authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>2024-04-17 11:44:17 +0200
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2024-04-17 11:44:17 +0200
commit9938eb2088b4fe570cf0623c43ddc19a838d6cb9 (patch)
tree327e576f13667f95f728cfbd2221efb1b5f7719d
parentf7823e8e69521307e17f95a9d23d2fcf0cc7366a (diff)
downloadvulns-9938eb2088b4fe570cf0623c43ddc19a838d6cb9.tar.gz
publish some more 6.7.6 assigned CVEs
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--cve/published/2023/CVE-2023-52642 (renamed from cve/reserved/2023/CVE-2023-52642)0
-rw-r--r--cve/published/2023/CVE-2023-52642.json138
-rw-r--r--cve/published/2023/CVE-2023-52642.mbox74
-rw-r--r--cve/published/2023/CVE-2023-52642.sha11
-rw-r--r--cve/published/2023/CVE-2023-52643 (renamed from cve/reserved/2023/CVE-2023-52643)0
-rw-r--r--cve/published/2023/CVE-2023-52643.json133
-rw-r--r--cve/published/2023/CVE-2023-52643.mbox72
-rw-r--r--cve/published/2023/CVE-2023-52643.sha11
-rw-r--r--cve/published/2024/CVE-2024-26818 (renamed from cve/reserved/2024/CVE-2024-26818)0
-rw-r--r--cve/published/2024/CVE-2024-26818.json103
-rw-r--r--cve/published/2024/CVE-2024-26818.mbox80
-rw-r--r--cve/published/2024/CVE-2024-26818.sha11
-rw-r--r--cve/published/2024/CVE-2024-26819 (renamed from cve/reserved/2024/CVE-2024-26819)0
-rw-r--r--cve/published/2024/CVE-2024-26819.json138
-rw-r--r--cve/published/2024/CVE-2024-26819.mbox78
-rw-r--r--cve/published/2024/CVE-2024-26819.sha11
-rw-r--r--cve/published/2024/CVE-2024-26820 (renamed from cve/reserved/2024/CVE-2024-26820)0
-rw-r--r--cve/published/2024/CVE-2024-26820.json178
-rw-r--r--cve/published/2024/CVE-2024-26820.mbox82
-rw-r--r--cve/published/2024/CVE-2024-26820.sha11
-rw-r--r--cve/published/2024/CVE-2024-26821 (renamed from cve/reserved/2024/CVE-2024-26821)0
-rw-r--r--cve/published/2024/CVE-2024-26821.json108
-rw-r--r--cve/published/2024/CVE-2024-26821.mbox84
-rw-r--r--cve/published/2024/CVE-2024-26821.sha11
-rw-r--r--cve/published/2024/CVE-2024-26822 (renamed from cve/reserved/2024/CVE-2024-26822)0
-rw-r--r--cve/published/2024/CVE-2024-26822.json103
-rw-r--r--cve/published/2024/CVE-2024-26822.mbox70
-rw-r--r--cve/published/2024/CVE-2024-26822.sha11
-rw-r--r--cve/published/2024/CVE-2024-26823 (renamed from cve/reserved/2024/CVE-2024-26823)0
-rw-r--r--cve/published/2024/CVE-2024-26823.json103
-rw-r--r--cve/published/2024/CVE-2024-26823.mbox72
-rw-r--r--cve/published/2024/CVE-2024-26823.sha11
-rw-r--r--cve/published/2024/CVE-2024-26824 (renamed from cve/reserved/2024/CVE-2024-26824)0
-rw-r--r--cve/published/2024/CVE-2024-26824.json103
-rw-r--r--cve/published/2024/CVE-2024-26824.mbox69
-rw-r--r--cve/published/2024/CVE-2024-26824.sha11
-rw-r--r--cve/published/2024/CVE-2024-26825 (renamed from cve/reserved/2024/CVE-2024-26825)0
-rw-r--r--cve/published/2024/CVE-2024-26825.json178
-rw-r--r--cve/published/2024/CVE-2024-26825.mbox86
-rw-r--r--cve/published/2024/CVE-2024-26825.sha11
-rw-r--r--cve/published/2024/CVE-2024-26826 (renamed from cve/reserved/2024/CVE-2024-26826)0
-rw-r--r--cve/published/2024/CVE-2024-26826.json133
-rw-r--r--cve/published/2024/CVE-2024-26826.mbox86
-rw-r--r--cve/published/2024/CVE-2024-26826.sha11
-rw-r--r--cve/published/2024/CVE-2024-26827 (renamed from cve/reserved/2024/CVE-2024-26827)0
-rw-r--r--cve/published/2024/CVE-2024-26827.json118
-rw-r--r--cve/published/2024/CVE-2024-26827.mbox104
-rw-r--r--cve/published/2024/CVE-2024-26827.sha11
-rw-r--r--cve/published/2024/CVE-2024-26828 (renamed from cve/reserved/2024/CVE-2024-26828)0
-rw-r--r--cve/published/2024/CVE-2024-26828.json118
-rw-r--r--cve/published/2024/CVE-2024-26828.mbox73
-rw-r--r--cve/published/2024/CVE-2024-26828.sha11
-rw-r--r--cve/published/2024/CVE-2024-26830 (renamed from cve/reserved/2024/CVE-2024-26830)0
-rw-r--r--cve/published/2024/CVE-2024-26830.json118
-rw-r--r--cve/published/2024/CVE-2024-26830.mbox92
-rw-r--r--cve/published/2024/CVE-2024-26830.sha11
-rw-r--r--cve/published/2024/CVE-2024-26831 (renamed from cve/reserved/2024/CVE-2024-26831)0
-rw-r--r--cve/published/2024/CVE-2024-26831.json103
-rw-r--r--cve/published/2024/CVE-2024-26831.mbox87
-rw-r--r--cve/published/2024/CVE-2024-26831.sha11
60 files changed, 3099 insertions, 0 deletions
diff --git a/cve/reserved/2023/CVE-2023-52642 b/cve/published/2023/CVE-2023-52642
index e69de29b..e69de29b 100644
--- a/cve/reserved/2023/CVE-2023-52642
+++ b/cve/published/2023/CVE-2023-52642
diff --git a/cve/published/2023/CVE-2023-52642.json b/cve/published/2023/CVE-2023-52642.json
new file mode 100644
index 00000000..bae26b3b
--- /dev/null
+++ b/cve/published/2023/CVE-2023-52642.json
@@ -0,0 +1,138 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: rc: bpf attach/detach requires write permission\n\nNote that bpf attach/detach also requires CAP_NET_ADMIN."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "93d8109bf182",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "d98210108e7b",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "9f6087851ec6",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "93136132d1b5",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "caf2da1d4562",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "6a9d552483d5",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.10.210",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.149",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.79",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.18",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.6",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/93d8109bf182510629bbefc8cd45296d2393987f"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/d98210108e7b2ff64b332b0a3541c8ad6a0617b0"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/9f6087851ec6dce5b15f694aeaf3e8ec8243224e"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/93136132d1b5792bf44151e3494ae3691cd738e8"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/caf2da1d4562de4e35eedec0be2b7f1ee25d83be"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/6a9d552483d50953320b9d3b57abdee8d436f23f"
+ }
+ ],
+ "title": "media: rc: bpf attach/detach requires write permission",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2023-52642",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
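Review bot: Every git range in the first `affected` entry starts at `1da177e4c3f4`, and the second entry has no "unaffected before release X" line, so the record marks all kernel history before each fix as affected. The .mbox for this CVE shows only "Fixed in" lines, which suggests no introducing commit was identified. If one can be found, I would use it as `"version"` in each git range and add an entry of the form `{"version": "0", "lessThan": "<introducing release>", "status": "unaffected", "versionType": "custom"}`, as CVE-2023-52643.json does for 5.13. That keeps version-matching scanners from flagging kernels that predate the affected code. CVE-2024-26819.json has the same open-ended lower bound.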
diff --git a/cve/published/2023/CVE-2023-52642.mbox b/cve/published/2023/CVE-2023-52642.mbox
new file mode 100644
index 00000000..c62422d7
--- /dev/null
+++ b/cve/published/2023/CVE-2023-52642.mbox
@@ -0,0 +1,74 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2023-52642: media: rc: bpf attach/detach requires write permission
+Message-Id: <2024041758-CVE-2023-52642-3261@gregkh>
+Content-Length: 2081
+Lines: 57
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2139;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=6JwRcB/ov4Bv7FSUOnFWHQWxIMaeeLawXNC4Bh1mN1U=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGnyM+/lPPVxYGtfM+Xk6v2MFzMWn/H+t5Pf4uQeu/3X/
+ 0sc8bgc3xHLwiDIxCArpsjyZRvP0f0VhxS9DG1Pw8xhZQIZwsDFKQAT8VBkWDDr+eZ3l26wWnZH
+ 2N2YaSV8sXaNSyvD/DzJmh4tFy2OHaeCJBd3+sVOn/nAAAA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+media: rc: bpf attach/detach requires write permission
+
+Note that bpf attach/detach also requires CAP_NET_ADMIN.
+
+The Linux kernel CVE team has assigned CVE-2023-52642 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 5.10.210 with commit 93d8109bf182
+ Fixed in 5.15.149 with commit d98210108e7b
+ Fixed in 6.1.79 with commit 9f6087851ec6
+ Fixed in 6.6.18 with commit 93136132d1b5
+ Fixed in 6.7.6 with commit caf2da1d4562
+ Fixed in 6.8 with commit 6a9d552483d5
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2023-52642
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/media/rc/bpf-lirc.c
+ drivers/media/rc/lirc_dev.c
+ drivers/media/rc/rc-core-priv.h
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/93d8109bf182510629bbefc8cd45296d2393987f
+ https://git.kernel.org/stable/c/d98210108e7b2ff64b332b0a3541c8ad6a0617b0
+ https://git.kernel.org/stable/c/9f6087851ec6dce5b15f694aeaf3e8ec8243224e
+ https://git.kernel.org/stable/c/93136132d1b5792bf44151e3494ae3691cd738e8
+ https://git.kernel.org/stable/c/caf2da1d4562de4e35eedec0be2b7f1ee25d83be
+ https://git.kernel.org/stable/c/6a9d552483d50953320b9d3b57abdee8d436f23f
diff --git a/cve/published/2023/CVE-2023-52642.sha1 b/cve/published/2023/CVE-2023-52642.sha1
new file mode 100644
index 00000000..3c7c3a61
--- /dev/null
+++ b/cve/published/2023/CVE-2023-52642.sha1
@@ -0,0 +1 @@
+6a9d552483d50953320b9d3b57abdee8d436f23f
diff --git a/cve/reserved/2023/CVE-2023-52643 b/cve/published/2023/CVE-2023-52643
index e69de29b..e69de29b 100644
--- a/cve/reserved/2023/CVE-2023-52643
+++ b/cve/published/2023/CVE-2023-52643
diff --git a/cve/published/2023/CVE-2023-52643.json b/cve/published/2023/CVE-2023-52643.json
new file mode 100644
index 00000000..c7d7da5c
--- /dev/null
+++ b/cve/published/2023/CVE-2023-52643.json
@@ -0,0 +1,133 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: core: fix memleak in iio_device_register_sysfs\n\nWhen iio_device_register_sysfs_group() fails, we should\nfree iio_dev_opaque->chan_attr_group.attrs to prevent\npotential memleak."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "32f171724e5c",
+ "lessThan": "1c6d19c8cbf6",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "32f171724e5c",
+ "lessThan": "359f220d0e75",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "32f171724e5c",
+ "lessThan": "b90126c86d83",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "32f171724e5c",
+ "lessThan": "3db312e06851",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "32f171724e5c",
+ "lessThan": "95a0d596bbd0",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.13",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.13",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.149",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.79",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.18",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.6",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/1c6d19c8cbf6abcea2c8fca2db26abca2cbf0363"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/359f220d0e753bba840eac19ffedcdc816b532f2"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/b90126c86d83912688501826643ea698f0df1728"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/3db312e06851996e7fb27cb5a8ccab4c0f9cdb93"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/95a0d596bbd0552a78e13ced43f2be1038883c81"
+ }
+ ],
+ "title": "iio: core: fix memleak in iio_device_register_sysfs",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2023-52643",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2023/CVE-2023-52643.mbox b/cve/published/2023/CVE-2023-52643.mbox
new file mode 100644
index 00000000..e0786ca3
--- /dev/null
+++ b/cve/published/2023/CVE-2023-52643.mbox
@@ -0,0 +1,72 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2023-52643: iio: core: fix memleak in iio_device_register_sysfs
+Message-Id: <2024041701-CVE-2023-52643-8834@gregkh>
+Content-Length: 2244
+Lines: 55
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2300;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=LTZAOBG0xB+bCEe2/YSY4NgBz0IkbP4ksHnAK+zbwnE=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGnyMx/azWCce6l82u6S2caOryebq9iYx80uu9t/MzC38
+ GlsyPM3HbEsDIJMDLJiiixftvEc3V9xSNHL0PY0zBxWJpAhDFycAjCRdakM81Q/dPpffbfgZ6fi
+ LZlZlzNZwxTtTzAsmHm81b3i5y0f1h3JR5/9favukGGrBgA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+iio: core: fix memleak in iio_device_register_sysfs
+
+When iio_device_register_sysfs_group() fails, we should
+free iio_dev_opaque->chan_attr_group.attrs to prevent
+potential memleak.
+
+The Linux kernel CVE team has assigned CVE-2023-52643 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.13 with commit 32f171724e5c and fixed in 5.15.149 with commit 1c6d19c8cbf6
+ Issue introduced in 5.13 with commit 32f171724e5c and fixed in 6.1.79 with commit 359f220d0e75
+ Issue introduced in 5.13 with commit 32f171724e5c and fixed in 6.6.18 with commit b90126c86d83
+ Issue introduced in 5.13 with commit 32f171724e5c and fixed in 6.7.6 with commit 3db312e06851
+ Issue introduced in 5.13 with commit 32f171724e5c and fixed in 6.8 with commit 95a0d596bbd0
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2023-52643
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/iio/industrialio-core.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/1c6d19c8cbf6abcea2c8fca2db26abca2cbf0363
+ https://git.kernel.org/stable/c/359f220d0e753bba840eac19ffedcdc816b532f2
+ https://git.kernel.org/stable/c/b90126c86d83912688501826643ea698f0df1728
+ https://git.kernel.org/stable/c/3db312e06851996e7fb27cb5a8ccab4c0f9cdb93
+ https://git.kernel.org/stable/c/95a0d596bbd0552a78e13ced43f2be1038883c81
diff --git a/cve/published/2023/CVE-2023-52643.sha1 b/cve/published/2023/CVE-2023-52643.sha1
new file mode 100644
index 00000000..65e9515c
--- /dev/null
+++ b/cve/published/2023/CVE-2023-52643.sha1
@@ -0,0 +1 @@
+95a0d596bbd0552a78e13ced43f2be1038883c81
diff --git a/cve/reserved/2024/CVE-2024-26818 b/cve/published/2024/CVE-2024-26818
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26818
+++ b/cve/published/2024/CVE-2024-26818
diff --git a/cve/published/2024/CVE-2024-26818.json b/cve/published/2024/CVE-2024-26818.json
new file mode 100644
index 00000000..c1f35486
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26818.json
@@ -0,0 +1,103 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntools/rtla: Fix clang warning about mount_point var size\n\nclang is reporting this warning:\n\n$ make HOSTCC=clang CC=clang LLVM_IAS=1\n[...]\nclang -O -g -DVERSION=\\\"6.8.0-rc3\\\" -flto=auto -fexceptions\n\t-fstack-protector-strong -fasynchronous-unwind-tables\n\t-fstack-clash-protection -Wall -Werror=format-security\n\t-Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS\n\t$(pkg-config --cflags libtracefs) -c -o src/utils.o src/utils.c\n\nsrc/utils.c:548:66: warning: 'fscanf' may overflow; destination buffer in argument 3 has size 1024, but the corresponding specifier may require size 1025 [-Wfortify-source]\n 548 | while (fscanf(fp, \"%*s %\" STR(MAX_PATH) \"s %99s %*s %*d %*d\\n\", mount_point, type) == 2) {\n | ^\n\nIncrease mount_point variable size to MAX_PATH+1 to avoid the overflow."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "a957cbc02531",
+ "lessThan": "8a585914c266",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "a957cbc02531",
+ "lessThan": "6bdd43f62ab3",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "a957cbc02531",
+ "lessThan": "30369084ac6e",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.5",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "6.5",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.18",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.6",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/8a585914c266dc044f53b5c83c170f79b45fcf9a"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/6bdd43f62ab3bb5a306af7f0ab857af45777f5a8"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/30369084ac6e27479a347899e74f523e6ca29b89"
+ }
+ ],
+ "title": "tools/rtla: Fix clang warning about mount_point var size",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26818",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
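Review bot: Both `affected` entries key purely on kernel versions under `"product": "Linux"`, but the .mbox lists `tools/tracing/rtla/src/utils.c` as the only affected file, and that is a tool built from the kernel tree rather than kernel code. A consumer matching on the running kernel version will therefore flag hosts that never built or installed rtla. I would add `"programFiles": ["tools/tracing/rtla/src/utils.c"]` to both entries so triage can scope the finding to the tool. The description would also be easier to assess if it stated the impact in one sentence instead of only quoting the compiler warning.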
diff --git a/cve/published/2024/CVE-2024-26818.mbox b/cve/published/2024/CVE-2024-26818.mbox
new file mode 100644
index 00000000..71d6a5ea
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26818.mbox
@@ -0,0 +1,80 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26818: tools/rtla: Fix clang warning about mount_point var size
+Message-Id: <2024041701-CVE-2024-26818-d65b@gregkh>
+Content-Length: 2581
+Lines: 63
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2645;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=fsektVLs2ifRoVdIa3STjoIAJmY5sseOrE/RNVlfXzw=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGnyMx9u68q49nzDyeq/WzdmNj+Y++uk7frrk67/PJ7Ap
+ Xv/7rTjDR2xLAyCTAyyYoosX7bxHN1fcUjRy9D2NMwcViaQIQxcnAIwkerVDHM4f745EXc+rvut
+ eMD6mVdLJ/P0WVczzI+238x7WFmQX95TZoLLNDWd916/3gIA
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+tools/rtla: Fix clang warning about mount_point var size
+
+clang is reporting this warning:
+
+$ make HOSTCC=clang CC=clang LLVM_IAS=1
+[...]
+clang -O -g -DVERSION=\"6.8.0-rc3\" -flto=auto -fexceptions
+ -fstack-protector-strong -fasynchronous-unwind-tables
+ -fstack-clash-protection -Wall -Werror=format-security
+ -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS
+ $(pkg-config --cflags libtracefs) -c -o src/utils.o src/utils.c
+
+src/utils.c:548:66: warning: 'fscanf' may overflow; destination buffer in argument 3 has size 1024, but the corresponding specifier may require size 1025 [-Wfortify-source]
+ 548 | while (fscanf(fp, "%*s %" STR(MAX_PATH) "s %99s %*s %*d %*d\n", mount_point, type) == 2) {
+ | ^
+
+Increase mount_point variable size to MAX_PATH+1 to avoid the overflow.
+
+The Linux kernel CVE team has assigned CVE-2024-26818 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 6.5 with commit a957cbc02531 and fixed in 6.6.18 with commit 8a585914c266
+ Issue introduced in 6.5 with commit a957cbc02531 and fixed in 6.7.6 with commit 6bdd43f62ab3
+ Issue introduced in 6.5 with commit a957cbc02531 and fixed in 6.8 with commit 30369084ac6e
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26818
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ tools/tracing/rtla/src/utils.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/8a585914c266dc044f53b5c83c170f79b45fcf9a
+ https://git.kernel.org/stable/c/6bdd43f62ab3bb5a306af7f0ab857af45777f5a8
+ https://git.kernel.org/stable/c/30369084ac6e27479a347899e74f523e6ca29b89
diff --git a/cve/published/2024/CVE-2024-26818.sha1 b/cve/published/2024/CVE-2024-26818.sha1
new file mode 100644
index 00000000..214ddad0
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26818.sha1
@@ -0,0 +1 @@
+30369084ac6e27479a347899e74f523e6ca29b89
diff --git a/cve/reserved/2024/CVE-2024-26819 b/cve/published/2024/CVE-2024-26819
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26819
+++ b/cve/published/2024/CVE-2024-26819
diff --git a/cve/published/2024/CVE-2024-26819.json b/cve/published/2024/CVE-2024-26819.json
new file mode 100644
index 00000000..d3499e49
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26819.json
@@ -0,0 +1,138 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm: limit the number of targets and parameter size area\n\nThe kvmalloc function fails with a warning if the size is larger than\nINT_MAX. The warning was triggered by a syscall testing robot.\n\nIn order to avoid the warning, this commit limits the number of targets to\n1048576 and the size of the parameter area to 1073741824."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "a891a0621e72",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "888a0a46b80f",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "c5d83ac2bf6c",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "438d19492b7f",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "cd70175481f6",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "bd504bcfec41",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.10.210",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.149",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.79",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.18",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.6",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/a891a0621e725e85529985139cada8cb5a74a116"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/888a0a46b80fa37eacfe81faf47ba0b83876251d"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/c5d83ac2bf6ca668a39ffb1a576899a66153ba19"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/438d19492b7f002334573bae43276297eb234c80"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/cd70175481f63af31901dd463e44386f033c3f4c"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/bd504bcfec41a503b32054da5472904b404341a4"
+ }
+ ],
+ "title": "dm: limit the number of targets and parameter size area",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26819",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26819.mbox b/cve/published/2024/CVE-2024-26819.mbox
new file mode 100644
index 00000000..4e27e3f3
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26819.mbox
@@ -0,0 +1,78 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26819: dm: limit the number of targets and parameter size area
+Message-Id: <2024041701-CVE-2024-26819-1731@gregkh>
+Content-Length: 2269
+Lines: 61
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2331;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=Jx74CqlEp6bgoBDfMt1R24GQwHqwVQMGDx6JBp7wdD4=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGnyMx+2qrqU6NkbqLd3bdNTWB1/K0Aj5lZIrnytzDdRh
+ hWsTwM7YlkYBJkYZMUUWb5s4zm6v+KQopeh7WmYOaxMIEMYuDgF4CLVDAumRR/a0rFfsnvx/Umc
+ Fud39ja/qTNlmF+ZybvXMzL4Ru/Zh/a/HpiEF1+M0wAA
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+dm: limit the number of targets and parameter size area
+
+The kvmalloc function fails with a warning if the size is larger than
+INT_MAX. The warning was triggered by a syscall testing robot.
+
+In order to avoid the warning, this commit limits the number of targets to
+1048576 and the size of the parameter area to 1073741824.
+
+The Linux kernel CVE team has assigned CVE-2024-26819 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 5.10.210 with commit a891a0621e72
+ Fixed in 5.15.149 with commit 888a0a46b80f
+ Fixed in 6.1.79 with commit c5d83ac2bf6c
+ Fixed in 6.6.18 with commit 438d19492b7f
+ Fixed in 6.7.6 with commit cd70175481f6
+ Fixed in 6.8 with commit bd504bcfec41
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26819
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/md/dm-core.h
+ drivers/md/dm-ioctl.c
+ drivers/md/dm-table.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/a891a0621e725e85529985139cada8cb5a74a116
+ https://git.kernel.org/stable/c/888a0a46b80fa37eacfe81faf47ba0b83876251d
+ https://git.kernel.org/stable/c/c5d83ac2bf6ca668a39ffb1a576899a66153ba19
+ https://git.kernel.org/stable/c/438d19492b7f002334573bae43276297eb234c80
+ https://git.kernel.org/stable/c/cd70175481f63af31901dd463e44386f033c3f4c
+ https://git.kernel.org/stable/c/bd504bcfec41a503b32054da5472904b404341a4
diff --git a/cve/published/2024/CVE-2024-26819.sha1 b/cve/published/2024/CVE-2024-26819.sha1
new file mode 100644
index 00000000..1e77ac91
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26819.sha1
@@ -0,0 +1 @@
+bd504bcfec41a503b32054da5472904b404341a4
diff --git a/cve/reserved/2024/CVE-2024-26820 b/cve/published/2024/CVE-2024-26820
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26820
+++ b/cve/published/2024/CVE-2024-26820
diff --git a/cve/published/2024/CVE-2024-26820.json b/cve/published/2024/CVE-2024-26820.json
new file mode 100644
index 00000000..096db57a
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26820.json
@@ -0,0 +1,178 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhv_netvsc: Register VF in netvsc_probe if NET_DEVICE_REGISTER missed\n\nIf hv_netvsc driver is unloaded and reloaded, the NET_DEVICE_REGISTER\nhandler cannot perform VF register successfully as the register call\nis received before netvsc_probe is finished. This is because we\nregister register_netdevice_notifier() very early( even before\nvmbus_driver_register()).\nTo fix this, we try to register each such matching VF( if it is visible\nas a netdevice) at the end of netvsc_probe."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "028aa21f9e92",
+ "lessThan": "bcb7164258d0",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "997d895fa495",
+ "lessThan": "c7441c77c91e",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "ff6c130e48a7",
+ "lessThan": "5b10a88f64c0",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "97683466e24c",
+ "lessThan": "b6d46f306b39",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "5dd83db613be",
+ "lessThan": "309ef7de5d84",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "7350c460f7f4",
+ "lessThan": "a71302c86389",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "85520856466e",
+ "lessThan": "4d29a58d96a7",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "85520856466e",
+ "lessThan": "9cae43da9867",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.7",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "6.7",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.19.310",
+ "lessThanOrEqual": "4.19.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.272",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.213",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.152",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.79",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.18",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.6",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/bcb7164258d0a9a8aa2e73ddccc2d78f67d2519d"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/c7441c77c91e47f653104be8353b44a3366a5366"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/5b10a88f64c0315cfdef45de0aaaa4eef57de0b7"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/b6d46f306b3964d05055ddaa96b58cd8bd3a472c"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/309ef7de5d840e17607e7d65cbf297c0564433ef"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/a71302c8638939c45e4ba5a99ea438185fd3f418"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/4d29a58d96a78728cb01ee29ed70dc4bd642f135"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/9cae43da9867412f8bd09aee5c8a8dc5e8dc3dc2"
+ }
+ ],
+ "title": "hv_netvsc: Register VF in netvsc_probe if NET_DEVICE_REGISTER missed",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26820",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
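Review bot: The release-number block marks every kernel below 6.7 as unaffected (`"version": "0", "lessThan": "6.7", "status": "unaffected"`), which contradicts the git ranges in this same record and the announcement text, where the bug arrives through stable backports in 4.19.301, 5.4.263, 5.10.203, 5.15.141, 6.1.65 and 6.6.4. A scanner that matches on release numbers rather than commit ids would therefore report, for example, 5.15.141 through 5.15.151 as clean. The catch-all entry should give way to one bounded entry per stable branch, such as `{"version": "5.15.141", "lessThan": "5.15.152", "status": "affected", "versionType": "custom"}`, with only the releases before each backport left unaffected. CVE-2024-26822.json has the same catch-all (`"lessThan": "6.2"`) although its announcement lists introductions in 5.15.124 and 6.1.54.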
diff --git a/cve/published/2024/CVE-2024-26820.mbox b/cve/published/2024/CVE-2024-26820.mbox
new file mode 100644
index 00000000..f7b36bb0
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26820.mbox
@@ -0,0 +1,82 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26820: hv_netvsc: Register VF in netvsc_probe if NET_DEVICE_REGISTER missed
+Message-Id: <2024041701-CVE-2024-26820-fc5a@gregkh>
+Content-Length: 3071
+Lines: 65
+X-Developer-Signature: v=1; a=openpgp-sha256; l=3137;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=mlxrHBtZ8AZR0r0hmRq8DzAMNEn6wM3JwoVBxghvF/U=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGnyMx+WebNU7igwOWfu4rIhLOgmj8TXwtIgnS1K82cyK
+ yXILhLsiGVhEGRikBVTZPmyjefo/opDil6Gtqdh5rAygQxh4OIUgIm0bGOYp5bAwJv12muulF5d
+ 74NV87WvL/hRyrBgqbDLZ7X/XC6fC/dp7ikXXig+8WU+AA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+hv_netvsc: Register VF in netvsc_probe if NET_DEVICE_REGISTER missed
+
+If hv_netvsc driver is unloaded and reloaded, the NET_DEVICE_REGISTER
+handler cannot perform VF register successfully as the register call
+is received before netvsc_probe is finished. This is because we
+register register_netdevice_notifier() very early( even before
+vmbus_driver_register()).
+To fix this, we try to register each such matching VF( if it is visible
+as a netdevice) at the end of netvsc_probe.
+
+The Linux kernel CVE team has assigned CVE-2024-26820 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 4.19.301 with commit 028aa21f9e92 and fixed in 4.19.310 with commit bcb7164258d0
+ Issue introduced in 5.4.263 with commit 997d895fa495 and fixed in 5.4.272 with commit c7441c77c91e
+ Issue introduced in 5.10.203 with commit ff6c130e48a7 and fixed in 5.10.213 with commit 5b10a88f64c0
+ Issue introduced in 5.15.141 with commit 97683466e24c and fixed in 5.15.152 with commit b6d46f306b39
+ Issue introduced in 6.1.65 with commit 5dd83db613be and fixed in 6.1.79 with commit 309ef7de5d84
+ Issue introduced in 6.6.4 with commit 7350c460f7f4 and fixed in 6.6.18 with commit a71302c86389
+ Issue introduced in 6.7 with commit 85520856466e and fixed in 6.7.6 with commit 4d29a58d96a7
+ Issue introduced in 6.7 with commit 85520856466e and fixed in 6.8 with commit 9cae43da9867
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26820
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/net/hyperv/netvsc_drv.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/bcb7164258d0a9a8aa2e73ddccc2d78f67d2519d
+ https://git.kernel.org/stable/c/c7441c77c91e47f653104be8353b44a3366a5366
+ https://git.kernel.org/stable/c/5b10a88f64c0315cfdef45de0aaaa4eef57de0b7
+ https://git.kernel.org/stable/c/b6d46f306b3964d05055ddaa96b58cd8bd3a472c
+ https://git.kernel.org/stable/c/309ef7de5d840e17607e7d65cbf297c0564433ef
+ https://git.kernel.org/stable/c/a71302c8638939c45e4ba5a99ea438185fd3f418
+ https://git.kernel.org/stable/c/4d29a58d96a78728cb01ee29ed70dc4bd642f135
+ https://git.kernel.org/stable/c/9cae43da9867412f8bd09aee5c8a8dc5e8dc3dc2
diff --git a/cve/published/2024/CVE-2024-26820.sha1 b/cve/published/2024/CVE-2024-26820.sha1
new file mode 100644
index 00000000..82987438
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26820.sha1
@@ -0,0 +1 @@
+9cae43da9867412f8bd09aee5c8a8dc5e8dc3dc2
diff --git a/cve/reserved/2024/CVE-2024-26821 b/cve/published/2024/CVE-2024-26821
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26821
+++ b/cve/published/2024/CVE-2024-26821
diff --git a/cve/published/2024/CVE-2024-26821.json b/cve/published/2024/CVE-2024-26821.json
new file mode 100644
index 00000000..fe67000e
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26821.json
@@ -0,0 +1,108 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: relax mount_setattr() permission checks\n\nWhen we added mount_setattr() I added additional checks compared to the\nlegacy do_reconfigure_mnt() and do_change_type() helpers used by regular\nmount(2). If that mount had a parent then verify that the caller and the\nmount namespace the mount is attached to match and if not make sure that\nit's an anonymous mount.\n\nThe real rootfs falls into neither category. It is neither an anoymous\nmount because it is obviously attached to the initial mount namespace\nbut it also obviously doesn't have a parent mount. So that means legacy\nmount(2) allows changing mount properties on the real rootfs but\nmount_setattr(2) blocks this. I never thought much about this but of\ncourse someone on this planet of earth changes properties on the real\nrootfs as can be seen in [1].\n\nSince util-linux finally switched to the new mount api in 2.39 not so\nlong ago it also relies on mount_setattr() and that surfaced this issue\nwhen Fedora 39 finally switched to it. Fix this."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "95de4ad173ca",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "31f71f2d7a08",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "2a7a31e1fb97",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "46f5ab762d04",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.1.79",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.18",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.6",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/95de4ad173ca0e61034f3145d66917970961c210"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/31f71f2d7a081fc6c6bdf06865beedf6db5b0ca4"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/2a7a31e1fb9717845d9d5e2a8c6e48848147801e"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/46f5ab762d048dad224436978315cbc2fa79c630"
+ }
+ ],
+ "title": "fs: relax mount_setattr() permission checks",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26821",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
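Review bot: All four git ranges start at `1da177e4c3f4`, the first commit in the kernel's git history, and the release block has `"defaultStatus": "affected"` with no lower bound, so the record claims every kernel before 6.1.79 is affected. The description says the stricter check was added together with mount_setattr(), so kernels that predate that syscall presumably cannot hit the problem. Recording the commit that added the check as the `"version"` of each git range, plus a matching `"status": "unaffected"` entry for releases older than it, would stop tools flagging kernels that lack the code. The description also cites `[1]`, but `references` holds only the four fix commits, so that link is lost to readers of the CVE entry.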
diff --git a/cve/published/2024/CVE-2024-26821.mbox b/cve/published/2024/CVE-2024-26821.mbox
new file mode 100644
index 00000000..1ec2c1f5
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26821.mbox
@@ -0,0 +1,84 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26821: fs: relax mount_setattr() permission checks
+Message-Id: <2024041702-CVE-2024-26821-de6b@gregkh>
+Content-Length: 2658
+Lines: 67
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2726;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=eDRjQdhAbLE6BqN1Ud/CgR+Kdu9mwTXnPdJoS2CdeO8=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGnyMx+xJnxf2q/R6Ht/Q4nGphWbm2R3f/UxeJZ6t//+3
+ z9yPDN6O2JZGASZGGTFFFm+bOM5ur/ikKKXoe1pmDmsTCBDGLg4BWAix40YFmy8dHJH2bP2TgWu
+ q8u33jp3SpHnrCHD/NrW1tWXPcTfz9cN2Lnx1SWli1OUmQA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+fs: relax mount_setattr() permission checks
+
+When we added mount_setattr() I added additional checks compared to the
+legacy do_reconfigure_mnt() and do_change_type() helpers used by regular
+mount(2). If that mount had a parent then verify that the caller and the
+mount namespace the mount is attached to match and if not make sure that
+it's an anonymous mount.
+
+The real rootfs falls into neither category. It is neither an anoymous
+mount because it is obviously attached to the initial mount namespace
+but it also obviously doesn't have a parent mount. So that means legacy
+mount(2) allows changing mount properties on the real rootfs but
+mount_setattr(2) blocks this. I never thought much about this but of
+course someone on this planet of earth changes properties on the real
+rootfs as can be seen in [1].
+
+Since util-linux finally switched to the new mount api in 2.39 not so
+long ago it also relies on mount_setattr() and that surfaced this issue
+when Fedora 39 finally switched to it. Fix this.
+
+The Linux kernel CVE team has assigned CVE-2024-26821 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 6.1.79 with commit 95de4ad173ca
+ Fixed in 6.6.18 with commit 31f71f2d7a08
+ Fixed in 6.7.6 with commit 2a7a31e1fb97
+ Fixed in 6.8 with commit 46f5ab762d04
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26821
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ fs/namespace.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/95de4ad173ca0e61034f3145d66917970961c210
+ https://git.kernel.org/stable/c/31f71f2d7a081fc6c6bdf06865beedf6db5b0ca4
+ https://git.kernel.org/stable/c/2a7a31e1fb9717845d9d5e2a8c6e48848147801e
+ https://git.kernel.org/stable/c/46f5ab762d048dad224436978315cbc2fa79c630
diff --git a/cve/published/2024/CVE-2024-26821.sha1 b/cve/published/2024/CVE-2024-26821.sha1
new file mode 100644
index 00000000..e6949660
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26821.sha1
@@ -0,0 +1 @@
+46f5ab762d048dad224436978315cbc2fa79c630
diff --git a/cve/reserved/2024/CVE-2024-26822 b/cve/published/2024/CVE-2024-26822
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26822
+++ b/cve/published/2024/CVE-2024-26822
diff --git a/cve/published/2024/CVE-2024-26822.json b/cve/published/2024/CVE-2024-26822.json
new file mode 100644
index 00000000..0e3a6b39
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26822.json
@@ -0,0 +1,103 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: set correct id, uid and cruid for multiuser automounts\n\nWhen uid, gid and cruid are not specified, we need to dynamically\nset them into the filesystem context used for automounting otherwise\nthey'll end up reusing the values from the parent mount."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "9fd29a5bae6e",
+ "lessThan": "c2aa2718cda2",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "9fd29a5bae6e",
+ "lessThan": "7590ba9057c6",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "9fd29a5bae6e",
+ "lessThan": "4508ec173570",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.2",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "6.2",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.18",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.6",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/c2aa2718cda2d56b4a551cb40043e9abc9684626"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/7590ba9057c6d74c66f3b909a383ec47cd2f27fb"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/4508ec17357094e2075f334948393ddedbb75157"
+ }
+ ],
+ "title": "smb: client: set correct id, uid and cruid for multiuser automounts",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26822",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
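Review bot: The git `versions` list has three ranges, all starting at `9fd29a5bae6e`, but the announcement for this CVE also lists the issue as introduced in 5.15.124 by `c8117ac42303` and in 6.1.54 by `60e3318e3e90`, with no fixing commit named for either branch. Neither backport has an entry here, so a consumer of the JSON cannot learn that the 5.15 and 6.1 stable series carry the bug and, as far as this page shows, no fix. Each of the two commits needs its own `"status": "affected"` git entry, left open-ended until a fix is backported, and the release block needs matching affected ranges for 5.15.124 and 6.1.54 onwards.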
diff --git a/cve/published/2024/CVE-2024-26822.mbox b/cve/published/2024/CVE-2024-26822.mbox
new file mode 100644
index 00000000..8604f3a9
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26822.mbox
@@ -0,0 +1,70 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26822: smb: client: set correct id, uid and cruid for multiuser automounts
+Message-Id: <2024041702-CVE-2024-26822-04b5@gregkh>
+Content-Length: 2080
+Lines: 53
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2134;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=9t5CpIJNBcZ/PI04lcgcI2Z9v3b34ZDgaXS8LD9CEVM=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGnyMx/NKNnhyn6N7WTOESeLG0I3ttypfZy+J7g9O6Dvv
+ 8KbuRNcO2JZGASZGGTFFFm+bOM5ur/ikKKXoe1pmDmsTCBDGLg4BWAibx8zzLO0kroiaGh6bNa2
+ NR8v3d9S9E07mZ9hvg/fL+HtM76FZyhOSZoxX4TT0nHtJAA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+smb: client: set correct id, uid and cruid for multiuser automounts
+
+When uid, gid and cruid are not specified, we need to dynamically
+set them into the filesystem context used for automounting otherwise
+they'll end up reusing the values from the parent mount.
+
+The Linux kernel CVE team has assigned CVE-2024-26822 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 6.2 with commit 9fd29a5bae6e and fixed in 6.6.18 with commit c2aa2718cda2
+ Issue introduced in 6.2 with commit 9fd29a5bae6e and fixed in 6.7.6 with commit 7590ba9057c6
+ Issue introduced in 6.2 with commit 9fd29a5bae6e and fixed in 6.8 with commit 4508ec173570
+ Issue introduced in 5.15.124 with commit c8117ac42303
+ Issue introduced in 6.1.54 with commit 60e3318e3e90
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26822
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ fs/smb/client/namespace.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/c2aa2718cda2d56b4a551cb40043e9abc9684626
+ https://git.kernel.org/stable/c/7590ba9057c6d74c66f3b909a383ec47cd2f27fb
+ https://git.kernel.org/stable/c/4508ec17357094e2075f334948393ddedbb75157
diff --git a/cve/published/2024/CVE-2024-26822.sha1 b/cve/published/2024/CVE-2024-26822.sha1
new file mode 100644
index 00000000..86c3a89d
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26822.sha1
@@ -0,0 +1 @@
+4508ec17357094e2075f334948393ddedbb75157
diff --git a/cve/reserved/2024/CVE-2024-26823 b/cve/published/2024/CVE-2024-26823
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26823
+++ b/cve/published/2024/CVE-2024-26823
diff --git a/cve/published/2024/CVE-2024-26823.json b/cve/published/2024/CVE-2024-26823.json
new file mode 100644
index 00000000..e644fd24
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26823.json
@@ -0,0 +1,103 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/gic-v3-its: Restore quirk probing for ACPI-based systems\n\nWhile refactoring the way the ITSs are probed, the handling of quirks\napplicable to ACPI-based platforms was lost. As a result, systems such as\nHIP07 lose their GICv4 functionnality, and some other may even fail to\nboot, unless they are configured to boot with DT.\n\nMove the enabling of quirks into its_probe_one(), making it common to all\nfirmware implementations."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "9585a495ac93",
+ "lessThan": "91a80fff3eee",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "9585a495ac93",
+ "lessThan": "4c60c611441f",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "9585a495ac93",
+ "lessThan": "8b02da04ad97",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.6",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "6.6",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.18",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.6",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/91a80fff3eeed928b6fba21271f6a9719b22a5d8"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/4c60c611441f1f1e5de8e00e98ee5a4970778a00"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/8b02da04ad978827e5ccd675acf170198f747a7a"
+ }
+ ],
+ "title": "irqchip/gic-v3-its: Restore quirk probing for ACPI-based systems",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26823",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26823.mbox b/cve/published/2024/CVE-2024-26823.mbox
new file mode 100644
index 00000000..4fab69be
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26823.mbox
@@ -0,0 +1,72 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26823: irqchip/gic-v3-its: Restore quirk probing for ACPI-based systems
+Message-Id: <2024041702-CVE-2024-26823-0e52@gregkh>
+Content-Length: 2150
+Lines: 55
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2206;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=cRGvaQiswOgM3Jh0I2PVxoBJCoRFMAsETthFZp4aCIs=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGnyMx+9VWedPMX/T/POTu62DRq507yk7nm+vLBO/sWst
+ j+qO1f/7IhlYRBkYpAVU2T5so3n6P6KQ4pehranYeawMoEMYeDiFICJTHVgmF+kfebX2rfzRfKt
+ HrHNOHZ04nZmm2cMC6Z8n9h0+ZCDWP76d+vnXO/L8BZXzgQA
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+irqchip/gic-v3-its: Restore quirk probing for ACPI-based systems
+
+While refactoring the way the ITSs are probed, the handling of quirks
+applicable to ACPI-based platforms was lost. As a result, systems such as
+HIP07 lose their GICv4 functionnality, and some other may even fail to
+boot, unless they are configured to boot with DT.
+
+Move the enabling of quirks into its_probe_one(), making it common to all
+firmware implementations.
+
+The Linux kernel CVE team has assigned CVE-2024-26823 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 6.6 with commit 9585a495ac93 and fixed in 6.6.18 with commit 91a80fff3eee
+ Issue introduced in 6.6 with commit 9585a495ac93 and fixed in 6.7.6 with commit 4c60c611441f
+ Issue introduced in 6.6 with commit 9585a495ac93 and fixed in 6.8 with commit 8b02da04ad97
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26823
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/irqchip/irq-gic-v3-its.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/91a80fff3eeed928b6fba21271f6a9719b22a5d8
+ https://git.kernel.org/stable/c/4c60c611441f1f1e5de8e00e98ee5a4970778a00
+ https://git.kernel.org/stable/c/8b02da04ad978827e5ccd675acf170198f747a7a
diff --git a/cve/published/2024/CVE-2024-26823.sha1 b/cve/published/2024/CVE-2024-26823.sha1
new file mode 100644
index 00000000..670babe4
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26823.sha1
@@ -0,0 +1 @@
+8b02da04ad978827e5ccd675acf170198f747a7a
diff --git a/cve/reserved/2024/CVE-2024-26824 b/cve/published/2024/CVE-2024-26824
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26824
+++ b/cve/published/2024/CVE-2024-26824
diff --git a/cve/published/2024/CVE-2024-26824.json b/cve/published/2024/CVE-2024-26824.json
new file mode 100644
index 00000000..1fa21c46
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26824.json
@@ -0,0 +1,103 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: algif_hash - Remove bogus SGL free on zero-length error path\n\nWhen a zero-length message is hashed by algif_hash, and an error\nis triggered, it tries to free an SG list that was never allocated\nin the first place. Fix this by not freeing the SG list on the\nzero-length error path."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "b6d972f68983",
+ "lessThan": "9c82920359b7",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "b6d972f68983",
+ "lessThan": "775f3c1882a4",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "b6d972f68983",
+ "lessThan": "24c890dd712f",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.5",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "6.5",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.18",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.6",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/9c82920359b7c1eddaf72069bcfe0ffddf088cd0"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/775f3c1882a493168e08fdb8cde0865c8f3a8a29"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/24c890dd712f6345e382256cae8c97abb0406b70"
+ }
+ ],
+ "title": "crypto: algif_hash - Remove bogus SGL free on zero-length error path",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26824",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26824.mbox b/cve/published/2024/CVE-2024-26824.mbox
new file mode 100644
index 00000000..4f123b87
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26824.mbox
@@ -0,0 +1,69 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26824: crypto: algif_hash - Remove bogus SGL free on zero-length error path
+Message-Id: <2024041702-CVE-2024-26824-98e1@gregkh>
+Content-Length: 1995
+Lines: 52
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2048;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=N3p5CXSS0eY27a87pTAIhrMvOuWKUUyAhTEqaUbdj5c=;
+ b=kA0DAAIRMUfUDdst+ykByyZiAGYfmeKinKU44Jv7yycZyNEh+NoKGQ7Hh1YDJEurVgnPKnpEi
+ 4hdBAARAgAdFiEE9LYMxb94wiFKMT3LMUfUDdst+ykFAmYfmeIACgkQMUfUDdst+ykhVQCeO6cr
+ rm6PZgzKAdpFJFSccuLTiOQAni2bxNXcwhXMJ7fXnLLNS9QmBha8
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+crypto: algif_hash - Remove bogus SGL free on zero-length error path
+
+When a zero-length message is hashed by algif_hash, and an error
+is triggered, it tries to free an SG list that was never allocated
+in the first place. Fix this by not freeing the SG list on the
+zero-length error path.
+
+The Linux kernel CVE team has assigned CVE-2024-26824 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 6.5 with commit b6d972f68983 and fixed in 6.6.18 with commit 9c82920359b7
+ Issue introduced in 6.5 with commit b6d972f68983 and fixed in 6.7.6 with commit 775f3c1882a4
+ Issue introduced in 6.5 with commit b6d972f68983 and fixed in 6.8 with commit 24c890dd712f
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26824
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ crypto/algif_hash.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/9c82920359b7c1eddaf72069bcfe0ffddf088cd0
+ https://git.kernel.org/stable/c/775f3c1882a493168e08fdb8cde0865c8f3a8a29
+ https://git.kernel.org/stable/c/24c890dd712f6345e382256cae8c97abb0406b70
diff --git a/cve/published/2024/CVE-2024-26824.sha1 b/cve/published/2024/CVE-2024-26824.sha1
new file mode 100644
index 00000000..b8870bf2
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26824.sha1
@@ -0,0 +1 @@
+24c890dd712f6345e382256cae8c97abb0406b70
diff --git a/cve/reserved/2024/CVE-2024-26825 b/cve/published/2024/CVE-2024-26825
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26825
+++ b/cve/published/2024/CVE-2024-26825
diff --git a/cve/published/2024/CVE-2024-26825.json b/cve/published/2024/CVE-2024-26825.json
new file mode 100644
index 00000000..41ac495c
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26825.json
@@ -0,0 +1,178 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nci: free rx_data_reassembly skb on NCI device cleanup\n\nrx_data_reassembly skb is stored during NCI data exchange for processing\nfragmented packets. It is dropped only when the last fragment is processed\nor when an NTF packet with NCI_OP_RF_DEACTIVATE_NTF opcode is received.\nHowever, the NCI device may be deallocated before that which leads to skb\nleak.\n\nAs by design the rx_data_reassembly skb is bound to the NCI device and\nnothing prevents the device to be freed before the skb is processed in\nsome way and cleaned, free it on the NCI device cleanup.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6a2968aaf50c",
+ "lessThan": "7e9a8498658b",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "6a2968aaf50c",
+ "lessThan": "71349abe3aba",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "6a2968aaf50c",
+ "lessThan": "2f6d16f0520d",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "6a2968aaf50c",
+ "lessThan": "471c9ede8061",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "6a2968aaf50c",
+ "lessThan": "5c0c5ffaed73",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "6a2968aaf50c",
+ "lessThan": "16d3f507b0fa",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "6a2968aaf50c",
+ "lessThan": "a3d90fb5c23f",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "6a2968aaf50c",
+ "lessThan": "bfb007aebe6b",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "3.2",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "3.2",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.19.307",
+ "lessThanOrEqual": "4.19.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.269",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.210",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.149",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.79",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.18",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.6",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/7e9a8498658b398bf11b8e388005fa54e40aed81"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/71349abe3aba7fedcab5b3fcd7aa82371fb5ccbf"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/2f6d16f0520d6505241629ee2f5c131b547d5f9d"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/471c9ede8061357b43a116fa692e70d91941ac23"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/5c0c5ffaed73cbae6c317374dc32ba6cacc60895"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/16d3f507b0fa70453dc54550df093d6e9ac630c1"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/a3d90fb5c23f29ba59c04005ae76c5228cef2be9"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/bfb007aebe6bff451f7f3a4be19f4f286d0d5d9c"
+ }
+ ],
+ "title": "nfc: nci: free rx_data_reassembly skb on NCI device cleanup",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26825",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26825.mbox b/cve/published/2024/CVE-2024-26825.mbox
new file mode 100644
index 00000000..70687eec
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26825.mbox
@@ -0,0 +1,86 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26825: nfc: nci: free rx_data_reassembly skb on NCI device cleanup
+Message-Id: <2024041702-CVE-2024-26825-408e@gregkh>
+Content-Length: 3188
+Lines: 69
+X-Developer-Signature: v=1; a=openpgp-sha256; l=3258;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=9Ay+kEDDDAMBOs4hXERFNU4nrnT59GUb+4Z+Ax7sod4=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGnyMx93N7pwzk1boFj6KGXRl7qFiW1/A2b+u8bQFPW7L
+ vTtoeMRHbEsDIJMDLJiiixftvEc3V9xSNHL0PY0zBxWJpAhDFycAjCRdXYMc/jrmW/ppVVWXnzS
+ t/au5cdW1mWRLgxz5RoYmDkz7+QG867LX8LxkPdEXMc1AA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+nfc: nci: free rx_data_reassembly skb on NCI device cleanup
+
+rx_data_reassembly skb is stored during NCI data exchange for processing
+fragmented packets. It is dropped only when the last fragment is processed
+or when an NTF packet with NCI_OP_RF_DEACTIVATE_NTF opcode is received.
+However, the NCI device may be deallocated before that which leads to skb
+leak.
+
+As by design the rx_data_reassembly skb is bound to the NCI device and
+nothing prevents the device to be freed before the skb is processed in
+some way and cleaned, free it on the NCI device cleanup.
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+The Linux kernel CVE team has assigned CVE-2024-26825 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 3.2 with commit 6a2968aaf50c and fixed in 4.19.307 with commit 7e9a8498658b
+ Issue introduced in 3.2 with commit 6a2968aaf50c and fixed in 5.4.269 with commit 71349abe3aba
+ Issue introduced in 3.2 with commit 6a2968aaf50c and fixed in 5.10.210 with commit 2f6d16f0520d
+ Issue introduced in 3.2 with commit 6a2968aaf50c and fixed in 5.15.149 with commit 471c9ede8061
+ Issue introduced in 3.2 with commit 6a2968aaf50c and fixed in 6.1.79 with commit 5c0c5ffaed73
+ Issue introduced in 3.2 with commit 6a2968aaf50c and fixed in 6.6.18 with commit 16d3f507b0fa
+ Issue introduced in 3.2 with commit 6a2968aaf50c and fixed in 6.7.6 with commit a3d90fb5c23f
+ Issue introduced in 3.2 with commit 6a2968aaf50c and fixed in 6.8 with commit bfb007aebe6b
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26825
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ net/nfc/nci/core.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/7e9a8498658b398bf11b8e388005fa54e40aed81
+ https://git.kernel.org/stable/c/71349abe3aba7fedcab5b3fcd7aa82371fb5ccbf
+ https://git.kernel.org/stable/c/2f6d16f0520d6505241629ee2f5c131b547d5f9d
+ https://git.kernel.org/stable/c/471c9ede8061357b43a116fa692e70d91941ac23
+ https://git.kernel.org/stable/c/5c0c5ffaed73cbae6c317374dc32ba6cacc60895
+ https://git.kernel.org/stable/c/16d3f507b0fa70453dc54550df093d6e9ac630c1
+ https://git.kernel.org/stable/c/a3d90fb5c23f29ba59c04005ae76c5228cef2be9
+ https://git.kernel.org/stable/c/bfb007aebe6bff451f7f3a4be19f4f286d0d5d9c
diff --git a/cve/published/2024/CVE-2024-26825.sha1 b/cve/published/2024/CVE-2024-26825.sha1
new file mode 100644
index 00000000..196b29af
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26825.sha1
@@ -0,0 +1 @@
+bfb007aebe6bff451f7f3a4be19f4f286d0d5d9c
diff --git a/cve/reserved/2024/CVE-2024-26826 b/cve/published/2024/CVE-2024-26826
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26826
+++ b/cve/published/2024/CVE-2024-26826
diff --git a/cve/published/2024/CVE-2024-26826.json b/cve/published/2024/CVE-2024-26826.json
new file mode 100644
index 00000000..432cb7d8
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26826.json
@@ -0,0 +1,133 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix data re-injection from stale subflow\n\nWhen the MPTCP PM detects that a subflow is stale, all the packet\nscheduler must re-inject all the mptcp-level unacked data. To avoid\nacquiring unneeded locks, it first try to check if any unacked data\nis present at all in the RTX queue, but such check is currently\nbroken, as it uses TCP-specific helper on an MPTCP socket.\n\nFunnily enough fuzzers and static checkers are happy, as the accessed\nmemory still belongs to the mptcp_sock struct, and even from a\nfunctional perspective the recovery completed successfully, as\nthe short-cut test always failed.\n\nA recent unrelated TCP change - commit d5fed5addb2b (\"tcp: reorganize\ntcp_sock fast path variables\") - exposed the issue, as the tcp field\nreorganization makes the mptcp code always skip the re-inection.\n\nFix the issue dropping the bogus call: we are on a slow path, the early\noptimization proved once again to be evil."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1e1d9d6f119c",
+ "lessThan": "6f95120f898b",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1e1d9d6f119c",
+ "lessThan": "6673d9f1c2cd",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1e1d9d6f119c",
+ "lessThan": "b609c783c535",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1e1d9d6f119c",
+ "lessThan": "624902eab7ab",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1e1d9d6f119c",
+ "lessThan": "b6c620dc43cc",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.15",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.15",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.149",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.79",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.18",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.6",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/6f95120f898b40d13fd441225ef511307853c9c2"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/6673d9f1c2cd984390550dbdf7d5ae07b20abbf8"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/b609c783c535493aa3fca22c7e40a120370b1ca5"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/624902eab7abcb8731b333ec73f206d38d839cd8"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/b6c620dc43ccb4e802894e54b651cf81495e9598"
+ }
+ ],
+ "title": "mptcp: fix data re-injection from stale subflow",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26826",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26826.mbox b/cve/published/2024/CVE-2024-26826.mbox
new file mode 100644
index 00000000..71599abd
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26826.mbox
@@ -0,0 +1,86 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26826: mptcp: fix data re-injection from stale subflow
+Message-Id: <2024041703-CVE-2024-26826-b984@gregkh>
+Content-Length: 2977
+Lines: 69
+X-Developer-Signature: v=1; a=openpgp-sha256; l=3047;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=mSd0BGDS2+PdvzkqAZaibKNBZy551ckgCz9E9m44Hs8=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGnyMx8fOdWoEPTopU7Pm4kthzo64kRmsk1f/5lldbbCn
+ MXSmtLxHbEsDIJMDLJiiixftvEc3V9xSNHL0PY0zBxWJpAhDFycAjCRf44M8x3yPDKXPpsd9kZv
+ 4guTs3P32JQoTWJYsLK98wjPTb5DNwVlZplc/7DLP2S9LQA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+mptcp: fix data re-injection from stale subflow
+
+When the MPTCP PM detects that a subflow is stale, all the packet
+scheduler must re-inject all the mptcp-level unacked data. To avoid
+acquiring unneeded locks, it first try to check if any unacked data
+is present at all in the RTX queue, but such check is currently
+broken, as it uses TCP-specific helper on an MPTCP socket.
+
+Funnily enough fuzzers and static checkers are happy, as the accessed
+memory still belongs to the mptcp_sock struct, and even from a
+functional perspective the recovery completed successfully, as
+the short-cut test always failed.
+
+A recent unrelated TCP change - commit d5fed5addb2b ("tcp: reorganize
+tcp_sock fast path variables") - exposed the issue, as the tcp field
+reorganization makes the mptcp code always skip the re-inection.
+
+Fix the issue dropping the bogus call: we are on a slow path, the early
+optimization proved once again to be evil.
+
+The Linux kernel CVE team has assigned CVE-2024-26826 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.15 with commit 1e1d9d6f119c and fixed in 5.15.149 with commit 6f95120f898b
+ Issue introduced in 5.15 with commit 1e1d9d6f119c and fixed in 6.1.79 with commit 6673d9f1c2cd
+ Issue introduced in 5.15 with commit 1e1d9d6f119c and fixed in 6.6.18 with commit b609c783c535
+ Issue introduced in 5.15 with commit 1e1d9d6f119c and fixed in 6.7.6 with commit 624902eab7ab
+ Issue introduced in 5.15 with commit 1e1d9d6f119c and fixed in 6.8 with commit b6c620dc43cc
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26826
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ net/mptcp/protocol.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/6f95120f898b40d13fd441225ef511307853c9c2
+ https://git.kernel.org/stable/c/6673d9f1c2cd984390550dbdf7d5ae07b20abbf8
+ https://git.kernel.org/stable/c/b609c783c535493aa3fca22c7e40a120370b1ca5
+ https://git.kernel.org/stable/c/624902eab7abcb8731b333ec73f206d38d839cd8
+ https://git.kernel.org/stable/c/b6c620dc43ccb4e802894e54b651cf81495e9598
diff --git a/cve/published/2024/CVE-2024-26826.sha1 b/cve/published/2024/CVE-2024-26826.sha1
new file mode 100644
index 00000000..81349727
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26826.sha1
@@ -0,0 +1 @@
+b6c620dc43ccb4e802894e54b651cf81495e9598
diff --git a/cve/reserved/2024/CVE-2024-26827 b/cve/published/2024/CVE-2024-26827
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26827
+++ b/cve/published/2024/CVE-2024-26827
diff --git a/cve/published/2024/CVE-2024-26827.json b/cve/published/2024/CVE-2024-26827.json
new file mode 100644
index 00000000..6a4bb2ab
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26827.json
@@ -0,0 +1,118 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: qcom-geni: Correct I2C TRE sequence\n\nFor i2c read operation in GSI mode, we are getting timeout\ndue to malformed TRE basically incorrect TRE sequence\nin gpi(drivers/dma/qcom/gpi.c) driver.\n\nI2C driver has geni_i2c_gpi(I2C_WRITE) function which generates GO TRE and\ngeni_i2c_gpi(I2C_READ)generates DMA TRE. Hence to generate GO TRE before\nDMA TRE, we should move geni_i2c_gpi(I2C_WRITE) before\ngeni_i2c_gpi(I2C_READ) inside the I2C GSI mode transfer function\ni.e. geni_i2c_gpi_xfer().\n\nTRE stands for Transfer Ring Element - which is basically an element with\nsize of 4 words. It contains all information like slave address,\nclk divider, dma address value data size etc).\n\nMainly we have 3 TREs(Config, GO and DMA tre).\n- CONFIG TRE : consists of internal register configuration which is\n required before start of the transfer.\n- DMA TRE : contains DDR/Memory address, called as DMA descriptor.\n- GO TRE : contains Transfer directions, slave ID, Delay flags, Length\n of the transfer.\n\nI2c driver calls GPI driver API to config each TRE depending on the\nprotocol.\n\nFor read operation tre sequence will be as below which is not aligned\nto hardware programming guide.\n\n- CONFIG tre\n- DMA tre\n- GO tre\n\nAs per Qualcomm's internal Hardware Programming Guide, we should configure\nTREs in below sequence for any RX only transfer.\n\n- CONFIG tre\n- GO tre\n- DMA tre"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "d8703554f4de",
+ "lessThan": "083870b029c0",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "d8703554f4de",
+ "lessThan": "0589dff4fbf4",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "d8703554f4de",
+ "lessThan": "9318483e99f2",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "d8703554f4de",
+ "lessThan": "83ef106fa732",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.18",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.18",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.79",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.18",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.6",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/083870b029c06da6a9a49340dd78637eec35a1d4"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/0589dff4fbf4a7b88a909a34ecfa7b5d3daf51f5"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/9318483e99f242ec4059e2fa20887e1d28efd5ae"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/83ef106fa732aea8558253641cd98e8a895604d7"
+ }
+ ],
+ "title": "i2c: qcom-geni: Correct I2C TRE sequence",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26827",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26827.mbox b/cve/published/2024/CVE-2024-26827.mbox
new file mode 100644
index 00000000..037bbf15
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26827.mbox
@@ -0,0 +1,104 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26827: i2c: qcom-geni: Correct I2C TRE sequence
+Message-Id: <2024041703-CVE-2024-26827-67c1@gregkh>
+Content-Length: 3288
+Lines: 87
+X-Developer-Signature: v=1; a=openpgp-sha256; l=3376;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=PoB6zK1I+e7WLaPb9lQN3Fx+QanOUo+yubEVQPH3e4w=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGnyMx87ndzwucjzq4CbdSOjSuMNt/3XXd57nM7qPlnwY
+ u7vxzMUO2JZGASZGGTFFFm+bOM5ur/ikKKXoe1pmDmsTCBDGLg4BWAiPPUMC46yFIqekfTOX/xp
+ SYNrxub595WjGRjmyiZGNTrWvZ/x3zbSWsK3MPD1ZacyAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+i2c: qcom-geni: Correct I2C TRE sequence
+
+For i2c read operation in GSI mode, we are getting timeout
+due to malformed TRE basically incorrect TRE sequence
+in gpi(drivers/dma/qcom/gpi.c) driver.
+
+I2C driver has geni_i2c_gpi(I2C_WRITE) function which generates GO TRE and
+geni_i2c_gpi(I2C_READ)generates DMA TRE. Hence to generate GO TRE before
+DMA TRE, we should move geni_i2c_gpi(I2C_WRITE) before
+geni_i2c_gpi(I2C_READ) inside the I2C GSI mode transfer function
+i.e. geni_i2c_gpi_xfer().
+
+TRE stands for Transfer Ring Element - which is basically an element with
+size of 4 words. It contains all information like slave address,
+clk divider, dma address value data size etc).
+
+Mainly we have 3 TREs(Config, GO and DMA tre).
+- CONFIG TRE : consists of internal register configuration which is
+ required before start of the transfer.
+- DMA TRE : contains DDR/Memory address, called as DMA descriptor.
+- GO TRE : contains Transfer directions, slave ID, Delay flags, Length
+ of the transfer.
+
+I2c driver calls GPI driver API to config each TRE depending on the
+protocol.
+
+For read operation tre sequence will be as below which is not aligned
+to hardware programming guide.
+
+- CONFIG tre
+- DMA tre
+- GO tre
+
+As per Qualcomm's internal Hardware Programming Guide, we should configure
+TREs in below sequence for any RX only transfer.
+
+- CONFIG tre
+- GO tre
+- DMA tre
+
+The Linux kernel CVE team has assigned CVE-2024-26827 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.18 with commit d8703554f4de and fixed in 6.1.79 with commit 083870b029c0
+ Issue introduced in 5.18 with commit d8703554f4de and fixed in 6.6.18 with commit 0589dff4fbf4
+ Issue introduced in 5.18 with commit d8703554f4de and fixed in 6.7.6 with commit 9318483e99f2
+ Issue introduced in 5.18 with commit d8703554f4de and fixed in 6.8 with commit 83ef106fa732
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26827
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/i2c/busses/i2c-qcom-geni.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/083870b029c06da6a9a49340dd78637eec35a1d4
+ https://git.kernel.org/stable/c/0589dff4fbf4a7b88a909a34ecfa7b5d3daf51f5
+ https://git.kernel.org/stable/c/9318483e99f242ec4059e2fa20887e1d28efd5ae
+ https://git.kernel.org/stable/c/83ef106fa732aea8558253641cd98e8a895604d7
diff --git a/cve/published/2024/CVE-2024-26827.sha1 b/cve/published/2024/CVE-2024-26827.sha1
new file mode 100644
index 00000000..d9dd5bf2
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26827.sha1
@@ -0,0 +1 @@
+83ef106fa732aea8558253641cd98e8a895604d7
diff --git a/cve/reserved/2024/CVE-2024-26828 b/cve/published/2024/CVE-2024-26828
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26828
+++ b/cve/published/2024/CVE-2024-26828
diff --git a/cve/published/2024/CVE-2024-26828.json b/cve/published/2024/CVE-2024-26828.json
new file mode 100644
index 00000000..63878cc2
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26828.json
@@ -0,0 +1,118 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: fix underflow in parse_server_interfaces()\n\nIn this loop, we step through the buffer and after each item we check\nif the size_left is greater than the minimum size we need. However,\nthe problem is that \"bytes_left\" is type ssize_t while sizeof() is type\nsize_t. That means that because of type promotion, the comparison is\ndone as an unsigned and if we have negative bytes left the loop\ncontinues instead of ending."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "fe856be475f7",
+ "lessThan": "7190353835b4",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "fe856be475f7",
+ "lessThan": "f7ff1c89fb6e",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "fe856be475f7",
+ "lessThan": "df2af9fdbc4d",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "fe856be475f7",
+ "lessThan": "cffe487026be",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "4.18",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "4.18",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.79",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.18",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.6",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/7190353835b4a219abb70f90b06cdcae97f11512"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/f7ff1c89fb6e9610d2b01c1821727729e6609308"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/df2af9fdbc4ddde18a3371c4ca1a86596e8be301"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/cffe487026be13eaf37ea28b783d9638ab147204"
+ }
+ ],
+ "title": "cifs: fix underflow in parse_server_interfaces()",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26828",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
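Review bot: The `descriptions[0].value` string names the loop counter two ways, first `size_left` and then `"bytes_left"`, and it stops at "the loop continues instead of ending" without saying what that means for the buffer being walked. Someone triaging from the record alone has to open the fix commit to learn the consequence. Presumably parsing carries on past the end of the buffer, but that should be confirmed against the fix before it is written into the record. I would use one name throughout, `if the bytes_left is greater than the minimum size we need`, and close the description with one sentence stating the confirmed effect. The same text is repeated in the CVE-2024-26828.mbox hunk that follows.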
diff --git a/cve/published/2024/CVE-2024-26828.mbox b/cve/published/2024/CVE-2024-26828.mbox
new file mode 100644
index 00000000..ea028137
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26828.mbox
@@ -0,0 +1,73 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26828: cifs: fix underflow in parse_server_interfaces()
+Message-Id: <2024041703-CVE-2024-26828-b2be@gregkh>
+Content-Length: 2306
+Lines: 56
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2363;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=F4DhiHq5wMQpJSe+V8DJk4I0RZQqduBdYfIZhYJp8o4=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGnyMx+fdDIN47Z+rXZq/4zv5arXzqse7EzTz3hQG9f04
+ Nudx2mnO2JZGASZGGTFFFm+bOM5ur/ikKKXoe1pmDmsTCBDGLg4BWAir/YyzDN0zMlPO6V3mJ91
+ jaASt9oVj7NMtQzz67t/aXi/nPHnzEyn5iPK7yeoT2qYBwA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+cifs: fix underflow in parse_server_interfaces()
+
+In this loop, we step through the buffer and after each item we check
+if the size_left is greater than the minimum size we need. However,
+the problem is that "bytes_left" is type ssize_t while sizeof() is type
+size_t. That means that because of type promotion, the comparison is
+done as an unsigned and if we have negative bytes left the loop
+continues instead of ending.
+
+The Linux kernel CVE team has assigned CVE-2024-26828 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 4.18 with commit fe856be475f7 and fixed in 6.1.79 with commit 7190353835b4
+ Issue introduced in 4.18 with commit fe856be475f7 and fixed in 6.6.18 with commit f7ff1c89fb6e
+ Issue introduced in 4.18 with commit fe856be475f7 and fixed in 6.7.6 with commit df2af9fdbc4d
+ Issue introduced in 4.18 with commit fe856be475f7 and fixed in 6.8 with commit cffe487026be
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26828
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ fs/smb/client/smb2ops.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/7190353835b4a219abb70f90b06cdcae97f11512
+ https://git.kernel.org/stable/c/f7ff1c89fb6e9610d2b01c1821727729e6609308
+ https://git.kernel.org/stable/c/df2af9fdbc4ddde18a3371c4ca1a86596e8be301
+ https://git.kernel.org/stable/c/cffe487026be13eaf37ea28b783d9638ab147204
diff --git a/cve/published/2024/CVE-2024-26828.sha1 b/cve/published/2024/CVE-2024-26828.sha1
new file mode 100644
index 00000000..9ed4aa0b
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26828.sha1
@@ -0,0 +1 @@
+cffe487026be13eaf37ea28b783d9638ab147204
diff --git a/cve/reserved/2024/CVE-2024-26830 b/cve/published/2024/CVE-2024-26830
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26830
+++ b/cve/published/2024/CVE-2024-26830
diff --git a/cve/published/2024/CVE-2024-26830.json b/cve/published/2024/CVE-2024-26830.json
new file mode 100644
index 00000000..60409755
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26830.json
@@ -0,0 +1,118 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Do not allow untrusted VF to remove administratively set MAC\n\nCurrently when PF administratively sets VF's MAC address and the VF\nis put down (VF tries to delete all MACs) then the MAC is removed\nfrom MAC filters and primary VF MAC is zeroed.\n\nDo not allow untrusted VF to remove primary MAC when it was set\nadministratively by PF.\n\nReproducer:\n1) Create VF\n2) Set VF interface up\n3) Administratively set the VF's MAC\n4) Put VF interface down\n\n[root@host ~]# echo 1 > /sys/class/net/enp2s0f0/device/sriov_numvfs\n[root@host ~]# ip link set enp2s0f0v0 up\n[root@host ~]# ip link set enp2s0f0 vf 0 mac fe:6c:b5:da:c7:7d\n[root@host ~]# ip link show enp2s0f0\n23: enp2s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000\n link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff\n vf 0 link/ether fe:6c:b5:da:c7:7d brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off\n[root@host ~]# ip link set enp2s0f0v0 down\n[root@host ~]# ip link show enp2s0f0\n23: enp2s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000\n link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff\n vf 0 link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "700bbf6c1f9e",
+ "lessThan": "1c981792e4cc",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "700bbf6c1f9e",
+ "lessThan": "be147926140a",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "700bbf6c1f9e",
+ "lessThan": "d250a81ba813",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "700bbf6c1f9e",
+ "lessThan": "73d9629e1c8c",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "3.14",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "3.14",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.79",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.18",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.6",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/1c981792e4ccbc134b468797acdd7781959e6893"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/be147926140ac48022c9605d7ab0a67387e4b404"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/d250a81ba813a93563be68072c563aa1e346346d"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/73d9629e1c8c1982f13688c4d1019c3994647ccc"
+ }
+ ],
+ "title": "i40e: Do not allow untrusted VF to remove administratively set MAC",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26830",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26830.mbox b/cve/published/2024/CVE-2024-26830.mbox
new file mode 100644
index 00000000..8a8ee74e
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26830.mbox
@@ -0,0 +1,92 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26830: i40e: Do not allow untrusted VF to remove administratively set MAC
+Message-Id: <2024041703-CVE-2024-26830-5bc0@gregkh>
+Content-Length: 3204
+Lines: 75
+X-Developer-Signature: v=1; a=openpgp-sha256; l=3280;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=1saKej35I4PJ2M/7Q9uOUsX8dnpR6gEJi218XNiGKrM=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGnyMx/Pk/A6uofVJ2BKoUjaaafYnm8V31vuv7Stdlx27
+ 2se0zy1jlgWBkEmBlkxRZYv23iO7q84pOhlaHsaZg4rE8gQBi5OAZiIz2WGeaqL7oQoTwtdcbn3
+ CE/3loT1MRd4ZjPMD7eJk9O0bNxh+fLnvpsdDr4FEVpWAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+i40e: Do not allow untrusted VF to remove administratively set MAC
+
+Currently when PF administratively sets VF's MAC address and the VF
+is put down (VF tries to delete all MACs) then the MAC is removed
+from MAC filters and primary VF MAC is zeroed.
+
+Do not allow untrusted VF to remove primary MAC when it was set
+administratively by PF.
+
+Reproducer:
+1) Create VF
+2) Set VF interface up
+3) Administratively set the VF's MAC
+4) Put VF interface down
+
+[root@host ~]# echo 1 > /sys/class/net/enp2s0f0/device/sriov_numvfs
+[root@host ~]# ip link set enp2s0f0v0 up
+[root@host ~]# ip link set enp2s0f0 vf 0 mac fe:6c:b5:da:c7:7d
+[root@host ~]# ip link show enp2s0f0
+23: enp2s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
+ link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff
+ vf 0 link/ether fe:6c:b5:da:c7:7d brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off
+[root@host ~]# ip link set enp2s0f0v0 down
+[root@host ~]# ip link show enp2s0f0
+23: enp2s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
+ link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff
+ vf 0 link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off
+
+The Linux kernel CVE team has assigned CVE-2024-26830 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 3.14 with commit 700bbf6c1f9e and fixed in 6.1.79 with commit 1c981792e4cc
+ Issue introduced in 3.14 with commit 700bbf6c1f9e and fixed in 6.6.18 with commit be147926140a
+ Issue introduced in 3.14 with commit 700bbf6c1f9e and fixed in 6.7.6 with commit d250a81ba813
+ Issue introduced in 3.14 with commit 700bbf6c1f9e and fixed in 6.8 with commit 73d9629e1c8c
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26830
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/1c981792e4ccbc134b468797acdd7781959e6893
+ https://git.kernel.org/stable/c/be147926140ac48022c9605d7ab0a67387e4b404
+ https://git.kernel.org/stable/c/d250a81ba813a93563be68072c563aa1e346346d
+ https://git.kernel.org/stable/c/73d9629e1c8c1982f13688c4d1019c3994647ccc
diff --git a/cve/published/2024/CVE-2024-26830.sha1 b/cve/published/2024/CVE-2024-26830.sha1
new file mode 100644
index 00000000..e306f3f2
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26830.sha1
@@ -0,0 +1 @@
+73d9629e1c8c1982f13688c4d1019c3994647ccc
diff --git a/cve/reserved/2024/CVE-2024-26831 b/cve/published/2024/CVE-2024-26831
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26831
+++ b/cve/published/2024/CVE-2024-26831
diff --git a/cve/published/2024/CVE-2024-26831.json b/cve/published/2024/CVE-2024-26831.json
new file mode 100644
index 00000000..85293ad3
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26831.json
@@ -0,0 +1,103 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/handshake: Fix handshake_req_destroy_test1\n\nRecently, handshake_req_destroy_test1 started failing:\n\nExpected handshake_req_destroy_test == req, but\n handshake_req_destroy_test == 0000000000000000\n req == 0000000060f99b40\nnot ok 11 req_destroy works\n\nThis is because \"sock_release(sock)\" was replaced with \"fput(filp)\"\nto address a memory leak. Note that sock_release() is synchronous\nbut fput() usually delays the final close and clean-up.\n\nThe delay is not consequential in the other cases that were changed\nbut handshake_req_destroy_test1 is testing that handshake_req_cancel()\nfollowed by closing the file actually does call the ->hp_destroy\nmethod. Thus the PTR_EQ test at the end has to be sure that the\nfinal close is complete before it checks the pointer.\n\nWe cannot use a completion here because if ->hp_destroy is never\ncalled (ie, there is an API bug) then the test will hang.\n\nReported by: Guenter Roeck <linux@roeck-us.net>"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "4a0f07d71b04",
+ "lessThan": "d74226e03df1",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "4a0f07d71b04",
+ "lessThan": "7f97805b8df6",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "4a0f07d71b04",
+ "lessThan": "4e1d71cabb19",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.6",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "6.6",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.18",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.6",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/d74226e03df1bf19848f18344401f254345af912"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/7f97805b8df6e33850e225e6bd3ebd9e246920af"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/4e1d71cabb19ec2586827adfc60d68689c68c194"
+ }
+ ],
+ "title": "net/handshake: Fix handshake_req_destroy_test1",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26831",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
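Review bot: The `affected` list has no entry for commit 1751e4498046, although the CVE-2024-26831.mbox hunk in this same commit lists `Issue introduced in 6.5.6 with commit 1751e4498046` with no fixed version. As written, `"version": "0", "lessThan": "6.6", "status": "unaffected"` tells a scanner that every 6.5.y kernel is clear, which contradicts the announcement. If the 6.5.6 backport really is affected, the git block needs `{ "version": "1751e4498046", "status": "affected", "versionType": "git" }` and the release-number block needs a matching 6.5.y range that the `lessThan: "6.6"` entry does not override. If it is not affected, the line should be dropped from the mbox so the two files agree.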
diff --git a/cve/published/2024/CVE-2024-26831.mbox b/cve/published/2024/CVE-2024-26831.mbox
new file mode 100644
index 00000000..43b8f89b
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26831.mbox
@@ -0,0 +1,87 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26831: net/handshake: Fix handshake_req_destroy_test1
+Message-Id: <2024041704-CVE-2024-26831-2e6e@gregkh>
+Content-Length: 2714
+Lines: 70
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2785;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=7rfhW+eRFC8YTzKXym4XUA/a2Huybl2ATW0z2lHmf7A=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGnyM58YWv9PF5598PGlGTKvjyy0XGLTNP0x6zqRKVs5f
+ j+dJcywtSOWhUGQiUFWTJHlyzaeo/srDil6GdqehpnDygQyhIGLUwAmwpXIMD/sl72u9KTs1R1e
+ bO2N2lLptgY7JzHMTwzf7PexoXxxoM9Rlsv+2WyiD4ryAQ==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+net/handshake: Fix handshake_req_destroy_test1
+
+Recently, handshake_req_destroy_test1 started failing:
+
+Expected handshake_req_destroy_test == req, but
+ handshake_req_destroy_test == 0000000000000000
+ req == 0000000060f99b40
+not ok 11 req_destroy works
+
+This is because "sock_release(sock)" was replaced with "fput(filp)"
+to address a memory leak. Note that sock_release() is synchronous
+but fput() usually delays the final close and clean-up.
+
+The delay is not consequential in the other cases that were changed
+but handshake_req_destroy_test1 is testing that handshake_req_cancel()
+followed by closing the file actually does call the ->hp_destroy
+method. Thus the PTR_EQ test at the end has to be sure that the
+final close is complete before it checks the pointer.
+
+We cannot use a completion here because if ->hp_destroy is never
+called (ie, there is an API bug) then the test will hang.
+
+Reported by: Guenter Roeck <linux@roeck-us.net>
+
+The Linux kernel CVE team has assigned CVE-2024-26831 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 6.6 with commit 4a0f07d71b04 and fixed in 6.6.18 with commit d74226e03df1
+ Issue introduced in 6.6 with commit 4a0f07d71b04 and fixed in 6.7.6 with commit 7f97805b8df6
+ Issue introduced in 6.6 with commit 4a0f07d71b04 and fixed in 6.8 with commit 4e1d71cabb19
+ Issue introduced in 6.5.6 with commit 1751e4498046
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26831
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ net/handshake/handshake-test.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/d74226e03df1bf19848f18344401f254345af912
+ https://git.kernel.org/stable/c/7f97805b8df6e33850e225e6bd3ebd9e246920af
+ https://git.kernel.org/stable/c/4e1d71cabb19ec2586827adfc60d68689c68c194
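Review bot: The only path under "Affected files" is `net/handshake/handshake-test.c`, and the description is the log of a failing test (`not ok 11 req_destroy works`), so the mail never says what the exposure is on a kernel that does not build or run that test. This looks like a test-only fix, which matters for patch prioritisation, but a reader has to infer that from the file name. I would add one line after the description, for example `Note: the fix changes only net/handshake/handshake-test.c.`, so consumers can triage without opening the commits.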
diff --git a/cve/published/2024/CVE-2024-26831.sha1 b/cve/published/2024/CVE-2024-26831.sha1
new file mode 100644
index 00000000..bc3b5c4d
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26831.sha1
@@ -0,0 +1 @@
+4e1d71cabb19ec2586827adfc60d68689c68c194