diff options
| author | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2024-03-25 10:08:46 +0100 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2024-03-25 10:08:46 +0100 |
| commit | c0b2da1b8d68b7e64029a6dbef5be751a8c4a67d (patch) | |
| tree | c0c1f4ef5c4e5fbffffb32eea79b05161ec89121 | |
| parent | 7135ff203cf4cae87ff29803c133768adf3155ac (diff) | |
| download | vulns-c0b2da1b8d68b7e64029a6dbef5be751a8c4a67d.tar.gz | |
publish some gsd cve entries
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
72 files changed, 3887 insertions, 0 deletions
diff --git a/cve/reserved/2021/CVE-2021-47136 b/cve/published/2021/CVE-2021-47136 index e69de29b..e69de29b 100644 --- a/cve/reserved/2021/CVE-2021-47136 +++ b/cve/published/2021/CVE-2021-47136 diff --git a/cve/published/2021/CVE-2021-47136.json b/cve/published/2021/CVE-2021-47136.json new file mode 100644 index 00000000..5a122e82 --- /dev/null +++ b/cve/published/2021/CVE-2021-47136.json @@ -0,0 +1,103 @@ +{ + "containers": { + "cna": { + "providerMetadata": { + "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" + }, + "descriptions": [ + { + "lang": "en", + "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: zero-initialize tc skb extension on allocation\n\nFunction skb_ext_add() doesn't initialize created skb extension with any\nvalue and leaves it up to the user. However, since extension of type\nTC_SKB_EXT originally contained only single value tc_skb_ext->chain its\nusers used to just assign the chain value without setting whole extension\nmemory to zero first. This assumption changed when TC_SKB_EXT extension was\nextended with additional fields but not all users were updated to\ninitialize the new fields which leads to use of uninitialized memory\nafterwards. UBSAN log:\n\n[ 778.299821] UBSAN: invalid-load in net/openvswitch/flow.c:899:28\n[ 778.301495] load of value 107 is not a valid value for type '_Bool'\n[ 778.303215] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.12.0-rc7+ #2\n[ 778.304933] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n[ 778.307901] Call Trace:\n[ 778.308680] <IRQ>\n[ 778.309358] dump_stack+0xbb/0x107\n[ 778.310307] ubsan_epilogue+0x5/0x40\n[ 778.311167] __ubsan_handle_load_invalid_value.cold+0x43/0x48\n[ 778.312454] ? memset+0x20/0x40\n[ 778.313230] ovs_flow_key_extract.cold+0xf/0x14 [openvswitch]\n[ 778.314532] ovs_vport_receive+0x19e/0x2e0 [openvswitch]\n[ 778.315749] ? ovs_vport_find_upcall_portid+0x330/0x330 [openvswitch]\n[ 778.317188] ? create_prof_cpu_mask+0x20/0x20\n[ 778.318220] ? arch_stack_walk+0x82/0xf0\n[ 778.319153] ? secondary_startup_64_no_verify+0xb0/0xbb\n[ 778.320399] ? stack_trace_save+0x91/0xc0\n[ 778.321362] ? stack_trace_consume_entry+0x160/0x160\n[ 778.322517] ? lock_release+0x52e/0x760\n[ 778.323444] netdev_frame_hook+0x323/0x610 [openvswitch]\n[ 778.324668] ? ovs_netdev_get_vport+0xe0/0xe0 [openvswitch]\n[ 778.325950] __netif_receive_skb_core+0x771/0x2db0\n[ 778.327067] ? lock_downgrade+0x6e0/0x6f0\n[ 778.328021] ? lock_acquire+0x565/0x720\n[ 778.328940] ? generic_xdp_tx+0x4f0/0x4f0\n[ 778.329902] ? inet_gro_receive+0x2a7/0x10a0\n[ 778.330914] ? lock_downgrade+0x6f0/0x6f0\n[ 778.331867] ? udp4_gro_receive+0x4c4/0x13e0\n[ 778.332876] ? lock_release+0x52e/0x760\n[ 778.333808] ? dev_gro_receive+0xcc8/0x2380\n[ 778.334810] ? lock_downgrade+0x6f0/0x6f0\n[ 778.335769] __netif_receive_skb_list_core+0x295/0x820\n[ 778.336955] ? process_backlog+0x780/0x780\n[ 778.337941] ? mlx5e_rep_tc_netdevice_event_unregister+0x20/0x20 [mlx5_core]\n[ 778.339613] ? seqcount_lockdep_reader_access.constprop.0+0xa7/0xc0\n[ 778.341033] ? kvm_clock_get_cycles+0x14/0x20\n[ 778.342072] netif_receive_skb_list_internal+0x5f5/0xcb0\n[ 778.343288] ? __kasan_kmalloc+0x7a/0x90\n[ 778.344234] ? mlx5e_handle_rx_cqe_mpwrq+0x9e0/0x9e0 [mlx5_core]\n[ 778.345676] ? mlx5e_xmit_xdp_frame_mpwqe+0x14d0/0x14d0 [mlx5_core]\n[ 778.347140] ? __netif_receive_skb_list_core+0x820/0x820\n[ 778.348351] ? mlx5e_post_rx_mpwqes+0xa6/0x25d0 [mlx5_core]\n[ 778.349688] ? napi_gro_flush+0x26c/0x3c0\n[ 778.350641] napi_complete_done+0x188/0x6b0\n[ 778.351627] mlx5e_napi_poll+0x373/0x1b80 [mlx5_core]\n[ 778.352853] __napi_poll+0x9f/0x510\n[ 778.353704] ? mlx5_flow_namespace_set_mode+0x260/0x260 [mlx5_core]\n[ 778.355158] net_rx_action+0x34c/0xa40\n[ 778.356060] ? napi_threaded_poll+0x3d0/0x3d0\n[ 778.357083] ? sched_clock_cpu+0x18/0x190\n[ 778.358041] ? __common_interrupt+0x8e/0x1a0\n[ 778.359045] __do_softirq+0x1ce/0x984\n[ 778.359938] __irq_exit_rcu+0x137/0x1d0\n[ 778.360865] irq_exit_rcu+0xa/0x20\n[ 778.361708] common_interrupt+0x80/0xa0\n[ 778.362640] </IRQ>\n[ 778.363212] asm_common_interrupt+0x1e/0x40\n[ 778.364204] RIP: 0010:native_safe_halt+0xe/0x10\n[ 778.365273] Code: 4f ff ff ff 4c 89 e7 e8 50 3f 40 fe e9 dc fe ff ff 48 89 df e8 43 3f 40 fe eb 90 cc e9 07 00 00 00 0f 00 2d 74 05 62 00 fb f4 <c3> 90 e9 07 00 00 00 0f 00 2d 64 05 62 00 f4 c3 cc cc 0f 1f 44 00\n[ 778.369355] RSP: 0018:ffffffff84407e48 EFLAGS: 00000246\n[ 778.370570] RAX\n---truncated---" + } + ], + "affected": [ + { + "product": "Linux", + "vendor": "Linux", + "defaultStatus": "unaffected", + "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", + "versions": [ + { + "version": "d29334c15d33", + "lessThan": "ac493452e937", + "status": "affected", + "versionType": "git" + }, + { + "version": "d29334c15d33", + "lessThan": "86ab133b695e", + "status": "affected", + "versionType": "git" + }, + { + "version": "d29334c15d33", + "lessThan": "9453d45ecb6c", + "status": "affected", + "versionType": "git" + } + ] + }, + { + "product": "Linux", + "vendor": "Linux", + "defaultStatus": "affected", + "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", + "versions": [ + { + "version": "5.9", + "status": "affected" + }, + { + "version": "0", + "lessThan": "5.9", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.10.42", + "lessThanOrEqual": "5.10.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.12.9", + "lessThanOrEqual": "5.12.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.13", + "lessThanOrEqual": "*", + "status": "unaffected", + "versionType": "original_commit_for_fix" + } + ] + } + ], + "references": [ + { + "url": "https://git.kernel.org/stable/c/ac493452e937b8939eaf2d24cac51a4804b6c20e" + }, + { + "url": "https://git.kernel.org/stable/c/86ab133b695ed7ba1f8786b12f4ca43137ad8c18" + }, + { + "url": "https://git.kernel.org/stable/c/9453d45ecb6c2199d72e73c993e9d98677a2801b" + } + ], + "title": "net: zero-initialize tc skb extension on allocation", + "x_generator": { + "engine": "bippy-b4257b672505" + } + } + }, + "cveMetadata": { + "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", + "cveID": "CVE-2021-47136", + "requesterUserId": "gregkh@kernel.org", + "serial": "1", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.0" +} diff --git a/cve/published/2021/CVE-2021-47136.mbox b/cve/published/2021/CVE-2021-47136.mbox new file mode 100644 index 00000000..945d615b --- /dev/null +++ b/cve/published/2021/CVE-2021-47136.mbox @@ -0,0 +1,156 @@ +From bippy-b4257b672505 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +To: <linux-cve-announce@vger.kernel.org> +Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> +Subject: CVE-2021-47136: net: zero-initialize tc skb extension on allocation +Message-Id: <2024032553-CVE-2021-47136-407d@gregkh> +Content-Length: 6783 +Lines: 139 +X-Developer-Signature: v=1; a=openpgp-sha256; l=6923; + i=gregkh@linuxfoundation.org; h=from:subject:message-id; + bh=KDzzl2ga59kGSf9VccHxu84O9Qq30KTkh3yr5MsGMcs=; + b=owGbwMvMwCRo6H6F97bub03G02pJDGmMdi/vVf5md30u/PPLkhsKtn7Jhwsceu9HGMaduF+7s + H1rbUtvRywLgyATg6yYIsuXbTxH91ccUvQytD0NM4eVCWQIAxenAEyEYzPDHL5Z529s88o7H/Bk + ksnEO/aHTusY1jPMjyhb/DtvZd3bVwX9z/52lH2/xT75OwA= +X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp; + fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29 + +Description +=========== + +In the Linux kernel, the following vulnerability has been resolved: + +net: zero-initialize tc skb extension on allocation + +Function skb_ext_add() doesn't initialize created skb extension with any +value and leaves it up to the user. However, since extension of type +TC_SKB_EXT originally contained only single value tc_skb_ext->chain its +users used to just assign the chain value without setting whole extension +memory to zero first. This assumption changed when TC_SKB_EXT extension was +extended with additional fields but not all users were updated to +initialize the new fields which leads to use of uninitialized memory +afterwards. UBSAN log: + +[ 778.299821] UBSAN: invalid-load in net/openvswitch/flow.c:899:28 +[ 778.301495] load of value 107 is not a valid value for type '_Bool' +[ 778.303215] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.12.0-rc7+ #2 +[ 778.304933] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 +[ 778.307901] Call Trace: +[ 778.308680] <IRQ> +[ 778.309358] dump_stack+0xbb/0x107 +[ 778.310307] ubsan_epilogue+0x5/0x40 +[ 778.311167] __ubsan_handle_load_invalid_value.cold+0x43/0x48 +[ 778.312454] ? memset+0x20/0x40 +[ 778.313230] ovs_flow_key_extract.cold+0xf/0x14 [openvswitch] +[ 778.314532] ovs_vport_receive+0x19e/0x2e0 [openvswitch] +[ 778.315749] ? ovs_vport_find_upcall_portid+0x330/0x330 [openvswitch] +[ 778.317188] ? create_prof_cpu_mask+0x20/0x20 +[ 778.318220] ? arch_stack_walk+0x82/0xf0 +[ 778.319153] ? secondary_startup_64_no_verify+0xb0/0xbb +[ 778.320399] ? stack_trace_save+0x91/0xc0 +[ 778.321362] ? stack_trace_consume_entry+0x160/0x160 +[ 778.322517] ? lock_release+0x52e/0x760 +[ 778.323444] netdev_frame_hook+0x323/0x610 [openvswitch] +[ 778.324668] ? ovs_netdev_get_vport+0xe0/0xe0 [openvswitch] +[ 778.325950] __netif_receive_skb_core+0x771/0x2db0 +[ 778.327067] ? lock_downgrade+0x6e0/0x6f0 +[ 778.328021] ? lock_acquire+0x565/0x720 +[ 778.328940] ? generic_xdp_tx+0x4f0/0x4f0 +[ 778.329902] ? inet_gro_receive+0x2a7/0x10a0 +[ 778.330914] ? lock_downgrade+0x6f0/0x6f0 +[ 778.331867] ? udp4_gro_receive+0x4c4/0x13e0 +[ 778.332876] ? lock_release+0x52e/0x760 +[ 778.333808] ? dev_gro_receive+0xcc8/0x2380 +[ 778.334810] ? lock_downgrade+0x6f0/0x6f0 +[ 778.335769] __netif_receive_skb_list_core+0x295/0x820 +[ 778.336955] ? process_backlog+0x780/0x780 +[ 778.337941] ? mlx5e_rep_tc_netdevice_event_unregister+0x20/0x20 [mlx5_core] +[ 778.339613] ? seqcount_lockdep_reader_access.constprop.0+0xa7/0xc0 +[ 778.341033] ? kvm_clock_get_cycles+0x14/0x20 +[ 778.342072] netif_receive_skb_list_internal+0x5f5/0xcb0 +[ 778.343288] ? __kasan_kmalloc+0x7a/0x90 +[ 778.344234] ? mlx5e_handle_rx_cqe_mpwrq+0x9e0/0x9e0 [mlx5_core] +[ 778.345676] ? mlx5e_xmit_xdp_frame_mpwqe+0x14d0/0x14d0 [mlx5_core] +[ 778.347140] ? __netif_receive_skb_list_core+0x820/0x820 +[ 778.348351] ? mlx5e_post_rx_mpwqes+0xa6/0x25d0 [mlx5_core] +[ 778.349688] ? napi_gro_flush+0x26c/0x3c0 +[ 778.350641] napi_complete_done+0x188/0x6b0 +[ 778.351627] mlx5e_napi_poll+0x373/0x1b80 [mlx5_core] +[ 778.352853] __napi_poll+0x9f/0x510 +[ 778.353704] ? mlx5_flow_namespace_set_mode+0x260/0x260 [mlx5_core] +[ 778.355158] net_rx_action+0x34c/0xa40 +[ 778.356060] ? napi_threaded_poll+0x3d0/0x3d0 +[ 778.357083] ? sched_clock_cpu+0x18/0x190 +[ 778.358041] ? __common_interrupt+0x8e/0x1a0 +[ 778.359045] __do_softirq+0x1ce/0x984 +[ 778.359938] __irq_exit_rcu+0x137/0x1d0 +[ 778.360865] irq_exit_rcu+0xa/0x20 +[ 778.361708] common_interrupt+0x80/0xa0 +[ 778.362640] </IRQ> +[ 778.363212] asm_common_interrupt+0x1e/0x40 +[ 778.364204] RIP: 0010:native_safe_halt+0xe/0x10 +[ 778.365273] Code: 4f ff ff ff 4c 89 e7 e8 50 3f 40 fe e9 dc fe ff ff 48 89 df e8 43 3f 40 fe eb 90 cc e9 07 00 00 00 0f 00 2d 74 05 62 00 fb f4 <c3> 90 e9 07 00 00 00 0f 00 2d 64 05 62 00 f4 c3 cc cc 0f 1f 44 00 +[ 778.369355] RSP: 0018:ffffffff84407e48 EFLAGS: 00000246 +[ 778.370570] RAX: ffff88842de46a80 RBX: ffffffff84425840 RCX: ffffffff83418468 +[ 778.372143] RDX: 000000000026f1da RSI: 0000000000000004 RDI: ffffffff8343af5e +[ 778.373722] RBP: fffffbfff0884b08 R08: 0000000000000000 R09: ffff88842de46bcb +[ 778.375292] R10: ffffed1085bc8d79 R11: 0000000000000001 R12: 0000000000000000 +[ 778.376860] R13: ffffffff851124a0 R14: 0000000000000000 R15: dffffc0000000000 +[ 778.378491] ? rcu_eqs_enter.constprop.0+0xb8/0xe0 +[ 778.379606] ? default_idle_call+0x5e/0xe0 +[ 778.380578] default_idle+0xa/0x10 +[ 778.381406] default_idle_call+0x96/0xe0 +[ 778.382350] do_idle+0x3d4/0x550 +[ 778.383153] ? arch_cpu_idle_exit+0x40/0x40 +[ 778.384143] cpu_startup_entry+0x19/0x20 +[ 778.385078] start_kernel+0x3c7/0x3e5 +[ 778.385978] secondary_startup_64_no_verify+0xb0/0xbb + +Fix the issue by providing new function tc_skb_ext_alloc() that allocates +tc skb extension and initializes its memory to 0 before returning it to the +caller. Change all existing users to use new API instead of calling +skb_ext_add() directly. + +The Linux kernel CVE team has assigned CVE-2021-47136 to this issue. + + +Affected and fixed versions +=========================== + + Issue introduced in 5.9 with commit d29334c15d33 and fixed in 5.10.42 with commit ac493452e937 + Issue introduced in 5.9 with commit d29334c15d33 and fixed in 5.12.9 with commit 86ab133b695e + Issue introduced in 5.9 with commit d29334c15d33 and fixed in 5.13 with commit 9453d45ecb6c + +Please see https://www.kernel.org for a full list of currently supported +kernel versions by the kernel community. + +Unaffected versions might change over time as fixes are backported to +older supported kernel versions. The official CVE entry at + https://cve.org/CVERecord/?id=CVE-2021-47136 +will be updated if fixes are backported, please check that for the most +up to date information about this issue. + + +Affected files +============== + +The file(s) affected by this issue are: + drivers/net/ethernet/mellanox/mlx5/core/en/rep/tc.c + drivers/net/ethernet/mellanox/mlx5/core/en_tc.c + include/net/pkt_cls.h + net/sched/cls_api.c + + +Mitigation +========== + +The Linux kernel CVE team recommends that you update to the latest +stable kernel version for this, and many other bugfixes. Individual +changes are never tested alone, but rather are part of a larger kernel +release. Cherry-picking individual commits is not recommended or +supported by the Linux kernel community at all. If however, updating to +the latest release is impossible, the individual changes to resolve this +issue can be found at these commits: + https://git.kernel.org/stable/c/ac493452e937b8939eaf2d24cac51a4804b6c20e + https://git.kernel.org/stable/c/86ab133b695ed7ba1f8786b12f4ca43137ad8c18 + https://git.kernel.org/stable/c/9453d45ecb6c2199d72e73c993e9d98677a2801b diff --git a/cve/published/2021/CVE-2021-47136.sha1 b/cve/published/2021/CVE-2021-47136.sha1 new file mode 100644 index 00000000..56d1bedb --- /dev/null +++ b/cve/published/2021/CVE-2021-47136.sha1 @@ -0,0 +1 @@ +9453d45ecb6c2199d72e73c993e9d98677a2801b diff --git a/cve/reserved/2021/CVE-2021-47137 b/cve/published/2021/CVE-2021-47137 index e69de29b..e69de29b 100644 --- a/cve/reserved/2021/CVE-2021-47137 +++ b/cve/published/2021/CVE-2021-47137 diff --git a/cve/published/2021/CVE-2021-47137.json b/cve/published/2021/CVE-2021-47137.json new file mode 100644 index 00000000..69932ae9 --- /dev/null +++ b/cve/published/2021/CVE-2021-47137.json @@ -0,0 +1,118 @@ +{ + "containers": { + "cna": { + "providerMetadata": { + "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" + }, + "descriptions": [ + { + "lang": "en", + "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: lantiq: fix memory corruption in RX ring\n\nIn a situation where memory allocation or dma mapping fails, an\ninvalid address is programmed into the descriptor. This can lead\nto memory corruption. If the memory allocation fails, DMA should\nreuse the previous skb and mapping and drop the packet. This patch\nalso increments rx drop counter." + } + ], + "affected": [ + { + "product": "Linux", + "vendor": "Linux", + "defaultStatus": "unaffected", + "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", + "versions": [ + { + "version": "fe1a56420cf2", + "lessThan": "8bb1077448d4", + "status": "affected", + "versionType": "git" + }, + { + "version": "fe1a56420cf2", + "lessThan": "5ac72351655f", + "status": "affected", + "versionType": "git" + }, + { + "version": "fe1a56420cf2", + "lessThan": "46dd4abced3c", + "status": "affected", + "versionType": "git" + }, + { + "version": "fe1a56420cf2", + "lessThan": "c7718ee96dbc", + "status": "affected", + "versionType": "git" + } + ] + }, + { + "product": "Linux", + "vendor": "Linux", + "defaultStatus": "affected", + "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", + "versions": [ + { + "version": "4.20", + "status": "affected" + }, + { + "version": "0", + "lessThan": "4.20", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.4.124", + "lessThanOrEqual": "5.4.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.10.42", + "lessThanOrEqual": "5.10.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.12.9", + "lessThanOrEqual": "5.12.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.13", + "lessThanOrEqual": "*", + "status": "unaffected", + "versionType": "original_commit_for_fix" + } + ] + } + ], + "references": [ + { + "url": "https://git.kernel.org/stable/c/8bb1077448d43a871ed667520763e3b9f9b7975d" + }, + { + "url": "https://git.kernel.org/stable/c/5ac72351655f8b033a2935646f53b7465c903418" + }, + { + "url": "https://git.kernel.org/stable/c/46dd4abced3cb2c912916f4a5353e0927db0c4a2" + }, + { + "url": "https://git.kernel.org/stable/c/c7718ee96dbc2f9c5fc3b578abdf296dd44b9c20" + } + ], + "title": "net: lantiq: fix memory corruption in RX ring", + "x_generator": { + "engine": "bippy-b4257b672505" + } + } + }, + "cveMetadata": { + "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", + "cveID": "CVE-2021-47137", + "requesterUserId": "gregkh@kernel.org", + "serial": "1", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.0" +} diff --git a/cve/published/2021/CVE-2021-47137.mbox b/cve/published/2021/CVE-2021-47137.mbox new file mode 100644 index 00000000..f69f813f --- /dev/null +++ b/cve/published/2021/CVE-2021-47137.mbox @@ -0,0 +1,72 @@ +From bippy-b4257b672505 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +To: <linux-cve-announce@vger.kernel.org> +Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> +Subject: CVE-2021-47137: net: lantiq: fix memory corruption in RX ring +Message-Id: <2024032556-CVE-2021-47137-7c8e@gregkh> +Content-Length: 2240 +Lines: 55 +X-Developer-Signature: v=1; a=openpgp-sha256; l=2296; + i=gregkh@linuxfoundation.org; h=from:subject:message-id; + bh=UpbjF2+KJDb0tHfoFAqFxp6Fvoex/E1paS+V4ku9b9E=; + b=owGbwMvMwCRo6H6F97bub03G02pJDGmMdm/Y3vN+kW7zvpPc2RwpXre97eNs+8z6py+2Ly2Yd + 1OorU6sI5aFQZCJQVZMkeXLNp6j+ysOKXoZ2p6GmcPKBDKEgYtTACaSV8gwT2Gz+s2fFXtmxc35 + tnAjk5Z888VvWgwLDt04178/Z2fX7qpJR89an7Z4f3BDIwA= +X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp; + fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29 + +Description +=========== + +In the Linux kernel, the following vulnerability has been resolved: + +net: lantiq: fix memory corruption in RX ring + +In a situation where memory allocation or dma mapping fails, an +invalid address is programmed into the descriptor. This can lead +to memory corruption. If the memory allocation fails, DMA should +reuse the previous skb and mapping and drop the packet. This patch +also increments rx drop counter. + +The Linux kernel CVE team has assigned CVE-2021-47137 to this issue. + + +Affected and fixed versions +=========================== + + Issue introduced in 4.20 with commit fe1a56420cf2 and fixed in 5.4.124 with commit 8bb1077448d4 + Issue introduced in 4.20 with commit fe1a56420cf2 and fixed in 5.10.42 with commit 5ac72351655f + Issue introduced in 4.20 with commit fe1a56420cf2 and fixed in 5.12.9 with commit 46dd4abced3c + Issue introduced in 4.20 with commit fe1a56420cf2 and fixed in 5.13 with commit c7718ee96dbc + +Please see https://www.kernel.org for a full list of currently supported +kernel versions by the kernel community. + +Unaffected versions might change over time as fixes are backported to +older supported kernel versions. The official CVE entry at + https://cve.org/CVERecord/?id=CVE-2021-47137 +will be updated if fixes are backported, please check that for the most +up to date information about this issue. + + +Affected files +============== + +The file(s) affected by this issue are: + drivers/net/ethernet/lantiq_xrx200.c + + +Mitigation +========== + +The Linux kernel CVE team recommends that you update to the latest +stable kernel version for this, and many other bugfixes. Individual +changes are never tested alone, but rather are part of a larger kernel +release. Cherry-picking individual commits is not recommended or +supported by the Linux kernel community at all. If however, updating to +the latest release is impossible, the individual changes to resolve this +issue can be found at these commits: + https://git.kernel.org/stable/c/8bb1077448d43a871ed667520763e3b9f9b7975d + https://git.kernel.org/stable/c/5ac72351655f8b033a2935646f53b7465c903418 + https://git.kernel.org/stable/c/46dd4abced3cb2c912916f4a5353e0927db0c4a2 + https://git.kernel.org/stable/c/c7718ee96dbc2f9c5fc3b578abdf296dd44b9c20 diff --git a/cve/published/2021/CVE-2021-47137.sha1 b/cve/published/2021/CVE-2021-47137.sha1 new file mode 100644 index 00000000..5dde09cc --- /dev/null +++ b/cve/published/2021/CVE-2021-47137.sha1 @@ -0,0 +1 @@ +c7718ee96dbc2f9c5fc3b578abdf296dd44b9c20 diff --git a/cve/reserved/2021/CVE-2021-47138 b/cve/published/2021/CVE-2021-47138 index e69de29b..e69de29b 100644 --- a/cve/reserved/2021/CVE-2021-47138 +++ b/cve/published/2021/CVE-2021-47138 diff --git a/cve/published/2021/CVE-2021-47138.json b/cve/published/2021/CVE-2021-47138.json new file mode 100644 index 00000000..f0f87c36 --- /dev/null +++ b/cve/published/2021/CVE-2021-47138.json @@ -0,0 +1,118 @@ +{ + "containers": { + "cna": { + "providerMetadata": { + "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" + }, + "descriptions": [ + { + "lang": "en", + "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxgb4: avoid accessing registers when clearing filters\n\nHardware register having the server TID base can contain\ninvalid values when adapter is in bad state (for example,\ndue to AER fatal error). Reading these invalid values in the\nregister can lead to out-of-bound memory access. So, fix\nby using the saved server TID base when clearing filters." + } + ], + "affected": [ + { + "product": "Linux", + "vendor": "Linux", + "defaultStatus": "unaffected", + "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", + "versions": [ + { + "version": "b1a79360ee86", + "lessThan": "0bf49b3c8d8b", + "status": "affected", + "versionType": "git" + }, + { + "version": "b1a79360ee86", + "lessThan": "02f03883fdb1", + "status": "affected", + "versionType": "git" + }, + { + "version": "b1a79360ee86", + "lessThan": "285207a558ab", + "status": "affected", + "versionType": "git" + }, + { + "version": "b1a79360ee86", + "lessThan": "88c380df84fb", + "status": "affected", + "versionType": "git" + } + ] + }, + { + "product": "Linux", + "vendor": "Linux", + "defaultStatus": "affected", + "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", + "versions": [ + { + "version": "5.2", + "status": "affected" + }, + { + "version": "0", + "lessThan": "5.2", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.4.124", + "lessThanOrEqual": "5.4.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.10.42", + "lessThanOrEqual": "5.10.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.12.9", + "lessThanOrEqual": "5.12.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.13", + "lessThanOrEqual": "*", + "status": "unaffected", + "versionType": "original_commit_for_fix" + } + ] + } + ], + "references": [ + { + "url": "https://git.kernel.org/stable/c/0bf49b3c8d8b3a43ce09f1b2db70e5484d31fcdf" + }, + { + "url": "https://git.kernel.org/stable/c/02f03883fdb10ad7e66717c70ea163a8d27ae6e7" + }, + { + "url": "https://git.kernel.org/stable/c/285207a558ab456aa7d8aa877ecc7e91fcc51710" + }, + { + "url": "https://git.kernel.org/stable/c/88c380df84fbd03f9b137c2b9d0a44b9f2f553b0" + } + ], + "title": "cxgb4: avoid accessing registers when clearing filters", + "x_generator": { + "engine": "bippy-b4257b672505" + } + } + }, + "cveMetadata": { + "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", + "cveID": "CVE-2021-47138", + "requesterUserId": "gregkh@kernel.org", + "serial": "1", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.0" +} diff --git a/cve/published/2021/CVE-2021-47138.mbox b/cve/published/2021/CVE-2021-47138.mbox new file mode 100644 index 00000000..7964dfd0 --- /dev/null +++ b/cve/published/2021/CVE-2021-47138.mbox @@ -0,0 +1,72 @@ +From bippy-b4257b672505 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +To: <linux-cve-announce@vger.kernel.org> +Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> +Subject: CVE-2021-47138: cxgb4: avoid accessing registers when clearing filters +Message-Id: <2024032557-CVE-2021-47138-9241@gregkh> +Content-Length: 2255 +Lines: 55 +X-Developer-Signature: v=1; a=openpgp-sha256; l=2311; + i=gregkh@linuxfoundation.org; h=from:subject:message-id; + bh=qp9s3AOisLRwmLGd9gGWsTRl/E49+1zSmRAz8NuOahQ=; + b=owGbwMvMwCRo6H6F97bub03G02pJDGmMdm/DXQ96BeY+1vh2QILhaAH7wrVzkgM/yqf91pEIP + FYgVXigI5aFQZCJQVZMkeXLNp6j+ysOKXoZ2p6GmcPKBDKEgYtTACbyYjXDgoVsEZ/X1sj/P3nE + I+fb9DDWgwF6qxgWLNbaMt9Y909X9mShboOqzUtW9hs8AQA= +X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp; + fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29 + +Description +=========== + +In the Linux kernel, the following vulnerability has been resolved: + +cxgb4: avoid accessing registers when clearing filters + +Hardware register having the server TID base can contain +invalid values when adapter is in bad state (for example, +due to AER fatal error). Reading these invalid values in the +register can lead to out-of-bound memory access. So, fix +by using the saved server TID base when clearing filters. + +The Linux kernel CVE team has assigned CVE-2021-47138 to this issue. + + +Affected and fixed versions +=========================== + + Issue introduced in 5.2 with commit b1a79360ee86 and fixed in 5.4.124 with commit 0bf49b3c8d8b + Issue introduced in 5.2 with commit b1a79360ee86 and fixed in 5.10.42 with commit 02f03883fdb1 + Issue introduced in 5.2 with commit b1a79360ee86 and fixed in 5.12.9 with commit 285207a558ab + Issue introduced in 5.2 with commit b1a79360ee86 and fixed in 5.13 with commit 88c380df84fb + +Please see https://www.kernel.org for a full list of currently supported +kernel versions by the kernel community. + +Unaffected versions might change over time as fixes are backported to +older supported kernel versions. The official CVE entry at + https://cve.org/CVERecord/?id=CVE-2021-47138 +will be updated if fixes are backported, please check that for the most +up to date information about this issue. + + +Affected files +============== + +The file(s) affected by this issue are: + drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c + + +Mitigation +========== + +The Linux kernel CVE team recommends that you update to the latest +stable kernel version for this, and many other bugfixes. Individual +changes are never tested alone, but rather are part of a larger kernel +release. Cherry-picking individual commits is not recommended or +supported by the Linux kernel community at all. If however, updating to +the latest release is impossible, the individual changes to resolve this +issue can be found at these commits: + https://git.kernel.org/stable/c/0bf49b3c8d8b3a43ce09f1b2db70e5484d31fcdf + https://git.kernel.org/stable/c/02f03883fdb10ad7e66717c70ea163a8d27ae6e7 + https://git.kernel.org/stable/c/285207a558ab456aa7d8aa877ecc7e91fcc51710 + https://git.kernel.org/stable/c/88c380df84fbd03f9b137c2b9d0a44b9f2f553b0 diff --git a/cve/published/2021/CVE-2021-47138.sha1 b/cve/published/2021/CVE-2021-47138.sha1 new file mode 100644 index 00000000..b5ca51ff --- /dev/null +++ b/cve/published/2021/CVE-2021-47138.sha1 @@ -0,0 +1 @@ +88c380df84fbd03f9b137c2b9d0a44b9f2f553b0 diff --git a/cve/reserved/2021/CVE-2021-47139 b/cve/published/2021/CVE-2021-47139 index e69de29b..e69de29b 100644 --- a/cve/reserved/2021/CVE-2021-47139 +++ b/cve/published/2021/CVE-2021-47139 diff --git a/cve/published/2021/CVE-2021-47139.json b/cve/published/2021/CVE-2021-47139.json new file mode 100644 index 00000000..1111a2da --- /dev/null +++ b/cve/published/2021/CVE-2021-47139.json @@ -0,0 +1,103 @@ +{ + "containers": { + "cna": { + "providerMetadata": { + "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" + }, + "descriptions": [ + { + "lang": "en", + "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: put off calling register_netdev() until client initialize complete\n\nCurrently, the netdevice is registered before client initializing\ncomplete. So there is a timewindow between netdevice available\nand usable. In this case, if user try to change the channel number\nor ring param, it may cause the hns3_set_rx_cpu_rmap() being called\ntwice, and report bug.\n\n[47199.416502] hns3 0000:35:00.0 eth1: set channels: tqp_num=1, rxfh=0\n[47199.430340] hns3 0000:35:00.0 eth1: already uninitialized\n[47199.438554] hns3 0000:35:00.0: rss changes from 4 to 1\n[47199.511854] hns3 0000:35:00.0: Channels changed, rss_size from 4 to 1, tqps from 4 to 1\n[47200.163524] ------------[ cut here ]------------\n[47200.171674] kernel BUG at lib/cpu_rmap.c:142!\n[47200.177847] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP\n[47200.185259] Modules linked in: hclge(+) hns3(-) hns3_cae(O) hns_roce_hw_v2 hnae3 vfio_iommu_type1 vfio_pci vfio_virqfd vfio pv680_mii(O) [last unloaded: hclge]\n[47200.205912] CPU: 1 PID: 8260 Comm: ethtool Tainted: G O 5.11.0-rc3+ #1\n[47200.215601] Hardware name: , xxxxxx 02/04/2021\n[47200.223052] pstate: 60400009 (nZCv daif +PAN -UAO -TCO BTYPE=--)\n[47200.230188] pc : cpu_rmap_add+0x38/0x40\n[47200.237472] lr : irq_cpu_rmap_add+0x84/0x140\n[47200.243291] sp : ffff800010e93a30\n[47200.247295] x29: ffff800010e93a30 x28: ffff082100584880\n[47200.254155] x27: 0000000000000000 x26: 0000000000000000\n[47200.260712] x25: 0000000000000000 x24: 0000000000000004\n[47200.267241] x23: ffff08209ba03000 x22: ffff08209ba038c0\n[47200.273789] x21: 000000000000003f x20: ffff0820e2bc1680\n[47200.280400] x19: ffff0820c970ec80 x18: 00000000000000c0\n[47200.286944] x17: 0000000000000000 x16: ffffb43debe4a0d0\n[47200.293456] x15: fffffc2082990600 x14: dead000000000122\n[47200.300059] x13: ffffffffffffffff x12: 000000000000003e\n[47200.306606] x11: ffff0820815b8080 x10: ffff53e411988000\n[47200.313171] x9 : 0000000000000000 x8 : ffff0820e2bc1700\n[47200.319682] x7 : 0000000000000000 x6 : 000000000000003f\n[47200.326170] x5 : 0000000000000040 x4 : ffff800010e93a20\n[47200.332656] x3 : 0000000000000004 x2 : ffff0820c970ec80\n[47200.339168] x1 : ffff0820e2bc1680 x0 : 0000000000000004\n[47200.346058] Call trace:\n[47200.349324] cpu_rmap_add+0x38/0x40\n[47200.354300] hns3_set_rx_cpu_rmap+0x6c/0xe0 [hns3]\n[47200.362294] hns3_reset_notify_init_enet+0x1cc/0x340 [hns3]\n[47200.370049] hns3_change_channels+0x40/0xb0 [hns3]\n[47200.376770] hns3_set_channels+0x12c/0x2a0 [hns3]\n[47200.383353] ethtool_set_channels+0x140/0x250\n[47200.389772] dev_ethtool+0x714/0x23d0\n[47200.394440] dev_ioctl+0x4cc/0x640\n[47200.399277] sock_do_ioctl+0x100/0x2a0\n[47200.404574] sock_ioctl+0x28c/0x470\n[47200.409079] __arm64_sys_ioctl+0xb4/0x100\n[47200.415217] el0_svc_common.constprop.0+0x84/0x210\n[47200.422088] do_el0_svc+0x28/0x34\n[47200.426387] el0_svc+0x28/0x70\n[47200.431308] el0_sync_handler+0x1a4/0x1b0\n[47200.436477] el0_sync+0x174/0x180\n[47200.441562] Code: 11000405 79000c45 f8247861 d65f03c0 (d4210000)\n[47200.448869] ---[ end trace a01efe4ce42e5f34 ]---\n\nThe process is like below:\nexcuting hns3_client_init\n|\nregister_netdev()\n| hns3_set_channels()\n| |\nhns3_set_rx_cpu_rmap() hns3_reset_notify_uninit_enet()\n| |\n| quit without calling function\n| hns3_free_rx_cpu_rmap for flag\n| HNS3_NIC_STATE_INITED is unset.\n| |\n| hns3_reset_notify_init_enet()\n| |\nset HNS3_NIC_STATE_INITED call hns3_set_rx_cpu_rmap()-- crash\n\nFix it by calling register_netdev() at the end of function\nhns3_client_init()." + } + ], + "affected": [ + { + "product": "Linux", + "vendor": "Linux", + "defaultStatus": "unaffected", + "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", + "versions": [ + { + "version": "08a100689d4b", + "lessThan": "a663c1e418a3", + "status": "affected", + "versionType": "git" + }, + { + "version": "08a100689d4b", + "lessThan": "0921a0620b50", + "status": "affected", + "versionType": "git" + }, + { + "version": "08a100689d4b", + "lessThan": "a289a7e5c1d4", + "status": "affected", + "versionType": "git" + } + ] + }, + { + "product": "Linux", + "vendor": "Linux", + "defaultStatus": "affected", + "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", + "versions": [ + { + "version": "5.6", + "status": "affected" + }, + { + "version": "0", + "lessThan": "5.6", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.10.42", + "lessThanOrEqual": "5.10.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.12.9", + "lessThanOrEqual": "5.12.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.13", + "lessThanOrEqual": "*", + "status": "unaffected", + "versionType": "original_commit_for_fix" + } + ] + } + ], + "references": [ + { + "url": "https://git.kernel.org/stable/c/a663c1e418a3b5b8e8edfad4bc8e7278c312d6fc" + }, + { + "url": "https://git.kernel.org/stable/c/0921a0620b5077796fddffb22a8e6bc635a4bb50" + }, + { + "url": "https://git.kernel.org/stable/c/a289a7e5c1d49b7d47df9913c1cc81fb48fab613" + } + ], + "title": "net: hns3: put off calling register_netdev() until client initialize complete", + "x_generator": { + "engine": "bippy-b4257b672505" + } + } + }, + "cveMetadata": { + "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", + "cveID": "CVE-2021-47139", + "requesterUserId": "gregkh@kernel.org", + "serial": "1", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.0" +} diff --git a/cve/published/2021/CVE-2021-47139.mbox b/cve/published/2021/CVE-2021-47139.mbox new file mode 100644 index 00000000..9a4db92d --- /dev/null +++ b/cve/published/2021/CVE-2021-47139.mbox @@ -0,0 +1,138 @@ +From bippy-b4257b672505 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +To: <linux-cve-announce@vger.kernel.org> +Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> +Subject: CVE-2021-47139: net: hns3: put off calling register_netdev() until client initialize complete +Message-Id: <2024032557-CVE-2021-47139-994d@gregkh> +Content-Length: 5495 +Lines: 121 +X-Developer-Signature: v=1; a=openpgp-sha256; l=5617; + i=gregkh@linuxfoundation.org; h=from:subject:message-id; + bh=u74KuGePYdwhO65xkT8m/7eawvCVddPUqbUsdgV9Iq0=; + b=owGbwMvMwCRo6H6F97bub03G02pJDGmMdm9TWIUDdzzaL+3z4eHZNz9uTt9ms79ijxe7o6jM2 + eCFZ84+7ohlYRBkYpAVU2T5so3n6P6KQ4pehranYeawMoEMYeDiFICJbPJmmO94VOLhhZbcmd+6 + vzdVl2btiDE57smwYPfXfYovrGXvBrnqdz9ytpeIvW09AwA= +X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp; + fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29 + +Description +=========== + +In the Linux kernel, the following vulnerability has been resolved: + +net: hns3: put off calling register_netdev() until client initialize complete + +Currently, the netdevice is registered before client initializing +complete. So there is a timewindow between netdevice available +and usable. In this case, if user try to change the channel number +or ring param, it may cause the hns3_set_rx_cpu_rmap() being called +twice, and report bug. + +[47199.416502] hns3 0000:35:00.0 eth1: set channels: tqp_num=1, rxfh=0 +[47199.430340] hns3 0000:35:00.0 eth1: already uninitialized +[47199.438554] hns3 0000:35:00.0: rss changes from 4 to 1 +[47199.511854] hns3 0000:35:00.0: Channels changed, rss_size from 4 to 1, tqps from 4 to 1 +[47200.163524] ------------[ cut here ]------------ +[47200.171674] kernel BUG at lib/cpu_rmap.c:142! +[47200.177847] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP +[47200.185259] Modules linked in: hclge(+) hns3(-) hns3_cae(O) hns_roce_hw_v2 hnae3 vfio_iommu_type1 vfio_pci vfio_virqfd vfio pv680_mii(O) [last unloaded: hclge] +[47200.205912] CPU: 1 PID: 8260 Comm: ethtool Tainted: G O 5.11.0-rc3+ #1 +[47200.215601] Hardware name: , xxxxxx 02/04/2021 +[47200.223052] pstate: 60400009 (nZCv daif +PAN -UAO -TCO BTYPE=--) +[47200.230188] pc : cpu_rmap_add+0x38/0x40 +[47200.237472] lr : irq_cpu_rmap_add+0x84/0x140 +[47200.243291] sp : ffff800010e93a30 +[47200.247295] x29: ffff800010e93a30 x28: ffff082100584880 +[47200.254155] x27: 0000000000000000 x26: 0000000000000000 +[47200.260712] x25: 0000000000000000 x24: 0000000000000004 +[47200.267241] x23: ffff08209ba03000 x22: ffff08209ba038c0 +[47200.273789] x21: 000000000000003f x20: ffff0820e2bc1680 +[47200.280400] x19: ffff0820c970ec80 x18: 00000000000000c0 +[47200.286944] x17: 0000000000000000 x16: ffffb43debe4a0d0 +[47200.293456] x15: fffffc2082990600 x14: dead000000000122 +[47200.300059] x13: ffffffffffffffff x12: 000000000000003e +[47200.306606] x11: ffff0820815b8080 x10: ffff53e411988000 +[47200.313171] x9 : 0000000000000000 x8 : ffff0820e2bc1700 +[47200.319682] x7 : 0000000000000000 x6 : 000000000000003f +[47200.326170] x5 : 0000000000000040 x4 : ffff800010e93a20 +[47200.332656] x3 : 0000000000000004 x2 : ffff0820c970ec80 +[47200.339168] x1 : ffff0820e2bc1680 x0 : 0000000000000004 +[47200.346058] Call trace: +[47200.349324] cpu_rmap_add+0x38/0x40 +[47200.354300] hns3_set_rx_cpu_rmap+0x6c/0xe0 [hns3] +[47200.362294] hns3_reset_notify_init_enet+0x1cc/0x340 [hns3] +[47200.370049] hns3_change_channels+0x40/0xb0 [hns3] +[47200.376770] hns3_set_channels+0x12c/0x2a0 [hns3] +[47200.383353] ethtool_set_channels+0x140/0x250 +[47200.389772] dev_ethtool+0x714/0x23d0 +[47200.394440] dev_ioctl+0x4cc/0x640 +[47200.399277] sock_do_ioctl+0x100/0x2a0 +[47200.404574] sock_ioctl+0x28c/0x470 +[47200.409079] __arm64_sys_ioctl+0xb4/0x100 +[47200.415217] el0_svc_common.constprop.0+0x84/0x210 +[47200.422088] do_el0_svc+0x28/0x34 +[47200.426387] el0_svc+0x28/0x70 +[47200.431308] el0_sync_handler+0x1a4/0x1b0 +[47200.436477] el0_sync+0x174/0x180 +[47200.441562] Code: 11000405 79000c45 f8247861 d65f03c0 (d4210000) +[47200.448869] ---[ end trace a01efe4ce42e5f34 ]--- + +The process is like below: +excuting hns3_client_init +| +register_netdev() +| hns3_set_channels() +| | +hns3_set_rx_cpu_rmap() hns3_reset_notify_uninit_enet() +| | +| quit without calling function +| hns3_free_rx_cpu_rmap for flag +| HNS3_NIC_STATE_INITED is unset. +| | +| hns3_reset_notify_init_enet() +| | +set HNS3_NIC_STATE_INITED call hns3_set_rx_cpu_rmap()-- crash + +Fix it by calling register_netdev() at the end of function +hns3_client_init(). + +The Linux kernel CVE team has assigned CVE-2021-47139 to this issue. + + +Affected and fixed versions +=========================== + + Issue introduced in 5.6 with commit 08a100689d4b and fixed in 5.10.42 with commit a663c1e418a3 + Issue introduced in 5.6 with commit 08a100689d4b and fixed in 5.12.9 with commit 0921a0620b50 + Issue introduced in 5.6 with commit 08a100689d4b and fixed in 5.13 with commit a289a7e5c1d4 + +Please see https://www.kernel.org for a full list of currently supported +kernel versions by the kernel community. + +Unaffected versions might change over time as fixes are backported to +older supported kernel versions. The official CVE entry at + https://cve.org/CVERecord/?id=CVE-2021-47139 +will be updated if fixes are backported, please check that for the most +up to date information about this issue. + + +Affected files +============== + +The file(s) affected by this issue are: + drivers/net/ethernet/hisilicon/hns3/hns3_enet.c + + +Mitigation +========== + +The Linux kernel CVE team recommends that you update to the latest +stable kernel version for this, and many other bugfixes. Individual +changes are never tested alone, but rather are part of a larger kernel +release. Cherry-picking individual commits is not recommended or +supported by the Linux kernel community at all. If however, updating to +the latest release is impossible, the individual changes to resolve this +issue can be found at these commits: + https://git.kernel.org/stable/c/a663c1e418a3b5b8e8edfad4bc8e7278c312d6fc + https://git.kernel.org/stable/c/0921a0620b5077796fddffb22a8e6bc635a4bb50 + https://git.kernel.org/stable/c/a289a7e5c1d49b7d47df9913c1cc81fb48fab613 diff --git a/cve/published/2021/CVE-2021-47139.sha1 b/cve/published/2021/CVE-2021-47139.sha1 new file mode 100644 index 00000000..3c09896f --- /dev/null +++ b/cve/published/2021/CVE-2021-47139.sha1 @@ -0,0 +1 @@ +a289a7e5c1d49b7d47df9913c1cc81fb48fab613 diff --git a/cve/reserved/2021/CVE-2021-47140 b/cve/published/2021/CVE-2021-47140 index e69de29b..e69de29b 100644 --- a/cve/reserved/2021/CVE-2021-47140 +++ b/cve/published/2021/CVE-2021-47140 diff --git a/cve/published/2021/CVE-2021-47140.json b/cve/published/2021/CVE-2021-47140.json new file mode 100644 index 00000000..97e1b403 --- /dev/null +++ b/cve/published/2021/CVE-2021-47140.json @@ -0,0 +1,88 @@ +{ + "containers": { + "cna": { + "providerMetadata": { + "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" + }, + "descriptions": [ + { + "lang": "en", + "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/amd: Clear DMA ops when switching domain\n\nSince commit 08a27c1c3ecf (\"iommu: Add support to change default domain\nof an iommu group\") a user can switch a device between IOMMU and direct\nDMA through sysfs. This doesn't work for AMD IOMMU at the moment because\ndev->dma_ops is not cleared when switching from a DMA to an identity\nIOMMU domain. The DMA layer thus attempts to use the dma-iommu ops on an\nidentity domain, causing an oops:\n\n # echo 0000:00:05.0 > /sys/sys/bus/pci/drivers/e1000e/unbind\n # echo identity > /sys/bus/pci/devices/0000:00:05.0/iommu_group/type\n # echo 0000:00:05.0 > /sys/sys/bus/pci/drivers/e1000e/bind\n ...\n BUG: kernel NULL pointer dereference, address: 0000000000000028\n ...\n Call Trace:\n iommu_dma_alloc\n e1000e_setup_tx_resources\n e1000e_open\n\nSince iommu_change_dev_def_domain() calls probe_finalize() again, clear\nthe dma_ops there like Vt-d does." + } + ], + "affected": [ + { + "product": "Linux", + "vendor": "Linux", + "defaultStatus": "unaffected", + "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", + "versions": [ + { + "version": "08a27c1c3ecf", + "lessThan": "f3f2cf46291a", + "status": "affected", + "versionType": "git" + }, + { + "version": "08a27c1c3ecf", + "lessThan": "d6177a6556f8", + "status": "affected", + "versionType": "git" + } + ] + }, + { + "product": "Linux", + "vendor": "Linux", + "defaultStatus": "affected", + "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", + "versions": [ + { + "version": "5.11", + "status": "affected" + }, + { + "version": "0", + "lessThan": "5.11", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.12.9", + "lessThanOrEqual": "5.12.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.13", + "lessThanOrEqual": "*", + "status": "unaffected", + "versionType": "original_commit_for_fix" + } + ] + } + ], + "references": [ + { + "url": "https://git.kernel.org/stable/c/f3f2cf46291a693eab21adb94171b0128c2a9ec1" + }, + { + "url": "https://git.kernel.org/stable/c/d6177a6556f853785867e2ec6d5b7f4906f0d809" + } + ], + "title": "iommu/amd: Clear DMA ops when switching domain", + "x_generator": { + "engine": "bippy-b4257b672505" + } + } + }, + "cveMetadata": { + "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", + "cveID": "CVE-2021-47140", + "requesterUserId": "gregkh@kernel.org", + "serial": "1", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.0" +} diff --git a/cve/published/2021/CVE-2021-47140.mbox b/cve/published/2021/CVE-2021-47140.mbox new file mode 100644 index 00000000..77d293ec --- /dev/null +++ b/cve/published/2021/CVE-2021-47140.mbox @@ -0,0 +1,83 @@ +From bippy-b4257b672505 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +To: <linux-cve-announce@vger.kernel.org> +Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> +Subject: CVE-2021-47140: iommu/amd: Clear DMA ops when switching domain +Message-Id: <2024032557-CVE-2021-47140-5dd4@gregkh> +Content-Length: 2451 +Lines: 66 +X-Developer-Signature: v=1; a=openpgp-sha256; l=2518; + i=gregkh@linuxfoundation.org; h=from:subject:message-id; + bh=ReWgKhO3bL/0lXzUcyfuXqqCHI5ZW24rkK1O75u21VU=; + b=owGbwMvMwCRo6H6F97bub03G02pJDGmMdm+N58yMP3H/5kztF5ve7+FkfmPR23d2c/1KpdAVs + e/WCKY3dMSyMAgyMciKKbJ82cZzdH/FIUUvQ9vTMHNYmUCGMHBxCsBEFh1kmF+wnm9ixu8VZhn+ + +/enO0Q8EFmUlsyw4HDOclV3PfYn+Q+ezkkrXf/spO5qLgA= +X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp; + fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29 + +Description +=========== + +In the Linux kernel, the following vulnerability has been resolved: + +iommu/amd: Clear DMA ops when switching domain + +Since commit 08a27c1c3ecf ("iommu: Add support to change default domain +of an iommu group") a user can switch a device between IOMMU and direct +DMA through sysfs. This doesn't work for AMD IOMMU at the moment because +dev->dma_ops is not cleared when switching from a DMA to an identity +IOMMU domain. The DMA layer thus attempts to use the dma-iommu ops on an +identity domain, causing an oops: + + # echo 0000:00:05.0 > /sys/sys/bus/pci/drivers/e1000e/unbind + # echo identity > /sys/bus/pci/devices/0000:00:05.0/iommu_group/type + # echo 0000:00:05.0 > /sys/sys/bus/pci/drivers/e1000e/bind + ... + BUG: kernel NULL pointer dereference, address: 0000000000000028 + ... + Call Trace: + iommu_dma_alloc + e1000e_setup_tx_resources + e1000e_open + +Since iommu_change_dev_def_domain() calls probe_finalize() again, clear +the dma_ops there like Vt-d does. + +The Linux kernel CVE team has assigned CVE-2021-47140 to this issue. + + +Affected and fixed versions +=========================== + + Issue introduced in 5.11 with commit 08a27c1c3ecf and fixed in 5.12.9 with commit f3f2cf46291a + Issue introduced in 5.11 with commit 08a27c1c3ecf and fixed in 5.13 with commit d6177a6556f8 + +Please see https://www.kernel.org for a full list of currently supported +kernel versions by the kernel community. + +Unaffected versions might change over time as fixes are backported to +older supported kernel versions. The official CVE entry at + https://cve.org/CVERecord/?id=CVE-2021-47140 +will be updated if fixes are backported, please check that for the most +up to date information about this issue. + + +Affected files +============== + +The file(s) affected by this issue are: + drivers/iommu/amd/iommu.c + + +Mitigation +========== + +The Linux kernel CVE team recommends that you update to the latest +stable kernel version for this, and many other bugfixes. Individual +changes are never tested alone, but rather are part of a larger kernel +release. Cherry-picking individual commits is not recommended or +supported by the Linux kernel community at all. If however, updating to +the latest release is impossible, the individual changes to resolve this +issue can be found at these commits: + https://git.kernel.org/stable/c/f3f2cf46291a693eab21adb94171b0128c2a9ec1 + https://git.kernel.org/stable/c/d6177a6556f853785867e2ec6d5b7f4906f0d809 diff --git a/cve/published/2021/CVE-2021-47140.sha1 b/cve/published/2021/CVE-2021-47140.sha1 new file mode 100644 index 00000000..9b22346e --- /dev/null +++ b/cve/published/2021/CVE-2021-47140.sha1 @@ -0,0 +1 @@ +d6177a6556f853785867e2ec6d5b7f4906f0d809 diff --git a/cve/reserved/2021/CVE-2021-47141 b/cve/published/2021/CVE-2021-47141 index e69de29b..e69de29b 100644 --- a/cve/reserved/2021/CVE-2021-47141 +++ b/cve/published/2021/CVE-2021-47141 diff --git a/cve/published/2021/CVE-2021-47141.json b/cve/published/2021/CVE-2021-47141.json new file mode 100644 index 00000000..0aa2897f --- /dev/null +++ b/cve/published/2021/CVE-2021-47141.json @@ -0,0 +1,118 @@ +{ + "containers": { + "cna": { + "providerMetadata": { + "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" + }, + "descriptions": [ + { + "lang": "en", + "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngve: Add NULL pointer checks when freeing irqs.\n\nWhen freeing notification blocks, we index priv->msix_vectors.\nIf we failed to allocate priv->msix_vectors (see abort_with_msix_vectors)\nthis could lead to a NULL pointer dereference if the driver is unloaded." + } + ], + "affected": [ + { + "product": "Linux", + "vendor": "Linux", + "defaultStatus": "unaffected", + "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", + "versions": [ + { + "version": "893ce44df565", + "lessThan": "821149ee88c2", + "status": "affected", + "versionType": "git" + }, + { + "version": "893ce44df565", + "lessThan": "da21a35c00ff", + "status": "affected", + "versionType": "git" + }, + { + "version": "893ce44df565", + "lessThan": "5278c75266c5", + "status": "affected", + "versionType": "git" + }, + { + "version": "893ce44df565", + "lessThan": "5218e919c8d0", + "status": "affected", + "versionType": "git" + } + ] + }, + { + "product": "Linux", + "vendor": "Linux", + "defaultStatus": "affected", + "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", + "versions": [ + { + "version": "5.3", + "status": "affected" + }, + { + "version": "0", + "lessThan": "5.3", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.4.124", + "lessThanOrEqual": "5.4.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.10.42", + "lessThanOrEqual": "5.10.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.12.9", + "lessThanOrEqual": "5.12.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.13", + "lessThanOrEqual": "*", + "status": "unaffected", + "versionType": "original_commit_for_fix" + } + ] + } + ], + "references": [ + { + "url": "https://git.kernel.org/stable/c/821149ee88c206fa37e79c1868cc270518484876" + }, + { + "url": "https://git.kernel.org/stable/c/da21a35c00ff1a1794d4f166d3b3fa8db4d0f6fb" + }, + { + "url": "https://git.kernel.org/stable/c/5278c75266c5094d3c0958793bf12fc90300e580" + }, + { + "url": "https://git.kernel.org/stable/c/5218e919c8d06279884aa0baf76778a6817d5b93" + } + ], + "title": "gve: Add NULL pointer checks when freeing irqs.", + "x_generator": { + "engine": "bippy-b4257b672505" + } + } + }, + "cveMetadata": { + "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", + "cveID": "CVE-2021-47141", + "requesterUserId": "gregkh@kernel.org", + "serial": "1", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.0" +} diff --git a/cve/published/2021/CVE-2021-47141.mbox b/cve/published/2021/CVE-2021-47141.mbox new file mode 100644 index 00000000..e8d6c8c2 --- /dev/null +++ b/cve/published/2021/CVE-2021-47141.mbox @@ -0,0 +1,70 @@ +From bippy-b4257b672505 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +To: <linux-cve-announce@vger.kernel.org> +Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> +Subject: CVE-2021-47141: gve: Add NULL pointer checks when freeing irqs. +Message-Id: <2024032557-CVE-2021-47141-ce47@gregkh> +Content-Length: 2160 +Lines: 53 +X-Developer-Signature: v=1; a=openpgp-sha256; l=2214; + i=gregkh@linuxfoundation.org; h=from:subject:message-id; + bh=C0EA1NQwxoC6uNgAZ0XCioosvLu0kpgvZqvDynKPKok=; + b=owGbwMvMwCRo6H6F97bub03G02pJDGmMdu8U2MRcK+Yr/1H7oBS3qz0yp2WG88Voe6ZVv/87b + nt7XHRxRywLgyATg6yYIsuXbTxH91ccUvQytD0NM4eVCWQIAxenAEwkwo5hftzaytzGEI5z177N + /f5x2qonAT9e1TLMU38iuvxR/Ka7Fyax/OEOWdugkffYAAA= +X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp; + fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29 + +Description +=========== + +In the Linux kernel, the following vulnerability has been resolved: + +gve: Add NULL pointer checks when freeing irqs. + +When freeing notification blocks, we index priv->msix_vectors. +If we failed to allocate priv->msix_vectors (see abort_with_msix_vectors) +this could lead to a NULL pointer dereference if the driver is unloaded. + +The Linux kernel CVE team has assigned CVE-2021-47141 to this issue. + + +Affected and fixed versions +=========================== + + Issue introduced in 5.3 with commit 893ce44df565 and fixed in 5.4.124 with commit 821149ee88c2 + Issue introduced in 5.3 with commit 893ce44df565 and fixed in 5.10.42 with commit da21a35c00ff + Issue introduced in 5.3 with commit 893ce44df565 and fixed in 5.12.9 with commit 5278c75266c5 + Issue introduced in 5.3 with commit 893ce44df565 and fixed in 5.13 with commit 5218e919c8d0 + +Please see https://www.kernel.org for a full list of currently supported +kernel versions by the kernel community. + +Unaffected versions might change over time as fixes are backported to +older supported kernel versions. The official CVE entry at + https://cve.org/CVERecord/?id=CVE-2021-47141 +will be updated if fixes are backported, please check that for the most +up to date information about this issue. + + +Affected files +============== + +The file(s) affected by this issue are: + drivers/net/ethernet/google/gve/gve_main.c + + +Mitigation +========== + +The Linux kernel CVE team recommends that you update to the latest +stable kernel version for this, and many other bugfixes. Individual +changes are never tested alone, but rather are part of a larger kernel +release. Cherry-picking individual commits is not recommended or +supported by the Linux kernel community at all. If however, updating to +the latest release is impossible, the individual changes to resolve this +issue can be found at these commits: + https://git.kernel.org/stable/c/821149ee88c206fa37e79c1868cc270518484876 + https://git.kernel.org/stable/c/da21a35c00ff1a1794d4f166d3b3fa8db4d0f6fb + https://git.kernel.org/stable/c/5278c75266c5094d3c0958793bf12fc90300e580 + https://git.kernel.org/stable/c/5218e919c8d06279884aa0baf76778a6817d5b93 diff --git a/cve/published/2021/CVE-2021-47141.sha1 b/cve/published/2021/CVE-2021-47141.sha1 new file mode 100644 index 00000000..052c15a6 --- /dev/null +++ b/cve/published/2021/CVE-2021-47141.sha1 @@ -0,0 +1 @@ +5218e919c8d06279884aa0baf76778a6817d5b93 diff --git a/cve/reserved/2021/CVE-2021-47142 b/cve/published/2021/CVE-2021-47142 index e69de29b..e69de29b 100644 --- a/cve/reserved/2021/CVE-2021-47142 +++ b/cve/published/2021/CVE-2021-47142 diff --git a/cve/published/2021/CVE-2021-47142.json b/cve/published/2021/CVE-2021-47142.json new file mode 100644 index 00000000..b61ad316 --- /dev/null +++ b/cve/published/2021/CVE-2021-47142.json @@ -0,0 +1,168 @@ +{ + "containers": { + "cna": { + "providerMetadata": { + "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" + }, + "descriptions": [ + { + "lang": "en", + "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix a use-after-free\n\nlooks like we forget to set ttm->sg to NULL.\nHit panic below\n\n[ 1235.844104] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b7b4b: 0000 [#1] SMP DEBUG_PAGEALLOC NOPTI\n[ 1235.989074] Call Trace:\n[ 1235.991751] sg_free_table+0x17/0x20\n[ 1235.995667] amdgpu_ttm_backend_unbind.cold+0x4d/0xf7 [amdgpu]\n[ 1236.002288] amdgpu_ttm_backend_destroy+0x29/0x130 [amdgpu]\n[ 1236.008464] ttm_tt_destroy+0x1e/0x30 [ttm]\n[ 1236.013066] ttm_bo_cleanup_memtype_use+0x51/0xa0 [ttm]\n[ 1236.018783] ttm_bo_release+0x262/0xa50 [ttm]\n[ 1236.023547] ttm_bo_put+0x82/0xd0 [ttm]\n[ 1236.027766] amdgpu_bo_unref+0x26/0x50 [amdgpu]\n[ 1236.032809] amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0x7aa/0xd90 [amdgpu]\n[ 1236.040400] kfd_ioctl_alloc_memory_of_gpu+0xe2/0x330 [amdgpu]\n[ 1236.046912] kfd_ioctl+0x463/0x690 [amdgpu]" + } + ], + "affected": [ + { + "product": "Linux", + "vendor": "Linux", + "defaultStatus": "unaffected", + "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", + "versions": [ + { + "version": "1da177e4c3f4", + "lessThan": "0707c3fea810", + "status": "affected", + "versionType": "git" + }, + { + "version": "1da177e4c3f4", + "lessThan": "3293cf3513d6", + "status": "affected", + "versionType": "git" + }, + { + "version": "1da177e4c3f4", + "lessThan": "952ab3f9f48e", + "status": "affected", + "versionType": "git" + }, + { + "version": "1da177e4c3f4", + "lessThan": "a849e218556f", + "status": "affected", + "versionType": "git" + }, + { + "version": "1da177e4c3f4", + "lessThan": "7398c2aab4da", + "status": "affected", + "versionType": "git" + }, + { + "version": "1da177e4c3f4", + "lessThan": "f98cdf084405", + "status": "affected", + "versionType": "git" + }, + { + "version": "1da177e4c3f4", + "lessThan": "d4ea141fd4b4", + "status": "affected", + "versionType": "git" + }, + { + "version": "1da177e4c3f4", + "lessThan": "1e5c37385097", + "status": "affected", + "versionType": "git" + } + ] + }, + { + "product": "Linux", + "vendor": "Linux", + "defaultStatus": "affected", + "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", + "versions": [ + { + "version": "4.4.271", + "lessThanOrEqual": "4.4.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "4.9.271", + "lessThanOrEqual": "4.9.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "4.14.235", + "lessThanOrEqual": "4.14.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "4.19.193", + "lessThanOrEqual": "4.19.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.4.124", + "lessThanOrEqual": "5.4.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.10.42", + "lessThanOrEqual": "5.10.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.12.9", + "lessThanOrEqual": "5.12.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.13", + "lessThanOrEqual": "*", + "status": "unaffected", + "versionType": "original_commit_for_fix" + } + ] + } + ], + "references": [ + { + "url": "https://git.kernel.org/stable/c/0707c3fea8102d211631ba515ef2159707561b0d" + }, + { + "url": "https://git.kernel.org/stable/c/3293cf3513d69f00c14d43e2020826d45ea0e46a" + }, + { + "url": "https://git.kernel.org/stable/c/952ab3f9f48eb0e8050596d41951cf516be6b122" + }, + { + "url": "https://git.kernel.org/stable/c/a849e218556f932576c0fb1c5a88714b61709a17" + }, + { + "url": "https://git.kernel.org/stable/c/7398c2aab4da960761ec182d04d6d5abbb4a226e" + }, + { + "url": "https://git.kernel.org/stable/c/f98cdf084405333ee2f5be548a91b2d168e49276" + }, + { + "url": "https://git.kernel.org/stable/c/d4ea141fd4b40636a8326df5a377d9c5cf9b3faa" + }, + { + "url": "https://git.kernel.org/stable/c/1e5c37385097c35911b0f8a0c67ffd10ee1af9a2" + } + ], + "title": "drm/amdgpu: Fix a use-after-free", + "x_generator": { + "engine": "bippy-b4257b672505" + } + } + }, + "cveMetadata": { + "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", + "cveID": "CVE-2021-47142", + "requesterUserId": "gregkh@kernel.org", + "serial": "1", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.0" +} diff --git a/cve/published/2021/CVE-2021-47142.mbox b/cve/published/2021/CVE-2021-47142.mbox new file mode 100644 index 00000000..1c218911 --- /dev/null +++ b/cve/published/2021/CVE-2021-47142.mbox @@ -0,0 +1,91 @@ +From bippy-b4257b672505 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +To: <linux-cve-announce@vger.kernel.org> +Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> +Subject: CVE-2021-47142: drm/amdgpu: Fix a use-after-free +Message-Id: <2024032558-CVE-2021-47142-9319@gregkh> +Content-Length: 3019 +Lines: 74 +X-Developer-Signature: v=1; a=openpgp-sha256; l=3094; + i=gregkh@linuxfoundation.org; h=from:subject:message-id; + bh=nW371dOOrkriKNimBJzO5FxZJtTgGS/EO4C8aTx9L6g=; + b=owGbwMvMwCRo6H6F97bub03G02pJDGmMdu+kjxjO1Ve3PhoqIxB59LR1uaHH2v6c2VYbY98VK + V84xDqhI5aFQZCJQVZMkeXLNp6j+ysOKXoZ2p6GmcPKBDKEgYtTACYSZcMwV/gMR8LExPSb9dLx + PBeENvicncgeyTA/09XgfkUOs9hRp+BnL2ed9w61LO0DAA== +X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp; + fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29 + +Description +=========== + +In the Linux kernel, the following vulnerability has been resolved: + +drm/amdgpu: Fix a use-after-free + +looks like we forget to set ttm->sg to NULL. +Hit panic below + +[ 1235.844104] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b7b4b: 0000 [#1] SMP DEBUG_PAGEALLOC NOPTI +[ 1235.989074] Call Trace: +[ 1235.991751] sg_free_table+0x17/0x20 +[ 1235.995667] amdgpu_ttm_backend_unbind.cold+0x4d/0xf7 [amdgpu] +[ 1236.002288] amdgpu_ttm_backend_destroy+0x29/0x130 [amdgpu] +[ 1236.008464] ttm_tt_destroy+0x1e/0x30 [ttm] +[ 1236.013066] ttm_bo_cleanup_memtype_use+0x51/0xa0 [ttm] +[ 1236.018783] ttm_bo_release+0x262/0xa50 [ttm] +[ 1236.023547] ttm_bo_put+0x82/0xd0 [ttm] +[ 1236.027766] amdgpu_bo_unref+0x26/0x50 [amdgpu] +[ 1236.032809] amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0x7aa/0xd90 [amdgpu] +[ 1236.040400] kfd_ioctl_alloc_memory_of_gpu+0xe2/0x330 [amdgpu] +[ 1236.046912] kfd_ioctl+0x463/0x690 [amdgpu] + +The Linux kernel CVE team has assigned CVE-2021-47142 to this issue. + + +Affected and fixed versions +=========================== + + Fixed in 4.4.271 with commit 0707c3fea810 + Fixed in 4.9.271 with commit 3293cf3513d6 + Fixed in 4.14.235 with commit 952ab3f9f48e + Fixed in 4.19.193 with commit a849e218556f + Fixed in 5.4.124 with commit 7398c2aab4da + Fixed in 5.10.42 with commit f98cdf084405 + Fixed in 5.12.9 with commit d4ea141fd4b4 + Fixed in 5.13 with commit 1e5c37385097 + +Please see https://www.kernel.org for a full list of currently supported +kernel versions by the kernel community. + +Unaffected versions might change over time as fixes are backported to +older supported kernel versions. The official CVE entry at + https://cve.org/CVERecord/?id=CVE-2021-47142 +will be updated if fixes are backported, please check that for the most +up to date information about this issue. + + +Affected files +============== + +The file(s) affected by this issue are: + drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c + + +Mitigation +========== + +The Linux kernel CVE team recommends that you update to the latest +stable kernel version for this, and many other bugfixes. Individual +changes are never tested alone, but rather are part of a larger kernel +release. Cherry-picking individual commits is not recommended or +supported by the Linux kernel community at all. If however, updating to +the latest release is impossible, the individual changes to resolve this +issue can be found at these commits: + https://git.kernel.org/stable/c/0707c3fea8102d211631ba515ef2159707561b0d + https://git.kernel.org/stable/c/3293cf3513d69f00c14d43e2020826d45ea0e46a + https://git.kernel.org/stable/c/952ab3f9f48eb0e8050596d41951cf516be6b122 + https://git.kernel.org/stable/c/a849e218556f932576c0fb1c5a88714b61709a17 + https://git.kernel.org/stable/c/7398c2aab4da960761ec182d04d6d5abbb4a226e + https://git.kernel.org/stable/c/f98cdf084405333ee2f5be548a91b2d168e49276 + https://git.kernel.org/stable/c/d4ea141fd4b40636a8326df5a377d9c5cf9b3faa + https://git.kernel.org/stable/c/1e5c37385097c35911b0f8a0c67ffd10ee1af9a2 diff --git a/cve/published/2021/CVE-2021-47142.sha1 b/cve/published/2021/CVE-2021-47142.sha1 new file mode 100644 index 00000000..418f2f6b --- /dev/null +++ b/cve/published/2021/CVE-2021-47142.sha1 @@ -0,0 +1 @@ +1e5c37385097c35911b0f8a0c67ffd10ee1af9a2 diff --git a/cve/reserved/2021/CVE-2021-47143 b/cve/published/2021/CVE-2021-47143 index e69de29b..e69de29b 100644 --- a/cve/reserved/2021/CVE-2021-47143 +++ b/cve/published/2021/CVE-2021-47143 diff --git a/cve/published/2021/CVE-2021-47143.json b/cve/published/2021/CVE-2021-47143.json new file mode 100644 index 00000000..6d2d8671 --- /dev/null +++ b/cve/published/2021/CVE-2021-47143.json @@ -0,0 +1,103 @@ +{ + "containers": { + "cna": { + "providerMetadata": { + "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" + }, + "descriptions": [ + { + "lang": "en", + "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: remove device from smcd_dev_list after failed device_add()\n\nIf the device_add() for a smcd_dev fails, there's no cleanup step that\nrolls back the earlier list_add(). The device subsequently gets freed,\nand we end up with a corrupted list.\n\nAdd some error handling that removes the device from the list." + } + ], + "affected": [ + { + "product": "Linux", + "vendor": "Linux", + "defaultStatus": "unaffected", + "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", + "versions": [ + { + "version": "c6ba7c9ba43d", + "lessThan": "8b2cdc004d21", + "status": "affected", + "versionType": "git" + }, + { + "version": "c6ba7c9ba43d", + "lessThan": "40588782f101", + "status": "affected", + "versionType": "git" + }, + { + "version": "c6ba7c9ba43d", + "lessThan": "444d7be9532d", + "status": "affected", + "versionType": "git" + } + ] + }, + { + "product": "Linux", + "vendor": "Linux", + "defaultStatus": "affected", + "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", + "versions": [ + { + "version": "4.19", + "status": "affected" + }, + { + "version": "0", + "lessThan": "4.19", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.10.42", + "lessThanOrEqual": "5.10.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.12.9", + "lessThanOrEqual": "5.12.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.13", + "lessThanOrEqual": "*", + "status": "unaffected", + "versionType": "original_commit_for_fix" + } + ] + } + ], + "references": [ + { + "url": "https://git.kernel.org/stable/c/8b2cdc004d21a7255f219706dca64411108f7897" + }, + { + "url": "https://git.kernel.org/stable/c/40588782f1016c655ae1d302892f61d35af96842" + }, + { + "url": "https://git.kernel.org/stable/c/444d7be9532dcfda8e0385226c862fd7e986f607" + } + ], + "title": "net/smc: remove device from smcd_dev_list after failed device_add()", + "x_generator": { + "engine": "bippy-b4257b672505" + } + } + }, + "cveMetadata": { + "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", + "cveID": "CVE-2021-47143", + "requesterUserId": "gregkh@kernel.org", + "serial": "1", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.0" +} diff --git a/cve/published/2021/CVE-2021-47143.mbox b/cve/published/2021/CVE-2021-47143.mbox new file mode 100644 index 00000000..cc8d0a31 --- /dev/null +++ b/cve/published/2021/CVE-2021-47143.mbox @@ -0,0 +1,70 @@ +From bippy-b4257b672505 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +To: <linux-cve-announce@vger.kernel.org> +Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> +Subject: CVE-2021-47143: net/smc: remove device from smcd_dev_list after failed device_add() +Message-Id: <2024032558-CVE-2021-47143-4f3c@gregkh> +Content-Length: 2021 +Lines: 53 +X-Developer-Signature: v=1; a=openpgp-sha256; l=2075; + i=gregkh@linuxfoundation.org; h=from:subject:message-id; + bh=N10i9v4UrpxLQvdA79eZhhlcxIIqcmIRMqeW2E9MNwY=; + b=owGbwMvMwCRo6H6F97bub03G02pJDGmMdu+eGhVs4zHJ3md+33rNO7POLuMHS6Rd5zpJH9UJE + rn+hvtMRywLgyATg6yYIsuXbTxH91ccUvQytD0NM4eVCWQIAxenAEzkbinDLOb6IM7GD7O//L7E + GPf++xvr1O3bnzPMT70SVW73mc/HtJBr0/qdTK6yfqnBAA== +X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp; + fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29 + +Description +=========== + +In the Linux kernel, the following vulnerability has been resolved: + +net/smc: remove device from smcd_dev_list after failed device_add() + +If the device_add() for a smcd_dev fails, there's no cleanup step that +rolls back the earlier list_add(). The device subsequently gets freed, +and we end up with a corrupted list. + +Add some error handling that removes the device from the list. + +The Linux kernel CVE team has assigned CVE-2021-47143 to this issue. + + +Affected and fixed versions +=========================== + + Issue introduced in 4.19 with commit c6ba7c9ba43d and fixed in 5.10.42 with commit 8b2cdc004d21 + Issue introduced in 4.19 with commit c6ba7c9ba43d and fixed in 5.12.9 with commit 40588782f101 + Issue introduced in 4.19 with commit c6ba7c9ba43d and fixed in 5.13 with commit 444d7be9532d + +Please see https://www.kernel.org for a full list of currently supported +kernel versions by the kernel community. + +Unaffected versions might change over time as fixes are backported to +older supported kernel versions. The official CVE entry at + https://cve.org/CVERecord/?id=CVE-2021-47143 +will be updated if fixes are backported, please check that for the most +up to date information about this issue. + + +Affected files +============== + +The file(s) affected by this issue are: + net/smc/smc_ism.c + + +Mitigation +========== + +The Linux kernel CVE team recommends that you update to the latest +stable kernel version for this, and many other bugfixes. Individual +changes are never tested alone, but rather are part of a larger kernel +release. Cherry-picking individual commits is not recommended or +supported by the Linux kernel community at all. If however, updating to +the latest release is impossible, the individual changes to resolve this +issue can be found at these commits: + https://git.kernel.org/stable/c/8b2cdc004d21a7255f219706dca64411108f7897 + https://git.kernel.org/stable/c/40588782f1016c655ae1d302892f61d35af96842 + https://git.kernel.org/stable/c/444d7be9532dcfda8e0385226c862fd7e986f607 diff --git a/cve/published/2021/CVE-2021-47143.sha1 b/cve/published/2021/CVE-2021-47143.sha1 new file mode 100644 index 00000000..fa935e04 --- /dev/null +++ b/cve/published/2021/CVE-2021-47143.sha1 @@ -0,0 +1 @@ +444d7be9532dcfda8e0385226c862fd7e986f607 diff --git a/cve/reserved/2021/CVE-2021-47144 b/cve/published/2021/CVE-2021-47144 index e69de29b..e69de29b 100644 --- a/cve/reserved/2021/CVE-2021-47144 +++ b/cve/published/2021/CVE-2021-47144 diff --git a/cve/published/2021/CVE-2021-47144.json b/cve/published/2021/CVE-2021-47144.json new file mode 100644 index 00000000..216add72 --- /dev/null +++ b/cve/published/2021/CVE-2021-47144.json @@ -0,0 +1,123 @@ +{ + "containers": { + "cna": { + "providerMetadata": { + "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" + }, + "descriptions": [ + { + "lang": "en", + "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/amdgpu: fix refcount leak\n\n[Why]\nthe gem object rfb->base.obj[0] is get according to num_planes\nin amdgpufb_create, but is not put according to num_planes\n\n[How]\nput rfb->base.obj[0] in amdgpu_fbdev_destroy according to num_planes" + } + ], + "affected": [ + { + "product": "Linux", + "vendor": "Linux", + "defaultStatus": "unaffected", + "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", + "versions": [ + { + "version": "1da177e4c3f4", + "lessThan": "599e5d61ace9", + "status": "affected", + "versionType": "git" + }, + { + "version": "1da177e4c3f4", + "lessThan": "dde2656e0bbb", + "status": "affected", + "versionType": "git" + }, + { + "version": "1da177e4c3f4", + "lessThan": "9fdb8ed37a3a", + "status": "affected", + "versionType": "git" + }, + { + "version": "1da177e4c3f4", + "lessThan": "95a4ec905e51", + "status": "affected", + "versionType": "git" + }, + { + "version": "1da177e4c3f4", + "lessThan": "fa7e6abc75f3", + "status": "affected", + "versionType": "git" + } + ] + }, + { + "product": "Linux", + "vendor": "Linux", + "defaultStatus": "affected", + "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", + "versions": [ + { + "version": "4.19.193", + "lessThanOrEqual": "4.19.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.4.124", + "lessThanOrEqual": "5.4.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.10.42", + "lessThanOrEqual": "5.10.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.12.9", + "lessThanOrEqual": "5.12.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.13", + "lessThanOrEqual": "*", + "status": "unaffected", + "versionType": "original_commit_for_fix" + } + ] + } + ], + "references": [ + { + "url": "https://git.kernel.org/stable/c/599e5d61ace952b0bb9bd942b198bbd0cfded1d7" + }, + { + "url": "https://git.kernel.org/stable/c/dde2656e0bbb2ac7d83a7bd95a8d5c3c95bbc009" + }, + { + "url": "https://git.kernel.org/stable/c/9fdb8ed37a3a44f9c49372b69f87fd5f61cb3240" + }, + { + "url": "https://git.kernel.org/stable/c/95a4ec905e51a30c64cf2d78b04a7acbeae5ca94" + }, + { + "url": "https://git.kernel.org/stable/c/fa7e6abc75f3d491bc561734312d065dc9dc2a77" + } + ], + "title": "drm/amd/amdgpu: fix refcount leak", + "x_generator": { + "engine": "bippy-b4257b672505" + } + } + }, + "cveMetadata": { + "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", + "cveID": "CVE-2021-47144", + "requesterUserId": "gregkh@kernel.org", + "serial": "1", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.0" +} diff --git a/cve/published/2021/CVE-2021-47144.mbox b/cve/published/2021/CVE-2021-47144.mbox new file mode 100644 index 00000000..6a6ab4e6 --- /dev/null +++ b/cve/published/2021/CVE-2021-47144.mbox @@ -0,0 +1,75 @@ +From bippy-b4257b672505 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +To: <linux-cve-announce@vger.kernel.org> +Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> +Subject: CVE-2021-47144: drm/amd/amdgpu: fix refcount leak +Message-Id: <2024032558-CVE-2021-47144-26d3@gregkh> +Content-Length: 2042 +Lines: 58 +X-Developer-Signature: v=1; a=openpgp-sha256; l=2101; + i=gregkh@linuxfoundation.org; h=from:subject:message-id; + bh=M01FnDA73h7zpO70eJQaZg/4+8JaLcL9k7JK5n0Tr24=; + b=owGbwMvMwCRo6H6F97bub03G02pJDGmMdu80b7g0/U9ZdT5kGduiZ4zL5h+cfEGsIPrQvjzG3 + HtP+SfO6IhlYRBkYpAVU2T5so3n6P6KQ4pehranYeawMoEMYeDiFICJcD5iWNCxKS26/aRWrN6l + tKoNe3X//+GSj2FYsC5+kVtd4P8rU/SOLnu/7ei6NsaTdwA= +X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp; + fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29 + +Description +=========== + +In the Linux kernel, the following vulnerability has been resolved: + +drm/amd/amdgpu: fix refcount leak + +[Why] +the gem object rfb->base.obj[0] is get according to num_planes +in amdgpufb_create, but is not put according to num_planes + +[How] +put rfb->base.obj[0] in amdgpu_fbdev_destroy according to num_planes + +The Linux kernel CVE team has assigned CVE-2021-47144 to this issue. + + +Affected and fixed versions +=========================== + + Fixed in 4.19.193 with commit 599e5d61ace9 + Fixed in 5.4.124 with commit dde2656e0bbb + Fixed in 5.10.42 with commit 9fdb8ed37a3a + Fixed in 5.12.9 with commit 95a4ec905e51 + Fixed in 5.13 with commit fa7e6abc75f3 + +Please see https://www.kernel.org for a full list of currently supported +kernel versions by the kernel community. + +Unaffected versions might change over time as fixes are backported to +older supported kernel versions. The official CVE entry at + https://cve.org/CVERecord/?id=CVE-2021-47144 +will be updated if fixes are backported, please check that for the most +up to date information about this issue. + + +Affected files +============== + +The file(s) affected by this issue are: + drivers/gpu/drm/amd/amdgpu/amdgpu_fb.c + + +Mitigation +========== + +The Linux kernel CVE team recommends that you update to the latest +stable kernel version for this, and many other bugfixes. Individual +changes are never tested alone, but rather are part of a larger kernel +release. Cherry-picking individual commits is not recommended or +supported by the Linux kernel community at all. If however, updating to +the latest release is impossible, the individual changes to resolve this +issue can be found at these commits: + https://git.kernel.org/stable/c/599e5d61ace952b0bb9bd942b198bbd0cfded1d7 + https://git.kernel.org/stable/c/dde2656e0bbb2ac7d83a7bd95a8d5c3c95bbc009 + https://git.kernel.org/stable/c/9fdb8ed37a3a44f9c49372b69f87fd5f61cb3240 + https://git.kernel.org/stable/c/95a4ec905e51a30c64cf2d78b04a7acbeae5ca94 + https://git.kernel.org/stable/c/fa7e6abc75f3d491bc561734312d065dc9dc2a77 diff --git a/cve/published/2021/CVE-2021-47144.sha1 b/cve/published/2021/CVE-2021-47144.sha1 new file mode 100644 index 00000000..7281cb48 --- /dev/null +++ b/cve/published/2021/CVE-2021-47144.sha1 @@ -0,0 +1 @@ +fa7e6abc75f3d491bc561734312d065dc9dc2a77 diff --git a/cve/reserved/2021/CVE-2021-47145 b/cve/published/2021/CVE-2021-47145 index e69de29b..e69de29b 100644 --- a/cve/reserved/2021/CVE-2021-47145 +++ b/cve/published/2021/CVE-2021-47145 diff --git a/cve/published/2021/CVE-2021-47145.json b/cve/published/2021/CVE-2021-47145.json new file mode 100644 index 00000000..a6165432 --- /dev/null +++ b/cve/published/2021/CVE-2021-47145.json @@ -0,0 +1,168 @@ +{ + "containers": { + "cna": { + "providerMetadata": { + "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" + }, + "descriptions": [ + { + "lang": "en", + "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: do not BUG_ON in link_to_fixup_dir\n\nWhile doing error injection testing I got the following panic\n\n kernel BUG at fs/btrfs/tree-log.c:1862!\n invalid opcode: 0000 [#1] SMP NOPTI\n CPU: 1 PID: 7836 Comm: mount Not tainted 5.13.0-rc1+ #305\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-2.fc32 04/01/2014\n RIP: 0010:link_to_fixup_dir+0xd5/0xe0\n RSP: 0018:ffffb5800180fa30 EFLAGS: 00010216\n RAX: fffffffffffffffb RBX: 00000000fffffffb RCX: ffff8f595287faf0\n RDX: ffffb5800180fa37 RSI: ffff8f5954978800 RDI: 0000000000000000\n RBP: ffff8f5953af9450 R08: 0000000000000019 R09: 0000000000000001\n R10: 000151f408682970 R11: 0000000120021001 R12: ffff8f5954978800\n R13: ffff8f595287faf0 R14: ffff8f5953c77dd0 R15: 0000000000000065\n FS: 00007fc5284c8c40(0000) GS:ffff8f59bbd00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007fc5287f47c0 CR3: 000000011275e002 CR4: 0000000000370ee0\n Call Trace:\n replay_one_buffer+0x409/0x470\n ? btree_read_extent_buffer_pages+0xd0/0x110\n walk_up_log_tree+0x157/0x1e0\n walk_log_tree+0xa6/0x1d0\n btrfs_recover_log_trees+0x1da/0x360\n ? replay_one_extent+0x7b0/0x7b0\n open_ctree+0x1486/0x1720\n btrfs_mount_root.cold+0x12/0xea\n ? __kmalloc_track_caller+0x12f/0x240\n legacy_get_tree+0x24/0x40\n vfs_get_tree+0x22/0xb0\n vfs_kern_mount.part.0+0x71/0xb0\n btrfs_mount+0x10d/0x380\n ? vfs_parse_fs_string+0x4d/0x90\n legacy_get_tree+0x24/0x40\n vfs_get_tree+0x22/0xb0\n path_mount+0x433/0xa10\n __x64_sys_mount+0xe3/0x120\n do_syscall_64+0x3d/0x80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nWe can get -EIO or any number of legitimate errors from\nbtrfs_search_slot(), panicing here is not the appropriate response. The\nerror path for this code handles errors properly, simply return the\nerror." + } + ], + "affected": [ + { + "product": "Linux", + "vendor": "Linux", + "defaultStatus": "unaffected", + "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", + "versions": [ + { + "version": "1da177e4c3f4", + "lessThan": "76bfd8ac20be", + "status": "affected", + "versionType": "git" + }, + { + "version": "1da177e4c3f4", + "lessThan": "e934c4ee17b3", + "status": "affected", + "versionType": "git" + }, + { + "version": "1da177e4c3f4", + "lessThan": "0eaf383c6a4a", + "status": "affected", + "versionType": "git" + }, + { + "version": "1da177e4c3f4", + "lessThan": "6eccfb28f8dc", + "status": "affected", + "versionType": "git" + }, + { + "version": "1da177e4c3f4", + "lessThan": "0ed102453aa1", + "status": "affected", + "versionType": "git" + }, + { + "version": "1da177e4c3f4", + "lessThan": "7e13db503918", + "status": "affected", + "versionType": "git" + }, + { + "version": "1da177e4c3f4", + "lessThan": "b54544213358", + "status": "affected", + "versionType": "git" + }, + { + "version": "1da177e4c3f4", + "lessThan": "91df99a6eb50", + "status": "affected", + "versionType": "git" + } + ] + }, + { + "product": "Linux", + "vendor": "Linux", + "defaultStatus": "affected", + "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", + "versions": [ + { + "version": "4.4.271", + "lessThanOrEqual": "4.4.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "4.9.271", + "lessThanOrEqual": "4.9.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "4.14.235", + "lessThanOrEqual": "4.14.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "4.19.193", + "lessThanOrEqual": "4.19.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.4.124", + "lessThanOrEqual": "5.4.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.10.42", + "lessThanOrEqual": "5.10.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.12.9", + "lessThanOrEqual": "5.12.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.13", + "lessThanOrEqual": "*", + "status": "unaffected", + "versionType": "original_commit_for_fix" + } + ] + } + ], + "references": [ + { + "url": "https://git.kernel.org/stable/c/76bfd8ac20bebeae599452a03dfc5724c0475dcf" + }, + { + "url": "https://git.kernel.org/stable/c/e934c4ee17b33bafb0444f2f9766cda7166d3c40" + }, + { + "url": "https://git.kernel.org/stable/c/0eaf383c6a4a83c09f60fd07a1bea9f1a9181611" + }, + { + "url": "https://git.kernel.org/stable/c/6eccfb28f8dca70c9b1b3bb3194ca54cbe73a9fa" + }, + { + "url": "https://git.kernel.org/stable/c/0ed102453aa1cd12fefde8f6b60b9519b0b1f003" + }, + { + "url": "https://git.kernel.org/stable/c/7e13db503918820e6333811cdc6f151dcea5090a" + }, + { + "url": "https://git.kernel.org/stable/c/b545442133580dcb2f2496133bf850824d41255c" + }, + { + "url": "https://git.kernel.org/stable/c/91df99a6eb50d5a1bc70fff4a09a0b7ae6aab96d" + } + ], + "title": "btrfs: do not BUG_ON in link_to_fixup_dir", + "x_generator": { + "engine": "bippy-b4257b672505" + } + } + }, + "cveMetadata": { + "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", + "cveID": "CVE-2021-47145", + "requesterUserId": "gregkh@kernel.org", + "serial": "1", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.0" +} diff --git a/cve/published/2021/CVE-2021-47145.mbox b/cve/published/2021/CVE-2021-47145.mbox new file mode 100644 index 00000000..c8259155 --- /dev/null +++ b/cve/published/2021/CVE-2021-47145.mbox @@ -0,0 +1,117 @@ +From bippy-b4257b672505 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +To: <linux-cve-announce@vger.kernel.org> +Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> +Subject: CVE-2021-47145: btrfs: do not BUG_ON in link_to_fixup_dir +Message-Id: <2024032558-CVE-2021-47145-e536@gregkh> +Content-Length: 3961 +Lines: 100 +X-Developer-Signature: v=1; a=openpgp-sha256; l=4062; + i=gregkh@linuxfoundation.org; h=from:subject:message-id; + bh=VVLttswBsYmKE/7i/FsUpkCafYDQMvx3XrSxTkYMrnA=; + b=owGbwMvMwCRo6H6F97bub03G02pJDGmMdu+/G/3JjOK7oeZSIJwmOnOLluNfbc67x9SmHuJa4 + XjC3UK8I5aFQZCJQVZMkeXLNp6j+ysOKXoZ2p6GmcPKBDKEgYtTACai2cOwoKvY4IlA3Jn7GU2n + Hz+V4r62vbdoP8N8v6ssleufKNx0q3Tczed2hEOrfskuAA== +X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp; + fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29 + +Description +=========== + +In the Linux kernel, the following vulnerability has been resolved: + +btrfs: do not BUG_ON in link_to_fixup_dir + +While doing error injection testing I got the following panic + + kernel BUG at fs/btrfs/tree-log.c:1862! + invalid opcode: 0000 [#1] SMP NOPTI + CPU: 1 PID: 7836 Comm: mount Not tainted 5.13.0-rc1+ #305 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-2.fc32 04/01/2014 + RIP: 0010:link_to_fixup_dir+0xd5/0xe0 + RSP: 0018:ffffb5800180fa30 EFLAGS: 00010216 + RAX: fffffffffffffffb RBX: 00000000fffffffb RCX: ffff8f595287faf0 + RDX: ffffb5800180fa37 RSI: ffff8f5954978800 RDI: 0000000000000000 + RBP: ffff8f5953af9450 R08: 0000000000000019 R09: 0000000000000001 + R10: 000151f408682970 R11: 0000000120021001 R12: ffff8f5954978800 + R13: ffff8f595287faf0 R14: ffff8f5953c77dd0 R15: 0000000000000065 + FS: 00007fc5284c8c40(0000) GS:ffff8f59bbd00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007fc5287f47c0 CR3: 000000011275e002 CR4: 0000000000370ee0 + Call Trace: + replay_one_buffer+0x409/0x470 + ? btree_read_extent_buffer_pages+0xd0/0x110 + walk_up_log_tree+0x157/0x1e0 + walk_log_tree+0xa6/0x1d0 + btrfs_recover_log_trees+0x1da/0x360 + ? replay_one_extent+0x7b0/0x7b0 + open_ctree+0x1486/0x1720 + btrfs_mount_root.cold+0x12/0xea + ? __kmalloc_track_caller+0x12f/0x240 + legacy_get_tree+0x24/0x40 + vfs_get_tree+0x22/0xb0 + vfs_kern_mount.part.0+0x71/0xb0 + btrfs_mount+0x10d/0x380 + ? vfs_parse_fs_string+0x4d/0x90 + legacy_get_tree+0x24/0x40 + vfs_get_tree+0x22/0xb0 + path_mount+0x433/0xa10 + __x64_sys_mount+0xe3/0x120 + do_syscall_64+0x3d/0x80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +We can get -EIO or any number of legitimate errors from +btrfs_search_slot(), panicing here is not the appropriate response. The +error path for this code handles errors properly, simply return the +error. + +The Linux kernel CVE team has assigned CVE-2021-47145 to this issue. + + +Affected and fixed versions +=========================== + + Fixed in 4.4.271 with commit 76bfd8ac20be + Fixed in 4.9.271 with commit e934c4ee17b3 + Fixed in 4.14.235 with commit 0eaf383c6a4a + Fixed in 4.19.193 with commit 6eccfb28f8dc + Fixed in 5.4.124 with commit 0ed102453aa1 + Fixed in 5.10.42 with commit 7e13db503918 + Fixed in 5.12.9 with commit b54544213358 + Fixed in 5.13 with commit 91df99a6eb50 + +Please see https://www.kernel.org for a full list of currently supported +kernel versions by the kernel community. + +Unaffected versions might change over time as fixes are backported to +older supported kernel versions. The official CVE entry at + https://cve.org/CVERecord/?id=CVE-2021-47145 +will be updated if fixes are backported, please check that for the most +up to date information about this issue. + + +Affected files +============== + +The file(s) affected by this issue are: + fs/btrfs/tree-log.c + + +Mitigation +========== + +The Linux kernel CVE team recommends that you update to the latest +stable kernel version for this, and many other bugfixes. Individual +changes are never tested alone, but rather are part of a larger kernel +release. Cherry-picking individual commits is not recommended or +supported by the Linux kernel community at all. If however, updating to +the latest release is impossible, the individual changes to resolve this +issue can be found at these commits: + https://git.kernel.org/stable/c/76bfd8ac20bebeae599452a03dfc5724c0475dcf + https://git.kernel.org/stable/c/e934c4ee17b33bafb0444f2f9766cda7166d3c40 + https://git.kernel.org/stable/c/0eaf383c6a4a83c09f60fd07a1bea9f1a9181611 + https://git.kernel.org/stable/c/6eccfb28f8dca70c9b1b3bb3194ca54cbe73a9fa + https://git.kernel.org/stable/c/0ed102453aa1cd12fefde8f6b60b9519b0b1f003 + https://git.kernel.org/stable/c/7e13db503918820e6333811cdc6f151dcea5090a + https://git.kernel.org/stable/c/b545442133580dcb2f2496133bf850824d41255c + https://git.kernel.org/stable/c/91df99a6eb50d5a1bc70fff4a09a0b7ae6aab96d diff --git a/cve/published/2021/CVE-2021-47145.sha1 b/cve/published/2021/CVE-2021-47145.sha1 new file mode 100644 index 00000000..0111f8cb --- /dev/null +++ b/cve/published/2021/CVE-2021-47145.sha1 @@ -0,0 +1 @@ +91df99a6eb50d5a1bc70fff4a09a0b7ae6aab96d diff --git a/cve/reserved/2021/CVE-2021-47146 b/cve/published/2021/CVE-2021-47146 index e69de29b..e69de29b 100644 --- a/cve/reserved/2021/CVE-2021-47146 +++ b/cve/published/2021/CVE-2021-47146 diff --git a/cve/published/2021/CVE-2021-47146.json b/cve/published/2021/CVE-2021-47146.json new file mode 100644 index 00000000..d6f20f85 --- /dev/null +++ b/cve/published/2021/CVE-2021-47146.json @@ -0,0 +1,178 @@ +{ + "containers": { + "cna": { + "providerMetadata": { + "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" + }, + "descriptions": [ + { + "lang": "en", + "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmld: fix panic in mld_newpack()\n\nmld_newpack() doesn't allow to allocate high order page,\nonly order-0 allocation is allowed.\nIf headroom size is too large, a kernel panic could occur in skb_put().\n\nTest commands:\n ip netns del A\n ip netns del B\n ip netns add A\n ip netns add B\n ip link add veth0 type veth peer name veth1\n ip link set veth0 netns A\n ip link set veth1 netns B\n\n ip netns exec A ip link set lo up\n ip netns exec A ip link set veth0 up\n ip netns exec A ip -6 a a 2001:db8:0::1/64 dev veth0\n ip netns exec B ip link set lo up\n ip netns exec B ip link set veth1 up\n ip netns exec B ip -6 a a 2001:db8:0::2/64 dev veth1\n for i in {1..99}\n do\n let A=$i-1\n ip netns exec A ip link add ip6gre$i type ip6gre \\\n\tlocal 2001:db8:$A::1 remote 2001:db8:$A::2 encaplimit 100\n ip netns exec A ip -6 a a 2001:db8:$i::1/64 dev ip6gre$i\n ip netns exec A ip link set ip6gre$i up\n\n ip netns exec B ip link add ip6gre$i type ip6gre \\\n\tlocal 2001:db8:$A::2 remote 2001:db8:$A::1 encaplimit 100\n ip netns exec B ip -6 a a 2001:db8:$i::2/64 dev ip6gre$i\n ip netns exec B ip link set ip6gre$i up\n done\n\nSplat looks like:\nkernel BUG at net/core/skbuff.c:110!\ninvalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI\nCPU: 0 PID: 7 Comm: kworker/0:1 Not tainted 5.12.0+ #891\nWorkqueue: ipv6_addrconf addrconf_dad_work\nRIP: 0010:skb_panic+0x15d/0x15f\nCode: 92 fe 4c 8b 4c 24 10 53 8b 4d 70 45 89 e0 48 c7 c7 00 ae 79 83\n41 57 41 56 41 55 48 8b 54 24 a6 26 f9 ff <0f> 0b 48 8b 6c 24 20 89\n34 24 e8 4a 4e 92 fe 8b 34 24 48 c7 c1 20\nRSP: 0018:ffff88810091f820 EFLAGS: 00010282\nRAX: 0000000000000089 RBX: ffff8881086e9000 RCX: 0000000000000000\nRDX: 0000000000000089 RSI: 0000000000000008 RDI: ffffed1020123efb\nRBP: ffff888005f6eac0 R08: ffffed1022fc0031 R09: ffffed1022fc0031\nR10: ffff888117e00187 R11: ffffed1022fc0030 R12: 0000000000000028\nR13: ffff888008284eb0 R14: 0000000000000ed8 R15: 0000000000000ec0\nFS: 0000000000000000(0000) GS:ffff888117c00000(0000)\nknlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f8b801c5640 CR3: 0000000033c2c006 CR4: 00000000003706f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n ? ip6_mc_hdr.isra.26.constprop.46+0x12a/0x600\n ? ip6_mc_hdr.isra.26.constprop.46+0x12a/0x600\n skb_put.cold.104+0x22/0x22\n ip6_mc_hdr.isra.26.constprop.46+0x12a/0x600\n ? rcu_read_lock_sched_held+0x91/0xc0\n mld_newpack+0x398/0x8f0\n ? ip6_mc_hdr.isra.26.constprop.46+0x600/0x600\n ? lock_contended+0xc40/0xc40\n add_grhead.isra.33+0x280/0x380\n add_grec+0x5ca/0xff0\n ? mld_sendpack+0xf40/0xf40\n ? lock_downgrade+0x690/0x690\n mld_send_initial_cr.part.34+0xb9/0x180\n ipv6_mc_dad_complete+0x15d/0x1b0\n addrconf_dad_completed+0x8d2/0xbb0\n ? lock_downgrade+0x690/0x690\n ? addrconf_rs_timer+0x660/0x660\n ? addrconf_dad_work+0x73c/0x10e0\n addrconf_dad_work+0x73c/0x10e0\n\nAllowing high order page allocation could fix this problem." + } + ], + "affected": [ + { + "product": "Linux", + "vendor": "Linux", + "defaultStatus": "unaffected", + "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", + "versions": [ + { + "version": "72e09ad107e7", + "lessThan": "0e35b7457b7b", + "status": "affected", + "versionType": "git" + }, + { + "version": "72e09ad107e7", + "lessThan": "17728616a4c8", + "status": "affected", + "versionType": "git" + }, + { + "version": "72e09ad107e7", + "lessThan": "221142038f36", + "status": "affected", + "versionType": "git" + }, + { + "version": "72e09ad107e7", + "lessThan": "4b77ad909706", + "status": "affected", + "versionType": "git" + }, + { + "version": "72e09ad107e7", + "lessThan": "37d697759958", + "status": "affected", + "versionType": "git" + }, + { + "version": "72e09ad107e7", + "lessThan": "beb39adb150f", + "status": "affected", + "versionType": "git" + }, + { + "version": "72e09ad107e7", + "lessThan": "a76fb9ba5452", + "status": "affected", + "versionType": "git" + }, + { + "version": "72e09ad107e7", + "lessThan": "020ef930b826", + "status": "affected", + "versionType": "git" + } + ] + }, + { + "product": "Linux", + "vendor": "Linux", + "defaultStatus": "affected", + "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", + "versions": [ + { + "version": "2.6.35", + "status": "affected" + }, + { + "version": "0", + "lessThan": "2.6.35", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "4.4.271", + "lessThanOrEqual": "4.4.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "4.9.271", + "lessThanOrEqual": "4.9.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "4.14.235", + "lessThanOrEqual": "4.14.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "4.19.193", + "lessThanOrEqual": "4.19.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.4.124", + "lessThanOrEqual": "5.4.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.10.42", + "lessThanOrEqual": "5.10.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.12.9", + "lessThanOrEqual": "5.12.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.13", + "lessThanOrEqual": "*", + "status": "unaffected", + "versionType": "original_commit_for_fix" + } + ] + } + ], + "references": [ + { + "url": "https://git.kernel.org/stable/c/0e35b7457b7b6e73ffeaaca1a577fdf1af0feca1" + }, + { + "url": "https://git.kernel.org/stable/c/17728616a4c85baf0edc975c60ba4e4157684d9a" + }, + { + "url": "https://git.kernel.org/stable/c/221142038f36d9f28b64e83e954774da4d4ccd17" + }, + { + "url": "https://git.kernel.org/stable/c/4b77ad9097067b31237eeeee0bf70f80849680a0" + }, + { + "url": "https://git.kernel.org/stable/c/37d697759958d111439080bab7e14d2b0e7b39f5" + }, + { + "url": "https://git.kernel.org/stable/c/beb39adb150f8f3b516ddf7c39835a9788704d23" + }, + { + "url": "https://git.kernel.org/stable/c/a76fb9ba545289379acf409653ad5f74417be59c" + }, + { + "url": "https://git.kernel.org/stable/c/020ef930b826d21c5446fdc9db80fd72a791bc21" + } + ], + "title": "mld: fix panic in mld_newpack()", + "x_generator": { + "engine": "bippy-b4257b672505" + } + } + }, + "cveMetadata": { + "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", + "cveID": "CVE-2021-47146", + "requesterUserId": "gregkh@kernel.org", + "serial": "1", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.0" +} diff --git a/cve/published/2021/CVE-2021-47146.mbox b/cve/published/2021/CVE-2021-47146.mbox new file mode 100644 index 00000000..fcb36a4f --- /dev/null +++ b/cve/published/2021/CVE-2021-47146.mbox @@ -0,0 +1,151 @@ +From bippy-b4257b672505 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +To: <linux-cve-announce@vger.kernel.org> +Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> +Subject: CVE-2021-47146: mld: fix panic in mld_newpack() +Message-Id: <2024032559-CVE-2021-47146-05d4@gregkh> +Content-Length: 5624 +Lines: 134 +X-Developer-Signature: v=1; a=openpgp-sha256; l=5759; + i=gregkh@linuxfoundation.org; h=from:subject:message-id; + bh=JuTL+n4vK5Q4KNNvMBoN/Uxzd/RpPVNoLuKrGClyAMA=; + b=owGbwMvMwCRo6H6F97bub03G02pJDGmMdu+nzJnYtCZv27bQyR8e8j0J4p/x56D6yrX3pzYv6 + 32T1j6hvSOWhUGQiUFWTJHlyzaeo/srDil6GdqehpnDygQyhIGLUwAm4urBsGBt4ZNjytv3HUs4 + d4D99K9bx9Wba4MYFmxir1UXDHtXLKV+8xz3tL33rsuxyQAA +X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp; + fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29 + +Description +=========== + +In the Linux kernel, the following vulnerability has been resolved: + +mld: fix panic in mld_newpack() + +mld_newpack() doesn't allow to allocate high order page, +only order-0 allocation is allowed. +If headroom size is too large, a kernel panic could occur in skb_put(). + +Test commands: + ip netns del A + ip netns del B + ip netns add A + ip netns add B + ip link add veth0 type veth peer name veth1 + ip link set veth0 netns A + ip link set veth1 netns B + + ip netns exec A ip link set lo up + ip netns exec A ip link set veth0 up + ip netns exec A ip -6 a a 2001:db8:0::1/64 dev veth0 + ip netns exec B ip link set lo up + ip netns exec B ip link set veth1 up + ip netns exec B ip -6 a a 2001:db8:0::2/64 dev veth1 + for i in {1..99} + do + let A=$i-1 + ip netns exec A ip link add ip6gre$i type ip6gre \ + local 2001:db8:$A::1 remote 2001:db8:$A::2 encaplimit 100 + ip netns exec A ip -6 a a 2001:db8:$i::1/64 dev ip6gre$i + ip netns exec A ip link set ip6gre$i up + + ip netns exec B ip link add ip6gre$i type ip6gre \ + local 2001:db8:$A::2 remote 2001:db8:$A::1 encaplimit 100 + ip netns exec B ip -6 a a 2001:db8:$i::2/64 dev ip6gre$i + ip netns exec B ip link set ip6gre$i up + done + +Splat looks like: +kernel BUG at net/core/skbuff.c:110! +invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI +CPU: 0 PID: 7 Comm: kworker/0:1 Not tainted 5.12.0+ #891 +Workqueue: ipv6_addrconf addrconf_dad_work +RIP: 0010:skb_panic+0x15d/0x15f +Code: 92 fe 4c 8b 4c 24 10 53 8b 4d 70 45 89 e0 48 c7 c7 00 ae 79 83 +41 57 41 56 41 55 48 8b 54 24 a6 26 f9 ff <0f> 0b 48 8b 6c 24 20 89 +34 24 e8 4a 4e 92 fe 8b 34 24 48 c7 c1 20 +RSP: 0018:ffff88810091f820 EFLAGS: 00010282 +RAX: 0000000000000089 RBX: ffff8881086e9000 RCX: 0000000000000000 +RDX: 0000000000000089 RSI: 0000000000000008 RDI: ffffed1020123efb +RBP: ffff888005f6eac0 R08: ffffed1022fc0031 R09: ffffed1022fc0031 +R10: ffff888117e00187 R11: ffffed1022fc0030 R12: 0000000000000028 +R13: ffff888008284eb0 R14: 0000000000000ed8 R15: 0000000000000ec0 +FS: 0000000000000000(0000) GS:ffff888117c00000(0000) +knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f8b801c5640 CR3: 0000000033c2c006 CR4: 00000000003706f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + ? ip6_mc_hdr.isra.26.constprop.46+0x12a/0x600 + ? ip6_mc_hdr.isra.26.constprop.46+0x12a/0x600 + skb_put.cold.104+0x22/0x22 + ip6_mc_hdr.isra.26.constprop.46+0x12a/0x600 + ? rcu_read_lock_sched_held+0x91/0xc0 + mld_newpack+0x398/0x8f0 + ? ip6_mc_hdr.isra.26.constprop.46+0x600/0x600 + ? lock_contended+0xc40/0xc40 + add_grhead.isra.33+0x280/0x380 + add_grec+0x5ca/0xff0 + ? mld_sendpack+0xf40/0xf40 + ? lock_downgrade+0x690/0x690 + mld_send_initial_cr.part.34+0xb9/0x180 + ipv6_mc_dad_complete+0x15d/0x1b0 + addrconf_dad_completed+0x8d2/0xbb0 + ? lock_downgrade+0x690/0x690 + ? addrconf_rs_timer+0x660/0x660 + ? addrconf_dad_work+0x73c/0x10e0 + addrconf_dad_work+0x73c/0x10e0 + +Allowing high order page allocation could fix this problem. + +The Linux kernel CVE team has assigned CVE-2021-47146 to this issue. + + +Affected and fixed versions +=========================== + + Issue introduced in 2.6.35 with commit 72e09ad107e7 and fixed in 4.4.271 with commit 0e35b7457b7b + Issue introduced in 2.6.35 with commit 72e09ad107e7 and fixed in 4.9.271 with commit 17728616a4c8 + Issue introduced in 2.6.35 with commit 72e09ad107e7 and fixed in 4.14.235 with commit 221142038f36 + Issue introduced in 2.6.35 with commit 72e09ad107e7 and fixed in 4.19.193 with commit 4b77ad909706 + Issue introduced in 2.6.35 with commit 72e09ad107e7 and fixed in 5.4.124 with commit 37d697759958 + Issue introduced in 2.6.35 with commit 72e09ad107e7 and fixed in 5.10.42 with commit beb39adb150f + Issue introduced in 2.6.35 with commit 72e09ad107e7 and fixed in 5.12.9 with commit a76fb9ba5452 + Issue introduced in 2.6.35 with commit 72e09ad107e7 and fixed in 5.13 with commit 020ef930b826 + +Please see https://www.kernel.org for a full list of currently supported +kernel versions by the kernel community. + +Unaffected versions might change over time as fixes are backported to +older supported kernel versions. The official CVE entry at + https://cve.org/CVERecord/?id=CVE-2021-47146 +will be updated if fixes are backported, please check that for the most +up to date information about this issue. + + +Affected files +============== + +The file(s) affected by this issue are: + net/ipv6/mcast.c + + +Mitigation +========== + +The Linux kernel CVE team recommends that you update to the latest +stable kernel version for this, and many other bugfixes. Individual +changes are never tested alone, but rather are part of a larger kernel +release. Cherry-picking individual commits is not recommended or +supported by the Linux kernel community at all. If however, updating to +the latest release is impossible, the individual changes to resolve this +issue can be found at these commits: + https://git.kernel.org/stable/c/0e35b7457b7b6e73ffeaaca1a577fdf1af0feca1 + https://git.kernel.org/stable/c/17728616a4c85baf0edc975c60ba4e4157684d9a + https://git.kernel.org/stable/c/221142038f36d9f28b64e83e954774da4d4ccd17 + https://git.kernel.org/stable/c/4b77ad9097067b31237eeeee0bf70f80849680a0 + https://git.kernel.org/stable/c/37d697759958d111439080bab7e14d2b0e7b39f5 + https://git.kernel.org/stable/c/beb39adb150f8f3b516ddf7c39835a9788704d23 + https://git.kernel.org/stable/c/a76fb9ba545289379acf409653ad5f74417be59c + https://git.kernel.org/stable/c/020ef930b826d21c5446fdc9db80fd72a791bc21 diff --git a/cve/published/2021/CVE-2021-47146.sha1 b/cve/published/2021/CVE-2021-47146.sha1 new file mode 100644 index 00000000..a353d3c1 --- /dev/null +++ b/cve/published/2021/CVE-2021-47146.sha1 @@ -0,0 +1 @@ +020ef930b826d21c5446fdc9db80fd72a791bc21 diff --git a/cve/reserved/2021/CVE-2021-47147 b/cve/published/2021/CVE-2021-47147 index e69de29b..e69de29b 100644 --- a/cve/reserved/2021/CVE-2021-47147 +++ b/cve/published/2021/CVE-2021-47147 diff --git a/cve/published/2021/CVE-2021-47147.json b/cve/published/2021/CVE-2021-47147.json new file mode 100644 index 00000000..f96d05e3 --- /dev/null +++ b/cve/published/2021/CVE-2021-47147.json @@ -0,0 +1,88 @@ +{ + "containers": { + "cna": { + "providerMetadata": { + "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" + }, + "descriptions": [ + { + "lang": "en", + "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nptp: ocp: Fix a resource leak in an error handling path\n\nIf an error occurs after a successful 'pci_ioremap_bar()' call, it must be\nundone by a corresponding 'pci_iounmap()' call, as already done in the\nremove function." + } + ], + "affected": [ + { + "product": "Linux", + "vendor": "Linux", + "defaultStatus": "unaffected", + "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", + "versions": [ + { + "version": "a7e1abad13f3", + "lessThan": "0e38e702f115", + "status": "affected", + "versionType": "git" + }, + { + "version": "a7e1abad13f3", + "lessThan": "9c1bb37f8cad", + "status": "affected", + "versionType": "git" + } + ] + }, + { + "product": "Linux", + "vendor": "Linux", + "defaultStatus": "affected", + "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", + "versions": [ + { + "version": "5.11", + "status": "affected" + }, + { + "version": "0", + "lessThan": "5.11", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.12.9", + "lessThanOrEqual": "5.12.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.13", + "lessThanOrEqual": "*", + "status": "unaffected", + "versionType": "original_commit_for_fix" + } + ] + } + ], + "references": [ + { + "url": "https://git.kernel.org/stable/c/0e38e702f1152479e6afac34f151dbfd99417f99" + }, + { + "url": "https://git.kernel.org/stable/c/9c1bb37f8cad5e2ee1933fa1da9a6baa7876a8e4" + } + ], + "title": "ptp: ocp: Fix a resource leak in an error handling path", + "x_generator": { + "engine": "bippy-b4257b672505" + } + } + }, + "cveMetadata": { + "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", + "cveID": "CVE-2021-47147", + "requesterUserId": "gregkh@kernel.org", + "serial": "1", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.0" +} diff --git a/cve/published/2021/CVE-2021-47147.mbox b/cve/published/2021/CVE-2021-47147.mbox new file mode 100644 index 00000000..3dec2a4f --- /dev/null +++ b/cve/published/2021/CVE-2021-47147.mbox @@ -0,0 +1,66 @@ +From bippy-b4257b672505 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +To: <linux-cve-announce@vger.kernel.org> +Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> +Subject: CVE-2021-47147: ptp: ocp: Fix a resource leak in an error handling path +Message-Id: <2024032559-CVE-2021-47147-e4bc@gregkh> +Content-Length: 1762 +Lines: 49 +X-Developer-Signature: v=1; a=openpgp-sha256; l=1812; + i=gregkh@linuxfoundation.org; h=from:subject:message-id; + bh=iaAwcJStXLsGijtZEpamoNn03lMpcYqNI8vjeFZB/b0=; + b=owGbwMvMwCRo6H6F97bub03G02pJDGmMdu8Zvy2/OtWoVXoSf2p2rRJj5ooW+zeTK1atmeu5X + PJ+oodWRywLgyATg6yYIsuXbTxH91ccUvQytD0NM4eVCWQIAxenAEzEzoNhnk77mbqdio/Tb++b + OMOVubLQWTGwmGGecvy9fqnnckYu9Wdq1Z8unjZxn5Y1AA== +X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp; + fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29 + +Description +=========== + +In the Linux kernel, the following vulnerability has been resolved: + +ptp: ocp: Fix a resource leak in an error handling path + +If an error occurs after a successful 'pci_ioremap_bar()' call, it must be +undone by a corresponding 'pci_iounmap()' call, as already done in the +remove function. + +The Linux kernel CVE team has assigned CVE-2021-47147 to this issue. + + +Affected and fixed versions +=========================== + + Issue introduced in 5.11 with commit a7e1abad13f3 and fixed in 5.12.9 with commit 0e38e702f115 + Issue introduced in 5.11 with commit a7e1abad13f3 and fixed in 5.13 with commit 9c1bb37f8cad + +Please see https://www.kernel.org for a full list of currently supported +kernel versions by the kernel community. + +Unaffected versions might change over time as fixes are backported to +older supported kernel versions. The official CVE entry at + https://cve.org/CVERecord/?id=CVE-2021-47147 +will be updated if fixes are backported, please check that for the most +up to date information about this issue. + + +Affected files +============== + +The file(s) affected by this issue are: + drivers/ptp/ptp_ocp.c + + +Mitigation +========== + +The Linux kernel CVE team recommends that you update to the latest +stable kernel version for this, and many other bugfixes. Individual +changes are never tested alone, but rather are part of a larger kernel +release. Cherry-picking individual commits is not recommended or +supported by the Linux kernel community at all. If however, updating to +the latest release is impossible, the individual changes to resolve this +issue can be found at these commits: + https://git.kernel.org/stable/c/0e38e702f1152479e6afac34f151dbfd99417f99 + https://git.kernel.org/stable/c/9c1bb37f8cad5e2ee1933fa1da9a6baa7876a8e4 diff --git a/cve/published/2021/CVE-2021-47147.sha1 b/cve/published/2021/CVE-2021-47147.sha1 new file mode 100644 index 00000000..dc0c2f14 --- /dev/null +++ b/cve/published/2021/CVE-2021-47147.sha1 @@ -0,0 +1 @@ +9c1bb37f8cad5e2ee1933fa1da9a6baa7876a8e4 diff --git a/cve/reserved/2021/CVE-2021-47148 b/cve/published/2021/CVE-2021-47148 index e69de29b..e69de29b 100644 --- a/cve/reserved/2021/CVE-2021-47148 +++ b/cve/published/2021/CVE-2021-47148 diff --git a/cve/published/2021/CVE-2021-47148.json b/cve/published/2021/CVE-2021-47148.json new file mode 100644 index 00000000..34a45d6a --- /dev/null +++ b/cve/published/2021/CVE-2021-47148.json @@ -0,0 +1,88 @@ +{ + "containers": { + "cna": { + "providerMetadata": { + "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" + }, + "descriptions": [ + { + "lang": "en", + "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-pf: fix a buffer overflow in otx2_set_rxfh_context()\n\nThis function is called from ethtool_set_rxfh() and \"*rss_context\"\ncomes from the user. Add some bounds checking to prevent memory\ncorruption." + } + ], + "affected": [ + { + "product": "Linux", + "vendor": "Linux", + "defaultStatus": "unaffected", + "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", + "versions": [ + { + "version": "81a4362016e7", + "lessThan": "389146bc6d2b", + "status": "affected", + "versionType": "git" + }, + { + "version": "81a4362016e7", + "lessThan": "e5cc361e2164", + "status": "affected", + "versionType": "git" + } + ] + }, + { + "product": "Linux", + "vendor": "Linux", + "defaultStatus": "affected", + "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", + "versions": [ + { + "version": "5.12", + "status": "affected" + }, + { + "version": "0", + "lessThan": "5.12", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.12.9", + "lessThanOrEqual": "5.12.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.13", + "lessThanOrEqual": "*", + "status": "unaffected", + "versionType": "original_commit_for_fix" + } + ] + } + ], + "references": [ + { + "url": "https://git.kernel.org/stable/c/389146bc6d2bbb20714d06624b74856320ce40f7" + }, + { + "url": "https://git.kernel.org/stable/c/e5cc361e21648b75f935f9571d4003aaee480214" + } + ], + "title": "octeontx2-pf: fix a buffer overflow in otx2_set_rxfh_context()", + "x_generator": { + "engine": "bippy-b4257b672505" + } + } + }, + "cveMetadata": { + "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", + "cveID": "CVE-2021-47148", + "requesterUserId": "gregkh@kernel.org", + "serial": "1", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.0" +} diff --git a/cve/published/2021/CVE-2021-47148.mbox b/cve/published/2021/CVE-2021-47148.mbox new file mode 100644 index 00000000..97d190c4 --- /dev/null +++ b/cve/published/2021/CVE-2021-47148.mbox @@ -0,0 +1,66 @@ +From bippy-b4257b672505 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +To: <linux-cve-announce@vger.kernel.org> +Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> +Subject: CVE-2021-47148: octeontx2-pf: fix a buffer overflow in otx2_set_rxfh_context() +Message-Id: <2024032559-CVE-2021-47148-502f@gregkh> +Content-Length: 1786 +Lines: 49 +X-Developer-Signature: v=1; a=openpgp-sha256; l=1836; + i=gregkh@linuxfoundation.org; h=from:subject:message-id; + bh=SVSEBBHxj9XBZ05LM1gVfIFOGoPP5hknYxEtbvByYr8=; + b=owGbwMvMwCRo6H6F97bub03G02pJDGmMdu+d51x46ryqnJ+pXjonapP0C38xubXiK+NrDlw8V + yCj1rq7I5aFQZCJQVZMkeXLNp6j+ysOKXoZ2p6GmcPKBDKEgYtTACay/D/D/JSri/dlmbUW3v04 + f6Lijtqn2X4L4xnm1z1NFxS4/U6Awe/Gn6vqtWGXUh+uAQA= +X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp; + fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29 + +Description +=========== + +In the Linux kernel, the following vulnerability has been resolved: + +octeontx2-pf: fix a buffer overflow in otx2_set_rxfh_context() + +This function is called from ethtool_set_rxfh() and "*rss_context" +comes from the user. Add some bounds checking to prevent memory +corruption. + +The Linux kernel CVE team has assigned CVE-2021-47148 to this issue. + + +Affected and fixed versions +=========================== + + Issue introduced in 5.12 with commit 81a4362016e7 and fixed in 5.12.9 with commit 389146bc6d2b + Issue introduced in 5.12 with commit 81a4362016e7 and fixed in 5.13 with commit e5cc361e2164 + +Please see https://www.kernel.org for a full list of currently supported +kernel versions by the kernel community. + +Unaffected versions might change over time as fixes are backported to +older supported kernel versions. The official CVE entry at + https://cve.org/CVERecord/?id=CVE-2021-47148 +will be updated if fixes are backported, please check that for the most +up to date information about this issue. + + +Affected files +============== + +The file(s) affected by this issue are: + drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c + + +Mitigation +========== + +The Linux kernel CVE team recommends that you update to the latest +stable kernel version for this, and many other bugfixes. Individual +changes are never tested alone, but rather are part of a larger kernel +release. Cherry-picking individual commits is not recommended or +supported by the Linux kernel community at all. If however, updating to +the latest release is impossible, the individual changes to resolve this +issue can be found at these commits: + https://git.kernel.org/stable/c/389146bc6d2bbb20714d06624b74856320ce40f7 + https://git.kernel.org/stable/c/e5cc361e21648b75f935f9571d4003aaee480214 diff --git a/cve/published/2021/CVE-2021-47148.sha1 b/cve/published/2021/CVE-2021-47148.sha1 new file mode 100644 index 00000000..90d8a9f1 --- /dev/null +++ b/cve/published/2021/CVE-2021-47148.sha1 @@ -0,0 +1 @@ +e5cc361e21648b75f935f9571d4003aaee480214 diff --git a/cve/reserved/2021/CVE-2021-47149 b/cve/published/2021/CVE-2021-47149 index e69de29b..e69de29b 100644 --- a/cve/reserved/2021/CVE-2021-47149 +++ b/cve/published/2021/CVE-2021-47149 diff --git a/cve/published/2021/CVE-2021-47149.json b/cve/published/2021/CVE-2021-47149.json new file mode 100644 index 00000000..b2f42835 --- /dev/null +++ b/cve/published/2021/CVE-2021-47149.json @@ -0,0 +1,168 @@ +{ + "containers": { + "cna": { + "providerMetadata": { + "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" + }, + "descriptions": [ + { + "lang": "en", + "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fujitsu: fix potential null-ptr-deref\n\nIn fmvj18x_get_hwinfo(), if ioremap fails there will be NULL pointer\nderef. To fix this, check the return value of ioremap and return -1\nto the caller in case of failure." + } + ], + "affected": [ + { + "product": "Linux", + "vendor": "Linux", + "defaultStatus": "unaffected", + "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", + "versions": [ + { + "version": "1da177e4c3f4", + "lessThan": "b92170e209f7", + "status": "affected", + "versionType": "git" + }, + { + "version": "1da177e4c3f4", + "lessThan": "6dbf1101594f", + "status": "affected", + "versionType": "git" + }, + { + "version": "1da177e4c3f4", + "lessThan": "c4f1c23edbe9", + "status": "affected", + "versionType": "git" + }, + { + "version": "1da177e4c3f4", + "lessThan": "7883d3895d0f", + "status": "affected", + "versionType": "git" + }, + { + "version": "1da177e4c3f4", + "lessThan": "22049c3d40f0", + "status": "affected", + "versionType": "git" + }, + { + "version": "1da177e4c3f4", + "lessThan": "71723a796ab7", + "status": "affected", + "versionType": "git" + }, + { + "version": "1da177e4c3f4", + "lessThan": "f14bf57a0877", + "status": "affected", + "versionType": "git" + }, + { + "version": "1da177e4c3f4", + "lessThan": "52202be1cd99", + "status": "affected", + "versionType": "git" + } + ] + }, + { + "product": "Linux", + "vendor": "Linux", + "defaultStatus": "affected", + "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", + "versions": [ + { + "version": "4.4.271", + "lessThanOrEqual": "4.4.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "4.9.271", + "lessThanOrEqual": "4.9.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "4.14.235", + "lessThanOrEqual": "4.14.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "4.19.193", + "lessThanOrEqual": "4.19.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.4.124", + "lessThanOrEqual": "5.4.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.10.42", + "lessThanOrEqual": "5.10.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.12.9", + "lessThanOrEqual": "5.12.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.13", + "lessThanOrEqual": "*", + "status": "unaffected", + "versionType": "original_commit_for_fix" + } + ] + } + ], + "references": [ + { + "url": "https://git.kernel.org/stable/c/b92170e209f7746ed72eaac98f2c2f4b9af734e6" + }, + { + "url": "https://git.kernel.org/stable/c/6dbf1101594f7c76990b63c35b5a40205a914b6b" + }, + { + "url": "https://git.kernel.org/stable/c/c4f1c23edbe921ab2ecd6140d700e756cd44c5f7" + }, + { + "url": "https://git.kernel.org/stable/c/7883d3895d0fbb0ba9bff0f8665f99974b45210f" + }, + { + "url": "https://git.kernel.org/stable/c/22049c3d40f08facd1867548716a484dad6b3251" + }, + { + "url": "https://git.kernel.org/stable/c/71723a796ab7881f491d663c6cd94b29be5fba50" + }, + { + "url": "https://git.kernel.org/stable/c/f14bf57a08779a5dee9936f63ada0149ea89c5e6" + }, + { + "url": "https://git.kernel.org/stable/c/52202be1cd996cde6e8969a128dc27ee45a7cb5e" + } + ], + "title": "net: fujitsu: fix potential null-ptr-deref", + "x_generator": { + "engine": "bippy-b4257b672505" + } + } + }, + "cveMetadata": { + "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", + "cveID": "CVE-2021-47149", + "requesterUserId": "gregkh@kernel.org", + "serial": "1", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.0" +} diff --git a/cve/published/2021/CVE-2021-47149.mbox b/cve/published/2021/CVE-2021-47149.mbox new file mode 100644 index 00000000..1f2b7af9 --- /dev/null +++ b/cve/published/2021/CVE-2021-47149.mbox @@ -0,0 +1,78 @@ +From bippy-b4257b672505 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +To: <linux-cve-announce@vger.kernel.org> +Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> +Subject: CVE-2021-47149: net: fujitsu: fix potential null-ptr-deref +Message-Id: <2024032500-CVE-2021-47149-b998@gregkh> +Content-Length: 2373 +Lines: 61 +X-Developer-Signature: v=1; a=openpgp-sha256; l=2435; + i=gregkh@linuxfoundation.org; h=from:subject:message-id; + bh=wUAw6SMyzWs0IxiqzxlEvxzrMJ1biCx66Sc0TSddaLA=; + b=owGbwMvMwCRo6H6F97bub03G02pJDGmMdh9636nlpO6Pv8UiGnbgmJTvktL/ETK3t2/vuWkXU + qQa9+tGRywLgyATg6yYIsuXbTxH91ccUvQytD0NM4eVCWQIAxenAEzkrirD/NJe/ullJ7bfXtmo + uXvOqplf5t21yGOY77poI+dr9rPVbtMeneDQuR0ytybiBAA= +X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp; + fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29 + +Description +=========== + +In the Linux kernel, the following vulnerability has been resolved: + +net: fujitsu: fix potential null-ptr-deref + +In fmvj18x_get_hwinfo(), if ioremap fails there will be NULL pointer +deref. To fix this, check the return value of ioremap and return -1 +to the caller in case of failure. + +The Linux kernel CVE team has assigned CVE-2021-47149 to this issue. + + +Affected and fixed versions +=========================== + + Fixed in 4.4.271 with commit b92170e209f7 + Fixed in 4.9.271 with commit 6dbf1101594f + Fixed in 4.14.235 with commit c4f1c23edbe9 + Fixed in 4.19.193 with commit 7883d3895d0f + Fixed in 5.4.124 with commit 22049c3d40f0 + Fixed in 5.10.42 with commit 71723a796ab7 + Fixed in 5.12.9 with commit f14bf57a0877 + Fixed in 5.13 with commit 52202be1cd99 + +Please see https://www.kernel.org for a full list of currently supported +kernel versions by the kernel community. + +Unaffected versions might change over time as fixes are backported to +older supported kernel versions. The official CVE entry at + https://cve.org/CVERecord/?id=CVE-2021-47149 +will be updated if fixes are backported, please check that for the most +up to date information about this issue. + + +Affected files +============== + +The file(s) affected by this issue are: + drivers/net/ethernet/fujitsu/fmvj18x_cs.c + + +Mitigation +========== + +The Linux kernel CVE team recommends that you update to the latest +stable kernel version for this, and many other bugfixes. Individual +changes are never tested alone, but rather are part of a larger kernel +release. Cherry-picking individual commits is not recommended or +supported by the Linux kernel community at all. If however, updating to +the latest release is impossible, the individual changes to resolve this +issue can be found at these commits: + https://git.kernel.org/stable/c/b92170e209f7746ed72eaac98f2c2f4b9af734e6 + https://git.kernel.org/stable/c/6dbf1101594f7c76990b63c35b5a40205a914b6b + https://git.kernel.org/stable/c/c4f1c23edbe921ab2ecd6140d700e756cd44c5f7 + https://git.kernel.org/stable/c/7883d3895d0fbb0ba9bff0f8665f99974b45210f + https://git.kernel.org/stable/c/22049c3d40f08facd1867548716a484dad6b3251 + https://git.kernel.org/stable/c/71723a796ab7881f491d663c6cd94b29be5fba50 + https://git.kernel.org/stable/c/f14bf57a08779a5dee9936f63ada0149ea89c5e6 + https://git.kernel.org/stable/c/52202be1cd996cde6e8969a128dc27ee45a7cb5e diff --git a/cve/published/2021/CVE-2021-47149.sha1 b/cve/published/2021/CVE-2021-47149.sha1 new file mode 100644 index 00000000..db09bad1 --- /dev/null +++ b/cve/published/2021/CVE-2021-47149.sha1 @@ -0,0 +1 @@ +52202be1cd996cde6e8969a128dc27ee45a7cb5e diff --git a/cve/reserved/2021/CVE-2021-47150 b/cve/published/2021/CVE-2021-47150 index e69de29b..e69de29b 100644 --- a/cve/reserved/2021/CVE-2021-47150 +++ b/cve/published/2021/CVE-2021-47150 diff --git a/cve/published/2021/CVE-2021-47150.json b/cve/published/2021/CVE-2021-47150.json new file mode 100644 index 00000000..33d44547 --- /dev/null +++ b/cve/published/2021/CVE-2021-47150.json @@ -0,0 +1,133 @@ +{ + "containers": { + "cna": { + "providerMetadata": { + "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" + }, + "descriptions": [ + { + "lang": "en", + "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fec: fix the potential memory leak in fec_enet_init()\n\nIf the memory allocated for cbd_base is failed, it should\nfree the memory allocated for the queues, otherwise it causes\nmemory leak.\n\nAnd if the memory allocated for the queues is failed, it can\nreturn error directly." + } + ], + "affected": [ + { + "product": "Linux", + "vendor": "Linux", + "defaultStatus": "unaffected", + "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", + "versions": [ + { + "version": "59d0f7465644", + "lessThan": "15102886bc8f", + "status": "affected", + "versionType": "git" + }, + { + "version": "59d0f7465644", + "lessThan": "20255d41ac56", + "status": "affected", + "versionType": "git" + }, + { + "version": "59d0f7465644", + "lessThan": "8ee7ef4a57a9", + "status": "affected", + "versionType": "git" + }, + { + "version": "59d0f7465644", + "lessThan": "32a1777fd113", + "status": "affected", + "versionType": "git" + }, + { + "version": "59d0f7465644", + "lessThan": "619fee9eb13b", + "status": "affected", + "versionType": "git" + } + ] + }, + { + "product": "Linux", + "vendor": "Linux", + "defaultStatus": "affected", + "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", + "versions": [ + { + "version": "3.18", + "status": "affected" + }, + { + "version": "0", + "lessThan": "3.18", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "4.19.193", + "lessThanOrEqual": "4.19.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.4.124", + "lessThanOrEqual": "5.4.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.10.42", + "lessThanOrEqual": "5.10.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.12.9", + "lessThanOrEqual": "5.12.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.13", + "lessThanOrEqual": "*", + "status": "unaffected", + "versionType": "original_commit_for_fix" + } + ] + } + ], + "references": [ + { + "url": "https://git.kernel.org/stable/c/15102886bc8f5f29daaadf2d925591d564c17e9f" + }, + { + "url": "https://git.kernel.org/stable/c/20255d41ac560397b6a07d8d87dcc5e2efc7672a" + }, + { + "url": "https://git.kernel.org/stable/c/8ee7ef4a57a9e1228b6f345aaa70aa8951c7e9cd" + }, + { + "url": "https://git.kernel.org/stable/c/32a1777fd113335c3f70dc445dffee0ad1c6870f" + }, + { + "url": "https://git.kernel.org/stable/c/619fee9eb13b5d29e4267cb394645608088c28a8" + } + ], + "title": "net: fec: fix the potential memory leak in fec_enet_init()", + "x_generator": { + "engine": "bippy-b4257b672505" + } + } + }, + "cveMetadata": { + "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", + "cveID": "CVE-2021-47150", + "requesterUserId": "gregkh@kernel.org", + "serial": "1", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.0" +} diff --git a/cve/published/2021/CVE-2021-47150.mbox b/cve/published/2021/CVE-2021-47150.mbox new file mode 100644 index 00000000..5150cc2c --- /dev/null +++ b/cve/published/2021/CVE-2021-47150.mbox @@ -0,0 +1,75 @@ +From bippy-b4257b672505 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +To: <linux-cve-announce@vger.kernel.org> +Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> +Subject: CVE-2021-47150: net: fec: fix the potential memory leak in fec_enet_init() +Message-Id: <2024032500-CVE-2021-47150-f066@gregkh> +Content-Length: 2354 +Lines: 58 +X-Developer-Signature: v=1; a=openpgp-sha256; l=2413; + i=gregkh@linuxfoundation.org; h=from:subject:message-id; + bh=ylRrfUvpw/V8G4BDNhEmnRSCiFxTruPsKg1Q9pOSByo=; + b=owGbwMvMwCRo6H6F97bub03G02pJDGmMdh88mOa0yCu2ctgvXvGjcu/73Q6bq9deur/AtSPFs + 7zx+rNzHbEsDIJMDLJiiixftvEc3V9xSNHL0PY0zBxWJpAhDFycAjCRx8oM86sYjzA5vX77JaJy + xpQfks4pihvrmRjmx9mXt5uWtRisc2i71W07JTDlka8wAA== +X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp; + fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29 + +Description +=========== + +In the Linux kernel, the following vulnerability has been resolved: + +net: fec: fix the potential memory leak in fec_enet_init() + +If the memory allocated for cbd_base is failed, it should +free the memory allocated for the queues, otherwise it causes +memory leak. + +And if the memory allocated for the queues is failed, it can +return error directly. + +The Linux kernel CVE team has assigned CVE-2021-47150 to this issue. + + +Affected and fixed versions +=========================== + + Issue introduced in 3.18 with commit 59d0f7465644 and fixed in 4.19.193 with commit 15102886bc8f + Issue introduced in 3.18 with commit 59d0f7465644 and fixed in 5.4.124 with commit 20255d41ac56 + Issue introduced in 3.18 with commit 59d0f7465644 and fixed in 5.10.42 with commit 8ee7ef4a57a9 + Issue introduced in 3.18 with commit 59d0f7465644 and fixed in 5.12.9 with commit 32a1777fd113 + Issue introduced in 3.18 with commit 59d0f7465644 and fixed in 5.13 with commit 619fee9eb13b + +Please see https://www.kernel.org for a full list of currently supported +kernel versions by the kernel community. + +Unaffected versions might change over time as fixes are backported to +older supported kernel versions. The official CVE entry at + https://cve.org/CVERecord/?id=CVE-2021-47150 +will be updated if fixes are backported, please check that for the most +up to date information about this issue. + + +Affected files +============== + +The file(s) affected by this issue are: + drivers/net/ethernet/freescale/fec_main.c + + +Mitigation +========== + +The Linux kernel CVE team recommends that you update to the latest +stable kernel version for this, and many other bugfixes. Individual +changes are never tested alone, but rather are part of a larger kernel +release. Cherry-picking individual commits is not recommended or +supported by the Linux kernel community at all. If however, updating to +the latest release is impossible, the individual changes to resolve this +issue can be found at these commits: + https://git.kernel.org/stable/c/15102886bc8f5f29daaadf2d925591d564c17e9f + https://git.kernel.org/stable/c/20255d41ac560397b6a07d8d87dcc5e2efc7672a + https://git.kernel.org/stable/c/8ee7ef4a57a9e1228b6f345aaa70aa8951c7e9cd + https://git.kernel.org/stable/c/32a1777fd113335c3f70dc445dffee0ad1c6870f + https://git.kernel.org/stable/c/619fee9eb13b5d29e4267cb394645608088c28a8 diff --git a/cve/published/2021/CVE-2021-47150.sha1 b/cve/published/2021/CVE-2021-47150.sha1 new file mode 100644 index 00000000..c3508b51 --- /dev/null +++ b/cve/published/2021/CVE-2021-47150.sha1 @@ -0,0 +1 @@ +619fee9eb13b5d29e4267cb394645608088c28a8 diff --git a/cve/reserved/2021/CVE-2021-47151 b/cve/published/2021/CVE-2021-47151 index e69de29b..e69de29b 100644 --- a/cve/reserved/2021/CVE-2021-47151 +++ b/cve/published/2021/CVE-2021-47151 diff --git a/cve/published/2021/CVE-2021-47151.json b/cve/published/2021/CVE-2021-47151.json new file mode 100644 index 00000000..3be9582a --- /dev/null +++ b/cve/published/2021/CVE-2021-47151.json @@ -0,0 +1,103 @@ +{ + "containers": { + "cna": { + "providerMetadata": { + "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" + }, + "descriptions": [ + { + "lang": "en", + "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ninterconnect: qcom: bcm-voter: add a missing of_node_put()\n\nAdd a missing of_node_put() in of_bcm_voter_get() to avoid the\nreference leak." + } + ], + "affected": [ + { + "product": "Linux", + "vendor": "Linux", + "defaultStatus": "unaffected", + "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", + "versions": [ + { + "version": "976daac4a1c5", + "lessThan": "4e3cea8035b6", + "status": "affected", + "versionType": "git" + }, + { + "version": "976daac4a1c5", + "lessThan": "93d1dbe7043b", + "status": "affected", + "versionType": "git" + }, + { + "version": "976daac4a1c5", + "lessThan": "a00593737f8b", + "status": "affected", + "versionType": "git" + } + ] + }, + { + "product": "Linux", + "vendor": "Linux", + "defaultStatus": "affected", + "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", + "versions": [ + { + "version": "5.7", + "status": "affected" + }, + { + "version": "0", + "lessThan": "5.7", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.10.42", + "lessThanOrEqual": "5.10.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.12.9", + "lessThanOrEqual": "5.12.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.13", + "lessThanOrEqual": "*", + "status": "unaffected", + "versionType": "original_commit_for_fix" + } + ] + } + ], + "references": [ + { + "url": "https://git.kernel.org/stable/c/4e3cea8035b6f1b9055e69cc6ebf9fa4e50763ae" + }, + { + "url": "https://git.kernel.org/stable/c/93d1dbe7043b3c9492bdf396b2e98a008435b55b" + }, + { + "url": "https://git.kernel.org/stable/c/a00593737f8bac2c9e97b696e7ff84a4446653e8" + } + ], + "title": "interconnect: qcom: bcm-voter: add a missing of_node_put()", + "x_generator": { + "engine": "bippy-b4257b672505" + } + } + }, + "cveMetadata": { + "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", + "cveID": "CVE-2021-47151", + "requesterUserId": "gregkh@kernel.org", + "serial": "1", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.0" +} diff --git a/cve/published/2021/CVE-2021-47151.mbox b/cve/published/2021/CVE-2021-47151.mbox new file mode 100644 index 00000000..d5df2ea4 --- /dev/null +++ b/cve/published/2021/CVE-2021-47151.mbox @@ -0,0 +1,67 @@ +From bippy-b4257b672505 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +To: <linux-cve-announce@vger.kernel.org> +Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> +Subject: CVE-2021-47151: interconnect: qcom: bcm-voter: add a missing of_node_put() +Message-Id: <2024032500-CVE-2021-47151-2551@gregkh> +Content-Length: 1865 +Lines: 50 +X-Developer-Signature: v=1; a=openpgp-sha256; l=1916; + i=gregkh@linuxfoundation.org; h=from:subject:message-id; + bh=PyvxHNdG3chAQZDrz/K9BBRASUxawE/tNC+0k9cMwCQ=; + b=owGbwMvMwCRo6H6F97bub03G02pJDGmMdh9mbFA6NldF9cb0Nif3sto79x8e6jfJuzZvWY3uw + 16fF7k3OmJZGASZGGTFFFm+bOM5ur/ikKKXoe1pmDmsTCBDGLg4BWAi05YyLNh1+a6kwvQvD9fm + 1E6cYuzN63JpQxLDgsVn+vounTJ211fe3Wu77M3vIv8prAA= +X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp; + fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29 + +Description +=========== + +In the Linux kernel, the following vulnerability has been resolved: + +interconnect: qcom: bcm-voter: add a missing of_node_put() + +Add a missing of_node_put() in of_bcm_voter_get() to avoid the +reference leak. + +The Linux kernel CVE team has assigned CVE-2021-47151 to this issue. + + +Affected and fixed versions +=========================== + + Issue introduced in 5.7 with commit 976daac4a1c5 and fixed in 5.10.42 with commit 4e3cea8035b6 + Issue introduced in 5.7 with commit 976daac4a1c5 and fixed in 5.12.9 with commit 93d1dbe7043b + Issue introduced in 5.7 with commit 976daac4a1c5 and fixed in 5.13 with commit a00593737f8b + +Please see https://www.kernel.org for a full list of currently supported +kernel versions by the kernel community. + +Unaffected versions might change over time as fixes are backported to +older supported kernel versions. The official CVE entry at + https://cve.org/CVERecord/?id=CVE-2021-47151 +will be updated if fixes are backported, please check that for the most +up to date information about this issue. + + +Affected files +============== + +The file(s) affected by this issue are: + drivers/interconnect/qcom/bcm-voter.c + + +Mitigation +========== + +The Linux kernel CVE team recommends that you update to the latest +stable kernel version for this, and many other bugfixes. Individual +changes are never tested alone, but rather are part of a larger kernel +release. Cherry-picking individual commits is not recommended or +supported by the Linux kernel community at all. If however, updating to +the latest release is impossible, the individual changes to resolve this +issue can be found at these commits: + https://git.kernel.org/stable/c/4e3cea8035b6f1b9055e69cc6ebf9fa4e50763ae + https://git.kernel.org/stable/c/93d1dbe7043b3c9492bdf396b2e98a008435b55b + https://git.kernel.org/stable/c/a00593737f8bac2c9e97b696e7ff84a4446653e8 diff --git a/cve/published/2021/CVE-2021-47151.sha1 b/cve/published/2021/CVE-2021-47151.sha1 new file mode 100644 index 00000000..67bc8e59 --- /dev/null +++ b/cve/published/2021/CVE-2021-47151.sha1 @@ -0,0 +1 @@ +a00593737f8bac2c9e97b696e7ff84a4446653e8 diff --git a/cve/reserved/2021/CVE-2021-47152 b/cve/published/2021/CVE-2021-47152 index e69de29b..e69de29b 100644 --- a/cve/reserved/2021/CVE-2021-47152 +++ b/cve/published/2021/CVE-2021-47152 diff --git a/cve/published/2021/CVE-2021-47152.json b/cve/published/2021/CVE-2021-47152.json new file mode 100644 index 00000000..2c484217 --- /dev/null +++ b/cve/published/2021/CVE-2021-47152.json @@ -0,0 +1,103 @@ +{ + "containers": { + "cna": { + "providerMetadata": { + "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" + }, + "descriptions": [ + { + "lang": "en", + "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix data stream corruption\n\nMaxim reported several issues when forcing a TCP transparent proxy\nto use the MPTCP protocol for the inbound connections. He also\nprovided a clean reproducer.\n\nThe problem boils down to 'mptcp_frag_can_collapse_to()' assuming\nthat only MPTCP will use the given page_frag.\n\nIf others - e.g. the plain TCP protocol - allocate page fragments,\nwe can end-up re-using already allocated memory for mptcp_data_frag.\n\nFix the issue ensuring that the to-be-expanded data fragment is\nlocated at the current page frag end.\n\nv1 -> v2:\n - added missing fixes tag (Mat)" + } + ], + "affected": [ + { + "product": "Linux", + "vendor": "Linux", + "defaultStatus": "unaffected", + "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", + "versions": [ + { + "version": "18b683bff89d", + "lessThan": "3267a061096e", + "status": "affected", + "versionType": "git" + }, + { + "version": "18b683bff89d", + "lessThan": "18e7f0580da1", + "status": "affected", + "versionType": "git" + }, + { + "version": "18b683bff89d", + "lessThan": "29249eac5225", + "status": "affected", + "versionType": "git" + } + ] + }, + { + "product": "Linux", + "vendor": "Linux", + "defaultStatus": "affected", + "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", + "versions": [ + { + "version": "5.7", + "status": "affected" + }, + { + "version": "0", + "lessThan": "5.7", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.10.42", + "lessThanOrEqual": "5.10.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.12.9", + "lessThanOrEqual": "5.12.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.13", + "lessThanOrEqual": "*", + "status": "unaffected", + "versionType": "original_commit_for_fix" + } + ] + } + ], + "references": [ + { + "url": "https://git.kernel.org/stable/c/3267a061096efc91eda52c2a0c61ba76e46e4b34" + }, + { + "url": "https://git.kernel.org/stable/c/18e7f0580da15cac1e79d73683ada5a9e70980f8" + }, + { + "url": "https://git.kernel.org/stable/c/29249eac5225429b898f278230a6ca2baa1ae154" + } + ], + "title": "mptcp: fix data stream corruption", + "x_generator": { + "engine": "bippy-b4257b672505" + } + } + }, + "cveMetadata": { + "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", + "cveID": "CVE-2021-47152", + "requesterUserId": "gregkh@kernel.org", + "serial": "1", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.0" +} diff --git a/cve/published/2021/CVE-2021-47152.mbox b/cve/published/2021/CVE-2021-47152.mbox new file mode 100644 index 00000000..378760b2 --- /dev/null +++ b/cve/published/2021/CVE-2021-47152.mbox @@ -0,0 +1,80 @@ +From bippy-b4257b672505 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +To: <linux-cve-announce@vger.kernel.org> +Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> +Subject: CVE-2021-47152: mptcp: fix data stream corruption +Message-Id: <2024032500-CVE-2021-47152-a386@gregkh> +Content-Length: 2300 +Lines: 63 +X-Developer-Signature: v=1; a=openpgp-sha256; l=2364; + i=gregkh@linuxfoundation.org; h=from:subject:message-id; + bh=l7YdC6Zpg2v6VlhvJzzjMd0cNf/11ioYas1bHR5rJJs=; + b=owGbwMvMwCRo6H6F97bub03G02pJDGmMdh+6mze+n6B0OTd5yzPfn46GhYy3M9+rMWstP2cyK + fiXq+WzjlgWBkEmBlkxRZYv23iO7q84pOhlaHsaZg4rE8gQBi5OAZhI7SOG+a6K6R09NdmJ+Rn3 + JF31C6f+OV/IwjA/62/40j6bLy85fa9H8b0022UdP+c7AA== +X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp; + fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29 + +Description +=========== + +In the Linux kernel, the following vulnerability has been resolved: + +mptcp: fix data stream corruption + +Maxim reported several issues when forcing a TCP transparent proxy +to use the MPTCP protocol for the inbound connections. He also +provided a clean reproducer. + +The problem boils down to 'mptcp_frag_can_collapse_to()' assuming +that only MPTCP will use the given page_frag. + +If others - e.g. the plain TCP protocol - allocate page fragments, +we can end-up re-using already allocated memory for mptcp_data_frag. + +Fix the issue ensuring that the to-be-expanded data fragment is +located at the current page frag end. + +v1 -> v2: + - added missing fixes tag (Mat) + +The Linux kernel CVE team has assigned CVE-2021-47152 to this issue. + + +Affected and fixed versions +=========================== + + Issue introduced in 5.7 with commit 18b683bff89d and fixed in 5.10.42 with commit 3267a061096e + Issue introduced in 5.7 with commit 18b683bff89d and fixed in 5.12.9 with commit 18e7f0580da1 + Issue introduced in 5.7 with commit 18b683bff89d and fixed in 5.13 with commit 29249eac5225 + +Please see https://www.kernel.org for a full list of currently supported +kernel versions by the kernel community. + +Unaffected versions might change over time as fixes are backported to +older supported kernel versions. The official CVE entry at + https://cve.org/CVERecord/?id=CVE-2021-47152 +will be updated if fixes are backported, please check that for the most +up to date information about this issue. + + +Affected files +============== + +The file(s) affected by this issue are: + net/mptcp/protocol.c + + +Mitigation +========== + +The Linux kernel CVE team recommends that you update to the latest +stable kernel version for this, and many other bugfixes. Individual +changes are never tested alone, but rather are part of a larger kernel +release. Cherry-picking individual commits is not recommended or +supported by the Linux kernel community at all. If however, updating to +the latest release is impossible, the individual changes to resolve this +issue can be found at these commits: + https://git.kernel.org/stable/c/3267a061096efc91eda52c2a0c61ba76e46e4b34 + https://git.kernel.org/stable/c/18e7f0580da15cac1e79d73683ada5a9e70980f8 + https://git.kernel.org/stable/c/29249eac5225429b898f278230a6ca2baa1ae154 diff --git a/cve/published/2021/CVE-2021-47152.sha1 b/cve/published/2021/CVE-2021-47152.sha1 new file mode 100644 index 00000000..e0695627 --- /dev/null +++ b/cve/published/2021/CVE-2021-47152.sha1 @@ -0,0 +1 @@ +29249eac5225429b898f278230a6ca2baa1ae154 diff --git a/cve/reserved/2021/CVE-2021-47153 b/cve/published/2021/CVE-2021-47153 index e69de29b..e69de29b 100644 --- a/cve/reserved/2021/CVE-2021-47153 +++ b/cve/published/2021/CVE-2021-47153 diff --git a/cve/published/2021/CVE-2021-47153.json b/cve/published/2021/CVE-2021-47153.json new file mode 100644 index 00000000..a43b80ef --- /dev/null +++ b/cve/published/2021/CVE-2021-47153.json @@ -0,0 +1,178 @@ +{ + "containers": { + "cna": { + "providerMetadata": { + "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" + }, + "descriptions": [ + { + "lang": "en", + "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: i801: Don't generate an interrupt on bus reset\n\nNow that the i2c-i801 driver supports interrupts, setting the KILL bit\nin a attempt to recover from a timed out transaction triggers an\ninterrupt. Unfortunately, the interrupt handler (i801_isr) is not\nprepared for this situation and will try to process the interrupt as\nif it was signaling the end of a successful transaction. In the case\nof a block transaction, this can result in an out-of-range memory\naccess.\n\nThis condition was reproduced several times by syzbot:\nhttps://syzkaller.appspot.com/bug?extid=ed71512d469895b5b34e\nhttps://syzkaller.appspot.com/bug?extid=8c8dedc0ba9e03f6c79e\nhttps://syzkaller.appspot.com/bug?extid=c8ff0b6d6c73d81b610e\nhttps://syzkaller.appspot.com/bug?extid=33f6c360821c399d69eb\nhttps://syzkaller.appspot.com/bug?extid=be15dc0b1933f04b043a\nhttps://syzkaller.appspot.com/bug?extid=b4d3fd1dfd53e90afd79\n\nSo disable interrupts while trying to reset the bus. Interrupts will\nbe enabled again for the following transaction." + } + ], + "affected": [ + { + "product": "Linux", + "vendor": "Linux", + "defaultStatus": "unaffected", + "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", + "versions": [ + { + "version": "636752bcb517", + "lessThan": "f9469082126c", + "status": "affected", + "versionType": "git" + }, + { + "version": "636752bcb517", + "lessThan": "09c9e79f4c10", + "status": "affected", + "versionType": "git" + }, + { + "version": "636752bcb517", + "lessThan": "dfa8929e117b", + "status": "affected", + "versionType": "git" + }, + { + "version": "636752bcb517", + "lessThan": "c70e1ba2e7e6", + "status": "affected", + "versionType": "git" + }, + { + "version": "636752bcb517", + "lessThan": "04cc05e3716a", + "status": "affected", + "versionType": "git" + }, + { + "version": "636752bcb517", + "lessThan": "b523feb7e8e4", + "status": "affected", + "versionType": "git" + }, + { + "version": "636752bcb517", + "lessThan": "1f583d3813f2", + "status": "affected", + "versionType": "git" + }, + { + "version": "636752bcb517", + "lessThan": "e4d8716c3dce", + "status": "affected", + "versionType": "git" + } + ] + }, + { + "product": "Linux", + "vendor": "Linux", + "defaultStatus": "affected", + "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", + "versions": [ + { + "version": "3.6", + "status": "affected" + }, + { + "version": "0", + "lessThan": "3.6", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "4.4.271", + "lessThanOrEqual": "4.4.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "4.9.271", + "lessThanOrEqual": "4.9.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "4.14.235", + "lessThanOrEqual": "4.14.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "4.19.193", + "lessThanOrEqual": "4.19.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.4.124", + "lessThanOrEqual": "5.4.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.10.42", + "lessThanOrEqual": "5.10.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.12.9", + "lessThanOrEqual": "5.12.*", + "status": "unaffected", + "versionType": "custom" + }, + { + "version": "5.13", + "lessThanOrEqual": "*", + "status": "unaffected", + "versionType": "original_commit_for_fix" + } + ] + } + ], + "references": [ + { + "url": "https://git.kernel.org/stable/c/f9469082126cebb7337db3992d143f5e4edfe629" + }, + { + "url": "https://git.kernel.org/stable/c/09c9e79f4c10cfb6b9e0e1b4dd355232e4b5a3b3" + }, + { + "url": "https://git.kernel.org/stable/c/dfa8929e117b0228a7765f5c3f5988a4a028f3c6" + }, + { + "url": "https://git.kernel.org/stable/c/c70e1ba2e7e65255a0ce004f531dd90dada97a8c" + }, + { + "url": "https://git.kernel.org/stable/c/04cc05e3716ae31b17ecdab7bc55c8170def1b8b" + }, + { + "url": "https://git.kernel.org/stable/c/b523feb7e8e44652f92f3babb953a976e7ccbbef" + }, + { + "url": "https://git.kernel.org/stable/c/1f583d3813f204449037cd2acbfc09168171362a" + }, + { + "url": "https://git.kernel.org/stable/c/e4d8716c3dcec47f1557024add24e1f3c09eb24b" + } + ], + "title": "i2c: i801: Don't generate an interrupt on bus reset", + "x_generator": { + "engine": "bippy-b4257b672505" + } + } + }, + "cveMetadata": { + "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", + "cveID": "CVE-2021-47153", + "requesterUserId": "gregkh@kernel.org", + "serial": "1", + "state": "PUBLISHED" + }, + "dataType": "CVE_RECORD", + "dataVersion": "5.0" +} diff --git a/cve/published/2021/CVE-2021-47153.mbox b/cve/published/2021/CVE-2021-47153.mbox new file mode 100644 index 00000000..ea6dc63f --- /dev/null +++ b/cve/published/2021/CVE-2021-47153.mbox @@ -0,0 +1,93 @@ +From bippy-b4257b672505 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +To: <linux-cve-announce@vger.kernel.org> +Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> +Subject: CVE-2021-47153: i2c: i801: Don't generate an interrupt on bus reset +Message-Id: <2024032501-CVE-2021-47153-8c75@gregkh> +Content-Length: 3577 +Lines: 76 +X-Developer-Signature: v=1; a=openpgp-sha256; l=3654; + i=gregkh@linuxfoundation.org; h=from:subject:message-id; + bh=pKQrN0Q45Ouv/ywt08asEYePOyq7e7tvTS7SfRXLEmU=; + b=owGbwMvMwCRo6H6F97bub03G02pJDGmMdh8PNNo+vLVXvK59/0yPDcG5ly6fu3Nh4gZ53+OLQ + 8xuX757rCOWhUGQiUFWTJHlyzaeo/srDil6GdqehpnDygQyhIGLUwAmwuTNsGDFzXlPfLe3T9tw + Y/N7N6/bP70W7FrIMD/x75qtCeWd14vvnzi/lKUytvLBjAwA +X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp; + fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29 + +Description +=========== + +In the Linux kernel, the following vulnerability has been resolved: + +i2c: i801: Don't generate an interrupt on bus reset + +Now that the i2c-i801 driver supports interrupts, setting the KILL bit +in a attempt to recover from a timed out transaction triggers an +interrupt. Unfortunately, the interrupt handler (i801_isr) is not +prepared for this situation and will try to process the interrupt as +if it was signaling the end of a successful transaction. In the case +of a block transaction, this can result in an out-of-range memory +access. + +This condition was reproduced several times by syzbot: +https://syzkaller.appspot.com/bug?extid=ed71512d469895b5b34e +https://syzkaller.appspot.com/bug?extid=8c8dedc0ba9e03f6c79e +https://syzkaller.appspot.com/bug?extid=c8ff0b6d6c73d81b610e +https://syzkaller.appspot.com/bug?extid=33f6c360821c399d69eb +https://syzkaller.appspot.com/bug?extid=be15dc0b1933f04b043a +https://syzkaller.appspot.com/bug?extid=b4d3fd1dfd53e90afd79 + +So disable interrupts while trying to reset the bus. Interrupts will +be enabled again for the following transaction. + +The Linux kernel CVE team has assigned CVE-2021-47153 to this issue. + + +Affected and fixed versions +=========================== + + Issue introduced in 3.6 with commit 636752bcb517 and fixed in 4.4.271 with commit f9469082126c + Issue introduced in 3.6 with commit 636752bcb517 and fixed in 4.9.271 with commit 09c9e79f4c10 + Issue introduced in 3.6 with commit 636752bcb517 and fixed in 4.14.235 with commit dfa8929e117b + Issue introduced in 3.6 with commit 636752bcb517 and fixed in 4.19.193 with commit c70e1ba2e7e6 + Issue introduced in 3.6 with commit 636752bcb517 and fixed in 5.4.124 with commit 04cc05e3716a + Issue introduced in 3.6 with commit 636752bcb517 and fixed in 5.10.42 with commit b523feb7e8e4 + Issue introduced in 3.6 with commit 636752bcb517 and fixed in 5.12.9 with commit 1f583d3813f2 + Issue introduced in 3.6 with commit 636752bcb517 and fixed in 5.13 with commit e4d8716c3dce + +Please see https://www.kernel.org for a full list of currently supported +kernel versions by the kernel community. + +Unaffected versions might change over time as fixes are backported to +older supported kernel versions. The official CVE entry at + https://cve.org/CVERecord/?id=CVE-2021-47153 +will be updated if fixes are backported, please check that for the most +up to date information about this issue. + + +Affected files +============== + +The file(s) affected by this issue are: + drivers/i2c/busses/i2c-i801.c + + +Mitigation +========== + +The Linux kernel CVE team recommends that you update to the latest +stable kernel version for this, and many other bugfixes. Individual +changes are never tested alone, but rather are part of a larger kernel +release. Cherry-picking individual commits is not recommended or +supported by the Linux kernel community at all. If however, updating to +the latest release is impossible, the individual changes to resolve this +issue can be found at these commits: + https://git.kernel.org/stable/c/f9469082126cebb7337db3992d143f5e4edfe629 + https://git.kernel.org/stable/c/09c9e79f4c10cfb6b9e0e1b4dd355232e4b5a3b3 + https://git.kernel.org/stable/c/dfa8929e117b0228a7765f5c3f5988a4a028f3c6 + https://git.kernel.org/stable/c/c70e1ba2e7e65255a0ce004f531dd90dada97a8c + https://git.kernel.org/stable/c/04cc05e3716ae31b17ecdab7bc55c8170def1b8b + https://git.kernel.org/stable/c/b523feb7e8e44652f92f3babb953a976e7ccbbef + https://git.kernel.org/stable/c/1f583d3813f204449037cd2acbfc09168171362a + https://git.kernel.org/stable/c/e4d8716c3dcec47f1557024add24e1f3c09eb24b diff --git a/cve/published/2021/CVE-2021-47153.sha1 b/cve/published/2021/CVE-2021-47153.sha1 new file mode 100644 index 00000000..ff828199 --- /dev/null +++ b/cve/published/2021/CVE-2021-47153.sha1 @@ -0,0 +1 @@ +e4d8716c3dcec47f1557024add24e1f3c09eb24b |