authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>2024-04-03 19:31:22 +0200
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2024-04-03 19:31:22 +0200
commit56dc680ca8ba636fa58b77d90fdc1152f204c36e (patch)
tree1bd492791d72e3059eca8689986bdc293c4c317b
parent532cc28bcd1279172d31acbc6cafbfeba63f54c1 (diff)
assign CVEs for some 6.7.7 commits
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--cve/published/2023/CVE-2023-52640 (renamed from cve/reserved/2023/CVE-2023-52640)0
-rw-r--r--cve/published/2023/CVE-2023-52640.json123
-rw-r--r--cve/published/2023/CVE-2023-52640.mbox70
-rw-r--r--cve/published/2023/CVE-2023-52640.sha11
-rw-r--r--cve/published/2023/CVE-2023-52641 (renamed from cve/reserved/2023/CVE-2023-52641)0
-rw-r--r--cve/published/2023/CVE-2023-52641.json123
-rw-r--r--cve/published/2023/CVE-2023-52641.mbox71
-rw-r--r--cve/published/2023/CVE-2023-52641.sha11
-rw-r--r--cve/published/2024/CVE-2024-26728 (renamed from cve/reserved/2024/CVE-2024-26728)0
-rw-r--r--cve/published/2024/CVE-2024-26728.json88
-rw-r--r--cve/published/2024/CVE-2024-26728.mbox135
-rw-r--r--cve/published/2024/CVE-2024-26728.sha11
-rw-r--r--cve/published/2024/CVE-2024-26729 (renamed from cve/reserved/2024/CVE-2024-26729)0
-rw-r--r--cve/published/2024/CVE-2024-26729.json88
-rw-r--r--cve/published/2024/CVE-2024-26729.mbox79
-rw-r--r--cve/published/2024/CVE-2024-26729.sha11
-rw-r--r--cve/published/2024/CVE-2024-26730 (renamed from cve/reserved/2024/CVE-2024-26730)0
-rw-r--r--cve/published/2024/CVE-2024-26730.json103
-rw-r--r--cve/published/2024/CVE-2024-26730.mbox70
-rw-r--r--cve/published/2024/CVE-2024-26730.sha11
-rw-r--r--cve/published/2024/CVE-2024-26731 (renamed from cve/reserved/2024/CVE-2024-26731)0
-rw-r--r--cve/published/2024/CVE-2024-26731.json108
-rw-r--r--cve/published/2024/CVE-2024-26731.mbox92
-rw-r--r--cve/published/2024/CVE-2024-26731.sha11
-rw-r--r--cve/published/2024/CVE-2024-26732 (renamed from cve/reserved/2024/CVE-2024-26732)0
-rw-r--r--cve/published/2024/CVE-2024-26732.json88
-rw-r--r--cve/published/2024/CVE-2024-26732.mbox185
-rw-r--r--cve/published/2024/CVE-2024-26732.sha11
-rw-r--r--cve/published/2024/CVE-2024-26733 (renamed from cve/reserved/2024/CVE-2024-26733)0
-rw-r--r--cve/published/2024/CVE-2024-26733.json148
-rw-r--r--cve/published/2024/CVE-2024-26733.mbox134
-rw-r--r--cve/published/2024/CVE-2024-26733.sha11
-rw-r--r--cve/published/2024/CVE-2024-26734 (renamed from cve/reserved/2024/CVE-2024-26734)0
-rw-r--r--cve/published/2024/CVE-2024-26734.json103
-rw-r--r--cve/published/2024/CVE-2024-26734.mbox69
-rw-r--r--cve/published/2024/CVE-2024-26734.sha11
-rw-r--r--cve/published/2024/CVE-2024-26735 (renamed from cve/reserved/2024/CVE-2024-26735)0
-rw-r--r--cve/published/2024/CVE-2024-26735.json178
-rw-r--r--cve/published/2024/CVE-2024-26735.mbox77
-rw-r--r--cve/published/2024/CVE-2024-26735.sha11
-rw-r--r--cve/published/2024/CVE-2024-26736 (renamed from cve/reserved/2024/CVE-2024-26736)0
-rw-r--r--cve/published/2024/CVE-2024-26736.json163
-rw-r--r--cve/published/2024/CVE-2024-26736.mbox79
-rw-r--r--cve/published/2024/CVE-2024-26736.sha11
-rw-r--r--cve/published/2024/CVE-2024-26737 (renamed from cve/reserved/2024/CVE-2024-26737)0
-rw-r--r--cve/published/2024/CVE-2024-26737.json133
-rw-r--r--cve/published/2024/CVE-2024-26737.mbox105
-rw-r--r--cve/published/2024/CVE-2024-26737.sha11
-rw-r--r--cve/published/2024/CVE-2024-26738 (renamed from cve/reserved/2024/CVE-2024-26738)0
-rw-r--r--cve/published/2024/CVE-2024-26738.json103
-rw-r--r--cve/published/2024/CVE-2024-26738.mbox122
-rw-r--r--cve/published/2024/CVE-2024-26738.sha11
-rw-r--r--cve/published/2024/CVE-2024-26739 (renamed from cve/reserved/2024/CVE-2024-26739)0
-rw-r--r--cve/published/2024/CVE-2024-26739.json103
-rw-r--r--cve/published/2024/CVE-2024-26739.mbox71
-rw-r--r--cve/published/2024/CVE-2024-26739.sha11
-rw-r--r--cve/published/2024/CVE-2024-26740 (renamed from cve/reserved/2024/CVE-2024-26740)0
-rw-r--r--cve/published/2024/CVE-2024-26740.json103
-rw-r--r--cve/published/2024/CVE-2024-26740.mbox82
-rw-r--r--cve/published/2024/CVE-2024-26740.sha11
-rw-r--r--cve/published/2024/CVE-2024-26741 (renamed from cve/reserved/2024/CVE-2024-26741)0
-rw-r--r--cve/published/2024/CVE-2024-26741.json118
-rw-r--r--cve/published/2024/CVE-2024-26741.mbox161
-rw-r--r--cve/published/2024/CVE-2024-26741.sha11
-rw-r--r--cve/published/2024/CVE-2024-26742 (renamed from cve/reserved/2024/CVE-2024-26742)0
-rw-r--r--cve/published/2024/CVE-2024-26742.json118
-rw-r--r--cve/published/2024/CVE-2024-26742.mbox112
-rw-r--r--cve/published/2024/CVE-2024-26742.sha11
-rw-r--r--cve/published/2024/CVE-2024-26743 (renamed from cve/reserved/2024/CVE-2024-26743)0
-rw-r--r--cve/published/2024/CVE-2024-26743.json148
-rw-r--r--cve/published/2024/CVE-2024-26743.mbox135
-rw-r--r--cve/published/2024/CVE-2024-26743.sha11
-rw-r--r--cve/published/2024/CVE-2024-26744 (renamed from cve/reserved/2024/CVE-2024-26744)0
-rw-r--r--cve/published/2024/CVE-2024-26744.json163
-rw-r--r--cve/published/2024/CVE-2024-26744.mbox88
-rw-r--r--cve/published/2024/CVE-2024-26744.sha11
-rw-r--r--cve/published/2024/CVE-2024-26747 (renamed from cve/reserved/2024/CVE-2024-26747)0
-rw-r--r--cve/published/2024/CVE-2024-26747.json148
-rw-r--r--cve/published/2024/CVE-2024-26747.mbox81
-rw-r--r--cve/published/2024/CVE-2024-26747.sha11
-rw-r--r--cve/published/2024/CVE-2024-26748 (renamed from cve/reserved/2024/CVE-2024-26748)0
-rw-r--r--cve/published/2024/CVE-2024-26748.json163
-rw-r--r--cve/published/2024/CVE-2024-26748.mbox99
-rw-r--r--cve/published/2024/CVE-2024-26748.sha11
-rw-r--r--cve/published/2024/CVE-2024-26749 (renamed from cve/reserved/2024/CVE-2024-26749)0
-rw-r--r--cve/published/2024/CVE-2024-26749.json163
-rw-r--r--cve/published/2024/CVE-2024-26749.mbox93
-rw-r--r--cve/published/2024/CVE-2024-26749.sha11
-rw-r--r--cve/published/2024/CVE-2024-26751 (renamed from cve/reserved/2024/CVE-2024-26751)0
-rw-r--r--cve/published/2024/CVE-2024-26751.json178
-rw-r--r--cve/published/2024/CVE-2024-26751.mbox78
-rw-r--r--cve/published/2024/CVE-2024-26751.sha11
-rw-r--r--cve/published/2024/CVE-2024-26752 (renamed from cve/reserved/2024/CVE-2024-26752)0
-rw-r--r--cve/published/2024/CVE-2024-26752.json168
-rw-r--r--cve/published/2024/CVE-2024-26752.mbox94
-rw-r--r--cve/published/2024/CVE-2024-26752.sha11
-rw-r--r--cve/published/2024/CVE-2024-26753 (renamed from cve/reserved/2024/CVE-2024-26753)0
-rw-r--r--cve/published/2024/CVE-2024-26753.json123
-rw-r--r--cve/published/2024/CVE-2024-26753.mbox77
-rw-r--r--cve/published/2024/CVE-2024-26753.sha11
-rw-r--r--cve/published/2024/CVE-2024-26754 (renamed from cve/reserved/2024/CVE-2024-26754)0
-rw-r--r--cve/published/2024/CVE-2024-26754.json178
-rw-r--r--cve/published/2024/CVE-2024-26754.mbox124
-rw-r--r--cve/published/2024/CVE-2024-26754.sha11
-rw-r--r--cve/published/2024/CVE-2024-26755 (renamed from cve/reserved/2024/CVE-2024-26755)0
-rw-r--r--cve/published/2024/CVE-2024-26755.json88
-rw-r--r--cve/published/2024/CVE-2024-26755.mbox87
-rw-r--r--cve/published/2024/CVE-2024-26755.sha11
-rw-r--r--cve/published/2024/CVE-2024-26756 (renamed from cve/reserved/2024/CVE-2024-26756)0
-rw-r--r--cve/published/2024/CVE-2024-26756.json88
-rw-r--r--cve/published/2024/CVE-2024-26756.mbox99
-rw-r--r--cve/published/2024/CVE-2024-26756.sha11
-rw-r--r--cve/published/2024/CVE-2024-26757 (renamed from cve/reserved/2024/CVE-2024-26757)0
-rw-r--r--cve/published/2024/CVE-2024-26757.json88
-rw-r--r--cve/published/2024/CVE-2024-26757.mbox110
-rw-r--r--cve/published/2024/CVE-2024-26757.sha11
-rw-r--r--cve/published/2024/CVE-2024-26758 (renamed from cve/reserved/2024/CVE-2024-26758)0
-rw-r--r--cve/published/2024/CVE-2024-26758.json88
-rw-r--r--cve/published/2024/CVE-2024-26758.mbox99
-rw-r--r--cve/published/2024/CVE-2024-26758.sha11
-rw-r--r--cve/published/2024/CVE-2024-26759 (renamed from cve/reserved/2024/CVE-2024-26759)0
-rw-r--r--cve/published/2024/CVE-2024-26759.json118
-rw-r--r--cve/published/2024/CVE-2024-26759.mbox151
-rw-r--r--cve/published/2024/CVE-2024-26759.sha11
-rw-r--r--cve/published/2024/CVE-2024-26760 (renamed from cve/reserved/2024/CVE-2024-26760)0
-rw-r--r--cve/published/2024/CVE-2024-26760.json118
-rw-r--r--cve/published/2024/CVE-2024-26760.mbox71
-rw-r--r--cve/published/2024/CVE-2024-26760.sha11
-rw-r--r--cve/published/2024/CVE-2024-26761 (renamed from cve/reserved/2024/CVE-2024-26761)0
-rw-r--r--cve/published/2024/CVE-2024-26761.json118
-rw-r--r--cve/published/2024/CVE-2024-26761.mbox88
-rw-r--r--cve/published/2024/CVE-2024-26761.sha11
-rw-r--r--cve/published/2024/CVE-2024-26762 (renamed from cve/reserved/2024/CVE-2024-26762)0
-rw-r--r--cve/published/2024/CVE-2024-26762.json88
-rw-r--r--cve/published/2024/CVE-2024-26762.mbox101
-rw-r--r--cve/published/2024/CVE-2024-26762.sha11
-rw-r--r--cve/published/2024/CVE-2024-26763 (renamed from cve/reserved/2024/CVE-2024-26763)0
-rw-r--r--cve/published/2024/CVE-2024-26763.json168
-rw-r--r--cve/published/2024/CVE-2024-26763.mbox85
-rw-r--r--cve/published/2024/CVE-2024-26763.sha11
-rw-r--r--cve/published/2024/CVE-2024-26764 (renamed from cve/reserved/2024/CVE-2024-26764)0
-rw-r--r--cve/published/2024/CVE-2024-26764.json168
-rw-r--r--cve/published/2024/CVE-2024-26764.mbox96
-rw-r--r--cve/published/2024/CVE-2024-26764.sha11
-rw-r--r--cve/published/2024/CVE-2024-26765 (renamed from cve/reserved/2024/CVE-2024-26765)0
-rw-r--r--cve/published/2024/CVE-2024-26765.json108
-rw-r--r--cve/published/2024/CVE-2024-26765.mbox114
-rw-r--r--cve/published/2024/CVE-2024-26765.sha11
-rw-r--r--cve/published/2024/CVE-2024-26766 (renamed from cve/reserved/2024/CVE-2024-26766)0
-rw-r--r--cve/published/2024/CVE-2024-26766.json168
-rw-r--r--cve/published/2024/CVE-2024-26766.mbox143
-rw-r--r--cve/published/2024/CVE-2024-26766.sha11
-rw-r--r--cve/published/2024/CVE-2024-26767 (renamed from cve/reserved/2024/CVE-2024-26767)0
-rw-r--r--cve/published/2024/CVE-2024-26767.json93
-rw-r--r--cve/published/2024/CVE-2024-26767.mbox71
-rw-r--r--cve/published/2024/CVE-2024-26767.sha11
-rw-r--r--cve/published/2024/CVE-2024-26768 (renamed from cve/reserved/2024/CVE-2024-26768)0
-rw-r--r--cve/published/2024/CVE-2024-26768.json93
-rw-r--r--cve/published/2024/CVE-2024-26768.mbox121
-rw-r--r--cve/published/2024/CVE-2024-26768.sha11
-rw-r--r--cve/published/2024/CVE-2024-26769 (renamed from cve/reserved/2024/CVE-2024-26769)0
-rw-r--r--cve/published/2024/CVE-2024-26769.json123
-rw-r--r--cve/published/2024/CVE-2024-26769.mbox72
-rw-r--r--cve/published/2024/CVE-2024-26769.sha11
-rw-r--r--cve/published/2024/CVE-2024-26770 (renamed from cve/reserved/2024/CVE-2024-26770)0
-rw-r--r--cve/published/2024/CVE-2024-26770.json93
-rw-r--r--cve/published/2024/CVE-2024-26770.mbox70
-rw-r--r--cve/published/2024/CVE-2024-26770.sha11
-rw-r--r--cve/published/2024/CVE-2024-26771 (renamed from cve/reserved/2024/CVE-2024-26771)0
-rw-r--r--cve/published/2024/CVE-2024-26771.json138
-rw-r--r--cve/published/2024/CVE-2024-26771.mbox74
-rw-r--r--cve/published/2024/CVE-2024-26771.sha11
-rw-r--r--cve/published/2024/CVE-2024-26772 (renamed from cve/reserved/2024/CVE-2024-26772)0
-rw-r--r--cve/published/2024/CVE-2024-26772.json168
-rw-r--r--cve/published/2024/CVE-2024-26772.mbox78
-rw-r--r--cve/published/2024/CVE-2024-26772.sha11
-rw-r--r--cve/published/2024/CVE-2024-26773 (renamed from cve/reserved/2024/CVE-2024-26773)0
-rw-r--r--cve/published/2024/CVE-2024-26773.json168
-rw-r--r--cve/published/2024/CVE-2024-26773.mbox95
-rw-r--r--cve/published/2024/CVE-2024-26773.sha11
-rw-r--r--cve/published/2024/CVE-2024-26774 (renamed from cve/reserved/2024/CVE-2024-26774)0
-rw-r--r--cve/published/2024/CVE-2024-26774.json123
-rw-r--r--cve/published/2024/CVE-2024-26774.mbox71
-rw-r--r--cve/published/2024/CVE-2024-26774.sha11
-rw-r--r--cve/published/2024/CVE-2024-26775 (renamed from cve/reserved/2024/CVE-2024-26775)0
-rw-r--r--cve/published/2024/CVE-2024-26775.json108
-rw-r--r--cve/published/2024/CVE-2024-26775.mbox90
-rw-r--r--cve/published/2024/CVE-2024-26775.sha11
-rw-r--r--cve/published/2024/CVE-2024-26776 (renamed from cve/reserved/2024/CVE-2024-26776)0
-rw-r--r--cve/published/2024/CVE-2024-26776.json138
-rw-r--r--cve/published/2024/CVE-2024-26776.mbox81
-rw-r--r--cve/published/2024/CVE-2024-26776.sha11
-rw-r--r--cve/published/2024/CVE-2024-26777 (renamed from cve/reserved/2024/CVE-2024-26777)0
-rw-r--r--cve/published/2024/CVE-2024-26777.json168
-rw-r--r--cve/published/2024/CVE-2024-26777.mbox85
-rw-r--r--cve/published/2024/CVE-2024-26777.sha11
-rw-r--r--cve/published/2024/CVE-2024-26778 (renamed from cve/reserved/2024/CVE-2024-26778)0
-rw-r--r--cve/published/2024/CVE-2024-26778.json168
-rw-r--r--cve/published/2024/CVE-2024-26778.mbox86
-rw-r--r--cve/published/2024/CVE-2024-26778.sha11
-rw-r--r--cve/published/2024/CVE-2024-26779 (renamed from cve/reserved/2024/CVE-2024-26779)0
-rw-r--r--cve/published/2024/CVE-2024-26779.json168
-rw-r--r--cve/published/2024/CVE-2024-26779.mbox81
-rw-r--r--cve/published/2024/CVE-2024-26779.sha11
204 files changed, 11531 insertions, 0 deletions
diff --git a/cve/reserved/2023/CVE-2023-52640 b/cve/published/2023/CVE-2023-52640
index e69de29b..e69de29b 100644
--- a/cve/reserved/2023/CVE-2023-52640
+++ b/cve/published/2023/CVE-2023-52640
diff --git a/cve/published/2023/CVE-2023-52640.json b/cve/published/2023/CVE-2023-52640.json
new file mode 100644
index 00000000..ff899fdf
--- /dev/null
+++ b/cve/published/2023/CVE-2023-52640.json
@@ -0,0 +1,123 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Fix oob in ntfs_listxattr\n\nThe length of name cannot exceed the space occupied by ea."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "a585faf05915",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "6ed6cdbe8833",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "52fff5799e3d",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "0830c5cf19bd",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "731ab1f98288",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.15.150",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.80",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/a585faf0591548fe0920641950ebfa8a6eefe1cd"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/6ed6cdbe88334ca3430c5aee7754dc4597498dfb"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/52fff5799e3d1b5803ecd2f5f19c13c65f4f7b23"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/0830c5cf19bdec50d0ede4755ddc463663deb21c"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/731ab1f9828800df871c5a7ab9ffe965317d3f15"
+ }
+ ],
+ "title": "fs/ntfs3: Fix oob in ntfs_listxattr",
+ "x_generator": {
+ "engine": "bippy-d3b290d2becc"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2023-52640",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
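Review bot: Every git range in the first `affected` block starts at `"version": "1da177e4c3f4"`, which appears to be the root of the kernel history rather than the commit that introduced the bug, and the second block sets `"defaultStatus": "affected"` with no lower bound. A scanner consuming this record will therefore treat every kernel outside the listed fixed ranges as vulnerable, including releases older than 5.15. The accompanying mbox names fs/ntfs3/xattr.c as the affected file, and trees that do not carry that driver presumably cannot be affected. CVE-2024-26728.json in this same commit shows the bounded form, with an introducing commit and a `"version": "0", "lessThan": "6.7", "status": "unaffected"` entry; if the introducing commit can be identified here, it should replace `1da177e4c3f4` and a matching `unaffected` entry should be added. CVE-2023-52641.json has the same unbounded ranges.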
diff --git a/cve/published/2023/CVE-2023-52640.mbox b/cve/published/2023/CVE-2023-52640.mbox
new file mode 100644
index 00000000..82ac3892
--- /dev/null
+++ b/cve/published/2023/CVE-2023-52640.mbox
@@ -0,0 +1,70 @@
+From bippy-d3b290d2becc Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2023-52640: fs/ntfs3: Fix oob in ntfs_listxattr
+Message-Id: <2024040355-CVE-2023-52640-2657@gregkh>
+Content-Length: 1873
+Lines: 53
+X-Developer-Signature: v=1; a=openpgp-sha256; l=1927;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=1qC6iAU9Ykdd5hMfQ+sPMbCPoiz+MFsYjZfpea/Y6KE=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGm8k/y/+DsVcvKbx+x9N03aIO3Si7D3T29Pex7SavJq5
+ 5ypgvNcO2JZGASZGGTFFFm+bOM5ur/ikKKXoe1pmDmsTCBDGLg4BWAiDrcYFhwXm/ToKmP7jofM
+ 57pmXZ5ZWrlQvYxhnvZ/kdJ5V20dkh/rJyX1Bx1pvlw1DwA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+fs/ntfs3: Fix oob in ntfs_listxattr
+
+The length of name cannot exceed the space occupied by ea.
+
+The Linux kernel CVE team has assigned CVE-2023-52640 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 5.15.150 with commit a585faf05915
+ Fixed in 6.1.80 with commit 6ed6cdbe8833
+ Fixed in 6.6.19 with commit 52fff5799e3d
+ Fixed in 6.7.7 with commit 0830c5cf19bd
+ Fixed in 6.8 with commit 731ab1f98288
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2023-52640
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ fs/ntfs3/xattr.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/a585faf0591548fe0920641950ebfa8a6eefe1cd
+ https://git.kernel.org/stable/c/6ed6cdbe88334ca3430c5aee7754dc4597498dfb
+ https://git.kernel.org/stable/c/52fff5799e3d1b5803ecd2f5f19c13c65f4f7b23
+ https://git.kernel.org/stable/c/0830c5cf19bdec50d0ede4755ddc463663deb21c
+ https://git.kernel.org/stable/c/731ab1f9828800df871c5a7ab9ffe965317d3f15
diff --git a/cve/published/2023/CVE-2023-52640.sha1 b/cve/published/2023/CVE-2023-52640.sha1
new file mode 100644
index 00000000..e9c6114e
--- /dev/null
+++ b/cve/published/2023/CVE-2023-52640.sha1
@@ -0,0 +1 @@
+731ab1f9828800df871c5a7ab9ffe965317d3f15
diff --git a/cve/reserved/2023/CVE-2023-52641 b/cve/published/2023/CVE-2023-52641
index e69de29b..e69de29b 100644
--- a/cve/reserved/2023/CVE-2023-52641
+++ b/cve/published/2023/CVE-2023-52641
diff --git a/cve/published/2023/CVE-2023-52641.json b/cve/published/2023/CVE-2023-52641.json
new file mode 100644
index 00000000..e2fd2783
--- /dev/null
+++ b/cve/published/2023/CVE-2023-52641.json
@@ -0,0 +1,123 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Add NULL ptr dereference checking at the end of attr_allocate_frame()\n\nIt is preferable to exit through the out: label because\ninternal debugging functions are located there."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "ee8db6475cb1",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "50545eb6cd5f",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "947c3f3d31ea",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "847b68f58c21",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "aaab47f204aa",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.15.150",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.80",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/ee8db6475cb15c8122855f72ad4cfa5375af6a7b"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/50545eb6cd5f7ff852a01fa29b7372524ef948cc"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/947c3f3d31ea185ddc8e7f198873f17d36deb24c"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/847b68f58c212f0439c5a8101b3841f32caffccd"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/aaab47f204aaf47838241d57bf8662c8840de60a"
+ }
+ ],
+ "title": "fs/ntfs3: Add NULL ptr dereference checking at the end of attr_allocate_frame()",
+ "x_generator": {
+ "engine": "bippy-d3b290d2becc"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2023-52641",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2023/CVE-2023-52641.mbox b/cve/published/2023/CVE-2023-52641.mbox
new file mode 100644
index 00000000..42c80cc3
--- /dev/null
+++ b/cve/published/2023/CVE-2023-52641.mbox
@@ -0,0 +1,71 @@
+From bippy-d3b290d2becc Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2023-52641: fs/ntfs3: Add NULL ptr dereference checking at the end of attr_allocate_frame()
+Message-Id: <2024040357-CVE-2023-52641-1c18@gregkh>
+Content-Length: 1963
+Lines: 54
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2018;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=RH83nE8THziEUTL/5CzphgTzJU5Dti9Pe7nO6jhe1Bo=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGm8kwI3rk7n5QvVfturfmvZt4o1RgHJgvN3F88/sS2/a
+ Zt3lmxzRywLgyATg6yYIsuXbTxH91ccUvQytD0NM4eVCWQIAxenAEzEMYZhwbXO+6YFRa+8vvyP
+ fPvn7lKvL0pztBgW7Ja89+lx83Z1pt+5atzLf1rMf712GwA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+fs/ntfs3: Add NULL ptr dereference checking at the end of attr_allocate_frame()
+
+It is preferable to exit through the out: label because
+internal debugging functions are located there.
+
+The Linux kernel CVE team has assigned CVE-2023-52641 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 5.15.150 with commit ee8db6475cb1
+ Fixed in 6.1.80 with commit 50545eb6cd5f
+ Fixed in 6.6.19 with commit 947c3f3d31ea
+ Fixed in 6.7.7 with commit 847b68f58c21
+ Fixed in 6.8 with commit aaab47f204aa
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2023-52641
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ fs/ntfs3/attrib.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/ee8db6475cb15c8122855f72ad4cfa5375af6a7b
+ https://git.kernel.org/stable/c/50545eb6cd5f7ff852a01fa29b7372524ef948cc
+ https://git.kernel.org/stable/c/947c3f3d31ea185ddc8e7f198873f17d36deb24c
+ https://git.kernel.org/stable/c/847b68f58c212f0439c5a8101b3841f32caffccd
+ https://git.kernel.org/stable/c/aaab47f204aaf47838241d57bf8662c8840de60a
diff --git a/cve/published/2023/CVE-2023-52641.sha1 b/cve/published/2023/CVE-2023-52641.sha1
new file mode 100644
index 00000000..fb4d8300
--- /dev/null
+++ b/cve/published/2023/CVE-2023-52641.sha1
@@ -0,0 +1 @@
+aaab47f204aaf47838241d57bf8662c8840de60a
diff --git a/cve/reserved/2024/CVE-2024-26728 b/cve/published/2024/CVE-2024-26728
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26728
+++ b/cve/published/2024/CVE-2024-26728
diff --git a/cve/published/2024/CVE-2024-26728.json b/cve/published/2024/CVE-2024-26728.json
new file mode 100644
index 00000000..312f6650
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26728.json
@@ -0,0 +1,88 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: fix null-pointer dereference on edid reading\n\nUse i2c adapter when there isn't aux_mode in dc_link to fix a\nnull-pointer derefence that happens when running\nigt@kms_force_connector_basic in a system with DCN2.1 and HDMI connector\ndetected as below:\n\n[ +0.178146] BUG: kernel NULL pointer dereference, address: 00000000000004c0\n[ +0.000010] #PF: supervisor read access in kernel mode\n[ +0.000005] #PF: error_code(0x0000) - not-present page\n[ +0.000004] PGD 0 P4D 0\n[ +0.000006] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[ +0.000006] CPU: 15 PID: 2368 Comm: kms_force_conne Not tainted 6.5.0-asdn+ #152\n[ +0.000005] Hardware name: HP HP ENVY x360 Convertible 13-ay1xxx/8929, BIOS F.01 07/14/2021\n[ +0.000004] RIP: 0010:i2c_transfer+0xd/0x100\n[ +0.000011] Code: ea fc ff ff 66 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 41 54 55 53 <48> 8b 47 10 48 89 fb 48 83 38 00 0f 84 b3 00 00 00 83 3d 2f 80 16\n[ +0.000004] RSP: 0018:ffff9c4f89c0fad0 EFLAGS: 00010246\n[ +0.000005] RAX: 0000000000000000 RBX: 0000000000000005 RCX: 0000000000000080\n[ +0.000003] RDX: 0000000000000002 RSI: ffff9c4f89c0fb20 RDI: 00000000000004b0\n[ +0.000003] RBP: ffff9c4f89c0fb80 R08: 0000000000000080 R09: ffff8d8e0b15b980\n[ +0.000003] R10: 00000000000380e0 R11: 0000000000000000 R12: 0000000000000080\n[ +0.000002] R13: 0000000000000002 R14: ffff9c4f89c0fb0e R15: ffff9c4f89c0fb0f\n[ +0.000004] FS: 00007f9ad2176c40(0000) GS:ffff8d90fe9c0000(0000) knlGS:0000000000000000\n[ +0.000003] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ +0.000004] CR2: 00000000000004c0 CR3: 0000000121bc4000 CR4: 0000000000750ee0\n[ +0.000003] PKRU: 55555554\n[ +0.000003] Call Trace:\n[ +0.000006] <TASK>\n[ +0.000006] ? __die+0x23/0x70\n[ +0.000011] ? page_fault_oops+0x17d/0x4c0\n[ +0.000008] ? preempt_count_add+0x6e/0xa0\n[ +0.000008] ? 
srso_alias_return_thunk+0x5/0x7f\n[ +0.000011] ? exc_page_fault+0x7f/0x180\n[ +0.000009] ? asm_exc_page_fault+0x26/0x30\n[ +0.000013] ? i2c_transfer+0xd/0x100\n[ +0.000010] drm_do_probe_ddc_edid+0xc2/0x140 [drm]\n[ +0.000067] ? srso_alias_return_thunk+0x5/0x7f\n[ +0.000006] ? _drm_do_get_edid+0x97/0x3c0 [drm]\n[ +0.000043] ? __pfx_drm_do_probe_ddc_edid+0x10/0x10 [drm]\n[ +0.000042] edid_block_read+0x3b/0xd0 [drm]\n[ +0.000043] _drm_do_get_edid+0xb6/0x3c0 [drm]\n[ +0.000041] ? __pfx_drm_do_probe_ddc_edid+0x10/0x10 [drm]\n[ +0.000043] drm_edid_read_custom+0x37/0xd0 [drm]\n[ +0.000044] amdgpu_dm_connector_mode_valid+0x129/0x1d0 [amdgpu]\n[ +0.000153] drm_connector_mode_valid+0x3b/0x60 [drm_kms_helper]\n[ +0.000000] __drm_helper_update_and_validate+0xfe/0x3c0 [drm_kms_helper]\n[ +0.000000] ? amdgpu_dm_connector_get_modes+0xb6/0x520 [amdgpu]\n[ +0.000000] ? srso_alias_return_thunk+0x5/0x7f\n[ +0.000000] drm_helper_probe_single_connector_modes+0x2ab/0x540 [drm_kms_helper]\n[ +0.000000] status_store+0xb2/0x1f0 [drm]\n[ +0.000000] kernfs_fop_write_iter+0x136/0x1d0\n[ +0.000000] vfs_write+0x24d/0x440\n[ +0.000000] ksys_write+0x6f/0xf0\n[ +0.000000] do_syscall_64+0x60/0xc0\n[ +0.000000] ? srso_alias_return_thunk+0x5/0x7f\n[ +0.000000] ? syscall_exit_to_user_mode+0x2b/0x40\n[ +0.000000] ? srso_alias_return_thunk+0x5/0x7f\n[ +0.000000] ? do_syscall_64+0x6c/0xc0\n[ +0.000000] ? 
do_syscall_64+0x6c/0xc0\n[ +0.000000] entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n[ +0.000000] RIP: 0033:0x7f9ad46b4b00\n[ +0.000000] Code: 40 00 48 8b 15 19 b3 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 80 3d e1 3a 0e 00 00 74 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 48 83 ec 28 48 89\n[ +0.000000] RSP: 002b:00007ffcbd3bd6d8 EFLAGS: 00000202 ORIG_RAX: 0000000000000001\n[ +0.000000] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9ad46b4b00\n[ +0.000000] RDX: 0000000000000002 RSI: 00007f9ad48a7417 RDI: 0000000000000009\n[ +0.000000] RBP: 0000000000000002 R08\n---truncated---"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "0e859faf8670",
+ "lessThan": "2d392f7268a1",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "0e859faf8670",
+ "lessThan": "967176179215",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.7",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "6.7",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/2d392f7268a1a9bfbd98c831f0f4c964e59aa145"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/9671761792156f2339627918bafcd713a8a6f777"
+ }
+ ],
+ "title": "drm/amd/display: fix null-pointer dereference on edid reading",
+ "x_generator": {
+ "engine": "bippy-d3b290d2becc"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26728",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
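Review bot: The `descriptions[0].value` string carries the whole oops log from the fix commit, including the test machine's hardware name and a register dump, and it is cut mid-register at `R08\n---truncated---`, so the only text a reader can act on is the first paragraph. For a field that downstream tools display and index, the description would be better limited to the prose (`Use i2c adapter when there isn't aux_mode in dc_link to fix a null-pointer dereference ...`), leaving the trace to the referenced stable commits. The typo `derefence` is copied into the record as well. The record also does not say that the trace was triggered through a sysfs write (`status_store` under `kernfs_fop_write_iter`), which is the detail a triager needs to judge who can reach the NULL dereference.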
diff --git a/cve/published/2024/CVE-2024-26728.mbox b/cve/published/2024/CVE-2024-26728.mbox
new file mode 100644
index 00000000..f2d286c2
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26728.mbox
@@ -0,0 +1,135 @@
+From bippy-d3b290d2becc Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26728: drm/amd/display: fix null-pointer dereference on edid reading
+Message-Id: <2024040357-CVE-2024-26728-316a@gregkh>
+Content-Length: 7907
+Lines: 118
+X-Developer-Signature: v=1; a=openpgp-sha256; l=8026;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=nZnv+HIegfSItFgdXwHjjs/KcfQqM7YuQhuIYR73HtQ=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGm8kwJNP3Ftv2F598ddYd61nnvUjYOuzv+33DhISW7vz
+ U+sZ0/874hlYRBkYpAVU2T5so3n6P6KQ4pehranYeawMoEMYeDiFICJrPBimO//299bqG3nHPnn
+ JxYFrjybtT88pJhhftRvty/ssz7OjVBt83z7kJWjWE59EwA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+drm/amd/display: fix null-pointer dereference on edid reading
+
+Use i2c adapter when there isn't aux_mode in dc_link to fix a
+null-pointer derefence that happens when running
+igt@kms_force_connector_basic in a system with DCN2.1 and HDMI connector
+detected as below:
+
+[ +0.178146] BUG: kernel NULL pointer dereference, address: 00000000000004c0
+[ +0.000010] #PF: supervisor read access in kernel mode
+[ +0.000005] #PF: error_code(0x0000) - not-present page
+[ +0.000004] PGD 0 P4D 0
+[ +0.000006] Oops: 0000 [#1] PREEMPT SMP NOPTI
+[ +0.000006] CPU: 15 PID: 2368 Comm: kms_force_conne Not tainted 6.5.0-asdn+ #152
+[ +0.000005] Hardware name: HP HP ENVY x360 Convertible 13-ay1xxx/8929, BIOS F.01 07/14/2021
+[ +0.000004] RIP: 0010:i2c_transfer+0xd/0x100
+[ +0.000011] Code: ea fc ff ff 66 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 41 54 55 53 <48> 8b 47 10 48 89 fb 48 83 38 00 0f 84 b3 00 00 00 83 3d 2f 80 16
+[ +0.000004] RSP: 0018:ffff9c4f89c0fad0 EFLAGS: 00010246
+[ +0.000005] RAX: 0000000000000000 RBX: 0000000000000005 RCX: 0000000000000080
+[ +0.000003] RDX: 0000000000000002 RSI: ffff9c4f89c0fb20 RDI: 00000000000004b0
+[ +0.000003] RBP: ffff9c4f89c0fb80 R08: 0000000000000080 R09: ffff8d8e0b15b980
+[ +0.000003] R10: 00000000000380e0 R11: 0000000000000000 R12: 0000000000000080
+[ +0.000002] R13: 0000000000000002 R14: ffff9c4f89c0fb0e R15: ffff9c4f89c0fb0f
+[ +0.000004] FS: 00007f9ad2176c40(0000) GS:ffff8d90fe9c0000(0000) knlGS:0000000000000000
+[ +0.000003] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ +0.000004] CR2: 00000000000004c0 CR3: 0000000121bc4000 CR4: 0000000000750ee0
+[ +0.000003] PKRU: 55555554
+[ +0.000003] Call Trace:
+[ +0.000006] <TASK>
+[ +0.000006] ? __die+0x23/0x70
+[ +0.000011] ? page_fault_oops+0x17d/0x4c0
+[ +0.000008] ? preempt_count_add+0x6e/0xa0
+[ +0.000008] ? srso_alias_return_thunk+0x5/0x7f
+[ +0.000011] ? exc_page_fault+0x7f/0x180
+[ +0.000009] ? asm_exc_page_fault+0x26/0x30
+[ +0.000013] ? i2c_transfer+0xd/0x100
+[ +0.000010] drm_do_probe_ddc_edid+0xc2/0x140 [drm]
+[ +0.000067] ? srso_alias_return_thunk+0x5/0x7f
+[ +0.000006] ? _drm_do_get_edid+0x97/0x3c0 [drm]
+[ +0.000043] ? __pfx_drm_do_probe_ddc_edid+0x10/0x10 [drm]
+[ +0.000042] edid_block_read+0x3b/0xd0 [drm]
+[ +0.000043] _drm_do_get_edid+0xb6/0x3c0 [drm]
+[ +0.000041] ? __pfx_drm_do_probe_ddc_edid+0x10/0x10 [drm]
+[ +0.000043] drm_edid_read_custom+0x37/0xd0 [drm]
+[ +0.000044] amdgpu_dm_connector_mode_valid+0x129/0x1d0 [amdgpu]
+[ +0.000153] drm_connector_mode_valid+0x3b/0x60 [drm_kms_helper]
+[ +0.000000] __drm_helper_update_and_validate+0xfe/0x3c0 [drm_kms_helper]
+[ +0.000000] ? amdgpu_dm_connector_get_modes+0xb6/0x520 [amdgpu]
+[ +0.000000] ? srso_alias_return_thunk+0x5/0x7f
+[ +0.000000] drm_helper_probe_single_connector_modes+0x2ab/0x540 [drm_kms_helper]
+[ +0.000000] status_store+0xb2/0x1f0 [drm]
+[ +0.000000] kernfs_fop_write_iter+0x136/0x1d0
+[ +0.000000] vfs_write+0x24d/0x440
+[ +0.000000] ksys_write+0x6f/0xf0
+[ +0.000000] do_syscall_64+0x60/0xc0
+[ +0.000000] ? srso_alias_return_thunk+0x5/0x7f
+[ +0.000000] ? syscall_exit_to_user_mode+0x2b/0x40
+[ +0.000000] ? srso_alias_return_thunk+0x5/0x7f
+[ +0.000000] ? do_syscall_64+0x6c/0xc0
+[ +0.000000] ? do_syscall_64+0x6c/0xc0
+[ +0.000000] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+[ +0.000000] RIP: 0033:0x7f9ad46b4b00
+[ +0.000000] Code: 40 00 48 8b 15 19 b3 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 80 3d e1 3a 0e 00 00 74 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 48 83 ec 28 48 89
+[ +0.000000] RSP: 002b:00007ffcbd3bd6d8 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
+[ +0.000000] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9ad46b4b00
+[ +0.000000] RDX: 0000000000000002 RSI: 00007f9ad48a7417 RDI: 0000000000000009
+[ +0.000000] RBP: 0000000000000002 R08: 0000000000000064 R09: 0000000000000000
+[ +0.000000] R10: 0000000000000000 R11: 0000000000000202 R12: 00007f9ad48a7417
+[ +0.000000] R13: 0000000000000009 R14: 00007ffcbd3bd760 R15: 0000000000000001
+[ +0.000000] </TASK>
+[ +0.000000] Modules linked in: ctr ccm rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device cmac algif_hash algif_skcipher af_alg bnep btusb btrtl btbcm btintel btmtk bluetooth uvcvideo videobuf2_vmalloc sha3_generic videobuf2_memops uvc jitterentropy_rng videobuf2_v4l2 videodev drbg videobuf2_common ansi_cprng mc ecdh_generic ecc qrtr binfmt_misc hid_sensor_accel_3d hid_sensor_magn_3d hid_sensor_gyro_3d hid_sensor_trigger industrialio_triggered_buffer kfifo_buf industrialio snd_ctl_led joydev hid_sensor_iio_common rtw89_8852ae rtw89_8852a rtw89_pci snd_hda_codec_realtek rtw89_core snd_hda_codec_generic intel_rapl_msr ledtrig_audio intel_rapl_common snd_hda_codec_hdmi mac80211 snd_hda_intel snd_intel_dspcfg kvm_amd snd_hda_codec snd_soc_dmic snd_acp3x_rn snd_acp3x_pdm_dma libarc4 snd_hwdep snd_soc_core kvm snd_hda_core cfg80211 snd_pci_acp6x snd_pcm nls_ascii snd_timer hp_wmi snd_pci_acp5x nls_cp437 snd_rn_pci_acp3x ucsi_acpi sparse_keymap ccp snd platform_profile snd_acp_config typec_ucsi irqbypass vfat sp5100_tco
+[ +0.000000] snd_soc_acpi fat rapl pcspkr wmi_bmof roles rfkill rng_core snd_pci_acp3x soundcore k10temp watchdog typec battery ac amd_pmc acpi_tad button hid_sensor_hub hid_multitouch evdev serio_raw msr parport_pc ppdev lp parport fuse loop efi_pstore configfs ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 btrfs blake2b_generic dm_crypt dm_mod efivarfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx libcrc32c crc32c_generic xor raid6_pq raid1 raid0 multipath linear md_mod amdgpu amdxcp i2c_algo_bit drm_ttm_helper ttm crc32_pclmul crc32c_intel drm_exec gpu_sched drm_suballoc_helper nvme ghash_clmulni_intel drm_buddy drm_display_helper sha512_ssse3 nvme_core ahci xhci_pci sha512_generic hid_generic xhci_hcd libahci rtsx_pci_sdmmc t10_pi i2c_hid_acpi drm_kms_helper i2c_hid mmc_core libata aesni_intel crc64_rocksoft_generic crypto_simd amd_sfh crc64_rocksoft scsi_mod usbcore cryptd crc_t10dif cec drm crct10dif_generic hid rtsx_pci crct10dif_pclmul scsi_common rc_core crc64 i2c_piix4
+[ +0.000000] usb_common crct10dif_common video wmi
+[ +0.000000] CR2: 00000000000004c0
+[ +0.000000] ---[ end trace 0000000000000000 ]---
+
+The Linux kernel CVE team has assigned CVE-2024-26728 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 6.7 with commit 0e859faf8670 and fixed in 6.7.7 with commit 2d392f7268a1
+ Issue introduced in 6.7 with commit 0e859faf8670 and fixed in 6.8 with commit 967176179215
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26728
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/2d392f7268a1a9bfbd98c831f0f4c964e59aa145
+ https://git.kernel.org/stable/c/9671761792156f2339627918bafcd713a8a6f777
diff --git a/cve/published/2024/CVE-2024-26728.sha1 b/cve/published/2024/CVE-2024-26728.sha1
new file mode 100644
index 00000000..357b65a1
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26728.sha1
@@ -0,0 +1 @@
+9671761792156f2339627918bafcd713a8a6f777
diff --git a/cve/reserved/2024/CVE-2024-26729 b/cve/published/2024/CVE-2024-26729
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26729
+++ b/cve/published/2024/CVE-2024-26729
diff --git a/cve/published/2024/CVE-2024-26729.json b/cve/published/2024/CVE-2024-26729.json
new file mode 100644
index 00000000..e9c3f89d
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26729.json
@@ -0,0 +1,88 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix potential null pointer dereference in dc_dmub_srv\n\nFixes potential null pointer dereference warnings in the\ndc_dmub_srv_cmd_list_queue_execute() and dc_dmub_srv_is_hw_pwr_up()\nfunctions.\n\nIn both functions, the 'dc_dmub_srv' variable was being dereferenced\nbefore it was checked for null. This could lead to a null pointer\ndereference if 'dc_dmub_srv' is null. The fix is to check if\n'dc_dmub_srv' is null before dereferencing it.\n\nThus moving the null checks for 'dc_dmub_srv' to the beginning of the\nfunctions to ensure that 'dc_dmub_srv' is not null when it is\ndereferenced.\n\nFound by smatch & thus fixing the below:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dc_dmub_srv.c:133 dc_dmub_srv_cmd_list_queue_execute() warn: variable dereferenced before check 'dc_dmub_srv' (see line 128)\ndrivers/gpu/drm/amd/amdgpu/../display/dc/dc_dmub_srv.c:1167 dc_dmub_srv_is_hw_pwr_up() warn: variable dereferenced before check 'dc_dmub_srv' (see line 1164)"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "65138eb72e1f",
+ "lessThan": "351080ba3414",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "65138eb72e1f",
+ "lessThan": "d2b48f340d9e",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.7",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "6.7",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/351080ba3414c96afff0f1338b4aeb2983195b80"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/d2b48f340d9e4a8fbeb1cdc84cd8da6ad143a907"
+ }
+ ],
+ "title": "drm/amd/display: Fix potential null pointer dereference in dc_dmub_srv",
+ "x_generator": {
+ "engine": "bippy-d3b290d2becc"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26729",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
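Review bot: The introducing commit in both git `versions` entries of this record is `65138eb72e1f`, but the CVE-2024-26729.mbox announcement added by the same commit says "Issue introduced in 6.7 with commit 028bac583449" on both of its lines. The release range agrees (6.7 up to the 6.7.7 and 6.8 fixes), so version-based matching is unaffected. Anyone resolving exposure by commit ancestry through the `"versionType": "git"` entries will get a different starting point depending on which file they read. The page does not show which id is correct, so one of the two should be regenerated so that the JSON and the announcement name the same commit.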
diff --git a/cve/published/2024/CVE-2024-26729.mbox b/cve/published/2024/CVE-2024-26729.mbox
new file mode 100644
index 00000000..3ed386c2
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26729.mbox
@@ -0,0 +1,79 @@
+From bippy-d3b290d2becc Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26729: drm/amd/display: Fix potential null pointer dereference in dc_dmub_srv
+Message-Id: <2024040357-CVE-2024-26729-2f3e@gregkh>
+Content-Length: 2526
+Lines: 62
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2589;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=YmQX3Z3Y1MqRgW3oMV0g58G8a8BCQn59RPxf21aBbqE=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGm8kwItXqY51eZcDE8MuxXS9iK0adUlziMXJnx8Eb9av
+ uJYrlhLRywLgyATg6yYIsuXbTxH91ccUvQytD0NM4eVCWQIAxenAEzEdQLDgoPvTWsSD8wXE1vi
+ +XVqgIWe/V71pQxzZadxRugob5XVn/zfy3Vn+1QTHllWAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+drm/amd/display: Fix potential null pointer dereference in dc_dmub_srv
+
+Fixes potential null pointer dereference warnings in the
+dc_dmub_srv_cmd_list_queue_execute() and dc_dmub_srv_is_hw_pwr_up()
+functions.
+
+In both functions, the 'dc_dmub_srv' variable was being dereferenced
+before it was checked for null. This could lead to a null pointer
+dereference if 'dc_dmub_srv' is null. The fix is to check if
+'dc_dmub_srv' is null before dereferencing it.
+
+Thus moving the null checks for 'dc_dmub_srv' to the beginning of the
+functions to ensure that 'dc_dmub_srv' is not null when it is
+dereferenced.
+
+Found by smatch & thus fixing the below:
+drivers/gpu/drm/amd/amdgpu/../display/dc/dc_dmub_srv.c:133 dc_dmub_srv_cmd_list_queue_execute() warn: variable dereferenced before check 'dc_dmub_srv' (see line 128)
+drivers/gpu/drm/amd/amdgpu/../display/dc/dc_dmub_srv.c:1167 dc_dmub_srv_is_hw_pwr_up() warn: variable dereferenced before check 'dc_dmub_srv' (see line 1164)
+
+The Linux kernel CVE team has assigned CVE-2024-26729 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 6.7 with commit 028bac583449 and fixed in 6.7.7 with commit 351080ba3414
+ Issue introduced in 6.7 with commit 028bac583449 and fixed in 6.8 with commit d2b48f340d9e
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26729
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/gpu/drm/amd/display/dc/dc_dmub_srv.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/351080ba3414c96afff0f1338b4aeb2983195b80
+ https://git.kernel.org/stable/c/d2b48f340d9e4a8fbeb1cdc84cd8da6ad143a907
diff --git a/cve/published/2024/CVE-2024-26729.sha1 b/cve/published/2024/CVE-2024-26729.sha1
new file mode 100644
index 00000000..981a76a6
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26729.sha1
@@ -0,0 +1 @@
+d2b48f340d9e4a8fbeb1cdc84cd8da6ad143a907
diff --git a/cve/reserved/2024/CVE-2024-26730 b/cve/published/2024/CVE-2024-26730
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26730
+++ b/cve/published/2024/CVE-2024-26730
diff --git a/cve/published/2024/CVE-2024-26730.json b/cve/published/2024/CVE-2024-26730.json
new file mode 100644
index 00000000..31d5b136
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26730.json
@@ -0,0 +1,103 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (nct6775) Fix access to temperature configuration registers\n\nThe number of temperature configuration registers does\nnot always match the total number of temperature registers.\nThis can result in access errors reported if KASAN is enabled.\n\nBUG: KASAN: global-out-of-bounds in nct6775_probe+0x5654/0x6fe9 nct6775_core"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "b7f1f7b2523a",
+ "lessThan": "f006c45a3ea4",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "b7f1f7b2523a",
+ "lessThan": "c196387820c9",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "b7f1f7b2523a",
+ "lessThan": "d56e460e19ea",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.6",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "6.6",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/f006c45a3ea424f8f6c8e4b9283bc245ce2a4d0f"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/c196387820c9214c5ceaff56d77303c82514b8b1"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/d56e460e19ea8382f813eb489730248ec8d7eb73"
+ }
+ ],
+ "title": "hwmon: (nct6775) Fix access to temperature configuration registers",
+ "x_generator": {
+ "engine": "bippy-d3b290d2becc"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26730",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26730.mbox b/cve/published/2024/CVE-2024-26730.mbox
new file mode 100644
index 00000000..cfb375fc
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26730.mbox
@@ -0,0 +1,70 @@
+From bippy-d3b290d2becc Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26730: hwmon: (nct6775) Fix access to temperature configuration registers
+Message-Id: <2024040358-CVE-2024-26730-4c35@gregkh>
+Content-Length: 2038
+Lines: 53
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2092;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=D+07ztUJOt3oZ3wfes9IxKS+i1evUrVWCAKiTmlG3jM=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGm8k4L8lpYFny5sZrCYWuj8dJtD95oXNnsrwpRtpkd+v
+ 5Me0hrYEcvCIMjEICumyPJlG8/R/RWHFL0MbU/DzGFlAhnCwMUpABNpUGKY76pzceLjplrlCq2Z
+ 3D9Wqf0y62NQYpgrHT8vItDCXcr70jeLArMd227lvpYAAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+hwmon: (nct6775) Fix access to temperature configuration registers
+
+The number of temperature configuration registers does
+not always match the total number of temperature registers.
+This can result in access errors reported if KASAN is enabled.
+
+BUG: KASAN: global-out-of-bounds in nct6775_probe+0x5654/0x6fe9 nct6775_core
+
+The Linux kernel CVE team has assigned CVE-2024-26730 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 6.6 with commit b7f1f7b2523a and fixed in 6.6.19 with commit f006c45a3ea4
+ Issue introduced in 6.6 with commit b7f1f7b2523a and fixed in 6.7.7 with commit c196387820c9
+ Issue introduced in 6.6 with commit b7f1f7b2523a and fixed in 6.8 with commit d56e460e19ea
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26730
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/hwmon/nct6775-core.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/f006c45a3ea424f8f6c8e4b9283bc245ce2a4d0f
+ https://git.kernel.org/stable/c/c196387820c9214c5ceaff56d77303c82514b8b1
+ https://git.kernel.org/stable/c/d56e460e19ea8382f813eb489730248ec8d7eb73
diff --git a/cve/published/2024/CVE-2024-26730.sha1 b/cve/published/2024/CVE-2024-26730.sha1
new file mode 100644
index 00000000..77362c8d
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26730.sha1
@@ -0,0 +1 @@
+d56e460e19ea8382f813eb489730248ec8d7eb73
diff --git a/cve/reserved/2024/CVE-2024-26731 b/cve/published/2024/CVE-2024-26731
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26731
+++ b/cve/published/2024/CVE-2024-26731
diff --git a/cve/published/2024/CVE-2024-26731.json b/cve/published/2024/CVE-2024-26731.json
new file mode 100644
index 00000000..c2dcd76b
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26731.json
@@ -0,0 +1,108 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Fix NULL pointer dereference in sk_psock_verdict_data_ready()\n\nsyzbot reported the following NULL pointer dereference issue [1]:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n [...]\n RIP: 0010:0x0\n [...]\n Call Trace:\n <TASK>\n sk_psock_verdict_data_ready+0x232/0x340 net/core/skmsg.c:1230\n unix_stream_sendmsg+0x9b4/0x1230 net/unix/af_unix.c:2293\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x221/0x270 net/socket.c:745\n ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584\n ___sys_sendmsg net/socket.c:2638 [inline]\n __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667\n do_syscall_64+0xf9/0x240\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\n\nIf sk_psock_verdict_data_ready() and sk_psock_stop_verdict() are called\nconcurrently, psock->saved_data_ready can be NULL, causing the above issue.\n\nThis patch fixes this issue by calling the appropriate data ready function\nusing the sk_psock_data_ready() helper and protecting it from concurrency\nwith sk->sk_callback_lock."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "dd628fc697ee",
+ "lessThan": "4588b13abcbd",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "6df7f764cd3c",
+ "lessThan": "9b099ed46dca",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "6df7f764cd3c",
+ "lessThan": "d61608a4e394",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "6df7f764cd3c",
+ "lessThan": "4cd12c6065df",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.1.80",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/4588b13abcbd561ec67f5b3c1cb2eff690990a54"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/9b099ed46dcaf1403c531ff02c3d7400fa37fa26"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/d61608a4e394f23e0dca099df9eb8e555453d949"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/4cd12c6065dfcdeba10f49949bffcf383b3952d8"
+ }
+ ],
+ "title": "bpf, sockmap: Fix NULL pointer dereference in sk_psock_verdict_data_ready()",
+ "x_generator": {
+ "engine": "bippy-d3b290d2becc"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26731",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
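Review bot: The second `affected` entry sets `"defaultStatus": "affected"` but has no lower bound. The other records in this commit carry a `"version": "0", "lessThan": ...` unaffected entry and this one does not, so every release outside the 6.1.80, 6.6.19, 6.7.7 and 6.8 entries reads as affected. That includes kernels older than the 6.1.32, 6.3.6 and 6.4 introduction points listed in CVE-2024-26731.mbox, which scanners consuming the JSON would presumably flag. The mbox also lists "Issue introduced in 6.3.6 with commit d3cbd7c57144" with no fix, and that commit has no counterpart in the git `versions` list here. If that omission is not intentional, an entry such as `{ "version": "d3cbd7c57144", "status": "affected", "versionType": "git" }` would record it. The pre-introduction ranges likewise need explicit `unaffected` entries for the record to match the announcement.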
diff --git a/cve/published/2024/CVE-2024-26731.mbox b/cve/published/2024/CVE-2024-26731.mbox
new file mode 100644
index 00000000..225e8ae3
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26731.mbox
@@ -0,0 +1,92 @@
+From bippy-d3b290d2becc Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26731: bpf, sockmap: Fix NULL pointer dereference in sk_psock_verdict_data_ready()
+Message-Id: <2024040358-CVE-2024-26731-e084@gregkh>
+Content-Length: 2951
+Lines: 75
+X-Developer-Signature: v=1; a=openpgp-sha256; l=3027;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=nsMYORN9nRPdCegEiPLPzLC2vqOS6iGOoXlg48kWXp8=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGm8k4KqX5ikvpnCxmfX+/xYQtiFQ0UtEZOFvhzymqe89
+ dnp64oTO2JZGASZGGTFFFm+bOM5ur/ikKKXoe1pmDmsTCBDGLg4BWAiOUcZZjL+evUp3lsiSs6a
+ YdEMH7faeqFpxgwLNn5Y4t4gWHp4p8DVrdc7N0+elXL9CgA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+bpf, sockmap: Fix NULL pointer dereference in sk_psock_verdict_data_ready()
+
+syzbot reported the following NULL pointer dereference issue [1]:
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000000
+ [...]
+ RIP: 0010:0x0
+ [...]
+ Call Trace:
+ <TASK>
+ sk_psock_verdict_data_ready+0x232/0x340 net/core/skmsg.c:1230
+ unix_stream_sendmsg+0x9b4/0x1230 net/unix/af_unix.c:2293
+ sock_sendmsg_nosec net/socket.c:730 [inline]
+ __sock_sendmsg+0x221/0x270 net/socket.c:745
+ ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584
+ ___sys_sendmsg net/socket.c:2638 [inline]
+ __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667
+ do_syscall_64+0xf9/0x240
+ entry_SYSCALL_64_after_hwframe+0x6f/0x77
+
+If sk_psock_verdict_data_ready() and sk_psock_stop_verdict() are called
+concurrently, psock->saved_data_ready can be NULL, causing the above issue.
+
+This patch fixes this issue by calling the appropriate data ready function
+using the sk_psock_data_ready() helper and protecting it from concurrency
+with sk->sk_callback_lock.
+
+The Linux kernel CVE team has assigned CVE-2024-26731 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 6.1.32 with commit dd628fc697ee and fixed in 6.1.80 with commit 4588b13abcbd
+ Issue introduced in 6.4 with commit 6df7f764cd3c and fixed in 6.6.19 with commit 9b099ed46dca
+ Issue introduced in 6.4 with commit 6df7f764cd3c and fixed in 6.7.7 with commit d61608a4e394
+ Issue introduced in 6.4 with commit 6df7f764cd3c and fixed in 6.8 with commit 4cd12c6065df
+ Issue introduced in 6.3.6 with commit d3cbd7c57144
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26731
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ net/core/skmsg.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/4588b13abcbd561ec67f5b3c1cb2eff690990a54
+ https://git.kernel.org/stable/c/9b099ed46dcaf1403c531ff02c3d7400fa37fa26
+ https://git.kernel.org/stable/c/d61608a4e394f23e0dca099df9eb8e555453d949
+ https://git.kernel.org/stable/c/4cd12c6065dfcdeba10f49949bffcf383b3952d8
diff --git a/cve/published/2024/CVE-2024-26731.sha1 b/cve/published/2024/CVE-2024-26731.sha1
new file mode 100644
index 00000000..73e14c95
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26731.sha1
@@ -0,0 +1 @@
+4cd12c6065dfcdeba10f49949bffcf383b3952d8
diff --git a/cve/reserved/2024/CVE-2024-26732 b/cve/published/2024/CVE-2024-26732
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26732
+++ b/cve/published/2024/CVE-2024-26732
diff --git a/cve/published/2024/CVE-2024-26732.json b/cve/published/2024/CVE-2024-26732.json
new file mode 100644
index 00000000..58c472b6
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26732.json
@@ -0,0 +1,88 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: implement lockless setsockopt(SO_PEEK_OFF)\n\nsyzbot reported a lockdep violation [1] involving af_unix\nsupport of SO_PEEK_OFF.\n\nSince SO_PEEK_OFF is inherently not thread safe (it uses a per-socket\nsk_peek_off field), there is really no point to enforce a pointless\nthread safety in the kernel.\n\nAfter this patch :\n\n- setsockopt(SO_PEEK_OFF) no longer acquires the socket lock.\n\n- skb_consume_udp() no longer has to acquire the socket lock.\n\n- af_unix no longer needs a special version of sk_set_peek_off(),\n because it does not lock u->iolock anymore.\n\nAs a followup, we could replace prot->set_peek_off to be a boolean\nand avoid an indirect call, since we always use sk_set_peek_off().\n\n[1]\n\nWARNING: possible circular locking dependency detected\n6.8.0-rc4-syzkaller-00267-g0f1dd5e91e2b #0 Not tainted\n\nsyz-executor.2/30025 is trying to acquire lock:\n ffff8880765e7d80 (&u->iolock){+.+.}-{3:3}, at: unix_set_peek_off+0x26/0xa0 net/unix/af_unix.c:789\n\nbut task is already holding lock:\n ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1691 [inline]\n ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: sockopt_lock_sock net/core/sock.c:1060 [inline]\n ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: sk_setsockopt+0xe52/0x3360 net/core/sock.c:1193\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-> #1 (sk_lock-AF_UNIX){+.+.}-{0:0}:\n lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754\n lock_sock_nested+0x48/0x100 net/core/sock.c:3524\n lock_sock include/net/sock.h:1691 [inline]\n __unix_dgram_recvmsg+0x1275/0x12c0 net/unix/af_unix.c:2415\n sock_recvmsg_nosec+0x18e/0x1d0 net/socket.c:1046\n ____sys_recvmsg+0x3c0/0x470 net/socket.c:2801\n ___sys_recvmsg net/socket.c:2845 [inline]\n do_recvmmsg+0x474/0xae0 net/socket.c:2939\n __sys_recvmmsg net/socket.c:3018 [inline]\n 
__do_sys_recvmmsg net/socket.c:3041 [inline]\n __se_sys_recvmmsg net/socket.c:3034 [inline]\n __x64_sys_recvmmsg+0x199/0x250 net/socket.c:3034\n do_syscall_64+0xf9/0x240\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\n\n-> #0 (&u->iolock){+.+.}-{3:3}:\n check_prev_add kernel/locking/lockdep.c:3134 [inline]\n check_prevs_add kernel/locking/lockdep.c:3253 [inline]\n validate_chain+0x18ca/0x58e0 kernel/locking/lockdep.c:3869\n __lock_acquire+0x1345/0x1fd0 kernel/locking/lockdep.c:5137\n lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754\n __mutex_lock_common kernel/locking/mutex.c:608 [inline]\n __mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752\n unix_set_peek_off+0x26/0xa0 net/unix/af_unix.c:789\n sk_setsockopt+0x207e/0x3360\n do_sock_setsockopt+0x2fb/0x720 net/socket.c:2307\n __sys_setsockopt+0x1ad/0x250 net/socket.c:2334\n __do_sys_setsockopt net/socket.c:2343 [inline]\n __se_sys_setsockopt net/socket.c:2340 [inline]\n __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\n do_syscall_64+0xf9/0x240\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\n\nother info that might help us debug this:\n\n Possible unsafe locking scenario:\n\n CPU0 CPU1\n ---- ----\n lock(sk_lock-AF_UNIX);\n lock(&u->iolock);\n lock(sk_lock-AF_UNIX);\n lock(&u->iolock);\n\n *** DEADLOCK ***\n\n1 lock held by syz-executor.2/30025:\n #0: ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1691 [inline]\n #0: ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: sockopt_lock_sock net/core/sock.c:1060 [inline]\n #0: ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: sk_setsockopt+0xe52/0x3360 net/core/sock.c:1193\n\nstack backtrace:\nCPU: 0 PID: 30025 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-00267-g0f1dd5e91e2b #0\nHardware name: Google Google C\n---truncated---"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "859051dd165e",
+ "lessThan": "897f75e2cde8",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "859051dd165e",
+ "lessThan": "56667da7399e",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.7",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "6.7",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/897f75e2cde8a5f9f7529b55249af1fa4248c83b"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/56667da7399eb19af857e30f41bea89aa6fa812c"
+ }
+ ],
+ "title": "net: implement lockless setsockopt(SO_PEEK_OFF)",
+ "x_generator": {
+ "engine": "bippy-d3b290d2becc"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26732",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
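Review bot: The `descriptions[0].value` string in this record ends mid-line at `Hardware name: Google Google C\n---truncated---`, apparently because the whole syzbot lockdep report is embedded in it and the field hit a length limit. The cut falls inside the trace, so no prose is lost, but most of the field is kernel addresses and stack frames. A reader triaging from the JSON alone gets no statement of impact. The report's `*** DEADLOCK ***` scenario, where `sk_lock-AF_UNIX` and `&u->iolock` are taken in opposite orders, is the part that matters. Consider ending the description at the `[1]` marker with a sentence such as `The reported risk is a lock-order inversion between the socket lock and u->iolock in af_unix; the full lockdep report is in the announcement mail.`; the file names a generator in `x_generator`, so the change presumably belongs there.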
diff --git a/cve/published/2024/CVE-2024-26732.mbox b/cve/published/2024/CVE-2024-26732.mbox
new file mode 100644
index 00000000..64fadc1f
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26732.mbox
@@ -0,0 +1,185 @@
+From bippy-d3b290d2becc Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26732: net: implement lockless setsockopt(SO_PEEK_OFF)
+Message-Id: <2024040358-CVE-2024-26732-8cda@gregkh>
+Content-Length: 7146
+Lines: 168
+X-Developer-Signature: v=1; a=openpgp-sha256; l=7315;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=qSgY7o7iL8I5zjUGh87BJksCTaq0Aj1cyxpC+bwj6+w=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGm8k4J0P/gz/WJ5pPsgcEdaxuknkl3B4XXRV7Yw/D3bE
+ nmsW4y1I5aFQZCJQVZMkeXLNp6j+ysOKXoZ2p6GmcPKBDKEgYtTACainM2w4JKkdsJl06790s1N
+ xy3FRObUTncWZVhw2XbvpILL/AsjBBffOv5CXXwFd+I5AA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+net: implement lockless setsockopt(SO_PEEK_OFF)
+
+syzbot reported a lockdep violation [1] involving af_unix
+support of SO_PEEK_OFF.
+
+Since SO_PEEK_OFF is inherently not thread safe (it uses a per-socket
+sk_peek_off field), there is really no point to enforce a pointless
+thread safety in the kernel.
+
+After this patch :
+
+- setsockopt(SO_PEEK_OFF) no longer acquires the socket lock.
+
+- skb_consume_udp() no longer has to acquire the socket lock.
+
+- af_unix no longer needs a special version of sk_set_peek_off(),
+ because it does not lock u->iolock anymore.
+
+As a followup, we could replace prot->set_peek_off to be a boolean
+and avoid an indirect call, since we always use sk_set_peek_off().
+
+[1]
+
+WARNING: possible circular locking dependency detected
+6.8.0-rc4-syzkaller-00267-g0f1dd5e91e2b #0 Not tainted
+
+syz-executor.2/30025 is trying to acquire lock:
+ ffff8880765e7d80 (&u->iolock){+.+.}-{3:3}, at: unix_set_peek_off+0x26/0xa0 net/unix/af_unix.c:789
+
+but task is already holding lock:
+ ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1691 [inline]
+ ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: sockopt_lock_sock net/core/sock.c:1060 [inline]
+ ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: sk_setsockopt+0xe52/0x3360 net/core/sock.c:1193
+
+which lock already depends on the new lock.
+
+the existing dependency chain (in reverse order) is:
+
+-> #1 (sk_lock-AF_UNIX){+.+.}-{0:0}:
+ lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754
+ lock_sock_nested+0x48/0x100 net/core/sock.c:3524
+ lock_sock include/net/sock.h:1691 [inline]
+ __unix_dgram_recvmsg+0x1275/0x12c0 net/unix/af_unix.c:2415
+ sock_recvmsg_nosec+0x18e/0x1d0 net/socket.c:1046
+ ____sys_recvmsg+0x3c0/0x470 net/socket.c:2801
+ ___sys_recvmsg net/socket.c:2845 [inline]
+ do_recvmmsg+0x474/0xae0 net/socket.c:2939
+ __sys_recvmmsg net/socket.c:3018 [inline]
+ __do_sys_recvmmsg net/socket.c:3041 [inline]
+ __se_sys_recvmmsg net/socket.c:3034 [inline]
+ __x64_sys_recvmmsg+0x199/0x250 net/socket.c:3034
+ do_syscall_64+0xf9/0x240
+ entry_SYSCALL_64_after_hwframe+0x6f/0x77
+
+-> #0 (&u->iolock){+.+.}-{3:3}:
+ check_prev_add kernel/locking/lockdep.c:3134 [inline]
+ check_prevs_add kernel/locking/lockdep.c:3253 [inline]
+ validate_chain+0x18ca/0x58e0 kernel/locking/lockdep.c:3869
+ __lock_acquire+0x1345/0x1fd0 kernel/locking/lockdep.c:5137
+ lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754
+ __mutex_lock_common kernel/locking/mutex.c:608 [inline]
+ __mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752
+ unix_set_peek_off+0x26/0xa0 net/unix/af_unix.c:789
+ sk_setsockopt+0x207e/0x3360
+ do_sock_setsockopt+0x2fb/0x720 net/socket.c:2307
+ __sys_setsockopt+0x1ad/0x250 net/socket.c:2334
+ __do_sys_setsockopt net/socket.c:2343 [inline]
+ __se_sys_setsockopt net/socket.c:2340 [inline]
+ __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340
+ do_syscall_64+0xf9/0x240
+ entry_SYSCALL_64_after_hwframe+0x6f/0x77
+
+other info that might help us debug this:
+
+ Possible unsafe locking scenario:
+
+ CPU0 CPU1
+ ---- ----
+ lock(sk_lock-AF_UNIX);
+ lock(&u->iolock);
+ lock(sk_lock-AF_UNIX);
+ lock(&u->iolock);
+
+ *** DEADLOCK ***
+
+1 lock held by syz-executor.2/30025:
+ #0: ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1691 [inline]
+ #0: ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: sockopt_lock_sock net/core/sock.c:1060 [inline]
+ #0: ffff8880765e7930 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: sk_setsockopt+0xe52/0x3360 net/core/sock.c:1193
+
+stack backtrace:
+CPU: 0 PID: 30025 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-00267-g0f1dd5e91e2b #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106
+ check_noncircular+0x36a/0x4a0 kernel/locking/lockdep.c:2187
+ check_prev_add kernel/locking/lockdep.c:3134 [inline]
+ check_prevs_add kernel/locking/lockdep.c:3253 [inline]
+ validate_chain+0x18ca/0x58e0 kernel/locking/lockdep.c:3869
+ __lock_acquire+0x1345/0x1fd0 kernel/locking/lockdep.c:5137
+ lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754
+ __mutex_lock_common kernel/locking/mutex.c:608 [inline]
+ __mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752
+ unix_set_peek_off+0x26/0xa0 net/unix/af_unix.c:789
+ sk_setsockopt+0x207e/0x3360
+ do_sock_setsockopt+0x2fb/0x720 net/socket.c:2307
+ __sys_setsockopt+0x1ad/0x250 net/socket.c:2334
+ __do_sys_setsockopt net/socket.c:2343 [inline]
+ __se_sys_setsockopt net/socket.c:2340 [inline]
+ __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340
+ do_syscall_64+0xf9/0x240
+ entry_SYSCALL_64_after_hwframe+0x6f/0x77
+RIP: 0033:0x7f78a1c7dda9
+Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f78a0fde0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
+RAX: ffffffffffffffda RBX: 00007f78a1dac050 RCX: 00007f78a1c7dda9
+RDX: 000000000000002a RSI: 0000000000000001 RDI: 0000000000000006
+RBP: 00007f78a1cca47a R08: 0000000000000004 R09: 0000000000000000
+R10: 0000000020000180 R11: 0000000000000246 R12: 0000000000000000
+R13: 000000000000006e R14: 00007f78a1dac050 R15: 00007ffe5cd81ae8
+
+The Linux kernel CVE team has assigned CVE-2024-26732 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 6.7 with commit 859051dd165e and fixed in 6.7.7 with commit 897f75e2cde8
+ Issue introduced in 6.7 with commit 859051dd165e and fixed in 6.8 with commit 56667da7399e
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26732
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ net/core/sock.c
+ net/ipv4/udp.c
+ net/unix/af_unix.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/897f75e2cde8a5f9f7529b55249af1fa4248c83b
+ https://git.kernel.org/stable/c/56667da7399eb19af857e30f41bea89aa6fa812c
diff --git a/cve/published/2024/CVE-2024-26732.sha1 b/cve/published/2024/CVE-2024-26732.sha1
new file mode 100644
index 00000000..8c2734d6
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26732.sha1
@@ -0,0 +1 @@
+56667da7399eb19af857e30f41bea89aa6fa812c
diff --git a/cve/reserved/2024/CVE-2024-26733 b/cve/published/2024/CVE-2024-26733
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26733
+++ b/cve/published/2024/CVE-2024-26733
diff --git a/cve/published/2024/CVE-2024-26733.json b/cve/published/2024/CVE-2024-26733.json
new file mode 100644
index 00000000..58a9165d
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26733.json
@@ -0,0 +1,148 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\narp: Prevent overflow in arp_req_get().\n\nsyzkaller reported an overflown write in arp_req_get(). [0]\n\nWhen ioctl(SIOCGARP) is issued, arp_req_get() looks up an neighbour\nentry and copies neigh->ha to struct arpreq.arp_ha.sa_data.\n\nThe arp_ha here is struct sockaddr, not struct sockaddr_storage, so\nthe sa_data buffer is just 14 bytes.\n\nIn the splat below, 2 bytes are overflown to the next int field,\narp_flags. We initialise the field just after the memcpy(), so it's\nnot a problem.\n\nHowever, when dev->addr_len is greater than 22 (e.g. MAX_ADDR_LEN),\narp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL)\nin arp_ioctl() before calling arp_req_get().\n\nTo avoid the overflow, let's limit the max length of memcpy().\n\nNote that commit b5f0de6df6dc (\"net: dev: Convert sa_data to flexible\narray in struct sockaddr\") just silenced syzkaller.\n\n[0]:\nmemcpy: detected field-spanning write (size 16) of single field \"r->arp_ha.sa_data\" at net/ipv4/arp.c:1128 (size 14)\nWARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128\nModules linked in:\nCPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014\nRIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128\nCode: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb <0f> 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6\nRSP: 0018:ffffc900050b7998 EFLAGS: 00010286\nRAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001\nRBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000\nR13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 
0000000000000010\nFS: 00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f172b3569f0 CR3: 0000000057f12005 CR4: 0000000000770ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n <TASK>\n arp_ioctl+0x33f/0x4b0 net/ipv4/arp.c:1261\n inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981\n sock_do_ioctl+0xdf/0x260 net/socket.c:1204\n sock_ioctl+0x3ef/0x650 net/socket.c:1321\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:870 [inline]\n __se_sys_ioctl fs/ioctl.c:856 [inline]\n __x64_sys_ioctl+0x18e/0x220 fs/ioctl.c:856\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81\n entry_SYSCALL_64_after_hwframe+0x64/0xce\nRIP: 0033:0x7f172b262b8d\nCode: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f172bf300b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007f172b3abf80 RCX: 00007f172b262b8d\nRDX: 0000000020000000 RSI: 0000000000008954 RDI: 0000000000000003\nRBP: 00007f172b2d3493 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000000b R14: 00007f172b3abf80 R15: 00007f172bf10000\n </TASK>"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "dbc9b22d0ed3",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "97eaa2955db4",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "f119f2325ba7",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "a3f2c083cb57",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "3ab0d6f8289b",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "a7d6027790ac",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "2.6.12",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "2.6.12",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.211",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.150",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.80",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/dbc9b22d0ed319b4e29034ce0a3fe32a3ee2c587"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/97eaa2955db4120ce6ec2ef123e860bc32232c50"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/f119f2325ba70cbfdec701000dcad4d88805d5b0"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/a3f2c083cb575d80a7627baf3339e78fedccbb91"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/3ab0d6f8289ba8402ca95a9fc61a34909d5e1f3a"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/a7d6027790acea24446ddd6632d394096c0f4667"
+ }
+ ],
+ "title": "arp: Prevent overflow in arp_req_get().",
+ "x_generator": {
+ "engine": "bippy-d3b290d2becc"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26733",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
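Review bot: The second `affected` entry sets `"defaultStatus": "affected"` and lists fixed releases only for 5.10.211, 5.15.150, 6.1.80, 6.6.19, 6.7.7 and 6.8, so every series from 2.6.12 up to 5.10 reads as affected with no fix available. The introducing commit `1da177e4c3f4` is, as far as I know, the initial git import, which would make 2.6.12 the start of recorded history rather than a known regression point. Tools that match on these `lessThanOrEqual` ranges will flag older kernels indefinitely, which may be correct but should be stated deliberately. Consider adding a line to the description such as `No fix is listed for series older than 5.10; the origin of the bug predates git history.`, to be dropped once backports for those series appear in `versions`.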
diff --git a/cve/published/2024/CVE-2024-26733.mbox b/cve/published/2024/CVE-2024-26733.mbox
new file mode 100644
index 00000000..25951385
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26733.mbox
@@ -0,0 +1,134 @@
+From bippy-d3b290d2becc Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26733: arp: Prevent overflow in arp_req_get().
+Message-Id: <2024040358-CVE-2024-26733-617f@gregkh>
+Content-Length: 5583
+Lines: 117
+X-Developer-Signature: v=1; a=openpgp-sha256; l=5701;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=XDaO/+QnXElwvdrSwwNGCtzQVO9W8wFJMhxooX9iegg=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGm8k4IOzLnyce/Dhf/+BvznOXDpzvPmFXtnndq2wlrpE
+ D//2X3R2h2xLAyCTAyyYoosX7bxHN1fcUjRy9D2NMwcViaQIQxcnAIwkb+LGBac89+8mWnRmaye
+ fTWhPiInHzKwC5kxzM9sS/8bbq8ltVueoffoWTedSVdNEgE=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+arp: Prevent overflow in arp_req_get().
+
+syzkaller reported an overflown write in arp_req_get(). [0]
+
+When ioctl(SIOCGARP) is issued, arp_req_get() looks up an neighbour
+entry and copies neigh->ha to struct arpreq.arp_ha.sa_data.
+
+The arp_ha here is struct sockaddr, not struct sockaddr_storage, so
+the sa_data buffer is just 14 bytes.
+
+In the splat below, 2 bytes are overflown to the next int field,
+arp_flags. We initialise the field just after the memcpy(), so it's
+not a problem.
+
+However, when dev->addr_len is greater than 22 (e.g. MAX_ADDR_LEN),
+arp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL)
+in arp_ioctl() before calling arp_req_get().
+
+To avoid the overflow, let's limit the max length of memcpy().
+
+Note that commit b5f0de6df6dc ("net: dev: Convert sa_data to flexible
+array in struct sockaddr") just silenced syzkaller.
+
+[0]:
+memcpy: detected field-spanning write (size 16) of single field "r->arp_ha.sa_data" at net/ipv4/arp.c:1128 (size 14)
+WARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128
+Modules linked in:
+CPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014
+RIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128
+Code: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb <0f> 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6
+RSP: 0018:ffffc900050b7998 EFLAGS: 00010286
+RAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000
+RDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001
+RBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000
+R10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000
+R13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 0000000000000010
+FS: 00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f172b3569f0 CR3: 0000000057f12005 CR4: 0000000000770ef0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+PKRU: 55555554
+Call Trace:
+ <TASK>
+ arp_ioctl+0x33f/0x4b0 net/ipv4/arp.c:1261
+ inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981
+ sock_do_ioctl+0xdf/0x260 net/socket.c:1204
+ sock_ioctl+0x3ef/0x650 net/socket.c:1321
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:870 [inline]
+ __se_sys_ioctl fs/ioctl.c:856 [inline]
+ __x64_sys_ioctl+0x18e/0x220 fs/ioctl.c:856
+ do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+ do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81
+ entry_SYSCALL_64_after_hwframe+0x64/0xce
+RIP: 0033:0x7f172b262b8d
+Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f172bf300b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+RAX: ffffffffffffffda RBX: 00007f172b3abf80 RCX: 00007f172b262b8d
+RDX: 0000000020000000 RSI: 0000000000008954 RDI: 0000000000000003
+RBP: 00007f172b2d3493 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 000000000000000b R14: 00007f172b3abf80 R15: 00007f172bf10000
+ </TASK>
+
+The Linux kernel CVE team has assigned CVE-2024-26733 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 2.6.12 with commit 1da177e4c3f4 and fixed in 5.10.211 with commit dbc9b22d0ed3
+ Issue introduced in 2.6.12 with commit 1da177e4c3f4 and fixed in 5.15.150 with commit 97eaa2955db4
+ Issue introduced in 2.6.12 with commit 1da177e4c3f4 and fixed in 6.1.80 with commit f119f2325ba7
+ Issue introduced in 2.6.12 with commit 1da177e4c3f4 and fixed in 6.6.19 with commit a3f2c083cb57
+ Issue introduced in 2.6.12 with commit 1da177e4c3f4 and fixed in 6.7.7 with commit 3ab0d6f8289b
+ Issue introduced in 2.6.12 with commit 1da177e4c3f4 and fixed in 6.8 with commit a7d6027790ac
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26733
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ net/ipv4/arp.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/dbc9b22d0ed319b4e29034ce0a3fe32a3ee2c587
+ https://git.kernel.org/stable/c/97eaa2955db4120ce6ec2ef123e860bc32232c50
+ https://git.kernel.org/stable/c/f119f2325ba70cbfdec701000dcad4d88805d5b0
+ https://git.kernel.org/stable/c/a3f2c083cb575d80a7627baf3339e78fedccbb91
+ https://git.kernel.org/stable/c/3ab0d6f8289ba8402ca95a9fc61a34909d5e1f3a
+ https://git.kernel.org/stable/c/a7d6027790acea24446ddd6632d394096c0f4667
diff --git a/cve/published/2024/CVE-2024-26733.sha1 b/cve/published/2024/CVE-2024-26733.sha1
new file mode 100644
index 00000000..9211c1b8
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26733.sha1
@@ -0,0 +1 @@
+a7d6027790acea24446ddd6632d394096c0f4667
diff --git a/cve/reserved/2024/CVE-2024-26734 b/cve/published/2024/CVE-2024-26734
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26734
+++ b/cve/published/2024/CVE-2024-26734
diff --git a/cve/published/2024/CVE-2024-26734.json b/cve/published/2024/CVE-2024-26734.json
new file mode 100644
index 00000000..296b2c81
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26734.json
@@ -0,0 +1,103 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndevlink: fix possible use-after-free and memory leaks in devlink_init()\n\nThe pernet operations structure for the subsystem must be registered\nbefore registering the generic netlink family.\n\nMake an unregister in case of unsuccessful registration."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "687125b5799c",
+ "lessThan": "919092bd5482",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "687125b5799c",
+ "lessThan": "e91d3561e28d",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "687125b5799c",
+ "lessThan": "def689fc26b9",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.3",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "6.3",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/919092bd5482b7070ae66d1daef73b600738f3a2"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/e91d3561e28d7665f4f837880501dc8755f635a9"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/def689fc26b9a9622d2e2cb0c4933dd3b1c8071c"
+ }
+ ],
+ "title": "devlink: fix possible use-after-free and memory leaks in devlink_init()",
+ "x_generator": {
+ "engine": "bippy-d3b290d2becc"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26734",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26734.mbox b/cve/published/2024/CVE-2024-26734.mbox
new file mode 100644
index 00000000..a6484761
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26734.mbox
@@ -0,0 +1,69 @@
+From bippy-d3b290d2becc Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26734: devlink: fix possible use-after-free and memory leaks in devlink_init()
+Message-Id: <2024040359-CVE-2024-26734-277b@gregkh>
+Content-Length: 1951
+Lines: 52
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2004;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=leKWH18xzS6X0xtMI1602czpiAhNtBVF9uzrBgsHedY=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGm8k4Ir04u+au5hunS416J2e23/mx2OM53D5KPK5Fm5p
+ z56pvilI5aFQZCJQVZMkeXLNp6j+ysOKXoZ2p6GmcPKBDKEgYtTACay8wbD/OSnU0+tSU7fIrLy
+ kvcRlqfz/87nK2CYK73Ket5/Lh2995IF3XFtyWp8y93OAwA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+devlink: fix possible use-after-free and memory leaks in devlink_init()
+
+The pernet operations structure for the subsystem must be registered
+before registering the generic netlink family.
+
+Make an unregister in case of unsuccessful registration.
+
+The Linux kernel CVE team has assigned CVE-2024-26734 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 6.3 with commit 687125b5799c and fixed in 6.6.19 with commit 919092bd5482
+ Issue introduced in 6.3 with commit 687125b5799c and fixed in 6.7.7 with commit e91d3561e28d
+ Issue introduced in 6.3 with commit 687125b5799c and fixed in 6.8 with commit def689fc26b9
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26734
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ net/devlink/core.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/919092bd5482b7070ae66d1daef73b600738f3a2
+ https://git.kernel.org/stable/c/e91d3561e28d7665f4f837880501dc8755f635a9
+ https://git.kernel.org/stable/c/def689fc26b9a9622d2e2cb0c4933dd3b1c8071c
diff --git a/cve/published/2024/CVE-2024-26734.sha1 b/cve/published/2024/CVE-2024-26734.sha1
new file mode 100644
index 00000000..450d69e2
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26734.sha1
@@ -0,0 +1 @@
+def689fc26b9a9622d2e2cb0c4933dd3b1c8071c
diff --git a/cve/reserved/2024/CVE-2024-26735 b/cve/published/2024/CVE-2024-26735
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26735
+++ b/cve/published/2024/CVE-2024-26735
diff --git a/cve/published/2024/CVE-2024-26735.json b/cve/published/2024/CVE-2024-26735.json
new file mode 100644
index 00000000..bf78558f
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26735.json
@@ -0,0 +1,178 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: sr: fix possible use-after-free and null-ptr-deref\n\nThe pernet operations structure for the subsystem must be registered\nbefore registering the generic netlink family."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "915d7e5e5930",
+ "lessThan": "953f42934533",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "915d7e5e5930",
+ "lessThan": "82831e3ff76e",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "915d7e5e5930",
+ "lessThan": "65c38f23d10f",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "915d7e5e5930",
+ "lessThan": "91b020aaa1e5",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "915d7e5e5930",
+ "lessThan": "8391b9b651cf",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "915d7e5e5930",
+ "lessThan": "9e02973dbc6a",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "915d7e5e5930",
+ "lessThan": "02b08db594e8",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "915d7e5e5930",
+ "lessThan": "5559cea2d5aa",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "4.10",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "4.10",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.19.308",
+ "lessThanOrEqual": "4.19.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.270",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.211",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.150",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.80",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/953f42934533c151f440cd32390044d2396b87aa"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/82831e3ff76ef09fb184eb93b79a3eb3fb284f1d"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/65c38f23d10ff79feea1e5d50b76dc7af383c1e6"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/91b020aaa1e59bfb669d34c968e3db3d5416bcee"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/8391b9b651cfdf80ab0f1dc4a489f9d67386e197"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/9e02973dbc6a91e40aa4f5d87b8c47446fbfce44"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/02b08db594e8218cfbc0e4680d4331b457968a9b"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/5559cea2d5aa3018a5f00dd2aca3427ba09b386b"
+ }
+ ],
+ "title": "ipv6: sr: fix possible use-after-free and null-ptr-deref",
+ "x_generator": {
+ "engine": "bippy-d3b290d2becc"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26735",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26735.mbox b/cve/published/2024/CVE-2024-26735.mbox
new file mode 100644
index 00000000..8b75dba8
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26735.mbox
@@ -0,0 +1,77 @@
+From bippy-d3b290d2becc Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26735: ipv6: sr: fix possible use-after-free and null-ptr-deref
+Message-Id: <2024040359-CVE-2024-26735-462f@gregkh>
+Content-Length: 2735
+Lines: 60
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2796;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=Q4wBh3oezCkuP/V9cmFAs99CXaVga9rxg5Z7yNub2Vg=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGm8k4IbsgJWLJ0w3T/b+u2LyV5pG1TvXzv/c9KW9549T
+ bGZKlpnOmJZGASZGGTFFFm+bOM5ur/ikKKXoe1pmDmsTCBDGLg4BWAiP3IZ5jsKnPdL3b9eYNoH
+ PZvf0x82hp0x5mGYw8XUUL/xXZCEM1d2Z/KO1WpNX361AAA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+ipv6: sr: fix possible use-after-free and null-ptr-deref
+
+The pernet operations structure for the subsystem must be registered
+before registering the generic netlink family.
+
+The Linux kernel CVE team has assigned CVE-2024-26735 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 4.10 with commit 915d7e5e5930 and fixed in 4.19.308 with commit 953f42934533
+ Issue introduced in 4.10 with commit 915d7e5e5930 and fixed in 5.4.270 with commit 82831e3ff76e
+ Issue introduced in 4.10 with commit 915d7e5e5930 and fixed in 5.10.211 with commit 65c38f23d10f
+ Issue introduced in 4.10 with commit 915d7e5e5930 and fixed in 5.15.150 with commit 91b020aaa1e5
+ Issue introduced in 4.10 with commit 915d7e5e5930 and fixed in 6.1.80 with commit 8391b9b651cf
+ Issue introduced in 4.10 with commit 915d7e5e5930 and fixed in 6.6.19 with commit 9e02973dbc6a
+ Issue introduced in 4.10 with commit 915d7e5e5930 and fixed in 6.7.7 with commit 02b08db594e8
+ Issue introduced in 4.10 with commit 915d7e5e5930 and fixed in 6.8 with commit 5559cea2d5aa
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26735
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ net/ipv6/seg6.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/953f42934533c151f440cd32390044d2396b87aa
+ https://git.kernel.org/stable/c/82831e3ff76ef09fb184eb93b79a3eb3fb284f1d
+ https://git.kernel.org/stable/c/65c38f23d10ff79feea1e5d50b76dc7af383c1e6
+ https://git.kernel.org/stable/c/91b020aaa1e59bfb669d34c968e3db3d5416bcee
+ https://git.kernel.org/stable/c/8391b9b651cfdf80ab0f1dc4a489f9d67386e197
+ https://git.kernel.org/stable/c/9e02973dbc6a91e40aa4f5d87b8c47446fbfce44
+ https://git.kernel.org/stable/c/02b08db594e8218cfbc0e4680d4331b457968a9b
+ https://git.kernel.org/stable/c/5559cea2d5aa3018a5f00dd2aca3427ba09b386b
diff --git a/cve/published/2024/CVE-2024-26735.sha1 b/cve/published/2024/CVE-2024-26735.sha1
new file mode 100644
index 00000000..b17e7861
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26735.sha1
@@ -0,0 +1 @@
+5559cea2d5aa3018a5f00dd2aca3427ba09b386b
diff --git a/cve/reserved/2024/CVE-2024-26736 b/cve/published/2024/CVE-2024-26736
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26736
+++ b/cve/published/2024/CVE-2024-26736
diff --git a/cve/published/2024/CVE-2024-26736.json b/cve/published/2024/CVE-2024-26736.json
new file mode 100644
index 00000000..74b4d453
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26736.json
@@ -0,0 +1,163 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nafs: Increase buffer size in afs_update_volume_status()\n\nThe max length of volume->vid value is 20 characters.\nSo increase idbuf[] size up to 24 to avoid overflow.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\n\n[DH: Actually, it's 20 + NUL, so increase it to 24 and use snprintf()]"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "d2ddc776a458",
+ "lessThan": "5c27d85a69fa",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "d2ddc776a458",
+ "lessThan": "d9b5e2b7a819",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "d2ddc776a458",
+ "lessThan": "e56662160fc2",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "d2ddc776a458",
+ "lessThan": "e8530b170e46",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "d2ddc776a458",
+ "lessThan": "6e6065dd25b6",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "d2ddc776a458",
+ "lessThan": "d34a5e57632b",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "d2ddc776a458",
+ "lessThan": "6ea38e2aeb72",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "4.15",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "4.15",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.270",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.211",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.150",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.80",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/5c27d85a69fa16a08813ba37ddfb4bbc9a1ed6b5"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/d9b5e2b7a8196850383c70d099bfd39e81ab6637"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/e56662160fc24d28cb75ac095cc6415ae1bda43e"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/e8530b170e464017203e3b8c6c49af6e916aece1"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/6e6065dd25b661420fac19c34282b6c626fcd35e"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/d34a5e57632bb5ff825196ddd9a48ca403626dfa"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/6ea38e2aeb72349cad50e38899b0ba6fbcb2af3d"
+ }
+ ],
+ "title": "afs: Increase buffer size in afs_update_volume_status()",
+ "x_generator": {
+ "engine": "bippy-d3b290d2becc"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26736",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26736.mbox b/cve/published/2024/CVE-2024-26736.mbox
new file mode 100644
index 00000000..1fd0b29b
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26736.mbox
@@ -0,0 +1,79 @@
+From bippy-d3b290d2becc Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26736: afs: Increase buffer size in afs_update_volume_status()
+Message-Id: <2024040359-CVE-2024-26736-284d@gregkh>
+Content-Length: 2692
+Lines: 62
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2755;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=YhAFXGxbBzDnQIU+Wu17jqGDiXUVPkcEv0iGm30aVmY=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGm8k4Kz/mlksD0O8XROX3xzQ+2MhzqH58mIff45I/2G2
+ Z+fggcLOmJZGASZGGTFFFm+bOM5ur/ikKKXoe1pmDmsTCBDGLg4BWAiDJcY5gpxfNrroHpaYXlL
+ jfep0EmF72oj+RkWrJ5cdDFY3m32Zmml+TcaOmskvm7UAAA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+afs: Increase buffer size in afs_update_volume_status()
+
+The max length of volume->vid value is 20 characters.
+So increase idbuf[] size up to 24 to avoid overflow.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+[DH: Actually, it's 20 + NUL, so increase it to 24 and use snprintf()]
+
+The Linux kernel CVE team has assigned CVE-2024-26736 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 4.15 with commit d2ddc776a458 and fixed in 5.4.270 with commit 5c27d85a69fa
+ Issue introduced in 4.15 with commit d2ddc776a458 and fixed in 5.10.211 with commit d9b5e2b7a819
+ Issue introduced in 4.15 with commit d2ddc776a458 and fixed in 5.15.150 with commit e56662160fc2
+ Issue introduced in 4.15 with commit d2ddc776a458 and fixed in 6.1.80 with commit e8530b170e46
+ Issue introduced in 4.15 with commit d2ddc776a458 and fixed in 6.6.19 with commit 6e6065dd25b6
+ Issue introduced in 4.15 with commit d2ddc776a458 and fixed in 6.7.7 with commit d34a5e57632b
+ Issue introduced in 4.15 with commit d2ddc776a458 and fixed in 6.8 with commit 6ea38e2aeb72
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26736
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ fs/afs/volume.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/5c27d85a69fa16a08813ba37ddfb4bbc9a1ed6b5
+ https://git.kernel.org/stable/c/d9b5e2b7a8196850383c70d099bfd39e81ab6637
+ https://git.kernel.org/stable/c/e56662160fc24d28cb75ac095cc6415ae1bda43e
+ https://git.kernel.org/stable/c/e8530b170e464017203e3b8c6c49af6e916aece1
+ https://git.kernel.org/stable/c/6e6065dd25b661420fac19c34282b6c626fcd35e
+ https://git.kernel.org/stable/c/d34a5e57632bb5ff825196ddd9a48ca403626dfa
+ https://git.kernel.org/stable/c/6ea38e2aeb72349cad50e38899b0ba6fbcb2af3d
diff --git a/cve/published/2024/CVE-2024-26736.sha1 b/cve/published/2024/CVE-2024-26736.sha1
new file mode 100644
index 00000000..ad427e67
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26736.sha1
@@ -0,0 +1 @@
+6ea38e2aeb72349cad50e38899b0ba6fbcb2af3d
diff --git a/cve/reserved/2024/CVE-2024-26737 b/cve/published/2024/CVE-2024-26737
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26737
+++ b/cve/published/2024/CVE-2024-26737
diff --git a/cve/published/2024/CVE-2024-26737.json b/cve/published/2024/CVE-2024-26737.json
new file mode 100644
index 00000000..7141ed35
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26737.json
@@ -0,0 +1,133 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix racing between bpf_timer_cancel_and_free and bpf_timer_cancel\n\nThe following race is possible between bpf_timer_cancel_and_free\nand bpf_timer_cancel. It will lead a UAF on the timer->timer.\n\nbpf_timer_cancel();\n\tspin_lock();\n\tt = timer->time;\n\tspin_unlock();\n\n\t\t\t\t\tbpf_timer_cancel_and_free();\n\t\t\t\t\t\tspin_lock();\n\t\t\t\t\t\tt = timer->timer;\n\t\t\t\t\t\ttimer->timer = NULL;\n\t\t\t\t\t\tspin_unlock();\n\t\t\t\t\t\thrtimer_cancel(&t->timer);\n\t\t\t\t\t\tkfree(t);\n\n\t/* UAF on t */\n\thrtimer_cancel(&t->timer);\n\nIn bpf_timer_cancel_and_free, this patch frees the timer->timer\nafter a rcu grace period. This requires a rcu_head addition\nto the \"struct bpf_hrtimer\". Another kfree(t) happens in bpf_timer_init,\nthis does not need a kfree_rcu because it is still under the\nspin_lock and timer->timer has not been visible by others yet.\n\nIn bpf_timer_cancel, rcu_read_lock() is added because this helper\ncan be used in a non rcu critical section context (e.g. from\na sleepable bpf prog). Other timer->timer usages in helpers.c\nhave been audited, bpf_timer_cancel() is the only place where\ntimer->timer is used outside of the spin_lock.\n\nAnother solution considered is to mark a t->flag in bpf_timer_cancel\nand clear it after hrtimer_cancel() is done. In bpf_timer_cancel_and_free,\nit busy waits for the flag to be cleared before kfree(t). This patch\ngoes with a straight forward solution and frees timer->timer after\na rcu grace period."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "b00628b1c7d5",
+ "lessThan": "5268bb02107b",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "b00628b1c7d5",
+ "lessThan": "addf5e297e6c",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "b00628b1c7d5",
+ "lessThan": "8327ed12e8eb",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "b00628b1c7d5",
+ "lessThan": "7d80a9e745fa",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "b00628b1c7d5",
+ "lessThan": "0281b919e175",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.15",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.15",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.150",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.80",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/5268bb02107b9eedfdcd51db75b407d10043368c"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/addf5e297e6cbf5341f9c07720693ca9ba0057b5"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/8327ed12e8ebc5436bfaa1786c49988894f9c8a6"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/7d80a9e745fa5b47da3bca001f186c02485c7c33"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/0281b919e175bb9c3128bd3872ac2903e9436e3f"
+ }
+ ],
+ "title": "bpf: Fix racing between bpf_timer_cancel_and_free and bpf_timer_cancel",
+ "x_generator": {
+ "engine": "bippy-d3b290d2becc"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26737",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
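Review bot: The race diagram inside the `descriptions[0].value` string reads `t = timer->time;` in the bpf_timer_cancel() column, while the bpf_timer_cancel_and_free() column and the rest of the text use `timer->timer`. The sentence `It will lead a UAF on the timer->timer.` is also missing a word. Both look carried over verbatim from the upstream commit message, so keeping them may be deliberate, but this published record is the text that triagers and scanners will read. If the record text may differ from the commit message, I would use `t = timer->timer;` and `It will lead to a UAF on timer->timer.`. The same wording is repeated in the CVE-2024-26737.mbox hunk that follows.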
diff --git a/cve/published/2024/CVE-2024-26737.mbox b/cve/published/2024/CVE-2024-26737.mbox
new file mode 100644
index 00000000..1e19affb
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26737.mbox
@@ -0,0 +1,105 @@
+From bippy-d3b290d2becc Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26737: bpf: Fix racing between bpf_timer_cancel_and_free and bpf_timer_cancel
+Message-Id: <2024040359-CVE-2024-26737-a9c3@gregkh>
+Content-Length: 3462
+Lines: 88
+X-Developer-Signature: v=1; a=openpgp-sha256; l=3551;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=eASFuwIqaJqgSF9uwVIZXdmLhXi5W9uRKO+XL7sLNSI=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGm8k4J/trfuYs9Zu+ti3XFvBdF7PWbfHfc65R161aa0Q
+ DbAcVV8RywLgyATg6yYIsuXbTxH91ccUvQytD0NM4eVCWQIAxenAExEMYJhftrWHxc56gq07oYy
+ HnS89udf3uoVVxnml1y0cn6QrPAv8H3KIv1+u3lBx/3+AQA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+bpf: Fix racing between bpf_timer_cancel_and_free and bpf_timer_cancel
+
+The following race is possible between bpf_timer_cancel_and_free
+and bpf_timer_cancel. It will lead a UAF on the timer->timer.
+
+bpf_timer_cancel();
+ spin_lock();
+ t = timer->time;
+ spin_unlock();
+
+ bpf_timer_cancel_and_free();
+ spin_lock();
+ t = timer->timer;
+ timer->timer = NULL;
+ spin_unlock();
+ hrtimer_cancel(&t->timer);
+ kfree(t);
+
+ /* UAF on t */
+ hrtimer_cancel(&t->timer);
+
+In bpf_timer_cancel_and_free, this patch frees the timer->timer
+after a rcu grace period. This requires a rcu_head addition
+to the "struct bpf_hrtimer". Another kfree(t) happens in bpf_timer_init,
+this does not need a kfree_rcu because it is still under the
+spin_lock and timer->timer has not been visible by others yet.
+
+In bpf_timer_cancel, rcu_read_lock() is added because this helper
+can be used in a non rcu critical section context (e.g. from
+a sleepable bpf prog). Other timer->timer usages in helpers.c
+have been audited, bpf_timer_cancel() is the only place where
+timer->timer is used outside of the spin_lock.
+
+Another solution considered is to mark a t->flag in bpf_timer_cancel
+and clear it after hrtimer_cancel() is done. In bpf_timer_cancel_and_free,
+it busy waits for the flag to be cleared before kfree(t). This patch
+goes with a straight forward solution and frees timer->timer after
+a rcu grace period.
+
+The Linux kernel CVE team has assigned CVE-2024-26737 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.15 with commit b00628b1c7d5 and fixed in 5.15.150 with commit 5268bb02107b
+ Issue introduced in 5.15 with commit b00628b1c7d5 and fixed in 6.1.80 with commit addf5e297e6c
+ Issue introduced in 5.15 with commit b00628b1c7d5 and fixed in 6.6.19 with commit 8327ed12e8eb
+ Issue introduced in 5.15 with commit b00628b1c7d5 and fixed in 6.7.7 with commit 7d80a9e745fa
+ Issue introduced in 5.15 with commit b00628b1c7d5 and fixed in 6.8 with commit 0281b919e175
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26737
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ kernel/bpf/helpers.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/5268bb02107b9eedfdcd51db75b407d10043368c
+ https://git.kernel.org/stable/c/addf5e297e6cbf5341f9c07720693ca9ba0057b5
+ https://git.kernel.org/stable/c/8327ed12e8ebc5436bfaa1786c49988894f9c8a6
+ https://git.kernel.org/stable/c/7d80a9e745fa5b47da3bca001f186c02485c7c33
+ https://git.kernel.org/stable/c/0281b919e175bb9c3128bd3872ac2903e9436e3f
diff --git a/cve/published/2024/CVE-2024-26737.sha1 b/cve/published/2024/CVE-2024-26737.sha1
new file mode 100644
index 00000000..b4b9de7d
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26737.sha1
@@ -0,0 +1 @@
+0281b919e175bb9c3128bd3872ac2903e9436e3f
diff --git a/cve/reserved/2024/CVE-2024-26738 b/cve/published/2024/CVE-2024-26738
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26738
+++ b/cve/published/2024/CVE-2024-26738
diff --git a/cve/published/2024/CVE-2024-26738.json b/cve/published/2024/CVE-2024-26738.json
new file mode 100644
index 00000000..7e8065de
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26738.json
@@ -0,0 +1,103 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries/iommu: DLPAR add doesn't completely initialize pci_controller\n\nWhen a PCI device is dynamically added, the kernel oopses with a NULL\npointer dereference:\n\n BUG: Kernel NULL pointer dereference on read at 0x00000030\n Faulting instruction address: 0xc0000000006bbe5c\n Oops: Kernel access of bad area, sig: 11 [#1]\n LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries\n Modules linked in: rpadlpar_io rpaphp rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs xsk_diag bonding nft_compat nf_tables nfnetlink rfkill binfmt_misc dm_multipath rpcrdma sunrpc rdma_ucm ib_srpt ib_isert iscsi_target_mod target_core_mod ib_umad ib_iser libiscsi scsi_transport_iscsi ib_ipoib rdma_cm iw_cm ib_cm mlx5_ib ib_uverbs ib_core pseries_rng drm drm_panel_orientation_quirks xfs libcrc32c mlx5_core mlxfw sd_mod t10_pi sg tls ibmvscsi ibmveth scsi_transport_srp vmx_crypto pseries_wdt psample dm_mirror dm_region_hash dm_log dm_mod fuse\n CPU: 17 PID: 2685 Comm: drmgr Not tainted 6.7.0-203405+ #66\n Hardware name: IBM,9080-HEX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NH1060_008) hv:phyp pSeries\n NIP: c0000000006bbe5c LR: c000000000a13e68 CTR: c0000000000579f8\n REGS: c00000009924f240 TRAP: 0300 Not tainted (6.7.0-203405+)\n MSR: 8000000000009033 <SF,EE,ME,IR,DR,RI,LE> CR: 24002220 XER: 20040006\n CFAR: c000000000a13e64 DAR: 0000000000000030 DSISR: 40000000 IRQMASK: 0\n ...\n NIP sysfs_add_link_to_group+0x34/0x94\n LR iommu_device_link+0x5c/0x118\n Call Trace:\n iommu_init_device+0x26c/0x318 (unreliable)\n iommu_device_link+0x5c/0x118\n iommu_init_device+0xa8/0x318\n iommu_probe_device+0xc0/0x134\n iommu_bus_notifier+0x44/0x104\n notifier_call_chain+0xb8/0x19c\n blocking_notifier_call_chain+0x64/0x98\n bus_notify+0x50/0x7c\n device_add+0x640/0x918\n pci_device_add+0x23c/0x298\n of_create_pci_dev+0x400/0x884\n of_scan_pci_dev+0x124/0x1b0\n 
__of_scan_bus+0x78/0x18c\n pcibios_scan_phb+0x2a4/0x3b0\n init_phb_dynamic+0xb8/0x110\n dlpar_add_slot+0x170/0x3b8 [rpadlpar_io]\n add_slot_store.part.0+0xb4/0x130 [rpadlpar_io]\n kobj_attr_store+0x2c/0x48\n sysfs_kf_write+0x64/0x78\n kernfs_fop_write_iter+0x1b0/0x290\n vfs_write+0x350/0x4a0\n ksys_write+0x84/0x140\n system_call_exception+0x124/0x330\n system_call_vectored_common+0x15c/0x2ec\n\nCommit a940904443e4 (\"powerpc/iommu: Add iommu_ops to report capabilities\nand allow blocking domains\") broke DLPAR add of PCI devices.\n\nThe above added iommu_device structure to pci_controller. During\nsystem boot, PCI devices are discovered and this newly added iommu_device\nstructure is initialized by a call to iommu_device_register().\n\nDuring DLPAR add of a PCI device, a new pci_controller structure is\nallocated but there are no calls made to iommu_device_register()\ninterface.\n\nFix is to register the iommu device during DLPAR add as well."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "a940904443e4",
+ "lessThan": "b8315b2e25b4",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "a940904443e4",
+ "lessThan": "46e36ebd5e00",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "a940904443e4",
+ "lessThan": "a5c57fd2e9bd",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.4",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "6.4",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/b8315b2e25b4e68e42fcb74630f824b9a5067765"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/46e36ebd5e00a148b67ed77c1d31675996f77c25"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/a5c57fd2e9bd1c8ea8613a8f94fd0be5eccbf321"
+ }
+ ],
+ "title": "powerpc/pseries/iommu: DLPAR add doesn't completely initialize pci_controller",
+ "x_generator": {
+ "engine": "bippy-d3b290d2becc"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26738",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
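Review bot: The `versions` entries with `"versionType": "git"` identify the introducing and fixing commits only by 12-character prefixes (`"version": "a940904443e4"`, `"lessThan": "b8315b2e25b4"`), while the `references` array in the same record already carries the full ids. A prefix is not guaranteed to stay unique as the repository grows, and a consumer that matches ranges by commit id has to resolve it against a clone first. I would write the full id in the range as well, e.g. `"lessThan": "b8315b2e25b4e68e42fcb74630f824b9a5067765"`. The same applies to the git ranges in the CVE-2024-26739, CVE-2024-26740 and CVE-2024-26741 records in this commit.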
diff --git a/cve/published/2024/CVE-2024-26738.mbox b/cve/published/2024/CVE-2024-26738.mbox
new file mode 100644
index 00000000..7ce1bb8b
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26738.mbox
@@ -0,0 +1,122 @@
+From bippy-d3b290d2becc Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26738: powerpc/pseries/iommu: DLPAR add doesn't completely initialize pci_controller
+Message-Id: <2024040300-CVE-2024-26738-844b@gregkh>
+Content-Length: 4666
+Lines: 105
+X-Developer-Signature: v=1; a=openpgp-sha256; l=4772;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=4k6QZz1BtjTEkAUlEQ1mnEoRNzPoNzR/oTYTDaemiOQ=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGm8k0I48xjeyh5aPf/Rm0JPEe7Nqz86S+n0mN6+V7229
+ uGtizLeHbEsDIJMDLJiiixftvEc3V9xSNHL0PY0zBxWJpAhDFycAjCRVcUMCxq23/50fkehiujc
+ KWa/nI9ckLNcLcewYMf9zRKPUi6+WXlQy/qtkkZxj4ibBwA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+powerpc/pseries/iommu: DLPAR add doesn't completely initialize pci_controller
+
+When a PCI device is dynamically added, the kernel oopses with a NULL
+pointer dereference:
+
+ BUG: Kernel NULL pointer dereference on read at 0x00000030
+ Faulting instruction address: 0xc0000000006bbe5c
+ Oops: Kernel access of bad area, sig: 11 [#1]
+ LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries
+ Modules linked in: rpadlpar_io rpaphp rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs xsk_diag bonding nft_compat nf_tables nfnetlink rfkill binfmt_misc dm_multipath rpcrdma sunrpc rdma_ucm ib_srpt ib_isert iscsi_target_mod target_core_mod ib_umad ib_iser libiscsi scsi_transport_iscsi ib_ipoib rdma_cm iw_cm ib_cm mlx5_ib ib_uverbs ib_core pseries_rng drm drm_panel_orientation_quirks xfs libcrc32c mlx5_core mlxfw sd_mod t10_pi sg tls ibmvscsi ibmveth scsi_transport_srp vmx_crypto pseries_wdt psample dm_mirror dm_region_hash dm_log dm_mod fuse
+ CPU: 17 PID: 2685 Comm: drmgr Not tainted 6.7.0-203405+ #66
+ Hardware name: IBM,9080-HEX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NH1060_008) hv:phyp pSeries
+ NIP: c0000000006bbe5c LR: c000000000a13e68 CTR: c0000000000579f8
+ REGS: c00000009924f240 TRAP: 0300 Not tainted (6.7.0-203405+)
+ MSR: 8000000000009033 <SF,EE,ME,IR,DR,RI,LE> CR: 24002220 XER: 20040006
+ CFAR: c000000000a13e64 DAR: 0000000000000030 DSISR: 40000000 IRQMASK: 0
+ ...
+ NIP sysfs_add_link_to_group+0x34/0x94
+ LR iommu_device_link+0x5c/0x118
+ Call Trace:
+ iommu_init_device+0x26c/0x318 (unreliable)
+ iommu_device_link+0x5c/0x118
+ iommu_init_device+0xa8/0x318
+ iommu_probe_device+0xc0/0x134
+ iommu_bus_notifier+0x44/0x104
+ notifier_call_chain+0xb8/0x19c
+ blocking_notifier_call_chain+0x64/0x98
+ bus_notify+0x50/0x7c
+ device_add+0x640/0x918
+ pci_device_add+0x23c/0x298
+ of_create_pci_dev+0x400/0x884
+ of_scan_pci_dev+0x124/0x1b0
+ __of_scan_bus+0x78/0x18c
+ pcibios_scan_phb+0x2a4/0x3b0
+ init_phb_dynamic+0xb8/0x110
+ dlpar_add_slot+0x170/0x3b8 [rpadlpar_io]
+ add_slot_store.part.0+0xb4/0x130 [rpadlpar_io]
+ kobj_attr_store+0x2c/0x48
+ sysfs_kf_write+0x64/0x78
+ kernfs_fop_write_iter+0x1b0/0x290
+ vfs_write+0x350/0x4a0
+ ksys_write+0x84/0x140
+ system_call_exception+0x124/0x330
+ system_call_vectored_common+0x15c/0x2ec
+
+Commit a940904443e4 ("powerpc/iommu: Add iommu_ops to report capabilities
+and allow blocking domains") broke DLPAR add of PCI devices.
+
+The above added iommu_device structure to pci_controller. During
+system boot, PCI devices are discovered and this newly added iommu_device
+structure is initialized by a call to iommu_device_register().
+
+During DLPAR add of a PCI device, a new pci_controller structure is
+allocated but there are no calls made to iommu_device_register()
+interface.
+
+Fix is to register the iommu device during DLPAR add as well.
+
+The Linux kernel CVE team has assigned CVE-2024-26738 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 6.4 with commit a940904443e4 and fixed in 6.6.19 with commit b8315b2e25b4
+ Issue introduced in 6.4 with commit a940904443e4 and fixed in 6.7.7 with commit 46e36ebd5e00
+ Issue introduced in 6.4 with commit a940904443e4 and fixed in 6.8 with commit a5c57fd2e9bd
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26738
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ arch/powerpc/include/asm/ppc-pci.h
+ arch/powerpc/kernel/iommu.c
+ arch/powerpc/platforms/pseries/pci_dlpar.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/b8315b2e25b4e68e42fcb74630f824b9a5067765
+ https://git.kernel.org/stable/c/46e36ebd5e00a148b67ed77c1d31675996f77c25
+ https://git.kernel.org/stable/c/a5c57fd2e9bd1c8ea8613a8f94fd0be5eccbf321
diff --git a/cve/published/2024/CVE-2024-26738.sha1 b/cve/published/2024/CVE-2024-26738.sha1
new file mode 100644
index 00000000..0c3836fd
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26738.sha1
@@ -0,0 +1 @@
+a5c57fd2e9bd1c8ea8613a8f94fd0be5eccbf321
diff --git a/cve/reserved/2024/CVE-2024-26739 b/cve/published/2024/CVE-2024-26739
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26739
+++ b/cve/published/2024/CVE-2024-26739
diff --git a/cve/published/2024/CVE-2024-26739.json b/cve/published/2024/CVE-2024-26739.json
new file mode 100644
index 00000000..096c60bb
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26739.json
@@ -0,0 +1,103 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_mirred: don't override retval if we already lost the skb\n\nIf we're redirecting the skb, and haven't called tcf_mirred_forward(),\nyet, we need to tell the core to drop the skb by setting the retcode\nto SHOT. If we have called tcf_mirred_forward(), however, the skb\nis out of our hands and returning SHOT will lead to UaF.\n\nMove the retval override to the error path which actually need it."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "e5cf1baf92cb",
+ "lessThan": "28cdbbd38a44",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "e5cf1baf92cb",
+ "lessThan": "f4e294bbdca8",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "e5cf1baf92cb",
+ "lessThan": "166c2c8a6a4d",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "4.19",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "4.19",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/28cdbbd38a4413b8eff53399b3f872fd4e80db9d"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/f4e294bbdca8ac8757db436fc82214f3882fc7e7"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/166c2c8a6a4dc2e4ceba9e10cfe81c3e469e3210"
+ }
+ ],
+ "title": "net/sched: act_mirred: don't override retval if we already lost the skb",
+ "x_generator": {
+ "engine": "bippy-d3b290d2becc"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26739",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
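Review bot: The description states a use-after-free ("returning SHOT will lead to UaF"), but the `cna` container has no `problemTypes` entry, so tooling that triages by CWE will not classify this record. Consider adding `"problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416 Use After Free"}]}]` next to `descriptions`. If leaving the weakness class out is a deliberate policy of the generator, a short note in the repository documentation would spare consumers the guesswork.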
diff --git a/cve/published/2024/CVE-2024-26739.mbox b/cve/published/2024/CVE-2024-26739.mbox
new file mode 100644
index 00000000..a5ae00d5
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26739.mbox
@@ -0,0 +1,71 @@
+From bippy-d3b290d2becc Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26739: net/sched: act_mirred: don't override retval if we already lost the skb
+Message-Id: <2024040300-CVE-2024-26739-170e@gregkh>
+Content-Length: 2115
+Lines: 54
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2170;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=qMGFp9At34AoLgoHZnZ9hy92dFmdn3o1a8UkFB5rr5I=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGm8k0K6nsxO3SX7xVlMLvUsX4DSIi0FJ910rscuXzJfi
+ Sx49MKxI5aFQZCJQVZMkeXLNp6j+ysOKXoZ2p6GmcPKBDKEgYtTACbyOY5hfoZ4hdNfvt2/KzT2
+ tXrXcvE8FWM7wrCgdWrZEtfP0o5/L+to7hZ47LJs6QYJAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+net/sched: act_mirred: don't override retval if we already lost the skb
+
+If we're redirecting the skb, and haven't called tcf_mirred_forward(),
+yet, we need to tell the core to drop the skb by setting the retcode
+to SHOT. If we have called tcf_mirred_forward(), however, the skb
+is out of our hands and returning SHOT will lead to UaF.
+
+Move the retval override to the error path which actually need it.
+
+The Linux kernel CVE team has assigned CVE-2024-26739 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 4.19 with commit e5cf1baf92cb and fixed in 6.6.19 with commit 28cdbbd38a44
+ Issue introduced in 4.19 with commit e5cf1baf92cb and fixed in 6.7.7 with commit f4e294bbdca8
+ Issue introduced in 4.19 with commit e5cf1baf92cb and fixed in 6.8 with commit 166c2c8a6a4d
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26739
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ net/sched/act_mirred.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/28cdbbd38a4413b8eff53399b3f872fd4e80db9d
+ https://git.kernel.org/stable/c/f4e294bbdca8ac8757db436fc82214f3882fc7e7
+ https://git.kernel.org/stable/c/166c2c8a6a4dc2e4ceba9e10cfe81c3e469e3210
diff --git a/cve/published/2024/CVE-2024-26739.sha1 b/cve/published/2024/CVE-2024-26739.sha1
new file mode 100644
index 00000000..8ac29941
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26739.sha1
@@ -0,0 +1 @@
+166c2c8a6a4dc2e4ceba9e10cfe81c3e469e3210
diff --git a/cve/reserved/2024/CVE-2024-26740 b/cve/published/2024/CVE-2024-26740
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26740
+++ b/cve/published/2024/CVE-2024-26740
diff --git a/cve/published/2024/CVE-2024-26740.json b/cve/published/2024/CVE-2024-26740.json
new file mode 100644
index 00000000..6f84b1f1
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26740.json
@@ -0,0 +1,103 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_mirred: use the backlog for mirred ingress\n\nThe test Davide added in commit ca22da2fbd69 (\"act_mirred: use the backlog\nfor nested calls to mirred ingress\") hangs our testing VMs every 10 or so\nruns, with the familiar tcp_v4_rcv -> tcp_v4_rcv deadlock reported by\nlockdep.\n\nThe problem as previously described by Davide (see Link) is that\nif we reverse flow of traffic with the redirect (egress -> ingress)\nwe may reach the same socket which generated the packet. And we may\nstill be holding its socket lock. The common solution to such deadlocks\nis to put the packet in the Rx backlog, rather than run the Rx path\ninline. Do that for all egress -> ingress reversals, not just once\nwe started to nest mirred calls.\n\nIn the past there was a concern that the backlog indirection will\nlead to loss of error reporting / less accurate stats. But the current\nworkaround does not seem to address the issue."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "53592b364001",
+ "lessThan": "7c787888d164",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "53592b364001",
+ "lessThan": "60ddea1600bc",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "53592b364001",
+ "lessThan": "52f671db1882",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "4.10",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "4.10",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/7c787888d164689da8b1b115f3ef562c1e843af4"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/60ddea1600bc476e0f5e02bce0e29a460ccbf0be"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/52f671db18823089a02f07efc04efdb2272ddc17"
+ }
+ ],
+ "title": "net/sched: act_mirred: use the backlog for mirred ingress",
+ "x_generator": {
+ "engine": "bippy-d3b290d2becc"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26740",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26740.mbox b/cve/published/2024/CVE-2024-26740.mbox
new file mode 100644
index 00000000..0269a7ea
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26740.mbox
@@ -0,0 +1,82 @@
+From bippy-d3b290d2becc Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26740: net/sched: act_mirred: use the backlog for mirred ingress
+Message-Id: <2024040300-CVE-2024-26740-4d6f@gregkh>
+Content-Length: 2679
+Lines: 65
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2745;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=Nq/FZCQ5BuMkZh6xOgqkaoJ+iRTN1IcRIuLQUvzRtzM=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGm8k0IOuVSJe/KH3flotYMzp1w/rFk8fpfR+xaXVFW5C
+ nbDJZs6YlkYBJkYZMUUWb5s4zm6v+KQopeh7WmYOaxMIEMYuDgFYCLbTBgWHOS7fO7+tYYA3/ev
+ 1aUfTDXW2c9ZzTBXLvj8jhk3p5UvWJfs3DxxoVKi25l2AA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+net/sched: act_mirred: use the backlog for mirred ingress
+
+The test Davide added in commit ca22da2fbd69 ("act_mirred: use the backlog
+for nested calls to mirred ingress") hangs our testing VMs every 10 or so
+runs, with the familiar tcp_v4_rcv -> tcp_v4_rcv deadlock reported by
+lockdep.
+
+The problem as previously described by Davide (see Link) is that
+if we reverse flow of traffic with the redirect (egress -> ingress)
+we may reach the same socket which generated the packet. And we may
+still be holding its socket lock. The common solution to such deadlocks
+is to put the packet in the Rx backlog, rather than run the Rx path
+inline. Do that for all egress -> ingress reversals, not just once
+we started to nest mirred calls.
+
+In the past there was a concern that the backlog indirection will
+lead to loss of error reporting / less accurate stats. But the current
+workaround does not seem to address the issue.
+
+The Linux kernel CVE team has assigned CVE-2024-26740 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 4.10 with commit 53592b364001 and fixed in 6.6.19 with commit 7c787888d164
+ Issue introduced in 4.10 with commit 53592b364001 and fixed in 6.7.7 with commit 60ddea1600bc
+ Issue introduced in 4.10 with commit 53592b364001 and fixed in 6.8 with commit 52f671db1882
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26740
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ net/sched/act_mirred.c
+ tools/testing/selftests/net/forwarding/tc_actions.sh
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/7c787888d164689da8b1b115f3ef562c1e843af4
+ https://git.kernel.org/stable/c/60ddea1600bc476e0f5e02bce0e29a460ccbf0be
+ https://git.kernel.org/stable/c/52f671db18823089a02f07efc04efdb2272ddc17
diff --git a/cve/published/2024/CVE-2024-26740.sha1 b/cve/published/2024/CVE-2024-26740.sha1
new file mode 100644
index 00000000..2f85f56b
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26740.sha1
@@ -0,0 +1 @@
+52f671db18823089a02f07efc04efdb2272ddc17
diff --git a/cve/reserved/2024/CVE-2024-26741 b/cve/published/2024/CVE-2024-26741
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26741
+++ b/cve/published/2024/CVE-2024-26741
diff --git a/cve/published/2024/CVE-2024-26741.json b/cve/published/2024/CVE-2024-26741.json
new file mode 100644
index 00000000..40ebe9c0
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26741.json
@@ -0,0 +1,118 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndccp/tcp: Unhash sk from ehash for tb2 alloc failure after check_estalblished().\n\nsyzkaller reported a warning [0] in inet_csk_destroy_sock() with no\nrepro.\n\n WARN_ON(inet_sk(sk)->inet_num && !inet_csk(sk)->icsk_bind_hash);\n\nHowever, the syzkaller's log hinted that connect() failed just before\nthe warning due to FAULT_INJECTION. [1]\n\nWhen connect() is called for an unbound socket, we search for an\navailable ephemeral port. If a bhash bucket exists for the port, we\ncall __inet_check_established() or __inet6_check_established() to check\nif the bucket is reusable.\n\nIf reusable, we add the socket into ehash and set inet_sk(sk)->inet_num.\n\nLater, we look up the corresponding bhash2 bucket and try to allocate\nit if it does not exist.\n\nAlthough it rarely occurs in real use, if the allocation fails, we must\nrevert the changes by check_established(). Otherwise, an unconnected\nsocket could illegally occupy an ehash entry.\n\nNote that we do not put tw back into ehash because sk might have\nalready responded to a packet for tw and it would be better to free\ntw earlier under such memory presure.\n\n[0]:\nWARNING: CPU: 0 PID: 350830 at net/ipv4/inet_connection_sock.c:1193 inet_csk_destroy_sock (net/ipv4/inet_connection_sock.c:1193)\nModules linked in:\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nRIP: 0010:inet_csk_destroy_sock (net/ipv4/inet_connection_sock.c:1193)\nCode: 41 5c 41 5d 41 5e e9 2d 4a 3d fd e8 28 4a 3d fd 48 89 ef e8 f0 cd 7d ff 5b 5d 41 5c 41 5d 41 5e e9 13 4a 3d fd e8 0e 4a 3d fd <0f> 0b e9 61 fe ff ff e8 02 4a 3d fd 4c 89 e7 be 03 00 00 00 e8 05\nRSP: 0018:ffffc9000b21fd38 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: 0000000000009e78 RCX: ffffffff840bae40\nRDX: ffff88806e46c600 RSI: ffffffff840bb012 RDI: ffff88811755cca8\nRBP: ffff88811755c880 R08: 0000000000000003 R09: 
0000000000000000\nR10: 0000000000009e78 R11: 0000000000000000 R12: ffff88811755c8e0\nR13: ffff88811755c892 R14: ffff88811755c918 R15: 0000000000000000\nFS: 00007f03e5243800(0000) GS:ffff88811ae00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000001b32f21000 CR3: 0000000112ffe001 CR4: 0000000000770ef0\nPKRU: 55555554\nCall Trace:\n <TASK>\n ? inet_csk_destroy_sock (net/ipv4/inet_connection_sock.c:1193)\n dccp_close (net/dccp/proto.c:1078)\n inet_release (net/ipv4/af_inet.c:434)\n __sock_release (net/socket.c:660)\n sock_close (net/socket.c:1423)\n __fput (fs/file_table.c:377)\n __fput_sync (fs/file_table.c:462)\n __x64_sys_close (fs/open.c:1557 fs/open.c:1539 fs/open.c:1539)\n do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129)\nRIP: 0033:0x7f03e53852bb\nCode: 03 00 00 00 0f 05 48 3d 00 f0 ff ff 77 41 c3 48 83 ec 18 89 7c 24 0c e8 43 c9 f5 ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 c9 f5 ff 8b 44\nRSP: 002b:00000000005dfba0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003\nRAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007f03e53852bb\nRDX: 0000000000000002 RSI: 0000000000000002 RDI: 0000000000000003\nRBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000167c\nR10: 0000000008a79680 R11: 0000000000000293 R12: 00007f03e4e43000\nR13: 00007f03e4e43170 R14: 00007f03e4e43178 R15: 00007f03e4e43170\n </TASK>\n\n[1]:\nFAULT_INJECTION: forcing a failure.\nname failslab, interval 1, probability 0, space 0, times 0\nCPU: 0 PID: 350833 Comm: syz-executor.1 Not tainted 6.7.0-12272-g2121c43f88f5 #9\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nCall Trace:\n <TASK>\n dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1))\n should_fail_ex (lib/fault-inject.c:52 lib/fault-inject.c:153)\n should_failslab (mm/slub.c:3748)\n 
kmem_cache_alloc (mm/slub.c:3763 mm/slub.c:3842 mm/slub.c:3867)\n inet_bind2_bucket_create \n---truncated---"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "28044fc1d495",
+ "lessThan": "729bc77af438",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "28044fc1d495",
+ "lessThan": "334a8348b2df",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "28044fc1d495",
+ "lessThan": "f8c4a6b85088",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "28044fc1d495",
+ "lessThan": "66b60b0c8c4a",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.1",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "6.1",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.80",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/729bc77af438a6e67914c97f6f3d3af8f72c0131"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/334a8348b2df26526f3298848ad6864285592caf"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/f8c4a6b850882bc47aaa864b720c7a2ee3102f39"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/66b60b0c8c4a163b022a9f0ad6769b0fd3dc662f"
+ }
+ ],
+ "title": "dccp/tcp: Unhash sk from ehash for tb2 alloc failure after check_estalblished().",
+ "x_generator": {
+ "engine": "bippy-d3b290d2becc"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26741",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
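Review bot: The `descriptions[0].value` string is cut at `---truncated---` in the middle of the second call trace, so the published record spends most of its length on register dumps and raw `Code:` bytes and ends on an incomplete frame (`inet_bind2_bucket_create`). The explanatory text all precedes the `[0]:` marker, so I would truncate there instead, ending the value after the paragraph that closes with "under such memory presure." followed by `---truncated---`. The full traces remain available in the referenced commits. Whatever followed the traces in the original message is not visible here, so this assumes nothing explanatory comes after them.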
diff --git a/cve/published/2024/CVE-2024-26741.mbox b/cve/published/2024/CVE-2024-26741.mbox
new file mode 100644
index 00000000..13a51d12
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26741.mbox
@@ -0,0 +1,161 @@
+From bippy-d3b290d2becc Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26741: dccp/tcp: Unhash sk from ehash for tb2 alloc failure after check_estalblished().
+Message-Id: <2024040300-CVE-2024-26741-961e@gregkh>
+Content-Length: 6917
+Lines: 144
+X-Developer-Signature: v=1; a=openpgp-sha256; l=7062;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=YWSLOi4vsNj1OrxQTU4Jq5T03w14V+QS3IZlhQQS2lg=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGm8k0J6Tupn/GL/kXpq81xZ1Y/u/CfnC3w0kj76O/JZ9
+ /7m/jq2jlgWBkEmBlkxRZYv23iO7q84pOhlaHsaZg4rE8gQBi5OAZjI6hMM80ynh6WvC2IP9zGr
+ nOyTcyOE08CknGHBDEHtL5lnufuOadSFvfGouhcX3XsTAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+dccp/tcp: Unhash sk from ehash for tb2 alloc failure after check_estalblished().
+
+syzkaller reported a warning [0] in inet_csk_destroy_sock() with no
+repro.
+
+ WARN_ON(inet_sk(sk)->inet_num && !inet_csk(sk)->icsk_bind_hash);
+
+However, the syzkaller's log hinted that connect() failed just before
+the warning due to FAULT_INJECTION. [1]
+
+When connect() is called for an unbound socket, we search for an
+available ephemeral port. If a bhash bucket exists for the port, we
+call __inet_check_established() or __inet6_check_established() to check
+if the bucket is reusable.
+
+If reusable, we add the socket into ehash and set inet_sk(sk)->inet_num.
+
+Later, we look up the corresponding bhash2 bucket and try to allocate
+it if it does not exist.
+
+Although it rarely occurs in real use, if the allocation fails, we must
+revert the changes by check_established(). Otherwise, an unconnected
+socket could illegally occupy an ehash entry.
+
+Note that we do not put tw back into ehash because sk might have
+already responded to a packet for tw and it would be better to free
+tw earlier under such memory presure.
+
+[0]:
+WARNING: CPU: 0 PID: 350830 at net/ipv4/inet_connection_sock.c:1193 inet_csk_destroy_sock (net/ipv4/inet_connection_sock.c:1193)
+Modules linked in:
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
+RIP: 0010:inet_csk_destroy_sock (net/ipv4/inet_connection_sock.c:1193)
+Code: 41 5c 41 5d 41 5e e9 2d 4a 3d fd e8 28 4a 3d fd 48 89 ef e8 f0 cd 7d ff 5b 5d 41 5c 41 5d 41 5e e9 13 4a 3d fd e8 0e 4a 3d fd <0f> 0b e9 61 fe ff ff e8 02 4a 3d fd 4c 89 e7 be 03 00 00 00 e8 05
+RSP: 0018:ffffc9000b21fd38 EFLAGS: 00010293
+RAX: 0000000000000000 RBX: 0000000000009e78 RCX: ffffffff840bae40
+RDX: ffff88806e46c600 RSI: ffffffff840bb012 RDI: ffff88811755cca8
+RBP: ffff88811755c880 R08: 0000000000000003 R09: 0000000000000000
+R10: 0000000000009e78 R11: 0000000000000000 R12: ffff88811755c8e0
+R13: ffff88811755c892 R14: ffff88811755c918 R15: 0000000000000000
+FS: 00007f03e5243800(0000) GS:ffff88811ae00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000001b32f21000 CR3: 0000000112ffe001 CR4: 0000000000770ef0
+PKRU: 55555554
+Call Trace:
+ <TASK>
+ ? inet_csk_destroy_sock (net/ipv4/inet_connection_sock.c:1193)
+ dccp_close (net/dccp/proto.c:1078)
+ inet_release (net/ipv4/af_inet.c:434)
+ __sock_release (net/socket.c:660)
+ sock_close (net/socket.c:1423)
+ __fput (fs/file_table.c:377)
+ __fput_sync (fs/file_table.c:462)
+ __x64_sys_close (fs/open.c:1557 fs/open.c:1539 fs/open.c:1539)
+ do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
+ entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129)
+RIP: 0033:0x7f03e53852bb
+Code: 03 00 00 00 0f 05 48 3d 00 f0 ff ff 77 41 c3 48 83 ec 18 89 7c 24 0c e8 43 c9 f5 ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 c9 f5 ff 8b 44
+RSP: 002b:00000000005dfba0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
+RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007f03e53852bb
+RDX: 0000000000000002 RSI: 0000000000000002 RDI: 0000000000000003
+RBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000167c
+R10: 0000000008a79680 R11: 0000000000000293 R12: 00007f03e4e43000
+R13: 00007f03e4e43170 R14: 00007f03e4e43178 R15: 00007f03e4e43170
+ </TASK>
+
+[1]:
+FAULT_INJECTION: forcing a failure.
+name failslab, interval 1, probability 0, space 0, times 0
+CPU: 0 PID: 350833 Comm: syz-executor.1 Not tainted 6.7.0-12272-g2121c43f88f5 #9
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
+Call Trace:
+ <TASK>
+ dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1))
+ should_fail_ex (lib/fault-inject.c:52 lib/fault-inject.c:153)
+ should_failslab (mm/slub.c:3748)
+ kmem_cache_alloc (mm/slub.c:3763 mm/slub.c:3842 mm/slub.c:3867)
+ inet_bind2_bucket_create (net/ipv4/inet_hashtables.c:135)
+ __inet_hash_connect (net/ipv4/inet_hashtables.c:1100)
+ dccp_v4_connect (net/dccp/ipv4.c:116)
+ __inet_stream_connect (net/ipv4/af_inet.c:676)
+ inet_stream_connect (net/ipv4/af_inet.c:747)
+ __sys_connect_file (net/socket.c:2048 (discriminator 2))
+ __sys_connect (net/socket.c:2065)
+ __x64_sys_connect (net/socket.c:2072)
+ do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
+ entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129)
+RIP: 0033:0x7f03e5284e5d
+Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48
+RSP: 002b:00007f03e4641cc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
+RAX: ffffffffffffffda RBX: 00000000004bbf80 RCX: 00007f03e5284e5d
+RDX: 0000000000000010 RSI: 0000000020000000 RDI: 0000000000000003
+RBP: 00000000004bbf80 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
+R13: 000000000000000b R14: 00007f03e52e5530 R15: 0000000000000000
+ </TASK>
+
+The Linux kernel CVE team has assigned CVE-2024-26741 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 6.1 with commit 28044fc1d495 and fixed in 6.1.80 with commit 729bc77af438
+ Issue introduced in 6.1 with commit 28044fc1d495 and fixed in 6.6.19 with commit 334a8348b2df
+ Issue introduced in 6.1 with commit 28044fc1d495 and fixed in 6.7.7 with commit f8c4a6b85088
+ Issue introduced in 6.1 with commit 28044fc1d495 and fixed in 6.8 with commit 66b60b0c8c4a
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26741
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ net/ipv4/inet_hashtables.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/729bc77af438a6e67914c97f6f3d3af8f72c0131
+ https://git.kernel.org/stable/c/334a8348b2df26526f3298848ad6864285592caf
+ https://git.kernel.org/stable/c/f8c4a6b850882bc47aaa864b720c7a2ee3102f39
+ https://git.kernel.org/stable/c/66b60b0c8c4a163b022a9f0ad6769b0fd3dc662f
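Review bot: The "Affected files" section of this announcement lists only `net/ipv4/inet_hashtables.c`, while the description says the path is reached through `__inet_check_established()` or `__inet6_check_established()` and the trace enters through `dccp_v4_connect`. Anyone triaging by file path or by enabled protocol could wrongly rule out IPv6 or DCCP users. A line under that section such as `(shared connect-time hashing code; per the description, reached from both the IPv4 and IPv6 check_established paths)` would make the scope explicit. The text also says the failure was observed only under failslab fault injection and "rarely occurs in real use"; since the announcement gives no severity, that is worth carrying into the triage rating.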
diff --git a/cve/published/2024/CVE-2024-26741.sha1 b/cve/published/2024/CVE-2024-26741.sha1
new file mode 100644
index 00000000..13e0e35e
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26741.sha1
@@ -0,0 +1 @@
+66b60b0c8c4a163b022a9f0ad6769b0fd3dc662f
diff --git a/cve/reserved/2024/CVE-2024-26742 b/cve/published/2024/CVE-2024-26742
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26742
+++ b/cve/published/2024/CVE-2024-26742
diff --git a/cve/published/2024/CVE-2024-26742.json b/cve/published/2024/CVE-2024-26742.json
new file mode 100644
index 00000000..4e46697f
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26742.json
@@ -0,0 +1,118 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: smartpqi: Fix disable_managed_interrupts\n\nCorrect blk-mq registration issue with module parameter\ndisable_managed_interrupts enabled.\n\nWhen we turn off the default PCI_IRQ_AFFINITY flag, the driver needs to\nregister with blk-mq using blk_mq_map_queues(). The driver is currently\ncalling blk_mq_pci_map_queues() which results in a stack trace and possibly\nundefined behavior.\n\nStack Trace:\n[ 7.860089] scsi host2: smartpqi\n[ 7.871934] WARNING: CPU: 0 PID: 238 at block/blk-mq-pci.c:52 blk_mq_pci_map_queues+0xca/0xd0\n[ 7.889231] Modules linked in: sd_mod t10_pi sg uas smartpqi(+) crc32c_intel scsi_transport_sas usb_storage dm_mirror dm_region_hash dm_log dm_mod ipmi_devintf ipmi_msghandler fuse\n[ 7.924755] CPU: 0 PID: 238 Comm: kworker/0:3 Not tainted 4.18.0-372.88.1.el8_6_smartpqi_test.x86_64 #1\n[ 7.944336] Hardware name: HPE ProLiant DL380 Gen10/ProLiant DL380 Gen10, BIOS U30 03/08/2022\n[ 7.963026] Workqueue: events work_for_cpu_fn\n[ 7.978275] RIP: 0010:blk_mq_pci_map_queues+0xca/0xd0\n[ 7.978278] Code: 48 89 de 89 c7 e8 f6 0f 4f 00 3b 05 c4 b7 8e 01 72 e1 5b 31 c0 5d 41 5c 41 5d 41 5e 41 5f e9 7d df 73 00 31 c0 e9 76 df 73 00 <0f> 0b eb bc 90 90 0f 1f 44 00 00 41 57 49 89 ff 41 56 41 55 41 54\n[ 7.978280] RSP: 0018:ffffa95fc3707d50 EFLAGS: 00010216\n[ 7.978283] RAX: 00000000ffffffff RBX: 0000000000000000 RCX: 0000000000000010\n[ 7.978284] RDX: 0000000000000004 RSI: 0000000000000000 RDI: ffff9190c32d4310\n[ 7.978286] RBP: 0000000000000000 R08: ffffa95fc3707d38 R09: ffff91929b81ac00\n[ 7.978287] R10: 0000000000000001 R11: ffffa95fc3707ac0 R12: 0000000000000000\n[ 7.978288] R13: ffff9190c32d4000 R14: 00000000ffffffff R15: ffff9190c4c950a8\n[ 7.978290] FS: 0000000000000000(0000) GS:ffff9193efc00000(0000) knlGS:0000000000000000\n[ 7.978292] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 8.172814] CR2: 000055d11166c000 CR3: 00000002dae10002 CR4: 00000000007706f0\n[ 
8.172816] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 8.172817] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 8.172818] PKRU: 55555554\n[ 8.172819] Call Trace:\n[ 8.172823] blk_mq_alloc_tag_set+0x12e/0x310\n[ 8.264339] scsi_add_host_with_dma.cold.9+0x30/0x245\n[ 8.279302] pqi_ctrl_init+0xacf/0xc8e [smartpqi]\n[ 8.294085] ? pqi_pci_probe+0x480/0x4c8 [smartpqi]\n[ 8.309015] pqi_pci_probe+0x480/0x4c8 [smartpqi]\n[ 8.323286] local_pci_probe+0x42/0x80\n[ 8.337855] work_for_cpu_fn+0x16/0x20\n[ 8.351193] process_one_work+0x1a7/0x360\n[ 8.364462] ? create_worker+0x1a0/0x1a0\n[ 8.379252] worker_thread+0x1ce/0x390\n[ 8.392623] ? create_worker+0x1a0/0x1a0\n[ 8.406295] kthread+0x10a/0x120\n[ 8.418428] ? set_kthread_struct+0x50/0x50\n[ 8.431532] ret_from_fork+0x1f/0x40\n[ 8.444137] ---[ end trace 1bf0173d39354506 ]---"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "cf15c3e734e8",
+ "lessThan": "3c31b18a8dd8",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "cf15c3e734e8",
+ "lessThan": "4f5b15c15e60",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "cf15c3e734e8",
+ "lessThan": "b9433b25cb06",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "cf15c3e734e8",
+ "lessThan": "5761eb9761d2",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.0",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "6.0",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.80",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/3c31b18a8dd8b7bf36af1cd723d455853b8f94fe"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/4f5b15c15e6016efb3e14582d02cc4ddf57227df"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/b9433b25cb06c415c9cb24782599649a406c8d6d"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/5761eb9761d2d5fe8248a9b719efc4d8baf1f24a"
+ }
+ ],
+ "title": "scsi: smartpqi: Fix disable_managed_interrupts",
+ "x_generator": {
+ "engine": "bippy-d3b290d2becc"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26742",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
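Review bot: The second `affected` entry marks every version below 6.0 as `unaffected`, but the trace embedded in `descriptions[0].value` was captured on `4.18.0-372.88.1.el8_6_smartpqi_test.x86_64`, which looks like a distribution or test kernel carrying a backport of the driver change. Version-range matching against this record can therefore clear vendor kernels that still have the defect, so consumers should check their vendor tree for the introducing commit `cf15c3e734e8` instead of relying on the upstream version number. The description also ties the failure to the `disable_managed_interrupts` module parameter being enabled, and a sentence such as `Only reachable when smartpqi is loaded with disable_managed_interrupts enabled.` would help triage. The same applies to the CVE-2024-26742.mbox hunk that follows.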
diff --git a/cve/published/2024/CVE-2024-26742.mbox b/cve/published/2024/CVE-2024-26742.mbox
new file mode 100644
index 00000000..58b4d7fc
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26742.mbox
@@ -0,0 +1,112 @@
+From bippy-d3b290d2becc Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26742: scsi: smartpqi: Fix disable_managed_interrupts
+Message-Id: <2024040301-CVE-2024-26742-1b19@gregkh>
+Content-Length: 4751
+Lines: 95
+X-Developer-Signature: v=1; a=openpgp-sha256; l=4847;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=gS3g6xsjLIpzk7J44q10tSAg/Ew8FCtqqmLLf8k+6gk=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGm8k0JZAkStjXV5tDumG80TLmWp/R0x8ywvo+/fyzdzV
+ rcfVbLuiGVhEGRikBVTZPmyjefo/opDil6Gtqdh5rAygQxh4OIUgIlU9zAsOHv3kxODq8Rsk9h7
+ 9vwfTPbyJ+6RYVgwacnv65Kzcndu3G17qKgkv2ZDWFIEAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+scsi: smartpqi: Fix disable_managed_interrupts
+
+Correct blk-mq registration issue with module parameter
+disable_managed_interrupts enabled.
+
+When we turn off the default PCI_IRQ_AFFINITY flag, the driver needs to
+register with blk-mq using blk_mq_map_queues(). The driver is currently
+calling blk_mq_pci_map_queues() which results in a stack trace and possibly
+undefined behavior.
+
+Stack Trace:
+[ 7.860089] scsi host2: smartpqi
+[ 7.871934] WARNING: CPU: 0 PID: 238 at block/blk-mq-pci.c:52 blk_mq_pci_map_queues+0xca/0xd0
+[ 7.889231] Modules linked in: sd_mod t10_pi sg uas smartpqi(+) crc32c_intel scsi_transport_sas usb_storage dm_mirror dm_region_hash dm_log dm_mod ipmi_devintf ipmi_msghandler fuse
+[ 7.924755] CPU: 0 PID: 238 Comm: kworker/0:3 Not tainted 4.18.0-372.88.1.el8_6_smartpqi_test.x86_64 #1
+[ 7.944336] Hardware name: HPE ProLiant DL380 Gen10/ProLiant DL380 Gen10, BIOS U30 03/08/2022
+[ 7.963026] Workqueue: events work_for_cpu_fn
+[ 7.978275] RIP: 0010:blk_mq_pci_map_queues+0xca/0xd0
+[ 7.978278] Code: 48 89 de 89 c7 e8 f6 0f 4f 00 3b 05 c4 b7 8e 01 72 e1 5b 31 c0 5d 41 5c 41 5d 41 5e 41 5f e9 7d df 73 00 31 c0 e9 76 df 73 00 <0f> 0b eb bc 90 90 0f 1f 44 00 00 41 57 49 89 ff 41 56 41 55 41 54
+[ 7.978280] RSP: 0018:ffffa95fc3707d50 EFLAGS: 00010216
+[ 7.978283] RAX: 00000000ffffffff RBX: 0000000000000000 RCX: 0000000000000010
+[ 7.978284] RDX: 0000000000000004 RSI: 0000000000000000 RDI: ffff9190c32d4310
+[ 7.978286] RBP: 0000000000000000 R08: ffffa95fc3707d38 R09: ffff91929b81ac00
+[ 7.978287] R10: 0000000000000001 R11: ffffa95fc3707ac0 R12: 0000000000000000
+[ 7.978288] R13: ffff9190c32d4000 R14: 00000000ffffffff R15: ffff9190c4c950a8
+[ 7.978290] FS: 0000000000000000(0000) GS:ffff9193efc00000(0000) knlGS:0000000000000000
+[ 7.978292] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 8.172814] CR2: 000055d11166c000 CR3: 00000002dae10002 CR4: 00000000007706f0
+[ 8.172816] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 8.172817] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 8.172818] PKRU: 55555554
+[ 8.172819] Call Trace:
+[ 8.172823] blk_mq_alloc_tag_set+0x12e/0x310
+[ 8.264339] scsi_add_host_with_dma.cold.9+0x30/0x245
+[ 8.279302] pqi_ctrl_init+0xacf/0xc8e [smartpqi]
+[ 8.294085] ? pqi_pci_probe+0x480/0x4c8 [smartpqi]
+[ 8.309015] pqi_pci_probe+0x480/0x4c8 [smartpqi]
+[ 8.323286] local_pci_probe+0x42/0x80
+[ 8.337855] work_for_cpu_fn+0x16/0x20
+[ 8.351193] process_one_work+0x1a7/0x360
+[ 8.364462] ? create_worker+0x1a0/0x1a0
+[ 8.379252] worker_thread+0x1ce/0x390
+[ 8.392623] ? create_worker+0x1a0/0x1a0
+[ 8.406295] kthread+0x10a/0x120
+[ 8.418428] ? set_kthread_struct+0x50/0x50
+[ 8.431532] ret_from_fork+0x1f/0x40
+[ 8.444137] ---[ end trace 1bf0173d39354506 ]---
+
+The Linux kernel CVE team has assigned CVE-2024-26742 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 6.0 with commit cf15c3e734e8 and fixed in 6.1.80 with commit 3c31b18a8dd8
+ Issue introduced in 6.0 with commit cf15c3e734e8 and fixed in 6.6.19 with commit 4f5b15c15e60
+ Issue introduced in 6.0 with commit cf15c3e734e8 and fixed in 6.7.7 with commit b9433b25cb06
+ Issue introduced in 6.0 with commit cf15c3e734e8 and fixed in 6.8 with commit 5761eb9761d2
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26742
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/scsi/smartpqi/smartpqi_init.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/3c31b18a8dd8b7bf36af1cd723d455853b8f94fe
+ https://git.kernel.org/stable/c/4f5b15c15e6016efb3e14582d02cc4ddf57227df
+ https://git.kernel.org/stable/c/b9433b25cb06c415c9cb24782599649a406c8d6d
+ https://git.kernel.org/stable/c/5761eb9761d2d5fe8248a9b719efc4d8baf1f24a
diff --git a/cve/published/2024/CVE-2024-26742.sha1 b/cve/published/2024/CVE-2024-26742.sha1
new file mode 100644
index 00000000..1d768e96
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26742.sha1
@@ -0,0 +1 @@
+5761eb9761d2d5fe8248a9b719efc4d8baf1f24a
diff --git a/cve/reserved/2024/CVE-2024-26743 b/cve/published/2024/CVE-2024-26743
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26743
+++ b/cve/published/2024/CVE-2024-26743
diff --git a/cve/published/2024/CVE-2024-26743.json b/cve/published/2024/CVE-2024-26743.json
new file mode 100644
index 00000000..51d7f63b
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26743.json
@@ -0,0 +1,148 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/qedr: Fix qedr_create_user_qp error flow\n\nAvoid the following warning by making sure to free the allocated\nresources in case that qedr_init_user_queue() fail.\n\n-----------[ cut here ]-----------\nWARNING: CPU: 0 PID: 143192 at drivers/infiniband/core/rdma_core.c:874 uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\nModules linked in: tls target_core_user uio target_core_pscsi target_core_file target_core_iblock ib_srpt ib_srp scsi_transport_srp nfsd nfs_acl rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs 8021q garp mrp stp llc ext4 mbcache jbd2 opa_vnic ib_umad ib_ipoib sunrpc rdma_ucm ib_isert iscsi_target_mod target_core_mod ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm hfi1 intel_rapl_msr intel_rapl_common mgag200 qedr sb_edac drm_shmem_helper rdmavt x86_pkg_temp_thermal drm_kms_helper intel_powerclamp ib_uverbs coretemp i2c_algo_bit kvm_intel dell_wmi_descriptor ipmi_ssif sparse_keymap kvm ib_core rfkill syscopyarea sysfillrect video sysimgblt irqbypass ipmi_si ipmi_devintf fb_sys_fops rapl iTCO_wdt mxm_wmi iTCO_vendor_support intel_cstate pcspkr dcdbas intel_uncore ipmi_msghandler lpc_ich acpi_power_meter mei_me mei fuse drm xfs libcrc32c qede sd_mod ahci libahci t10_pi sg crct10dif_pclmul crc32_pclmul crc32c_intel qed libata tg3\nghash_clmulni_intel megaraid_sas crc8 wmi [last unloaded: ib_srpt]\nCPU: 0 PID: 143192 Comm: fi_rdm_tagged_p Kdump: loaded Not tainted 5.14.0-408.el9.x86_64 #1\nHardware name: Dell Inc. 
PowerEdge R430/03XKDV, BIOS 2.14.0 01/25/2022\nRIP: 0010:uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\nCode: 5d 41 5c 41 5d 41 5e e9 0f 26 1b dd 48 89 df e8 67 6a ff ff 49 8b 86 10 01 00 00 48 85 c0 74 9c 4c 89 e7 e8 83 c0 cb dd eb 92 <0f> 0b eb be 0f 0b be 04 00 00 00 48 89 df e8 8e f5 ff ff e9 6d ff\nRSP: 0018:ffffb7c6cadfbc60 EFLAGS: 00010286\nRAX: ffff8f0889ee3f60 RBX: ffff8f088c1a5200 RCX: 00000000802a0016\nRDX: 00000000802a0017 RSI: 0000000000000001 RDI: ffff8f0880042600\nRBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000\nR10: ffff8f11fffd5000 R11: 0000000000039000 R12: ffff8f0d5b36cd80\nR13: ffff8f088c1a5250 R14: ffff8f1206d91000 R15: 0000000000000000\nFS: 0000000000000000(0000) GS:ffff8f11d7c00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000147069200e20 CR3: 00000001c7210002 CR4: 00000000001706f0\nCall Trace:\n<TASK>\n? show_trace_log_lvl+0x1c4/0x2df\n? show_trace_log_lvl+0x1c4/0x2df\n? ib_uverbs_close+0x1f/0xb0 [ib_uverbs]\n? uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\n? __warn+0x81/0x110\n? uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\n? report_bug+0x10a/0x140\n? handle_bug+0x3c/0x70\n? exc_invalid_op+0x14/0x70\n? asm_exc_invalid_op+0x16/0x20\n? uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\nib_uverbs_close+0x1f/0xb0 [ib_uverbs]\n__fput+0x94/0x250\ntask_work_run+0x5c/0x90\ndo_exit+0x270/0x4a0\ndo_group_exit+0x2d/0x90\nget_signal+0x87c/0x8c0\narch_do_signal_or_restart+0x25/0x100\n? ib_uverbs_ioctl+0xc2/0x110 [ib_uverbs]\nexit_to_user_mode_loop+0x9c/0x130\nexit_to_user_mode_prepare+0xb6/0x100\nsyscall_exit_to_user_mode+0x12/0x40\ndo_syscall_64+0x69/0x90\n? syscall_exit_work+0x103/0x130\n? syscall_exit_to_user_mode+0x22/0x40\n? do_syscall_64+0x69/0x90\n? syscall_exit_work+0x103/0x130\n? syscall_exit_to_user_mode+0x22/0x40\n? do_syscall_64+0x69/0x90\n? do_syscall_64+0x69/0x90\n? 
common_interrupt+0x43/0xa0\nentry_SYSCALL_64_after_hwframe+0x72/0xdc\nRIP: 0033:0x1470abe3ec6b\nCode: Unable to access opcode bytes at RIP 0x1470abe3ec41.\nRSP: 002b:00007fff13ce9108 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: fffffffffffffffc RBX: 00007fff13ce9218 RCX: 00001470abe3ec6b\nRDX: 00007fff13ce9200 RSI: 00000000c0181b01 RDI: 0000000000000004\nRBP: 00007fff13ce91e0 R08: 0000558d9655da10 R09: 0000558d9655dd00\nR10: 00007fff13ce95c0 R11: 0000000000000246 R12: 00007fff13ce9358\nR13: 0000000000000013 R14: 0000558d9655db50 R15: 00007fff13ce9470\n</TASK>\n--[ end trace 888a9b92e04c5c97 ]--"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "df15856132bc",
+ "lessThan": "5639414a52a2",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "df15856132bc",
+ "lessThan": "135e5465fefa",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "df15856132bc",
+ "lessThan": "7f31a244c753",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "df15856132bc",
+ "lessThan": "95175dda017c",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "df15856132bc",
+ "lessThan": "bab8875c06eb",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "df15856132bc",
+ "lessThan": "5ba4e6d5863c",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "4.11",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "4.11",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.211",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.150",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.80",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/5639414a52a29336ffa1ede80a67c6d927acbc5a"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/135e5465fefa463c5ec93c4eede48b9fedac894a"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/7f31a244c753aacf40b71d01f03ca6742f81bbbc"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/95175dda017cd4982cd47960536fa1de003d3298"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/bab8875c06ebda5e01c5c4cab30022aed85c14e6"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/5ba4e6d5863c53e937f49932dee0ecb004c65928"
+ }
+ ],
+ "title": "RDMA/qedr: Fix qedr_create_user_qp error flow",
+ "x_generator": {
+ "engine": "bippy-d3b290d2becc"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26743",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26743.mbox b/cve/published/2024/CVE-2024-26743.mbox
new file mode 100644
index 00000000..e921966a
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26743.mbox
@@ -0,0 +1,135 @@
+From bippy-d3b290d2becc Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26743: RDMA/qedr: Fix qedr_create_user_qp error flow
+Message-Id: <2024040301-CVE-2024-26743-6034@gregkh>
+Content-Length: 6151
+Lines: 118
+X-Developer-Signature: v=1; a=openpgp-sha256; l=6270;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=NgfuQFh7fL2YkoxIsaSBf+Eg5hT/ehyaMseDKabLyLM=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGm8k0IbLvKJptf+Vd/7JF1ZpEXeTVBmt7jXg/+fV7nPm
+ z1hYwFLRywLgyATg6yYIsuXbTxH91ccUvQytD0NM4eVCWQIAxenAEykRohhNquzrJTxznjnn6//
+ LnCyceS46X3pKsOCmVNWFcRmK135VVLEx6TW7S6d3/ILAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+RDMA/qedr: Fix qedr_create_user_qp error flow
+
+Avoid the following warning by making sure to free the allocated
+resources in case that qedr_init_user_queue() fail.
+
+-----------[ cut here ]-----------
+WARNING: CPU: 0 PID: 143192 at drivers/infiniband/core/rdma_core.c:874 uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]
+Modules linked in: tls target_core_user uio target_core_pscsi target_core_file target_core_iblock ib_srpt ib_srp scsi_transport_srp nfsd nfs_acl rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs 8021q garp mrp stp llc ext4 mbcache jbd2 opa_vnic ib_umad ib_ipoib sunrpc rdma_ucm ib_isert iscsi_target_mod target_core_mod ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm hfi1 intel_rapl_msr intel_rapl_common mgag200 qedr sb_edac drm_shmem_helper rdmavt x86_pkg_temp_thermal drm_kms_helper intel_powerclamp ib_uverbs coretemp i2c_algo_bit kvm_intel dell_wmi_descriptor ipmi_ssif sparse_keymap kvm ib_core rfkill syscopyarea sysfillrect video sysimgblt irqbypass ipmi_si ipmi_devintf fb_sys_fops rapl iTCO_wdt mxm_wmi iTCO_vendor_support intel_cstate pcspkr dcdbas intel_uncore ipmi_msghandler lpc_ich acpi_power_meter mei_me mei fuse drm xfs libcrc32c qede sd_mod ahci libahci t10_pi sg crct10dif_pclmul crc32_pclmul crc32c_intel qed libata tg3
+ghash_clmulni_intel megaraid_sas crc8 wmi [last unloaded: ib_srpt]
+CPU: 0 PID: 143192 Comm: fi_rdm_tagged_p Kdump: loaded Not tainted 5.14.0-408.el9.x86_64 #1
+Hardware name: Dell Inc. PowerEdge R430/03XKDV, BIOS 2.14.0 01/25/2022
+RIP: 0010:uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]
+Code: 5d 41 5c 41 5d 41 5e e9 0f 26 1b dd 48 89 df e8 67 6a ff ff 49 8b 86 10 01 00 00 48 85 c0 74 9c 4c 89 e7 e8 83 c0 cb dd eb 92 <0f> 0b eb be 0f 0b be 04 00 00 00 48 89 df e8 8e f5 ff ff e9 6d ff
+RSP: 0018:ffffb7c6cadfbc60 EFLAGS: 00010286
+RAX: ffff8f0889ee3f60 RBX: ffff8f088c1a5200 RCX: 00000000802a0016
+RDX: 00000000802a0017 RSI: 0000000000000001 RDI: ffff8f0880042600
+RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000
+R10: ffff8f11fffd5000 R11: 0000000000039000 R12: ffff8f0d5b36cd80
+R13: ffff8f088c1a5250 R14: ffff8f1206d91000 R15: 0000000000000000
+FS: 0000000000000000(0000) GS:ffff8f11d7c00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000147069200e20 CR3: 00000001c7210002 CR4: 00000000001706f0
+Call Trace:
+<TASK>
+? show_trace_log_lvl+0x1c4/0x2df
+? show_trace_log_lvl+0x1c4/0x2df
+? ib_uverbs_close+0x1f/0xb0 [ib_uverbs]
+? uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]
+? __warn+0x81/0x110
+? uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]
+? report_bug+0x10a/0x140
+? handle_bug+0x3c/0x70
+? exc_invalid_op+0x14/0x70
+? asm_exc_invalid_op+0x16/0x20
+? uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]
+ib_uverbs_close+0x1f/0xb0 [ib_uverbs]
+__fput+0x94/0x250
+task_work_run+0x5c/0x90
+do_exit+0x270/0x4a0
+do_group_exit+0x2d/0x90
+get_signal+0x87c/0x8c0
+arch_do_signal_or_restart+0x25/0x100
+? ib_uverbs_ioctl+0xc2/0x110 [ib_uverbs]
+exit_to_user_mode_loop+0x9c/0x130
+exit_to_user_mode_prepare+0xb6/0x100
+syscall_exit_to_user_mode+0x12/0x40
+do_syscall_64+0x69/0x90
+? syscall_exit_work+0x103/0x130
+? syscall_exit_to_user_mode+0x22/0x40
+? do_syscall_64+0x69/0x90
+? syscall_exit_work+0x103/0x130
+? syscall_exit_to_user_mode+0x22/0x40
+? do_syscall_64+0x69/0x90
+? do_syscall_64+0x69/0x90
+? common_interrupt+0x43/0xa0
+entry_SYSCALL_64_after_hwframe+0x72/0xdc
+RIP: 0033:0x1470abe3ec6b
+Code: Unable to access opcode bytes at RIP 0x1470abe3ec41.
+RSP: 002b:00007fff13ce9108 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+RAX: fffffffffffffffc RBX: 00007fff13ce9218 RCX: 00001470abe3ec6b
+RDX: 00007fff13ce9200 RSI: 00000000c0181b01 RDI: 0000000000000004
+RBP: 00007fff13ce91e0 R08: 0000558d9655da10 R09: 0000558d9655dd00
+R10: 00007fff13ce95c0 R11: 0000000000000246 R12: 00007fff13ce9358
+R13: 0000000000000013 R14: 0000558d9655db50 R15: 00007fff13ce9470
+</TASK>
+--[ end trace 888a9b92e04c5c97 ]--
+
+The Linux kernel CVE team has assigned CVE-2024-26743 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 4.11 with commit df15856132bc and fixed in 5.10.211 with commit 5639414a52a2
+ Issue introduced in 4.11 with commit df15856132bc and fixed in 5.15.150 with commit 135e5465fefa
+ Issue introduced in 4.11 with commit df15856132bc and fixed in 6.1.80 with commit 7f31a244c753
+ Issue introduced in 4.11 with commit df15856132bc and fixed in 6.6.19 with commit 95175dda017c
+ Issue introduced in 4.11 with commit df15856132bc and fixed in 6.7.7 with commit bab8875c06eb
+ Issue introduced in 4.11 with commit df15856132bc and fixed in 6.8 with commit 5ba4e6d5863c
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26743
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/infiniband/hw/qedr/verbs.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/5639414a52a29336ffa1ede80a67c6d927acbc5a
+ https://git.kernel.org/stable/c/135e5465fefa463c5ec93c4eede48b9fedac894a
+ https://git.kernel.org/stable/c/7f31a244c753aacf40b71d01f03ca6742f81bbbc
+ https://git.kernel.org/stable/c/95175dda017cd4982cd47960536fa1de003d3298
+ https://git.kernel.org/stable/c/bab8875c06ebda5e01c5c4cab30022aed85c14e6
+ https://git.kernel.org/stable/c/5ba4e6d5863c53e937f49932dee0ecb004c65928
diff --git a/cve/published/2024/CVE-2024-26743.sha1 b/cve/published/2024/CVE-2024-26743.sha1
new file mode 100644
index 00000000..28d0f801
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26743.sha1
@@ -0,0 +1 @@
+5ba4e6d5863c53e937f49932dee0ecb004c65928
diff --git a/cve/reserved/2024/CVE-2024-26744 b/cve/published/2024/CVE-2024-26744
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26744
+++ b/cve/published/2024/CVE-2024-26744
diff --git a/cve/published/2024/CVE-2024-26744.json b/cve/published/2024/CVE-2024-26744.json
new file mode 100644
index 00000000..0dcffe06
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26744.json
@@ -0,0 +1,163 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/srpt: Support specifying the srpt_service_guid parameter\n\nMake loading ib_srpt with this parameter set work. The current behavior is\nthat setting that parameter while loading the ib_srpt kernel module\ntriggers the following kernel crash:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nCall Trace:\n <TASK>\n parse_one+0x18c/0x1d0\n parse_args+0xe1/0x230\n load_module+0x8de/0xa60\n init_module_from_file+0x8b/0xd0\n idempotent_init_module+0x181/0x240\n __x64_sys_finit_module+0x5a/0xb0\n do_syscall_64+0x5f/0xe0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "a42d985bd5b2",
+ "lessThan": "84f1dac960cf",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "a42d985bd5b2",
+ "lessThan": "5a5c039dac1b",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "a42d985bd5b2",
+ "lessThan": "989af2f29342",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "a42d985bd5b2",
+ "lessThan": "aee4dcfe1721",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "a42d985bd5b2",
+ "lessThan": "fe2a73d57319",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "a42d985bd5b2",
+ "lessThan": "c99a827d3cff",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "a42d985bd5b2",
+ "lessThan": "fdfa083549de",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "3.3",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "3.3",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.19.308",
+ "lessThanOrEqual": "4.19.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.211",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.150",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.80",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/84f1dac960cfa210a3b7a7522e6c2320ae91932b"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/5a5c039dac1b1b7ba3e91c791f4421052bf79b82"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/989af2f29342a9a7c7515523d879b698ac8465f4"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/aee4dcfe17219fe60f2821923adea98549060af8"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/fe2a73d57319feab4b3b175945671ce43492172f"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/c99a827d3cff9f84e1cb997b7cc6386d107aa74d"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/fdfa083549de5d50ebf7f6811f33757781e838c0"
+ }
+ ],
+ "title": "RDMA/srpt: Support specifying the srpt_service_guid parameter",
+ "x_generator": {
+ "engine": "bippy-d3b290d2becc"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26744",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26744.mbox b/cve/published/2024/CVE-2024-26744.mbox
new file mode 100644
index 00000000..add843b1
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26744.mbox
@@ -0,0 +1,88 @@
+From bippy-d3b290d2becc Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26744: RDMA/srpt: Support specifying the srpt_service_guid parameter
+Message-Id: <2024040301-CVE-2024-26744-d344@gregkh>
+Content-Length: 2974
+Lines: 71
+X-Developer-Signature: v=1; a=openpgp-sha256; l=3046;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=US2Nldjxr+PSrwREFRwiGWU2aBb0Au7HCTf7BnMfjrU=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGm8k0I7bpVLcDa8n79ZrHbeXw0FhjkTKzYv/p8/W25fs
+ nuacS5jRywLgyATg6yYIsuXbTxH91ccUvQytD0NM4eVCWQIAxenAEyEIYBhNovvlKw/GkfCUgsj
+ DT7zZBYFL920jmF+2Zol35RkNhs3cojNti16vGDNoSPLAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+RDMA/srpt: Support specifying the srpt_service_guid parameter
+
+Make loading ib_srpt with this parameter set work. The current behavior is
+that setting that parameter while loading the ib_srpt kernel module
+triggers the following kernel crash:
+
+BUG: kernel NULL pointer dereference, address: 0000000000000000
+Call Trace:
+ <TASK>
+ parse_one+0x18c/0x1d0
+ parse_args+0xe1/0x230
+ load_module+0x8de/0xa60
+ init_module_from_file+0x8b/0xd0
+ idempotent_init_module+0x181/0x240
+ __x64_sys_finit_module+0x5a/0xb0
+ do_syscall_64+0x5f/0xe0
+ entry_SYSCALL_64_after_hwframe+0x6e/0x76
+
+The Linux kernel CVE team has assigned CVE-2024-26744 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 3.3 with commit a42d985bd5b2 and fixed in 4.19.308 with commit 84f1dac960cf
+ Issue introduced in 3.3 with commit a42d985bd5b2 and fixed in 5.10.211 with commit 5a5c039dac1b
+ Issue introduced in 3.3 with commit a42d985bd5b2 and fixed in 5.15.150 with commit 989af2f29342
+ Issue introduced in 3.3 with commit a42d985bd5b2 and fixed in 6.1.80 with commit aee4dcfe1721
+ Issue introduced in 3.3 with commit a42d985bd5b2 and fixed in 6.6.19 with commit fe2a73d57319
+ Issue introduced in 3.3 with commit a42d985bd5b2 and fixed in 6.7.7 with commit c99a827d3cff
+ Issue introduced in 3.3 with commit a42d985bd5b2 and fixed in 6.8 with commit fdfa083549de
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26744
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/infiniband/ulp/srpt/ib_srpt.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/84f1dac960cfa210a3b7a7522e6c2320ae91932b
+ https://git.kernel.org/stable/c/5a5c039dac1b1b7ba3e91c791f4421052bf79b82
+ https://git.kernel.org/stable/c/989af2f29342a9a7c7515523d879b698ac8465f4
+ https://git.kernel.org/stable/c/aee4dcfe17219fe60f2821923adea98549060af8
+ https://git.kernel.org/stable/c/fe2a73d57319feab4b3b175945671ce43492172f
+ https://git.kernel.org/stable/c/c99a827d3cff9f84e1cb997b7cc6386d107aa74d
+ https://git.kernel.org/stable/c/fdfa083549de5d50ebf7f6811f33757781e838c0
diff --git a/cve/published/2024/CVE-2024-26744.sha1 b/cve/published/2024/CVE-2024-26744.sha1
new file mode 100644
index 00000000..7eb5f6d6
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26744.sha1
@@ -0,0 +1 @@
+fdfa083549de5d50ebf7f6811f33757781e838c0
diff --git a/cve/reserved/2024/CVE-2024-26747 b/cve/published/2024/CVE-2024-26747
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26747
+++ b/cve/published/2024/CVE-2024-26747
diff --git a/cve/published/2024/CVE-2024-26747.json b/cve/published/2024/CVE-2024-26747.json
new file mode 100644
index 00000000..26e1071f
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26747.json
@@ -0,0 +1,148 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: roles: fix NULL pointer issue when put module's reference\n\nIn current design, usb role class driver will get usb_role_switch parent's\nmodule reference after the user get usb_role_switch device and put the\nreference after the user put the usb_role_switch device. However, the\nparent device of usb_role_switch may be removed before the user put the\nusb_role_switch. If so, then, NULL pointer issue will be met when the user\nput the parent module's reference.\n\nThis will save the module pointer in structure of usb_role_switch. Then,\nwe don't need to find module by iterating long relations."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5c54fcac9a9d",
+ "lessThan": "e279bf8e5189",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "5c54fcac9a9d",
+ "lessThan": "ef982fc41055",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "5c54fcac9a9d",
+ "lessThan": "0158216805ca",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "5c54fcac9a9d",
+ "lessThan": "4b45829440b1",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "5c54fcac9a9d",
+ "lessThan": "01f82de440f2",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "5c54fcac9a9d",
+ "lessThan": "1c9be13846c0",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "4.19",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "4.19",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.211",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.150",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.80",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/e279bf8e51893e1fe160b3d8126ef2dd00f661e1"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/ef982fc41055fcebb361a92288d3225783d12913"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/0158216805ca7e498d07de38840d2732166ae5fa"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/4b45829440b1b208948b39cc71f77a37a2536734"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/01f82de440f2ab07c259b7573371e1c42e5565db"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/1c9be13846c0b2abc2480602f8ef421360e1ad9e"
+ }
+ ],
+ "title": "usb: roles: fix NULL pointer issue when put module's reference",
+ "x_generator": {
+ "engine": "bippy-d3b290d2becc"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26747",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
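Review bot: The `versions` lists in this record have no entry for commit 7b169e33a3bc, although the CVE-2024-26747.mbox added in the same commit lists "Issue introduced in 4.18.12 with commit 7b169e33a3bc" with no fixing commit. As written, the `"version": "0", "lessThan": "4.19"` range marks every release before 4.19 as unaffected, so a scanner that reads only the JSON would presumably clear a 4.18.y kernel at 4.18.12 or later that the announcement treats as affected. I would add the backport to the git list, for example `{"version": "7b169e33a3bc", "status": "affected", "versionType": "git"}`, and narrow the unaffected range in the version-number list to match. Since the `x_generator` field shows the file is produced by bippy, the fix likely belongs in the generator rather than in a hand edit here.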
diff --git a/cve/published/2024/CVE-2024-26747.mbox b/cve/published/2024/CVE-2024-26747.mbox
new file mode 100644
index 00000000..b3fc05f6
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26747.mbox
@@ -0,0 +1,81 @@
+From bippy-d3b290d2becc Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26747: usb: roles: fix NULL pointer issue when put module's reference
+Message-Id: <2024040301-CVE-2024-26747-50b0@gregkh>
+Content-Length: 2876
+Lines: 64
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2941;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=5l9AYOpgfP2OzPsnUeKdYMfv7Z+nQZztGGNXKx6NF6Y=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGm8k8LevEi+7727rHnFN4ZJrtMehxsv3PV+6/ppq8vPr
+ /R5vlb+V0csC4MgE4OsmCLLl208R/dXHFL0MrQ9DTOHlQlkCAMXpwBM5Js9w4I1urPX/DTavpjn
+ 14+wTM34s/Y/N8kzzFMz/7Axo/dxwuyafZqChpPEOHdJ+QIA
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+usb: roles: fix NULL pointer issue when put module's reference
+
+In current design, usb role class driver will get usb_role_switch parent's
+module reference after the user get usb_role_switch device and put the
+reference after the user put the usb_role_switch device. However, the
+parent device of usb_role_switch may be removed before the user put the
+usb_role_switch. If so, then, NULL pointer issue will be met when the user
+put the parent module's reference.
+
+This will save the module pointer in structure of usb_role_switch. Then,
+we don't need to find module by iterating long relations.
+
+The Linux kernel CVE team has assigned CVE-2024-26747 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 4.19 with commit 5c54fcac9a9d and fixed in 5.10.211 with commit e279bf8e5189
+ Issue introduced in 4.19 with commit 5c54fcac9a9d and fixed in 5.15.150 with commit ef982fc41055
+ Issue introduced in 4.19 with commit 5c54fcac9a9d and fixed in 6.1.80 with commit 0158216805ca
+ Issue introduced in 4.19 with commit 5c54fcac9a9d and fixed in 6.6.19 with commit 4b45829440b1
+ Issue introduced in 4.19 with commit 5c54fcac9a9d and fixed in 6.7.7 with commit 01f82de440f2
+ Issue introduced in 4.19 with commit 5c54fcac9a9d and fixed in 6.8 with commit 1c9be13846c0
+ Issue introduced in 4.18.12 with commit 7b169e33a3bc
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26747
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/usb/roles/class.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/e279bf8e51893e1fe160b3d8126ef2dd00f661e1
+ https://git.kernel.org/stable/c/ef982fc41055fcebb361a92288d3225783d12913
+ https://git.kernel.org/stable/c/0158216805ca7e498d07de38840d2732166ae5fa
+ https://git.kernel.org/stable/c/4b45829440b1b208948b39cc71f77a37a2536734
+ https://git.kernel.org/stable/c/01f82de440f2ab07c259b7573371e1c42e5565db
+ https://git.kernel.org/stable/c/1c9be13846c0b2abc2480602f8ef421360e1ad9e
diff --git a/cve/published/2024/CVE-2024-26747.sha1 b/cve/published/2024/CVE-2024-26747.sha1
new file mode 100644
index 00000000..34d58930
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26747.sha1
@@ -0,0 +1 @@
+1c9be13846c0b2abc2480602f8ef421360e1ad9e
diff --git a/cve/reserved/2024/CVE-2024-26748 b/cve/published/2024/CVE-2024-26748
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26748
+++ b/cve/published/2024/CVE-2024-26748
diff --git a/cve/published/2024/CVE-2024-26748.json b/cve/published/2024/CVE-2024-26748.json
new file mode 100644
index 00000000..490416b9
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26748.json
@@ -0,0 +1,163 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: cdns3: fix memory double free when handle zero packet\n\n829 if (request->complete) {\n830 spin_unlock(&priv_dev->lock);\n831 usb_gadget_giveback_request(&priv_ep->endpoint,\n832 request);\n833 spin_lock(&priv_dev->lock);\n834 }\n835\n836 if (request->buf == priv_dev->zlp_buf)\n837 cdns3_gadget_ep_free_request(&priv_ep->endpoint, request);\n\nDriver append an additional zero packet request when queue a packet, which\nlength mod max packet size is 0. When transfer complete, run to line 831,\nusb_gadget_giveback_request() will free this requestion. 836 condition is\ntrue, so cdns3_gadget_ep_free_request() free this request again.\n\nLog:\n\n[ 1920.140696][ T150] BUG: KFENCE: use-after-free read in cdns3_gadget_giveback+0x134/0x2c0 [cdns3]\n[ 1920.140696][ T150]\n[ 1920.151837][ T150] Use-after-free read at 0x000000003d1cd10b (in kfence-#36):\n[ 1920.159082][ T150] cdns3_gadget_giveback+0x134/0x2c0 [cdns3]\n[ 1920.164988][ T150] cdns3_transfer_completed+0x438/0x5f8 [cdns3]\n\nAdd check at line 829, skip call usb_gadget_giveback_request() if it is\nadditional zero length packet request. Needn't call\nusb_gadget_giveback_request() because it is allocated in this driver."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "7733f6c32e36",
+ "lessThan": "aad6132ae6e4",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "7733f6c32e36",
+ "lessThan": "1e204a8e9eb5",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "7733f6c32e36",
+ "lessThan": "3a2a909942b5",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "7733f6c32e36",
+ "lessThan": "9a52b694b066",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "7733f6c32e36",
+ "lessThan": "70e8038813f9",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "7733f6c32e36",
+ "lessThan": "92d20406a3d4",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "7733f6c32e36",
+ "lessThan": "5fd9e45f1ebc",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.4",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.4",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.270",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.211",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.150",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.80",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/aad6132ae6e4809e375431f8defd1521985e44e7"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/1e204a8e9eb514e22a6567fb340ebb47df3f3a48"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/3a2a909942b5335b7ea66366d84261b3ed5f89c8"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/9a52b694b066f299d8b9800854a8503457a8b64c"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/70e8038813f9d3e72df966748ebbc40efe466019"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/92d20406a3d4ff3e8be667c79209dc9ed31df5b3"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/5fd9e45f1ebcd57181358af28506e8a661a260b3"
+ }
+ ],
+ "title": "usb: cdns3: fix memory double free when handle zero packet",
+ "x_generator": {
+ "engine": "bippy-d3b290d2becc"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26748",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26748.mbox b/cve/published/2024/CVE-2024-26748.mbox
new file mode 100644
index 00000000..877eef36
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26748.mbox
@@ -0,0 +1,99 @@
+From bippy-d3b290d2becc Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26748: usb: cdns3: fix memory double free when handle zero packet
+Message-Id: <2024040302-CVE-2024-26748-f000@gregkh>
+Content-Length: 3638
+Lines: 82
+X-Developer-Signature: v=1; a=openpgp-sha256; l=3721;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=fXiU8fQuGL08sWEfXBGodHW2j0DwaK8qVVBBNDghAVQ=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGm8k8Lk35p4NkaczjSfdnAdz4rdGQFa9Ypp282z/iuke
+ E/5EfinI5aFQZCJQVZMkeXLNp6j+ysOKXoZ2p6GmcPKBDKEgYtTACbi2M4w3/cdd/ecvp5/dy3n
+ xefPdGCvPX/ZiWGeSd2tB29dRc70PT1h03B+krDgDPGDAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+usb: cdns3: fix memory double free when handle zero packet
+
+829 if (request->complete) {
+830 spin_unlock(&priv_dev->lock);
+831 usb_gadget_giveback_request(&priv_ep->endpoint,
+832 request);
+833 spin_lock(&priv_dev->lock);
+834 }
+835
+836 if (request->buf == priv_dev->zlp_buf)
+837 cdns3_gadget_ep_free_request(&priv_ep->endpoint, request);
+
+Driver append an additional zero packet request when queue a packet, which
+length mod max packet size is 0. When transfer complete, run to line 831,
+usb_gadget_giveback_request() will free this requestion. 836 condition is
+true, so cdns3_gadget_ep_free_request() free this request again.
+
+Log:
+
+[ 1920.140696][ T150] BUG: KFENCE: use-after-free read in cdns3_gadget_giveback+0x134/0x2c0 [cdns3]
+[ 1920.140696][ T150]
+[ 1920.151837][ T150] Use-after-free read at 0x000000003d1cd10b (in kfence-#36):
+[ 1920.159082][ T150] cdns3_gadget_giveback+0x134/0x2c0 [cdns3]
+[ 1920.164988][ T150] cdns3_transfer_completed+0x438/0x5f8 [cdns3]
+
+Add check at line 829, skip call usb_gadget_giveback_request() if it is
+additional zero length packet request. Needn't call
+usb_gadget_giveback_request() because it is allocated in this driver.
+
+The Linux kernel CVE team has assigned CVE-2024-26748 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.4 with commit 7733f6c32e36 and fixed in 5.4.270 with commit aad6132ae6e4
+ Issue introduced in 5.4 with commit 7733f6c32e36 and fixed in 5.10.211 with commit 1e204a8e9eb5
+ Issue introduced in 5.4 with commit 7733f6c32e36 and fixed in 5.15.150 with commit 3a2a909942b5
+ Issue introduced in 5.4 with commit 7733f6c32e36 and fixed in 6.1.80 with commit 9a52b694b066
+ Issue introduced in 5.4 with commit 7733f6c32e36 and fixed in 6.6.19 with commit 70e8038813f9
+ Issue introduced in 5.4 with commit 7733f6c32e36 and fixed in 6.7.7 with commit 92d20406a3d4
+ Issue introduced in 5.4 with commit 7733f6c32e36 and fixed in 6.8 with commit 5fd9e45f1ebc
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26748
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/usb/cdns3/cdns3-gadget.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/aad6132ae6e4809e375431f8defd1521985e44e7
+ https://git.kernel.org/stable/c/1e204a8e9eb514e22a6567fb340ebb47df3f3a48
+ https://git.kernel.org/stable/c/3a2a909942b5335b7ea66366d84261b3ed5f89c8
+ https://git.kernel.org/stable/c/9a52b694b066f299d8b9800854a8503457a8b64c
+ https://git.kernel.org/stable/c/70e8038813f9d3e72df966748ebbc40efe466019
+ https://git.kernel.org/stable/c/92d20406a3d4ff3e8be667c79209dc9ed31df5b3
+ https://git.kernel.org/stable/c/5fd9e45f1ebcd57181358af28506e8a661a260b3
diff --git a/cve/published/2024/CVE-2024-26748.sha1 b/cve/published/2024/CVE-2024-26748.sha1
new file mode 100644
index 00000000..805d8013
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26748.sha1
@@ -0,0 +1 @@
+5fd9e45f1ebcd57181358af28506e8a661a260b3
diff --git a/cve/reserved/2024/CVE-2024-26749 b/cve/published/2024/CVE-2024-26749
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26749
+++ b/cve/published/2024/CVE-2024-26749
diff --git a/cve/published/2024/CVE-2024-26749.json b/cve/published/2024/CVE-2024-26749.json
new file mode 100644
index 00000000..43803d43
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26749.json
@@ -0,0 +1,163 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: cdns3: fixed memory use after free at cdns3_gadget_ep_disable()\n\n ...\n cdns3_gadget_ep_free_request(&priv_ep->endpoint, &priv_req->request);\n list_del_init(&priv_req->list);\n ...\n\n'priv_req' actually free at cdns3_gadget_ep_free_request(). But\nlist_del_init() use priv_req->list after it.\n\n[ 1542.642868][ T534] BUG: KFENCE: use-after-free read in __list_del_entry_valid+0x10/0xd4\n[ 1542.642868][ T534]\n[ 1542.653162][ T534] Use-after-free read at 0x000000009ed0ba99 (in kfence-#3):\n[ 1542.660311][ T534] __list_del_entry_valid+0x10/0xd4\n[ 1542.665375][ T534] cdns3_gadget_ep_disable+0x1f8/0x388 [cdns3]\n[ 1542.671571][ T534] usb_ep_disable+0x44/0xe4\n[ 1542.675948][ T534] ffs_func_eps_disable+0x64/0xc8\n[ 1542.680839][ T534] ffs_func_set_alt+0x74/0x368\n[ 1542.685478][ T534] ffs_func_disable+0x18/0x28\n\nMove list_del_init() before cdns3_gadget_ep_free_request() to resolve this\nproblem."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "7733f6c32e36",
+ "lessThan": "cfa9abb5570c",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "7733f6c32e36",
+ "lessThan": "b40328eea93c",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "7733f6c32e36",
+ "lessThan": "4e5c73b15d95",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "7733f6c32e36",
+ "lessThan": "2134e9906e17",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "7733f6c32e36",
+ "lessThan": "29e42e1578a1",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "7733f6c32e36",
+ "lessThan": "9a07244f614b",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "7733f6c32e36",
+ "lessThan": "cd45f99034b0",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.4",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.4",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.270",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.211",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.150",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.80",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/cfa9abb5570c489dabf6f7fb3a066cc576fc8824"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/b40328eea93c75a5645891408010141a0159f643"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/4e5c73b15d95452c1ba9c771dd013a3fbe052ff3"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/2134e9906e17b1e5284300fab547869ebacfd7d9"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/29e42e1578a10c611b3f1a38f3229b2d664b5d16"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/9a07244f614bc417de527b799da779dcae780b5d"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/cd45f99034b0c8c9cb346dd0d6407a95ca3d36f6"
+ }
+ ],
+ "title": "usb: cdns3: fixed memory use after free at cdns3_gadget_ep_disable()",
+ "x_generator": {
+ "engine": "bippy-d3b290d2becc"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26749",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26749.mbox b/cve/published/2024/CVE-2024-26749.mbox
new file mode 100644
index 00000000..85620d28
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26749.mbox
@@ -0,0 +1,93 @@
+From bippy-d3b290d2becc Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26749: usb: cdns3: fixed memory use after free at cdns3_gadget_ep_disable()
+Message-Id: <2024040302-CVE-2024-26749-eac4@gregkh>
+Content-Length: 3311
+Lines: 76
+X-Developer-Signature: v=1; a=openpgp-sha256; l=3388;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=e+R5M6Qi3Qg4jMyZu8YlZGFuUd1HdFI4WT0DSe8MPoc=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGm8k8J+HJ+wyK1uQpt+lfJK93d7y5a5L3fRbtrAceHMI
+ RuLs57SHbEsDIJMDLJiiixftvEc3V9xSNHL0PY0zBxWJpAhDFycAjCRSVcZ5hn2yfSevbrOUWOV
+ nNt77XXFt43e/GJYsD9gzUWe+nmTVrhfbY6eX25+NdniMgA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+usb: cdns3: fixed memory use after free at cdns3_gadget_ep_disable()
+
+ ...
+ cdns3_gadget_ep_free_request(&priv_ep->endpoint, &priv_req->request);
+ list_del_init(&priv_req->list);
+ ...
+
+'priv_req' actually free at cdns3_gadget_ep_free_request(). But
+list_del_init() use priv_req->list after it.
+
+[ 1542.642868][ T534] BUG: KFENCE: use-after-free read in __list_del_entry_valid+0x10/0xd4
+[ 1542.642868][ T534]
+[ 1542.653162][ T534] Use-after-free read at 0x000000009ed0ba99 (in kfence-#3):
+[ 1542.660311][ T534] __list_del_entry_valid+0x10/0xd4
+[ 1542.665375][ T534] cdns3_gadget_ep_disable+0x1f8/0x388 [cdns3]
+[ 1542.671571][ T534] usb_ep_disable+0x44/0xe4
+[ 1542.675948][ T534] ffs_func_eps_disable+0x64/0xc8
+[ 1542.680839][ T534] ffs_func_set_alt+0x74/0x368
+[ 1542.685478][ T534] ffs_func_disable+0x18/0x28
+
+Move list_del_init() before cdns3_gadget_ep_free_request() to resolve this
+problem.
+
+The Linux kernel CVE team has assigned CVE-2024-26749 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.4 with commit 7733f6c32e36 and fixed in 5.4.270 with commit cfa9abb5570c
+ Issue introduced in 5.4 with commit 7733f6c32e36 and fixed in 5.10.211 with commit b40328eea93c
+ Issue introduced in 5.4 with commit 7733f6c32e36 and fixed in 5.15.150 with commit 4e5c73b15d95
+ Issue introduced in 5.4 with commit 7733f6c32e36 and fixed in 6.1.80 with commit 2134e9906e17
+ Issue introduced in 5.4 with commit 7733f6c32e36 and fixed in 6.6.19 with commit 29e42e1578a1
+ Issue introduced in 5.4 with commit 7733f6c32e36 and fixed in 6.7.7 with commit 9a07244f614b
+ Issue introduced in 5.4 with commit 7733f6c32e36 and fixed in 6.8 with commit cd45f99034b0
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26749
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/usb/cdns3/cdns3-gadget.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/cfa9abb5570c489dabf6f7fb3a066cc576fc8824
+ https://git.kernel.org/stable/c/b40328eea93c75a5645891408010141a0159f643
+ https://git.kernel.org/stable/c/4e5c73b15d95452c1ba9c771dd013a3fbe052ff3
+ https://git.kernel.org/stable/c/2134e9906e17b1e5284300fab547869ebacfd7d9
+ https://git.kernel.org/stable/c/29e42e1578a10c611b3f1a38f3229b2d664b5d16
+ https://git.kernel.org/stable/c/9a07244f614bc417de527b799da779dcae780b5d
+ https://git.kernel.org/stable/c/cd45f99034b0c8c9cb346dd0d6407a95ca3d36f6
diff --git a/cve/published/2024/CVE-2024-26749.sha1 b/cve/published/2024/CVE-2024-26749.sha1
new file mode 100644
index 00000000..14484614
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26749.sha1
@@ -0,0 +1 @@
+cd45f99034b0c8c9cb346dd0d6407a95ca3d36f6
diff --git a/cve/reserved/2024/CVE-2024-26751 b/cve/published/2024/CVE-2024-26751
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26751
+++ b/cve/published/2024/CVE-2024-26751
diff --git a/cve/published/2024/CVE-2024-26751.json b/cve/published/2024/CVE-2024-26751.json
new file mode 100644
index 00000000..d62e2c24
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26751.json
@@ -0,0 +1,178 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: ep93xx: Add terminator to gpiod_lookup_table\n\nWithout the terminator, if a con_id is passed to gpio_find() that\ndoes not exist in the lookup table the function will not stop looping\ncorrectly, and eventually cause an oops."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "b2e63555592f",
+ "lessThan": "9e200a06ae2a",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "b2e63555592f",
+ "lessThan": "999a8bb70da2",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "b2e63555592f",
+ "lessThan": "70d92abbe296",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "b2e63555592f",
+ "lessThan": "eec6cbbfa1e8",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "b2e63555592f",
+ "lessThan": "786f089086b5",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "b2e63555592f",
+ "lessThan": "97ba7c1f9c0a",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "b2e63555592f",
+ "lessThan": "6abe0895b63c",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "b2e63555592f",
+ "lessThan": "fdf87a0dc26d",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "4.15",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "4.15",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.19.308",
+ "lessThanOrEqual": "4.19.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.270",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.211",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.150",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.80",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/9e200a06ae2abb321939693008290af32b33dd6e"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/999a8bb70da2946336327b4480824d1691cae1fa"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/70d92abbe29692a3de8697ae082c60f2d21ab482"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/eec6cbbfa1e8d685cc245cfd5626d0715a127a48"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/786f089086b505372fb3f4f008d57e7845fff0d8"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/97ba7c1f9c0a2401e644760d857b2386aa895997"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/6abe0895b63c20de06685c8544b908c7e413efa8"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/fdf87a0dc26d0550c60edc911cda42f9afec3557"
+ }
+ ],
+ "title": "ARM: ep93xx: Add terminator to gpiod_lookup_table",
+ "x_generator": {
+ "engine": "bippy-d3b290d2becc"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26751",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26751.mbox b/cve/published/2024/CVE-2024-26751.mbox
new file mode 100644
index 00000000..a79e33cc
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26751.mbox
@@ -0,0 +1,78 @@
+From bippy-d3b290d2becc Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26751: ARM: ep93xx: Add terminator to gpiod_lookup_table
+Message-Id: <2024040302-CVE-2024-26751-fd31@gregkh>
+Content-Length: 2801
+Lines: 61
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2863;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=dKTJFrLNc3o78KZa2iPpEkNxzNxMLN8cKeqGSxkSvDE=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGm8k8LEt1bsXDxfdLLBusuXElPaqt8cOv1bxtLk6jnmU
+ K3CWeYXOmJZGASZGGTFFFm+bOM5ur/ikKKXoe1pmDmsTCBDGLg4BWAi//4wLFj/3HIPA9P3L1/Y
+ CzISjN5d36Aq5M+wYO76NZUL531jLHSVklI6c8M3i2PtUgA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+ARM: ep93xx: Add terminator to gpiod_lookup_table
+
+Without the terminator, if a con_id is passed to gpio_find() that
+does not exist in the lookup table the function will not stop looping
+correctly, and eventually cause an oops.
+
+The Linux kernel CVE team has assigned CVE-2024-26751 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 4.15 with commit b2e63555592f and fixed in 4.19.308 with commit 9e200a06ae2a
+ Issue introduced in 4.15 with commit b2e63555592f and fixed in 5.4.270 with commit 999a8bb70da2
+ Issue introduced in 4.15 with commit b2e63555592f and fixed in 5.10.211 with commit 70d92abbe296
+ Issue introduced in 4.15 with commit b2e63555592f and fixed in 5.15.150 with commit eec6cbbfa1e8
+ Issue introduced in 4.15 with commit b2e63555592f and fixed in 6.1.80 with commit 786f089086b5
+ Issue introduced in 4.15 with commit b2e63555592f and fixed in 6.6.19 with commit 97ba7c1f9c0a
+ Issue introduced in 4.15 with commit b2e63555592f and fixed in 6.7.7 with commit 6abe0895b63c
+ Issue introduced in 4.15 with commit b2e63555592f and fixed in 6.8 with commit fdf87a0dc26d
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26751
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ arch/arm/mach-ep93xx/core.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/9e200a06ae2abb321939693008290af32b33dd6e
+ https://git.kernel.org/stable/c/999a8bb70da2946336327b4480824d1691cae1fa
+ https://git.kernel.org/stable/c/70d92abbe29692a3de8697ae082c60f2d21ab482
+ https://git.kernel.org/stable/c/eec6cbbfa1e8d685cc245cfd5626d0715a127a48
+ https://git.kernel.org/stable/c/786f089086b505372fb3f4f008d57e7845fff0d8
+ https://git.kernel.org/stable/c/97ba7c1f9c0a2401e644760d857b2386aa895997
+ https://git.kernel.org/stable/c/6abe0895b63c20de06685c8544b908c7e413efa8
+ https://git.kernel.org/stable/c/fdf87a0dc26d0550c60edc911cda42f9afec3557
diff --git a/cve/published/2024/CVE-2024-26751.sha1 b/cve/published/2024/CVE-2024-26751.sha1
new file mode 100644
index 00000000..0dbf7d3e
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26751.sha1
@@ -0,0 +1 @@
+fdf87a0dc26d0550c60edc911cda42f9afec3557
diff --git a/cve/reserved/2024/CVE-2024-26752 b/cve/published/2024/CVE-2024-26752
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26752
+++ b/cve/published/2024/CVE-2024-26752
diff --git a/cve/published/2024/CVE-2024-26752.json b/cve/published/2024/CVE-2024-26752.json
new file mode 100644
index 00000000..1881ab10
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26752.json
@@ -0,0 +1,168 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nl2tp: pass correct message length to ip6_append_data\n\nl2tp_ip6_sendmsg needs to avoid accounting for the transport header\ntwice when splicing more data into an already partially-occupied skbuff.\n\nTo manage this, we check whether the skbuff contains data using\nskb_queue_empty when deciding how much data to append using\nip6_append_data.\n\nHowever, the code which performed the calculation was incorrect:\n\n ulen = len + skb_queue_empty(&sk->sk_write_queue) ? transhdrlen : 0;\n\n...due to C operator precedence, this ends up setting ulen to\ntranshdrlen for messages with a non-zero length, which results in\ncorrupted packets on the wire.\n\nAdd parentheses to correct the calculation in line with the original\nintent."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "559d697c5d07",
+ "lessThan": "4c3ce64bc9d3",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1fc793d68d50",
+ "lessThan": "c1d3a84a67db",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "96b2e1090397",
+ "lessThan": "dcb4d1426859",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "cd1189956393",
+ "lessThan": "0da15a703951",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "f6a7182179c0",
+ "lessThan": "13cd1daeea84",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "9d4c75800f61",
+ "lessThan": "804bd8650a3a",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "9d4c75800f61",
+ "lessThan": "83340c66b498",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "9d4c75800f61",
+ "lessThan": "359e54a93ab4",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "4.19.308",
+ "lessThanOrEqual": "4.19.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.270",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.211",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.150",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.80",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/4c3ce64bc9d36ca9164dd6c77ff144c121011aae"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/c1d3a84a67db910ce28a871273c992c3d7f9efb5"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/dcb4d14268595065c85dc5528056713928e17243"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/0da15a70395182ee8cb75716baf00dddc0bea38d"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/13cd1daeea848614e585b2c6ecc11ca9c8ab2500"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/804bd8650a3a2bf3432375f8c97d5049d845ce56"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/83340c66b498e49353530e41542500fc8a4782d6"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/359e54a93ab43d32ee1bff3c2f9f10cb9f6b6e79"
+ }
+ ],
+ "title": "l2tp: pass correct message length to ip6_append_data",
+ "x_generator": {
+ "engine": "bippy-d3b290d2becc"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26752",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
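Review bot: The git `versions` list in this record has no entry for the two branches that the matching .mbox hunk lists as affected with no fix: `Issue introduced in 4.14.327 with commit 7626b9fed530` and `Issue introduced in 6.5.7 with commit fe80658c08e3`. A consumer that matches on commit ranges will not flag trees built from those branches. Adding `{"version": "7626b9fed530", "status": "affected", "versionType": "git"}` and the same object for `fe80658c08e3` would close that gap. The second `versions` block also has no introduced-version entries, so under `"defaultStatus": "affected"` releases older than the backport points named in the .mbox (for example 4.19.y before 4.19.296) read as affected. If that is a generator limitation rather than intent, it should be documented for people who automate on this file.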
diff --git a/cve/published/2024/CVE-2024-26752.mbox b/cve/published/2024/CVE-2024-26752.mbox
new file mode 100644
index 00000000..57e28418
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26752.mbox
@@ -0,0 +1,94 @@
+From bippy-d3b290d2becc Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26752: l2tp: pass correct message length to ip6_append_data
+Message-Id: <2024040302-CVE-2024-26752-cb0a@gregkh>
+Content-Length: 3402
+Lines: 77
+X-Developer-Signature: v=1; a=openpgp-sha256; l=3480;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=7HlEoqsPR3DQ7lZpxGt563GCBIQkrapaATGjfYqPvzQ=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGm8k8IVFjYLT9R8FqOnnNmaIBkn+fHfJuWgD3GhGse9w
+ 3a91V/REcvCIMjEICumyPJlG8/R/RWHFL0MbU/DzGFlAhnCwMUpABOJK2NY0C3p+VPh8BaGAAVl
+ Dh8Po9OSwqx7GRacK4o1V5x0YWtZ0YeeAKEr28T4K1IB
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+l2tp: pass correct message length to ip6_append_data
+
+l2tp_ip6_sendmsg needs to avoid accounting for the transport header
+twice when splicing more data into an already partially-occupied skbuff.
+
+To manage this, we check whether the skbuff contains data using
+skb_queue_empty when deciding how much data to append using
+ip6_append_data.
+
+However, the code which performed the calculation was incorrect:
+
+ ulen = len + skb_queue_empty(&sk->sk_write_queue) ? transhdrlen : 0;
+
+...due to C operator precedence, this ends up setting ulen to
+transhdrlen for messages with a non-zero length, which results in
+corrupted packets on the wire.
+
+Add parentheses to correct the calculation in line with the original
+intent.
+
+The Linux kernel CVE team has assigned CVE-2024-26752 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 4.19.296 with commit 559d697c5d07 and fixed in 4.19.308 with commit 4c3ce64bc9d3
+ Issue introduced in 5.4.258 with commit 1fc793d68d50 and fixed in 5.4.270 with commit c1d3a84a67db
+ Issue introduced in 5.10.198 with commit 96b2e1090397 and fixed in 5.10.211 with commit dcb4d1426859
+ Issue introduced in 5.15.135 with commit cd1189956393 and fixed in 5.15.150 with commit 0da15a703951
+ Issue introduced in 6.1.57 with commit f6a7182179c0 and fixed in 6.1.80 with commit 13cd1daeea84
+ Issue introduced in 6.6 with commit 9d4c75800f61 and fixed in 6.6.19 with commit 804bd8650a3a
+ Issue introduced in 6.6 with commit 9d4c75800f61 and fixed in 6.7.7 with commit 83340c66b498
+ Issue introduced in 6.6 with commit 9d4c75800f61 and fixed in 6.8 with commit 359e54a93ab4
+ Issue introduced in 4.14.327 with commit 7626b9fed530
+ Issue introduced in 6.5.7 with commit fe80658c08e3
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26752
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ net/l2tp/l2tp_ip6.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/4c3ce64bc9d36ca9164dd6c77ff144c121011aae
+ https://git.kernel.org/stable/c/c1d3a84a67db910ce28a871273c992c3d7f9efb5
+ https://git.kernel.org/stable/c/dcb4d14268595065c85dc5528056713928e17243
+ https://git.kernel.org/stable/c/0da15a70395182ee8cb75716baf00dddc0bea38d
+ https://git.kernel.org/stable/c/13cd1daeea848614e585b2c6ecc11ca9c8ab2500
+ https://git.kernel.org/stable/c/804bd8650a3a2bf3432375f8c97d5049d845ce56
+ https://git.kernel.org/stable/c/83340c66b498e49353530e41542500fc8a4782d6
+ https://git.kernel.org/stable/c/359e54a93ab43d32ee1bff3c2f9f10cb9f6b6e79
diff --git a/cve/published/2024/CVE-2024-26752.sha1 b/cve/published/2024/CVE-2024-26752.sha1
new file mode 100644
index 00000000..ec7a135e
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26752.sha1
@@ -0,0 +1 @@
+359e54a93ab43d32ee1bff3c2f9f10cb9f6b6e79
diff --git a/cve/reserved/2024/CVE-2024-26753 b/cve/published/2024/CVE-2024-26753
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26753
+++ b/cve/published/2024/CVE-2024-26753
diff --git a/cve/published/2024/CVE-2024-26753.json b/cve/published/2024/CVE-2024-26753.json
new file mode 100644
index 00000000..22b229e3
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26753.json
@@ -0,0 +1,123 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: virtio/akcipher - Fix stack overflow on memcpy\n\nsizeof(struct virtio_crypto_akcipher_session_para) is less than\nsizeof(struct virtio_crypto_op_ctrl_req::u), copying more bytes from\nstack variable leads stack overflow. Clang reports this issue by\ncommands:\nmake -j CC=clang-14 mrproper >/dev/null 2>&1\nmake -j O=/tmp/crypto-build CC=clang-14 allmodconfig >/dev/null 2>&1\nmake -j O=/tmp/crypto-build W=1 CC=clang-14 drivers/crypto/virtio/\n virtio_crypto_akcipher_algs.o"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "dfdb686d1b43",
+ "lessThan": "37077ed16c77",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "59ca6c93387d",
+ "lessThan": "62f361bfea60",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "59ca6c93387d",
+ "lessThan": "b0365460e945",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "59ca6c93387d",
+ "lessThan": "ef1e47d50324",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "59ca6c93387d",
+ "lessThan": "c0ec2a712daf",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.10.212",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.80",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/37077ed16c7793e21b005979d33f8a61565b7e86"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/62f361bfea60c6afc3df09c1ad4152e6507f6f47"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/b0365460e945e1117b47cf7329d86de752daff63"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/ef1e47d50324e232d2da484fe55a54274eeb9bc1"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/c0ec2a712daf133d9996a8a1b7ee2d4996080363"
+ }
+ ],
+ "title": "crypto: virtio/akcipher - Fix stack overflow on memcpy",
+ "x_generator": {
+ "engine": "bippy-d3b290d2becc"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26753",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
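Review bot: The first git range starts at `"version": "dfdb686d1b43"`, but the matching .mbox hunk gives the 5.10 entry as `Issue introduced in 5.10.209 with commit 1ff57428894f and fixed in 5.10.212 with commit 37077ed16c77`. Both files come from the same generator run, so one of the two introducing ids is presumably wrong or names a different object; which one cannot be determined from this page. Until they are reconciled, tooling that keys on the introducing commit gets a different answer for 5.10.y depending on which file it reads. The second `versions` block also records neither 5.10.209 nor 5.18 as a first affected release, so 5.10.y before 5.10.209 reads as affected under `"defaultStatus": "affected"`.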
diff --git a/cve/published/2024/CVE-2024-26753.mbox b/cve/published/2024/CVE-2024-26753.mbox
new file mode 100644
index 00000000..4a9ff230
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26753.mbox
@@ -0,0 +1,77 @@
+From bippy-d3b290d2becc Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26753: crypto: virtio/akcipher - Fix stack overflow on memcpy
+Message-Id: <2024040303-CVE-2024-26753-b93a@gregkh>
+Content-Length: 2563
+Lines: 60
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2624;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=Ff2lyuP8XuHSi3v4oL0pSxMqOw3WLCoGUYLEIhVgN2E=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGm8k8Kv/BGpvd08/c48gcArCRGNe+Qbfx+WiH5c5Gm2W
+ rZvl3NERywLgyATg6yYIsuXbTxH91ccUvQytD0NM4eVCWQIAxenAExE4zDD/MRN0wIf75PM+7hJ
+ QWqqV2nCNkWbEwwLzgpwpvit3qQYtK30JO9i0ZrpAS4LAQ==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+crypto: virtio/akcipher - Fix stack overflow on memcpy
+
+sizeof(struct virtio_crypto_akcipher_session_para) is less than
+sizeof(struct virtio_crypto_op_ctrl_req::u), copying more bytes from
+stack variable leads stack overflow. Clang reports this issue by
+commands:
+make -j CC=clang-14 mrproper >/dev/null 2>&1
+make -j O=/tmp/crypto-build CC=clang-14 allmodconfig >/dev/null 2>&1
+make -j O=/tmp/crypto-build W=1 CC=clang-14 drivers/crypto/virtio/
+ virtio_crypto_akcipher_algs.o
+
+The Linux kernel CVE team has assigned CVE-2024-26753 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.10.209 with commit 1ff57428894f and fixed in 5.10.212 with commit 37077ed16c77
+ Issue introduced in 5.18 with commit 59ca6c93387d and fixed in 6.1.80 with commit 62f361bfea60
+ Issue introduced in 5.18 with commit 59ca6c93387d and fixed in 6.6.19 with commit b0365460e945
+ Issue introduced in 5.18 with commit 59ca6c93387d and fixed in 6.7.7 with commit ef1e47d50324
+ Issue introduced in 5.18 with commit 59ca6c93387d and fixed in 6.8 with commit c0ec2a712daf
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26753
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/crypto/virtio/virtio_crypto_akcipher_algs.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/37077ed16c7793e21b005979d33f8a61565b7e86
+ https://git.kernel.org/stable/c/62f361bfea60c6afc3df09c1ad4152e6507f6f47
+ https://git.kernel.org/stable/c/b0365460e945e1117b47cf7329d86de752daff63
+ https://git.kernel.org/stable/c/ef1e47d50324e232d2da484fe55a54274eeb9bc1
+ https://git.kernel.org/stable/c/c0ec2a712daf133d9996a8a1b7ee2d4996080363
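Review bot: The description's "stack overflow" does not match the condition it describes. The source is a stack variable of type `struct virtio_crypto_akcipher_session_para`, which is smaller than the `struct virtio_crypto_op_ctrl_req::u` size used for the copy, so the memcpy reads past the end of the stack object rather than writing past one. For triage this looks like a stack out-of-bounds read, presumably copying adjacent stack bytes into the control request. That is inferred from the sizes stated in the text, since the fix itself is not shown here. A clarifying line such as `(out-of-bounds read of the on-stack source; the destination is not overrun)` after the first paragraph would help anyone classifying the issue. The same text appears in the "descriptions" value of the .json record.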
diff --git a/cve/published/2024/CVE-2024-26753.sha1 b/cve/published/2024/CVE-2024-26753.sha1
new file mode 100644
index 00000000..31efd821
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26753.sha1
@@ -0,0 +1 @@
+c0ec2a712daf133d9996a8a1b7ee2d4996080363
diff --git a/cve/reserved/2024/CVE-2024-26754 b/cve/published/2024/CVE-2024-26754
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26754
+++ b/cve/published/2024/CVE-2024-26754
diff --git a/cve/published/2024/CVE-2024-26754.json b/cve/published/2024/CVE-2024-26754.json
new file mode 100644
index 00000000..ee2b3d6e
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26754.json
@@ -0,0 +1,178 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngtp: fix use-after-free and null-ptr-deref in gtp_genl_dump_pdp()\n\nThe gtp_net_ops pernet operations structure for the subsystem must be\nregistered before registering the generic netlink family.\n\nSyzkaller hit 'general protection fault in gtp_genl_dump_pdp' bug:\n\ngeneral protection fault, probably for non-canonical address\n0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\nCPU: 1 PID: 5826 Comm: gtp Not tainted 6.8.0-rc3-std-def-alt1 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-alt1 04/01/2014\nRIP: 0010:gtp_genl_dump_pdp+0x1be/0x800 [gtp]\nCode: c6 89 c6 e8 64 e9 86 df 58 45 85 f6 0f 85 4e 04 00 00 e8 c5 ee 86\n df 48 8b 54 24 18 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80>\n 3c 02 00 0f 85 de 05 00 00 48 8b 44 24 18 4c 8b 30 4c 39 f0 74\nRSP: 0018:ffff888014107220 EFLAGS: 00010202\nRAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000\nRDX: 0000000000000002 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: ffff88800fcda588 R14: 0000000000000001 R15: 0000000000000000\nFS: 00007f1be4eb05c0(0000) GS:ffff88806ce80000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f1be4e766cf CR3: 000000000c33e000 CR4: 0000000000750ef0\nPKRU: 55555554\nCall Trace:\n <TASK>\n ? show_regs+0x90/0xa0\n ? die_addr+0x50/0xd0\n ? exc_general_protection+0x148/0x220\n ? asm_exc_general_protection+0x22/0x30\n ? gtp_genl_dump_pdp+0x1be/0x800 [gtp]\n ? __alloc_skb+0x1dd/0x350\n ? __pfx___alloc_skb+0x10/0x10\n genl_dumpit+0x11d/0x230\n netlink_dump+0x5b9/0xce0\n ? lockdep_hardirqs_on_prepare+0x253/0x430\n ? __pfx_netlink_dump+0x10/0x10\n ? kasan_save_track+0x10/0x40\n ? __kasan_kmalloc+0x9b/0xa0\n ? 
genl_start+0x675/0x970\n __netlink_dump_start+0x6fc/0x9f0\n genl_family_rcv_msg_dumpit+0x1bb/0x2d0\n ? __pfx_genl_family_rcv_msg_dumpit+0x10/0x10\n ? genl_op_from_small+0x2a/0x440\n ? cap_capable+0x1d0/0x240\n ? __pfx_genl_start+0x10/0x10\n ? __pfx_genl_dumpit+0x10/0x10\n ? __pfx_genl_done+0x10/0x10\n ? security_capable+0x9d/0xe0"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "459aa660eb1d",
+ "lessThan": "f0ecdfa67918",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "459aa660eb1d",
+ "lessThan": "f8cbd1791900",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "459aa660eb1d",
+ "lessThan": "2e534fd15e5c",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "459aa660eb1d",
+ "lessThan": "a576308800be",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "459aa660eb1d",
+ "lessThan": "3963f16cc764",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "459aa660eb1d",
+ "lessThan": "ba6b8b02a331",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "459aa660eb1d",
+ "lessThan": "5013bd54d283",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "459aa660eb1d",
+ "lessThan": "136cfaca2256",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "4.7",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "4.7",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.19.308",
+ "lessThanOrEqual": "4.19.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.270",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.211",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.150",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.80",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/f0ecdfa679189d26aedfe24212d4e69e42c2c861"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/f8cbd1791900b5d96466eede8e9439a5b9ca4de7"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/2e534fd15e5c2ca15821c897352cf0e8a3e30dca"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/a576308800be28f2eaa099e7caad093b97d66e77"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/3963f16cc7643b461271989b712329520374ad2a"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/ba6b8b02a3314e62571a540efa96560888c5f03e"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/5013bd54d283eda5262c9ae3bcc966d01daf8576"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/136cfaca22567a03bbb3bf53a43d8cb5748b80ec"
+ }
+ ],
+ "title": "gtp: fix use-after-free and null-ptr-deref in gtp_genl_dump_pdp()",
+ "x_generator": {
+ "engine": "bippy-d3b290d2becc"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26754",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26754.mbox b/cve/published/2024/CVE-2024-26754.mbox
new file mode 100644
index 00000000..85d734ff
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26754.mbox
@@ -0,0 +1,124 @@
+From bippy-d3b290d2becc Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26754: gtp: fix use-after-free and null-ptr-deref in gtp_genl_dump_pdp()
+Message-Id: <2024040303-CVE-2024-26754-b34f@gregkh>
+Content-Length: 4741
+Lines: 107
+X-Developer-Signature: v=1; a=openpgp-sha256; l=4849;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=EmJqhw8gMg+hdoAObWrNivoe1mOnUuNxbk2TJ0SbmmQ=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGm8k8Jn/HnBvCB69bpzioIfxbt9euK899RN+tC7guPFm
+ 6Xf1wo97IhlYRBkYpAVU2T5so3n6P6KQ4pehranYeawMoEMYeDiFICJ6J1gmJ8/qWhXstYz9Ruh
+ 2s7skxXlIzQ+qzEsWMg9x3vft8l1PCVOuq0umfE825j8AA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+gtp: fix use-after-free and null-ptr-deref in gtp_genl_dump_pdp()
+
+The gtp_net_ops pernet operations structure for the subsystem must be
+registered before registering the generic netlink family.
+
+Syzkaller hit 'general protection fault in gtp_genl_dump_pdp' bug:
+
+general protection fault, probably for non-canonical address
+0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN NOPTI
+KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
+CPU: 1 PID: 5826 Comm: gtp Not tainted 6.8.0-rc3-std-def-alt1 #1
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-alt1 04/01/2014
+RIP: 0010:gtp_genl_dump_pdp+0x1be/0x800 [gtp]
+Code: c6 89 c6 e8 64 e9 86 df 58 45 85 f6 0f 85 4e 04 00 00 e8 c5 ee 86
+ df 48 8b 54 24 18 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80>
+ 3c 02 00 0f 85 de 05 00 00 48 8b 44 24 18 4c 8b 30 4c 39 f0 74
+RSP: 0018:ffff888014107220 EFLAGS: 00010202
+RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
+RDX: 0000000000000002 RSI: 0000000000000000 RDI: 0000000000000000
+RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
+R13: ffff88800fcda588 R14: 0000000000000001 R15: 0000000000000000
+FS: 00007f1be4eb05c0(0000) GS:ffff88806ce80000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f1be4e766cf CR3: 000000000c33e000 CR4: 0000000000750ef0
+PKRU: 55555554
+Call Trace:
+ <TASK>
+ ? show_regs+0x90/0xa0
+ ? die_addr+0x50/0xd0
+ ? exc_general_protection+0x148/0x220
+ ? asm_exc_general_protection+0x22/0x30
+ ? gtp_genl_dump_pdp+0x1be/0x800 [gtp]
+ ? __alloc_skb+0x1dd/0x350
+ ? __pfx___alloc_skb+0x10/0x10
+ genl_dumpit+0x11d/0x230
+ netlink_dump+0x5b9/0xce0
+ ? lockdep_hardirqs_on_prepare+0x253/0x430
+ ? __pfx_netlink_dump+0x10/0x10
+ ? kasan_save_track+0x10/0x40
+ ? __kasan_kmalloc+0x9b/0xa0
+ ? genl_start+0x675/0x970
+ __netlink_dump_start+0x6fc/0x9f0
+ genl_family_rcv_msg_dumpit+0x1bb/0x2d0
+ ? __pfx_genl_family_rcv_msg_dumpit+0x10/0x10
+ ? genl_op_from_small+0x2a/0x440
+ ? cap_capable+0x1d0/0x240
+ ? __pfx_genl_start+0x10/0x10
+ ? __pfx_genl_dumpit+0x10/0x10
+ ? __pfx_genl_done+0x10/0x10
+ ? security_capable+0x9d/0xe0
+
+The Linux kernel CVE team has assigned CVE-2024-26754 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 4.7 with commit 459aa660eb1d and fixed in 4.19.308 with commit f0ecdfa67918
+ Issue introduced in 4.7 with commit 459aa660eb1d and fixed in 5.4.270 with commit f8cbd1791900
+ Issue introduced in 4.7 with commit 459aa660eb1d and fixed in 5.10.211 with commit 2e534fd15e5c
+ Issue introduced in 4.7 with commit 459aa660eb1d and fixed in 5.15.150 with commit a576308800be
+ Issue introduced in 4.7 with commit 459aa660eb1d and fixed in 6.1.80 with commit 3963f16cc764
+ Issue introduced in 4.7 with commit 459aa660eb1d and fixed in 6.6.19 with commit ba6b8b02a331
+ Issue introduced in 4.7 with commit 459aa660eb1d and fixed in 6.7.7 with commit 5013bd54d283
+ Issue introduced in 4.7 with commit 459aa660eb1d and fixed in 6.8 with commit 136cfaca2256
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26754
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/net/gtp.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/f0ecdfa679189d26aedfe24212d4e69e42c2c861
+ https://git.kernel.org/stable/c/f8cbd1791900b5d96466eede8e9439a5b9ca4de7
+ https://git.kernel.org/stable/c/2e534fd15e5c2ca15821c897352cf0e8a3e30dca
+ https://git.kernel.org/stable/c/a576308800be28f2eaa099e7caad093b97d66e77
+ https://git.kernel.org/stable/c/3963f16cc7643b461271989b712329520374ad2a
+ https://git.kernel.org/stable/c/ba6b8b02a3314e62571a540efa96560888c5f03e
+ https://git.kernel.org/stable/c/5013bd54d283eda5262c9ae3bcc966d01daf8576
+ https://git.kernel.org/stable/c/136cfaca22567a03bbb3bf53a43d8cb5748b80ec
diff --git a/cve/published/2024/CVE-2024-26754.sha1 b/cve/published/2024/CVE-2024-26754.sha1
new file mode 100644
index 00000000..134cfbb1
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26754.sha1
@@ -0,0 +1 @@
+136cfaca22567a03bbb3bf53a43d8cb5748b80ec
diff --git a/cve/reserved/2024/CVE-2024-26755 b/cve/published/2024/CVE-2024-26755
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26755
+++ b/cve/published/2024/CVE-2024-26755
diff --git a/cve/published/2024/CVE-2024-26755.json b/cve/published/2024/CVE-2024-26755.json
new file mode 100644
index 00000000..6798bfc3
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26755.json
@@ -0,0 +1,88 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: Don't suspend the array for interrupted reshape\n\nmd_start_sync() will suspend the array if there are spares that can be\nadded or removed from conf, however, if reshape is still in progress,\nthis won't happen at all or data will be corrupted(remove_and_add_spares\nwon't be called from md_choose_sync_action for reshape), hence there is\nno need to suspend the array if reshape is not done yet.\n\nMeanwhile, there is a potential deadlock for raid456:\n\n1) reshape is interrupted;\n\n2) set one of the disk WantReplacement, and add a new disk to the array,\n however, recovery won't start until the reshape is finished;\n\n3) then issue an IO across reshpae position, this IO will wait for\n reshape to make progress;\n\n4) continue to reshape, then md_start_sync() found there is a spare disk\n that can be added to conf, mddev_suspend() is called;\n\nStep 4 and step 3 is waiting for each other, deadlock triggered. Noted\nthis problem is found by code review, and it's not reporduced yet.\n\nFix this porblem by don't suspend the array for interrupted reshape,\nthis is safe because conf won't be changed until reshape is done."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "bc08041b32ab",
+ "lessThan": "60d6130d0ac1",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "bc08041b32ab",
+ "lessThan": "9e46c70e829b",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.7",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "6.7",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/60d6130d0ac1d883ed93c2a1e10aadb60967fd48"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/9e46c70e829bddc24e04f963471e9983a11598b7"
+ }
+ ],
+ "title": "md: Don't suspend the array for interrupted reshape",
+ "x_generator": {
+ "engine": "bippy-d3b290d2becc"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26755",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26755.mbox b/cve/published/2024/CVE-2024-26755.mbox
new file mode 100644
index 00000000..8994e85e
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26755.mbox
@@ -0,0 +1,87 @@
+From bippy-d3b290d2becc Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26755: md: Don't suspend the array for interrupted reshape
+Message-Id: <2024040303-CVE-2024-26755-947e@gregkh>
+Content-Length: 2652
+Lines: 70
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2723;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=jjHbPtP1AL2Ovp2HaQ1kJwvyoBCzBq0Oa+NLscxnGlQ=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGm8k8ITFjw8u1xczcOP9Z01Q8qJ60du1e8s3fqI+9BGx
+ hnzUnWiO2JZGASZGGTFFFm+bOM5ur/ikKKXoe1pmDmsTCBDGLg4BWAij0wZ5pd7XQxYfqJQb+GS
+ i2vs5667yN8ueYFhvmvcz/enftv3TWSY59Kzcd9yDv0ZBwA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+md: Don't suspend the array for interrupted reshape
+
+md_start_sync() will suspend the array if there are spares that can be
+added or removed from conf, however, if reshape is still in progress,
+this won't happen at all or data will be corrupted(remove_and_add_spares
+won't be called from md_choose_sync_action for reshape), hence there is
+no need to suspend the array if reshape is not done yet.
+
+Meanwhile, there is a potential deadlock for raid456:
+
+1) reshape is interrupted;
+
+2) set one of the disk WantReplacement, and add a new disk to the array,
+ however, recovery won't start until the reshape is finished;
+
+3) then issue an IO across reshpae position, this IO will wait for
+ reshape to make progress;
+
+4) continue to reshape, then md_start_sync() found there is a spare disk
+ that can be added to conf, mddev_suspend() is called;
+
+Step 4 and step 3 is waiting for each other, deadlock triggered. Noted
+this problem is found by code review, and it's not reporduced yet.
+
+Fix this porblem by don't suspend the array for interrupted reshape,
+this is safe because conf won't be changed until reshape is done.
+
+The Linux kernel CVE team has assigned CVE-2024-26755 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 6.7 with commit bc08041b32ab and fixed in 6.7.7 with commit 60d6130d0ac1
+ Issue introduced in 6.7 with commit bc08041b32ab and fixed in 6.8 with commit 9e46c70e829b
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26755
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/md/md.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/60d6130d0ac1d883ed93c2a1e10aadb60967fd48
+ https://git.kernel.org/stable/c/9e46c70e829bddc24e04f963471e9983a11598b7
diff --git a/cve/published/2024/CVE-2024-26755.sha1 b/cve/published/2024/CVE-2024-26755.sha1
new file mode 100644
index 00000000..622d0adc
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26755.sha1
@@ -0,0 +1 @@
+9e46c70e829bddc24e04f963471e9983a11598b7
diff --git a/cve/reserved/2024/CVE-2024-26756 b/cve/published/2024/CVE-2024-26756
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26756
+++ b/cve/published/2024/CVE-2024-26756
diff --git a/cve/published/2024/CVE-2024-26756.json b/cve/published/2024/CVE-2024-26756.json
new file mode 100644
index 00000000..6d98d4ce
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26756.json
@@ -0,0 +1,88 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: Don't register sync_thread for reshape directly\n\nCurrently, if reshape is interrupted, then reassemble the array will\nregister sync_thread directly from pers->run(), in this case\n'MD_RECOVERY_RUNNING' is set directly, however, there is no guarantee\nthat md_do_sync() will be executed, hence stop_sync_thread() will hang\nbecause 'MD_RECOVERY_RUNNING' can't be cleared.\n\nLast patch make sure that md_do_sync() will set MD_RECOVERY_DONE,\nhowever, following hang can still be triggered by dm-raid test\nshell/lvconvert-raid-reshape.sh occasionally:\n\n[root@fedora ~]# cat /proc/1982/stack\n[<0>] stop_sync_thread+0x1ab/0x270 [md_mod]\n[<0>] md_frozen_sync_thread+0x5c/0xa0 [md_mod]\n[<0>] raid_presuspend+0x1e/0x70 [dm_raid]\n[<0>] dm_table_presuspend_targets+0x40/0xb0 [dm_mod]\n[<0>] __dm_destroy+0x2a5/0x310 [dm_mod]\n[<0>] dm_destroy+0x16/0x30 [dm_mod]\n[<0>] dev_remove+0x165/0x290 [dm_mod]\n[<0>] ctl_ioctl+0x4bb/0x7b0 [dm_mod]\n[<0>] dm_ctl_ioctl+0x11/0x20 [dm_mod]\n[<0>] vfs_ioctl+0x21/0x60\n[<0>] __x64_sys_ioctl+0xb9/0xe0\n[<0>] do_syscall_64+0xc6/0x230\n[<0>] entry_SYSCALL_64_after_hwframe+0x6c/0x74\n\nMeanwhile mddev->recovery is:\nMD_RECOVERY_RUNNING |\nMD_RECOVERY_INTR |\nMD_RECOVERY_RESHAPE |\nMD_RECOVERY_FROZEN\n\nFix this problem by remove the code to register sync_thread directly\nfrom raid10 and raid5. And let md_check_recovery() to register\nsync_thread."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "f52f5c71f3d4",
+ "lessThan": "13b520fb62b7",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "f52f5c71f3d4",
+ "lessThan": "ad39c08186f8",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "2.6.17",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "2.6.17",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/13b520fb62b772e408f9b79c5fe18ad414e90417"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/ad39c08186f8a0f221337985036ba86731d6aafe"
+ }
+ ],
+ "title": "md: Don't register sync_thread for reshape directly",
+ "x_generator": {
+ "engine": "bippy-d3b290d2becc"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26756",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
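Review bot: The git-range entries in `affected[0].versions` name `f52f5c71f3d4` as the introducing commit, but the CVE-2024-26756.mbox added further down in this commit says the issue was introduced in 2.6.17 with commit `f67055780caa`, so the two records for the same CVE disagree. The CVE-2024-26757.json hunk pairs the same `f52f5c71f3d4` hash with a first affected release of 4.8, and one commit cannot have first shipped in both 2.6.17 and 4.8, so at least one hash/release pairing is wrong. If the mbox value is the intended one, both git entries here should read `"version": "f67055780caa",`; otherwise the `"version": "2.6.17"` entry in the release-number block and the mbox text need regenerating to match the hash. Until this is reconciled, tooling that matches on the git range rather than the release numbers will probably compute a different affected set from the announcement.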
diff --git a/cve/published/2024/CVE-2024-26756.mbox b/cve/published/2024/CVE-2024-26756.mbox
new file mode 100644
index 00000000..c65471a1
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26756.mbox
@@ -0,0 +1,99 @@
+From bippy-d3b290d2becc Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26756: md: Don't register sync_thread for reshape directly
+Message-Id: <2024040303-CVE-2024-26756-135f@gregkh>
+Content-Length: 2936
+Lines: 82
+X-Developer-Signature: v=1; a=openpgp-sha256; l=3019;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=UFh24MHhotrF7JXNXXQFEm4xESOlqpFRdQmCclx8LOA=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGm8kyK2H9lYIlj/1Gn6GqEi73suK3cfnvDBrmxnQ9/qm
+ z8lDP9c6ohlYRBkYpAVU2T5so3n6P6KQ4pehranYeawMoEMYeDiFICJhBYzzNN2b5n9qCrDQjOs
+ pyF1h02+lqSMNMP84tPfvA79W3qxunYxx4M979Zo3i+eAwA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+md: Don't register sync_thread for reshape directly
+
+Currently, if reshape is interrupted, then reassemble the array will
+register sync_thread directly from pers->run(), in this case
+'MD_RECOVERY_RUNNING' is set directly, however, there is no guarantee
+that md_do_sync() will be executed, hence stop_sync_thread() will hang
+because 'MD_RECOVERY_RUNNING' can't be cleared.
+
+Last patch make sure that md_do_sync() will set MD_RECOVERY_DONE,
+however, following hang can still be triggered by dm-raid test
+shell/lvconvert-raid-reshape.sh occasionally:
+
+[root@fedora ~]# cat /proc/1982/stack
+[<0>] stop_sync_thread+0x1ab/0x270 [md_mod]
+[<0>] md_frozen_sync_thread+0x5c/0xa0 [md_mod]
+[<0>] raid_presuspend+0x1e/0x70 [dm_raid]
+[<0>] dm_table_presuspend_targets+0x40/0xb0 [dm_mod]
+[<0>] __dm_destroy+0x2a5/0x310 [dm_mod]
+[<0>] dm_destroy+0x16/0x30 [dm_mod]
+[<0>] dev_remove+0x165/0x290 [dm_mod]
+[<0>] ctl_ioctl+0x4bb/0x7b0 [dm_mod]
+[<0>] dm_ctl_ioctl+0x11/0x20 [dm_mod]
+[<0>] vfs_ioctl+0x21/0x60
+[<0>] __x64_sys_ioctl+0xb9/0xe0
+[<0>] do_syscall_64+0xc6/0x230
+[<0>] entry_SYSCALL_64_after_hwframe+0x6c/0x74
+
+Meanwhile mddev->recovery is:
+MD_RECOVERY_RUNNING |
+MD_RECOVERY_INTR |
+MD_RECOVERY_RESHAPE |
+MD_RECOVERY_FROZEN
+
+Fix this problem by remove the code to register sync_thread directly
+from raid10 and raid5. And let md_check_recovery() to register
+sync_thread.
+
+The Linux kernel CVE team has assigned CVE-2024-26756 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 2.6.17 with commit f67055780caa and fixed in 6.7.7 with commit 13b520fb62b7
+ Issue introduced in 2.6.17 with commit f67055780caa and fixed in 6.8 with commit ad39c08186f8
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26756
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/md/md.c
+ drivers/md/raid10.c
+ drivers/md/raid5.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/13b520fb62b772e408f9b79c5fe18ad414e90417
+ https://git.kernel.org/stable/c/ad39c08186f8a0f221337985036ba86731d6aafe
diff --git a/cve/published/2024/CVE-2024-26756.sha1 b/cve/published/2024/CVE-2024-26756.sha1
new file mode 100644
index 00000000..b50184b4
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26756.sha1
@@ -0,0 +1 @@
+ad39c08186f8a0f221337985036ba86731d6aafe
diff --git a/cve/reserved/2024/CVE-2024-26757 b/cve/published/2024/CVE-2024-26757
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26757
+++ b/cve/published/2024/CVE-2024-26757
diff --git a/cve/published/2024/CVE-2024-26757.json b/cve/published/2024/CVE-2024-26757.json
new file mode 100644
index 00000000..4b221962
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26757.json
@@ -0,0 +1,88 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: Don't ignore read-only array in md_check_recovery()\n\nUsually if the array is not read-write, md_check_recovery() won't\nregister new sync_thread in the first place. And if the array is\nread-write and sync_thread is registered, md_set_readonly() will\nunregister sync_thread before setting the array read-only. md/raid\nfollow this behavior hence there is no problem.\n\nAfter commit f52f5c71f3d4 (\"md: fix stopping sync thread\"), following\nhang can be triggered by test shell/integrity-caching.sh:\n\n1) array is read-only. dm-raid update super block:\nrs_update_sbs\n ro = mddev->ro\n mddev->ro = 0\n -> set array read-write\n md_update_sb\n\n2) register new sync thread concurrently.\n\n3) dm-raid set array back to read-only:\nrs_update_sbs\n mddev->ro = ro\n\n4) stop the array:\nraid_dtr\n md_stop\n stop_sync_thread\n set_bit(MD_RECOVERY_INTR, &mddev->recovery);\n md_wakeup_thread_directly(mddev->sync_thread);\n wait_event(..., !test_bit(MD_RECOVERY_RUNNING, &mddev->recovery))\n\n5) sync thread done:\n md_do_sync\n set_bit(MD_RECOVERY_DONE, &mddev->recovery);\n md_wakeup_thread(mddev->thread);\n\n6) daemon thread can't unregister sync thread:\n md_check_recovery\n if (!md_is_rdwr(mddev) &&\n !test_bit(MD_RECOVERY_NEEDED, &mddev->recovery))\n return;\n -> -> MD_RECOVERY_RUNNING can't be cleared, hence step 4 hang;\n\nThe root cause is that dm-raid manipulate 'mddev->ro' by itself,\nhowever, dm-raid really should stop sync thread before setting the\narray read-only. Unfortunately, I need to read more code before I\ncan refacter the handler of 'mddev->ro' in dm-raid, hence let's fix\nthe problem the easy way for now to prevent dm-raid regression."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "f52f5c71f3d4",
+ "lessThan": "2ea169c5a0b1",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "f52f5c71f3d4",
+ "lessThan": "55a48ad2db64",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "4.8",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "4.8",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/2ea169c5a0b1134d573d07fc27a16f327ad0e7d3"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/55a48ad2db64737f7ffc0407634218cc6e4c513b"
+ }
+ ],
+ "title": "md: Don't ignore read-only array in md_check_recovery()",
+ "x_generator": {
+ "engine": "bippy-d3b290d2becc"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26757",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26757.mbox b/cve/published/2024/CVE-2024-26757.mbox
new file mode 100644
index 00000000..b60fc5d7
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26757.mbox
@@ -0,0 +1,110 @@
+From bippy-d3b290d2becc Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26757: md: Don't ignore read-only array in md_check_recovery()
+Message-Id: <2024040304-CVE-2024-26757-7f96@gregkh>
+Content-Length: 3178
+Lines: 93
+X-Developer-Signature: v=1; a=openpgp-sha256; l=3272;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=6uoTuGjxhaJV2FRhH+z5MLDWHbhG8qHGQkpuj2pYW78=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGm8kyK+xy6c0Pji+ZL320v8rT4GMB1RKfn4cdnGb8u5f
+ ql16uz93xHLwiDIxCArpsjyZRvP0f0VhxS9DG1Pw8xhZQIZwsDFKQAT0XVmmCv6bEWVtdvm/6dv
+ iFdNv7nWMYS7249hwVHpN5aC/x5XLdDfd4h3UsfEZ8tvnAAA
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+md: Don't ignore read-only array in md_check_recovery()
+
+Usually if the array is not read-write, md_check_recovery() won't
+register new sync_thread in the first place. And if the array is
+read-write and sync_thread is registered, md_set_readonly() will
+unregister sync_thread before setting the array read-only. md/raid
+follow this behavior hence there is no problem.
+
+After commit f52f5c71f3d4 ("md: fix stopping sync thread"), following
+hang can be triggered by test shell/integrity-caching.sh:
+
+1) array is read-only. dm-raid update super block:
+rs_update_sbs
+ ro = mddev->ro
+ mddev->ro = 0
+ -> set array read-write
+ md_update_sb
+
+2) register new sync thread concurrently.
+
+3) dm-raid set array back to read-only:
+rs_update_sbs
+ mddev->ro = ro
+
+4) stop the array:
+raid_dtr
+ md_stop
+ stop_sync_thread
+ set_bit(MD_RECOVERY_INTR, &mddev->recovery);
+ md_wakeup_thread_directly(mddev->sync_thread);
+ wait_event(..., !test_bit(MD_RECOVERY_RUNNING, &mddev->recovery))
+
+5) sync thread done:
+ md_do_sync
+ set_bit(MD_RECOVERY_DONE, &mddev->recovery);
+ md_wakeup_thread(mddev->thread);
+
+6) daemon thread can't unregister sync thread:
+ md_check_recovery
+ if (!md_is_rdwr(mddev) &&
+ !test_bit(MD_RECOVERY_NEEDED, &mddev->recovery))
+ return;
+ -> -> MD_RECOVERY_RUNNING can't be cleared, hence step 4 hang;
+
+The root cause is that dm-raid manipulate 'mddev->ro' by itself,
+however, dm-raid really should stop sync thread before setting the
+array read-only. Unfortunately, I need to read more code before I
+can refacter the handler of 'mddev->ro' in dm-raid, hence let's fix
+the problem the easy way for now to prevent dm-raid regression.
+
+The Linux kernel CVE team has assigned CVE-2024-26757 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 4.8 with commit ecbfb9f118bc and fixed in 6.7.7 with commit 2ea169c5a0b1
+ Issue introduced in 4.8 with commit ecbfb9f118bc and fixed in 6.8 with commit 55a48ad2db64
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26757
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/md/md.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/2ea169c5a0b1134d573d07fc27a16f327ad0e7d3
+ https://git.kernel.org/stable/c/55a48ad2db64737f7ffc0407634218cc6e4c513b
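Review bot: The "Affected and fixed versions" lines name 4.8 and commit ecbfb9f118bc as the origin, but the description attributes the hang to commit f52f5c71f3d4, and the git ranges in CVE-2024-26757.json also start at `"version": "f52f5c71f3d4"`. The semver block in that JSON (`"version": "4.8"`, `"status": "affected"`) follows the mbox instead, so a scanner matching on release numbers would flag every kernel from 4.8 up to the fix, while one matching on git ranges would flag only trees containing f52f5c71f3d4. Whichever commit is the real origin, all three places should agree; if it is f52f5c71f3d4, the line would read `Issue introduced in <RELEASE_CONTAINING_f52f5c71f3d4> with commit f52f5c71f3d4 and fixed in 6.7.7 with commit 2ea169c5a0b1`, with the semver entries adjusted to match. The CVE-2024-26758 .json and .mbox hunks have the same mismatch (f52f5c71f3d4 in the git ranges, 3.0 with commit 68866e425be2 in the semver block and mbox).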
diff --git a/cve/published/2024/CVE-2024-26757.sha1 b/cve/published/2024/CVE-2024-26757.sha1
new file mode 100644
index 00000000..54f86088
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26757.sha1
@@ -0,0 +1 @@
+55a48ad2db64737f7ffc0407634218cc6e4c513b
diff --git a/cve/reserved/2024/CVE-2024-26758 b/cve/published/2024/CVE-2024-26758
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26758
+++ b/cve/published/2024/CVE-2024-26758
diff --git a/cve/published/2024/CVE-2024-26758.json b/cve/published/2024/CVE-2024-26758.json
new file mode 100644
index 00000000..0ebee9f2
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26758.json
@@ -0,0 +1,88 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: Don't ignore suspended array in md_check_recovery()\n\nmddev_suspend() never stop sync_thread, hence it doesn't make sense to\nignore suspended array in md_check_recovery(), which might cause\nsync_thread can't be unregistered.\n\nAfter commit f52f5c71f3d4 (\"md: fix stopping sync thread\"), following\nhang can be triggered by test shell/integrity-caching.sh:\n\n1) suspend the array:\nraid_postsuspend\n mddev_suspend\n\n2) stop the array:\nraid_dtr\n md_stop\n __md_stop_writes\n stop_sync_thread\n set_bit(MD_RECOVERY_INTR, &mddev->recovery);\n md_wakeup_thread_directly(mddev->sync_thread);\n wait_event(..., !test_bit(MD_RECOVERY_RUNNING, &mddev->recovery))\n\n3) sync thread done:\nmd_do_sync\n set_bit(MD_RECOVERY_DONE, &mddev->recovery);\n md_wakeup_thread(mddev->thread);\n\n4) daemon thread can't unregister sync thread:\nmd_check_recovery\n if (mddev->suspended)\n return; -> return directly\n md_read_sync_thread\n clear_bit(MD_RECOVERY_RUNNING, &mddev->recovery);\n -> MD_RECOVERY_RUNNING can't be cleared, hence step 2 hang;\n\nThis problem is not just related to dm-raid, fix it by ignoring\nsuspended array in md_check_recovery(). And follow up patches will\nimprove dm-raid better to frozen sync thread during suspend."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "f52f5c71f3d4",
+ "lessThan": "a55f0d6179a1",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "f52f5c71f3d4",
+ "lessThan": "1baae052cccd",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "3.0",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "3.0",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/a55f0d6179a19c6b982e2dc344d58c98647a3be0"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/1baae052cccd08daf9a9d64c3f959d8cdb689757"
+ }
+ ],
+ "title": "md: Don't ignore suspended array in md_check_recovery()",
+ "x_generator": {
+ "engine": "bippy-d3b290d2becc"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26758",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
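Review bot: The last paragraph of the description value says "fix it by ignoring suspended array in md_check_recovery()", which contradicts the title and step 4 of the trace, where the `if (mddev->suspended) return;` early exit is what stops MD_RECOVERY_RUNNING from being cleared. The text is presumably copied from the upstream commit message, but as a CVE description it tells the reader the opposite of what the fix does; `fix it by not ignoring suspended array in md_check_recovery()` would match the title. Step 4 also names `md_read_sync_thread`, which is probably a typo for `md_reap_sync_thread`, so anyone grepping md.c for the symbol from this record may find nothing. The CVE-2024-26758.mbox hunk repeats both strings.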
diff --git a/cve/published/2024/CVE-2024-26758.mbox b/cve/published/2024/CVE-2024-26758.mbox
new file mode 100644
index 00000000..2483a5a4
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26758.mbox
@@ -0,0 +1,99 @@
+From bippy-d3b290d2becc Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26758: md: Don't ignore suspended array in md_check_recovery()
+Message-Id: <2024040304-CVE-2024-26758-dcc3@gregkh>
+Content-Length: 2749
+Lines: 82
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2832;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=QTem4Lb9s38RUXJrZaTHnRS1hVo/7eXLppImqag6jN0=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGm8kyICngoVR7FMP3NIbMNT1tsreXQ/r5+wKEDYRc+zK
+ Oji9eN3O2JZGASZGGTFFFm+bOM5ur/ikKKXoe1pmDmsTCBDGLg4BWAiHr8Z5uesn9m1a/eEGN2l
+ 7WmGfFO64vOtnRgWXPxjuEBq8evJvMf4zu9/tv++XNaOJwA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+md: Don't ignore suspended array in md_check_recovery()
+
+mddev_suspend() never stop sync_thread, hence it doesn't make sense to
+ignore suspended array in md_check_recovery(), which might cause
+sync_thread can't be unregistered.
+
+After commit f52f5c71f3d4 ("md: fix stopping sync thread"), following
+hang can be triggered by test shell/integrity-caching.sh:
+
+1) suspend the array:
+raid_postsuspend
+ mddev_suspend
+
+2) stop the array:
+raid_dtr
+ md_stop
+ __md_stop_writes
+ stop_sync_thread
+ set_bit(MD_RECOVERY_INTR, &mddev->recovery);
+ md_wakeup_thread_directly(mddev->sync_thread);
+ wait_event(..., !test_bit(MD_RECOVERY_RUNNING, &mddev->recovery))
+
+3) sync thread done:
+md_do_sync
+ set_bit(MD_RECOVERY_DONE, &mddev->recovery);
+ md_wakeup_thread(mddev->thread);
+
+4) daemon thread can't unregister sync thread:
+md_check_recovery
+ if (mddev->suspended)
+ return; -> return directly
+ md_read_sync_thread
+ clear_bit(MD_RECOVERY_RUNNING, &mddev->recovery);
+ -> MD_RECOVERY_RUNNING can't be cleared, hence step 2 hang;
+
+This problem is not just related to dm-raid, fix it by ignoring
+suspended array in md_check_recovery(). And follow up patches will
+improve dm-raid better to frozen sync thread during suspend.
+
+The Linux kernel CVE team has assigned CVE-2024-26758 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 3.0 with commit 68866e425be2 and fixed in 6.7.7 with commit a55f0d6179a1
+ Issue introduced in 3.0 with commit 68866e425be2 and fixed in 6.8 with commit 1baae052cccd
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26758
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/md/md.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/a55f0d6179a19c6b982e2dc344d58c98647a3be0
+ https://git.kernel.org/stable/c/1baae052cccd08daf9a9d64c3f959d8cdb689757
diff --git a/cve/published/2024/CVE-2024-26758.sha1 b/cve/published/2024/CVE-2024-26758.sha1
new file mode 100644
index 00000000..02f2589a
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26758.sha1
@@ -0,0 +1 @@
+1baae052cccd08daf9a9d64c3f959d8cdb689757
diff --git a/cve/reserved/2024/CVE-2024-26759 b/cve/published/2024/CVE-2024-26759
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26759
+++ b/cve/published/2024/CVE-2024-26759
diff --git a/cve/published/2024/CVE-2024-26759.json b/cve/published/2024/CVE-2024-26759.json
new file mode 100644
index 00000000..ac7242e5
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26759.json
@@ -0,0 +1,118 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/swap: fix race when skipping swapcache\n\nWhen skipping swapcache for SWP_SYNCHRONOUS_IO, if two or more threads\nswapin the same entry at the same time, they get different pages (A, B). \nBefore one thread (T0) finishes the swapin and installs page (A) to the\nPTE, another thread (T1) could finish swapin of page (B), swap_free the\nentry, then swap out the possibly modified page reusing the same entry. \nIt breaks the pte_same check in (T0) because PTE value is unchanged,\ncausing ABA problem. Thread (T0) will install a stalled page (A) into the\nPTE and cause data corruption.\n\nOne possible callstack is like this:\n\nCPU0 CPU1\n---- ----\ndo_swap_page() do_swap_page() with same entry\n<direct swapin path> <direct swapin path>\n<alloc page A> <alloc page B>\nswap_read_folio() <- read to page A swap_read_folio() <- read to page B\n<slow on later locks or interrupt> <finished swapin first>\n... set_pte_at()\n swap_free() <- entry is free\n <write to page B, now page A stalled>\n <swap out page B to same swap entry>\npte_same() <- Check pass, PTE seems\n unchanged, but page A\n is stalled!\nswap_free() <- page B content lost!\nset_pte_at() <- staled page A installed!\n\nAnd besides, for ZRAM, swap_free() allows the swap device to discard the\nentry content, so even if page (B) is not modified, if swap_read_folio()\non CPU0 happens later than swap_free() on CPU1, it may also cause data\nloss.\n\nTo fix this, reuse swapcache_prepare which will pin the swap entry using\nthe cache flag, and allow only one thread to swap it in, also prevent any\nparallel code from putting the entry in the cache. Release the pin after\nPT unlocked.\n\nRacers just loop and wait since it's a rare and very short event. A\nschedule_timeout_uninterruptible(1) call is added to avoid repeated page\nfaults wasting too much CPU, causing livelock or adding too much noise to\nperf statistics. 
A similar livelock issue was described in commit\n029c4628b2eb (\"mm: swap: get rid of livelock in swapin readahead\")\n\nReproducer:\n\nThis race issue can be triggered easily using a well constructed\nreproducer and patched brd (with a delay in read path) [1]:\n\nWith latest 6.8 mainline, race caused data loss can be observed easily:\n$ gcc -g -lpthread test-thread-swap-race.c && ./a.out\n Polulating 32MB of memory region...\n Keep swapping out...\n Starting round 0...\n Spawning 65536 workers...\n 32746 workers spawned, wait for done...\n Round 0: Error on 0x5aa00, expected 32746, got 32743, 3 data loss!\n Round 0: Error on 0x395200, expected 32746, got 32743, 3 data loss!\n Round 0: Error on 0x3fd000, expected 32746, got 32737, 9 data loss!\n Round 0 Failed, 15 data loss!\n\nThis reproducer spawns multiple threads sharing the same memory region\nusing a small swap device. Every two threads updates mapped pages one by\none in opposite direction trying to create a race, with one dedicated\nthread keep swapping out the data out using madvise.\n\nThe reproducer created a reproduce rate of about once every 5 minutes, so\nthe race should be totally possible in production.\n\nAfter this patch, I ran the reproducer for over a few hundred rounds and\nno data loss observed.\n\nPerformance overhead is minimal, microbenchmark swapin 10G from 32G\nzram:\n\nBefore: 10934698 us\nAfter: 11157121 us\nCached: 13155355 us (Dropping SWP_SYNCHRONOUS_IO flag)\n\n[kasong@tencent.com: v4]\n Link: https://lkml.kernel.org/r/20240219082040.7495-1-ryncsn@gmail.com"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "0bcac06f27d7",
+ "lessThan": "2dedda77d449",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "0bcac06f27d7",
+ "lessThan": "305152314df8",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "0bcac06f27d7",
+ "lessThan": "d183a4631acf",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "0bcac06f27d7",
+ "lessThan": "13ddaf26be32",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "4.15",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "4.15",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.80",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/2dedda77d4493f3e92e414b272bfa60f1f51ed95"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/305152314df82b22cf9b181f3dc5fc411002079a"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/d183a4631acfc7af955c02a02e739cec15f5234d"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/13ddaf26be324a7f951891ecd9ccd04466d27458"
+ }
+ ],
+ "title": "mm/swap: fix race when skipping swapcache",
+ "x_generator": {
+ "engine": "bippy-d3b290d2becc"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26759",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
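Review bot: The description cites a footnote, "patched brd (with a delay in read path) [1]", but no `[1]` target appears anywhere in the record. It also ends with patch-submission residue, `[kasong@tencent.com: v4]` followed by a `Link:` line, which is not part of the vulnerability description. The dangling marker should either be dropped or resolved to the reference it stood for, and the trailing two lines trimmed so the published text ends at the benchmark figures. The same text is repeated in the CVE-2024-26759.mbox hunk.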
diff --git a/cve/published/2024/CVE-2024-26759.mbox b/cve/published/2024/CVE-2024-26759.mbox
new file mode 100644
index 00000000..8164163e
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26759.mbox
@@ -0,0 +1,151 @@
+From bippy-d3b290d2becc Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26759: mm/swap: fix race when skipping swapcache
+Message-Id: <2024040304-CVE-2024-26759-45f1@gregkh>
+Content-Length: 5617
+Lines: 134
+X-Developer-Signature: v=1; a=openpgp-sha256; l=5752;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=Vj8iQSUBMsVQccT6wIfM7cth+K3NuLTC5BnyE7UqtFQ=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGm8kyJsfk3Ykp4YLmL3mTM+701xwvNZ8tu3bj375li84
+ /TTB7LzO2JZGASZGGTFFFm+bOM5ur/ikKKXoe1pmDmsTCBDGLg4BWAia/YxzPc0fP+gJUHo+gIN
+ S5b9teZLEuZuO8iwYNH8lQuVzgRPLDl4dapt0eLJSdVdzgA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+mm/swap: fix race when skipping swapcache
+
+When skipping swapcache for SWP_SYNCHRONOUS_IO, if two or more threads
+swapin the same entry at the same time, they get different pages (A, B).
+Before one thread (T0) finishes the swapin and installs page (A) to the
+PTE, another thread (T1) could finish swapin of page (B), swap_free the
+entry, then swap out the possibly modified page reusing the same entry.
+It breaks the pte_same check in (T0) because PTE value is unchanged,
+causing ABA problem. Thread (T0) will install a stalled page (A) into the
+PTE and cause data corruption.
+
+One possible callstack is like this:
+
+CPU0 CPU1
+---- ----
+do_swap_page() do_swap_page() with same entry
+<direct swapin path> <direct swapin path>
+<alloc page A> <alloc page B>
+swap_read_folio() <- read to page A swap_read_folio() <- read to page B
+<slow on later locks or interrupt> <finished swapin first>
+... set_pte_at()
+ swap_free() <- entry is free
+ <write to page B, now page A stalled>
+ <swap out page B to same swap entry>
+pte_same() <- Check pass, PTE seems
+ unchanged, but page A
+ is stalled!
+swap_free() <- page B content lost!
+set_pte_at() <- staled page A installed!
+
+And besides, for ZRAM, swap_free() allows the swap device to discard the
+entry content, so even if page (B) is not modified, if swap_read_folio()
+on CPU0 happens later than swap_free() on CPU1, it may also cause data
+loss.
+
+To fix this, reuse swapcache_prepare which will pin the swap entry using
+the cache flag, and allow only one thread to swap it in, also prevent any
+parallel code from putting the entry in the cache. Release the pin after
+PT unlocked.
+
+Racers just loop and wait since it's a rare and very short event. A
+schedule_timeout_uninterruptible(1) call is added to avoid repeated page
+faults wasting too much CPU, causing livelock or adding too much noise to
+perf statistics. A similar livelock issue was described in commit
+029c4628b2eb ("mm: swap: get rid of livelock in swapin readahead")
+
+Reproducer:
+
+This race issue can be triggered easily using a well constructed
+reproducer and patched brd (with a delay in read path) [1]:
+
+With latest 6.8 mainline, race caused data loss can be observed easily:
+$ gcc -g -lpthread test-thread-swap-race.c && ./a.out
+ Polulating 32MB of memory region...
+ Keep swapping out...
+ Starting round 0...
+ Spawning 65536 workers...
+ 32746 workers spawned, wait for done...
+ Round 0: Error on 0x5aa00, expected 32746, got 32743, 3 data loss!
+ Round 0: Error on 0x395200, expected 32746, got 32743, 3 data loss!
+ Round 0: Error on 0x3fd000, expected 32746, got 32737, 9 data loss!
+ Round 0 Failed, 15 data loss!
+
+This reproducer spawns multiple threads sharing the same memory region
+using a small swap device. Every two threads updates mapped pages one by
+one in opposite direction trying to create a race, with one dedicated
+thread keep swapping out the data out using madvise.
+
+The reproducer created a reproduce rate of about once every 5 minutes, so
+the race should be totally possible in production.
+
+After this patch, I ran the reproducer for over a few hundred rounds and
+no data loss observed.
+
+Performance overhead is minimal, microbenchmark swapin 10G from 32G
+zram:
+
+Before: 10934698 us
+After: 11157121 us
+Cached: 13155355 us (Dropping SWP_SYNCHRONOUS_IO flag)
+
+[kasong@tencent.com: v4]
+ Link: https://lkml.kernel.org/r/20240219082040.7495-1-ryncsn@gmail.com
+
+The Linux kernel CVE team has assigned CVE-2024-26759 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 4.15 with commit 0bcac06f27d7 and fixed in 6.1.80 with commit 2dedda77d449
+ Issue introduced in 4.15 with commit 0bcac06f27d7 and fixed in 6.6.19 with commit 305152314df8
+ Issue introduced in 4.15 with commit 0bcac06f27d7 and fixed in 6.7.7 with commit d183a4631acf
+ Issue introduced in 4.15 with commit 0bcac06f27d7 and fixed in 6.8 with commit 13ddaf26be32
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26759
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ include/linux/swap.h
+ mm/memory.c
+ mm/swap.h
+ mm/swapfile.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/2dedda77d4493f3e92e414b272bfa60f1f51ed95
+ https://git.kernel.org/stable/c/305152314df82b22cf9b181f3dc5fc411002079a
+ https://git.kernel.org/stable/c/d183a4631acfc7af955c02a02e739cec15f5234d
+ https://git.kernel.org/stable/c/13ddaf26be324a7f951891ecd9ccd04466d27458
diff --git a/cve/published/2024/CVE-2024-26759.sha1 b/cve/published/2024/CVE-2024-26759.sha1
new file mode 100644
index 00000000..c6a4cebb
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26759.sha1
@@ -0,0 +1 @@
+13ddaf26be324a7f951891ecd9ccd04466d27458
diff --git a/cve/reserved/2024/CVE-2024-26760 b/cve/published/2024/CVE-2024-26760
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26760
+++ b/cve/published/2024/CVE-2024-26760
diff --git a/cve/published/2024/CVE-2024-26760.json b/cve/published/2024/CVE-2024-26760.json
new file mode 100644
index 00000000..ff9469c9
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26760.json
@@ -0,0 +1,118 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: pscsi: Fix bio_put() for error case\n\nAs of commit 066ff571011d (\"block: turn bio_kmalloc into a simple kmalloc\nwrapper\"), a bio allocated by bio_kmalloc() must be freed by bio_uninit()\nand kfree(). That is not done properly for the error case, hitting WARN and\nNULL pointer dereference in bio_free()."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "066ff571011d",
+ "lessThan": "f49b20fd0134",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "066ff571011d",
+ "lessThan": "4ebc079f0c7d",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "066ff571011d",
+ "lessThan": "1cfe9489fb56",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "066ff571011d",
+ "lessThan": "de959094eb21",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.19",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.19",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.80",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/f49b20fd0134da84a6bd8108f9e73c077b7d6231"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/4ebc079f0c7dcda1270843ab0f38ab4edb8f7921"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/1cfe9489fb563e9a0c9cdc5ca68257a44428c2ec"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/de959094eb2197636f7c803af0943cb9d3b35804"
+ }
+ ],
+ "title": "scsi: target: pscsi: Fix bio_put() for error case",
+ "x_generator": {
+ "engine": "bippy-d3b290d2becc"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26760",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26760.mbox b/cve/published/2024/CVE-2024-26760.mbox
new file mode 100644
index 00000000..a8017ccc
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26760.mbox
@@ -0,0 +1,71 @@
+From bippy-d3b290d2becc Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26760: scsi: target: pscsi: Fix bio_put() for error case
+Message-Id: <2024040305-CVE-2024-26760-560a@gregkh>
+Content-Length: 2208
+Lines: 54
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2263;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=cDyni4FM9gBpOjaQ8UC+jEViLPijxVNCpYcB+Q4osTw=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGm8kyJXPjC8dawz/6Kjz7uvz/tu7VYPF1Er9nP+WbHy4
+ cLAbJvujlgWBkEmBlkxRZYv23iO7q84pOhlaHsaZg4rE8gQBi5OAZiIbTvDPONVu5bv+Obk/b/W
+ LCn5xYblb7/0lDHMFc8Myy4Sf9nU5PZwxal/kkZ6E6tlAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+scsi: target: pscsi: Fix bio_put() for error case
+
+As of commit 066ff571011d ("block: turn bio_kmalloc into a simple kmalloc
+wrapper"), a bio allocated by bio_kmalloc() must be freed by bio_uninit()
+and kfree(). That is not done properly for the error case, hitting WARN and
+NULL pointer dereference in bio_free().
+
+The Linux kernel CVE team has assigned CVE-2024-26760 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.19 with commit 066ff571011d and fixed in 6.1.80 with commit f49b20fd0134
+ Issue introduced in 5.19 with commit 066ff571011d and fixed in 6.6.19 with commit 4ebc079f0c7d
+ Issue introduced in 5.19 with commit 066ff571011d and fixed in 6.7.7 with commit 1cfe9489fb56
+ Issue introduced in 5.19 with commit 066ff571011d and fixed in 6.8 with commit de959094eb21
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26760
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/target/target_core_pscsi.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/f49b20fd0134da84a6bd8108f9e73c077b7d6231
+ https://git.kernel.org/stable/c/4ebc079f0c7dcda1270843ab0f38ab4edb8f7921
+ https://git.kernel.org/stable/c/1cfe9489fb563e9a0c9cdc5ca68257a44428c2ec
+ https://git.kernel.org/stable/c/de959094eb2197636f7c803af0943cb9d3b35804
diff --git a/cve/published/2024/CVE-2024-26760.sha1 b/cve/published/2024/CVE-2024-26760.sha1
new file mode 100644
index 00000000..9fc98a5f
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26760.sha1
@@ -0,0 +1 @@
+de959094eb2197636f7c803af0943cb9d3b35804
diff --git a/cve/reserved/2024/CVE-2024-26761 b/cve/published/2024/CVE-2024-26761
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26761
+++ b/cve/published/2024/CVE-2024-26761
diff --git a/cve/published/2024/CVE-2024-26761.json b/cve/published/2024/CVE-2024-26761.json
new file mode 100644
index 00000000..67b2dfea
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26761.json
@@ -0,0 +1,118 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/pci: Fix disabling memory if DVSEC CXL Range does not match a CFMWS window\n\nThe Linux CXL subsystem is built on the assumption that HPA == SPA.\nThat is, the host physical address (HPA) the HDM decoder registers are\nprogrammed with are system physical addresses (SPA).\n\nDuring HDM decoder setup, the DVSEC CXL range registers (cxl-3.1,\n8.1.3.8) are checked if the memory is enabled and the CXL range is in\na HPA window that is described in a CFMWS structure of the CXL host\nbridge (cxl-3.1, 9.18.1.3).\n\nNow, if the HPA is not an SPA, the CXL range does not match a CFMWS\nwindow and the CXL memory range will be disabled then. The HDM decoder\nstops working which causes system memory being disabled and further a\nsystem hang during HDM decoder initialization, typically when a CXL\nenabled kernel boots.\n\nPrevent a system hang and do not disable the HDM decoder if the\ndecoder's CXL range is not found in a CFMWS window.\n\nNote the change only fixes a hardware hang, but does not implement\nHPA/SPA translation. Support for this can be added in a follow on\npatch series."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "34e37b4c432c",
+ "lessThan": "031217128990",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "34e37b4c432c",
+ "lessThan": "2cc1a530ab31",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "34e37b4c432c",
+ "lessThan": "3a3181a71935",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "34e37b4c432c",
+ "lessThan": "0cab68720598",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.19",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.19",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.80",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/031217128990d7f0ab8c46db1afb3cf1e075fd29"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/2cc1a530ab31c65b52daf3cb5d0883c8b614ea69"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/3a3181a71935774bda2398451256d7441426420b"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/0cab687205986491302cd2e440ef1d253031c221"
+ }
+ ],
+ "title": "cxl/pci: Fix disabling memory if DVSEC CXL Range does not match a CFMWS window",
+ "x_generator": {
+ "engine": "bippy-d3b290d2becc"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26761",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
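Review bot: The `versions` entries with `"versionType": "git"` carry only 12-character hash prefixes (`"version": "34e37b4c432c"`, `"lessThan": "031217128990"`), and the introducing commit never appears in full anywhere in this record. A consumer that matches git ranges has to resolve each prefix against the stable repository, and a prefix that is unique today can become ambiguous as the repository grows. Emitting the full object id would remove that step, e.g. `"lessThan": "031217128990d7f0ab8c46db1afb3cf1e075fd29"`, which is the value already listed under `references`. The same applies to the CVE-2024-26762, CVE-2024-26763 and CVE-2024-26764 JSON records in this commit.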
diff --git a/cve/published/2024/CVE-2024-26761.mbox b/cve/published/2024/CVE-2024-26761.mbox
new file mode 100644
index 00000000..a4af0976
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26761.mbox
@@ -0,0 +1,88 @@
+From bippy-d3b290d2becc Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26761: cxl/pci: Fix disabling memory if DVSEC CXL Range does not match a CFMWS window
+Message-Id: <2024040305-CVE-2024-26761-0646@gregkh>
+Content-Length: 2951
+Lines: 71
+X-Developer-Signature: v=1; a=openpgp-sha256; l=3023;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=SaHhIjDMGN2sdtrmTd3Fh8arHAhb6c5UIYH5H/GZZf8=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGm8kyI/fF8me4jRN0DuhxojM//OTZMKD3VKTRPa/K803
+ v7ZzSP8HbEsDIJMDLJiiixftvEc3V9xSNHL0PY0zBxWJpAhDFycAjARXXGG+cnr07rsElwTFOTY
+ j751/8S9vXzuC4a58vHbz0hqp74WkZj/Wfv1HrewzSIvAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+cxl/pci: Fix disabling memory if DVSEC CXL Range does not match a CFMWS window
+
+The Linux CXL subsystem is built on the assumption that HPA == SPA.
+That is, the host physical address (HPA) the HDM decoder registers are
+programmed with are system physical addresses (SPA).
+
+During HDM decoder setup, the DVSEC CXL range registers (cxl-3.1,
+8.1.3.8) are checked if the memory is enabled and the CXL range is in
+a HPA window that is described in a CFMWS structure of the CXL host
+bridge (cxl-3.1, 9.18.1.3).
+
+Now, if the HPA is not an SPA, the CXL range does not match a CFMWS
+window and the CXL memory range will be disabled then. The HDM decoder
+stops working which causes system memory being disabled and further a
+system hang during HDM decoder initialization, typically when a CXL
+enabled kernel boots.
+
+Prevent a system hang and do not disable the HDM decoder if the
+decoder's CXL range is not found in a CFMWS window.
+
+Note the change only fixes a hardware hang, but does not implement
+HPA/SPA translation. Support for this can be added in a follow on
+patch series.
+
+The Linux kernel CVE team has assigned CVE-2024-26761 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.19 with commit 34e37b4c432c and fixed in 6.1.80 with commit 031217128990
+ Issue introduced in 5.19 with commit 34e37b4c432c and fixed in 6.6.19 with commit 2cc1a530ab31
+ Issue introduced in 5.19 with commit 34e37b4c432c and fixed in 6.7.7 with commit 3a3181a71935
+ Issue introduced in 5.19 with commit 34e37b4c432c and fixed in 6.8 with commit 0cab68720598
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26761
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/cxl/core/pci.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/031217128990d7f0ab8c46db1afb3cf1e075fd29
+ https://git.kernel.org/stable/c/2cc1a530ab31c65b52daf3cb5d0883c8b614ea69
+ https://git.kernel.org/stable/c/3a3181a71935774bda2398451256d7441426420b
+ https://git.kernel.org/stable/c/0cab687205986491302cd2e440ef1d253031c221
diff --git a/cve/published/2024/CVE-2024-26761.sha1 b/cve/published/2024/CVE-2024-26761.sha1
new file mode 100644
index 00000000..c0e4c8b5
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26761.sha1
@@ -0,0 +1 @@
+0cab687205986491302cd2e440ef1d253031c221
diff --git a/cve/reserved/2024/CVE-2024-26762 b/cve/published/2024/CVE-2024-26762
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26762
+++ b/cve/published/2024/CVE-2024-26762
diff --git a/cve/published/2024/CVE-2024-26762.json b/cve/published/2024/CVE-2024-26762.json
new file mode 100644
index 00000000..9e4d4e5d
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26762.json
@@ -0,0 +1,88 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/pci: Skip to handle RAS errors if CXL.mem device is detached\n\nThe PCI AER model is an awkward fit for CXL error handling. While the\nexpectation is that a PCI device can escalate to link reset to recover\nfrom an AER event, the same reset on CXL amounts to a surprise memory\nhotplug of massive amounts of memory.\n\nAt present, the CXL error handler attempts some optimistic error\nhandling to unbind the device from the cxl_mem driver after reaping some\nRAS register values. This results in a \"hopeful\" attempt to unplug the\nmemory, but there is no guarantee that will succeed.\n\nA subsequent AER notification after the memdev unbind event can no\nlonger assume the registers are mapped. Check for memdev bind before\nreaping status register values to avoid crashes of the form:\n\n BUG: unable to handle page fault for address: ffa00000195e9100\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n [...]\n RIP: 0010:__cxl_handle_ras+0x30/0x110 [cxl_core]\n [...]\n Call Trace:\n <TASK>\n ? __die+0x24/0x70\n ? page_fault_oops+0x82/0x160\n ? kernelmode_fixup_or_oops+0x84/0x110\n ? exc_page_fault+0x113/0x170\n ? asm_exc_page_fault+0x26/0x30\n ? __pfx_dpc_reset_link+0x10/0x10\n ? __cxl_handle_ras+0x30/0x110 [cxl_core]\n ? find_cxl_port+0x59/0x80 [cxl_core]\n cxl_handle_rp_ras+0xbc/0xd0 [cxl_core]\n cxl_error_detected+0x6c/0xf0 [cxl_core]\n report_error_detected+0xc7/0x1c0\n pci_walk_bus+0x73/0x90\n pcie_do_recovery+0x23f/0x330\n\nLonger term, the unbind and PCI_ERS_RESULT_DISCONNECT behavior might\nneed to be replaced with a new PCI_ERS_RESULT_PANIC."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6ac07883dbb5",
+ "lessThan": "21e5e84f3f63",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "6ac07883dbb5",
+ "lessThan": "eef5c7b28dbe",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.7",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "6.7",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/21e5e84f3f63fdf44e49642a6e45cd895e921a84"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/eef5c7b28dbecd6b141987a96db6c54e49828102"
+ }
+ ],
+ "title": "cxl/pci: Skip to handle RAS errors if CXL.mem device is detached",
+ "x_generator": {
+ "engine": "bippy-d3b290d2becc"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26762",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26762.mbox b/cve/published/2024/CVE-2024-26762.mbox
new file mode 100644
index 00000000..cf205acc
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26762.mbox
@@ -0,0 +1,101 @@
+From bippy-d3b290d2becc Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26762: cxl/pci: Skip to handle RAS errors if CXL.mem device is detached
+Message-Id: <2024040305-CVE-2024-26762-b719@gregkh>
+Content-Length: 3123
+Lines: 84
+X-Developer-Signature: v=1; a=openpgp-sha256; l=3208;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=3NdfSdwIeEPav5BTMddH3nfS+Gd5ZRB8fPLOeH0GARY=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGm8kyKvnrhW07bIZE34de0CcYYdc2bpvs74cmepvvjpQ
+ 4kyV0yOdsSyMAgyMciKKbJ82cZzdH/FIUUvQ9vTMHNYmUCGMHBxCsBEcgIZ5oe0LK+V1G3dsnnq
+ 5i8167YdDpbacoBhvt/jMKkr8ccferKu7y7sd3jkJBDGCgA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+cxl/pci: Skip to handle RAS errors if CXL.mem device is detached
+
+The PCI AER model is an awkward fit for CXL error handling. While the
+expectation is that a PCI device can escalate to link reset to recover
+from an AER event, the same reset on CXL amounts to a surprise memory
+hotplug of massive amounts of memory.
+
+At present, the CXL error handler attempts some optimistic error
+handling to unbind the device from the cxl_mem driver after reaping some
+RAS register values. This results in a "hopeful" attempt to unplug the
+memory, but there is no guarantee that will succeed.
+
+A subsequent AER notification after the memdev unbind event can no
+longer assume the registers are mapped. Check for memdev bind before
+reaping status register values to avoid crashes of the form:
+
+ BUG: unable to handle page fault for address: ffa00000195e9100
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ [...]
+ RIP: 0010:__cxl_handle_ras+0x30/0x110 [cxl_core]
+ [...]
+ Call Trace:
+ <TASK>
+ ? __die+0x24/0x70
+ ? page_fault_oops+0x82/0x160
+ ? kernelmode_fixup_or_oops+0x84/0x110
+ ? exc_page_fault+0x113/0x170
+ ? asm_exc_page_fault+0x26/0x30
+ ? __pfx_dpc_reset_link+0x10/0x10
+ ? __cxl_handle_ras+0x30/0x110 [cxl_core]
+ ? find_cxl_port+0x59/0x80 [cxl_core]
+ cxl_handle_rp_ras+0xbc/0xd0 [cxl_core]
+ cxl_error_detected+0x6c/0xf0 [cxl_core]
+ report_error_detected+0xc7/0x1c0
+ pci_walk_bus+0x73/0x90
+ pcie_do_recovery+0x23f/0x330
+
+Longer term, the unbind and PCI_ERS_RESULT_DISCONNECT behavior might
+need to be replaced with a new PCI_ERS_RESULT_PANIC.
+
+The Linux kernel CVE team has assigned CVE-2024-26762 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 6.7 with commit 6ac07883dbb5 and fixed in 6.7.7 with commit 21e5e84f3f63
+ Issue introduced in 6.7 with commit 6ac07883dbb5 and fixed in 6.8 with commit eef5c7b28dbe
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26762
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/cxl/core/pci.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/21e5e84f3f63fdf44e49642a6e45cd895e921a84
+ https://git.kernel.org/stable/c/eef5c7b28dbecd6b141987a96db6c54e49828102
diff --git a/cve/published/2024/CVE-2024-26762.sha1 b/cve/published/2024/CVE-2024-26762.sha1
new file mode 100644
index 00000000..63db0989
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26762.sha1
@@ -0,0 +1 @@
+eef5c7b28dbecd6b141987a96db6c54e49828102
diff --git a/cve/reserved/2024/CVE-2024-26763 b/cve/published/2024/CVE-2024-26763
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26763
+++ b/cve/published/2024/CVE-2024-26763
diff --git a/cve/published/2024/CVE-2024-26763.json b/cve/published/2024/CVE-2024-26763.json
new file mode 100644
index 00000000..eaad19a2
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26763.json
@@ -0,0 +1,168 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-crypt: don't modify the data when using authenticated encryption\n\nIt was said that authenticated encryption could produce invalid tag when\nthe data that is being encrypted is modified [1]. So, fix this problem by\ncopying the data into the clone bio first and then encrypt them inside the\nclone bio.\n\nThis may reduce performance, but it is needed to prevent the user from\ncorrupting the device by writing data with O_DIRECT and modifying them at\nthe same time.\n\n[1] https://lore.kernel.org/all/20240207004723.GA35324@sol.localdomain/T/"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "43a202bd5529",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "0dccbb93538f",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "3c652f6fa1e1",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "1a4371db68a3",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "e08c2a8d27e9",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "64ba01a36598",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "d9e3763a505e",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "50c70240097c",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "4.19.308",
+ "lessThanOrEqual": "4.19.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.270",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.211",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.150",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.80",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/43a202bd552976497474ae144942e32cc5f34d7e"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/0dccbb93538fe89a86c6de31d4b1c8c560848eaa"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/3c652f6fa1e1f9f02c3fbf359d260ad153ec5f90"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/1a4371db68a31076afbe56ecce34fbbe6c80c529"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/e08c2a8d27e989f0f5b0888792643027d7e691e6"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/64ba01a365980755732972523600a961c4266b75"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/d9e3763a505e50ba3bd22846f2a8db99429fb857"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/50c70240097ce41fe6bce6478b80478281e4d0f7"
+ }
+ ],
+ "title": "dm-crypt: don't modify the data when using authenticated encryption",
+ "x_generator": {
+ "engine": "bippy-d3b290d2becc"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26763",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
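Review bot: This record names no introducing commit, so every git range starts at `1da177e4c3f4` and the second `affected` block sets `"defaultStatus": "affected"` without the `"version": "0"` lower-bound entry that the CVE-2024-26761 and CVE-2024-26762 records carry. Scanners consuming it will therefore report every kernel below the listed fixed versions as affected, although the description limits the problem to dm-crypt with authenticated encryption. If the commit that introduced that mode can be identified, recording it would let the generator emit an entry such as `{"version": "0", "lessThan": "<introducing-version>", "status": "unaffected", "versionType": "custom"}`; whether it is known is not visible here. The CVE-2024-26764 JSON record has the same shape.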
diff --git a/cve/published/2024/CVE-2024-26763.mbox b/cve/published/2024/CVE-2024-26763.mbox
new file mode 100644
index 00000000..6b6960cf
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26763.mbox
@@ -0,0 +1,85 @@
+From bippy-d3b290d2becc Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26763: dm-crypt: don't modify the data when using authenticated encryption
+Message-Id: <2024040305-CVE-2024-26763-4627@gregkh>
+Content-Length: 2673
+Lines: 68
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2742;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=qiZyaYKiWWfd8fcmxVQS+2O/+idaozgrsD78BHuNhY8=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGm8kyK50rrtS5I5d9pUdtu/irTbv9Pi1/zWfr39Mxbbm
+ HBtFmjuiGVhEGRikBVTZPmyjefo/opDil6Gtqdh5rAygQxh4OIUgIn0T2BYsK1L+3zJh6LoGUWu
+ fU/3yYitmHY1kmF+uN2e1ZudzKPaxZU/CscdOGlpOV8dAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+dm-crypt: don't modify the data when using authenticated encryption
+
+It was said that authenticated encryption could produce invalid tag when
+the data that is being encrypted is modified [1]. So, fix this problem by
+copying the data into the clone bio first and then encrypt them inside the
+clone bio.
+
+This may reduce performance, but it is needed to prevent the user from
+corrupting the device by writing data with O_DIRECT and modifying them at
+the same time.
+
+[1] https://lore.kernel.org/all/20240207004723.GA35324@sol.localdomain/T/
+
+The Linux kernel CVE team has assigned CVE-2024-26763 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 4.19.308 with commit 43a202bd5529
+ Fixed in 5.4.270 with commit 0dccbb93538f
+ Fixed in 5.10.211 with commit 3c652f6fa1e1
+ Fixed in 5.15.150 with commit 1a4371db68a3
+ Fixed in 6.1.80 with commit e08c2a8d27e9
+ Fixed in 6.6.19 with commit 64ba01a36598
+ Fixed in 6.7.7 with commit d9e3763a505e
+ Fixed in 6.8 with commit 50c70240097c
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26763
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/md/dm-crypt.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/43a202bd552976497474ae144942e32cc5f34d7e
+ https://git.kernel.org/stable/c/0dccbb93538fe89a86c6de31d4b1c8c560848eaa
+ https://git.kernel.org/stable/c/3c652f6fa1e1f9f02c3fbf359d260ad153ec5f90
+ https://git.kernel.org/stable/c/1a4371db68a31076afbe56ecce34fbbe6c80c529
+ https://git.kernel.org/stable/c/e08c2a8d27e989f0f5b0888792643027d7e691e6
+ https://git.kernel.org/stable/c/64ba01a365980755732972523600a961c4266b75
+ https://git.kernel.org/stable/c/d9e3763a505e50ba3bd22846f2a8db99429fb857
+ https://git.kernel.org/stable/c/50c70240097ce41fe6bce6478b80478281e4d0f7
diff --git a/cve/published/2024/CVE-2024-26763.sha1 b/cve/published/2024/CVE-2024-26763.sha1
new file mode 100644
index 00000000..3b8f7afe
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26763.sha1
@@ -0,0 +1 @@
+50c70240097ce41fe6bce6478b80478281e4d0f7
diff --git a/cve/reserved/2024/CVE-2024-26764 b/cve/published/2024/CVE-2024-26764
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26764
+++ b/cve/published/2024/CVE-2024-26764
diff --git a/cve/published/2024/CVE-2024-26764.json b/cve/published/2024/CVE-2024-26764.json
new file mode 100644
index 00000000..8948182c
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26764.json
@@ -0,0 +1,168 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/aio: Restrict kiocb_set_cancel_fn() to I/O submitted via libaio\n\nIf kiocb_set_cancel_fn() is called for I/O submitted via io_uring, the\nfollowing kernel warning appears:\n\nWARNING: CPU: 3 PID: 368 at fs/aio.c:598 kiocb_set_cancel_fn+0x9c/0xa8\nCall trace:\n kiocb_set_cancel_fn+0x9c/0xa8\n ffs_epfile_read_iter+0x144/0x1d0\n io_read+0x19c/0x498\n io_issue_sqe+0x118/0x27c\n io_submit_sqes+0x25c/0x5fc\n __arm64_sys_io_uring_enter+0x104/0xab0\n invoke_syscall+0x58/0x11c\n el0_svc_common+0xb4/0xf4\n do_el0_svc+0x2c/0xb0\n el0_svc+0x2c/0xa4\n el0t_64_sync_handler+0x68/0xb4\n el0t_64_sync+0x1a4/0x1a8\n\nFix this by setting the IOCB_AIO_RW flag for read and write I/O that is\nsubmitted by libaio."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "337b543e274f",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "b4eea7a05ee0",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "ea1cd64d59f2",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "d7b6fa97ec89",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "18f614369def",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "e7e23fc5d5fe",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "1dc7d74fe456",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "b820de741ae4",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "4.19.308",
+ "lessThanOrEqual": "4.19.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.270",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.211",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.150",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.80",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/337b543e274fe7a8f47df3c8293cc6686ffa620f"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/b4eea7a05ee0ab5ab0514421e6ba8c5d249cf942"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/ea1cd64d59f22d6d13f367d62ec6e27b9344695f"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/d7b6fa97ec894edd02f64b83e5e72e1aa352f353"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/18f614369def2a11a52f569fe0f910b199d13487"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/e7e23fc5d5fe422827c9a43ecb579448f73876c7"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/1dc7d74fe456944a9b1c57bd776280249f441ac6"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/b820de741ae48ccf50dd95e297889c286ff4f760"
+ }
+ ],
+ "title": "fs/aio: Restrict kiocb_set_cancel_fn() to I/O submitted via libaio",
+ "x_generator": {
+ "engine": "bippy-d3b290d2becc"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26764",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26764.mbox b/cve/published/2024/CVE-2024-26764.mbox
new file mode 100644
index 00000000..1d1c5b6c
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26764.mbox
@@ -0,0 +1,96 @@
+From bippy-d3b290d2becc Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26764: fs/aio: Restrict kiocb_set_cancel_fn() to I/O submitted via libaio
+Message-Id: <2024040306-CVE-2024-26764-c1e7@gregkh>
+Content-Length: 2825
+Lines: 79
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2905;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=Y8XXmr7+diExytf+QT1KlgzBksCetACjoWyWnw9he2U=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGm8k6JCfu5iO6+s9lA4qfZs9qpDyVuPrvD8fe5deBlD9
+ iVr8fTejlgWBkEmBlkxRZYv23iO7q84pOhlaHsaZg4rE8gQBi5OAZjI5ksMC1qX5/Mah06f+Hid
+ KPetfXleWxir/Rjm2Qf4F+9S1Z3odI3ve8MR1rLvDuarAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+fs/aio: Restrict kiocb_set_cancel_fn() to I/O submitted via libaio
+
+If kiocb_set_cancel_fn() is called for I/O submitted via io_uring, the
+following kernel warning appears:
+
+WARNING: CPU: 3 PID: 368 at fs/aio.c:598 kiocb_set_cancel_fn+0x9c/0xa8
+Call trace:
+ kiocb_set_cancel_fn+0x9c/0xa8
+ ffs_epfile_read_iter+0x144/0x1d0
+ io_read+0x19c/0x498
+ io_issue_sqe+0x118/0x27c
+ io_submit_sqes+0x25c/0x5fc
+ __arm64_sys_io_uring_enter+0x104/0xab0
+ invoke_syscall+0x58/0x11c
+ el0_svc_common+0xb4/0xf4
+ do_el0_svc+0x2c/0xb0
+ el0_svc+0x2c/0xa4
+ el0t_64_sync_handler+0x68/0xb4
+ el0t_64_sync+0x1a4/0x1a8
+
+Fix this by setting the IOCB_AIO_RW flag for read and write I/O that is
+submitted by libaio.
+
+The Linux kernel CVE team has assigned CVE-2024-26764 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 4.19.308 with commit 337b543e274f
+ Fixed in 5.4.270 with commit b4eea7a05ee0
+ Fixed in 5.10.211 with commit ea1cd64d59f2
+ Fixed in 5.15.150 with commit d7b6fa97ec89
+ Fixed in 6.1.80 with commit 18f614369def
+ Fixed in 6.6.19 with commit e7e23fc5d5fe
+ Fixed in 6.7.7 with commit 1dc7d74fe456
+ Fixed in 6.8 with commit b820de741ae4
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26764
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ fs/aio.c
+ include/linux/fs.h
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/337b543e274fe7a8f47df3c8293cc6686ffa620f
+ https://git.kernel.org/stable/c/b4eea7a05ee0ab5ab0514421e6ba8c5d249cf942
+ https://git.kernel.org/stable/c/ea1cd64d59f22d6d13f367d62ec6e27b9344695f
+ https://git.kernel.org/stable/c/d7b6fa97ec894edd02f64b83e5e72e1aa352f353
+ https://git.kernel.org/stable/c/18f614369def2a11a52f569fe0f910b199d13487
+ https://git.kernel.org/stable/c/e7e23fc5d5fe422827c9a43ecb579448f73876c7
+ https://git.kernel.org/stable/c/1dc7d74fe456944a9b1c57bd776280249f441ac6
+ https://git.kernel.org/stable/c/b820de741ae48ccf50dd95e297889c286ff4f760
diff --git a/cve/published/2024/CVE-2024-26764.sha1 b/cve/published/2024/CVE-2024-26764.sha1
new file mode 100644
index 00000000..6b3eed06
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26764.sha1
@@ -0,0 +1 @@
+b820de741ae48ccf50dd95e297889c286ff4f760
diff --git a/cve/reserved/2024/CVE-2024-26765 b/cve/published/2024/CVE-2024-26765
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26765
+++ b/cve/published/2024/CVE-2024-26765
diff --git a/cve/published/2024/CVE-2024-26765.json b/cve/published/2024/CVE-2024-26765.json
new file mode 100644
index 00000000..95fd80c9
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26765.json
@@ -0,0 +1,108 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: Disable IRQ before init_fn() for nonboot CPUs\n\nDisable IRQ before init_fn() for nonboot CPUs when hotplug, in order to\nsilence such warnings (and also avoid potential errors due to unexpected\ninterrupts):\n\nWARNING: CPU: 1 PID: 0 at kernel/rcu/tree.c:4503 rcu_cpu_starting+0x214/0x280\nCPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.6.17+ #1198\npc 90000000048e3334 ra 90000000047bd56c tp 900000010039c000 sp 900000010039fdd0\na0 0000000000000001 a1 0000000000000006 a2 900000000802c040 a3 0000000000000000\na4 0000000000000001 a5 0000000000000004 a6 0000000000000000 a7 90000000048e3f4c\nt0 0000000000000001 t1 9000000005c70968 t2 0000000004000000 t3 000000000005e56e\nt4 00000000000002e4 t5 0000000000001000 t6 ffffffff80000000 t7 0000000000040000\nt8 9000000007931638 u0 0000000000000006 s9 0000000000000004 s0 0000000000000001\ns1 9000000006356ac0 s2 9000000007244000 s3 0000000000000001 s4 0000000000000001\ns5 900000000636f000 s6 7fffffffffffffff s7 9000000002123940 s8 9000000001ca55f8\n ra: 90000000047bd56c tlb_init+0x24c/0x528\n ERA: 90000000048e3334 rcu_cpu_starting+0x214/0x280\n CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)\n PRMD: 00000000 (PPLV0 -PIE -PWE)\n EUEN: 00000000 (-FPE -SXE -ASXE -BTE)\n ECFG: 00071000 (LIE=12 VS=7)\nESTAT: 000c0000 [BRK] (IS= ECode=12 EsubCode=0)\n PRID: 0014c010 (Loongson-64bit, Loongson-3A5000)\nCPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.6.17+ #1198\nStack : 0000000000000000 9000000006375000 9000000005b61878 900000010039c000\n 900000010039fa30 0000000000000000 900000010039fa38 900000000619a140\n 9000000006456888 9000000006456880 900000010039f950 0000000000000001\n 0000000000000001 cb0cb028ec7e52e1 0000000002b90000 9000000100348700\n 0000000000000000 0000000000000001 ffffffff916d12f1 0000000000000003\n 0000000000040000 9000000007930370 0000000002b90000 0000000000000004\n 9000000006366000 900000000619a140 0000000000000000 
0000000000000004\n 0000000000000000 0000000000000009 ffffffffffc681f2 9000000002123940\n 9000000001ca55f8 9000000006366000 90000000047a4828 00007ffff057ded8\n 00000000000000b0 0000000000000000 0000000000000000 0000000000071000\n ...\nCall Trace:\n[<90000000047a4828>] show_stack+0x48/0x1a0\n[<9000000005b61874>] dump_stack_lvl+0x84/0xcc\n[<90000000047f60ac>] __warn+0x8c/0x1e0\n[<9000000005b0ab34>] report_bug+0x1b4/0x280\n[<9000000005b63110>] do_bp+0x2d0/0x480\n[<90000000047a2e20>] handle_bp+0x120/0x1c0\n[<90000000048e3334>] rcu_cpu_starting+0x214/0x280\n[<90000000047bd568>] tlb_init+0x248/0x528\n[<90000000047a4c44>] per_cpu_trap_init+0x124/0x160\n[<90000000047a19f4>] cpu_probe+0x494/0xa00\n[<90000000047b551c>] start_secondary+0x3c/0xc0\n[<9000000005b66134>] smpboot_entry+0x50/0x58"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "a262b78dd085",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "dffdf7c783ef",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "8bf2ca8c6071",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "1001db6c42e4",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.1.80",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/a262b78dd085dbe9b3c75dc1d9c4cd102b110b53"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/dffdf7c783ef291eef38a5a0037584fd1a7fa464"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/8bf2ca8c60712af288b88ba80f8e4df4573d923f"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/1001db6c42e4012b55e5ee19405490f23e033b5a"
+ }
+ ],
+ "title": "LoongArch: Disable IRQ before init_fn() for nonboot CPUs",
+ "x_generator": {
+ "engine": "bippy-d3b290d2becc"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26765",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
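Review bot: All four `git` ranges in the `affected` block start at `1da177e4c3f4`, which is the kernel's initial git import rather than an identified introducing commit, so the record carries no lower bound. Together with `"defaultStatus": "affected"` on the release-version block, a scanner matching on version will flag every kernel below 6.1.80, including series that presumably never shipped `arch/loongarch/kernel/smp.c`. If the introducing commit can be determined, record it as the range start, e.g. `"version": "<introducing-commit>"`, so the mbox can print an "Issue introduced in" line as the CVE-2024-26766 announcement does. The CVE-2024-26767 JSON further down has the same shape.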
diff --git a/cve/published/2024/CVE-2024-26765.mbox b/cve/published/2024/CVE-2024-26765.mbox
new file mode 100644
index 00000000..8f7fcd29
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26765.mbox
@@ -0,0 +1,114 @@
+From bippy-d3b290d2becc Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26765: LoongArch: Disable IRQ before init_fn() for nonboot CPUs
+Message-Id: <2024040306-CVE-2024-26765-157f@gregkh>
+Content-Length: 4387
+Lines: 97
+X-Developer-Signature: v=1; a=openpgp-sha256; l=4485;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=+ZxRSQeHL35LRUzd0jP+bWFdxBURXlxS/Iv6fKK8I3c=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGm8k6ICflT15d5OCvx0+dWTC8961bTW7pthtvHbJMP2x
+ mnLug8qdsSyMAgyMciKKbJ82cZzdH/FIUUvQ9vTMHNYmUCGMHBxCsBEfDUY5tkxe307lxmgaFqk
+ fNYwUb9tJVfUZIb57nlfrr7VUZzh7VD1JfWf8I6XBVXXAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+LoongArch: Disable IRQ before init_fn() for nonboot CPUs
+
+Disable IRQ before init_fn() for nonboot CPUs when hotplug, in order to
+silence such warnings (and also avoid potential errors due to unexpected
+interrupts):
+
+WARNING: CPU: 1 PID: 0 at kernel/rcu/tree.c:4503 rcu_cpu_starting+0x214/0x280
+CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.6.17+ #1198
+pc 90000000048e3334 ra 90000000047bd56c tp 900000010039c000 sp 900000010039fdd0
+a0 0000000000000001 a1 0000000000000006 a2 900000000802c040 a3 0000000000000000
+a4 0000000000000001 a5 0000000000000004 a6 0000000000000000 a7 90000000048e3f4c
+t0 0000000000000001 t1 9000000005c70968 t2 0000000004000000 t3 000000000005e56e
+t4 00000000000002e4 t5 0000000000001000 t6 ffffffff80000000 t7 0000000000040000
+t8 9000000007931638 u0 0000000000000006 s9 0000000000000004 s0 0000000000000001
+s1 9000000006356ac0 s2 9000000007244000 s3 0000000000000001 s4 0000000000000001
+s5 900000000636f000 s6 7fffffffffffffff s7 9000000002123940 s8 9000000001ca55f8
+ ra: 90000000047bd56c tlb_init+0x24c/0x528
+ ERA: 90000000048e3334 rcu_cpu_starting+0x214/0x280
+ CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)
+ PRMD: 00000000 (PPLV0 -PIE -PWE)
+ EUEN: 00000000 (-FPE -SXE -ASXE -BTE)
+ ECFG: 00071000 (LIE=12 VS=7)
+ESTAT: 000c0000 [BRK] (IS= ECode=12 EsubCode=0)
+ PRID: 0014c010 (Loongson-64bit, Loongson-3A5000)
+CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.6.17+ #1198
+Stack : 0000000000000000 9000000006375000 9000000005b61878 900000010039c000
+ 900000010039fa30 0000000000000000 900000010039fa38 900000000619a140
+ 9000000006456888 9000000006456880 900000010039f950 0000000000000001
+ 0000000000000001 cb0cb028ec7e52e1 0000000002b90000 9000000100348700
+ 0000000000000000 0000000000000001 ffffffff916d12f1 0000000000000003
+ 0000000000040000 9000000007930370 0000000002b90000 0000000000000004
+ 9000000006366000 900000000619a140 0000000000000000 0000000000000004
+ 0000000000000000 0000000000000009 ffffffffffc681f2 9000000002123940
+ 9000000001ca55f8 9000000006366000 90000000047a4828 00007ffff057ded8
+ 00000000000000b0 0000000000000000 0000000000000000 0000000000071000
+ ...
+Call Trace:
+[<90000000047a4828>] show_stack+0x48/0x1a0
+[<9000000005b61874>] dump_stack_lvl+0x84/0xcc
+[<90000000047f60ac>] __warn+0x8c/0x1e0
+[<9000000005b0ab34>] report_bug+0x1b4/0x280
+[<9000000005b63110>] do_bp+0x2d0/0x480
+[<90000000047a2e20>] handle_bp+0x120/0x1c0
+[<90000000048e3334>] rcu_cpu_starting+0x214/0x280
+[<90000000047bd568>] tlb_init+0x248/0x528
+[<90000000047a4c44>] per_cpu_trap_init+0x124/0x160
+[<90000000047a19f4>] cpu_probe+0x494/0xa00
+[<90000000047b551c>] start_secondary+0x3c/0xc0
+[<9000000005b66134>] smpboot_entry+0x50/0x58
+
+The Linux kernel CVE team has assigned CVE-2024-26765 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 6.1.80 with commit a262b78dd085
+ Fixed in 6.6.19 with commit dffdf7c783ef
+ Fixed in 6.7.7 with commit 8bf2ca8c6071
+ Fixed in 6.8 with commit 1001db6c42e4
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26765
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ arch/loongarch/kernel/smp.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/a262b78dd085dbe9b3c75dc1d9c4cd102b110b53
+ https://git.kernel.org/stable/c/dffdf7c783ef291eef38a5a0037584fd1a7fa464
+ https://git.kernel.org/stable/c/8bf2ca8c60712af288b88ba80f8e4df4573d923f
+ https://git.kernel.org/stable/c/1001db6c42e4012b55e5ee19405490f23e033b5a
diff --git a/cve/published/2024/CVE-2024-26765.sha1 b/cve/published/2024/CVE-2024-26765.sha1
new file mode 100644
index 00000000..91cf02f9
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26765.sha1
@@ -0,0 +1 @@
+1001db6c42e4012b55e5ee19405490f23e033b5a
diff --git a/cve/reserved/2024/CVE-2024-26766 b/cve/published/2024/CVE-2024-26766
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26766
+++ b/cve/published/2024/CVE-2024-26766
diff --git a/cve/published/2024/CVE-2024-26766.json b/cve/published/2024/CVE-2024-26766.json
new file mode 100644
index 00000000..70c17c40
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26766.json
@@ -0,0 +1,168 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/hfi1: Fix sdma.h tx->num_descs off-by-one error\n\nUnfortunately the commit `fd8958efe877` introduced another error\ncausing the `descs` array to overflow. This reults in further crashes\neasily reproducible by `sendmsg` system call.\n\n[ 1080.836473] general protection fault, probably for non-canonical address 0x400300015528b00a: 0000 [#1] PREEMPT SMP PTI\n[ 1080.869326] RIP: 0010:hfi1_ipoib_build_ib_tx_headers.constprop.0+0xe1/0x2b0 [hfi1]\n--\n[ 1080.974535] Call Trace:\n[ 1080.976990] <TASK>\n[ 1081.021929] hfi1_ipoib_send_dma_common+0x7a/0x2e0 [hfi1]\n[ 1081.027364] hfi1_ipoib_send_dma_list+0x62/0x270 [hfi1]\n[ 1081.032633] hfi1_ipoib_send+0x112/0x300 [hfi1]\n[ 1081.042001] ipoib_start_xmit+0x2a9/0x2d0 [ib_ipoib]\n[ 1081.046978] dev_hard_start_xmit+0xc4/0x210\n--\n[ 1081.148347] __sys_sendmsg+0x59/0xa0\n\ncrash> ipoib_txreq 0xffff9cfeba229f00\nstruct ipoib_txreq {\n txreq = {\n list = {\n next = 0xffff9cfeba229f00,\n prev = 0xffff9cfeba229f00\n },\n descp = 0xffff9cfeba229f40,\n coalesce_buf = 0x0,\n wait = 0xffff9cfea4e69a48,\n complete = 0xffffffffc0fe0760 <hfi1_ipoib_sdma_complete>,\n packet_len = 0x46d,\n tlen = 0x0,\n num_desc = 0x0,\n desc_limit = 0x6,\n next_descq_idx = 0x45c,\n coalesce_idx = 0x0,\n flags = 0x0,\n descs = {{\n qw = {0x8024000120dffb00, 0x4} # SDMA_DESC0_FIRST_DESC_FLAG (bit 63)\n }, {\n qw = { 0x3800014231b108, 0x4}\n }, {\n qw = { 0x310000e4ee0fcf0, 0x8}\n }, {\n qw = { 0x3000012e9f8000, 0x8}\n }, {\n qw = { 0x59000dfb9d0000, 0x8}\n }, {\n qw = { 0x78000e02e40000, 0x8}\n }}\n },\n sdma_hdr = 0x400300015528b000, <<< invalid pointer in the tx request structure\n sdma_status = 0x0, SDMA_DESC0_LAST_DESC_FLAG (bit 62)\n complete = 0x0,\n priv = 0x0,\n txq = 0xffff9cfea4e69880,\n skb = 0xffff9d099809f400\n}\n\nIf an SDMA send consists of exactly 6 descriptors and requires dword\npadding (in the 7th descriptor), the sdma_txreq descriptor array is 
not\nproperly expanded and the packet will overflow into the container\nstructure. This results in a panic when the send completion runs. The\nexact panic varies depending on what elements of the container structure\nget corrupted. The fix is to use the correct expression in\n_pad_sdma_tx_descs() to test the need to expand the descriptor array.\n\nWith this patch the crashes are no longer reproducible and the machine is\nstable."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "d1c1ee052d25",
+ "lessThan": "115b7f3bc1dc",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "40ac5cb6cbb0",
+ "lessThan": "5833024a9856",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "6cf8f3d690bb",
+ "lessThan": "3f38d22e645e",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "bd57756a7e43",
+ "lessThan": "47ae64df23ed",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "eeaf35f4e3b3",
+ "lessThan": "52dc9a7a573d",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "fd8958efe877",
+ "lessThan": "a2fef1d81bec",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "fd8958efe877",
+ "lessThan": "9034a1bec35e",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "fd8958efe877",
+ "lessThan": "e6f57c688191",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "4.19.308",
+ "lessThanOrEqual": "4.19.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.270",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.211",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.150",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.80",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/115b7f3bc1dce590a6851a2dcf23dc1100c49790"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/5833024a9856f454a964a198c63a57e59e07baf5"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/3f38d22e645e2e994979426ea5a35186102ff3c2"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/47ae64df23ed1318e27bd9844e135a5e1c0e6e39"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/52dc9a7a573dbf778625a0efca0fca55489f084b"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/a2fef1d81becf4ff60e1a249477464eae3c3bc2a"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/9034a1bec35e9f725315a3bb6002ef39666114d9"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/e6f57c6881916df39db7d95981a8ad2b9c3458d6"
+ }
+ ],
+ "title": "IB/hfi1: Fix sdma.h tx->num_descs off-by-one error",
+ "x_generator": {
+ "engine": "bippy-d3b290d2becc"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26766",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
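Review bot: The `affected` list has no entry for commit `0ef9594936d1`, which the matching mbox lists as "Issue introduced in 6.2.3" with no fixing commit. Consumers that read only the JSON therefore cannot tell that the 6.2.y series picked up the faulty change and, as far as this record shows, never received the fix. Consider adding an open-ended entry such as `{"version": "0ef9594936d1", "status": "affected", "versionType": "git"}` so the two files agree. The release-version block also carries no "introduced" bounds (4.19.291, 5.4.251, and so on), so version matching treats every kernel below each fixed release as affected, which is broader than what the mbox states.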
diff --git a/cve/published/2024/CVE-2024-26766.mbox b/cve/published/2024/CVE-2024-26766.mbox
new file mode 100644
index 00000000..691daa88
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26766.mbox
@@ -0,0 +1,143 @@
+From bippy-d3b290d2becc Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26766: IB/hfi1: Fix sdma.h tx->num_descs off-by-one error
+Message-Id: <2024040306-CVE-2024-26766-6b6a@gregkh>
+Content-Length: 5079
+Lines: 126
+X-Developer-Signature: v=1; a=openpgp-sha256; l=5206;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=M3jZShr4PScL080QA62qkDUXdlcNkhQA78NnsEeyZD0=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGm8k6KO6Lv2MBbff6AiLejFrxZ7/5VJmKDWvVXnJQ9Xx
+ Wy1PdLeEcvCIMjEICumyPJlG8/R/RWHFL0MbU/DzGFlAhnCwMUpABO5dodhfopih9/lz1ZiX+R2
+ Xlk1qTEqZalsIcM8y9ucXhuzbyxRuZvg4Rmbc5e5WKsOAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+IB/hfi1: Fix sdma.h tx->num_descs off-by-one error
+
+Unfortunately the commit `fd8958efe877` introduced another error
+causing the `descs` array to overflow. This reults in further crashes
+easily reproducible by `sendmsg` system call.
+
+[ 1080.836473] general protection fault, probably for non-canonical address 0x400300015528b00a: 0000 [#1] PREEMPT SMP PTI
+[ 1080.869326] RIP: 0010:hfi1_ipoib_build_ib_tx_headers.constprop.0+0xe1/0x2b0 [hfi1]
+--
+[ 1080.974535] Call Trace:
+[ 1080.976990] <TASK>
+[ 1081.021929] hfi1_ipoib_send_dma_common+0x7a/0x2e0 [hfi1]
+[ 1081.027364] hfi1_ipoib_send_dma_list+0x62/0x270 [hfi1]
+[ 1081.032633] hfi1_ipoib_send+0x112/0x300 [hfi1]
+[ 1081.042001] ipoib_start_xmit+0x2a9/0x2d0 [ib_ipoib]
+[ 1081.046978] dev_hard_start_xmit+0xc4/0x210
+--
+[ 1081.148347] __sys_sendmsg+0x59/0xa0
+
+crash> ipoib_txreq 0xffff9cfeba229f00
+struct ipoib_txreq {
+ txreq = {
+ list = {
+ next = 0xffff9cfeba229f00,
+ prev = 0xffff9cfeba229f00
+ },
+ descp = 0xffff9cfeba229f40,
+ coalesce_buf = 0x0,
+ wait = 0xffff9cfea4e69a48,
+ complete = 0xffffffffc0fe0760 <hfi1_ipoib_sdma_complete>,
+ packet_len = 0x46d,
+ tlen = 0x0,
+ num_desc = 0x0,
+ desc_limit = 0x6,
+ next_descq_idx = 0x45c,
+ coalesce_idx = 0x0,
+ flags = 0x0,
+ descs = {{
+ qw = {0x8024000120dffb00, 0x4} # SDMA_DESC0_FIRST_DESC_FLAG (bit 63)
+ }, {
+ qw = { 0x3800014231b108, 0x4}
+ }, {
+ qw = { 0x310000e4ee0fcf0, 0x8}
+ }, {
+ qw = { 0x3000012e9f8000, 0x8}
+ }, {
+ qw = { 0x59000dfb9d0000, 0x8}
+ }, {
+ qw = { 0x78000e02e40000, 0x8}
+ }}
+ },
+ sdma_hdr = 0x400300015528b000, <<< invalid pointer in the tx request structure
+ sdma_status = 0x0, SDMA_DESC0_LAST_DESC_FLAG (bit 62)
+ complete = 0x0,
+ priv = 0x0,
+ txq = 0xffff9cfea4e69880,
+ skb = 0xffff9d099809f400
+}
+
+If an SDMA send consists of exactly 6 descriptors and requires dword
+padding (in the 7th descriptor), the sdma_txreq descriptor array is not
+properly expanded and the packet will overflow into the container
+structure. This results in a panic when the send completion runs. The
+exact panic varies depending on what elements of the container structure
+get corrupted. The fix is to use the correct expression in
+_pad_sdma_tx_descs() to test the need to expand the descriptor array.
+
+With this patch the crashes are no longer reproducible and the machine is
+stable.
+
+The Linux kernel CVE team has assigned CVE-2024-26766 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 4.19.291 with commit d1c1ee052d25 and fixed in 4.19.308 with commit 115b7f3bc1dc
+ Issue introduced in 5.4.251 with commit 40ac5cb6cbb0 and fixed in 5.4.270 with commit 5833024a9856
+ Issue introduced in 5.10.188 with commit 6cf8f3d690bb and fixed in 5.10.211 with commit 3f38d22e645e
+ Issue introduced in 5.15.99 with commit bd57756a7e43 and fixed in 5.15.150 with commit 47ae64df23ed
+ Issue introduced in 6.1.16 with commit eeaf35f4e3b3 and fixed in 6.1.80 with commit 52dc9a7a573d
+ Issue introduced in 6.3 with commit fd8958efe877 and fixed in 6.6.19 with commit a2fef1d81bec
+ Issue introduced in 6.3 with commit fd8958efe877 and fixed in 6.7.7 with commit 9034a1bec35e
+ Issue introduced in 6.3 with commit fd8958efe877 and fixed in 6.8 with commit e6f57c688191
+ Issue introduced in 6.2.3 with commit 0ef9594936d1
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26766
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/infiniband/hw/hfi1/sdma.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/115b7f3bc1dce590a6851a2dcf23dc1100c49790
+ https://git.kernel.org/stable/c/5833024a9856f454a964a198c63a57e59e07baf5
+ https://git.kernel.org/stable/c/3f38d22e645e2e994979426ea5a35186102ff3c2
+ https://git.kernel.org/stable/c/47ae64df23ed1318e27bd9844e135a5e1c0e6e39
+ https://git.kernel.org/stable/c/52dc9a7a573dbf778625a0efca0fca55489f084b
+ https://git.kernel.org/stable/c/a2fef1d81becf4ff60e1a249477464eae3c3bc2a
+ https://git.kernel.org/stable/c/9034a1bec35e9f725315a3bb6002ef39666114d9
+ https://git.kernel.org/stable/c/e6f57c6881916df39db7d95981a8ad2b9c3458d6
diff --git a/cve/published/2024/CVE-2024-26766.sha1 b/cve/published/2024/CVE-2024-26766.sha1
new file mode 100644
index 00000000..5312364d
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26766.sha1
@@ -0,0 +1 @@
+e6f57c6881916df39db7d95981a8ad2b9c3458d6
diff --git a/cve/reserved/2024/CVE-2024-26767 b/cve/published/2024/CVE-2024-26767
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26767
+++ b/cve/published/2024/CVE-2024-26767
diff --git a/cve/published/2024/CVE-2024-26767.json b/cve/published/2024/CVE-2024-26767.json
new file mode 100644
index 00000000..cb285042
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26767.json
@@ -0,0 +1,93 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: fixed integer types and null check locations\n\n[why]:\nissues fixed:\n- comparison with wider integer type in loop condition which can cause\ninfinite loops\n- pointer dereference before null check"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "71783d1ff652",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "beea9ab9080c",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "0484e05d048b",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/71783d1ff65204d69207fd156d4b2eb1d3882375"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/beea9ab9080cd2ef46296070bb327af066ee09d7"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/0484e05d048b66d01d1f3c1d2306010bb57d8738"
+ }
+ ],
+ "title": "drm/amd/display: fixed integer types and null check locations",
+ "x_generator": {
+ "engine": "bippy-d3b290d2becc"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26767",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26767.mbox b/cve/published/2024/CVE-2024-26767.mbox
new file mode 100644
index 00000000..2fc06a15
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26767.mbox
@@ -0,0 +1,71 @@
+From bippy-d3b290d2becc Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26767: drm/amd/display: fixed integer types and null check locations
+Message-Id: <2024040306-CVE-2024-26767-bdac@gregkh>
+Content-Length: 1842
+Lines: 54
+X-Developer-Signature: v=1; a=openpgp-sha256; l=1897;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=jvnh6G3zsaPZZaLoICPezXkN1qlreGc+/WOmv31XXWk=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGm8k6KVm6Z0PmC/Kl0bn6C7fMnaR5ttTP9vNP3N5L88Y
+ cXNzvqOjlgWBkEmBlkxRZYv23iO7q84pOhlaHsaZg4rE8gQBi5OAZjIhfcMC3qfHpV+WTotX7Kj
+ KDbw4LSuJRWTmhnmV4Z/2XIpdxmfwKJ6admVHW18H2bcBQA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+drm/amd/display: fixed integer types and null check locations
+
+[why]:
+issues fixed:
+- comparison with wider integer type in loop condition which can cause
+infinite loops
+- pointer dereference before null check
+
+The Linux kernel CVE team has assigned CVE-2024-26767 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 6.6.19 with commit 71783d1ff652
+ Fixed in 6.7.7 with commit beea9ab9080c
+ Fixed in 6.8 with commit 0484e05d048b
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26767
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c
+ drivers/gpu/drm/amd/display/dc/link/link_validation.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/71783d1ff65204d69207fd156d4b2eb1d3882375
+ https://git.kernel.org/stable/c/beea9ab9080cd2ef46296070bb327af066ee09d7
+ https://git.kernel.org/stable/c/0484e05d048b66d01d1f3c1d2306010bb57d8738
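Review bot: The "Affected and fixed versions" section lists only `Fixed in` lines, so a reader cannot tell from this announcement which release first carried the bug. If the introducing commit was not determined, the section should say so in words, for example `Introducing commit not identified; releases older than the fixed versions above are treated as affected.` The description is also limited to the two bullet items taken from the upstream changelog and names no function, so the two paths under "Affected files" are the only pointer a triager has for deciding whether the AMD display code in question is built into their kernel. The same gap is present in the CVE-2024-26768, CVE-2024-26769 and CVE-2024-26770 .mbox hunks.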
diff --git a/cve/published/2024/CVE-2024-26767.sha1 b/cve/published/2024/CVE-2024-26767.sha1
new file mode 100644
index 00000000..faaee087
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26767.sha1
@@ -0,0 +1 @@
+0484e05d048b66d01d1f3c1d2306010bb57d8738
diff --git a/cve/reserved/2024/CVE-2024-26768 b/cve/published/2024/CVE-2024-26768
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26768
+++ b/cve/published/2024/CVE-2024-26768
diff --git a/cve/published/2024/CVE-2024-26768.json b/cve/published/2024/CVE-2024-26768.json
new file mode 100644
index 00000000..d8902e43
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26768.json
@@ -0,0 +1,93 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: Change acpi_core_pic[NR_CPUS] to acpi_core_pic[MAX_CORE_PIC]\n\nWith default config, the value of NR_CPUS is 64. When HW platform has\nmore then 64 cpus, system will crash on these platforms. MAX_CORE_PIC\nis the maximum cpu number in MADT table (max physical number) which can\nexceed the supported maximum cpu number (NR_CPUS, max logical number),\nbut kernel should not crash. Kernel should boot cpus with NR_CPUS, let\nthe remainder cpus stay in BIOS.\n\nThe potential crash reason is that the array acpi_core_pic[NR_CPUS] can\nbe overflowed when parsing MADT table, and it is obvious that CORE_PIC\nshould be corresponding to physical core rather than logical core, so it\nis better to define the array as acpi_core_pic[MAX_CORE_PIC].\n\nWith the patch, system can boot up 64 vcpus with qemu parameter -smp 128,\notherwise system will crash with the following message.\n\n[ 0.000000] CPU 0 Unable to handle kernel paging request at virtual address 0000420000004259, era == 90000000037a5f0c, ra == 90000000037a46ec\n[ 0.000000] Oops[#1]:\n[ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 6.8.0-rc2+ #192\n[ 0.000000] Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 2/2/2022\n[ 0.000000] pc 90000000037a5f0c ra 90000000037a46ec tp 9000000003c90000 sp 9000000003c93d60\n[ 0.000000] a0 0000000000000019 a1 9000000003d93bc0 a2 0000000000000000 a3 9000000003c93bd8\n[ 0.000000] a4 9000000003c93a74 a5 9000000083c93a67 a6 9000000003c938f0 a7 0000000000000005\n[ 0.000000] t0 0000420000004201 t1 0000000000000000 t2 0000000000000001 t3 0000000000000001\n[ 0.000000] t4 0000000000000003 t5 0000000000000000 t6 0000000000000030 t7 0000000000000063\n[ 0.000000] t8 0000000000000014 u0 ffffffffffffffff s9 0000000000000000 s0 9000000003caee98\n[ 0.000000] s1 90000000041b0480 s2 9000000003c93da0 s3 9000000003c93d98 s4 9000000003c93d90\n[ 0.000000] s5 9000000003caa000 s6 000000000a7fd000 s7 
000000000f556b60 s8 000000000e0a4330\n[ 0.000000] ra: 90000000037a46ec platform_init+0x214/0x250\n[ 0.000000] ERA: 90000000037a5f0c efi_runtime_init+0x30/0x94\n[ 0.000000] CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)\n[ 0.000000] PRMD: 00000000 (PPLV0 -PIE -PWE)\n[ 0.000000] EUEN: 00000000 (-FPE -SXE -ASXE -BTE)\n[ 0.000000] ECFG: 00070800 (LIE=11 VS=7)\n[ 0.000000] ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0)\n[ 0.000000] BADV: 0000420000004259\n[ 0.000000] PRID: 0014c010 (Loongson-64bit, Loongson-3A5000)\n[ 0.000000] Modules linked in:\n[ 0.000000] Process swapper (pid: 0, threadinfo=(____ptrval____), task=(____ptrval____))\n[ 0.000000] Stack : 9000000003c93a14 9000000003800898 90000000041844f8 90000000037a46ec\n[ 0.000000] 000000000a7fd000 0000000008290000 0000000000000000 0000000000000000\n[ 0.000000] 0000000000000000 0000000000000000 00000000019d8000 000000000f556b60\n[ 0.000000] 000000000a7fd000 000000000f556b08 9000000003ca7700 9000000003800000\n[ 0.000000] 9000000003c93e50 9000000003800898 9000000003800108 90000000037a484c\n[ 0.000000] 000000000e0a4330 000000000f556b60 000000000a7fd000 000000000f556b08\n[ 0.000000] 9000000003ca7700 9000000004184000 0000000000200000 000000000e02b018\n[ 0.000000] 000000000a7fd000 90000000037a0790 9000000003800108 0000000000000000\n[ 0.000000] 0000000000000000 000000000e0a4330 000000000f556b60 000000000a7fd000\n[ 0.000000] 000000000f556b08 000000000eaae298 000000000eaa5040 0000000000200000\n[ 0.000000] ...\n[ 0.000000] Call Trace:\n[ 0.000000] [<90000000037a5f0c>] efi_runtime_init+0x30/0x94\n[ 0.000000] [<90000000037a46ec>] platform_init+0x214/0x250\n[ 0.000000] [<90000000037a484c>] setup_arch+0x124/0x45c\n[ 0.000000] [<90000000037a0790>] start_kernel+0x90/0x670\n[ 0.000000] [<900000000378b0d8>] kernel_entry+0xd8/0xdc"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "88e189bd16e5",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "0f6810e39898",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "4551b30525cf",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/88e189bd16e5889e44a41b3309558ebab78b9280"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/0f6810e39898af2d2cabd9313e4dbc945fb5dfdd"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/4551b30525cf3d2f026b92401ffe241eb04dfebe"
+ }
+ ],
+ "title": "LoongArch: Change acpi_core_pic[NR_CPUS] to acpi_core_pic[MAX_CORE_PIC]",
+ "x_generator": {
+ "engine": "bippy-d3b290d2becc"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26768",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
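Review bot: Every entry in the git-typed `versions` list starts at `"version": "1da177e4c3f4"`, the first commit in the kernel's git history, and the second `affected` block sets `"defaultStatus": "affected"` with no lower bound, so the record states that every kernel older than 6.6.19 is vulnerable. For this CVE that range looks too wide: the title and the crash log are LoongArch-specific, and that port cannot be present in the oldest trees the range covers. Tools that match on this data will flag stable series that never contained the array. Where the introducing commit can be found it should replace what appears to be a default start, e.g. `"version": "<introducing-commit>"`, with a matching lower bound in the release-number block. The CVE-2024-26769, CVE-2024-26770 and CVE-2024-26771 .json hunks use the same `1da177e4c3f4` start.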
diff --git a/cve/published/2024/CVE-2024-26768.mbox b/cve/published/2024/CVE-2024-26768.mbox
new file mode 100644
index 00000000..2ed740fd
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26768.mbox
@@ -0,0 +1,121 @@
+From bippy-d3b290d2becc Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26768: LoongArch: Change acpi_core_pic[NR_CPUS] to acpi_core_pic[MAX_CORE_PIC]
+Message-Id: <2024040307-CVE-2024-26768-efa4@gregkh>
+Content-Length: 5449
+Lines: 104
+X-Developer-Signature: v=1; a=openpgp-sha256; l=5554;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=i4xg3XsVNrFqEmQNY0J5rgCB9uGfjiSFuMVsBLsc4kM=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGm8k6In99/Qdsr3NzaKVKn2rXunY9XVrvRGRKPJut75/
+ 7qvduIdsSwMgkwMsmKKLF+28RzdX3FI0cvQ9jTMHFYmkCEMXJwCMJGjEQxzRVoFtCI3TNr6rX3X
+ 9VVv9qrN3ZanyrBgl/D2s1mztUoyDkao+R15trJ+3tZkAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+LoongArch: Change acpi_core_pic[NR_CPUS] to acpi_core_pic[MAX_CORE_PIC]
+
+With default config, the value of NR_CPUS is 64. When HW platform has
+more then 64 cpus, system will crash on these platforms. MAX_CORE_PIC
+is the maximum cpu number in MADT table (max physical number) which can
+exceed the supported maximum cpu number (NR_CPUS, max logical number),
+but kernel should not crash. Kernel should boot cpus with NR_CPUS, let
+the remainder cpus stay in BIOS.
+
+The potential crash reason is that the array acpi_core_pic[NR_CPUS] can
+be overflowed when parsing MADT table, and it is obvious that CORE_PIC
+should be corresponding to physical core rather than logical core, so it
+is better to define the array as acpi_core_pic[MAX_CORE_PIC].
+
+With the patch, system can boot up 64 vcpus with qemu parameter -smp 128,
+otherwise system will crash with the following message.
+
+[ 0.000000] CPU 0 Unable to handle kernel paging request at virtual address 0000420000004259, era == 90000000037a5f0c, ra == 90000000037a46ec
+[ 0.000000] Oops[#1]:
+[ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 6.8.0-rc2+ #192
+[ 0.000000] Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 2/2/2022
+[ 0.000000] pc 90000000037a5f0c ra 90000000037a46ec tp 9000000003c90000 sp 9000000003c93d60
+[ 0.000000] a0 0000000000000019 a1 9000000003d93bc0 a2 0000000000000000 a3 9000000003c93bd8
+[ 0.000000] a4 9000000003c93a74 a5 9000000083c93a67 a6 9000000003c938f0 a7 0000000000000005
+[ 0.000000] t0 0000420000004201 t1 0000000000000000 t2 0000000000000001 t3 0000000000000001
+[ 0.000000] t4 0000000000000003 t5 0000000000000000 t6 0000000000000030 t7 0000000000000063
+[ 0.000000] t8 0000000000000014 u0 ffffffffffffffff s9 0000000000000000 s0 9000000003caee98
+[ 0.000000] s1 90000000041b0480 s2 9000000003c93da0 s3 9000000003c93d98 s4 9000000003c93d90
+[ 0.000000] s5 9000000003caa000 s6 000000000a7fd000 s7 000000000f556b60 s8 000000000e0a4330
+[ 0.000000] ra: 90000000037a46ec platform_init+0x214/0x250
+[ 0.000000] ERA: 90000000037a5f0c efi_runtime_init+0x30/0x94
+[ 0.000000] CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)
+[ 0.000000] PRMD: 00000000 (PPLV0 -PIE -PWE)
+[ 0.000000] EUEN: 00000000 (-FPE -SXE -ASXE -BTE)
+[ 0.000000] ECFG: 00070800 (LIE=11 VS=7)
+[ 0.000000] ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0)
+[ 0.000000] BADV: 0000420000004259
+[ 0.000000] PRID: 0014c010 (Loongson-64bit, Loongson-3A5000)
+[ 0.000000] Modules linked in:
+[ 0.000000] Process swapper (pid: 0, threadinfo=(____ptrval____), task=(____ptrval____))
+[ 0.000000] Stack : 9000000003c93a14 9000000003800898 90000000041844f8 90000000037a46ec
+[ 0.000000] 000000000a7fd000 0000000008290000 0000000000000000 0000000000000000
+[ 0.000000] 0000000000000000 0000000000000000 00000000019d8000 000000000f556b60
+[ 0.000000] 000000000a7fd000 000000000f556b08 9000000003ca7700 9000000003800000
+[ 0.000000] 9000000003c93e50 9000000003800898 9000000003800108 90000000037a484c
+[ 0.000000] 000000000e0a4330 000000000f556b60 000000000a7fd000 000000000f556b08
+[ 0.000000] 9000000003ca7700 9000000004184000 0000000000200000 000000000e02b018
+[ 0.000000] 000000000a7fd000 90000000037a0790 9000000003800108 0000000000000000
+[ 0.000000] 0000000000000000 000000000e0a4330 000000000f556b60 000000000a7fd000
+[ 0.000000] 000000000f556b08 000000000eaae298 000000000eaa5040 0000000000200000
+[ 0.000000] ...
+[ 0.000000] Call Trace:
+[ 0.000000] [<90000000037a5f0c>] efi_runtime_init+0x30/0x94
+[ 0.000000] [<90000000037a46ec>] platform_init+0x214/0x250
+[ 0.000000] [<90000000037a484c>] setup_arch+0x124/0x45c
+[ 0.000000] [<90000000037a0790>] start_kernel+0x90/0x670
+[ 0.000000] [<900000000378b0d8>] kernel_entry+0xd8/0xdc
+
+The Linux kernel CVE team has assigned CVE-2024-26768 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 6.6.19 with commit 88e189bd16e5
+ Fixed in 6.7.7 with commit 0f6810e39898
+ Fixed in 6.8 with commit 4551b30525cf
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26768
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ arch/loongarch/include/asm/acpi.h
+ arch/loongarch/kernel/acpi.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/88e189bd16e5889e44a41b3309558ebab78b9280
+ https://git.kernel.org/stable/c/0f6810e39898af2d2cabd9313e4dbc945fb5dfdd
+ https://git.kernel.org/stable/c/4551b30525cf3d2f026b92401ffe241eb04dfebe
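Review bot: The Description section reproduces the whole boot oops, including the register dump and the raw stack words on the `[ 0.000000]` lines, which buries the one sentence that states the defect: `acpi_core_pic[NR_CPUS]` can be overflowed while parsing the MADT table. For an advisory, the `Unable to handle kernel paging request` line and the `Call Trace:` block are enough to recognise the crash; the register and stack lines could be cut or collapsed to a single `[ 0.000000] ...`. The same text is carried in the `descriptions` value of the CVE-2024-26768.json hunk, so any trimming should be applied to both files.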
diff --git a/cve/published/2024/CVE-2024-26768.sha1 b/cve/published/2024/CVE-2024-26768.sha1
new file mode 100644
index 00000000..b6da3fbf
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26768.sha1
@@ -0,0 +1 @@
+4551b30525cf3d2f026b92401ffe241eb04dfebe
diff --git a/cve/reserved/2024/CVE-2024-26769 b/cve/published/2024/CVE-2024-26769
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26769
+++ b/cve/published/2024/CVE-2024-26769
diff --git a/cve/published/2024/CVE-2024-26769.json b/cve/published/2024/CVE-2024-26769.json
new file mode 100644
index 00000000..2e6559e7
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26769.json
@@ -0,0 +1,123 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-fc: avoid deadlock on delete association path\n\nWhen deleting an association the shutdown path is deadlocking because we\ntry to flush the nvmet_wq nested. Avoid this by deadlock by deferring\nthe put work into its own work item."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "5e0bc09a52b6",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "9e6987f8937a",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "eaf0971fdabf",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "1d86f7928720",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "710c69dbaccd",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.15.150",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.80",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/5e0bc09a52b6169ce90f7ac6e195791adb16cec4"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/9e6987f8937a7bd7516aa52f25cb7e12c0c92ee8"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/eaf0971fdabf2a93c1429dc6bedf3bbe85dffa30"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/1d86f79287206deec36d63b89c741cf542b6cadd"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/710c69dbaccdac312e32931abcb8499c1525d397"
+ }
+ ],
+ "title": "nvmet-fc: avoid deadlock on delete association path",
+ "x_generator": {
+ "engine": "bippy-d3b290d2becc"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26769",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26769.mbox b/cve/published/2024/CVE-2024-26769.mbox
new file mode 100644
index 00000000..e432ef27
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26769.mbox
@@ -0,0 +1,72 @@
+From bippy-d3b290d2becc Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26769: nvmet-fc: avoid deadlock on delete association path
+Message-Id: <2024040307-CVE-2024-26769-e9cc@gregkh>
+Content-Length: 2018
+Lines: 55
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2074;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=LhgInaNiML2XM1nZzlK9kv1RCr7Z+Rcpq6QLtTMi5Ys=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGm8k6I58ptjtF8I1F8Sadtcs3mxfD9jbJmCKy9T4YmEV
+ rl2H+WOWBYGQSYGWTFFli/beI7urzik6GVoexpmDisTyBAGLk4BmIh5JcP8rFCTjcd5ZtX2nlhj
+ 3hLC7Tvl7ruFDAs2er85yDCj+7yn9z67A2+WLF+bEyAIAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+nvmet-fc: avoid deadlock on delete association path
+
+When deleting an association the shutdown path is deadlocking because we
+try to flush the nvmet_wq nested. Avoid this by deadlock by deferring
+the put work into its own work item.
+
+The Linux kernel CVE team has assigned CVE-2024-26769 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 5.15.150 with commit 5e0bc09a52b6
+ Fixed in 6.1.80 with commit 9e6987f8937a
+ Fixed in 6.6.19 with commit eaf0971fdabf
+ Fixed in 6.7.7 with commit 1d86f7928720
+ Fixed in 6.8 with commit 710c69dbaccd
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26769
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/nvme/target/fc.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/5e0bc09a52b6169ce90f7ac6e195791adb16cec4
+ https://git.kernel.org/stable/c/9e6987f8937a7bd7516aa52f25cb7e12c0c92ee8
+ https://git.kernel.org/stable/c/eaf0971fdabf2a93c1429dc6bedf3bbe85dffa30
+ https://git.kernel.org/stable/c/1d86f79287206deec36d63b89c741cf542b6cadd
+ https://git.kernel.org/stable/c/710c69dbaccdac312e32931abcb8499c1525d397
diff --git a/cve/published/2024/CVE-2024-26769.sha1 b/cve/published/2024/CVE-2024-26769.sha1
new file mode 100644
index 00000000..76bc669c
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26769.sha1
@@ -0,0 +1 @@
+710c69dbaccdac312e32931abcb8499c1525d397
diff --git a/cve/reserved/2024/CVE-2024-26770 b/cve/published/2024/CVE-2024-26770
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26770
+++ b/cve/published/2024/CVE-2024-26770
diff --git a/cve/published/2024/CVE-2024-26770.json b/cve/published/2024/CVE-2024-26770.json
new file mode 100644
index 00000000..eda6439f
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26770.json
@@ -0,0 +1,93 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: nvidia-shield: Add missing null pointer checks to LED initialization\n\ndevm_kasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure. Ensure the allocation was successful\nby checking the pointer validity.\n\n[jkosina@suse.com: tweak changelog a bit]"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "83527a13740f",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "e71cc4a1e584",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "b6eda11c44dc",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/83527a13740f57b45f162e3af4c7db4b88521100"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/e71cc4a1e584293deafff1a7dea614b0210d0443"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/b6eda11c44dc89a681e1c105f0f4660e69b1e183"
+ }
+ ],
+ "title": "HID: nvidia-shield: Add missing null pointer checks to LED initialization",
+ "x_generator": {
+ "engine": "bippy-d3b290d2becc"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26770",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26770.mbox b/cve/published/2024/CVE-2024-26770.mbox
new file mode 100644
index 00000000..521ea8e2
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26770.mbox
@@ -0,0 +1,70 @@
+From bippy-d3b290d2becc Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26770: HID: nvidia-shield: Add missing null pointer checks to LED initialization
+Message-Id: <2024040307-CVE-2024-26770-1c08@gregkh>
+Content-Length: 1846
+Lines: 53
+X-Developer-Signature: v=1; a=openpgp-sha256; l=1900;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=HnXXXrMzvT3u0HWgvAmbqzQ9Zcm12vpX1L1wb/kHMM4=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGm8k6L1wrex6LxXXM0epd91fsfq+zkFj++ZLVQ6ocLz/
+ njrzi+ZHbEsDIJMDLJiiixftvEc3V9xSNHL0PY0zBxWJpAhDFycAjCRjUEM8+zWpDUctu+UTlwk
+ 5/lHZILmo/XHchnmmR+Rvr/TyPrMPf92jpCwfeb2TJ/+AQA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+HID: nvidia-shield: Add missing null pointer checks to LED initialization
+
+devm_kasprintf() returns a pointer to dynamically allocated memory
+which can be NULL upon failure. Ensure the allocation was successful
+by checking the pointer validity.
+
+[jkosina@suse.com: tweak changelog a bit]
+
+The Linux kernel CVE team has assigned CVE-2024-26770 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 6.6.19 with commit 83527a13740f
+ Fixed in 6.7.7 with commit e71cc4a1e584
+ Fixed in 6.8 with commit b6eda11c44dc
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26770
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/hid/hid-nvidia-shield.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/83527a13740f57b45f162e3af4c7db4b88521100
+ https://git.kernel.org/stable/c/e71cc4a1e584293deafff1a7dea614b0210d0443
+ https://git.kernel.org/stable/c/b6eda11c44dc89a681e1c105f0f4660e69b1e183
diff --git a/cve/published/2024/CVE-2024-26770.sha1 b/cve/published/2024/CVE-2024-26770.sha1
new file mode 100644
index 00000000..efe7caa1
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26770.sha1
@@ -0,0 +1 @@
+b6eda11c44dc89a681e1c105f0f4660e69b1e183
diff --git a/cve/reserved/2024/CVE-2024-26771 b/cve/published/2024/CVE-2024-26771
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26771
+++ b/cve/published/2024/CVE-2024-26771
diff --git a/cve/published/2024/CVE-2024-26771.json b/cve/published/2024/CVE-2024-26771.json
new file mode 100644
index 00000000..f670e35a
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26771.json
@@ -0,0 +1,138 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: ti: edma: Add some null pointer checks to the edma_probe\n\ndevm_kasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure. Ensure the allocation was successful\nby checking the pointer validity."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "c432094aa7c9",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "4fe4e5adc7d2",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "9d508c897153",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "7b24760f3a3c",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "f2a5e30d1e9a",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "6e2276203ac9",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.10.211",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.150",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.80",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/c432094aa7c9970f2fa10d2305d550d3810657ce"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/4fe4e5adc7d29d214c59b59f61db73dec505ca3d"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/9d508c897153ae8dd79303f7f035f078139f6b49"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/7b24760f3a3c7ae1a176d343136b6c25174b7b27"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/f2a5e30d1e9a629de6179fa23923a318d5feb29e"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/6e2276203ac9ff10fc76917ec9813c660f627369"
+ }
+ ],
+ "title": "dmaengine: ti: edma: Add some null pointer checks to the edma_probe",
+ "x_generator": {
+ "engine": "bippy-d3b290d2becc"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26771",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26771.mbox b/cve/published/2024/CVE-2024-26771.mbox
new file mode 100644
index 00000000..d2776ca3
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26771.mbox
@@ -0,0 +1,74 @@
+From bippy-d3b290d2becc Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26771: dmaengine: ti: edma: Add some null pointer checks to the edma_probe
+Message-Id: <2024040307-CVE-2024-26771-b6de@gregkh>
+Content-Length: 2139
+Lines: 57
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2197;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=enXfd0sGj75sgjvw55bQFv3akHvHg0/6Ad5IVqReNdM=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGm8k2JSRZKlG+We6hxuXP39D6uBUfsVvbuLXf/b9XC9+
+ BbksnRtRywLgyATg6yYIsuXbTxH91ccUvQytD0NM4eVCWQIAxenAEyELYJhrvA/9dUnPX/Ib6g4
+ /vzV52ZltuSzygwLmlS3dt2I6BGaeaWpbade7/TuaNEuAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+dmaengine: ti: edma: Add some null pointer checks to the edma_probe
+
+devm_kasprintf() returns a pointer to dynamically allocated memory
+which can be NULL upon failure. Ensure the allocation was successful
+by checking the pointer validity.
+
+The Linux kernel CVE team has assigned CVE-2024-26771 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 5.10.211 with commit c432094aa7c9
+ Fixed in 5.15.150 with commit 4fe4e5adc7d2
+ Fixed in 6.1.80 with commit 9d508c897153
+ Fixed in 6.6.19 with commit 7b24760f3a3c
+ Fixed in 6.7.7 with commit f2a5e30d1e9a
+ Fixed in 6.8 with commit 6e2276203ac9
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26771
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/dma/ti/edma.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/c432094aa7c9970f2fa10d2305d550d3810657ce
+ https://git.kernel.org/stable/c/4fe4e5adc7d29d214c59b59f61db73dec505ca3d
+ https://git.kernel.org/stable/c/9d508c897153ae8dd79303f7f035f078139f6b49
+ https://git.kernel.org/stable/c/7b24760f3a3c7ae1a176d343136b6c25174b7b27
+ https://git.kernel.org/stable/c/f2a5e30d1e9a629de6179fa23923a318d5feb29e
+ https://git.kernel.org/stable/c/6e2276203ac9ff10fc76917ec9813c660f627369
diff --git a/cve/published/2024/CVE-2024-26771.sha1 b/cve/published/2024/CVE-2024-26771.sha1
new file mode 100644
index 00000000..385f967b
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26771.sha1
@@ -0,0 +1 @@
+6e2276203ac9ff10fc76917ec9813c660f627369
diff --git a/cve/reserved/2024/CVE-2024-26772 b/cve/published/2024/CVE-2024-26772
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26772
+++ b/cve/published/2024/CVE-2024-26772
diff --git a/cve/published/2024/CVE-2024-26772.json b/cve/published/2024/CVE-2024-26772.json
new file mode 100644
index 00000000..5b5cf9d5
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26772.json
@@ -0,0 +1,168 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: avoid allocating blocks from corrupted group in ext4_mb_find_by_goal()\n\nPlaces the logic for checking if the group's block bitmap is corrupt under\nthe protection of the group lock to avoid allocating blocks from the group\nwith a corrupted block bitmap."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "5a6dcc4ad0f7",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "6b92b1bc16d6",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "ffeb72a80a82",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "8de8305a25bf",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "d639102f4cbd",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "d3bbe77a76bc",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "21dbe20589c7",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "832698373a25",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "4.19.308",
+ "lessThanOrEqual": "4.19.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.270",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.211",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.150",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.80",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/5a6dcc4ad0f7f7fa8e8d127b5526e7c5f2d38a43"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/6b92b1bc16d691c95b152c6dbf027ad64315668d"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/ffeb72a80a82aba59a6774b0611f792e0ed3b0b7"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/8de8305a25bfda607fc13475ebe84b978c96d7ff"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/d639102f4cbd4cb65d1225dba3b9265596aab586"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/d3bbe77a76bc52e9d4d0a120f1509be36e25c916"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/21dbe20589c7f48e9c5d336ce6402bcebfa6d76a"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/832698373a25950942c04a512daa652c18a9b513"
+ }
+ ],
+ "title": "ext4: avoid allocating blocks from corrupted group in ext4_mb_find_by_goal()",
+ "x_generator": {
+ "engine": "bippy-d3b290d2becc"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26772",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26772.mbox b/cve/published/2024/CVE-2024-26772.mbox
new file mode 100644
index 00000000..5791b070
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26772.mbox
@@ -0,0 +1,78 @@
+From bippy-d3b290d2becc Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26772: ext4: avoid allocating blocks from corrupted group in ext4_mb_find_by_goal()
+Message-Id: <2024040308-CVE-2024-26772-5168@gregkh>
+Content-Length: 2390
+Lines: 61
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2452;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=pmXTZI2EdALtY7P18hbv1n9PIynpHJ52RQc3/qyvQO0=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGm8k2Jy1k9XmMi5NNvd0cl0ucO3q/Gmpe9zw96xf3501
+ OnXnZWXO2JZGASZGGTFFFm+bOM5ur/ikKKXoe1pmDmsTCBDGLg4BWAi5xMZ5mdw965T/mOfG/+q
+ 88wC1eyEq1+4LRgWLD6d3MEy5Xm4eS3b94Dt0roPYpaHAQA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+ext4: avoid allocating blocks from corrupted group in ext4_mb_find_by_goal()
+
+Places the logic for checking if the group's block bitmap is corrupt under
+the protection of the group lock to avoid allocating blocks from the group
+with a corrupted block bitmap.
+
+The Linux kernel CVE team has assigned CVE-2024-26772 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 4.19.308 with commit 5a6dcc4ad0f7
+ Fixed in 5.4.270 with commit 6b92b1bc16d6
+ Fixed in 5.10.211 with commit ffeb72a80a82
+ Fixed in 5.15.150 with commit 8de8305a25bf
+ Fixed in 6.1.80 with commit d639102f4cbd
+ Fixed in 6.6.19 with commit d3bbe77a76bc
+ Fixed in 6.7.7 with commit 21dbe20589c7
+ Fixed in 6.8 with commit 832698373a25
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26772
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ fs/ext4/mballoc.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/5a6dcc4ad0f7f7fa8e8d127b5526e7c5f2d38a43
+ https://git.kernel.org/stable/c/6b92b1bc16d691c95b152c6dbf027ad64315668d
+ https://git.kernel.org/stable/c/ffeb72a80a82aba59a6774b0611f792e0ed3b0b7
+ https://git.kernel.org/stable/c/8de8305a25bfda607fc13475ebe84b978c96d7ff
+ https://git.kernel.org/stable/c/d639102f4cbd4cb65d1225dba3b9265596aab586
+ https://git.kernel.org/stable/c/d3bbe77a76bc52e9d4d0a120f1509be36e25c916
+ https://git.kernel.org/stable/c/21dbe20589c7f48e9c5d336ce6402bcebfa6d76a
+ https://git.kernel.org/stable/c/832698373a25950942c04a512daa652c18a9b513
diff --git a/cve/published/2024/CVE-2024-26772.sha1 b/cve/published/2024/CVE-2024-26772.sha1
new file mode 100644
index 00000000..409322f5
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26772.sha1
@@ -0,0 +1 @@
+832698373a25950942c04a512daa652c18a9b513
diff --git a/cve/reserved/2024/CVE-2024-26773 b/cve/published/2024/CVE-2024-26773
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26773
+++ b/cve/published/2024/CVE-2024-26773
diff --git a/cve/published/2024/CVE-2024-26773.json b/cve/published/2024/CVE-2024-26773.json
new file mode 100644
index 00000000..e0f6a100
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26773.json
@@ -0,0 +1,168 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: avoid allocating blocks from corrupted group in ext4_mb_try_best_found()\n\nDetermine if the group block bitmap is corrupted before using ac_b_ex in\next4_mb_try_best_found() to avoid allocating blocks from a group with a\ncorrupted block bitmap in the following concurrency and making the\nsituation worse.\n\next4_mb_regular_allocator\n ext4_lock_group(sb, group)\n ext4_mb_good_group\n // check if the group bbitmap is corrupted\n ext4_mb_complex_scan_group\n // Scan group gets ac_b_ex but doesn't use it\n ext4_unlock_group(sb, group)\n ext4_mark_group_bitmap_corrupted(group)\n // The block bitmap was corrupted during\n // the group unlock gap.\n ext4_mb_try_best_found\n ext4_lock_group(ac->ac_sb, group)\n ext4_mb_use_best_found\n mb_mark_used\n // Allocating blocks in block bitmap corrupted group"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "21f8cfe79f77",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "260fc96283c0",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "927794a02169",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "4c21fa60a6f4",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "f97e75fa4e12",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "0184747b552d",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "a2576ae9a35c",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "4530b3660d39",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "4.19.308",
+ "lessThanOrEqual": "4.19.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.270",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.211",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.150",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.80",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/21f8cfe79f776287459343e9cfa6055af61328ea"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/260fc96283c0f594de18a1b045faf6d8fb42874d"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/927794a02169778c9c2e7b25c768ab3ea8c1dc03"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/4c21fa60a6f4606f6214a38f50612b17b2f738f5"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/f97e75fa4e12b0aa0224e83fcbda8853ac2adf36"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/0184747b552d6b5a14db3b7fcc3b792ce64dedd1"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/a2576ae9a35c078e488f2c573e9e6821d651fbbe"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/4530b3660d396a646aad91a787b6ab37cf604b53"
+ }
+ ],
+ "title": "ext4: avoid allocating blocks from corrupted group in ext4_mb_try_best_found()",
+ "x_generator": {
+ "engine": "bippy-d3b290d2becc"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26773",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26773.mbox b/cve/published/2024/CVE-2024-26773.mbox
new file mode 100644
index 00000000..95e80890
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26773.mbox
@@ -0,0 +1,95 @@
+From bippy-d3b290d2becc Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26773: ext4: avoid allocating blocks from corrupted group in ext4_mb_try_best_found()
+Message-Id: <2024040308-CVE-2024-26773-a314@gregkh>
+Content-Length: 3027
+Lines: 78
+X-Developer-Signature: v=1; a=openpgp-sha256; l=3106;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=XmmRHDbYsMZSoTfqVAw0m6fbnY6SQdAzFs9QoaH2OGc=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGm8k2JcO350K7RtMW6YsGLXrU+u2eUx6nEZqTIqq5fJ2
+ DpqtSZ0xLIwCDIxyIopsnzZxnN0f8UhRS9D29Mwc1iZQIYwcHEKwER6JzHM97vpfev1Vz4rV6Mq
+ lhXt1289NfgkxzCH6++h1f5nv/7VdA2RsOqVLDsYz8cJAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+ext4: avoid allocating blocks from corrupted group in ext4_mb_try_best_found()
+
+Determine if the group block bitmap is corrupted before using ac_b_ex in
+ext4_mb_try_best_found() to avoid allocating blocks from a group with a
+corrupted block bitmap in the following concurrency and making the
+situation worse.
+
+ext4_mb_regular_allocator
+ ext4_lock_group(sb, group)
+ ext4_mb_good_group
+ // check if the group bbitmap is corrupted
+ ext4_mb_complex_scan_group
+ // Scan group gets ac_b_ex but doesn't use it
+ ext4_unlock_group(sb, group)
+ ext4_mark_group_bitmap_corrupted(group)
+ // The block bitmap was corrupted during
+ // the group unlock gap.
+ ext4_mb_try_best_found
+ ext4_lock_group(ac->ac_sb, group)
+ ext4_mb_use_best_found
+ mb_mark_used
+ // Allocating blocks in block bitmap corrupted group
+
+The Linux kernel CVE team has assigned CVE-2024-26773 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 4.19.308 with commit 21f8cfe79f77
+ Fixed in 5.4.270 with commit 260fc96283c0
+ Fixed in 5.10.211 with commit 927794a02169
+ Fixed in 5.15.150 with commit 4c21fa60a6f4
+ Fixed in 6.1.80 with commit f97e75fa4e12
+ Fixed in 6.6.19 with commit 0184747b552d
+ Fixed in 6.7.7 with commit a2576ae9a35c
+ Fixed in 6.8 with commit 4530b3660d39
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26773
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ fs/ext4/mballoc.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/21f8cfe79f776287459343e9cfa6055af61328ea
+ https://git.kernel.org/stable/c/260fc96283c0f594de18a1b045faf6d8fb42874d
+ https://git.kernel.org/stable/c/927794a02169778c9c2e7b25c768ab3ea8c1dc03
+ https://git.kernel.org/stable/c/4c21fa60a6f4606f6214a38f50612b17b2f738f5
+ https://git.kernel.org/stable/c/f97e75fa4e12b0aa0224e83fcbda8853ac2adf36
+ https://git.kernel.org/stable/c/0184747b552d6b5a14db3b7fcc3b792ce64dedd1
+ https://git.kernel.org/stable/c/a2576ae9a35c078e488f2c573e9e6821d651fbbe
+ https://git.kernel.org/stable/c/4530b3660d396a646aad91a787b6ab37cf604b53
diff --git a/cve/published/2024/CVE-2024-26773.sha1 b/cve/published/2024/CVE-2024-26773.sha1
new file mode 100644
index 00000000..6f84d52f
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26773.sha1
@@ -0,0 +1 @@
+4530b3660d396a646aad91a787b6ab37cf604b53
diff --git a/cve/reserved/2024/CVE-2024-26774 b/cve/published/2024/CVE-2024-26774
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26774
+++ b/cve/published/2024/CVE-2024-26774
diff --git a/cve/published/2024/CVE-2024-26774.json b/cve/published/2024/CVE-2024-26774.json
new file mode 100644
index 00000000..ac6d7384
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26774.json
@@ -0,0 +1,123 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: avoid dividing by 0 in mb_update_avg_fragment_size() when block bitmap corrupt\n\nDetermine if bb_fragments is 0 instead of determining bb_free to eliminate\nthe risk of dividing by zero when the block bitmap is corrupted."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "687061cfaa2a",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "8b40eb2e716b",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "f32d2a745b02",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "8cf9cc602cfb",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "993bf0f4c393",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.15.150",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.80",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/687061cfaa2ac3095170e136dd9c29a4974f41d4"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/8b40eb2e716b503f7a4e1090815a17b1341b2150"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/f32d2a745b02123258026e105a008f474f896d6a"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/8cf9cc602cfb40085967c0d140e32691c8b71cf3"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/993bf0f4c393b3667830918f9247438a8f6fdb5b"
+ }
+ ],
+ "title": "ext4: avoid dividing by 0 in mb_update_avg_fragment_size() when block bitmap corrupt",
+ "x_generator": {
+ "engine": "bippy-d3b290d2becc"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26774",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
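Review bot: Every git-range entry in the first `affected` block starts at `1da177e4c3f4`, the first commit in the kernel's git history, so the record marks all kernels as affected, while the second block lists fixes only from `5.15.150` upward under `"defaultStatus": "affected"`. Version-matching scanners will therefore report 4.19.y, 5.4.y and 5.10.y as vulnerable with no fixed release. CVE-2024-26772 in this same commit does carry 4.19.308, 5.4.270 and 5.10.211 fixes, so the missing backports here suggest, but do not prove, that the affected code is absent from those branches. If the introducing commit can be identified, the ranges should start there, e.g. `"version": "<introducing-commit>"` in place of `1da177e4c3f4`, with a matching `"status": "affected"` entry for the release that introduced it. The same pattern appears in CVE-2024-26775.json, whose fixes start at `6.1.80`.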
diff --git a/cve/published/2024/CVE-2024-26774.mbox b/cve/published/2024/CVE-2024-26774.mbox
new file mode 100644
index 00000000..1f91aa62
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26774.mbox
@@ -0,0 +1,71 @@
+From bippy-d3b290d2becc Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26774: ext4: avoid dividing by 0 in mb_update_avg_fragment_size() when block bitmap corrupt
+Message-Id: <2024040308-CVE-2024-26774-52d9@gregkh>
+Content-Length: 2004
+Lines: 54
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2059;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=+PJF6zPqNW359vge20WMvVNKpqTCoF0Rz5iXLCSgzoI=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGm8k2JC4t22iUzYYHRn3r3NU8O6Vu5U+DDhm9XTJk2Ou
+ p2nGb8u7ohlYRBkYpAVU2T5so3n6P6KQ4pehranYeawMoEMYeDiFICJJBxjmF90J6xlxbp4V8XT
+ cx/ftTt04PVzliSG+SH5T29MShdJeZapr/6CYVf+pFauEgA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+ext4: avoid dividing by 0 in mb_update_avg_fragment_size() when block bitmap corrupt
+
+Determine if bb_fragments is 0 instead of determining bb_free to eliminate
+the risk of dividing by zero when the block bitmap is corrupted.
+
+The Linux kernel CVE team has assigned CVE-2024-26774 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 5.15.150 with commit 687061cfaa2a
+ Fixed in 6.1.80 with commit 8b40eb2e716b
+ Fixed in 6.6.19 with commit f32d2a745b02
+ Fixed in 6.7.7 with commit 8cf9cc602cfb
+ Fixed in 6.8 with commit 993bf0f4c393
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26774
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ fs/ext4/mballoc.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/687061cfaa2ac3095170e136dd9c29a4974f41d4
+ https://git.kernel.org/stable/c/8b40eb2e716b503f7a4e1090815a17b1341b2150
+ https://git.kernel.org/stable/c/f32d2a745b02123258026e105a008f474f896d6a
+ https://git.kernel.org/stable/c/8cf9cc602cfb40085967c0d140e32691c8b71cf3
+ https://git.kernel.org/stable/c/993bf0f4c393b3667830918f9247438a8f6fdb5b
diff --git a/cve/published/2024/CVE-2024-26774.sha1 b/cve/published/2024/CVE-2024-26774.sha1
new file mode 100644
index 00000000..5a08a638
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26774.sha1
@@ -0,0 +1 @@
+993bf0f4c393b3667830918f9247438a8f6fdb5b
diff --git a/cve/reserved/2024/CVE-2024-26775 b/cve/published/2024/CVE-2024-26775
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26775
+++ b/cve/published/2024/CVE-2024-26775
diff --git a/cve/published/2024/CVE-2024-26775.json b/cve/published/2024/CVE-2024-26775.json
new file mode 100644
index 00000000..5422cbdd
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26775.json
@@ -0,0 +1,108 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\naoe: avoid potential deadlock at set_capacity\n\nMove set_capacity() outside of the section procected by (&d->lock).\nTo avoid possible interrupt unsafe locking scenario:\n\n CPU0 CPU1\n ---- ----\n[1] lock(&bdev->bd_size_lock);\n local_irq_disable();\n [2] lock(&d->lock);\n [3] lock(&bdev->bd_size_lock);\n <Interrupt>\n[4] lock(&d->lock);\n\n *** DEADLOCK ***\n\nWhere [1](&bdev->bd_size_lock) hold by zram_add()->set_capacity().\n[2]lock(&d->lock) hold by aoeblk_gdalloc(). And aoeblk_gdalloc()\nis trying to acquire [3](&bdev->bd_size_lock) at set_capacity() call.\nIn this situation an attempt to acquire [4]lock(&d->lock) from\naoecmd_cfg_rsp() will lead to deadlock.\n\nSo the simplest solution is breaking lock dependency\n[2](&d->lock) -> [3](&bdev->bd_size_lock) by moving set_capacity()\noutside."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "2d623c94fbba",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "673629018ba0",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "19a77b271638",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "e169bd4fb2b3",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.1.80",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/2d623c94fbba3554f4446ba6f3c764994e8b0d26"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/673629018ba04906899dcb631beec34d871f709c"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/19a77b27163820f793b4d022979ffdca8f659b77"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/e169bd4fb2b36c4b2bee63c35c740c85daeb2e86"
+ }
+ ],
+ "title": "aoe: avoid potential deadlock at set_capacity",
+ "x_generator": {
+ "engine": "bippy-d3b290d2becc"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26775",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26775.mbox b/cve/published/2024/CVE-2024-26775.mbox
new file mode 100644
index 00000000..eed10f13
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26775.mbox
@@ -0,0 +1,90 @@
+From bippy-d3b290d2becc Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26775: aoe: avoid potential deadlock at set_capacity
+Message-Id: <2024040309-CVE-2024-26775-8dc1@gregkh>
+Content-Length: 2595
+Lines: 73
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2669;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=XgGeM99czrP+qwBrf1VMzfazqYuLQ8XWwkA6gkJhgdE=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGm8k2I3bNy3+K+WjuAnZi3lM2VMPRvvuUgdLpzdzrA09
+ ZCb8IR5HbEsDIJMDLJiiixftvEc3V9xSNHL0PY0zBxWJpAhDFycAjCRPn2G+fH/JrzNvcOwf3bx
+ rC1msevOPr132JZhQV/nmbXGuw5PbJumKcPk+EtWqKA+FgA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+aoe: avoid potential deadlock at set_capacity
+
+Move set_capacity() outside of the section procected by (&d->lock).
+To avoid possible interrupt unsafe locking scenario:
+
+ CPU0 CPU1
+ ---- ----
+[1] lock(&bdev->bd_size_lock);
+ local_irq_disable();
+ [2] lock(&d->lock);
+ [3] lock(&bdev->bd_size_lock);
+ <Interrupt>
+[4] lock(&d->lock);
+
+ *** DEADLOCK ***
+
+Where [1](&bdev->bd_size_lock) hold by zram_add()->set_capacity().
+[2]lock(&d->lock) hold by aoeblk_gdalloc(). And aoeblk_gdalloc()
+is trying to acquire [3](&bdev->bd_size_lock) at set_capacity() call.
+In this situation an attempt to acquire [4]lock(&d->lock) from
+aoecmd_cfg_rsp() will lead to deadlock.
+
+So the simplest solution is breaking lock dependency
+[2](&d->lock) -> [3](&bdev->bd_size_lock) by moving set_capacity()
+outside.
+
+The Linux kernel CVE team has assigned CVE-2024-26775 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 6.1.80 with commit 2d623c94fbba
+ Fixed in 6.6.19 with commit 673629018ba0
+ Fixed in 6.7.7 with commit 19a77b271638
+ Fixed in 6.8 with commit e169bd4fb2b3
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26775
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/block/aoe/aoeblk.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/2d623c94fbba3554f4446ba6f3c764994e8b0d26
+ https://git.kernel.org/stable/c/673629018ba04906899dcb631beec34d871f709c
+ https://git.kernel.org/stable/c/19a77b27163820f793b4d022979ffdca8f659b77
+ https://git.kernel.org/stable/c/e169bd4fb2b36c4b2bee63c35c740c85daeb2e86
diff --git a/cve/published/2024/CVE-2024-26775.sha1 b/cve/published/2024/CVE-2024-26775.sha1
new file mode 100644
index 00000000..dbfb8aca
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26775.sha1
@@ -0,0 +1 @@
+e169bd4fb2b36c4b2bee63c35c740c85daeb2e86
diff --git a/cve/reserved/2024/CVE-2024-26776 b/cve/published/2024/CVE-2024-26776
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26776
+++ b/cve/published/2024/CVE-2024-26776
diff --git a/cve/published/2024/CVE-2024-26776.json b/cve/published/2024/CVE-2024-26776.json
new file mode 100644
index 00000000..022bb958
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26776.json
@@ -0,0 +1,138 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: hisi-sfc-v3xx: Return IRQ_NONE if no interrupts were detected\n\nReturn IRQ_NONE from the interrupt handler when no interrupt was\ndetected. Because an empty interrupt will cause a null pointer error:\n\n Unable to handle kernel NULL pointer dereference at virtual\n address 0000000000000008\n Call trace:\n complete+0x54/0x100\n hisi_sfc_v3xx_isr+0x2c/0x40 [spi_hisi_sfc_v3xx]\n __handle_irq_event_percpu+0x64/0x1e0\n handle_irq_event+0x7c/0x1cc"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "e94da8aca2e7",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "0399d7eba41d",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "f19361d570c6",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "d637b5118274",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "e4168ac25b4b",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "de8b6e1c231a",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.10.211",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.150",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.80",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/e94da8aca2e78ef9ecca02eb211869eacd5504e5"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/0399d7eba41d9b28f5bdd7757ec21a5b7046858d"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/f19361d570c67e7e014896fa2dacd7d721bf0aa8"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/d637b5118274701e8448f35953877daf04df18b4"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/e4168ac25b4bd378bd7dda322d589482a136c1fd"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/de8b6e1c231a95abf95ad097b993d34b31458ec9"
+ }
+ ],
+ "title": "spi: hisi-sfc-v3xx: Return IRQ_NONE if no interrupts were detected",
+ "x_generator": {
+ "engine": "bippy-d3b290d2becc"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26776",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
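Review bot: Every git range in the first `affected` block starts at `1da177e4c3f4`, and the second block sets `"defaultStatus": "affected"` while listing only `unaffected` entries, so the record marks every kernel older than each listed fix as vulnerable with no lower bound. If drivers/spi/spi-hisi-sfc-v3xx.c entered the tree later than that first commit (not visible on this page), scanners matching on this record will flag kernels that never contained the interrupt handler. When the introducing commit can be determined, I would use it as `"version"` in the git ranges and add `{"version": "<INTRODUCED_VERSION>", "status": "affected"}` plus `{"version": "0", "lessThan": "<INTRODUCED_VERSION>", "status": "unaffected", "versionType": "custom"}` to the second block. The same open-ended ranges appear in the CVE-2024-26777, CVE-2024-26778 and CVE-2024-26779 JSON hunks, and the matching .mbox files list only "Fixed in" lines.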
diff --git a/cve/published/2024/CVE-2024-26776.mbox b/cve/published/2024/CVE-2024-26776.mbox
new file mode 100644
index 00000000..e2eb2abe
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26776.mbox
@@ -0,0 +1,81 @@
+From bippy-d3b290d2becc Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26776: spi: hisi-sfc-v3xx: Return IRQ_NONE if no interrupts were detected
+Message-Id: <2024040309-CVE-2024-26776-8119@gregkh>
+Content-Length: 2386
+Lines: 64
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2451;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=nITdqCi/jk5SB6w8jrh1bQIu/ZBXoYNrNmYLAPvjHJs=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGm8k2JZJ/+ovB874e/N18eddR7v+fKn8Li04v5jYRNfz
+ PMQusSm3RHLwiDIxCArpsjyZRvP0f0VhxS9DG1Pw8xhZQIZwsDFKQATCTVkmB/l/7twa1Hea9fL
+ LVobVDYemrOGYwbD/OIpjCxMLAGW2hVfFaS7mD77SW2YDwA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+spi: hisi-sfc-v3xx: Return IRQ_NONE if no interrupts were detected
+
+Return IRQ_NONE from the interrupt handler when no interrupt was
+detected. Because an empty interrupt will cause a null pointer error:
+
+ Unable to handle kernel NULL pointer dereference at virtual
+ address 0000000000000008
+ Call trace:
+ complete+0x54/0x100
+ hisi_sfc_v3xx_isr+0x2c/0x40 [spi_hisi_sfc_v3xx]
+ __handle_irq_event_percpu+0x64/0x1e0
+ handle_irq_event+0x7c/0x1cc
+
+The Linux kernel CVE team has assigned CVE-2024-26776 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 5.10.211 with commit e94da8aca2e7
+ Fixed in 5.15.150 with commit 0399d7eba41d
+ Fixed in 6.1.80 with commit f19361d570c6
+ Fixed in 6.6.19 with commit d637b5118274
+ Fixed in 6.7.7 with commit e4168ac25b4b
+ Fixed in 6.8 with commit de8b6e1c231a
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26776
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/spi/spi-hisi-sfc-v3xx.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/e94da8aca2e78ef9ecca02eb211869eacd5504e5
+ https://git.kernel.org/stable/c/0399d7eba41d9b28f5bdd7757ec21a5b7046858d
+ https://git.kernel.org/stable/c/f19361d570c67e7e014896fa2dacd7d721bf0aa8
+ https://git.kernel.org/stable/c/d637b5118274701e8448f35953877daf04df18b4
+ https://git.kernel.org/stable/c/e4168ac25b4bd378bd7dda322d589482a136c1fd
+ https://git.kernel.org/stable/c/de8b6e1c231a95abf95ad097b993d34b31458ec9
diff --git a/cve/published/2024/CVE-2024-26776.sha1 b/cve/published/2024/CVE-2024-26776.sha1
new file mode 100644
index 00000000..b77bdc93
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26776.sha1
@@ -0,0 +1 @@
+de8b6e1c231a95abf95ad097b993d34b31458ec9
diff --git a/cve/reserved/2024/CVE-2024-26777 b/cve/published/2024/CVE-2024-26777
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26777
+++ b/cve/published/2024/CVE-2024-26777
diff --git a/cve/published/2024/CVE-2024-26777.json b/cve/published/2024/CVE-2024-26777.json
new file mode 100644
index 00000000..d2dfc2c6
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26777.json
@@ -0,0 +1,168 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: sis: Error out if pixclock equals zero\n\nThe userspace program could pass any values to the driver through\nioctl() interface. If the driver doesn't check the value of pixclock,\nit may cause divide-by-zero error.\n\nIn sisfb_check_var(), var->pixclock is used as a divisor to caculate\ndrate before it is checked against zero. Fix this by checking it\nat the beginning.\n\nThis is similar to CVE-2022-3061 in i740fb which was fixed by\ncommit 15cf0b8."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "84246c35ca34",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "6db07619d173",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "cd36da760bd1",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "df6e2088c6f4",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "f329523f6a65",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "99f1abc34a6d",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "1d11dd3ea5d0",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "e421946be7d9",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "4.19.308",
+ "lessThanOrEqual": "4.19.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.270",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.211",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.150",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.80",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/84246c35ca34207114055a87552a1c4289c8fd7e"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/6db07619d173765bd8622d63809cbfe361f04207"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/cd36da760bd1f78c63c7078407baf01dd724f313"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/df6e2088c6f4cad539cf67cba2d6764461e798d1"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/f329523f6a65c3bbce913ad35473d83a319d5d99"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/99f1abc34a6dde248d2219d64aa493c76bbdd9eb"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/1d11dd3ea5d039c7da089f309f39c4cd363b924b"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/e421946be7d9bf545147bea8419ef8239cb7ca52"
+ }
+ ],
+ "title": "fbdev: sis: Error out if pixclock equals zero",
+ "x_generator": {
+ "engine": "bippy-d3b290d2becc"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26777",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
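Review bot: The record has no `problemTypes` entry even though the description identifies the weakness precisely: a userspace-supplied `var->pixclock` of zero reaches a division in sisfb_check_var(). Without it, consumers cannot filter or prioritise by weakness class and have to parse the free-text description instead. I would add a `problemTypes` array to the `cna` container carrying `"cweId": "CWE-369"` with `"type": "CWE"`; the CVE-2024-26778 JSON hunk describes the same class and would take the same entry. The description also points to the earlier i740fb fix only as `commit 15cf0b8`, a seven-character id that is absent from `references`, so a full-length hash there would make the cross-reference unambiguous.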
diff --git a/cve/published/2024/CVE-2024-26777.mbox b/cve/published/2024/CVE-2024-26777.mbox
new file mode 100644
index 00000000..dde34cf5
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26777.mbox
@@ -0,0 +1,85 @@
+From bippy-d3b290d2becc Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26777: fbdev: sis: Error out if pixclock equals zero
+Message-Id: <2024040309-CVE-2024-26777-3c7c@gregkh>
+Content-Length: 2598
+Lines: 68
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2667;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=7sPMPtOZf0HnCICm01eryqzd7UV4GNwbmWG3rNtZt6g=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGm8k2IfvnT4x5ZvlS8c9fD501sXnzE0Zgr21C3UuLTik
+ 9nE6RcXdcSyMAgyMciKKbJ82cZzdH/FIUUvQ9vTMHNYmUCGMHBxCsBEFm9gmB+0ZXrUoZMKp/on
+ 2b+24WToeSzysp9hfrL7mqAbDJriyp3baxdvjFmUePDIIQA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+fbdev: sis: Error out if pixclock equals zero
+
+The userspace program could pass any values to the driver through
+ioctl() interface. If the driver doesn't check the value of pixclock,
+it may cause divide-by-zero error.
+
+In sisfb_check_var(), var->pixclock is used as a divisor to caculate
+drate before it is checked against zero. Fix this by checking it
+at the beginning.
+
+This is similar to CVE-2022-3061 in i740fb which was fixed by
+commit 15cf0b8.
+
+The Linux kernel CVE team has assigned CVE-2024-26777 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 4.19.308 with commit 84246c35ca34
+ Fixed in 5.4.270 with commit 6db07619d173
+ Fixed in 5.10.211 with commit cd36da760bd1
+ Fixed in 5.15.150 with commit df6e2088c6f4
+ Fixed in 6.1.80 with commit f329523f6a65
+ Fixed in 6.6.19 with commit 99f1abc34a6d
+ Fixed in 6.7.7 with commit 1d11dd3ea5d0
+ Fixed in 6.8 with commit e421946be7d9
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26777
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/video/fbdev/sis/sis_main.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/84246c35ca34207114055a87552a1c4289c8fd7e
+ https://git.kernel.org/stable/c/6db07619d173765bd8622d63809cbfe361f04207
+ https://git.kernel.org/stable/c/cd36da760bd1f78c63c7078407baf01dd724f313
+ https://git.kernel.org/stable/c/df6e2088c6f4cad539cf67cba2d6764461e798d1
+ https://git.kernel.org/stable/c/f329523f6a65c3bbce913ad35473d83a319d5d99
+ https://git.kernel.org/stable/c/99f1abc34a6dde248d2219d64aa493c76bbdd9eb
+ https://git.kernel.org/stable/c/1d11dd3ea5d039c7da089f309f39c4cd363b924b
+ https://git.kernel.org/stable/c/e421946be7d9bf545147bea8419ef8239cb7ca52
diff --git a/cve/published/2024/CVE-2024-26777.sha1 b/cve/published/2024/CVE-2024-26777.sha1
new file mode 100644
index 00000000..6a6f5274
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26777.sha1
@@ -0,0 +1 @@
+e421946be7d9bf545147bea8419ef8239cb7ca52
diff --git a/cve/reserved/2024/CVE-2024-26778 b/cve/published/2024/CVE-2024-26778
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26778
+++ b/cve/published/2024/CVE-2024-26778
diff --git a/cve/published/2024/CVE-2024-26778.json b/cve/published/2024/CVE-2024-26778.json
new file mode 100644
index 00000000..ac969f15
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26778.json
@@ -0,0 +1,168 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: savage: Error out if pixclock equals zero\n\nThe userspace program could pass any values to the driver through\nioctl() interface. If the driver doesn't check the value of pixclock,\nit may cause divide-by-zero error.\n\nAlthough pixclock is checked in savagefb_decode_var(), but it is not\nchecked properly in savagefb_probe(). Fix this by checking whether\npixclock is zero in the function savagefb_check_var() before\ninfo->var.pixclock is used as the divisor.\n\nThis is similar to CVE-2022-3061 in i740fb which was fixed by\ncommit 15cf0b8."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "224453de8505",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "84dce0f6a4cc",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "512ee6d6041e",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "8c54acf33e5a",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "070398d32c5f",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "bc3c2e58d73b",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "a9ca4e80d234",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "04e5eac8f3ab",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "4.19.308",
+ "lessThanOrEqual": "4.19.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.270",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.211",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.150",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.80",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/224453de8505aede1890f007be973925a3edf6a1"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/84dce0f6a4cc5b7bfd7242ef9290db8ac1dd77ff"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/512ee6d6041e007ef5bf200c6e388e172a2c5b24"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/8c54acf33e5adaad6374bf3ec1e3aff0591cc8e1"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/070398d32c5f3ab0e890374904ad94551c76aec4"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/bc3c2e58d73b28b9a8789fca84778ee165a72d13"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/a9ca4e80d23474f90841251f4ac0d941fa337a01"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/04e5eac8f3ab2ff52fa191c187a46d4fdbc1e288"
+ }
+ ],
+ "title": "fbdev: savage: Error out if pixclock equals zero",
+ "x_generator": {
+ "engine": "bippy-d3b290d2becc"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26778",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26778.mbox b/cve/published/2024/CVE-2024-26778.mbox
new file mode 100644
index 00000000..35104cb7
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26778.mbox
@@ -0,0 +1,86 @@
+From bippy-d3b290d2becc Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26778: fbdev: savage: Error out if pixclock equals zero
+Message-Id: <2024040309-CVE-2024-26778-8137@gregkh>
+Content-Length: 2699
+Lines: 69
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2769;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=JAH2gq7bH26N45a/FwyQlDtdHyHl+YPj3rqGFleaLUE=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGm8k2LDEm6EaU1b83xSdsWCnotRE/bkv3TP+zBPpeC3O
+ NvZ3ktJHbEsDIJMDLJiiixftvEc3V9xSNHL0PY0zBxWJpAhDFycAjCR6CMM87RCjO5vVX99k51z
+ xiFFzs5rP+L++DPM03nhImayS3ex3qTg9bsWesWaFG8IBAA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+fbdev: savage: Error out if pixclock equals zero
+
+The userspace program could pass any values to the driver through
+ioctl() interface. If the driver doesn't check the value of pixclock,
+it may cause divide-by-zero error.
+
+Although pixclock is checked in savagefb_decode_var(), but it is not
+checked properly in savagefb_probe(). Fix this by checking whether
+pixclock is zero in the function savagefb_check_var() before
+info->var.pixclock is used as the divisor.
+
+This is similar to CVE-2022-3061 in i740fb which was fixed by
+commit 15cf0b8.
+
+The Linux kernel CVE team has assigned CVE-2024-26778 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 4.19.308 with commit 224453de8505
+ Fixed in 5.4.270 with commit 84dce0f6a4cc
+ Fixed in 5.10.211 with commit 512ee6d6041e
+ Fixed in 5.15.150 with commit 8c54acf33e5a
+ Fixed in 6.1.80 with commit 070398d32c5f
+ Fixed in 6.6.19 with commit bc3c2e58d73b
+ Fixed in 6.7.7 with commit a9ca4e80d234
+ Fixed in 6.8 with commit 04e5eac8f3ab
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26778
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/video/fbdev/savage/savagefb_driver.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/224453de8505aede1890f007be973925a3edf6a1
+ https://git.kernel.org/stable/c/84dce0f6a4cc5b7bfd7242ef9290db8ac1dd77ff
+ https://git.kernel.org/stable/c/512ee6d6041e007ef5bf200c6e388e172a2c5b24
+ https://git.kernel.org/stable/c/8c54acf33e5adaad6374bf3ec1e3aff0591cc8e1
+ https://git.kernel.org/stable/c/070398d32c5f3ab0e890374904ad94551c76aec4
+ https://git.kernel.org/stable/c/bc3c2e58d73b28b9a8789fca84778ee165a72d13
+ https://git.kernel.org/stable/c/a9ca4e80d23474f90841251f4ac0d941fa337a01
+ https://git.kernel.org/stable/c/04e5eac8f3ab2ff52fa191c187a46d4fdbc1e288
diff --git a/cve/published/2024/CVE-2024-26778.sha1 b/cve/published/2024/CVE-2024-26778.sha1
new file mode 100644
index 00000000..9c4c96b8
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26778.sha1
@@ -0,0 +1 @@
+04e5eac8f3ab2ff52fa191c187a46d4fdbc1e288
diff --git a/cve/reserved/2024/CVE-2024-26779 b/cve/published/2024/CVE-2024-26779
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26779
+++ b/cve/published/2024/CVE-2024-26779
diff --git a/cve/published/2024/CVE-2024-26779.json b/cve/published/2024/CVE-2024-26779.json
new file mode 100644
index 00000000..1e34b440
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26779.json
@@ -0,0 +1,168 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix race condition on enabling fast-xmit\n\nfast-xmit must only be enabled after the sta has been uploaded to the driver,\notherwise it could end up passing the not-yet-uploaded sta via drv_tx calls\nto the driver, leading to potential crashes because of uninitialized drv_priv\ndata.\nAdd a missing sta->uploaded check and re-check fast xmit after inserting a sta."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "76fad1174a0c",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "85720b69aef1",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "5ffab99e070b",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "88c18fd06608",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "eb39bb548bf9",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "54b79d878696",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "281280276b70",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "bcbc84af1183",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "4.19.308",
+ "lessThanOrEqual": "4.19.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.270",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.211",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.150",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.80",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/76fad1174a0cae6fc857b9f88b261a2e4f07d587"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/85720b69aef177318f4a18efbcc4302228a340e5"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/5ffab99e070b9f8ae0cf60c3c3602b84eee818dd"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/88c18fd06608b3adee547102505d715f21075c9d"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/eb39bb548bf974acad7bd6780fe11f9e6652d696"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/54b79d8786964e2f840e8a2ec4a9f9a50f3d4954"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/281280276b70c822f55ce15b661f6d1d3228aaa9"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/bcbc84af1183c8cf3d1ca9b78540c2185cd85e7f"
+ }
+ ],
+ "title": "wifi: mac80211: fix race condition on enabling fast-xmit",
+ "x_generator": {
+ "engine": "bippy-d3b290d2becc"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26779",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26779.mbox b/cve/published/2024/CVE-2024-26779.mbox
new file mode 100644
index 00000000..12fcdf73
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26779.mbox
@@ -0,0 +1,81 @@
+From bippy-d3b290d2becc Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26779: wifi: mac80211: fix race condition on enabling fast-xmit
+Message-Id: <2024040310-CVE-2024-26779-8030@gregkh>
+Content-Length: 2532
+Lines: 64
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2597;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=9Ml5Do+WhffeRw1VEhmdLdVyrTBcG7uRRqMs5XkfY7I=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGm8k+IO2vOqRZw7z/vTurB+duxy06/VIfkrbMuUTnQ66
+ q8717aiI5aFQZCJQVZMkeXLNp6j+ysOKXoZ2p6GmcPKBDKEgYtTACbCtY1hvh/fO9UPDwSNd59P
+ URWct0h8xfnXDxjm6XxdHlRk/WSGoQXTG0FDCfn1/YziAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+wifi: mac80211: fix race condition on enabling fast-xmit
+
+fast-xmit must only be enabled after the sta has been uploaded to the driver,
+otherwise it could end up passing the not-yet-uploaded sta via drv_tx calls
+to the driver, leading to potential crashes because of uninitialized drv_priv
+data.
+Add a missing sta->uploaded check and re-check fast xmit after inserting a sta.
+
+The Linux kernel CVE team has assigned CVE-2024-26779 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 4.19.308 with commit 76fad1174a0c
+ Fixed in 5.4.270 with commit 85720b69aef1
+ Fixed in 5.10.211 with commit 5ffab99e070b
+ Fixed in 5.15.150 with commit 88c18fd06608
+ Fixed in 6.1.80 with commit eb39bb548bf9
+ Fixed in 6.6.19 with commit 54b79d878696
+ Fixed in 6.7.7 with commit 281280276b70
+ Fixed in 6.8 with commit bcbc84af1183
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26779
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ net/mac80211/sta_info.c
+ net/mac80211/tx.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/76fad1174a0cae6fc857b9f88b261a2e4f07d587
+ https://git.kernel.org/stable/c/85720b69aef177318f4a18efbcc4302228a340e5
+ https://git.kernel.org/stable/c/5ffab99e070b9f8ae0cf60c3c3602b84eee818dd
+ https://git.kernel.org/stable/c/88c18fd06608b3adee547102505d715f21075c9d
+ https://git.kernel.org/stable/c/eb39bb548bf974acad7bd6780fe11f9e6652d696
+ https://git.kernel.org/stable/c/54b79d8786964e2f840e8a2ec4a9f9a50f3d4954
+ https://git.kernel.org/stable/c/281280276b70c822f55ce15b661f6d1d3228aaa9
+ https://git.kernel.org/stable/c/bcbc84af1183c8cf3d1ca9b78540c2185cd85e7f
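Review bot: The "Affected and fixed versions" section lists only `Fixed in` lines and names no introducing commit, so the announcement gives no lower bound for the affected range. Until one is identified, every release on each listed stable branch older than its fixed version (for example anything on 6.1.y before 6.1.80) should be treated as potentially affected. If the commit that introduced the fast-xmit race is known, a line such as `Issue introduced in <VERSION-PLACEHOLDER> with commit <SHA-PLACEHOLDER> and fixed in 6.8 with commit bcbc84af1183` would let consumers scope exposure. The JSON record's affected-range entries begin outside this view, so whether that file carries a lower bound cannot be checked from here.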
diff --git a/cve/published/2024/CVE-2024-26779.sha1 b/cve/published/2024/CVE-2024-26779.sha1
new file mode 100644
index 00000000..86238945
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26779.sha1
@@ -0,0 +1 @@
+bcbc84af1183c8cf3d1ca9b78540c2185cd85e7f