be a UAF. Fix by grabbing a reference before calling the mmap\nhelper.\n\nThis issue was forseen when the reference dropping was adding in\ncommit 9786b65bc61ac (\"drm/ttm: fix mmap refcounting\"):\n \"For that to work properly the drm_gem_object_get() call in\n drm_gem_ttm_mmap() must be moved so it happens before calling\n obj->funcs->mmap(), otherwise the gem refcount would go down\n to zero.\""
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "9786b65bc61a",
+ "lessThan": "4f8e469a2384",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "9786b65bc61a",
+ "lessThan": "8244a3bc27b3",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.5",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.5",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.5",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.16",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/4f8e469a2384dfa4047145b0093126462cbb6dc0"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/8244a3bc27b3efd057da154b8d7e414670d5044f"
+ }
+ ],
+ "title": "drm/prime: Fix use after free in mmap with drm_gem_ttm_mmap",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47200",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
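Review bot: The `cna` container in CVE-2021-47200.json has no `problemTypes` entry, although the title and description name the weakness class outright (a use after free on the gem object in drm_gem_prime_mmap()). Consumers that triage or filter by CWE will see this record as unclassified and must parse the free-text description instead. Adding one entry next to `descriptions` would close that gap: `"problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416 Use After Free"}]}]`.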
diff --git a/cve/published/2021/CVE-2021-47200.mbox b/cve/published/2021/CVE-2021-47200.mbox
new file mode 100644
index 00000000..147909a5
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47200.mbox
@@ -0,0 +1,75 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47200: drm/prime: Fix use after free in mmap with drm_gem_ttm_mmap
+Message-Id: <2024041037-CVE-2021-47200-ae55@gregkh>
+Content-Length: 2216
+Lines: 58
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2275;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=zMjX+r1Z0c3DWho69nOQRLW7IDjsQ6M8t9FuOMXDDuk=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGliDxVrBZxW3Ur/+j7kl+3zbZ8rXsZzOybXSH4WieOvz
+ 9kze9u3jlgWBkEmBlkxRZYv23iO7q84pOhlaHsaZg4rE8gQBi5OAZjIgy0MC+Zenr7zsJq07kTX
+ A21RKr93LjCVsWaYn3vb8yZb5JTGY1cSDrHGRzalnNoyBQA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+drm/prime: Fix use after free in mmap with drm_gem_ttm_mmap
+
+drm_gem_ttm_mmap() drops a reference to the gem object on success. If
+the gem object's refcount == 1 on entry to drm_gem_prime_mmap(), that
+drop will free the gem object, and the subsequent drm_gem_object_get()
+will be a UAF. Fix by grabbing a reference before calling the mmap
+helper.
+
+This issue was forseen when the reference dropping was adding in
+commit 9786b65bc61ac ("drm/ttm: fix mmap refcounting"):
+ "For that to work properly the drm_gem_object_get() call in
+ drm_gem_ttm_mmap() must be moved so it happens before calling
+ obj->funcs->mmap(), otherwise the gem refcount would go down
+ to zero."
+
+The Linux kernel CVE team has assigned CVE-2021-47200 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.5 with commit 9786b65bc61a and fixed in 5.15.5 with commit 4f8e469a2384
+ Issue introduced in 5.5 with commit 9786b65bc61a and fixed in 5.16 with commit 8244a3bc27b3
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47200
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/gpu/drm/drm_prime.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/4f8e469a2384dfa4047145b0093126462cbb6dc0
+ https://git.kernel.org/stable/c/8244a3bc27b3efd057da154b8d7e414670d5044f
diff --git a/cve/published/2021/CVE-2021-47200.sha1 b/cve/published/2021/CVE-2021-47200.sha1
new file mode 100644
index 00000000..57a04414
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47200.sha1
@@ -0,0 +1 @@
+8244a3bc27b3efd057da154b8d7e414670d5044f
diff --git a/cve/reserved/2021/CVE-2021-47201 b/cve/published/2021/CVE-2021-47201
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47201
+++ b/cve/published/2021/CVE-2021-47201
diff --git a/cve/published/2021/CVE-2021-47201.json b/cve/published/2021/CVE-2021-47201.json
new file mode 100644
index 00000000..0b80dbe4
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47201.json
@@ -0,0 +1,118 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niavf: free q_vectors before queues in iavf_disable_vf\n\niavf_free_queues() clears adapter->num_active_queues, which\niavf_free_q_vectors() relies on, so swap the order of these two function\ncalls in iavf_disable_vf(). This resolves a panic encountered when the\ninterface is disabled and then later brought up again after PF\ncommunication is restored."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "65c7006f234c",
+ "lessThan": "926e8c83d4c1",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "65c7006f234c",
+ "lessThan": "78638b471322",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "65c7006f234c",
+ "lessThan": "9ef6589cac9a",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "65c7006f234c",
+ "lessThan": "89f22f129696",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "4.13",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "4.13",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.162",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.82",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.5",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.16",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/926e8c83d4c1c2dac0026637eb0d492df876489e"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/78638b47132244e3934dc5dc79f6372d5ce8e98c"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/9ef6589cac9a8c47f5544ccdf4c498093733bb3f"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/89f22f129696ab53cfbc608e0a2184d0fea46ac1"
+ }
+ ],
+ "title": "iavf: free q_vectors before queues in iavf_disable_vf",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47201",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2021/CVE-2021-47201.mbox b/cve/published/2021/CVE-2021-47201.mbox
new file mode 100644
index 00000000..1de6e48d
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47201.mbox
@@ -0,0 +1,72 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47201: iavf: free q_vectors before queues in iavf_disable_vf
+Message-Id: <2024041037-CVE-2021-47201-d7c8@gregkh>
+Content-Length: 2255
+Lines: 55
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2311;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=HfTMrml1XZjdh5EzefgItkKCGoI68Lu2zTyxKY3toPI=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGliDxXfp0ye0+WWy+gk9Xy/a5nDjYNzjzyRnLbjKvNSe
+ 5Nk2a31HbEsDIJMDLJiiixftvEc3V9xSNHL0PY0zBxWJpAhDFycAjARvR8M8xR/cZqUs/Afmb9g
+ yoXLO9MWLjdo1GdY0Od+6niE0WqTnb1aZem1Yp++J2wTAwA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+iavf: free q_vectors before queues in iavf_disable_vf
+
+iavf_free_queues() clears adapter->num_active_queues, which
+iavf_free_q_vectors() relies on, so swap the order of these two function
+calls in iavf_disable_vf(). This resolves a panic encountered when the
+interface is disabled and then later brought up again after PF
+communication is restored.
+
+The Linux kernel CVE team has assigned CVE-2021-47201 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 4.13 with commit 65c7006f234c and fixed in 5.4.162 with commit 926e8c83d4c1
+ Issue introduced in 4.13 with commit 65c7006f234c and fixed in 5.10.82 with commit 78638b471322
+ Issue introduced in 4.13 with commit 65c7006f234c and fixed in 5.15.5 with commit 9ef6589cac9a
+ Issue introduced in 4.13 with commit 65c7006f234c and fixed in 5.16 with commit 89f22f129696
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47201
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/net/ethernet/intel/iavf/iavf_main.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/926e8c83d4c1c2dac0026637eb0d492df876489e
+ https://git.kernel.org/stable/c/78638b47132244e3934dc5dc79f6372d5ce8e98c
+ https://git.kernel.org/stable/c/9ef6589cac9a8c47f5544ccdf4c498093733bb3f
+ https://git.kernel.org/stable/c/89f22f129696ab53cfbc608e0a2184d0fea46ac1
diff --git a/cve/published/2021/CVE-2021-47201.sha1 b/cve/published/2021/CVE-2021-47201.sha1
new file mode 100644
index 00000000..ae0c0e97
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47201.sha1
@@ -0,0 +1 @@
+89f22f129696ab53cfbc608e0a2184d0fea46ac1
diff --git a/cve/reserved/2021/CVE-2021-47202 b/cve/published/2021/CVE-2021-47202
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47202
+++ b/cve/published/2021/CVE-2021-47202
diff --git a/cve/published/2021/CVE-2021-47202.json b/cve/published/2021/CVE-2021-47202.json
new file mode 100644
index 00000000..74093c39
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47202.json
@@ -0,0 +1,123 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal: Fix NULL pointer dereferences in of_thermal_ functions\n\nof_parse_thermal_zones() parses the thermal-zones node and registers a\nthermal_zone device for each subnode. However, if a thermal zone is\nconsuming a thermal sensor and that thermal sensor device hasn't probed\nyet, an attempt to set trip_point_*_temp for that thermal zone device\ncan cause a NULL pointer dereference. Fix it.\n\n console:/sys/class/thermal/thermal_zone87 # echo 120000 > trip_point_0_temp\n ...\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020\n ...\n Call trace:\n of_thermal_set_trip_temp+0x40/0xc4\n trip_point_temp_store+0xc0/0x1dc\n dev_attr_store+0x38/0x88\n sysfs_kf_write+0x64/0xc0\n kernfs_fop_write_iter+0x108/0x1d0\n vfs_write+0x2f4/0x368\n ksys_write+0x7c/0xec\n __arm64_sys_write+0x20/0x30\n el0_svc_common.llvm.7279915941325364641+0xbc/0x1bc\n do_el0_svc+0x28/0xa0\n el0_svc+0x14/0x24\n el0_sync_handler+0x88/0xec\n el0_sync+0x1c0/0x200\n\nWhile at it, fix the possible NULL pointer dereference in other\nfunctions as well: of_thermal_get_temp(), of_thermal_set_emul_temp(),\nof_thermal_get_trend()."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "828f4c31684d",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "6a315471cb6a",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "0750f769b958",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "ef2590a5305e",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "96cfe05051fd",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.4.210",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.81",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.14.21",
+ "lessThanOrEqual": "5.14.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.4",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.16",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/828f4c31684da94ecf0b44a2cbd35bbede04f0bd"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/6a315471cb6a07f651e1d3adc8962730f4fcccac"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/0750f769b95841b34a9fe8c418dd792ff526bf86"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/ef2590a5305e0b8e9342f84c2214aa478ee7f28e"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/96cfe05051fd8543cdedd6807ec59a0e6c409195"
+ }
+ ],
+ "title": "thermal: Fix NULL pointer dereferences in of_thermal_ functions",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47202",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
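Review bot: Every git range in the first `affected` block of CVE-2021-47202.json starts at `1da177e4c3f4`, the initial import commit of the kernel git history, and the second block has no introduced-in version, so the record marks every kernel older than the listed fix versions as affected. The matching .mbox shows the same gap, listing only "Fixed in ..." lines. If the commit that introduced the unchecked pointer use in the of_thermal_ functions can be identified, the `version` fields should name it (`"version": "<introducing-commit>"`, a placeholder here). The second block should then also gain the `"version": "0"` / `lessThan` unaffected entry that CVE-2021-47200.json and CVE-2021-47201.json carry. Until then, version-matching scanners will flag branches that may predate the affected code, and CVE-2021-47203.json further down has the same shape.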
diff --git a/cve/published/2021/CVE-2021-47202.mbox b/cve/published/2021/CVE-2021-47202.mbox
new file mode 100644
index 00000000..727d3589
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47202.mbox
@@ -0,0 +1,97 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47202: thermal: Fix NULL pointer dereferences in of_thermal_ functions
+Message-Id: <2024041037-CVE-2021-47202-58b2@gregkh>
+Content-Length: 2917
+Lines: 80
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2998;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=m0INN0FNft4li8XfMU99NN6KK6KJHkIR5+tCgDAMF/E=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGliDxXdGPvq9ddsj3zEsy5uY7b1yolWnu/tBKe4GId6V
+ y+//D+0I5aFQZCJQVZMkeXLNp6j+ysOKXoZ2p6GmcPKBDKEgYtTACbC8I9hQduiXw4LD4YFPGzb
+ 9jc3aVXwZv9OeYb5CSKHhdnPZOr/dZnIkbd86UXv1cUXAQ==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+thermal: Fix NULL pointer dereferences in of_thermal_ functions
+
+of_parse_thermal_zones() parses the thermal-zones node and registers a
+thermal_zone device for each subnode. However, if a thermal zone is
+consuming a thermal sensor and that thermal sensor device hasn't probed
+yet, an attempt to set trip_point_*_temp for that thermal zone device
+can cause a NULL pointer dereference. Fix it.
+
+ console:/sys/class/thermal/thermal_zone87 # echo 120000 > trip_point_0_temp
+ ...
+ Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020
+ ...
+ Call trace:
+ of_thermal_set_trip_temp+0x40/0xc4
+ trip_point_temp_store+0xc0/0x1dc
+ dev_attr_store+0x38/0x88
+ sysfs_kf_write+0x64/0xc0
+ kernfs_fop_write_iter+0x108/0x1d0
+ vfs_write+0x2f4/0x368
+ ksys_write+0x7c/0xec
+ __arm64_sys_write+0x20/0x30
+ el0_svc_common.llvm.7279915941325364641+0xbc/0x1bc
+ do_el0_svc+0x28/0xa0
+ el0_svc+0x14/0x24
+ el0_sync_handler+0x88/0xec
+ el0_sync+0x1c0/0x200
+
+While at it, fix the possible NULL pointer dereference in other
+functions as well: of_thermal_get_temp(), of_thermal_set_emul_temp(),
+of_thermal_get_trend().
+
+The Linux kernel CVE team has assigned CVE-2021-47202 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 5.4.210 with commit 828f4c31684d
+ Fixed in 5.10.81 with commit 6a315471cb6a
+ Fixed in 5.14.21 with commit 0750f769b958
+ Fixed in 5.15.4 with commit ef2590a5305e
+ Fixed in 5.16 with commit 96cfe05051fd
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47202
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/thermal/thermal_of.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/828f4c31684da94ecf0b44a2cbd35bbede04f0bd
+ https://git.kernel.org/stable/c/6a315471cb6a07f651e1d3adc8962730f4fcccac
+ https://git.kernel.org/stable/c/0750f769b95841b34a9fe8c418dd792ff526bf86
+ https://git.kernel.org/stable/c/ef2590a5305e0b8e9342f84c2214aa478ee7f28e
+ https://git.kernel.org/stable/c/96cfe05051fd8543cdedd6807ec59a0e6c409195
diff --git a/cve/published/2021/CVE-2021-47202.sha1 b/cve/published/2021/CVE-2021-47202.sha1
new file mode 100644
index 00000000..6696787e
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47202.sha1
@@ -0,0 +1 @@
+96cfe05051fd8543cdedd6807ec59a0e6c409195
diff --git a/cve/reserved/2021/CVE-2021-47203 b/cve/published/2021/CVE-2021-47203
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47203
+++ b/cve/published/2021/CVE-2021-47203
diff --git a/cve/published/2021/CVE-2021-47203.json b/cve/published/2021/CVE-2021-47203.json
new file mode 100644
index 00000000..eca00f0b
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47203.json
@@ -0,0 +1,168 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix list_add() corruption in lpfc_drain_txq()\n\nWhen parsing the txq list in lpfc_drain_txq(), the driver attempts to pass\nthe requests to the adapter. If such an attempt fails, a local \"fail_msg\"\nstring is set and a log message output. The job is then added to a\ncompletions list for cancellation.\n\nProcessing of any further jobs from the txq list continues, but since\n\"fail_msg\" remains set, jobs are added to the completions list regardless\nof whether a wqe was passed to the adapter. If successfully added to\ntxcmplq, jobs are added to both lists resulting in list corruption.\n\nFix by clearing the fail_msg string after adding a job to the completions\nlist. This stops the subsequent jobs from being added to the completions\nlist unless they had an appropriate failure."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "ad4776b5eb2e",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "ec70d80a8642",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "f05a0191b901",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "b291d147d026",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "16bcbfb56d75",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "c097bd5a5916",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "814d3610c4ce",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "99154581b05c",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "4.4.293",
+ "lessThanOrEqual": "4.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.9.291",
+ "lessThanOrEqual": "4.9.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.14.256",
+ "lessThanOrEqual": "4.14.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.19.218",
+ "lessThanOrEqual": "4.19.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.162",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.82",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.5",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.16",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/ad4776b5eb2e58af1226847fcd3b4f6d051674dd"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/ec70d80a8642900086447ba0cdc79e3f44d42e8f"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/f05a0191b90156e539cccc189b9d87ca2a4d9305"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/b291d147d0268e93ad866f8bc820ea14497abc9b"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/16bcbfb56d759c25665f786e33ec633b9508a08f"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/c097bd5a59162156d9c2077a2f58732ffbaa9fca"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/814d3610c4ce86e8cf285b2cdac0057a42e82de5"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/99154581b05c8fb22607afb7c3d66c1bace6aa5d"
+ }
+ ],
+ "title": "scsi: lpfc: Fix list_add() corruption in lpfc_drain_txq()",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47203",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2021/CVE-2021-47203.mbox b/cve/published/2021/CVE-2021-47203.mbox
new file mode 100644
index 00000000..e475716b
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47203.mbox
@@ -0,0 +1,88 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47203: scsi: lpfc: Fix list_add() corruption in lpfc_drain_txq()
+Message-Id: <2024041037-CVE-2021-47203-ff72@gregkh>
+Content-Length: 2932
+Lines: 71
+X-Developer-Signature: v=1; a=openpgp-sha256; l=3004;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=z5xitAjBVWGfCAh/ACRqa7GvELGyn3XJmTFpxlEWn5o=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGliDxWVW/KWLHj7x2zGziN53GlKig9+ej8t+v7BIGLGU
+ 8Hiw/rTO2JZGASZGGTFFFm+bOM5ur/ikKKXoe1pmDmsTCBDGLg4BWAi970Z5senrjrbdsBL7wov
+ V+GXlG3e507NYWRYsClrPvNhy313u89u1cqQnHwq+uOdlwA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+scsi: lpfc: Fix list_add() corruption in lpfc_drain_txq()
+
+When parsing the txq list in lpfc_drain_txq(), the driver attempts to pass
+the requests to the adapter. If such an attempt fails, a local "fail_msg"
+string is set and a log message output. The job is then added to a
+completions list for cancellation.
+
+Processing of any further jobs from the txq list continues, but since
+"fail_msg" remains set, jobs are added to the completions list regardless
+of whether a wqe was passed to the adapter. If successfully added to
+txcmplq, jobs are added to both lists resulting in list corruption.
+
+Fix by clearing the fail_msg string after adding a job to the completions
+list. This stops the subsequent jobs from being added to the completions
+list unless they had an appropriate failure.
+
+The Linux kernel CVE team has assigned CVE-2021-47203 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 4.4.293 with commit ad4776b5eb2e
+ Fixed in 4.9.291 with commit ec70d80a8642
+ Fixed in 4.14.256 with commit f05a0191b901
+ Fixed in 4.19.218 with commit b291d147d026
+ Fixed in 5.4.162 with commit 16bcbfb56d75
+ Fixed in 5.10.82 with commit c097bd5a5916
+ Fixed in 5.15.5 with commit 814d3610c4ce
+ Fixed in 5.16 with commit 99154581b05c
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47203
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/scsi/lpfc/lpfc_sli.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/ad4776b5eb2e58af1226847fcd3b4f6d051674dd
+ https://git.kernel.org/stable/c/ec70d80a8642900086447ba0cdc79e3f44d42e8f
+ https://git.kernel.org/stable/c/f05a0191b90156e539cccc189b9d87ca2a4d9305
+ https://git.kernel.org/stable/c/b291d147d0268e93ad866f8bc820ea14497abc9b
+ https://git.kernel.org/stable/c/16bcbfb56d759c25665f786e33ec633b9508a08f
+ https://git.kernel.org/stable/c/c097bd5a59162156d9c2077a2f58732ffbaa9fca
+ https://git.kernel.org/stable/c/814d3610c4ce86e8cf285b2cdac0057a42e82de5
+ https://git.kernel.org/stable/c/99154581b05c8fb22607afb7c3d66c1bace6aa5d
diff --git a/cve/published/2021/CVE-2021-47203.sha1 b/cve/published/2021/CVE-2021-47203.sha1
new file mode 100644
index 00000000..a20ff7b3
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47203.sha1
@@ -0,0 +1 @@
+99154581b05c8fb22607afb7c3d66c1bace6aa5d
diff --git a/cve/reserved/2021/CVE-2021-47204 b/cve/published/2021/CVE-2021-47204
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47204
+++ b/cve/published/2021/CVE-2021-47204
diff --git a/cve/published/2021/CVE-2021-47204.json b/cve/published/2021/CVE-2021-47204.json
new file mode 100644
index 00000000..c5c79cac
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47204.json
@@ -0,0 +1,118 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dpaa2-eth: fix use-after-free in dpaa2_eth_remove\n\nAccess to netdev after free_netdev() will cause use-after-free bug.\nMove debug log before free_netdev() call to avoid it."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "7472dd9f6499",
+ "lessThan": "d74ff10ed2d9",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "7472dd9f6499",
+ "lessThan": "1c4099dc0d6a",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "7472dd9f6499",
+ "lessThan": "32d468622474",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "7472dd9f6499",
+ "lessThan": "9b5a333272a4",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "4.17",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "4.17",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.162",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.82",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.5",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.16",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/d74ff10ed2d93dc9b67e99a74b36fb9a83273d8a"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/1c4099dc0d6a01e76e4f7dd98e4b3e0d55d80ad9"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/32d4686224744819ddcae58b666c21d2a4ef4c88"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/9b5a333272a48c2f8b30add7a874e46e8b26129c"
+ }
+ ],
+ "title": "net: dpaa2-eth: fix use-after-free in dpaa2_eth_remove",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47204",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
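Review bot: The second `affected` block marks everything from 4.17 onward as affected by default and lists fixed releases only for 5.4.y, 5.10.y, 5.15.y and 5.16, so the 4.19.y stable series stays in the affected range with no fix entry. Anyone matching kernels against this record should treat 4.19.x as still exposed to the `dpaa2_eth_remove` use-after-free rather than assume it is covered. If a 4.19.y backport exists, it needs its own entry, for example `"version": "<4.19.y fix release placeholder>", "lessThanOrEqual": "4.19.*", "status": "unaffected"`, plus the matching git range and reference URL. If none exists, the announcement text could say so explicitly.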
diff --git a/cve/published/2021/CVE-2021-47204.mbox b/cve/published/2021/CVE-2021-47204.mbox
new file mode 100644
index 00000000..e5057a60
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47204.mbox
@@ -0,0 +1,69 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47204: net: dpaa2-eth: fix use-after-free in dpaa2_eth_remove
+Message-Id: <2024041037-CVE-2021-47204-82d1@gregkh>
+Content-Length: 2089
+Lines: 52
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2142;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=yZ6dTusaNIJFoq6zJa8zzUGFnhr5gdAS72iVAv8/Vbw=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGliDxUZ56z7UbpH4B3Xdr58Ocalp44aHq6fwOV+S/ZXR
+ 3/psdnSHbEsDIJMDLJiiixftvEc3V9xSNHL0PY0zBxWJpAhDFycAjCRRjWGucLtv2IzoypixC4d
+ et5h3VgRZSdizrBgSiHrp9y2jf0nFLfJqJYZdzx9/eA9AA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+net: dpaa2-eth: fix use-after-free in dpaa2_eth_remove
+
+Access to netdev after free_netdev() will cause use-after-free bug.
+Move debug log before free_netdev() call to avoid it.
+
+The Linux kernel CVE team has assigned CVE-2021-47204 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 4.17 with commit 7472dd9f6499 and fixed in 5.4.162 with commit d74ff10ed2d9
+ Issue introduced in 4.17 with commit 7472dd9f6499 and fixed in 5.10.82 with commit 1c4099dc0d6a
+ Issue introduced in 4.17 with commit 7472dd9f6499 and fixed in 5.15.5 with commit 32d468622474
+ Issue introduced in 4.17 with commit 7472dd9f6499 and fixed in 5.16 with commit 9b5a333272a4
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47204
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/d74ff10ed2d93dc9b67e99a74b36fb9a83273d8a
+ https://git.kernel.org/stable/c/1c4099dc0d6a01e76e4f7dd98e4b3e0d55d80ad9
+ https://git.kernel.org/stable/c/32d4686224744819ddcae58b666c21d2a4ef4c88
+ https://git.kernel.org/stable/c/9b5a333272a48c2f8b30add7a874e46e8b26129c
diff --git a/cve/published/2021/CVE-2021-47204.sha1 b/cve/published/2021/CVE-2021-47204.sha1
new file mode 100644
index 00000000..9a2561a0
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47204.sha1
@@ -0,0 +1 @@
+9b5a333272a48c2f8b30add7a874e46e8b26129c
diff --git a/cve/reserved/2021/CVE-2021-47205 b/cve/published/2021/CVE-2021-47205
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47205
+++ b/cve/published/2021/CVE-2021-47205
diff --git a/cve/published/2021/CVE-2021-47205.json b/cve/published/2021/CVE-2021-47205.json
new file mode 100644
index 00000000..7d2506ce
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47205.json
@@ -0,0 +1,78 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: sunxi-ng: Unregister clocks/resets when unbinding\n\nCurrently, unbinding a CCU driver unmaps the device's MMIO region, while\nleaving its clocks/resets and their providers registered. This can cause\na page fault later when some clock operation tries to perform MMIO. Fix\nthis by separating the CCU initialization from the memory allocation,\nand then using a devres callback to unregister the clocks and resets.\n\nThis also fixes a memory leak of the `struct ccu_reset`, and uses the\ncorrect owner (the specific platform driver) for the clocks and resets.\n\nEarly OF clock providers are never unregistered, and limited error\nhandling is possible, so they are mostly unchanged. The error reporting\nis made more consistent by moving the message inside of_sunxi_ccu_probe."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "b5dd513daa70",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "9bec2b9c6134",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.15.5",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.16",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/b5dd513daa70ee8f6d281a20bd28485ee9bb7db2"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/9bec2b9c6134052994115d2d3374e96f2ccb9b9d"
+ }
+ ],
+ "title": "clk: sunxi-ng: Unregister clocks/resets when unbinding",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47205",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
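Review bot: Both git ranges in the first `affected` block start at `1da177e4c3f4`, the first commit of the kernel's git history. No introducing commit appears to have been recorded, since the matching mbox lists only "Fixed in" lines. Version matchers will therefore flag every kernel before 5.15.5 as affected, presumably including trees that predate the sunxi-ng CCU drivers or never build them. If the introducing commit can be identified, `"version": "<introducing-commit placeholder>"` would narrow the range, with a matching lower bound in the semver block. The CVE-2021-47206 and CVE-2021-47207 JSON hunks use the same start value and deserve the same check.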
diff --git a/cve/published/2021/CVE-2021-47205.mbox b/cve/published/2021/CVE-2021-47205.mbox
new file mode 100644
index 00000000..aad3bdbf
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47205.mbox
@@ -0,0 +1,97 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47205: clk: sunxi-ng: Unregister clocks/resets when unbinding
+Message-Id: <2024041038-CVE-2021-47205-3f43@gregkh>
+Content-Length: 3065
+Lines: 80
+X-Developer-Signature: v=1; a=openpgp-sha256; l=3146;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=NR4SGiSs3gssOg8v4FgikuvrenckNHB41FO7PH+tt40=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGliD5WuNV/LnPPCoG6jb2LrjKIjlsr/NPd7x81TZNAuz
+ tqqwOjaEcvCIMjEICumyPJlG8/R/RWHFL0MbU/DzGFlAhnCwMUpABMJUmGYK19SEZ7BfPWl1Jlt
+ ZoLffBlTlyRoM8z3d457q7LptIbKv4Xzr4ux1u716ukFAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+clk: sunxi-ng: Unregister clocks/resets when unbinding
+
+Currently, unbinding a CCU driver unmaps the device's MMIO region, while
+leaving its clocks/resets and their providers registered. This can cause
+a page fault later when some clock operation tries to perform MMIO. Fix
+this by separating the CCU initialization from the memory allocation,
+and then using a devres callback to unregister the clocks and resets.
+
+This also fixes a memory leak of the `struct ccu_reset`, and uses the
+correct owner (the specific platform driver) for the clocks and resets.
+
+Early OF clock providers are never unregistered, and limited error
+handling is possible, so they are mostly unchanged. The error reporting
+is made more consistent by moving the message inside of_sunxi_ccu_probe.
+
+The Linux kernel CVE team has assigned CVE-2021-47205 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 5.15.5 with commit b5dd513daa70
+ Fixed in 5.16 with commit 9bec2b9c6134
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47205
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/clk/sunxi-ng/ccu-sun4i-a10.c
+ drivers/clk/sunxi-ng/ccu-sun50i-a100-r.c
+ drivers/clk/sunxi-ng/ccu-sun50i-a100.c
+ drivers/clk/sunxi-ng/ccu-sun50i-a64.c
+ drivers/clk/sunxi-ng/ccu-sun50i-h6-r.c
+ drivers/clk/sunxi-ng/ccu-sun50i-h6.c
+ drivers/clk/sunxi-ng/ccu-sun50i-h616.c
+ drivers/clk/sunxi-ng/ccu-sun5i.c
+ drivers/clk/sunxi-ng/ccu-sun6i-a31.c
+ drivers/clk/sunxi-ng/ccu-sun8i-a23.c
+ drivers/clk/sunxi-ng/ccu-sun8i-a33.c
+ drivers/clk/sunxi-ng/ccu-sun8i-a83t.c
+ drivers/clk/sunxi-ng/ccu-sun8i-de2.c
+ drivers/clk/sunxi-ng/ccu-sun8i-h3.c
+ drivers/clk/sunxi-ng/ccu-sun8i-r.c
+ drivers/clk/sunxi-ng/ccu-sun8i-r40.c
+ drivers/clk/sunxi-ng/ccu-sun8i-v3s.c
+ drivers/clk/sunxi-ng/ccu-sun9i-a80-de.c
+ drivers/clk/sunxi-ng/ccu-sun9i-a80-usb.c
+ drivers/clk/sunxi-ng/ccu-sun9i-a80.c
+ drivers/clk/sunxi-ng/ccu-suniv-f1c100s.c
+ drivers/clk/sunxi-ng/ccu_common.c
+ drivers/clk/sunxi-ng/ccu_common.h
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/b5dd513daa70ee8f6d281a20bd28485ee9bb7db2
+ https://git.kernel.org/stable/c/9bec2b9c6134052994115d2d3374e96f2ccb9b9d
diff --git a/cve/published/2021/CVE-2021-47205.sha1 b/cve/published/2021/CVE-2021-47205.sha1
new file mode 100644
index 00000000..cda61dae
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47205.sha1
@@ -0,0 +1 @@
+9bec2b9c6134052994115d2d3374e96f2ccb9b9d
diff --git a/cve/reserved/2021/CVE-2021-47206 b/cve/published/2021/CVE-2021-47206
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47206
+++ b/cve/published/2021/CVE-2021-47206
diff --git a/cve/published/2021/CVE-2021-47206.json b/cve/published/2021/CVE-2021-47206.json
new file mode 100644
index 00000000..8f2ef67a
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47206.json
@@ -0,0 +1,168 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: host: ohci-tmio: check return value after calling platform_get_resource()\n\nIt will cause null-ptr-deref if platform_get_resource() returns NULL,\nwe need check the return value."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "28e016e02118",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "2f18f97a1a78",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "bb6ed2e05eb6",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "951b8239fd24",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "f98986b7acb4",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "2474eb7fc3bf",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "065334f6640d",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "9eff2b2e59fd",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "4.4.293",
+ "lessThanOrEqual": "4.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.9.291",
+ "lessThanOrEqual": "4.9.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.14.256",
+ "lessThanOrEqual": "4.14.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.19.218",
+ "lessThanOrEqual": "4.19.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.162",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.82",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.5",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.16",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/28e016e02118917e50a667bc72fb80098cf2b460"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/2f18f97a1a787154a372c0738f1576f14b693d91"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/bb6ed2e05eb6e8619b30fa854f9becd50c11723f"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/951b8239fd24678b56c995c5c0456ab12e059d19"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/f98986b7acb4219f95789095eced93ed69d81d35"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/2474eb7fc3bfbce10f7b8ea431fcffe5dd5f5100"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/065334f6640d074a1caec2f8b0091467a22f9483"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/9eff2b2e59fda25051ab36cd1cb5014661df657b"
+ }
+ ],
+ "title": "usb: host: ohci-tmio: check return value after calling platform_get_resource()",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47206",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2021/CVE-2021-47206.mbox b/cve/published/2021/CVE-2021-47206.mbox
new file mode 100644
index 00000000..bbaf5522
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47206.mbox
@@ -0,0 +1,77 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47206: usb: host: ohci-tmio: check return value after calling platform_get_resource()
+Message-Id: <2024041038-CVE-2021-47206-fe4c@gregkh>
+Content-Length: 2327
+Lines: 60
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2388;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=YIr4IEXK+MqUoceL999u9h+fDI+4jcIv2ahkf4jkPB8=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGliD5VimzxE9OWvMP/zi3xl4Prp+7l/Rjtj9zeV+nm4N
+ b64bxDQEcvCIMjEICumyPJlG8/R/RWHFL0MbU/DzGFlAhnCwMUpABPZbckwz8rGRtBPYGmGRbvu
+ jqcy96fc/r0ql2F+zJWahp0XppmHzWq7UT8j95Xhk9PiAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+usb: host: ohci-tmio: check return value after calling platform_get_resource()
+
+It will cause null-ptr-deref if platform_get_resource() returns NULL,
+we need check the return value.
+
+The Linux kernel CVE team has assigned CVE-2021-47206 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 4.4.293 with commit 28e016e02118
+ Fixed in 4.9.291 with commit 2f18f97a1a78
+ Fixed in 4.14.256 with commit bb6ed2e05eb6
+ Fixed in 4.19.218 with commit 951b8239fd24
+ Fixed in 5.4.162 with commit f98986b7acb4
+ Fixed in 5.10.82 with commit 2474eb7fc3bf
+ Fixed in 5.15.5 with commit 065334f6640d
+ Fixed in 5.16 with commit 9eff2b2e59fd
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47206
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/usb/host/ohci-tmio.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/28e016e02118917e50a667bc72fb80098cf2b460
+ https://git.kernel.org/stable/c/2f18f97a1a787154a372c0738f1576f14b693d91
+ https://git.kernel.org/stable/c/bb6ed2e05eb6e8619b30fa854f9becd50c11723f
+ https://git.kernel.org/stable/c/951b8239fd24678b56c995c5c0456ab12e059d19
+ https://git.kernel.org/stable/c/f98986b7acb4219f95789095eced93ed69d81d35
+ https://git.kernel.org/stable/c/2474eb7fc3bfbce10f7b8ea431fcffe5dd5f5100
+ https://git.kernel.org/stable/c/065334f6640d074a1caec2f8b0091467a22f9483
+ https://git.kernel.org/stable/c/9eff2b2e59fda25051ab36cd1cb5014661df657b
diff --git a/cve/published/2021/CVE-2021-47206.sha1 b/cve/published/2021/CVE-2021-47206.sha1
new file mode 100644
index 00000000..af5596fa
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47206.sha1
@@ -0,0 +1 @@
+9eff2b2e59fda25051ab36cd1cb5014661df657b
diff --git a/cve/reserved/2021/CVE-2021-47207 b/cve/published/2021/CVE-2021-47207
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47207
+++ b/cve/published/2021/CVE-2021-47207
diff --git a/cve/published/2021/CVE-2021-47207.json b/cve/published/2021/CVE-2021-47207.json
new file mode 100644
index 00000000..36424991
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47207.json
@@ -0,0 +1,168 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: gus: fix null pointer dereference on pointer block\n\nThe pointer block return from snd_gf1_dma_next_block could be\nnull, so there is a potential null pointer dereference issue.\nFix this by adding a null check before dereference."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "3e28e083dcdf",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "cb09c760c201",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "542fa721594a",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "ab4c1ebc40f6",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "c6d2cefdd05c",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "1ac6cd87d8dd",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "16721797dcef",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "a0d21bb32794",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "4.4.293",
+ "lessThanOrEqual": "4.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.9.291",
+ "lessThanOrEqual": "4.9.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.14.256",
+ "lessThanOrEqual": "4.14.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.19.218",
+ "lessThanOrEqual": "4.19.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.162",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.82",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.5",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.16",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/3e28e083dcdf03a18a083f8a47b6bb6b1604b5be"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/cb09c760c201f82df83babc92a5ffea0a01807fc"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/542fa721594a02d2aee0370a764d306ef48d030c"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/ab4c1ebc40f699f48346f634d7b72b9c5193f315"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/c6d2cefdd05c4810c416fb8d384b5c377bd977bc"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/1ac6cd87d8ddd36c43620f82c4d65b058f725f0f"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/16721797dcef2c7c030ffe73a07f39a65f9323c3"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/a0d21bb3279476c777434c40d969ea88ca64f9aa"
+ }
+ ],
+ "title": "ALSA: gus: fix null pointer dereference on pointer block",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47207",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2021/CVE-2021-47207.mbox b/cve/published/2021/CVE-2021-47207.mbox
new file mode 100644
index 00000000..0888dfae
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47207.mbox
@@ -0,0 +1,78 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47207: ALSA: gus: fix null pointer dereference on pointer block
+Message-Id: <2024041038-CVE-2021-47207-7ac9@gregkh>
+Content-Length: 2374
+Lines: 61
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2436;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=UNg4SLEAOd5N07Oih/IcYvFxvOw6XfO/DpNf5zQrAms=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGliD5UuPahQ551ueZD78pmEJadvR6+Q9ZTW4WOo+6Ckm
+ 8RwTXRRRywLgyATg6yYIsuXbTxH91ccUvQytD0NM4eVCWQIAxenAEzkaA7DgiM2gl5FiRPzc9Zu
+ 2iD6sbn2kMxaNoYFPbwdxo83XZ9lN6H//SymqIbV83I0AQ==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+ALSA: gus: fix null pointer dereference on pointer block
+
+The pointer block return from snd_gf1_dma_next_block could be
+null, so there is a potential null pointer dereference issue.
+Fix this by adding a null check before dereference.
+
+The Linux kernel CVE team has assigned CVE-2021-47207 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 4.4.293 with commit 3e28e083dcdf
+ Fixed in 4.9.291 with commit cb09c760c201
+ Fixed in 4.14.256 with commit 542fa721594a
+ Fixed in 4.19.218 with commit ab4c1ebc40f6
+ Fixed in 5.4.162 with commit c6d2cefdd05c
+ Fixed in 5.10.82 with commit 1ac6cd87d8dd
+ Fixed in 5.15.5 with commit 16721797dcef
+ Fixed in 5.16 with commit a0d21bb32794
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47207
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ sound/isa/gus/gus_dma.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/3e28e083dcdf03a18a083f8a47b6bb6b1604b5be
+ https://git.kernel.org/stable/c/cb09c760c201f82df83babc92a5ffea0a01807fc
+ https://git.kernel.org/stable/c/542fa721594a02d2aee0370a764d306ef48d030c
+ https://git.kernel.org/stable/c/ab4c1ebc40f699f48346f634d7b72b9c5193f315
+ https://git.kernel.org/stable/c/c6d2cefdd05c4810c416fb8d384b5c377bd977bc
+ https://git.kernel.org/stable/c/1ac6cd87d8ddd36c43620f82c4d65b058f725f0f
+ https://git.kernel.org/stable/c/16721797dcef2c7c030ffe73a07f39a65f9323c3
+ https://git.kernel.org/stable/c/a0d21bb3279476c777434c40d969ea88ca64f9aa
diff --git a/cve/published/2021/CVE-2021-47207.sha1 b/cve/published/2021/CVE-2021-47207.sha1
new file mode 100644
index 00000000..0dceb086
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47207.sha1
@@ -0,0 +1 @@
+a0d21bb3279476c777434c40d969ea88ca64f9aa