authorLee Jones <lee@kernel.org>2024-03-18 10:09:50 +0000
committerLee Jones <lee@kernel.org>2024-03-18 10:09:50 +0000
commit900e07d83a888f65549c47071a83bbe6063bd6c0 (patch)
tree619fee339589be770326ce539f335044eb144094
parentb4963219af97796b1ab49d924ef48c6619d1f492 (diff)
published: Create and publish a bunch of v6.7.2 re-reviews
Signed-off-by: Lee Jones <lee@kernel.org>
-rw-r--r--cve/published/2023/CVE-2023-52609 (renamed from cve/reserved/2023/CVE-2023-52609)0
-rw-r--r--cve/published/2023/CVE-2023-52609.json178
-rw-r--r--cve/published/2023/CVE-2023-52609.mbox107
-rw-r--r--cve/published/2023/CVE-2023-52609.sha11
-rw-r--r--cve/published/2023/CVE-2023-52610 (renamed from cve/reserved/2023/CVE-2023-52610)0
-rw-r--r--cve/published/2023/CVE-2023-52610.json133
-rw-r--r--cve/published/2023/CVE-2023-52610.mbox163
-rw-r--r--cve/published/2023/CVE-2023-52610.sha11
-rw-r--r--cve/published/2023/CVE-2023-52611 (renamed from cve/reserved/2023/CVE-2023-52611)0
-rw-r--r--cve/published/2023/CVE-2023-52611.json103
-rw-r--r--cve/published/2023/CVE-2023-52611.mbox104
-rw-r--r--cve/published/2023/CVE-2023-52611.sha11
-rw-r--r--cve/published/2023/CVE-2023-52612 (renamed from cve/reserved/2023/CVE-2023-52612)0
-rw-r--r--cve/published/2023/CVE-2023-52612.json178
-rw-r--r--cve/published/2023/CVE-2023-52612.mbox82
-rw-r--r--cve/published/2023/CVE-2023-52612.sha11
-rw-r--r--cve/published/2023/CVE-2023-52613 (renamed from cve/reserved/2023/CVE-2023-52613)0
-rw-r--r--cve/published/2023/CVE-2023-52613.json103
-rw-r--r--cve/published/2023/CVE-2023-52613.mbox128
-rw-r--r--cve/published/2023/CVE-2023-52613.sha11
-rw-r--r--cve/published/2024/CVE-2024-26631 (renamed from cve/reserved/2024/CVE-2024-26631)0
-rw-r--r--cve/published/2024/CVE-2024-26631.json133
-rw-r--r--cve/published/2024/CVE-2024-26631.mbox111
-rw-r--r--cve/published/2024/CVE-2024-26631.sha11
-rw-r--r--cve/published/2024/CVE-2024-26632 (renamed from cve/reserved/2024/CVE-2024-26632)0
-rw-r--r--cve/published/2024/CVE-2024-26632.json118
-rw-r--r--cve/published/2024/CVE-2024-26632.mbox77
-rw-r--r--cve/published/2024/CVE-2024-26632.sha11
-rw-r--r--cve/published/2024/CVE-2024-26633 (renamed from cve/reserved/2024/CVE-2024-26633)0
-rw-r--r--cve/published/2024/CVE-2024-26633.json178
-rw-r--r--cve/published/2024/CVE-2024-26633.mbox168
-rw-r--r--cve/published/2024/CVE-2024-26633.sha11
32 files changed, 2072 insertions, 0 deletions
diff --git a/cve/reserved/2023/CVE-2023-52609 b/cve/published/2023/CVE-2023-52609
index e69de29b..e69de29b 100644
--- a/cve/reserved/2023/CVE-2023-52609
+++ b/cve/published/2023/CVE-2023-52609
diff --git a/cve/published/2023/CVE-2023-52609.json b/cve/published/2023/CVE-2023-52609.json
new file mode 100644
index 00000000..71887582
--- /dev/null
+++ b/cve/published/2023/CVE-2023-52609.json
@@ -0,0 +1,178 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix race between mmput() and do_exit()\n\nTask A calls binder_update_page_range() to allocate and insert pages on\na remote address space from Task B. For this, Task A pins the remote mm\nvia mmget_not_zero() first. This can race with Task B do_exit() and the\nfinal mmput() refcount decrement will come from Task A.\n\n Task A | Task B\n ------------------+------------------\n mmget_not_zero() |\n | do_exit()\n | exit_mm()\n | mmput()\n mmput() |\n exit_mmap() |\n remove_vma() |\n fput() |\n\nIn this case, the work of ____fput() from Task B is queued up in Task A\nas TWA_RESUME. So in theory, Task A returns to userspace and the cleanup\nwork gets executed. However, Task A instead sleep, waiting for a reply\nfrom Task B that never comes (it's dead).\n\nThis means the binder_deferred_release() is blocked until an unrelated\nbinder event forces Task A to go back to userspace. All the associated\ndeath notifications will also be delayed until then.\n\nIn order to fix this use mmput_async() that will schedule the work in\nthe corresponding mm->async_put_work WQ instead of Task A."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "457b9a6f09f0",
+ "lessThan": "95b1d336b064",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "457b9a6f09f0",
+ "lessThan": "252a2a5569eb",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "457b9a6f09f0",
+ "lessThan": "7e7a0d86542b",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "457b9a6f09f0",
+ "lessThan": "98fee5bee97a",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "457b9a6f09f0",
+ "lessThan": "6696f76c32ff",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "457b9a6f09f0",
+ "lessThan": "67f16bf2cc16",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "457b9a6f09f0",
+ "lessThan": "77d210e8db4d",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "457b9a6f09f0",
+ "lessThan": "9a9ab0d96362",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "2.6.29",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "2.6.29",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.19.306",
+ "lessThanOrEqual": "4.19.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.268",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.209",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.148",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.75",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.14",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.2",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/95b1d336b0642198b56836b89908d07b9a0c9608"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/252a2a5569eb9f8d16428872cc24dea1ac0bb097"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/7e7a0d86542b0ea903006d3f42f33c4f7ead6918"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/98fee5bee97ad47b527a997d5786410430d1f0e9"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/6696f76c32ff67fec26823fc2df46498e70d9bf3"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/67f16bf2cc1698fd50e01ee8a2becc5a8e6d3a3e"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/77d210e8db4d61d43b2d16df66b1ec46fad2ee01"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/9a9ab0d963621d9d12199df9817e66982582d5a5"
+ }
+ ],
+ "title": "binder: fix race between mmput() and do_exit()",
+ "x_generator": {
+ "engine": "bippy-8df59b4913de"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2023-52609",
+ "requesterUserId": "lee@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2023/CVE-2023-52609.mbox b/cve/published/2023/CVE-2023-52609.mbox
new file mode 100644
index 00000000..11b78328
--- /dev/null
+++ b/cve/published/2023/CVE-2023-52609.mbox
@@ -0,0 +1,107 @@
+From bippy-8df59b4913de Mon Sep 17 00:00:00 2001
+From: Lee Jones <lee@kernel.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2023-52609: binder: fix race between mmput() and do_exit()
+X-Developer-Signature: v=1; a=openpgp-sha256; l=3865; i=lee@kernel.org;
+ h=from:subject; bh=SKxxVVLrLgCMai9NymuNZ03A7FVr1sh5FEFl0ejBPYo=;
+ b=owEBbQKS/ZANAwAKAVGvii+H/HdhAcsmYgBl+BJ/x6y4kjNu7nsZb6/1YmC9i0vreEBvsUM/8
+ 0jLEC0jHcyJAjMEAAEKAB0WIQR2tsk1o74gmpTwh0hRr4ovh/x3YQUCZfgSfwAKCRBRr4ovh/x3
+ YXN1EACvCiwpYd+bCUcQtXEnEuoUok80UMyUtoWdjTRChrQh5Aj9ijkGXs6pZBFDMjrA4Xai/jt
+ xDk19gv04qgowiZpPY8VLs9t+FUf7QRWCu9MnB2RwntMxGkMn7ZULWT4yQJE+OQ1S9RApACW4uw
+ +hSx/4YoSNATWLLVo/IxRRw65hxDUFeJVLNNYn36atE8KaSz6Nsqeo7aOXzk8pqwI+Z6f0s234h
+ G1mUGBkZG2f4xw6+/43//U+yTazXTGDn+JdqHUL46WbUJiVHgREhxf38mUdUxZVPqomBWBB0ymW
+ GGUaDMC0c02k4UOMJeJw/buUB2YmgnMlsXyxmaFRnCbLo7mJX03Nf11TasIMVA9/Hlw2omH+fHw
+ 1TWmZvhckL4ORcZOK6fxNvuNTzmf8F9AyU1BSnXvJFyL530QICOMjSCGMyIEc1onE45HWVUm0ur
+ x8HFG43LMZc1mwjqGEPfszTUqxf/rFc2wXyi2s0wuszIaBmYrJUY3K7EFbyzNI8ceHTFaNaw8qD
+ p1e8axPwF/l6asQI+XZMYTZgC5XW2Q+GW+C2WJslHqbIWCBP6TGMZw8IeXN3GTR97kXU3vzIn75
+ i9M0cT3LgfeXCnMx3z0hCZZ+E859f7dWthpcvehen24KOwFcdJgPW/hmoRa9fUT22ZYdO9hcZ77
+ aq2wc0vMd6CZhdQ==
+X-Developer-Key: i=lee@kernel.org; a=openpgp;
+ fpr=76B6C935A3BE209A94F0874851AF8A2F87FC7761
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+binder: fix race between mmput() and do_exit()
+
+Task A calls binder_update_page_range() to allocate and insert pages on
+a remote address space from Task B. For this, Task A pins the remote mm
+via mmget_not_zero() first. This can race with Task B do_exit() and the
+final mmput() refcount decrement will come from Task A.
+
+ Task A | Task B
+ ------------------+------------------
+ mmget_not_zero() |
+ | do_exit()
+ | exit_mm()
+ | mmput()
+ mmput() |
+ exit_mmap() |
+ remove_vma() |
+ fput() |
+
+In this case, the work of ____fput() from Task B is queued up in Task A
+as TWA_RESUME. So in theory, Task A returns to userspace and the cleanup
+work gets executed. However, Task A instead sleep, waiting for a reply
+from Task B that never comes (it's dead).
+
+This means the binder_deferred_release() is blocked until an unrelated
+binder event forces Task A to go back to userspace. All the associated
+death notifications will also be delayed until then.
+
+In order to fix this use mmput_async() that will schedule the work in
+the corresponding mm->async_put_work WQ instead of Task A.
+
+The Linux kernel CVE team has assigned CVE-2023-52609 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 2.6.29 with commit 457b9a6f09f0 and fixed in 4.19.306 with commit 95b1d336b064
+ Issue introduced in 2.6.29 with commit 457b9a6f09f0 and fixed in 5.4.268 with commit 252a2a5569eb
+ Issue introduced in 2.6.29 with commit 457b9a6f09f0 and fixed in 5.10.209 with commit 7e7a0d86542b
+ Issue introduced in 2.6.29 with commit 457b9a6f09f0 and fixed in 5.15.148 with commit 98fee5bee97a
+ Issue introduced in 2.6.29 with commit 457b9a6f09f0 and fixed in 6.1.75 with commit 6696f76c32ff
+ Issue introduced in 2.6.29 with commit 457b9a6f09f0 and fixed in 6.6.14 with commit 67f16bf2cc16
+ Issue introduced in 2.6.29 with commit 457b9a6f09f0 and fixed in 6.7.2 with commit 77d210e8db4d
+ Issue introduced in 2.6.29 with commit 457b9a6f09f0 and fixed in 6.8 with commit 9a9ab0d96362
+
+Please see https://www.kernel.org or a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2023-52609
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/android/binder_alloc.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/95b1d336b0642198b56836b89908d07b9a0c9608
+ https://git.kernel.org/stable/c/252a2a5569eb9f8d16428872cc24dea1ac0bb097
+ https://git.kernel.org/stable/c/7e7a0d86542b0ea903006d3f42f33c4f7ead6918
+ https://git.kernel.org/stable/c/98fee5bee97ad47b527a997d5786410430d1f0e9
+ https://git.kernel.org/stable/c/6696f76c32ff67fec26823fc2df46498e70d9bf3
+ https://git.kernel.org/stable/c/67f16bf2cc1698fd50e01ee8a2becc5a8e6d3a3e
+ https://git.kernel.org/stable/c/77d210e8db4d61d43b2d16df66b1ec46fad2ee01
+ https://git.kernel.org/stable/c/9a9ab0d963621d9d12199df9817e66982582d5a5
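Review bot: The boilerplate sentence in the "Affected and fixed versions" section, `Please see https://www.kernel.org or a full list of currently supported`, is missing a word and should read `Please see https://www.kernel.org for a full list of currently supported`. The same sentence recurs in the CVE-2023-52610.mbox hunk of this commit. Both files carry the `bippy-8df59b4913de` generator header and an X-Developer-Signature over the body, so the wording presumably needs to be corrected in the generator's template and the announcements regenerated rather than patched by hand here.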
diff --git a/cve/published/2023/CVE-2023-52609.sha1 b/cve/published/2023/CVE-2023-52609.sha1
new file mode 100644
index 00000000..1a299cbb
--- /dev/null
+++ b/cve/published/2023/CVE-2023-52609.sha1
@@ -0,0 +1 @@
+9a9ab0d963621d9d12199df9817e66982582d5a5
diff --git a/cve/reserved/2023/CVE-2023-52610 b/cve/published/2023/CVE-2023-52610
index e69de29b..e69de29b 100644
--- a/cve/reserved/2023/CVE-2023-52610
+++ b/cve/published/2023/CVE-2023-52610
diff --git a/cve/published/2023/CVE-2023-52610.json b/cve/published/2023/CVE-2023-52610.json
new file mode 100644
index 00000000..e8ac2fae
--- /dev/null
+++ b/cve/published/2023/CVE-2023-52610.json
@@ -0,0 +1,133 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_ct: fix skb leak and crash on ooo frags\n\nact_ct adds skb->users before defragmentation. If frags arrive in order,\nthe last frag's reference is reset in:\n\n inet_frag_reasm_prepare\n skb_morph\n\nwhich is not straightforward.\n\nHowever when frags arrive out of order, nobody unref the last frag, and\nall frags are leaked. The situation is even worse, as initiating packet\ncapture can lead to a crash[0] when skb has been cloned and shared at the\nsame time.\n\nFix the issue by removing skb_get() before defragmentation. act_ct\nreturns TC_ACT_CONSUMED when defrag failed or in progress.\n\n[0]:\n[ 843.804823] ------------[ cut here ]------------\n[ 843.809659] kernel BUG at net/core/skbuff.c:2091!\n[ 843.814516] invalid opcode: 0000 [#1] PREEMPT SMP\n[ 843.819296] CPU: 7 PID: 0 Comm: swapper/7 Kdump: loaded Tainted: G S 6.7.0-rc3 #2\n[ 843.824107] Hardware name: XFUSION 1288H V6/BC13MBSBD, BIOS 1.29 11/25/2022\n[ 843.828953] RIP: 0010:pskb_expand_head+0x2ac/0x300\n[ 843.833805] Code: 8b 70 28 48 85 f6 74 82 48 83 c6 08 bf 01 00 00 00 e8 38 bd ff ff 8b 83 c0 00 00 00 48 03 83 c8 00 00 00 e9 62 ff ff ff 0f 0b <0f> 0b e8 8d d0 ff ff e9 b3 fd ff ff 81 7c 24 14 40 01 00 00 4c 89\n[ 843.843698] RSP: 0018:ffffc9000cce07c0 EFLAGS: 00010202\n[ 843.848524] RAX: 0000000000000002 RBX: ffff88811a211d00 RCX: 0000000000000820\n[ 843.853299] RDX: 0000000000000640 RSI: 0000000000000000 RDI: ffff88811a211d00\n[ 843.857974] RBP: ffff888127d39518 R08: 00000000bee97314 R09: 0000000000000000\n[ 843.862584] R10: 0000000000000000 R11: ffff8881109f0000 R12: 0000000000000880\n[ 843.867147] R13: ffff888127d39580 R14: 0000000000000640 R15: ffff888170f7b900\n[ 843.871680] FS: 0000000000000000(0000) GS:ffff889ffffc0000(0000) knlGS:0000000000000000\n[ 843.876242] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 843.880778] CR2: 00007fa42affcfb8 CR3: 000000011433a002 CR4: 0000000000770ef0\n[ 
843.885336] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 843.889809] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 843.894229] PKRU: 55555554\n[ 843.898539] Call Trace:\n[ 843.902772] <IRQ>\n[ 843.906922] ? __die_body+0x1e/0x60\n[ 843.911032] ? die+0x3c/0x60\n[ 843.915037] ? do_trap+0xe2/0x110\n[ 843.918911] ? pskb_expand_head+0x2ac/0x300\n[ 843.922687] ? do_error_trap+0x65/0x80\n[ 843.926342] ? pskb_expand_head+0x2ac/0x300\n[ 843.929905] ? exc_invalid_op+0x50/0x60\n[ 843.933398] ? pskb_expand_head+0x2ac/0x300\n[ 843.936835] ? asm_exc_invalid_op+0x1a/0x20\n[ 843.940226] ? pskb_expand_head+0x2ac/0x300\n[ 843.943580] inet_frag_reasm_prepare+0xd1/0x240\n[ 843.946904] ip_defrag+0x5d4/0x870\n[ 843.950132] nf_ct_handle_fragments+0xec/0x130 [nf_conntrack]\n[ 843.953334] tcf_ct_act+0x252/0xd90 [act_ct]\n[ 843.956473] ? tcf_mirred_act+0x516/0x5a0 [act_mirred]\n[ 843.959657] tcf_action_exec+0xa1/0x160\n[ 843.962823] fl_classify+0x1db/0x1f0 [cls_flower]\n[ 843.966010] ? skb_clone+0x53/0xc0\n[ 843.969173] tcf_classify+0x24d/0x420\n[ 843.972333] tc_run+0x8f/0xf0\n[ 843.975465] __netif_receive_skb_core+0x67a/0x1080\n[ 843.978634] ? dev_gro_receive+0x249/0x730\n[ 843.981759] __netif_receive_skb_list_core+0x12d/0x260\n[ 843.984869] netif_receive_skb_list_internal+0x1cb/0x2f0\n[ 843.987957] ? mlx5e_handle_rx_cqe_mpwrq_rep+0xfa/0x1a0 [mlx5_core]\n[ 843.991170] napi_complete_done+0x72/0x1a0\n[ 843.994305] mlx5e_napi_poll+0x28c/0x6d0 [mlx5_core]\n[ 843.997501] __napi_poll+0x25/0x1b0\n[ 844.000627] net_rx_action+0x256/0x330\n[ 844.003705] __do_softirq+0xb3/0x29b\n[ 844.006718] irq_exit_rcu+0x9e/0xc0\n[ 844.009672] common_interrupt+0x86/0xa0\n[ 844.012537] </IRQ>\n[ 844.015285] <TASK>\n[ 844.017937] asm_common_interrupt+0x26/0x40\n[ 844.020591] RIP: 0010:acpi_safe_halt+0x1b/0x20\n[ 844.023247] Code: ff 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 65 48 8b 04 25 00 18 03 00 48 8b 00 a8 08 75 0c 66 90 0f 00 2d 81 d0 44 00 fb\n---truncated---"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "b57dc7c13ea9",
+ "lessThan": "172ba7d46c20",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "b57dc7c13ea9",
+ "lessThan": "0b5b831122fc",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "b57dc7c13ea9",
+ "lessThan": "73f7da5fd124",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "b57dc7c13ea9",
+ "lessThan": "f5346df0591d",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "b57dc7c13ea9",
+ "lessThan": "3f14b377d01d",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.3",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.3",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.148",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.75",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.14",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.2",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/172ba7d46c202e679f3ccb10264c67416aaeb1c4"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/0b5b831122fc3789fff75be433ba3e4dd7b779d4"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/73f7da5fd124f2cda9161e2e46114915e6e82e97"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/f5346df0591d10bc948761ca854b1fae6d2ef441"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/3f14b377d01d8357eba032b4cabc8c1149b458b6"
+ }
+ ],
+ "title": "net/sched: act_ct: fix skb leak and crash on ooo frags",
+ "x_generator": {
+ "engine": "bippy-8df59b4913de"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2023-52610",
+ "requesterUserId": "lee@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
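Review bot: The second "affected" entry dates the introducing commit b57dc7c13ea9 to 5.3 but lists no fixed version for the 5.4.y and 5.10.y stable branches, so with `"defaultStatus": "affected"` every 5.4.x and 5.10.x release is published as affected with no fix reference. This may be accurate if the act_ct change has not been backported, but it is worth confirming whether a backport of 3f14b377d01d to those branches is pending or whether the code there differs enough that the issue does not apply, and regenerating the record accordingly. The git-range entries are consistent with the five references, so only the branch coverage is in question.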
diff --git a/cve/published/2023/CVE-2023-52610.mbox b/cve/published/2023/CVE-2023-52610.mbox
new file mode 100644
index 00000000..6b4b575a
--- /dev/null
+++ b/cve/published/2023/CVE-2023-52610.mbox
@@ -0,0 +1,163 @@
+From bippy-8df59b4913de Mon Sep 17 00:00:00 2001
+From: Lee Jones <lee@kernel.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2023-52610: net/sched: act_ct: fix skb leak and crash on ooo frags
+X-Developer-Signature: v=1; a=openpgp-sha256; l=6970; i=lee@kernel.org;
+ h=from:subject; bh=ZGt5XCH8awS2Trzr1kYNo7cRddz5VAYAztwW/Fd1vwo=;
+ b=owEBbQKS/ZANAwAKAVGvii+H/HdhAcsmYgBl+BJ/RCdb6sjG67bjP4v1/dzPAVHiWAgtuVUe4
+ OWQwGEOcF6JAjMEAAEKAB0WIQR2tsk1o74gmpTwh0hRr4ovh/x3YQUCZfgSfwAKCRBRr4ovh/x3
+ YZvID/0Srqq0Ulit9Ebqwg6ADZQXnXvSwzeBQz8z85tVvDBtIdw3GXds+WCb+wT3DfVPp8/Wrpx
+ pSmHU0Bxa87FI1KX0ey6z96bEtFT4KwWPWLEjjBaZBli+nJo9+j9TXAOKXZs/MwdY5EEdbhcR//
+ FMdEjtWxLXvrHyDi/tjel+tLdEG2Ua1Fj+RmOePS8QTYq/V/Au5tPrR1fYOmCGw/0vSvR1XkDSI
+ Gzd0Q706UzdoTSbcnGYk+ot6PY6eTXgwrz+Xv+tCA1LwJgbewZmzVdA3YCCKhpoFDyIkRpv5vpV
+ k60x8qrgut5jdZTI6Z0wRFguzhByW7u6Bj49Lvqte7z+Nw339qkO9c4wVzMOuycuN0+Lb4DYCD8
+ kXeuiC5hPhcV30XW+ZKgcsBXH7MZSOvOq8Fv1VYB3liBB6avN4mvmPBRQZg6D1gTSlRaCyiGYvq
+ DdjhCtpkQEQmruYoDQlujeF+Pu2lyQbR2vGhzrJleM+27sQzBl7kGlT+Pn77rSGNwwpz++FIgZw
+ 9nB/u8/dK+dSDEuWWncAvGo7yqBgK90lm7+9pBBi4xsFHkTR2Ik4ADkJSsuJ4C4j5P4wsCcLCGe
+ rKhBg+jriga0xs0YE5gaPfjFB+HzMr+6ZHkDLi+ShkSSMAN6LfqfQkGcRrc+YT7tHU1ZS0+X7TM
+ ePTqZiLw7uI3uxQ==
+X-Developer-Key: i=lee@kernel.org; a=openpgp;
+ fpr=76B6C935A3BE209A94F0874851AF8A2F87FC7761
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+net/sched: act_ct: fix skb leak and crash on ooo frags
+
+act_ct adds skb->users before defragmentation. If frags arrive in order,
+the last frag's reference is reset in:
+
+ inet_frag_reasm_prepare
+ skb_morph
+
+which is not straightforward.
+
+However when frags arrive out of order, nobody unref the last frag, and
+all frags are leaked. The situation is even worse, as initiating packet
+capture can lead to a crash[0] when skb has been cloned and shared at the
+same time.
+
+Fix the issue by removing skb_get() before defragmentation. act_ct
+returns TC_ACT_CONSUMED when defrag failed or in progress.
+
+[0]:
+[ 843.804823] ------------[ cut here ]------------
+[ 843.809659] kernel BUG at net/core/skbuff.c:2091!
+[ 843.814516] invalid opcode: 0000 [#1] PREEMPT SMP
+[ 843.819296] CPU: 7 PID: 0 Comm: swapper/7 Kdump: loaded Tainted: G S 6.7.0-rc3 #2
+[ 843.824107] Hardware name: XFUSION 1288H V6/BC13MBSBD, BIOS 1.29 11/25/2022
+[ 843.828953] RIP: 0010:pskb_expand_head+0x2ac/0x300
+[ 843.833805] Code: 8b 70 28 48 85 f6 74 82 48 83 c6 08 bf 01 00 00 00 e8 38 bd ff ff 8b 83 c0 00 00 00 48 03 83 c8 00 00 00 e9 62 ff ff ff 0f 0b <0f> 0b e8 8d d0 ff ff e9 b3 fd ff ff 81 7c 24 14 40 01 00 00 4c 89
+[ 843.843698] RSP: 0018:ffffc9000cce07c0 EFLAGS: 00010202
+[ 843.848524] RAX: 0000000000000002 RBX: ffff88811a211d00 RCX: 0000000000000820
+[ 843.853299] RDX: 0000000000000640 RSI: 0000000000000000 RDI: ffff88811a211d00
+[ 843.857974] RBP: ffff888127d39518 R08: 00000000bee97314 R09: 0000000000000000
+[ 843.862584] R10: 0000000000000000 R11: ffff8881109f0000 R12: 0000000000000880
+[ 843.867147] R13: ffff888127d39580 R14: 0000000000000640 R15: ffff888170f7b900
+[ 843.871680] FS: 0000000000000000(0000) GS:ffff889ffffc0000(0000) knlGS:0000000000000000
+[ 843.876242] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 843.880778] CR2: 00007fa42affcfb8 CR3: 000000011433a002 CR4: 0000000000770ef0
+[ 843.885336] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 843.889809] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 843.894229] PKRU: 55555554
+[ 843.898539] Call Trace:
+[ 843.902772] <IRQ>
+[ 843.906922] ? __die_body+0x1e/0x60
+[ 843.911032] ? die+0x3c/0x60
+[ 843.915037] ? do_trap+0xe2/0x110
+[ 843.918911] ? pskb_expand_head+0x2ac/0x300
+[ 843.922687] ? do_error_trap+0x65/0x80
+[ 843.926342] ? pskb_expand_head+0x2ac/0x300
+[ 843.929905] ? exc_invalid_op+0x50/0x60
+[ 843.933398] ? pskb_expand_head+0x2ac/0x300
+[ 843.936835] ? asm_exc_invalid_op+0x1a/0x20
+[ 843.940226] ? pskb_expand_head+0x2ac/0x300
+[ 843.943580] inet_frag_reasm_prepare+0xd1/0x240
+[ 843.946904] ip_defrag+0x5d4/0x870
+[ 843.950132] nf_ct_handle_fragments+0xec/0x130 [nf_conntrack]
+[ 843.953334] tcf_ct_act+0x252/0xd90 [act_ct]
+[ 843.956473] ? tcf_mirred_act+0x516/0x5a0 [act_mirred]
+[ 843.959657] tcf_action_exec+0xa1/0x160
+[ 843.962823] fl_classify+0x1db/0x1f0 [cls_flower]
+[ 843.966010] ? skb_clone+0x53/0xc0
+[ 843.969173] tcf_classify+0x24d/0x420
+[ 843.972333] tc_run+0x8f/0xf0
+[ 843.975465] __netif_receive_skb_core+0x67a/0x1080
+[ 843.978634] ? dev_gro_receive+0x249/0x730
+[ 843.981759] __netif_receive_skb_list_core+0x12d/0x260
+[ 843.984869] netif_receive_skb_list_internal+0x1cb/0x2f0
+[ 843.987957] ? mlx5e_handle_rx_cqe_mpwrq_rep+0xfa/0x1a0 [mlx5_core]
+[ 843.991170] napi_complete_done+0x72/0x1a0
+[ 843.994305] mlx5e_napi_poll+0x28c/0x6d0 [mlx5_core]
+[ 843.997501] __napi_poll+0x25/0x1b0
+[ 844.000627] net_rx_action+0x256/0x330
+[ 844.003705] __do_softirq+0xb3/0x29b
+[ 844.006718] irq_exit_rcu+0x9e/0xc0
+[ 844.009672] common_interrupt+0x86/0xa0
+[ 844.012537] </IRQ>
+[ 844.015285] <TASK>
+[ 844.017937] asm_common_interrupt+0x26/0x40
+[ 844.020591] RIP: 0010:acpi_safe_halt+0x1b/0x20
+[ 844.023247] Code: ff 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 65 48 8b 04 25 00 18 03 00 48 8b 00 a8 08 75 0c 66 90 0f 00 2d 81 d0 44 00 fb f4 <fa> c3 0f 1f 00 89 fa ec 48 8b 05 ee 88 ed 00 a9 00 00 00 80 75 11
+[ 844.028900] RSP: 0018:ffffc90000533e70 EFLAGS: 00000246
+[ 844.031725] RAX: 0000000000004000 RBX: 0000000000000001 RCX: 0000000000000000
+[ 844.034553] RDX: ffff889ffffc0000 RSI: ffffffff828b7f20 RDI: ffff88a090f45c64
+[ 844.037368] RBP: ffff88a0901a2800 R08: ffff88a090f45c00 R09: 00000000000317c0
+[ 844.040155] R10: 00ec812281150475 R11: ffff889fffff0e04 R12: ffffffff828b7fa0
+[ 844.042962] R13: ffffffff828b7f20 R14: 0000000000000001 R15: 0000000000000000
+[ 844.045819] acpi_idle_enter+0x7b/0xc0
+[ 844.048621] cpuidle_enter_state+0x7f/0x430
+[ 844.051451] cpuidle_enter+0x2d/0x40
+[ 844.054279] do_idle+0x1d4/0x240
+[ 844.057096] cpu_startup_entry+0x2a/0x30
+[ 844.059934] start_secondary+0x104/0x130
+[ 844.062787] secondary_startup_64_no_verify+0x16b/0x16b
+[ 844.065674] </TASK>
+
+The Linux kernel CVE team has assigned CVE-2023-52610 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.3 with commit b57dc7c13ea9 and fixed in 5.15.148 with commit 172ba7d46c20
+ Issue introduced in 5.3 with commit b57dc7c13ea9 and fixed in 6.1.75 with commit 0b5b831122fc
+ Issue introduced in 5.3 with commit b57dc7c13ea9 and fixed in 6.6.14 with commit 73f7da5fd124
+ Issue introduced in 5.3 with commit b57dc7c13ea9 and fixed in 6.7.2 with commit f5346df0591d
+ Issue introduced in 5.3 with commit b57dc7c13ea9 and fixed in 6.8 with commit 3f14b377d01d
+
+Please see https://www.kernel.org or a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2023-52610
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ net/sched/act_ct.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/172ba7d46c202e679f3ccb10264c67416aaeb1c4
+ https://git.kernel.org/stable/c/0b5b831122fc3789fff75be433ba3e4dd7b779d4
+ https://git.kernel.org/stable/c/73f7da5fd124f2cda9161e2e46114915e6e82e97
+ https://git.kernel.org/stable/c/f5346df0591d10bc948761ca854b1fae6d2ef441
+ https://git.kernel.org/stable/c/3f14b377d01d8357eba032b4cabc8c1149b458b6
diff --git a/cve/published/2023/CVE-2023-52610.sha1 b/cve/published/2023/CVE-2023-52610.sha1
new file mode 100644
index 00000000..5e891105
--- /dev/null
+++ b/cve/published/2023/CVE-2023-52610.sha1
@@ -0,0 +1 @@
+3f14b377d01d8357eba032b4cabc8c1149b458b6
diff --git a/cve/reserved/2023/CVE-2023-52611 b/cve/published/2023/CVE-2023-52611
index e69de29b..e69de29b 100644
--- a/cve/reserved/2023/CVE-2023-52611
+++ b/cve/published/2023/CVE-2023-52611
diff --git a/cve/published/2023/CVE-2023-52611.json b/cve/published/2023/CVE-2023-52611.json
new file mode 100644
index 00000000..5051d0ed
--- /dev/null
+++ b/cve/published/2023/CVE-2023-52611.json
@@ -0,0 +1,103 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw88: sdio: Honor the host max_req_size in the RX path\n\nLukas reports skb_over_panic errors on his Banana Pi BPI-CM4 which comes\nwith an Amlogic A311D (G12B) SoC and a RTL8822CS SDIO wifi/Bluetooth\ncombo card. The error he observed is identical to what has been fixed\nin commit e967229ead0e (\"wifi: rtw88: sdio: Check the HISR RX_REQUEST\nbit in rtw_sdio_rx_isr()\") but that commit didn't fix Lukas' problem.\n\nLukas found that disabling or limiting RX aggregation works around the\nproblem for some time (but does not fully fix it). In the following\ndiscussion a few key topics have been discussed which have an impact on\nthis problem:\n- The Amlogic A311D (G12B) SoC has a hardware bug in the SDIO controller\n which prevents DMA transfers. Instead all transfers need to go through\n the controller SRAM which limits transfers to 1536 bytes\n- rtw88 chips don't split incoming (RX) packets, so if a big packet is\n received this is forwarded to the host in it's original form\n- rtw88 chips can do RX aggregation, meaning more multiple incoming\n packets can be pulled by the host from the card with one MMC/SDIO\n transfer. This Depends on settings in the REG_RXDMA_AGG_PG_TH\n register (BIT_RXDMA_AGG_PG_TH limits the number of packets that will\n be aggregated, BIT_DMA_AGG_TO_V1 configures a timeout for aggregation\n and BIT_EN_PRE_CALC makes the chip honor the limits more effectively)\n\nUse multiple consecutive reads in rtw_sdio_read_port() and limit the\nnumber of bytes which are copied by the host from the card in one\nMMC/SDIO transfer. This allows receiving a buffer that's larger than\nthe hosts max_req_size (number of bytes which can be transferred in\none MMC/SDIO transfer). 
As a result of this the skb_over_panic error\nis gone as the rtw88 driver is now able to receive more than 1536 bytes\nfrom the card (either because the incoming packet is larger than that\nor because multiple packets have been aggregated).\n\nIn case of an receive errors (-EILSEQ has been observed by Lukas) we\nneed to drain the remaining data from the card's buffer, otherwise the\ncard will return corrupt data for the next rtw_sdio_read_port() call."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "65371a3f14e7",
+ "lessThan": "5b5ddf21b978",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "65371a3f14e7",
+ "lessThan": "0e9ffff72a06",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "65371a3f14e7",
+ "lessThan": "00384f565a91",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.4",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "6.4",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.14",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.2",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/5b5ddf21b978ec315cab9d9e7e6ac7374791a8c7"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/0e9ffff72a0674cd6656314dbd99cdd2123a3030"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/00384f565a91c08c4bedae167f749b093d10e3fe"
+ }
+ ],
+ "title": "wifi: rtw88: sdio: Honor the host max_req_size in the RX path",
+ "x_generator": {
+ "engine": "bippy-8df59b4913de"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2023-52611",
+ "requesterUserId": "lee@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2023/CVE-2023-52611.mbox b/cve/published/2023/CVE-2023-52611.mbox
new file mode 100644
index 00000000..27b036d4
--- /dev/null
+++ b/cve/published/2023/CVE-2023-52611.mbox
@@ -0,0 +1,104 @@
+From bippy-8df59b4913de Mon Sep 17 00:00:00 2001
+From: Lee Jones <lee@kernel.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2023-52611: wifi: rtw88: sdio: Honor the host max_req_size in the RX path
+X-Developer-Signature: v=1; a=openpgp-sha256; l=3950; i=lee@kernel.org;
+ h=from:subject; bh=Q+3wKrE347W9AqOkjFI+Blcp2XOggufKAukpPozqX0I=;
+ b=owEBbQKS/ZANAwAKAVGvii+H/HdhAcsmYgBl+BJ/cbbzEHBnQAIR9rNNn8ew0ld5CcpheiaMK
+ TOc1o6UrwaJAjMEAAEKAB0WIQR2tsk1o74gmpTwh0hRr4ovh/x3YQUCZfgSfwAKCRBRr4ovh/x3
+ YS19D/9d+bGZDUEkR44LXSijJk1koo2K/uncKwPG7HjwivdiRf7NzRaKRbIhC5Fya25U0MPOEZ8
+ mIoi8POd9dkGPhdi/9chTofbjh0x8TPT63tkMUbCG+NyTQzVX9Li6ke7RYysiQY/XKQMlZLd/FY
+ Rfo1DVb2fV4Pv4uAbTlrMViyH69RfqqoSEjnvgtZdKoNqi6k/ZN/MJQKSpIvBiiOBZ9M+AVmfTZ
+ V18GQkC5LwhkRoHw6yQYlV1ZM7nQ7YCcepQ9J+/tSutEUtRs2crY4cyR/7Kde1dn5knYsFBoi5b
+ HW5omEJRgsraP9hXWqLE44punhLGYdQo9/MkW+4SU+OKxEv6LaStB91EVG9E1gScVS5VQellkdh
+ sttUbCn8Cou4gkNEvOS0ezuudQ2xinY0sK0oJKBpx7nT4v6SEh5SAdAnOHSN4BoftS/+6GxhhZ/
+ 3Nrbc9wf+MuIAN4VaO+2HMmsBOAKjF5dmLh+Qs8PcCBrZvilWwYjckoidrl0tGSV3rjYemS9Kes
+ 9EYkPJ9csdALsG9tE81EhHku1mkzXC2dfFX6D0kzKch/Q4D260vvzW4SLbCKSi/CcPIWGwsB7r4
+ ZpbX+4UYPG3MGRDdz4ehTnzZR1yw7FAEeLZ1WKtFVwrGN+Vgp1CJzjq2eGkTxqY3vrSBOfkuZdc
+ GLSwQEQyiynRrpg==
+X-Developer-Key: i=lee@kernel.org; a=openpgp;
+ fpr=76B6C935A3BE209A94F0874851AF8A2F87FC7761
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+wifi: rtw88: sdio: Honor the host max_req_size in the RX path
+
+Lukas reports skb_over_panic errors on his Banana Pi BPI-CM4 which comes
+with an Amlogic A311D (G12B) SoC and a RTL8822CS SDIO wifi/Bluetooth
+combo card. The error he observed is identical to what has been fixed
+in commit e967229ead0e ("wifi: rtw88: sdio: Check the HISR RX_REQUEST
+bit in rtw_sdio_rx_isr()") but that commit didn't fix Lukas' problem.
+
+Lukas found that disabling or limiting RX aggregation works around the
+problem for some time (but does not fully fix it). In the following
+discussion a few key topics have been discussed which have an impact on
+this problem:
+- The Amlogic A311D (G12B) SoC has a hardware bug in the SDIO controller
+ which prevents DMA transfers. Instead all transfers need to go through
+ the controller SRAM which limits transfers to 1536 bytes
+- rtw88 chips don't split incoming (RX) packets, so if a big packet is
+ received this is forwarded to the host in it's original form
+- rtw88 chips can do RX aggregation, meaning more multiple incoming
+ packets can be pulled by the host from the card with one MMC/SDIO
+ transfer. This Depends on settings in the REG_RXDMA_AGG_PG_TH
+ register (BIT_RXDMA_AGG_PG_TH limits the number of packets that will
+ be aggregated, BIT_DMA_AGG_TO_V1 configures a timeout for aggregation
+ and BIT_EN_PRE_CALC makes the chip honor the limits more effectively)
+
+Use multiple consecutive reads in rtw_sdio_read_port() and limit the
+number of bytes which are copied by the host from the card in one
+MMC/SDIO transfer. This allows receiving a buffer that's larger than
+the hosts max_req_size (number of bytes which can be transferred in
+one MMC/SDIO transfer). As a result of this the skb_over_panic error
+is gone as the rtw88 driver is now able to receive more than 1536 bytes
+from the card (either because the incoming packet is larger than that
+or because multiple packets have been aggregated).
+
+In case of an receive errors (-EILSEQ has been observed by Lukas) we
+need to drain the remaining data from the card's buffer, otherwise the
+card will return corrupt data for the next rtw_sdio_read_port() call.
+
+The Linux kernel CVE team has assigned CVE-2023-52611 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 6.4 with commit 65371a3f14e7 and fixed in 6.6.14 with commit 5b5ddf21b978
+ Issue introduced in 6.4 with commit 65371a3f14e7 and fixed in 6.7.2 with commit 0e9ffff72a06
+ Issue introduced in 6.4 with commit 65371a3f14e7 and fixed in 6.8 with commit 00384f565a91
+
+Please see https://www.kernel.org or a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2023-52611
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/net/wireless/realtek/rtw88/sdio.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/5b5ddf21b978ec315cab9d9e7e6ac7374791a8c7
+ https://git.kernel.org/stable/c/0e9ffff72a0674cd6656314dbd99cdd2123a3030
+ https://git.kernel.org/stable/c/00384f565a91c08c4bedae167f749b093d10e3fe
diff --git a/cve/published/2023/CVE-2023-52611.sha1 b/cve/published/2023/CVE-2023-52611.sha1
new file mode 100644
index 00000000..f4659a34
--- /dev/null
+++ b/cve/published/2023/CVE-2023-52611.sha1
@@ -0,0 +1 @@
+00384f565a91c08c4bedae167f749b093d10e3fe
diff --git a/cve/reserved/2023/CVE-2023-52612 b/cve/published/2023/CVE-2023-52612
index e69de29b..e69de29b 100644
--- a/cve/reserved/2023/CVE-2023-52612
+++ b/cve/published/2023/CVE-2023-52612
diff --git a/cve/published/2023/CVE-2023-52612.json b/cve/published/2023/CVE-2023-52612.json
new file mode 100644
index 00000000..a0449fb9
--- /dev/null
+++ b/cve/published/2023/CVE-2023-52612.json
@@ -0,0 +1,178 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: scomp - fix req->dst buffer overflow\n\nThe req->dst buffer size should be checked before copying from the\nscomp_scratch->dst to avoid req->dst buffer overflow problem."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1ab53a77b772",
+ "lessThan": "1142d65c5b88",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1ab53a77b772",
+ "lessThan": "e0e3f4a18784",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1ab53a77b772",
+ "lessThan": "4518dc468cdd",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1ab53a77b772",
+ "lessThan": "a5f2f91b3fd7",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1ab53a77b772",
+ "lessThan": "4df0c942d04a",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1ab53a77b772",
+ "lessThan": "7d9e5bed036a",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1ab53a77b772",
+ "lessThan": "71c6670f9f03",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1ab53a77b772",
+ "lessThan": "744e1885922a",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "4.10",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "4.10",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.19.306",
+ "lessThanOrEqual": "4.19.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.268",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.209",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.148",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.75",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.14",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.2",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/1142d65c5b881590962ad763f94505b6dd67d2fe"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/e0e3f4a18784182cfe34e20c00eca11e78d53e76"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/4518dc468cdd796757190515a9be7408adc8911e"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/a5f2f91b3fd7387e5102060809316a0f8f0bc625"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/4df0c942d04a67df174195ad8082f6e30e7f71a5"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/7d9e5bed036a7f9e2062a137e97e3c1e77fb8759"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/71c6670f9f032ec67d8f4e3f8db4646bf5a62883"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/744e1885922a9943458954cfea917b31064b4131"
+ }
+ ],
+ "title": "crypto: scomp - fix req->dst buffer overflow",
+ "x_generator": {
+ "engine": "bippy-8df59b4913de"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2023-52612",
+ "requesterUserId": "lee@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2023/CVE-2023-52612.mbox b/cve/published/2023/CVE-2023-52612.mbox
new file mode 100644
index 00000000..914db10e
--- /dev/null
+++ b/cve/published/2023/CVE-2023-52612.mbox
@@ -0,0 +1,82 @@
+From bippy-8df59b4913de Mon Sep 17 00:00:00 2001
+From: Lee Jones <lee@kernel.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2023-52612: crypto: scomp - fix req->dst buffer overflow
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2799; i=lee@kernel.org;
+ h=from:subject; bh=95CUoBo22+Yf7w5ydHdRdmqVJA8PE/Ul/9KvWVRQvvU=;
+ b=owEBbQKS/ZANAwAKAVGvii+H/HdhAcsmYgBl+BJ/uI76tgqo89CAUtjfjlWXzupTOXl1KFReP
+ jbaipi9VsyJAjMEAAEKAB0WIQR2tsk1o74gmpTwh0hRr4ovh/x3YQUCZfgSfwAKCRBRr4ovh/x3
+ YVuZD/44GXEwBIkyAGZMIfyFbsLp18Yi4mMGO8W+7YFTk+43/O9aWMLXxzn6jCA8TeoEsGFayI3
+ X6FVo/pgUmfuYG+3TqJDbjM5vdLazDWfnoPZU1qEGc5fEJZUClbtWBXm9hhIUMzCPfpopfYoIIc
+ wputfvSrw6FrXHuBKGszGWapr2eGgY8zzBJMRzxuC9iFAB+fL4YUBYVUMd5bLMVD2/l+XdZJQsl
+ ElsQCTAkj0c7Bn3NrHOJLEc2uSXEb0FUWsGE3c780/chr56Q3P8Wtn4T13Xgat5IqfU0U8RQAaX
+ G4oaXajvKK6DNMN6n/l7UBvQC4MBNhd4DqcETRvJ4gOOvyFU3+cz4xMCrs3eU/ZkzHK3M0RhUsB
+ R02Vy/cMzVMKOOcE51Acvsl4GWd7uzcuhArxs9hbIM9Z+kCQAuQdkiND2yY+WgqhDubBnMKJNkX
+ KQqR15RmxMLqo3HRjAUu5UlcaNttw89ngd9xSrtruOD+hcfWDbuljwlwWUb+ApSk6PyT3+MM1P5
+ gLD68QCbVX7WHA5h6Pzxc0GFT1h8bL8TZLfUDgrT6/1wMdlJJqV2FMP19NfRFDVcpwvjC1WeK8Q
+ WuS0UJ4KC8pkQQVhFC44JX2YnPcJsIOIdcjcbAefxtD22DZ/f4aF08Cb+cLwsz0r3JLSizGiIsW
+ uJk7m0QkX2+MQnQ==
+X-Developer-Key: i=lee@kernel.org; a=openpgp;
+ fpr=76B6C935A3BE209A94F0874851AF8A2F87FC7761
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+crypto: scomp - fix req->dst buffer overflow
+
+The req->dst buffer size should be checked before copying from the
+scomp_scratch->dst to avoid req->dst buffer overflow problem.
+
+The Linux kernel CVE team has assigned CVE-2023-52612 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 4.10 with commit 1ab53a77b772 and fixed in 4.19.306 with commit 1142d65c5b88
+ Issue introduced in 4.10 with commit 1ab53a77b772 and fixed in 5.4.268 with commit e0e3f4a18784
+ Issue introduced in 4.10 with commit 1ab53a77b772 and fixed in 5.10.209 with commit 4518dc468cdd
+ Issue introduced in 4.10 with commit 1ab53a77b772 and fixed in 5.15.148 with commit a5f2f91b3fd7
+ Issue introduced in 4.10 with commit 1ab53a77b772 and fixed in 6.1.75 with commit 4df0c942d04a
+ Issue introduced in 4.10 with commit 1ab53a77b772 and fixed in 6.6.14 with commit 7d9e5bed036a
+ Issue introduced in 4.10 with commit 1ab53a77b772 and fixed in 6.7.2 with commit 71c6670f9f03
+ Issue introduced in 4.10 with commit 1ab53a77b772 and fixed in 6.8 with commit 744e1885922a
+
+Please see https://www.kernel.org or a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2023-52612
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ crypto/scompress.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/1142d65c5b881590962ad763f94505b6dd67d2fe
+ https://git.kernel.org/stable/c/e0e3f4a18784182cfe34e20c00eca11e78d53e76
+ https://git.kernel.org/stable/c/4518dc468cdd796757190515a9be7408adc8911e
+ https://git.kernel.org/stable/c/a5f2f91b3fd7387e5102060809316a0f8f0bc625
+ https://git.kernel.org/stable/c/4df0c942d04a67df174195ad8082f6e30e7f71a5
+ https://git.kernel.org/stable/c/7d9e5bed036a7f9e2062a137e97e3c1e77fb8759
+ https://git.kernel.org/stable/c/71c6670f9f032ec67d8f4e3f8db4646bf5a62883
+ https://git.kernel.org/stable/c/744e1885922a9943458954cfea917b31064b4131
diff --git a/cve/published/2023/CVE-2023-52612.sha1 b/cve/published/2023/CVE-2023-52612.sha1
new file mode 100644
index 00000000..cf3c779f
--- /dev/null
+++ b/cve/published/2023/CVE-2023-52612.sha1
@@ -0,0 +1 @@
+744e1885922a9943458954cfea917b31064b4131
diff --git a/cve/reserved/2023/CVE-2023-52613 b/cve/published/2023/CVE-2023-52613
index e69de29b..e69de29b 100644
--- a/cve/reserved/2023/CVE-2023-52613
+++ b/cve/published/2023/CVE-2023-52613
diff --git a/cve/published/2023/CVE-2023-52613.json b/cve/published/2023/CVE-2023-52613.json
new file mode 100644
index 00000000..660a0466
--- /dev/null
+++ b/cve/published/2023/CVE-2023-52613.json
@@ -0,0 +1,103 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers/thermal/loongson2_thermal: Fix incorrect PTR_ERR() judgment\n\nPTR_ERR() returns -ENODEV when thermal-zones are undefined, and we need\n-ENODEV as the right value for comparison.\n\nOtherwise, tz->type is NULL when thermal-zones is undefined, resulting\nin the following error:\n\n[ 12.290030] CPU 1 Unable to handle kernel paging request at virtual address fffffffffffffff1, era == 900000000355f410, ra == 90000000031579b8\n[ 12.302877] Oops[#1]:\n[ 12.305190] CPU: 1 PID: 181 Comm: systemd-udevd Not tainted 6.6.0-rc7+ #5385\n[ 12.312304] pc 900000000355f410 ra 90000000031579b8 tp 90000001069e8000 sp 90000001069eba10\n[ 12.320739] a0 0000000000000000 a1 fffffffffffffff1 a2 0000000000000014 a3 0000000000000001\n[ 12.329173] a4 90000001069eb990 a5 0000000000000001 a6 0000000000001001 a7 900000010003431c\n[ 12.337606] t0 fffffffffffffff1 t1 54567fd5da9b4fd4 t2 900000010614ec40 t3 00000000000dc901\n[ 12.346041] t4 0000000000000000 t5 0000000000000004 t6 900000010614ee20 t7 900000000d00b790\n[ 12.354472] t8 00000000000dc901 u0 54567fd5da9b4fd4 s9 900000000402ae10 s0 900000010614ec40\n[ 12.362916] s1 90000000039fced0 s2 ffffffffffffffed s3 ffffffffffffffed s4 9000000003acc000\n[ 12.362931] s5 0000000000000004 s6 fffffffffffff000 s7 0000000000000490 s8 90000001028b2ec8\n[ 12.362938] ra: 90000000031579b8 thermal_add_hwmon_sysfs+0x258/0x300\n[ 12.386411] ERA: 900000000355f410 strscpy+0xf0/0x160\n[ 12.391626] CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)\n[ 12.397898] PRMD: 00000004 (PPLV0 +PIE -PWE)\n[ 12.403678] EUEN: 00000000 (-FPE -SXE -ASXE -BTE)\n[ 12.409859] ECFG: 00071c1c (LIE=2-4,10-12 VS=7)\n[ 12.415882] ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0)\n[ 12.415907] BADV: fffffffffffffff1\n[ 12.415911] PRID: 0014a000 (Loongson-64bit, Loongson-2K1000)\n[ 12.415917] Modules linked in: loongson2_thermal(+) vfat fat uio_pdrv_genirq uio fuse zram zsmalloc\n[ 12.415950] Process 
systemd-udevd (pid: 181, threadinfo=00000000358b9718, task=00000000ace72fe3)\n[ 12.415961] Stack : 0000000000000dc0 54567fd5da9b4fd4 900000000402ae10 9000000002df9358\n[ 12.415982] ffffffffffffffed 0000000000000004 9000000107a10aa8 90000001002a3410\n[ 12.415999] ffffffffffffffed ffffffffffffffed 9000000107a11268 9000000003157ab0\n[ 12.416016] 9000000107a10aa8 ffffff80020fc0c8 90000001002a3410 ffffffffffffffed\n[ 12.416032] 0000000000000024 ffffff80020cc1e8 900000000402b2a0 9000000003acc000\n[ 12.416048] 90000001002a3410 0000000000000000 ffffff80020f4030 90000001002a3410\n[ 12.416065] 0000000000000000 9000000002df6808 90000001002a3410 0000000000000000\n[ 12.416081] ffffff80020f4030 0000000000000000 90000001002a3410 9000000002df2ba8\n[ 12.416097] 00000000000000b4 90000001002a34f4 90000001002a3410 0000000000000002\n[ 12.416114] ffffff80020f4030 fffffffffffffff0 90000001002a3410 9000000002df2f30\n[ 12.416131] ...\n[ 12.416138] Call Trace:\n[ 12.416142] [<900000000355f410>] strscpy+0xf0/0x160\n[ 12.416167] [<90000000031579b8>] thermal_add_hwmon_sysfs+0x258/0x300\n[ 12.416183] [<9000000003157ab0>] devm_thermal_add_hwmon_sysfs+0x50/0xe0\n[ 12.416200] [<ffffff80020cc1e8>] loongson2_thermal_probe+0x128/0x200 [loongson2_thermal]\n[ 12.416232] [<9000000002df6808>] platform_probe+0x68/0x140\n[ 12.416249] [<9000000002df2ba8>] really_probe+0xc8/0x3c0\n[ 12.416269] [<9000000002df2f30>] __driver_probe_device+0x90/0x180\n[ 12.416286] [<9000000002df3058>] driver_probe_device+0x38/0x160\n[ 12.416302] [<9000000002df33a8>] __driver_attach+0xa8/0x200\n[ 12.416314] [<9000000002deffec>] bus_for_each_dev+0x8c/0x120\n[ 12.416330] [<9000000002df198c>] bus_add_driver+0x10c/0x2a0\n[ 12.416346] [<9000000002df46b4>] driver_register+0x74/0x160\n[ 12.416358] [<90000000022201a4>] do_one_initcall+0x84/0x220\n[ 12.416372] [<90000000022f3ab8>] do_init_module+0x58/0x2c0\n[\n---truncated---"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "e7e3a7c35791",
+ "lessThan": "70481755ed77",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "e7e3a7c35791",
+ "lessThan": "6010a9fc14eb",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "e7e3a7c35791",
+ "lessThan": "15ef92e9c411",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.6",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "6.6",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.14",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.2",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/70481755ed77400e783200e2d022e5fea16060ce"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/6010a9fc14eb1feab5cafd84422001134fe8ec58"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/15ef92e9c41124ee9d88b01208364f3fe1f45f84"
+ }
+ ],
+ "title": "drivers/thermal/loongson2_thermal: Fix incorrect PTR_ERR() judgment",
+ "x_generator": {
+ "engine": "bippy-8df59b4913de"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2023-52613",
+ "requesterUserId": "lee@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2023/CVE-2023-52613.mbox b/cve/published/2023/CVE-2023-52613.mbox
new file mode 100644
index 00000000..5b404661
--- /dev/null
+++ b/cve/published/2023/CVE-2023-52613.mbox
@@ -0,0 +1,128 @@
+From bippy-8df59b4913de Mon Sep 17 00:00:00 2001
+From: Lee Jones <lee@kernel.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2023-52613: drivers/thermal/loongson2_thermal: Fix incorrect PTR_ERR() judgment
+X-Developer-Signature: v=1; a=openpgp-sha256; l=5992; i=lee@kernel.org;
+ h=from:subject; bh=pkGR7kgfNyBkW027tknaoh8bSa9ki1zH2qYUUdhivsg=;
+ b=owEBbQKS/ZANAwAKAVGvii+H/HdhAcsmYgBl+BJ/I+Ju7kEImA33+KIj5jJ9iAxGDm/5zL9zP
+ yR+YkVBc4mJAjMEAAEKAB0WIQR2tsk1o74gmpTwh0hRr4ovh/x3YQUCZfgSfwAKCRBRr4ovh/x3
+ YVL9D/wL+eVVyKjLGYyY2eqyV3a7ap8vUWYc30NtenHA7ozz69zdHTOQLsDNMx8WUXgeE+txp0Z
+ gO5H+msvdtaCvfyaJ432I3mh5WqSQNd/R7sV4itlLA7vNCYHFv1WkRSj15HVAba4xAsQy6pzc22
+ 9Q0QhoNUeyI92y7gphO3UQF6Ih0dYJMglVXZiU8FMlBLo1dWkhNXdhgeqH5hVdaa4sCD/5FKXzp
+ 6+X5+FsTUpnEe+NzeAvK5yiHrFSjL88fIgHzswHS9STW4EyEd1NeeRXVgpc9c82404M3TFvHNEj
+ HtBrVsvAF98MtONA6++76N+u/jTAht/QJssyDvWr2wYw5ETUYe2OHMt4z+p9PovTqGRftaItHtD
+ AjkXH4ymUwItpRnmyF8bwZGCmupub+YHlnQiIq/OZ/Dp+A3RDk8qO8Oyyn4AVzsyLXUy+Cs8GdF
+ sv5ONLIl+hpWmLtL8UQ+9Ek4p0qZ/81KK9QBwyAbeyNhicVlSaNxApHffttkfk1HsxqRybm/NjT
+ G+GQU8dRshPxpxysIzQ2ybO67SxpvUj3MqkrhPMFqt7CqbEvL15jtwz+p16nQPrBRihAzx7usVV
+ OjPOyk/7+KU29VkuN26ZXHFkfCM4Bfzo5a/NPa3u3WSQO/Nm1ORP6Ot5lsAMp9FZ7uT0LHK/1U4
+ AbLEbgkcIL77nnQ==
+X-Developer-Key: i=lee@kernel.org; a=openpgp;
+ fpr=76B6C935A3BE209A94F0874851AF8A2F87FC7761
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+drivers/thermal/loongson2_thermal: Fix incorrect PTR_ERR() judgment
+
+PTR_ERR() returns -ENODEV when thermal-zones are undefined, and we need
+-ENODEV as the right value for comparison.
+
+Otherwise, tz->type is NULL when thermal-zones is undefined, resulting
+in the following error:
+
+[ 12.290030] CPU 1 Unable to handle kernel paging request at virtual address fffffffffffffff1, era == 900000000355f410, ra == 90000000031579b8
+[ 12.302877] Oops[#1]:
+[ 12.305190] CPU: 1 PID: 181 Comm: systemd-udevd Not tainted 6.6.0-rc7+ #5385
+[ 12.312304] pc 900000000355f410 ra 90000000031579b8 tp 90000001069e8000 sp 90000001069eba10
+[ 12.320739] a0 0000000000000000 a1 fffffffffffffff1 a2 0000000000000014 a3 0000000000000001
+[ 12.329173] a4 90000001069eb990 a5 0000000000000001 a6 0000000000001001 a7 900000010003431c
+[ 12.337606] t0 fffffffffffffff1 t1 54567fd5da9b4fd4 t2 900000010614ec40 t3 00000000000dc901
+[ 12.346041] t4 0000000000000000 t5 0000000000000004 t6 900000010614ee20 t7 900000000d00b790
+[ 12.354472] t8 00000000000dc901 u0 54567fd5da9b4fd4 s9 900000000402ae10 s0 900000010614ec40
+[ 12.362916] s1 90000000039fced0 s2 ffffffffffffffed s3 ffffffffffffffed s4 9000000003acc000
+[ 12.362931] s5 0000000000000004 s6 fffffffffffff000 s7 0000000000000490 s8 90000001028b2ec8
+[ 12.362938] ra: 90000000031579b8 thermal_add_hwmon_sysfs+0x258/0x300
+[ 12.386411] ERA: 900000000355f410 strscpy+0xf0/0x160
+[ 12.391626] CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)
+[ 12.397898] PRMD: 00000004 (PPLV0 +PIE -PWE)
+[ 12.403678] EUEN: 00000000 (-FPE -SXE -ASXE -BTE)
+[ 12.409859] ECFG: 00071c1c (LIE=2-4,10-12 VS=7)
+[ 12.415882] ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0)
+[ 12.415907] BADV: fffffffffffffff1
+[ 12.415911] PRID: 0014a000 (Loongson-64bit, Loongson-2K1000)
+[ 12.415917] Modules linked in: loongson2_thermal(+) vfat fat uio_pdrv_genirq uio fuse zram zsmalloc
+[ 12.415950] Process systemd-udevd (pid: 181, threadinfo=00000000358b9718, task=00000000ace72fe3)
+[ 12.415961] Stack : 0000000000000dc0 54567fd5da9b4fd4 900000000402ae10 9000000002df9358
+[ 12.415982] ffffffffffffffed 0000000000000004 9000000107a10aa8 90000001002a3410
+[ 12.415999] ffffffffffffffed ffffffffffffffed 9000000107a11268 9000000003157ab0
+[ 12.416016] 9000000107a10aa8 ffffff80020fc0c8 90000001002a3410 ffffffffffffffed
+[ 12.416032] 0000000000000024 ffffff80020cc1e8 900000000402b2a0 9000000003acc000
+[ 12.416048] 90000001002a3410 0000000000000000 ffffff80020f4030 90000001002a3410
+[ 12.416065] 0000000000000000 9000000002df6808 90000001002a3410 0000000000000000
+[ 12.416081] ffffff80020f4030 0000000000000000 90000001002a3410 9000000002df2ba8
+[ 12.416097] 00000000000000b4 90000001002a34f4 90000001002a3410 0000000000000002
+[ 12.416114] ffffff80020f4030 fffffffffffffff0 90000001002a3410 9000000002df2f30
+[ 12.416131] ...
+[ 12.416138] Call Trace:
+[ 12.416142] [<900000000355f410>] strscpy+0xf0/0x160
+[ 12.416167] [<90000000031579b8>] thermal_add_hwmon_sysfs+0x258/0x300
+[ 12.416183] [<9000000003157ab0>] devm_thermal_add_hwmon_sysfs+0x50/0xe0
+[ 12.416200] [<ffffff80020cc1e8>] loongson2_thermal_probe+0x128/0x200 [loongson2_thermal]
+[ 12.416232] [<9000000002df6808>] platform_probe+0x68/0x140
+[ 12.416249] [<9000000002df2ba8>] really_probe+0xc8/0x3c0
+[ 12.416269] [<9000000002df2f30>] __driver_probe_device+0x90/0x180
+[ 12.416286] [<9000000002df3058>] driver_probe_device+0x38/0x160
+[ 12.416302] [<9000000002df33a8>] __driver_attach+0xa8/0x200
+[ 12.416314] [<9000000002deffec>] bus_for_each_dev+0x8c/0x120
+[ 12.416330] [<9000000002df198c>] bus_add_driver+0x10c/0x2a0
+[ 12.416346] [<9000000002df46b4>] driver_register+0x74/0x160
+[ 12.416358] [<90000000022201a4>] do_one_initcall+0x84/0x220
+[ 12.416372] [<90000000022f3ab8>] do_init_module+0x58/0x2c0
+[ 12.416386] [<90000000022f6538>] init_module_from_file+0x98/0x100
+[ 12.416399] [<90000000022f67f0>] sys_finit_module+0x230/0x3c0
+[ 12.416412] [<900000000358f7c8>] do_syscall+0x88/0xc0
+[ 12.416431] [<900000000222137c>] handle_syscall+0xbc/0x158
+
+The Linux kernel CVE team has assigned CVE-2023-52613 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 6.6 with commit e7e3a7c35791 and fixed in 6.6.14 with commit 70481755ed77
+ Issue introduced in 6.6 with commit e7e3a7c35791 and fixed in 6.7.2 with commit 6010a9fc14eb
+ Issue introduced in 6.6 with commit e7e3a7c35791 and fixed in 6.8 with commit 15ef92e9c411
+
+Please see https://www.kernel.org or a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2023-52613
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/thermal/loongson2_thermal.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/70481755ed77400e783200e2d022e5fea16060ce
+ https://git.kernel.org/stable/c/6010a9fc14eb1feab5cafd84422001134fe8ec58
+ https://git.kernel.org/stable/c/15ef92e9c41124ee9d88b01208364f3fe1f45f84
diff --git a/cve/published/2023/CVE-2023-52613.sha1 b/cve/published/2023/CVE-2023-52613.sha1
new file mode 100644
index 00000000..55501cee
--- /dev/null
+++ b/cve/published/2023/CVE-2023-52613.sha1
@@ -0,0 +1 @@
+15ef92e9c41124ee9d88b01208364f3fe1f45f84
diff --git a/cve/reserved/2024/CVE-2024-26631 b/cve/published/2024/CVE-2024-26631
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26631
+++ b/cve/published/2024/CVE-2024-26631
diff --git a/cve/published/2024/CVE-2024-26631.json b/cve/published/2024/CVE-2024-26631.json
new file mode 100644
index 00000000..2900a3fe
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26631.json
@@ -0,0 +1,133 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: mcast: fix data-race in ipv6_mc_down / mld_ifc_work\n\nidev->mc_ifc_count can be written over without proper locking.\n\nOriginally found by syzbot [1], fix this issue by encapsulating calls\nto mld_ifc_stop_work() (and mld_gq_stop_work() for good measure) with\nmutex_lock() and mutex_unlock() accordingly as these functions\nshould only be called with mc_lock per their declarations.\n\n[1]\nBUG: KCSAN: data-race in ipv6_mc_down / mld_ifc_work\n\nwrite to 0xffff88813a80c832 of 1 bytes by task 3771 on cpu 0:\n mld_ifc_stop_work net/ipv6/mcast.c:1080 [inline]\n ipv6_mc_down+0x10a/0x280 net/ipv6/mcast.c:2725\n addrconf_ifdown+0xe32/0xf10 net/ipv6/addrconf.c:3949\n addrconf_notify+0x310/0x980\n notifier_call_chain kernel/notifier.c:93 [inline]\n raw_notifier_call_chain+0x6b/0x1c0 kernel/notifier.c:461\n __dev_notify_flags+0x205/0x3d0\n dev_change_flags+0xab/0xd0 net/core/dev.c:8685\n do_setlink+0x9f6/0x2430 net/core/rtnetlink.c:2916\n rtnl_group_changelink net/core/rtnetlink.c:3458 [inline]\n __rtnl_newlink net/core/rtnetlink.c:3717 [inline]\n rtnl_newlink+0xbb3/0x1670 net/core/rtnetlink.c:3754\n rtnetlink_rcv_msg+0x807/0x8c0 net/core/rtnetlink.c:6558\n netlink_rcv_skb+0x126/0x220 net/netlink/af_netlink.c:2545\n rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:6576\n netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]\n netlink_unicast+0x589/0x650 net/netlink/af_netlink.c:1368\n netlink_sendmsg+0x66e/0x770 net/netlink/af_netlink.c:1910\n ...\n\nwrite to 0xffff88813a80c832 of 1 bytes by task 22 on cpu 1:\n mld_ifc_work+0x54c/0x7b0 net/ipv6/mcast.c:2653\n process_one_work kernel/workqueue.c:2627 [inline]\n process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2700\n worker_thread+0x525/0x730 kernel/workqueue.c:2781\n ..."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "2d9a93b4902b",
+ "lessThan": "62b3387beef1",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "2d9a93b4902b",
+ "lessThan": "380540bb06bb",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "2d9a93b4902b",
+ "lessThan": "3cc283fd16fb",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "2d9a93b4902b",
+ "lessThan": "3bb5849675ae",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "2d9a93b4902b",
+ "lessThan": "2e7ef287f07c",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.13",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.13",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.148",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.75",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.14",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.2",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/62b3387beef11738eb6ce667601a28fa089fa02c"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/380540bb06bb1d1b12bdc947d1b8f56cda6b5663"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/3cc283fd16fba72e2cefe3a6f48d7a36b0438900"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/3bb5849675ae1d592929798a2b37ea450879c855"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/2e7ef287f07c74985f1bf2858bedc62bd9ebf155"
+ }
+ ],
+ "title": "ipv6: mcast: fix data-race in ipv6_mc_down / mld_ifc_work",
+ "x_generator": {
+ "engine": "bippy-8df59b4913de"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26631",
+ "requesterUserId": "lee@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26631.mbox b/cve/published/2024/CVE-2024-26631.mbox
new file mode 100644
index 00000000..e1e3920c
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26631.mbox
@@ -0,0 +1,111 @@
+From bippy-8df59b4913de Mon Sep 17 00:00:00 2001
+From: Lee Jones <lee@kernel.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26631: ipv6: mcast: fix data-race in ipv6_mc_down / mld_ifc_work
+X-Developer-Signature: v=1; a=openpgp-sha256; l=3855; i=lee@kernel.org;
+ h=from:subject; bh=V6OOBA7k6o/GCzIvm17FtGsaf3B+dhTNWlBhzOdxjks=;
+ b=owEBbQKS/ZANAwAKAVGvii+H/HdhAcsmYgBl+BJ/knLFImgvq6u9G0Ej1c9xXShjRwF2nWEFt
+ kAHh1GsjKGJAjMEAAEKAB0WIQR2tsk1o74gmpTwh0hRr4ovh/x3YQUCZfgSfwAKCRBRr4ovh/x3
+ YeQ/D/4nKSEK8Iw1W/Rtb5Si1zQnwbioChJsqqPd5BIrvwCHKn6MiyaJwBnILOQY4+M4pdMWiwF
+ EpIAvKZiSIOQZlTGm8mLNb/Hl0WBfYGjpFqWBjUo+hby+Rp+vZWKvEtYDmwO/LavyAedJEDkVUc
+ zZs5DZj8nzWvm5Ky/IERuIsuJzuGrzcjuBip2wz+MNSNREuSXVJJNscumz0Zdvp2aP4k2eXnvqu
+ l2gg5IL/PD+Phiw5vpYv0W3OOIV9QAu6f840hyB+Bt2hvbKrJ1B21hHnIglO/CvN5JCZRaaGHPf
+ i89+56V3Wwx/NxkdwSGHtAyFJc9nydFFpQ3A2/j+86eocIz/8TfmHQpqFE/az+tRwqX/BFxfa3r
+ SEi0FnDssECE8/bMJZixhI1xlnTocXAkN3HyXmmSBBbCXBAjmgIr6LGD4JjzjdEmfMSNbkVtNCX
+ nq2Mn1XAmZocvUOOrfpBSio6/4viA9u7XMfl36Mq/r1CqnvN3r/14AXr8ZAA5OsaoK8W7XJu8zi
+ /PGYaTWu1rFYI8knsncgL1H8yPY4upsW6ssOOYk/7jInqtnbviLHuKRJm24beNtCniv/4+pc8rd
+ lSRDn/z6bUAx72RNxSLmIqfwozp18Io5NKbR6sTVXZFvni+yTJWr6RHhPbGPILp/TwTvvIg+YR4
+ dWJSJ1kJbWn7Yzw==
+X-Developer-Key: i=lee@kernel.org; a=openpgp;
+ fpr=76B6C935A3BE209A94F0874851AF8A2F87FC7761
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+ipv6: mcast: fix data-race in ipv6_mc_down / mld_ifc_work
+
+idev->mc_ifc_count can be written over without proper locking.
+
+Originally found by syzbot [1], fix this issue by encapsulating calls
+to mld_ifc_stop_work() (and mld_gq_stop_work() for good measure) with
+mutex_lock() and mutex_unlock() accordingly as these functions
+should only be called with mc_lock per their declarations.
+
+[1]
+BUG: KCSAN: data-race in ipv6_mc_down / mld_ifc_work
+
+write to 0xffff88813a80c832 of 1 bytes by task 3771 on cpu 0:
+ mld_ifc_stop_work net/ipv6/mcast.c:1080 [inline]
+ ipv6_mc_down+0x10a/0x280 net/ipv6/mcast.c:2725
+ addrconf_ifdown+0xe32/0xf10 net/ipv6/addrconf.c:3949
+ addrconf_notify+0x310/0x980
+ notifier_call_chain kernel/notifier.c:93 [inline]
+ raw_notifier_call_chain+0x6b/0x1c0 kernel/notifier.c:461
+ __dev_notify_flags+0x205/0x3d0
+ dev_change_flags+0xab/0xd0 net/core/dev.c:8685
+ do_setlink+0x9f6/0x2430 net/core/rtnetlink.c:2916
+ rtnl_group_changelink net/core/rtnetlink.c:3458 [inline]
+ __rtnl_newlink net/core/rtnetlink.c:3717 [inline]
+ rtnl_newlink+0xbb3/0x1670 net/core/rtnetlink.c:3754
+ rtnetlink_rcv_msg+0x807/0x8c0 net/core/rtnetlink.c:6558
+ netlink_rcv_skb+0x126/0x220 net/netlink/af_netlink.c:2545
+ rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:6576
+ netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
+ netlink_unicast+0x589/0x650 net/netlink/af_netlink.c:1368
+ netlink_sendmsg+0x66e/0x770 net/netlink/af_netlink.c:1910
+ ...
+
+write to 0xffff88813a80c832 of 1 bytes by task 22 on cpu 1:
+ mld_ifc_work+0x54c/0x7b0 net/ipv6/mcast.c:2653
+ process_one_work kernel/workqueue.c:2627 [inline]
+ process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2700
+ worker_thread+0x525/0x730 kernel/workqueue.c:2781
+ ...
+
+The Linux kernel CVE team has assigned CVE-2024-26631 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.13 with commit 2d9a93b4902b and fixed in 5.15.148 with commit 62b3387beef1
+ Issue introduced in 5.13 with commit 2d9a93b4902b and fixed in 6.1.75 with commit 380540bb06bb
+ Issue introduced in 5.13 with commit 2d9a93b4902b and fixed in 6.6.14 with commit 3cc283fd16fb
+ Issue introduced in 5.13 with commit 2d9a93b4902b and fixed in 6.7.2 with commit 3bb5849675ae
+ Issue introduced in 5.13 with commit 2d9a93b4902b and fixed in 6.8 with commit 2e7ef287f07c
+
+Please see https://www.kernel.org or a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26631
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ net/ipv6/mcast.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/62b3387beef11738eb6ce667601a28fa089fa02c
+ https://git.kernel.org/stable/c/380540bb06bb1d1b12bdc947d1b8f56cda6b5663
+ https://git.kernel.org/stable/c/3cc283fd16fba72e2cefe3a6f48d7a36b0438900
+ https://git.kernel.org/stable/c/3bb5849675ae1d592929798a2b37ea450879c855
+ https://git.kernel.org/stable/c/2e7ef287f07c74985f1bf2858bedc62bd9ebf155
diff --git a/cve/published/2024/CVE-2024-26631.sha1 b/cve/published/2024/CVE-2024-26631.sha1
new file mode 100644
index 00000000..215a4b24
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26631.sha1
@@ -0,0 +1 @@
+2e7ef287f07c74985f1bf2858bedc62bd9ebf155
diff --git a/cve/reserved/2024/CVE-2024-26632 b/cve/published/2024/CVE-2024-26632
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26632
+++ b/cve/published/2024/CVE-2024-26632
diff --git a/cve/published/2024/CVE-2024-26632.json b/cve/published/2024/CVE-2024-26632.json
new file mode 100644
index 00000000..22e40b53
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26632.json
@@ -0,0 +1,118 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: Fix iterating over an empty bio with bio_for_each_folio_all\n\nIf the bio contains no data, bio_first_folio() calls page_folio() on a\nNULL pointer and oopses. Move the test that we've reached the end of\nthe bio from bio_next_folio() to bio_first_folio().\n\n[axboe: add unlikely() to error case]"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "640d1930bef4",
+ "lessThan": "c6350b5cb78e",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "640d1930bef4",
+ "lessThan": "a6bd8182137a",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "640d1930bef4",
+ "lessThan": "ca3ede3f5893",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "640d1930bef4",
+ "lessThan": "7bed6f3d08b7",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.17",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.17",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.75",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.14",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.2",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/c6350b5cb78e9024c49eaee6fdb914ad2903a5fe"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/a6bd8182137a12d22d3f2cee463271bdcb491659"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/ca3ede3f5893e2d26d4dbdef1eec28a8487fafde"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/7bed6f3d08b7af27b7015da8dc3acf2b9c1f21d7"
+ }
+ ],
+ "title": "block: Fix iterating over an empty bio with bio_for_each_folio_all",
+ "x_generator": {
+ "engine": "bippy-8df59b4913de"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26632",
+ "requesterUserId": "lee@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26632.mbox b/cve/published/2024/CVE-2024-26632.mbox
new file mode 100644
index 00000000..8333183e
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26632.mbox
@@ -0,0 +1,77 @@
+From bippy-8df59b4913de Mon Sep 17 00:00:00 2001
+From: Lee Jones <lee@kernel.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26632: block: Fix iterating over an empty bio with bio_for_each_folio_all
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2233; i=lee@kernel.org;
+ h=from:subject; bh=L1jzKvNZY/qdMYeugO3kL77oyIGE6tlaoLv5eHp6348=;
+ b=owEBbQKS/ZANAwAKAVGvii+H/HdhAcsmYgBl+BJ/3s6M+IqeG+3aA7oQZd4URa7g2KgN8Oi7e
+ OWraWrnwJiJAjMEAAEKAB0WIQR2tsk1o74gmpTwh0hRr4ovh/x3YQUCZfgSfwAKCRBRr4ovh/x3
+ YWc6D/9HfAK5iP/Veny+hh5AswD1eBAdNWRyxmGNPyCt1Qgi0kIwubhZl658iLS++j6vy4sxllA
+ tFvg2/aAYSwJpoWuchtKEYdDtx6Zxhl3oBCcLlcQkJSA16KblAnkbq3VDE4YMH3yqt4LWOeI20n
+ 6HWS2Ls0/D8yBxpr/UZ/Ex/bfpezX/S7oPGzGEByqAwK1x9AhFBeX2xhjFqVq21dn7PKUtOQVHK
+ vKqgtV4QkcN6g0WuIANOLoGBsZ/d435u5iQzB+BV4WBCfwVXcyLvn7yB3i7xBorRX/cEKCvc6Pe
+ NNG9Sov9+2A/o5zw4edgJsQr3ZRwDye9G6lYxVM/L/9YpOYfR0ZNjsXTC3+68veTdUQkz47Tgs5
+ u5pWeCO+QhaC7fWLQe1DK3IHdibAkhPwt+yT0KUFcfl+8nWyef3Lx0VK96m5ukOdaoILxdAYvgV
+ DW+R4WPcstBZ7V18IOIf8nwDx4Rq7j6APY4R2NdpNd1EvkiJV5faNOP6LZfhrsUCshoy+ftYysu
+ OejUsZPlAJ5v4ZykyjzviPibi3cnMtf5bchanIm9SF0TZVJsyiZgKJ/z28IkBwg4OUSAUU1+Bo0
+ YwRVRiN5p7Fl7yUv78ichXpMTiKLbyOLARfQLBItrajtcRUMfV434O6/I3Vd5EAUdRd/N4AGl+o
+ 7LSgBpBpaWz6MTw==
+X-Developer-Key: i=lee@kernel.org; a=openpgp;
+ fpr=76B6C935A3BE209A94F0874851AF8A2F87FC7761
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+block: Fix iterating over an empty bio with bio_for_each_folio_all
+
+If the bio contains no data, bio_first_folio() calls page_folio() on a
+NULL pointer and oopses. Move the test that we've reached the end of
+the bio from bio_next_folio() to bio_first_folio().
+
+[axboe: add unlikely() to error case]
+
+The Linux kernel CVE team has assigned CVE-2024-26632 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.17 with commit 640d1930bef4 and fixed in 6.1.75 with commit c6350b5cb78e
+ Issue introduced in 5.17 with commit 640d1930bef4 and fixed in 6.6.14 with commit a6bd8182137a
+ Issue introduced in 5.17 with commit 640d1930bef4 and fixed in 6.7.2 with commit ca3ede3f5893
+ Issue introduced in 5.17 with commit 640d1930bef4 and fixed in 6.8 with commit 7bed6f3d08b7
+
+Please see https://www.kernel.org or a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26632
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ include/linux/bio.h
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/c6350b5cb78e9024c49eaee6fdb914ad2903a5fe
+ https://git.kernel.org/stable/c/a6bd8182137a12d22d3f2cee463271bdcb491659
+ https://git.kernel.org/stable/c/ca3ede3f5893e2d26d4dbdef1eec28a8487fafde
+ https://git.kernel.org/stable/c/7bed6f3d08b7af27b7015da8dc3acf2b9c1f21d7
diff --git a/cve/published/2024/CVE-2024-26632.sha1 b/cve/published/2024/CVE-2024-26632.sha1
new file mode 100644
index 00000000..e2a4e43a
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26632.sha1
@@ -0,0 +1 @@
+7bed6f3d08b7af27b7015da8dc3acf2b9c1f21d7
diff --git a/cve/reserved/2024/CVE-2024-26633 b/cve/published/2024/CVE-2024-26633
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26633
+++ b/cve/published/2024/CVE-2024-26633
diff --git a/cve/published/2024/CVE-2024-26633.json b/cve/published/2024/CVE-2024-26633.json
new file mode 100644
index 00000000..7f72c525
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26633.json
@@ -0,0 +1,178 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim()\n\nsyzbot pointed out [1] that NEXTHDR_FRAGMENT handling is broken.\n\nReading frag_off can only be done if we pulled enough bytes\nto skb->head. Currently we might access garbage.\n\n[1]\nBUG: KMSAN: uninit-value in ip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0\nip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0\nipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline]\nip6_tnl_start_xmit+0xab2/0x1a70 net/ipv6/ip6_tunnel.c:1432\n__netdev_start_xmit include/linux/netdevice.h:4940 [inline]\nnetdev_start_xmit include/linux/netdevice.h:4954 [inline]\nxmit_one net/core/dev.c:3548 [inline]\ndev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564\n__dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349\ndev_queue_xmit include/linux/netdevice.h:3134 [inline]\nneigh_connected_output+0x569/0x660 net/core/neighbour.c:1592\nneigh_output include/net/neighbour.h:542 [inline]\nip6_finish_output2+0x23a9/0x2b30 net/ipv6/ip6_output.c:137\nip6_finish_output+0x855/0x12b0 net/ipv6/ip6_output.c:222\nNF_HOOK_COND include/linux/netfilter.h:303 [inline]\nip6_output+0x323/0x610 net/ipv6/ip6_output.c:243\ndst_output include/net/dst.h:451 [inline]\nip6_local_out+0xe9/0x140 net/ipv6/output_core.c:155\nip6_send_skb net/ipv6/ip6_output.c:1952 [inline]\nip6_push_pending_frames+0x1f9/0x560 net/ipv6/ip6_output.c:1972\nrawv6_push_pending_frames+0xbe8/0xdf0 net/ipv6/raw.c:582\nrawv6_sendmsg+0x2b66/0x2e70 net/ipv6/raw.c:920\ninet_sendmsg+0x105/0x190 net/ipv4/af_inet.c:847\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg net/socket.c:745 [inline]\n____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584\n___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n__sys_sendmsg net/socket.c:2667 [inline]\n__do_sys_sendmsg net/socket.c:2676 [inline]\n__se_sys_sendmsg net/socket.c:2674 [inline]\n__x64_sys_sendmsg+0x307/0x490 net/socket.c:2674\ndo_syscall_x64 arch/x86/entry/common.c:52 
[inline]\ndo_syscall_64+0x44/0x110 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nUninit was created at:\nslab_post_alloc_hook+0x129/0xa70 mm/slab.h:768\nslab_alloc_node mm/slub.c:3478 [inline]\n__kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517\n__do_kmalloc_node mm/slab_common.c:1006 [inline]\n__kmalloc_node_track_caller+0x118/0x3c0 mm/slab_common.c:1027\nkmalloc_reserve+0x249/0x4a0 net/core/skbuff.c:582\npskb_expand_head+0x226/0x1a00 net/core/skbuff.c:2098\n__pskb_pull_tail+0x13b/0x2310 net/core/skbuff.c:2655\npskb_may_pull_reason include/linux/skbuff.h:2673 [inline]\npskb_may_pull include/linux/skbuff.h:2681 [inline]\nip6_tnl_parse_tlv_enc_lim+0x901/0xbb0 net/ipv6/ip6_tunnel.c:408\nipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline]\nip6_tnl_start_xmit+0xab2/0x1a70 net/ipv6/ip6_tunnel.c:1432\n__netdev_start_xmit include/linux/netdevice.h:4940 [inline]\nnetdev_start_xmit include/linux/netdevice.h:4954 [inline]\nxmit_one net/core/dev.c:3548 [inline]\ndev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564\n__dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349\ndev_queue_xmit include/linux/netdevice.h:3134 [inline]\nneigh_connected_output+0x569/0x660 net/core/neighbour.c:1592\nneigh_output include/net/neighbour.h:542 [inline]\nip6_finish_output2+0x23a9/0x2b30 net/ipv6/ip6_output.c:137\nip6_finish_output+0x855/0x12b0 net/ipv6/ip6_output.c:222\nNF_HOOK_COND include/linux/netfilter.h:303 [inline]\nip6_output+0x323/0x610 net/ipv6/ip6_output.c:243\ndst_output include/net/dst.h:451 [inline]\nip6_local_out+0xe9/0x140 net/ipv6/output_core.c:155\nip6_send_skb net/ipv6/ip6_output.c:1952 [inline]\nip6_push_pending_frames+0x1f9/0x560 net/ipv6/ip6_output.c:1972\nrawv6_push_pending_frames+0xbe8/0xdf0 net/ipv6/raw.c:582\nrawv6_sendmsg+0x2b66/0x2e70 net/ipv6/raw.c:920\ninet_sendmsg+0x105/0x190 net/ipv4/af_inet.c:847\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg net/socket.c:745 [inline]\n____sys_sendmsg+0x9c2/0xd60 
net/socket.c:2584\n___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n__sys_sendmsg net/socket.c:2667 [inline]\n__do_sys_sendms\n---truncated---"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "fbfa743a9d2a",
+ "lessThan": "135414f300c5",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "fbfa743a9d2a",
+ "lessThan": "3f15ba3dc14e",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "fbfa743a9d2a",
+ "lessThan": "da23bd709b46",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "fbfa743a9d2a",
+ "lessThan": "4329426cf6b8",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "fbfa743a9d2a",
+ "lessThan": "62a1fedeb14c",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "fbfa743a9d2a",
+ "lessThan": "687c5d52fe53",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "fbfa743a9d2a",
+ "lessThan": "ba8d904c2742",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "fbfa743a9d2a",
+ "lessThan": "d375b98e0248",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "4.10",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "4.10",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.19.306",
+ "lessThanOrEqual": "4.19.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.268",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.209",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.148",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.75",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.14",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.2",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/135414f300c5db995e2a2f3bf0f455de9d014aee"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/3f15ba3dc14e6ee002ea01b4faddc3d49200377c"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/da23bd709b46168f7dfc36055801011222b076cd"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/4329426cf6b8e22b798db2331c7ef1dd2a9c748d"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/62a1fedeb14c7ac0947ef33fadbabd35ed2400a2"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/687c5d52fe53e602e76826dbd4d7af412747e183"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/ba8d904c274268b18ef3dc11d3ca7b24a96cb087"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/d375b98e0248980681e5e56b712026174d617198"
+ }
+ ],
+ "title": "ip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim()",
+ "x_generator": {
+ "engine": "bippy-8df59b4913de"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26633",
+ "requesterUserId": "lee@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26633.mbox b/cve/published/2024/CVE-2024-26633.mbox
new file mode 100644
index 00000000..39493454
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26633.mbox
@@ -0,0 +1,168 @@
+From bippy-8df59b4913de Mon Sep 17 00:00:00 2001
+From: Lee Jones <lee@kernel.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26633: ip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim()
+X-Developer-Signature: v=1; a=openpgp-sha256; l=7075; i=lee@kernel.org;
+ h=from:subject; bh=CXb2B+I96DjKSURtfamnAUE5cmIToa7QMn8Sj0wYpWc=;
+ b=owEBbQKS/ZANAwAKAVGvii+H/HdhAcsmYgBl+BJ/lnjdOwjBVvVJNIUW/McGPZtcTrPBHFLPp
+ zNQa1UzhL6JAjMEAAEKAB0WIQR2tsk1o74gmpTwh0hRr4ovh/x3YQUCZfgSfwAKCRBRr4ovh/x3
+ YSpfEACrr+eYczWyXN+JTQIqzW8V9bgFAighT3a5+Vb3QTKlGzW9+bq4D4IyDqoFU5ryDDI2f7+
+ UmyBvfHp7Z8n+NVG1v7XvjB60bAdjgFFvKedNh8N5x4Q5XT8vLDRz/ZChxsv40JnbgvdDJKyp3+
+ XDbhSTu+m8rFET6abDrqsyEeTUd6R8SPnkCDuk0xx7+WLuHRc/wUKyvKyGjbmt1hVSHLKLD2ieC
+ LJ3zqNDSBrt0nRTK+bM1rCAavvLJnruQT+EOtAqIRR6IY8Sg3L7v17lBVAgyf86GEK4eOWxMp2j
+ pNQX/YBeKFm1Z762tSqIYIwaRHHUrvzsrN8SRDz5/8LaGD3hrQfVepTj5YfkCiMiqLap5GuB4wt
+ 9xf6hQgZlo173Dlh5CTyAkdG5IIWy8klh0SLzUDuit4JUAFgV21wDM4mzolP3+RS6nZIJoA7HBm
+ WImhlII2UhKxErkMT6LMxD7zu2hr1H3/CXeb7U2BEN7tnqBKE/Qjn2dt2LxWdRH+hIvf2A9w4yx
+ sgkgyzocOZOqTg4R2qK4kpWtCifLNlY8nqufG0ljLeNQmgd++lOYRyrotN1aSp37KUqgrnwOTXr
+ MhWKWgIZt80YUgI/q3obpdxXhez8NZ5HrAA5y68hiWNmMu4auBRonaLGoAl1/851IvKLieTg5Q9
+ K3mpb5mhSxhJXrA==
+X-Developer-Key: i=lee@kernel.org; a=openpgp;
+ fpr=76B6C935A3BE209A94F0874851AF8A2F87FC7761
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+ip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim()
+
+syzbot pointed out [1] that NEXTHDR_FRAGMENT handling is broken.
+
+Reading frag_off can only be done if we pulled enough bytes
+to skb->head. Currently we might access garbage.
+
+[1]
+BUG: KMSAN: uninit-value in ip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0
+ip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0
+ipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline]
+ip6_tnl_start_xmit+0xab2/0x1a70 net/ipv6/ip6_tunnel.c:1432
+__netdev_start_xmit include/linux/netdevice.h:4940 [inline]
+netdev_start_xmit include/linux/netdevice.h:4954 [inline]
+xmit_one net/core/dev.c:3548 [inline]
+dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564
+__dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349
+dev_queue_xmit include/linux/netdevice.h:3134 [inline]
+neigh_connected_output+0x569/0x660 net/core/neighbour.c:1592
+neigh_output include/net/neighbour.h:542 [inline]
+ip6_finish_output2+0x23a9/0x2b30 net/ipv6/ip6_output.c:137
+ip6_finish_output+0x855/0x12b0 net/ipv6/ip6_output.c:222
+NF_HOOK_COND include/linux/netfilter.h:303 [inline]
+ip6_output+0x323/0x610 net/ipv6/ip6_output.c:243
+dst_output include/net/dst.h:451 [inline]
+ip6_local_out+0xe9/0x140 net/ipv6/output_core.c:155
+ip6_send_skb net/ipv6/ip6_output.c:1952 [inline]
+ip6_push_pending_frames+0x1f9/0x560 net/ipv6/ip6_output.c:1972
+rawv6_push_pending_frames+0xbe8/0xdf0 net/ipv6/raw.c:582
+rawv6_sendmsg+0x2b66/0x2e70 net/ipv6/raw.c:920
+inet_sendmsg+0x105/0x190 net/ipv4/af_inet.c:847
+sock_sendmsg_nosec net/socket.c:730 [inline]
+__sock_sendmsg net/socket.c:745 [inline]
+____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584
+___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
+__sys_sendmsg net/socket.c:2667 [inline]
+__do_sys_sendmsg net/socket.c:2676 [inline]
+__se_sys_sendmsg net/socket.c:2674 [inline]
+__x64_sys_sendmsg+0x307/0x490 net/socket.c:2674
+do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
+entry_SYSCALL_64_after_hwframe+0x63/0x6b
+
+Uninit was created at:
+slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768
+slab_alloc_node mm/slub.c:3478 [inline]
+__kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517
+__do_kmalloc_node mm/slab_common.c:1006 [inline]
+__kmalloc_node_track_caller+0x118/0x3c0 mm/slab_common.c:1027
+kmalloc_reserve+0x249/0x4a0 net/core/skbuff.c:582
+pskb_expand_head+0x226/0x1a00 net/core/skbuff.c:2098
+__pskb_pull_tail+0x13b/0x2310 net/core/skbuff.c:2655
+pskb_may_pull_reason include/linux/skbuff.h:2673 [inline]
+pskb_may_pull include/linux/skbuff.h:2681 [inline]
+ip6_tnl_parse_tlv_enc_lim+0x901/0xbb0 net/ipv6/ip6_tunnel.c:408
+ipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline]
+ip6_tnl_start_xmit+0xab2/0x1a70 net/ipv6/ip6_tunnel.c:1432
+__netdev_start_xmit include/linux/netdevice.h:4940 [inline]
+netdev_start_xmit include/linux/netdevice.h:4954 [inline]
+xmit_one net/core/dev.c:3548 [inline]
+dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564
+__dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349
+dev_queue_xmit include/linux/netdevice.h:3134 [inline]
+neigh_connected_output+0x569/0x660 net/core/neighbour.c:1592
+neigh_output include/net/neighbour.h:542 [inline]
+ip6_finish_output2+0x23a9/0x2b30 net/ipv6/ip6_output.c:137
+ip6_finish_output+0x855/0x12b0 net/ipv6/ip6_output.c:222
+NF_HOOK_COND include/linux/netfilter.h:303 [inline]
+ip6_output+0x323/0x610 net/ipv6/ip6_output.c:243
+dst_output include/net/dst.h:451 [inline]
+ip6_local_out+0xe9/0x140 net/ipv6/output_core.c:155
+ip6_send_skb net/ipv6/ip6_output.c:1952 [inline]
+ip6_push_pending_frames+0x1f9/0x560 net/ipv6/ip6_output.c:1972
+rawv6_push_pending_frames+0xbe8/0xdf0 net/ipv6/raw.c:582
+rawv6_sendmsg+0x2b66/0x2e70 net/ipv6/raw.c:920
+inet_sendmsg+0x105/0x190 net/ipv4/af_inet.c:847
+sock_sendmsg_nosec net/socket.c:730 [inline]
+__sock_sendmsg net/socket.c:745 [inline]
+____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584
+___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
+__sys_sendmsg net/socket.c:2667 [inline]
+__do_sys_sendmsg net/socket.c:2676 [inline]
+__se_sys_sendmsg net/socket.c:2674 [inline]
+__x64_sys_sendmsg+0x307/0x490 net/socket.c:2674
+do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
+entry_SYSCALL_64_after_hwframe+0x63/0x6b
+
+CPU: 0 PID: 7345 Comm: syz-executor.3 Not tainted 6.7.0-rc8-syzkaller-00024-gac865f00af29 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
+
+The Linux kernel CVE team has assigned CVE-2024-26633 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 4.10 with commit fbfa743a9d2a and fixed in 4.19.306 with commit 135414f300c5
+ Issue introduced in 4.10 with commit fbfa743a9d2a and fixed in 5.4.268 with commit 3f15ba3dc14e
+ Issue introduced in 4.10 with commit fbfa743a9d2a and fixed in 5.10.209 with commit da23bd709b46
+ Issue introduced in 4.10 with commit fbfa743a9d2a and fixed in 5.15.148 with commit 4329426cf6b8
+ Issue introduced in 4.10 with commit fbfa743a9d2a and fixed in 6.1.75 with commit 62a1fedeb14c
+ Issue introduced in 4.10 with commit fbfa743a9d2a and fixed in 6.6.14 with commit 687c5d52fe53
+ Issue introduced in 4.10 with commit fbfa743a9d2a and fixed in 6.7.2 with commit ba8d904c2742
+ Issue introduced in 4.10 with commit fbfa743a9d2a and fixed in 6.8 with commit d375b98e0248
+
+Please see https://www.kernel.org or a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26633
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ net/ipv6/ip6_tunnel.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/135414f300c5db995e2a2f3bf0f455de9d014aee
+ https://git.kernel.org/stable/c/3f15ba3dc14e6ee002ea01b4faddc3d49200377c
+ https://git.kernel.org/stable/c/da23bd709b46168f7dfc36055801011222b076cd
+ https://git.kernel.org/stable/c/4329426cf6b8e22b798db2331c7ef1dd2a9c748d
+ https://git.kernel.org/stable/c/62a1fedeb14c7ac0947ef33fadbabd35ed2400a2
+ https://git.kernel.org/stable/c/687c5d52fe53e602e76826dbd4d7af412747e183
+ https://git.kernel.org/stable/c/ba8d904c274268b18ef3dc11d3ca7b24a96cb087
+ https://git.kernel.org/stable/c/d375b98e0248980681e5e56b712026174d617198
diff --git a/cve/published/2024/CVE-2024-26633.sha1 b/cve/published/2024/CVE-2024-26633.sha1
new file mode 100644
index 00000000..ff48201e
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26633.sha1
@@ -0,0 +1 @@
+d375b98e0248980681e5e56b712026174d617198