authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>2024-03-15 21:15:51 +0100
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2024-03-15 21:15:51 +0100
commit18e27e4ae84c939fe941db1347256fccbb617688 (patch)
tree08eda1fd3aa870a93a5ee35aa95007e5dd9cd924
parent7c07f0f9a2647fda29d0f6d6ed89842ef9e8804f (diff)
downloadvulns-18e27e4ae84c939fe941db1347256fccbb617688.tar.gz
Published some more gsd->cve entries
-rw-r--r--cve/published/2021/CVE-2021-47109 (renamed from cve/reserved/2021/CVE-2021-47109)0
-rw-r--r--cve/published/2021/CVE-2021-47109.json118
-rw-r--r--cve/published/2021/CVE-2021-47109.mbox74
-rw-r--r--cve/published/2021/CVE-2021-47109.sha11
-rw-r--r--cve/published/2021/CVE-2021-47110 (renamed from cve/reserved/2021/CVE-2021-47110)0
-rw-r--r--cve/published/2021/CVE-2021-47110.json108
-rw-r--r--cve/published/2021/CVE-2021-47110.mbox77
-rw-r--r--cve/published/2021/CVE-2021-47110.sha11
-rw-r--r--cve/published/2021/CVE-2021-47111 (renamed from cve/reserved/2021/CVE-2021-47111)0
-rw-r--r--cve/published/2021/CVE-2021-47111.json103
-rw-r--r--cve/published/2021/CVE-2021-47111.mbox76
-rw-r--r--cve/published/2021/CVE-2021-47111.sha11
-rw-r--r--cve/published/2021/CVE-2021-47112 (renamed from cve/reserved/2021/CVE-2021-47112)0
-rw-r--r--cve/published/2021/CVE-2021-47112.json108
-rw-r--r--cve/published/2021/CVE-2021-47112.mbox74
-rw-r--r--cve/published/2021/CVE-2021-47112.sha11
-rw-r--r--cve/published/2021/CVE-2021-47113 (renamed from cve/reserved/2021/CVE-2021-47113)0
-rw-r--r--cve/published/2021/CVE-2021-47113.json93
-rw-r--r--cve/published/2021/CVE-2021-47113.mbox71
-rw-r--r--cve/published/2021/CVE-2021-47113.sha11
-rw-r--r--cve/published/2021/CVE-2021-47114 (renamed from cve/reserved/2021/CVE-2021-47114)0
-rw-r--r--cve/published/2021/CVE-2021-47114.json168
-rw-r--r--cve/published/2021/CVE-2021-47114.mbox97
-rw-r--r--cve/published/2021/CVE-2021-47114.sha11
-rw-r--r--cve/published/2021/CVE-2021-47115 (renamed from cve/reserved/2021/CVE-2021-47115)0
-rw-r--r--cve/published/2021/CVE-2021-47115.json178
-rw-r--r--cve/published/2021/CVE-2021-47115.mbox94
-rw-r--r--cve/published/2021/CVE-2021-47115.sha11
-rw-r--r--cve/published/2021/CVE-2021-47116 (renamed from cve/reserved/2021/CVE-2021-47116)0
-rw-r--r--cve/published/2021/CVE-2021-47116.json93
-rw-r--r--cve/published/2021/CVE-2021-47116.mbox67
-rw-r--r--cve/published/2021/CVE-2021-47116.sha11
-rw-r--r--cve/published/2021/CVE-2021-47117 (renamed from cve/reserved/2021/CVE-2021-47117)0
-rw-r--r--cve/published/2021/CVE-2021-47117.json168
-rw-r--r--cve/published/2021/CVE-2021-47117.mbox103
-rw-r--r--cve/published/2021/CVE-2021-47117.sha11
-rw-r--r--cve/published/2021/CVE-2021-47118 (renamed from cve/reserved/2021/CVE-2021-47118)0
-rw-r--r--cve/published/2021/CVE-2021-47118.json178
-rw-r--r--cve/published/2021/CVE-2021-47118.mbox174
-rw-r--r--cve/published/2021/CVE-2021-47118.sha11
-rw-r--r--cve/published/2021/CVE-2021-47119 (renamed from cve/reserved/2021/CVE-2021-47119)0
-rw-r--r--cve/published/2021/CVE-2021-47119.json103
-rw-r--r--cve/published/2021/CVE-2021-47119.mbox83
-rw-r--r--cve/published/2021/CVE-2021-47119.sha11
-rw-r--r--cve/published/2021/CVE-2021-47120 (renamed from cve/reserved/2021/CVE-2021-47120)0
-rw-r--r--cve/published/2021/CVE-2021-47120.json118
-rw-r--r--cve/published/2021/CVE-2021-47120.mbox72
-rw-r--r--cve/published/2021/CVE-2021-47120.sha11
-rw-r--r--cve/published/2021/CVE-2021-47121 (renamed from cve/reserved/2021/CVE-2021-47121)0
-rw-r--r--cve/published/2021/CVE-2021-47121.json178
-rw-r--r--cve/published/2021/CVE-2021-47121.mbox79
-rw-r--r--cve/published/2021/CVE-2021-47121.sha11
-rw-r--r--cve/published/2021/CVE-2021-47122 (renamed from cve/reserved/2021/CVE-2021-47122)0
-rw-r--r--cve/published/2021/CVE-2021-47122.json178
-rw-r--r--cve/published/2021/CVE-2021-47122.mbox79
-rw-r--r--cve/published/2021/CVE-2021-47122.sha11
-rw-r--r--cve/published/2021/CVE-2021-47123 (renamed from cve/reserved/2021/CVE-2021-47123)0
-rw-r--r--cve/published/2021/CVE-2021-47123.json88
-rw-r--r--cve/published/2021/CVE-2021-47123.mbox67
-rw-r--r--cve/published/2021/CVE-2021-47123.sha11
-rw-r--r--cve/published/2021/CVE-2021-47124 (renamed from cve/reserved/2021/CVE-2021-47124)0
-rw-r--r--cve/published/2021/CVE-2021-47124.json123
-rw-r--r--cve/published/2021/CVE-2021-47124.mbox87
-rw-r--r--cve/published/2021/CVE-2021-47124.sha11
-rw-r--r--cve/published/2021/CVE-2021-47125 (renamed from cve/reserved/2021/CVE-2021-47125)0
-rw-r--r--cve/published/2021/CVE-2021-47125.json88
-rw-r--r--cve/published/2021/CVE-2021-47125.mbox77
-rw-r--r--cve/published/2021/CVE-2021-47125.sha11
-rw-r--r--cve/published/2021/CVE-2021-47126 (renamed from cve/reserved/2021/CVE-2021-47126)0
-rw-r--r--cve/published/2021/CVE-2021-47126.json118
-rw-r--r--cve/published/2021/CVE-2021-47126.mbox245
-rw-r--r--cve/published/2021/CVE-2021-47126.sha11
-rw-r--r--cve/published/2021/CVE-2021-47127 (renamed from cve/reserved/2021/CVE-2021-47127)0
-rw-r--r--cve/published/2021/CVE-2021-47127.json88
-rw-r--r--cve/published/2021/CVE-2021-47127.mbox116
-rw-r--r--cve/published/2021/CVE-2021-47127.sha11
-rw-r--r--cve/published/2021/CVE-2021-47128 (renamed from cve/reserved/2021/CVE-2021-47128)0
-rw-r--r--cve/published/2021/CVE-2021-47128.json103
-rw-r--r--cve/published/2021/CVE-2021-47128.mbox210
-rw-r--r--cve/published/2021/CVE-2021-47128.sha11
-rw-r--r--cve/published/2021/CVE-2021-47129 (renamed from cve/reserved/2021/CVE-2021-47129)0
-rw-r--r--cve/published/2021/CVE-2021-47129.json118
-rw-r--r--cve/published/2021/CVE-2021-47129.mbox98
-rw-r--r--cve/published/2021/CVE-2021-47129.sha11
-rw-r--r--cve/published/2021/CVE-2021-47130 (renamed from cve/reserved/2021/CVE-2021-47130)0
-rw-r--r--cve/published/2021/CVE-2021-47130.json103
-rw-r--r--cve/published/2021/CVE-2021-47130.mbox88
-rw-r--r--cve/published/2021/CVE-2021-47130.sha11
-rw-r--r--cve/published/2021/CVE-2021-47131 (renamed from cve/reserved/2021/CVE-2021-47131)0
-rw-r--r--cve/published/2021/CVE-2021-47131.json103
-rw-r--r--cve/published/2021/CVE-2021-47131.mbox93
-rw-r--r--cve/published/2021/CVE-2021-47131.sha11
-rw-r--r--cve/published/2021/CVE-2021-47132 (renamed from cve/reserved/2021/CVE-2021-47132)0
-rw-r--r--cve/published/2021/CVE-2021-47132.json88
-rw-r--r--cve/published/2021/CVE-2021-47132.mbox78
-rw-r--r--cve/published/2021/CVE-2021-47132.sha11
-rw-r--r--cve/published/2021/CVE-2021-47133 (renamed from cve/reserved/2021/CVE-2021-47133)0
-rw-r--r--cve/published/2021/CVE-2021-47133.json88
-rw-r--r--cve/published/2021/CVE-2021-47133.mbox92
-rw-r--r--cve/published/2021/CVE-2021-47133.sha11
-rw-r--r--cve/published/2021/CVE-2021-47134 (renamed from cve/reserved/2021/CVE-2021-47134)0
-rw-r--r--cve/published/2021/CVE-2021-47134.json103
-rw-r--r--cve/published/2021/CVE-2021-47134.mbox69
-rw-r--r--cve/published/2021/CVE-2021-47134.sha11
-rw-r--r--cve/published/2021/CVE-2021-47135 (renamed from cve/reserved/2021/CVE-2021-47135)0
-rw-r--r--cve/published/2021/CVE-2021-47135.json88
-rw-r--r--cve/published/2021/CVE-2021-47135.mbox65
-rw-r--r--cve/published/2021/CVE-2021-47135.sha11
-rw-r--r--cve/review/done/gsd-request-2021-06-15.review-fromfile-greg27
109 files changed, 5850 insertions, 0 deletions
diff --git a/cve/reserved/2021/CVE-2021-47109 b/cve/published/2021/CVE-2021-47109
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47109
+++ b/cve/published/2021/CVE-2021-47109
diff --git a/cve/published/2021/CVE-2021-47109.json b/cve/published/2021/CVE-2021-47109.json
new file mode 100644
index 00000000..802b7d04
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47109.json
@@ -0,0 +1,118 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nneighbour: allow NUD_NOARP entries to be forced GCed\n\nIFF_POINTOPOINT interfaces use NUD_NOARP entries for IPv6. It's possible to\nfill up the neighbour table with enough entries that it will overflow for\nvalid connections after that.\n\nThis behaviour is more prevalent after commit 58956317c8de (\"neighbor:\nImprove garbage collection\") is applied, as it prevents removal from\nentries that are not NUD_FAILED, unless they are more than 5s old."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "58956317c8de",
+ "lessThan": "d99029e6aab6",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "58956317c8de",
+ "lessThan": "d17d47da59f7",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "58956317c8de",
+ "lessThan": "ddf088d7aaaa",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "58956317c8de",
+ "lessThan": "7a6b1ab7475f",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.0",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.0",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.125",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.43",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.12.10",
+ "lessThanOrEqual": "5.12.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.13",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/d99029e6aab62aef0a0251588b2867e77e83b137"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/d17d47da59f726dc4c87caebda3a50333d7e2fd3"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/ddf088d7aaaaacfc836104f2e632b29b1d383cfc"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/7a6b1ab7475fd6478eeaf5c9d1163e7a18125c8f"
+ }
+ ],
+ "title": "neighbour: allow NUD_NOARP entries to be forced GCed",
+ "x_generator": {
+ "engine": "bippy-8df59b4913de"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47109",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2021/CVE-2021-47109.mbox b/cve/published/2021/CVE-2021-47109.mbox
new file mode 100644
index 00000000..eb4b632f
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47109.mbox
@@ -0,0 +1,74 @@
+From bippy-8df59b4913de Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47109: neighbour: allow NUD_NOARP entries to be forced GCed
+Message-Id: <2024031558-CVE-2021-47109-5bde@gregkh>
+Content-Length: 2321
+Lines: 57
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2379;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=EXVZdCrElRHfNVvB32S+ww/BRaiOyVwV0C7Cujg9KbQ=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDKlf1jhdOFWmo9I2+6gY6z6zWL21KbY+uaY/57TclCsQD
+ r5jPoe5I5aFQZCJQVZMkeXLNp6j+ysOKXoZ2p6GmcPKBDKEgYtTACbC/5xhfqqvfsFF11oLgY9V
+ RTXx/5obDFffYZhn8VbHeWUH78tjS1zlA9vmRf2Oa6gEAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+neighbour: allow NUD_NOARP entries to be forced GCed
+
+IFF_POINTOPOINT interfaces use NUD_NOARP entries for IPv6. It's possible to
+fill up the neighbour table with enough entries that it will overflow for
+valid connections after that.
+
+This behaviour is more prevalent after commit 58956317c8de ("neighbor:
+Improve garbage collection") is applied, as it prevents removal from
+entries that are not NUD_FAILED, unless they are more than 5s old.
+
+The Linux kernel CVE team has assigned CVE-2021-47109 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.0 with commit 58956317c8de and fixed in 5.4.125 with commit d99029e6aab6
+ Issue introduced in 5.0 with commit 58956317c8de and fixed in 5.10.43 with commit d17d47da59f7
+ Issue introduced in 5.0 with commit 58956317c8de and fixed in 5.12.10 with commit ddf088d7aaaa
+ Issue introduced in 5.0 with commit 58956317c8de and fixed in 5.13 with commit 7a6b1ab7475f
+
+Please see https://www.kernel.org or a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47109
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ net/core/neighbour.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/d99029e6aab62aef0a0251588b2867e77e83b137
+ https://git.kernel.org/stable/c/d17d47da59f726dc4c87caebda3a50333d7e2fd3
+ https://git.kernel.org/stable/c/ddf088d7aaaaacfc836104f2e632b29b1d383cfc
+ https://git.kernel.org/stable/c/7a6b1ab7475fd6478eeaf5c9d1163e7a18125c8f
diff --git a/cve/published/2021/CVE-2021-47109.sha1 b/cve/published/2021/CVE-2021-47109.sha1
new file mode 100644
index 00000000..50d44633
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47109.sha1
@@ -0,0 +1 @@
+7a6b1ab7475fd6478eeaf5c9d1163e7a18125c8f
diff --git a/cve/reserved/2021/CVE-2021-47110 b/cve/published/2021/CVE-2021-47110
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47110
+++ b/cve/published/2021/CVE-2021-47110
diff --git a/cve/published/2021/CVE-2021-47110.json b/cve/published/2021/CVE-2021-47110.json
new file mode 100644
index 00000000..2ba93ff0
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47110.json
@@ -0,0 +1,108 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/kvm: Disable kvmclock on all CPUs on shutdown\n\nCurrenly, we disable kvmclock from machine_shutdown() hook and this\nonly happens for boot CPU. We need to disable it for all CPUs to\nguard against memory corruption e.g. on restore from hibernate.\n\nNote, writing '0' to kvmclock MSR doesn't clear memory location, it\njust prevents hypervisor from updating the location so for the short\nwhile after write and while CPU is still alive, the clock remains usable\nand correct so we don't need to switch to some other clocksource."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "9084fe1b3572",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "3b0becf8b1ec",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "1df2dc09926f",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "c02027b5742b",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.4.125",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.43",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.12.10",
+ "lessThanOrEqual": "5.12.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.13",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/9084fe1b3572664ad276f427dce575f580c9799a"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/3b0becf8b1ecf642a9edaf4c9628ffc641e490d6"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/1df2dc09926f61319116c80ee85701df33577d70"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/c02027b5742b5aa804ef08a4a9db433295533046"
+ }
+ ],
+ "title": "x86/kvm: Disable kvmclock on all CPUs on shutdown",
+ "x_generator": {
+ "engine": "bippy-8df59b4913de"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47110",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
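Review bot: No introducing commit is recorded for this entry: all four git ranges start at `1da177e4c3f4` (presumably the start of the repository history), and the second `affected` block has `"defaultStatus": "affected"` with no lower-bound version, which matches the announcement listing only `Fixed in` lines. A consumer matching on this record will therefore treat every kernel older than the listed fixed releases as affected. If the commit that introduced the behaviour can be identified, record it as the `version` of the git ranges and add a `"status": "unaffected"` entry with `"lessThan"` for the release it landed in, as the CVE-2021-47109 record does. CVE-2021-47112.json has the same shape.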
diff --git a/cve/published/2021/CVE-2021-47110.mbox b/cve/published/2021/CVE-2021-47110.mbox
new file mode 100644
index 00000000..508fd46f
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47110.mbox
@@ -0,0 +1,77 @@
+From bippy-8df59b4913de Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47110: x86/kvm: Disable kvmclock on all CPUs on shutdown
+Message-Id: <2024031506-CVE-2021-47110-2cb8@gregkh>
+Content-Length: 2254
+Lines: 60
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2315;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=MRogQqfdQio3/6/EWqFi0gCfWbHt7zl9YNTte3ZTLUM=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDKlf1nh19XEeiOU8xbhK9ul5Jq7ch2I2bAIJQnMjrtu7t
+ FjV9fR3xLIwCDIxyIopsnzZxnN0f8UhRS9D29Mwc1iZQIYwcHEKwEQOdDMsWBl3JtC1mN9E/wRf
+ qsfuZ5PuzDs2m2HBKe2MP7LuB612zSjT+fVq0n8uCbcYAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+x86/kvm: Disable kvmclock on all CPUs on shutdown
+
+Currenly, we disable kvmclock from machine_shutdown() hook and this
+only happens for boot CPU. We need to disable it for all CPUs to
+guard against memory corruption e.g. on restore from hibernate.
+
+Note, writing '0' to kvmclock MSR doesn't clear memory location, it
+just prevents hypervisor from updating the location so for the short
+while after write and while CPU is still alive, the clock remains usable
+and correct so we don't need to switch to some other clocksource.
+
+The Linux kernel CVE team has assigned CVE-2021-47110 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 5.4.125 with commit 9084fe1b3572
+ Fixed in 5.10.43 with commit 3b0becf8b1ec
+ Fixed in 5.12.10 with commit 1df2dc09926f
+ Fixed in 5.13 with commit c02027b5742b
+
+Please see https://www.kernel.org or a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47110
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ arch/x86/include/asm/kvm_para.h
+ arch/x86/kernel/kvm.c
+ arch/x86/kernel/kvmclock.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/9084fe1b3572664ad276f427dce575f580c9799a
+ https://git.kernel.org/stable/c/3b0becf8b1ecf642a9edaf4c9628ffc641e490d6
+ https://git.kernel.org/stable/c/1df2dc09926f61319116c80ee85701df33577d70
+ https://git.kernel.org/stable/c/c02027b5742b5aa804ef08a4a9db433295533046
diff --git a/cve/published/2021/CVE-2021-47110.sha1 b/cve/published/2021/CVE-2021-47110.sha1
new file mode 100644
index 00000000..3d0cd0f0
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47110.sha1
@@ -0,0 +1 @@
+c02027b5742b5aa804ef08a4a9db433295533046
diff --git a/cve/reserved/2021/CVE-2021-47111 b/cve/published/2021/CVE-2021-47111
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47111
+++ b/cve/published/2021/CVE-2021-47111
diff --git a/cve/published/2021/CVE-2021-47111.json b/cve/published/2021/CVE-2021-47111.json
new file mode 100644
index 00000000..ec4e414c
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47111.json
@@ -0,0 +1,103 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen-netback: take a reference to the RX task thread\n\nDo this in order to prevent the task from being freed if the thread\nreturns (which can be triggered by the frontend) before the call to\nkthread_stop done as part of the backend tear down. Not taking the\nreference will lead to a use-after-free in that scenario. Such\nreference was taken before but dropped as part of the rework done in\n2ac061ce97f4.\n\nReintroduce the reference taking and add a comment this time\nexplaining why it's needed.\n\nThis is XSA-374 / CVE-2021-28691."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "2ac061ce97f4",
+ "lessThan": "6b53db8c4c14",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "2ac061ce97f4",
+ "lessThan": "caec9bcaeb1a",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "2ac061ce97f4",
+ "lessThan": "107866a8eb0b",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.5",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.5",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.43",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.12.10",
+ "lessThanOrEqual": "5.12.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.13",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/6b53db8c4c14b4e7256f058d202908b54a7b85b4"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/caec9bcaeb1a5f03f2d406305355c853af10c13e"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/107866a8eb0b664675a260f1ba0655010fac1e08"
+ }
+ ],
+ "title": "xen-netback: take a reference to the RX task thread",
+ "x_generator": {
+ "engine": "bippy-8df59b4913de"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47111",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
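Review bot: The text in `descriptions[0].value` ends with `This is XSA-374 / CVE-2021-28691.`, so by its own wording this issue already carries a CVE ID, and publishing CVE-2021-47111 for it looks like a duplicate assignment. The same sentence appears in the CVE-2021-47111.mbox announcement that follows. Before this is published, compare it with the existing CVE-2021-28691 record; if that record covers the same xen-netback use-after-free, this entry should be rejected rather than moved to `cve/published/`, so that downstream trackers do not count one fix under two IDs.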
diff --git a/cve/published/2021/CVE-2021-47111.mbox b/cve/published/2021/CVE-2021-47111.mbox
new file mode 100644
index 00000000..ef529793
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47111.mbox
@@ -0,0 +1,76 @@
+From bippy-8df59b4913de Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47111: xen-netback: take a reference to the RX task thread
+Message-Id: <2024031506-CVE-2021-47111-4bd0@gregkh>
+Content-Length: 2251
+Lines: 59
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2311;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=UMliAEtAOmkZjtgZuTKsjs81it66uE0o9Z8QO/GQROU=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDKlf1nip7r9XOv/Q6q9SHJpLfmzSkpnz88bE5hMbeScrH
+ 2C+wHd2V0csC4MgE4OsmCLLl208R/dXHFL0MrQ9DTOHlQlkCAMXpwBMxD6XYQ7fSonTXlcYRTas
+ lL++82Xh5ht2KqwMC+YbHzH4/kLkQI7k5BUyJ2oPqVsangUA
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+xen-netback: take a reference to the RX task thread
+
+Do this in order to prevent the task from being freed if the thread
+returns (which can be triggered by the frontend) before the call to
+kthread_stop done as part of the backend tear down. Not taking the
+reference will lead to a use-after-free in that scenario. Such
+reference was taken before but dropped as part of the rework done in
+2ac061ce97f4.
+
+Reintroduce the reference taking and add a comment this time
+explaining why it's needed.
+
+This is XSA-374 / CVE-2021-28691.
+
+The Linux kernel CVE team has assigned CVE-2021-47111 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.5 with commit 2ac061ce97f4 and fixed in 5.10.43 with commit 6b53db8c4c14
+ Issue introduced in 5.5 with commit 2ac061ce97f4 and fixed in 5.12.10 with commit caec9bcaeb1a
+ Issue introduced in 5.5 with commit 2ac061ce97f4 and fixed in 5.13 with commit 107866a8eb0b
+
+Please see https://www.kernel.org or a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47111
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/net/xen-netback/interface.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/6b53db8c4c14b4e7256f058d202908b54a7b85b4
+ https://git.kernel.org/stable/c/caec9bcaeb1a5f03f2d406305355c853af10c13e
+ https://git.kernel.org/stable/c/107866a8eb0b664675a260f1ba0655010fac1e08
diff --git a/cve/published/2021/CVE-2021-47111.sha1 b/cve/published/2021/CVE-2021-47111.sha1
new file mode 100644
index 00000000..c2fff5b1
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47111.sha1
@@ -0,0 +1 @@
+107866a8eb0b664675a260f1ba0655010fac1e08
diff --git a/cve/reserved/2021/CVE-2021-47112 b/cve/published/2021/CVE-2021-47112
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47112
+++ b/cve/published/2021/CVE-2021-47112
diff --git a/cve/published/2021/CVE-2021-47112.json b/cve/published/2021/CVE-2021-47112.json
new file mode 100644
index 00000000..32e14707
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47112.json
@@ -0,0 +1,108 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/kvm: Teardown PV features on boot CPU as well\n\nVarious PV features (Async PF, PV EOI, steal time) work through memory\nshared with hypervisor and when we restore from hibernation we must\nproperly teardown all these features to make sure hypervisor doesn't\nwrite to stale locations after we jump to the previously hibernated kernel\n(which can try to place anything there). For secondary CPUs the job is\nalready done by kvm_cpu_down_prepare(), register syscore ops to do\nthe same for boot CPU."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "7620a669111b",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "38b858da1c58",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "d1629b5b925d",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "8b79feffeca2",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.4.125",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.43",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.12.10",
+ "lessThanOrEqual": "5.12.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.13",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/7620a669111b52f224d006dea9e1e688e2d62c54"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/38b858da1c58ad46519a257764e059e663b59ff2"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/d1629b5b925de9b27979e929dae7fcb766daf6b6"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/8b79feffeca28c5459458fe78676b081e87c93a4"
+ }
+ ],
+ "title": "x86/kvm: Teardown PV features on boot CPU as well",
+ "x_generator": {
+ "engine": "bippy-8df59b4913de"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47112",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2021/CVE-2021-47112.mbox b/cve/published/2021/CVE-2021-47112.mbox
new file mode 100644
index 00000000..e0de079c
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47112.mbox
@@ -0,0 +1,74 @@
+From bippy-8df59b4913de Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47112: x86/kvm: Teardown PV features on boot CPU as well
+Message-Id: <2024031507-CVE-2021-47112-339c@gregkh>
+Content-Length: 2163
+Lines: 57
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2221;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=K2mRXwR2ipbjmDVTwBunauYAi7jVWgkLwTzEa0K6J0M=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDKlf1njf2HHX6kueScWhpsYS0aAunoNhzwKOhlsZ6h1Ij
+ rzQwa/WEcvCIMjEICumyPJlG8/R/RWHFL0MbU/DzGFlAhnCwMUpABOpkWCY79mUMf+XaIn7sUa7
+ ErNFqU8Xn75yhmFBr/Q0832uKYtv56gWFOdbxqTx954GAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+x86/kvm: Teardown PV features on boot CPU as well
+
+Various PV features (Async PF, PV EOI, steal time) work through memory
+shared with hypervisor and when we restore from hibernation we must
+properly teardown all these features to make sure hypervisor doesn't
+write to stale locations after we jump to the previously hibernated kernel
+(which can try to place anything there). For secondary CPUs the job is
+already done by kvm_cpu_down_prepare(), register syscore ops to do
+the same for boot CPU.
+
+The Linux kernel CVE team has assigned CVE-2021-47112 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 5.4.125 with commit 7620a669111b
+ Fixed in 5.10.43 with commit 38b858da1c58
+ Fixed in 5.12.10 with commit d1629b5b925d
+ Fixed in 5.13 with commit 8b79feffeca2
+
+Please see https://www.kernel.org or a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47112
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ arch/x86/kernel/kvm.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/7620a669111b52f224d006dea9e1e688e2d62c54
+ https://git.kernel.org/stable/c/38b858da1c58ad46519a257764e059e663b59ff2
+ https://git.kernel.org/stable/c/d1629b5b925de9b27979e929dae7fcb766daf6b6
+ https://git.kernel.org/stable/c/8b79feffeca28c5459458fe78676b081e87c93a4
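Review bot: The boilerplate sentence under "Affected and fixed versions" reads `Please see https://www.kernel.org or a full list of currently supported`, where "or" looks like a typo for "for"; the same line appears in the CVE-2021-47113, CVE-2021-47114, CVE-2021-47115 and CVE-2021-47116 .mbox hunks. I would change it to `Please see https://www.kernel.org for a full list of currently supported`. Each message carries `Content-Length`, `Lines` and an `X-Developer-Signature` with a `bh=` value that presumably covers the body, so the fix belongs in the generator template and the messages should be regenerated rather than edited by hand.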
diff --git a/cve/published/2021/CVE-2021-47112.sha1 b/cve/published/2021/CVE-2021-47112.sha1
new file mode 100644
index 00000000..d01430b3
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47112.sha1
@@ -0,0 +1 @@
+8b79feffeca28c5459458fe78676b081e87c93a4
diff --git a/cve/reserved/2021/CVE-2021-47113 b/cve/published/2021/CVE-2021-47113
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47113
+++ b/cve/published/2021/CVE-2021-47113
diff --git a/cve/published/2021/CVE-2021-47113.json b/cve/published/2021/CVE-2021-47113.json
new file mode 100644
index 00000000..6f603480
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47113.json
@@ -0,0 +1,93 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: abort in rename_exchange if we fail to insert the second ref\n\nError injection stress uncovered a problem where we'd leave a dangling\ninode ref if we failed during a rename_exchange. This happens because\nwe insert the inode ref for one side of the rename, and then for the\nother side. If this second inode ref insert fails we'll leave the first\none dangling and leave a corrupt file system behind. Fix this by\naborting if we did the insert for the first inode ref."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "0df50d47d174",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "ff8de2cec65a",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "dc09ef356272",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.10.43",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.12.10",
+ "lessThanOrEqual": "5.12.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.13",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/0df50d47d17401f9f140dfbe752a65e5d72f9932"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/ff8de2cec65a8c8521faade12a31b39c80e49f5b"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/dc09ef3562726cd520c8338c1640872a60187af5"
+ }
+ ],
+ "title": "btrfs: abort in rename_exchange if we fail to insert the second ref",
+ "x_generator": {
+ "engine": "bippy-8df59b4913de"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47113",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
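Review bot: Every `git` range in the first `affected` block starts at `"version": "1da177e4c3f4"`, the root commit of the kernel's git history, so the record states no introducing commit and marks every kernel before the fix as affected. The matching .mbox confirms this: it has only "Fixed in" lines, whereas CVE-2021-47115 names `d646960f7986` / 3.3 and adds a `"version": "0", "lessThan": "3.3", "status": "unaffected"` entry. In the second block, `"defaultStatus": "affected"` with only 5.10.43, 5.12.10 and 5.13 listed also means version-based scanners will report older stable series as affected with no fix. If the introducing commit can be identified, I would use it as `"version"` and add the release-level lower bound as CVE-2021-47115.json does. The same applies to CVE-2021-47114.json, CVE-2021-47116.json and the visible tail of CVE-2021-47112.json.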
diff --git a/cve/published/2021/CVE-2021-47113.mbox b/cve/published/2021/CVE-2021-47113.mbox
new file mode 100644
index 00000000..2909e255
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47113.mbox
@@ -0,0 +1,71 @@
+From bippy-8df59b4913de Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47113: btrfs: abort in rename_exchange if we fail to insert the second ref
+Message-Id: <2024031507-CVE-2021-47113-bf29@gregkh>
+Content-Length: 2020
+Lines: 54
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2075;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=R8CyICg3LuZ1vtfy2Fjg3Xjt1JUXlJ38Td9EyJHYoNE=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDKlf1nhfZPh258sM5/sidbfS1HdwT274ybNLfaHORofD0
+ vx8JnLcHbEsDIJMDLJiiixftvEc3V9xSNHL0PY0zBxWJpAhDFycAjCR3I8MC/b3JSl4VFj2cla4
+ yD/eeYwjU0SjmWGu9JeDWf/Vghl+J3BniuUdPzm/dasyAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+btrfs: abort in rename_exchange if we fail to insert the second ref
+
+Error injection stress uncovered a problem where we'd leave a dangling
+inode ref if we failed during a rename_exchange. This happens because
+we insert the inode ref for one side of the rename, and then for the
+other side. If this second inode ref insert fails we'll leave the first
+one dangling and leave a corrupt file system behind. Fix this by
+aborting if we did the insert for the first inode ref.
+
+The Linux kernel CVE team has assigned CVE-2021-47113 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 5.10.43 with commit 0df50d47d174
+ Fixed in 5.12.10 with commit ff8de2cec65a
+ Fixed in 5.13 with commit dc09ef356272
+
+Please see https://www.kernel.org or a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47113
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ fs/btrfs/inode.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/0df50d47d17401f9f140dfbe752a65e5d72f9932
+ https://git.kernel.org/stable/c/ff8de2cec65a8c8521faade12a31b39c80e49f5b
+ https://git.kernel.org/stable/c/dc09ef3562726cd520c8338c1640872a60187af5
diff --git a/cve/published/2021/CVE-2021-47113.sha1 b/cve/published/2021/CVE-2021-47113.sha1
new file mode 100644
index 00000000..c95bc9db
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47113.sha1
@@ -0,0 +1 @@
+dc09ef3562726cd520c8338c1640872a60187af5
diff --git a/cve/reserved/2021/CVE-2021-47114 b/cve/published/2021/CVE-2021-47114
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47114
+++ b/cve/published/2021/CVE-2021-47114
diff --git a/cve/published/2021/CVE-2021-47114.json b/cve/published/2021/CVE-2021-47114.json
new file mode 100644
index 00000000..e8926369
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47114.json
@@ -0,0 +1,168 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix data corruption by fallocate\n\nWhen fallocate punches holes out of inode size, if original isize is in\nthe middle of last cluster, then the part from isize to the end of the\ncluster will be zeroed with buffer write, at that time isize is not yet\nupdated to match the new size, if writeback is kicked in, it will invoke\nocfs2_writepage()->block_write_full_page() where the pages out of inode\nsize will be dropped. That will cause file corruption. Fix this by\nzero out eof blocks when extending the inode size.\n\nRunning the following command with qemu-image 4.2.1 can get a corrupted\ncoverted image file easily.\n\n qemu-img convert -p -t none -T none -f qcow2 $qcow_image \\\n -O qcow2 -o compat=1.1 $qcow_image.conv\n\nThe usage of fallocate in qemu is like this, it first punches holes out\nof inode size, then extend the inode size.\n\n fallocate(11, FALLOC_FL_KEEP_SIZE|FALLOC_FL_PUNCH_HOLE, 2276196352, 65536) = 0\n fallocate(11, 0, 2276196352, 65536) = 0\n\nv1: https://www.spinics.net/lists/linux-fsdevel/msg193999.html\nv2: https://lore.kernel.org/linux-fsdevel/20210525093034.GB4112@quack2.suse.cz/T/"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "624fa7baa378",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "33e03adafb29",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "a1700479524b",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "cec4e857ffaa",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "cc2edb99ea60",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "c8d5faee4624",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "0a31dd6fd2f4",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "6bba4471f0cc",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "4.4.272",
+ "lessThanOrEqual": "4.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.9.272",
+ "lessThanOrEqual": "4.9.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.14.236",
+ "lessThanOrEqual": "4.14.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.19.194",
+ "lessThanOrEqual": "4.19.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.125",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.43",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.12.10",
+ "lessThanOrEqual": "5.12.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.13",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/624fa7baa3788dc9e57840ba5b94bc22b03cda57"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/33e03adafb29eedae1bae9cdb50c1385279fcf65"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/a1700479524bb9cb5e8ae720236a6fabd003acae"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/cec4e857ffaa8c447f51cd8ab4e72350077b6770"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/cc2edb99ea606a45182b5ea38cc8f4e583aa0774"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/c8d5faee46242c3f33b8a71a4d7d52214785bfcc"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/0a31dd6fd2f4e7db538fb6eb1f06973d81f8dd3b"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/6bba4471f0cc1296fe3c2089b9e52442d3074b2e"
+ }
+ ],
+ "title": "ocfs2: fix data corruption by fallocate",
+ "x_generator": {
+ "engine": "bippy-8df59b4913de"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47114",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2021/CVE-2021-47114.mbox b/cve/published/2021/CVE-2021-47114.mbox
new file mode 100644
index 00000000..999fce2e
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47114.mbox
@@ -0,0 +1,97 @@
+From bippy-8df59b4913de Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47114: ocfs2: fix data corruption by fallocate
+Message-Id: <2024031507-CVE-2021-47114-6af8@gregkh>
+Content-Length: 3261
+Lines: 80
+X-Developer-Signature: v=1; a=openpgp-sha256; l=3342;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=AHLefo1BQDELifwHnM3VhW57qEtSoQAmrACHqSes1tY=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDKlf1njXLdolqOXsk+zeFuk2df6fP8dZMk3fTru6Ne3os
+ qWLL0zk74hlYRBkYpAVU2T5so3n6P6KQ4pehranYeawMoEMYeDiFICJ2OUyzGb/372asSK+ynPb
+ vU/5341vOebeL2ZYcPyHX37c/IKJ0xee6pX67P9+rWvqTQA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+ocfs2: fix data corruption by fallocate
+
+When fallocate punches holes out of inode size, if original isize is in
+the middle of last cluster, then the part from isize to the end of the
+cluster will be zeroed with buffer write, at that time isize is not yet
+updated to match the new size, if writeback is kicked in, it will invoke
+ocfs2_writepage()->block_write_full_page() where the pages out of inode
+size will be dropped. That will cause file corruption. Fix this by
+zero out eof blocks when extending the inode size.
+
+Running the following command with qemu-image 4.2.1 can get a corrupted
+coverted image file easily.
+
+ qemu-img convert -p -t none -T none -f qcow2 $qcow_image \
+ -O qcow2 -o compat=1.1 $qcow_image.conv
+
+The usage of fallocate in qemu is like this, it first punches holes out
+of inode size, then extend the inode size.
+
+ fallocate(11, FALLOC_FL_KEEP_SIZE|FALLOC_FL_PUNCH_HOLE, 2276196352, 65536) = 0
+ fallocate(11, 0, 2276196352, 65536) = 0
+
+v1: https://www.spinics.net/lists/linux-fsdevel/msg193999.html
+v2: https://lore.kernel.org/linux-fsdevel/20210525093034.GB4112@quack2.suse.cz/T/
+
+The Linux kernel CVE team has assigned CVE-2021-47114 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 4.4.272 with commit 624fa7baa378
+ Fixed in 4.9.272 with commit 33e03adafb29
+ Fixed in 4.14.236 with commit a1700479524b
+ Fixed in 4.19.194 with commit cec4e857ffaa
+ Fixed in 5.4.125 with commit cc2edb99ea60
+ Fixed in 5.10.43 with commit c8d5faee4624
+ Fixed in 5.12.10 with commit 0a31dd6fd2f4
+ Fixed in 5.13 with commit 6bba4471f0cc
+
+Please see https://www.kernel.org or a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47114
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ fs/ocfs2/file.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/624fa7baa3788dc9e57840ba5b94bc22b03cda57
+ https://git.kernel.org/stable/c/33e03adafb29eedae1bae9cdb50c1385279fcf65
+ https://git.kernel.org/stable/c/a1700479524bb9cb5e8ae720236a6fabd003acae
+ https://git.kernel.org/stable/c/cec4e857ffaa8c447f51cd8ab4e72350077b6770
+ https://git.kernel.org/stable/c/cc2edb99ea606a45182b5ea38cc8f4e583aa0774
+ https://git.kernel.org/stable/c/c8d5faee46242c3f33b8a71a4d7d52214785bfcc
+ https://git.kernel.org/stable/c/0a31dd6fd2f4e7db538fb6eb1f06973d81f8dd3b
+ https://git.kernel.org/stable/c/6bba4471f0cc1296fe3c2089b9e52442d3074b2e
diff --git a/cve/published/2021/CVE-2021-47114.sha1 b/cve/published/2021/CVE-2021-47114.sha1
new file mode 100644
index 00000000..c43fd788
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47114.sha1
@@ -0,0 +1 @@
+6bba4471f0cc1296fe3c2089b9e52442d3074b2e
diff --git a/cve/reserved/2021/CVE-2021-47115 b/cve/published/2021/CVE-2021-47115
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47115
+++ b/cve/published/2021/CVE-2021-47115
diff --git a/cve/published/2021/CVE-2021-47115.json b/cve/published/2021/CVE-2021-47115.json
new file mode 100644
index 00000000..7d657754
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47115.json
@@ -0,0 +1,178 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: fix NULL ptr dereference in llcp_sock_getname() after failed connect\n\nIt's possible to trigger NULL pointer dereference by local unprivileged\nuser, when calling getsockname() after failed bind() (e.g. the bind\nfails because LLCP_SAP_MAX used as SAP):\n\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n CPU: 1 PID: 426 Comm: llcp_sock_getna Not tainted 5.13.0-rc2-next-20210521+ #9\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1 04/01/2014\n Call Trace:\n llcp_sock_getname+0xb1/0xe0\n __sys_getpeername+0x95/0xc0\n ? lockdep_hardirqs_on_prepare+0xd5/0x180\n ? syscall_enter_from_user_mode+0x1c/0x40\n __x64_sys_getpeername+0x11/0x20\n do_syscall_64+0x36/0x70\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nThis can be reproduced with Syzkaller C repro (bind followed by\ngetpeername):\nhttps://syzkaller.appspot.com/x/repro.c?x=14def446e00000"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "d646960f7986",
+ "lessThan": "eb6875d48590",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "d646960f7986",
+ "lessThan": "39c15bd2e5d1",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "d646960f7986",
+ "lessThan": "ffff05b9ee5c",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "d646960f7986",
+ "lessThan": "93e4ac2a9979",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "d646960f7986",
+ "lessThan": "5d4c4b06ed9f",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "d646960f7986",
+ "lessThan": "48ee0db61c82",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "d646960f7986",
+ "lessThan": "0c4559736d9a",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "d646960f7986",
+ "lessThan": "4ac06a1e013c",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "3.3",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "3.3",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.4.272",
+ "lessThanOrEqual": "4.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.9.272",
+ "lessThanOrEqual": "4.9.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.14.236",
+ "lessThanOrEqual": "4.14.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.19.194",
+ "lessThanOrEqual": "4.19.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.125",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.43",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.12.10",
+ "lessThanOrEqual": "5.12.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.13",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/eb6875d48590d8e564092e831ff07fa384d7e477"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/39c15bd2e5d11bcf7f4c3dba2aad9e1e110a5d94"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/ffff05b9ee5c74c04bba2801c1f99b31975d74d9"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/93e4ac2a9979a9a4ecc158409ed9c3044dc0ae1f"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/5d4c4b06ed9fb7a69d0b2e2a73fc73226d25ab70"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/48ee0db61c8299022ec88c79ad137f290196cac2"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/0c4559736d9a4ec1ca58ba98ca34e7c4da4c422b"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/4ac06a1e013cf5fdd963317ffd3b968560f33bba"
+ }
+ ],
+ "title": "nfc: fix NULL ptr dereference in llcp_sock_getname() after failed connect",
+ "x_generator": {
+ "engine": "bippy-8df59b4913de"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47115",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
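Review bot: The `descriptions[0].value` text and the `title` name three different calls for the same trigger, which makes the record harder to triage. The title says "after failed connect", the first sentence says `calling getsockname() after failed bind()`, and the call trace (`__sys_getpeername`, `__x64_sys_getpeername`) and the closing sentence say "bind followed by getpeername". The text appears to be copied verbatim from the upstream commit message, so the mismatch is likely inherited. The CVE description could still be made consistent, for example `when calling getpeername() after a failed bind()`, once confirmed against the fix in net/nfc/llcp_sock.c. The .mbox hunk for this CVE carries the same text.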
diff --git a/cve/published/2021/CVE-2021-47115.mbox b/cve/published/2021/CVE-2021-47115.mbox
new file mode 100644
index 00000000..516c586e
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47115.mbox
@@ -0,0 +1,94 @@
+From bippy-8df59b4913de Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47115: nfc: fix NULL ptr dereference in llcp_sock_getname() after failed connect
+Message-Id: <2024031508-CVE-2021-47115-9715@gregkh>
+Content-Length: 3452
+Lines: 77
+X-Developer-Signature: v=1; a=openpgp-sha256; l=3530;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=dUgshrAF99M3jRSvJmYFDWtEeKOBjyPGTmyL8jEyQWg=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDKlf1vhMSvdg4Dz+el/9+iUbw54byWXlyF3SadpxpeWl/
+ HOxvy2+HbEsDIJMDLJiiixftvEc3V9xSNHL0PY0zBxWJpAhDFycAjCRv+UM80w6S37fiNxlO/NH
+ 3aKl2aK8p3dF/WBYMP3GwkzHiTfKlGO0OGwCll78lNwaAQA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+nfc: fix NULL ptr dereference in llcp_sock_getname() after failed connect
+
+It's possible to trigger NULL pointer dereference by local unprivileged
+user, when calling getsockname() after failed bind() (e.g. the bind
+fails because LLCP_SAP_MAX used as SAP):
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000000
+ CPU: 1 PID: 426 Comm: llcp_sock_getna Not tainted 5.13.0-rc2-next-20210521+ #9
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1 04/01/2014
+ Call Trace:
+ llcp_sock_getname+0xb1/0xe0
+ __sys_getpeername+0x95/0xc0
+ ? lockdep_hardirqs_on_prepare+0xd5/0x180
+ ? syscall_enter_from_user_mode+0x1c/0x40
+ __x64_sys_getpeername+0x11/0x20
+ do_syscall_64+0x36/0x70
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+This can be reproduced with Syzkaller C repro (bind followed by
+getpeername):
+https://syzkaller.appspot.com/x/repro.c?x=14def446e00000
+
+The Linux kernel CVE team has assigned CVE-2021-47115 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 3.3 with commit d646960f7986 and fixed in 4.4.272 with commit eb6875d48590
+ Issue introduced in 3.3 with commit d646960f7986 and fixed in 4.9.272 with commit 39c15bd2e5d1
+ Issue introduced in 3.3 with commit d646960f7986 and fixed in 4.14.236 with commit ffff05b9ee5c
+ Issue introduced in 3.3 with commit d646960f7986 and fixed in 4.19.194 with commit 93e4ac2a9979
+ Issue introduced in 3.3 with commit d646960f7986 and fixed in 5.4.125 with commit 5d4c4b06ed9f
+ Issue introduced in 3.3 with commit d646960f7986 and fixed in 5.10.43 with commit 48ee0db61c82
+ Issue introduced in 3.3 with commit d646960f7986 and fixed in 5.12.10 with commit 0c4559736d9a
+ Issue introduced in 3.3 with commit d646960f7986 and fixed in 5.13 with commit 4ac06a1e013c
+
+Please see https://www.kernel.org or a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47115
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ net/nfc/llcp_sock.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/eb6875d48590d8e564092e831ff07fa384d7e477
+ https://git.kernel.org/stable/c/39c15bd2e5d11bcf7f4c3dba2aad9e1e110a5d94
+ https://git.kernel.org/stable/c/ffff05b9ee5c74c04bba2801c1f99b31975d74d9
+ https://git.kernel.org/stable/c/93e4ac2a9979a9a4ecc158409ed9c3044dc0ae1f
+ https://git.kernel.org/stable/c/5d4c4b06ed9fb7a69d0b2e2a73fc73226d25ab70
+ https://git.kernel.org/stable/c/48ee0db61c8299022ec88c79ad137f290196cac2
+ https://git.kernel.org/stable/c/0c4559736d9a4ec1ca58ba98ca34e7c4da4c422b
+ https://git.kernel.org/stable/c/4ac06a1e013cf5fdd963317ffd3b968560f33bba
diff --git a/cve/published/2021/CVE-2021-47115.sha1 b/cve/published/2021/CVE-2021-47115.sha1
new file mode 100644
index 00000000..1a2608f8
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47115.sha1
@@ -0,0 +1 @@
+4ac06a1e013cf5fdd963317ffd3b968560f33bba
diff --git a/cve/reserved/2021/CVE-2021-47116 b/cve/published/2021/CVE-2021-47116
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47116
+++ b/cve/published/2021/CVE-2021-47116
diff --git a/cve/published/2021/CVE-2021-47116.json b/cve/published/2021/CVE-2021-47116.json
new file mode 100644
index 00000000..b93d2dae
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47116.json
@@ -0,0 +1,93 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix memory leak in ext4_mb_init_backend on error path.\n\nFix a memory leak discovered by syzbot when a file system is corrupted\nwith an illegally large s_log_groups_per_flex."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "2050c6e5b161",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "04fb2baa0b14",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "a8867f4e3809",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.10.43",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.12.10",
+ "lessThanOrEqual": "5.12.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.13",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/2050c6e5b161e5e25ce3c420fef58b24fa388a49"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/04fb2baa0b147f51db065a1b13a11954abe592d0"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/a8867f4e3809050571c98de7a2d465aff5e4daf5"
+ }
+ ],
+ "title": "ext4: fix memory leak in ext4_mb_init_backend on error path.",
+ "x_generator": {
+ "engine": "bippy-8df59b4913de"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47116",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2021/CVE-2021-47116.mbox b/cve/published/2021/CVE-2021-47116.mbox
new file mode 100644
index 00000000..1a8d05c5
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47116.mbox
@@ -0,0 +1,67 @@
+From bippy-8df59b4913de Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47116: ext4: fix memory leak in ext4_mb_init_backend on error path.
+Message-Id: <2024031508-CVE-2021-47116-8383@gregkh>
+Content-Length: 1727
+Lines: 50
+X-Developer-Signature: v=1; a=openpgp-sha256; l=1778;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=bf+ai+vx2MDTMtDh44UqyHRrVEzxTM/e0LHDxazIdIE=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDKlf1vjMupzfnN6+bb2GZNC0aRrJjmdbGJZv2qJ55knHs
+ pAIVZ2dHbEsDIJMDLJiiixftvEc3V9xSNHL0PY0zBxWJpAhDFycAjARsW6GueJ856at1dqtf6WB
+ e/KH3d0S+zPmsTEs2LJD02Tnqv3lH89EnS6svfEi0PnndgA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+ext4: fix memory leak in ext4_mb_init_backend on error path.
+
+Fix a memory leak discovered by syzbot when a file system is corrupted
+with an illegally large s_log_groups_per_flex.
+
+The Linux kernel CVE team has assigned CVE-2021-47116 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 5.10.43 with commit 2050c6e5b161
+ Fixed in 5.12.10 with commit 04fb2baa0b14
+ Fixed in 5.13 with commit a8867f4e3809
+
+Please see https://www.kernel.org or a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47116
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ fs/ext4/mballoc.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/2050c6e5b161e5e25ce3c420fef58b24fa388a49
+ https://git.kernel.org/stable/c/04fb2baa0b147f51db065a1b13a11954abe592d0
+ https://git.kernel.org/stable/c/a8867f4e3809050571c98de7a2d465aff5e4daf5
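Review bot: The "Affected and fixed versions" list has only `Fixed in …` lines and never says that no introducing commit was identified, so a reader cannot tell whether stable branches without a listed fix are unaffected or simply unfixed. The companion JSON record sets `"defaultStatus": "affected"` for release versions, which implies the latter; I would add a line after the list such as `The commit that introduced this issue was not identified; branches with no fix listed above should be treated as affected.` The CVE-2021-47117 announcement has the same gap. Separately, `Please see https://www.kernel.org or a full list` should read `for a full list`, and that sentence is repeated in the CVE-2021-47117 and CVE-2021-47118 announcements. The body appears to be covered by the `bh=` hash in `X-Developer-Signature`, so both changes belong in the generator template rather than in the published files.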
diff --git a/cve/published/2021/CVE-2021-47116.sha1 b/cve/published/2021/CVE-2021-47116.sha1
new file mode 100644
index 00000000..7500b783
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47116.sha1
@@ -0,0 +1 @@
+a8867f4e3809050571c98de7a2d465aff5e4daf5
diff --git a/cve/reserved/2021/CVE-2021-47117 b/cve/published/2021/CVE-2021-47117
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47117
+++ b/cve/published/2021/CVE-2021-47117
diff --git a/cve/published/2021/CVE-2021-47117.json b/cve/published/2021/CVE-2021-47117.json
new file mode 100644
index 00000000..07eeef90
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47117.json
@@ -0,0 +1,168 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix bug on in ext4_es_cache_extent as ext4_split_extent_at failed\n\nWe got follow bug_on when run fsstress with injecting IO fault:\n[130747.323114] kernel BUG at fs/ext4/extents_status.c:762!\n[130747.323117] Internal error: Oops - BUG: 0 [#1] SMP\n......\n[130747.334329] Call trace:\n[130747.334553] ext4_es_cache_extent+0x150/0x168 [ext4]\n[130747.334975] ext4_cache_extents+0x64/0xe8 [ext4]\n[130747.335368] ext4_find_extent+0x300/0x330 [ext4]\n[130747.335759] ext4_ext_map_blocks+0x74/0x1178 [ext4]\n[130747.336179] ext4_map_blocks+0x2f4/0x5f0 [ext4]\n[130747.336567] ext4_mpage_readpages+0x4a8/0x7a8 [ext4]\n[130747.336995] ext4_readpage+0x54/0x100 [ext4]\n[130747.337359] generic_file_buffered_read+0x410/0xae8\n[130747.337767] generic_file_read_iter+0x114/0x190\n[130747.338152] ext4_file_read_iter+0x5c/0x140 [ext4]\n[130747.338556] __vfs_read+0x11c/0x188\n[130747.338851] vfs_read+0x94/0x150\n[130747.339110] ksys_read+0x74/0xf0\n\nThis patch's modification is according to Jan Kara's suggestion in:\nhttps://patchwork.ozlabs.org/project/linux-ext4/patch/20210428085158.3728201-1-yebin10@huawei.com/\n\"I see. Now I understand your patch. Honestly, seeing how fragile is trying\nto fix extent tree after split has failed in the middle, I would probably\ngo even further and make sure we fix the tree properly in case of ENOSPC\nand EDQUOT (those are easily user triggerable). Anything else indicates a\nHW problem or fs corruption so I'd rather leave the extent tree as is and\ndon't try to fix it (which also means we will not create overlapping\nextents).\""
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "e33bafad30d3",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "5b3a9a2be594",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "d8116743ef54",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "569496aa3776",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "920697b004e4",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "d3b668b96ad3",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "48105dc98c9c",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "082cd4ec240b",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "4.4.272",
+ "lessThanOrEqual": "4.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.9.272",
+ "lessThanOrEqual": "4.9.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.14.236",
+ "lessThanOrEqual": "4.14.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.19.194",
+ "lessThanOrEqual": "4.19.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.125",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.43",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.12.10",
+ "lessThanOrEqual": "5.12.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.13",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/e33bafad30d34cfa5e9787cb099cab05e2677fcb"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/5b3a9a2be59478b013a430ac57b0f3d65471b071"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/d8116743ef5432336289256b2f7c117299213eb9"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/569496aa3776eea1ff0d49d0174ac1b7e861e107"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/920697b004e49cb026e2e15fe91be065bf0741b7"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/d3b668b96ad3192c0581a248ae2f596cd054792a"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/48105dc98c9ca35af418746277b087cb2bc6df7c"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/082cd4ec240b8734a82a89ffb890216ac98fec68"
+ }
+ ],
+ "title": "ext4: fix bug on in ext4_es_cache_extent as ext4_split_extent_at failed",
+ "x_generator": {
+ "engine": "bippy-8df59b4913de"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47117",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
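Review bot: All eight `git` ranges in `affected` start at `1da177e4c3f4`, the root commit of the kernel's git history, so the record expresses "introducing commit unknown" as "affected since the beginning of history". A consumer cannot tell this apart from a bug that really dates from that commit, and version matching will flag every build older than the listed fixes. CVE-2021-47118.json in the same commit shows the alternative: a real introducing commit plus an explicit `"version": "2.6.19", "status": "affected"` entry. If the origin is not known here, I would state that in the description, for example `The commit that introduced this issue has not been identified.`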
diff --git a/cve/published/2021/CVE-2021-47117.mbox b/cve/published/2021/CVE-2021-47117.mbox
new file mode 100644
index 00000000..67351347
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47117.mbox
@@ -0,0 +1,103 @@
+From bippy-8df59b4913de Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47117: ext4: fix bug on in ext4_es_cache_extent as ext4_split_extent_at failed
+Message-Id: <2024031508-CVE-2021-47117-5ea7@gregkh>
+Content-Length: 3695
+Lines: 86
+X-Developer-Signature: v=1; a=openpgp-sha256; l=3782;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=YHSQ2lJMGVu9yuKdgv+axNeHJqRlncMSyXGRECvziN8=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDKlf1vjy7RKOivnhZn6q9rPRvoi+CbEbJtucrWOXMTeZq
+ P3Mfs6FjlgWBkEmBlkxRZYv23iO7q84pOhlaHsaZg4rE8gQBi5OAZhItwjDgiVpYXLMIe9XGU5U
+ Tn7m7fp5/0GnFIb5vnMXrdmx0CW9813l9mAJE6+4kpc3AA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+ext4: fix bug on in ext4_es_cache_extent as ext4_split_extent_at failed
+
+We got follow bug_on when run fsstress with injecting IO fault:
+[130747.323114] kernel BUG at fs/ext4/extents_status.c:762!
+[130747.323117] Internal error: Oops - BUG: 0 [#1] SMP
+......
+[130747.334329] Call trace:
+[130747.334553] ext4_es_cache_extent+0x150/0x168 [ext4]
+[130747.334975] ext4_cache_extents+0x64/0xe8 [ext4]
+[130747.335368] ext4_find_extent+0x300/0x330 [ext4]
+[130747.335759] ext4_ext_map_blocks+0x74/0x1178 [ext4]
+[130747.336179] ext4_map_blocks+0x2f4/0x5f0 [ext4]
+[130747.336567] ext4_mpage_readpages+0x4a8/0x7a8 [ext4]
+[130747.336995] ext4_readpage+0x54/0x100 [ext4]
+[130747.337359] generic_file_buffered_read+0x410/0xae8
+[130747.337767] generic_file_read_iter+0x114/0x190
+[130747.338152] ext4_file_read_iter+0x5c/0x140 [ext4]
+[130747.338556] __vfs_read+0x11c/0x188
+[130747.338851] vfs_read+0x94/0x150
+[130747.339110] ksys_read+0x74/0xf0
+
+This patch's modification is according to Jan Kara's suggestion in:
+https://patchwork.ozlabs.org/project/linux-ext4/patch/20210428085158.3728201-1-yebin10@huawei.com/
+"I see. Now I understand your patch. Honestly, seeing how fragile is trying
+to fix extent tree after split has failed in the middle, I would probably
+go even further and make sure we fix the tree properly in case of ENOSPC
+and EDQUOT (those are easily user triggerable). Anything else indicates a
+HW problem or fs corruption so I'd rather leave the extent tree as is and
+don't try to fix it (which also means we will not create overlapping
+extents)."
+
+The Linux kernel CVE team has assigned CVE-2021-47117 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 4.4.272 with commit e33bafad30d3
+ Fixed in 4.9.272 with commit 5b3a9a2be594
+ Fixed in 4.14.236 with commit d8116743ef54
+ Fixed in 4.19.194 with commit 569496aa3776
+ Fixed in 5.4.125 with commit 920697b004e4
+ Fixed in 5.10.43 with commit d3b668b96ad3
+ Fixed in 5.12.10 with commit 48105dc98c9c
+ Fixed in 5.13 with commit 082cd4ec240b
+
+Please see https://www.kernel.org or a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47117
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ fs/ext4/extents.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/e33bafad30d34cfa5e9787cb099cab05e2677fcb
+ https://git.kernel.org/stable/c/5b3a9a2be59478b013a430ac57b0f3d65471b071
+ https://git.kernel.org/stable/c/d8116743ef5432336289256b2f7c117299213eb9
+ https://git.kernel.org/stable/c/569496aa3776eea1ff0d49d0174ac1b7e861e107
+ https://git.kernel.org/stable/c/920697b004e49cb026e2e15fe91be065bf0741b7
+ https://git.kernel.org/stable/c/d3b668b96ad3192c0581a248ae2f596cd054792a
+ https://git.kernel.org/stable/c/48105dc98c9ca35af418746277b087cb2bc6df7c
+ https://git.kernel.org/stable/c/082cd4ec240b8734a82a89ffb890216ac98fec68
diff --git a/cve/published/2021/CVE-2021-47117.sha1 b/cve/published/2021/CVE-2021-47117.sha1
new file mode 100644
index 00000000..17168ff4
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47117.sha1
@@ -0,0 +1 @@
+082cd4ec240b8734a82a89ffb890216ac98fec68
diff --git a/cve/reserved/2021/CVE-2021-47118 b/cve/published/2021/CVE-2021-47118
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47118
+++ b/cve/published/2021/CVE-2021-47118
diff --git a/cve/published/2021/CVE-2021-47118.json b/cve/published/2021/CVE-2021-47118.json
new file mode 100644
index 00000000..b70132d5
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47118.json
@@ -0,0 +1,178 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npid: take a reference when initializing `cad_pid`\n\nDuring boot, kernel_init_freeable() initializes `cad_pid` to the init\ntask's struct pid. Later on, we may change `cad_pid` via a sysctl, and\nwhen this happens proc_do_cad_pid() will increment the refcount on the\nnew pid via get_pid(), and will decrement the refcount on the old pid\nvia put_pid(). As we never called get_pid() when we initialized\n`cad_pid`, we decrement a reference we never incremented, can therefore\nfree the init task's struct pid early. As there can be dangling\nreferences to the struct pid, we can later encounter a use-after-free\n(e.g. when delivering signals).\n\nThis was spotted when fuzzing v5.13-rc3 with Syzkaller, but seems to\nhave been around since the conversion of `cad_pid` to struct pid in\ncommit 9ec52099e4b8 (\"[PATCH] replace cad_pid by a struct pid\") from the\npre-KASAN stone age of v2.6.19.\n\nFix this by getting a reference to the init task's struct pid when we\nassign it to `cad_pid`.\n\nFull KASAN splat below.\n\n ==================================================================\n BUG: KASAN: use-after-free in ns_of_pid include/linux/pid.h:153 [inline]\n BUG: KASAN: use-after-free in task_active_pid_ns+0xc0/0xc8 kernel/pid.c:509\n Read of size 4 at addr ffff23794dda0004 by task syz-executor.0/273\n\n CPU: 1 PID: 273 Comm: syz-executor.0 Not tainted 5.12.0-00001-g9aef892b2d15 #1\n Hardware name: linux,dummy-virt (DT)\n Call trace:\n ns_of_pid include/linux/pid.h:153 [inline]\n task_active_pid_ns+0xc0/0xc8 kernel/pid.c:509\n do_notify_parent+0x308/0xe60 kernel/signal.c:1950\n exit_notify kernel/exit.c:682 [inline]\n do_exit+0x2334/0x2bd0 kernel/exit.c:845\n do_group_exit+0x108/0x2c8 kernel/exit.c:922\n get_signal+0x4e4/0x2a88 kernel/signal.c:2781\n do_signal arch/arm64/kernel/signal.c:882 [inline]\n do_notify_resume+0x300/0x970 arch/arm64/kernel/signal.c:936\n work_pending+0xc/0x2dc\n\n 
Allocated by task 0:\n slab_post_alloc_hook+0x50/0x5c0 mm/slab.h:516\n slab_alloc_node mm/slub.c:2907 [inline]\n slab_alloc mm/slub.c:2915 [inline]\n kmem_cache_alloc+0x1f4/0x4c0 mm/slub.c:2920\n alloc_pid+0xdc/0xc00 kernel/pid.c:180\n copy_process+0x2794/0x5e18 kernel/fork.c:2129\n kernel_clone+0x194/0x13c8 kernel/fork.c:2500\n kernel_thread+0xd4/0x110 kernel/fork.c:2552\n rest_init+0x44/0x4a0 init/main.c:687\n arch_call_rest_init+0x1c/0x28\n start_kernel+0x520/0x554 init/main.c:1064\n 0x0\n\n Freed by task 270:\n slab_free_hook mm/slub.c:1562 [inline]\n slab_free_freelist_hook+0x98/0x260 mm/slub.c:1600\n slab_free mm/slub.c:3161 [inline]\n kmem_cache_free+0x224/0x8e0 mm/slub.c:3177\n put_pid.part.4+0xe0/0x1a8 kernel/pid.c:114\n put_pid+0x30/0x48 kernel/pid.c:109\n proc_do_cad_pid+0x190/0x1b0 kernel/sysctl.c:1401\n proc_sys_call_handler+0x338/0x4b0 fs/proc/proc_sysctl.c:591\n proc_sys_write+0x34/0x48 fs/proc/proc_sysctl.c:617\n call_write_iter include/linux/fs.h:1977 [inline]\n new_sync_write+0x3ac/0x510 fs/read_write.c:518\n vfs_write fs/read_write.c:605 [inline]\n vfs_write+0x9c4/0x1018 fs/read_write.c:585\n ksys_write+0x124/0x240 fs/read_write.c:658\n __do_sys_write fs/read_write.c:670 [inline]\n __se_sys_write fs/read_write.c:667 [inline]\n __arm64_sys_write+0x78/0xb0 fs/read_write.c:667\n __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]\n invoke_syscall arch/arm64/kernel/syscall.c:49 [inline]\n el0_svc_common.constprop.1+0x16c/0x388 arch/arm64/kernel/syscall.c:129\n do_el0_svc+0xf8/0x150 arch/arm64/kernel/syscall.c:168\n el0_svc+0x28/0x38 arch/arm64/kernel/entry-common.c:416\n el0_sync_handler+0x134/0x180 arch/arm64/kernel/entry-common.c:432\n el0_sync+0x154/0x180 arch/arm64/kernel/entry.S:701\n\n The buggy address belongs to the object at ffff23794dda0000\n which belongs to the cache pid of size 224\n The buggy address is located 4 bytes inside of\n 224-byte region [ff\n---truncated---"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "9ec52099e4b8678a",
+ "lessThan": "764c2e892d1f",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "9ec52099e4b8678a",
+ "lessThan": "f86c80515a8a",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "9ec52099e4b8678a",
+ "lessThan": "4dbd8808a591",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "9ec52099e4b8678a",
+ "lessThan": "d106f05432e6",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "9ec52099e4b8678a",
+ "lessThan": "2cd6eedfa634",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "9ec52099e4b8678a",
+ "lessThan": "7178be006d49",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "9ec52099e4b8678a",
+ "lessThan": "b8ff869f2015",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "9ec52099e4b8678a",
+ "lessThan": "0711f0d7050b",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "2.6.19",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "2.6.19",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.4.272",
+ "lessThanOrEqual": "4.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.9.272",
+ "lessThanOrEqual": "4.9.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.14.236",
+ "lessThanOrEqual": "4.14.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.19.194",
+ "lessThanOrEqual": "4.19.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.125",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.43",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.12.10",
+ "lessThanOrEqual": "5.12.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.13",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/764c2e892d1fe895392aff62fb353fdce43bb529"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/f86c80515a8a3703e0ca2e56deb50fc2879c5ea4"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/4dbd8808a591b49b717862e6e0081bcf14a87788"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/d106f05432e60f9f62d456ef017687f5c73cb414"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/2cd6eedfa6344f5ef5c3dac3aee57a39b5b46dff"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/7178be006d495ffb741c329012da289b62dddfe6"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/b8ff869f20152fbe66b6c2e2715d26a2f9897cca"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/0711f0d7050b9e07c44bc159bbc64ac0a1022c7f"
+ }
+ ],
+ "title": "pid: take a reference when initializing `cad_pid`",
+ "x_generator": {
+ "engine": "bippy-8df59b4913de"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47118",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
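Review bot: The introducing commit is written as `9ec52099e4b8678a` (16 hex digits) in every `git` range, while the fix hashes in the same entries and the description's own `commit 9ec52099e4b8` use 12. Tooling that compares abbreviated hashes as strings, rather than resolving them against the repository, will not match the two forms. I would use `"version": "9ec52099e4b8",` throughout; the 16-digit form also appears in the .mbox "Issue introduced in" lines. In addition, the description is cut off inside the KASAN report at `224-byte region [ff` before `---truncated---`, presumably by a length limit. Trimming the splat to its first `BUG: KASAN` lines would keep the root-cause text intact without ending mid-token.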
diff --git a/cve/published/2021/CVE-2021-47118.mbox b/cve/published/2021/CVE-2021-47118.mbox
new file mode 100644
index 00000000..683b7743
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47118.mbox
@@ -0,0 +1,174 @@
+From bippy-8df59b4913de Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47118: pid: take a reference when initializing `cad_pid`
+Message-Id: <2024031509-CVE-2021-47118-faf2@gregkh>
+Content-Length: 7473
+Lines: 157
+X-Developer-Signature: v=1; a=openpgp-sha256; l=7631;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=5mMeNno/TvMgQnD/15zYH+Lx7jDAt7JwBmsb3N7wL0k=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDKlf1vh6XH3s3XFa6sFiIetjXi/ZLb0DOlr5JpTXnGacZ
+ eK85O7kjlgWBkEmBlkxRZYv23iO7q84pOhlaHsaZg4rE8gQBi5OAZiI+UOGBdtMJ+4uXOW9e1Z+
+ 1+8fJzmlt866ks8wh5spzvnx+nz9Z/UWGgerlqeHvdS7CAA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+pid: take a reference when initializing `cad_pid`
+
+During boot, kernel_init_freeable() initializes `cad_pid` to the init
+task's struct pid. Later on, we may change `cad_pid` via a sysctl, and
+when this happens proc_do_cad_pid() will increment the refcount on the
+new pid via get_pid(), and will decrement the refcount on the old pid
+via put_pid(). As we never called get_pid() when we initialized
+`cad_pid`, we decrement a reference we never incremented, can therefore
+free the init task's struct pid early. As there can be dangling
+references to the struct pid, we can later encounter a use-after-free
+(e.g. when delivering signals).
+
+This was spotted when fuzzing v5.13-rc3 with Syzkaller, but seems to
+have been around since the conversion of `cad_pid` to struct pid in
+commit 9ec52099e4b8 ("[PATCH] replace cad_pid by a struct pid") from the
+pre-KASAN stone age of v2.6.19.
+
+Fix this by getting a reference to the init task's struct pid when we
+assign it to `cad_pid`.
+
+Full KASAN splat below.
+
+ ==================================================================
+ BUG: KASAN: use-after-free in ns_of_pid include/linux/pid.h:153 [inline]
+ BUG: KASAN: use-after-free in task_active_pid_ns+0xc0/0xc8 kernel/pid.c:509
+ Read of size 4 at addr ffff23794dda0004 by task syz-executor.0/273
+
+ CPU: 1 PID: 273 Comm: syz-executor.0 Not tainted 5.12.0-00001-g9aef892b2d15 #1
+ Hardware name: linux,dummy-virt (DT)
+ Call trace:
+ ns_of_pid include/linux/pid.h:153 [inline]
+ task_active_pid_ns+0xc0/0xc8 kernel/pid.c:509
+ do_notify_parent+0x308/0xe60 kernel/signal.c:1950
+ exit_notify kernel/exit.c:682 [inline]
+ do_exit+0x2334/0x2bd0 kernel/exit.c:845
+ do_group_exit+0x108/0x2c8 kernel/exit.c:922
+ get_signal+0x4e4/0x2a88 kernel/signal.c:2781
+ do_signal arch/arm64/kernel/signal.c:882 [inline]
+ do_notify_resume+0x300/0x970 arch/arm64/kernel/signal.c:936
+ work_pending+0xc/0x2dc
+
+ Allocated by task 0:
+ slab_post_alloc_hook+0x50/0x5c0 mm/slab.h:516
+ slab_alloc_node mm/slub.c:2907 [inline]
+ slab_alloc mm/slub.c:2915 [inline]
+ kmem_cache_alloc+0x1f4/0x4c0 mm/slub.c:2920
+ alloc_pid+0xdc/0xc00 kernel/pid.c:180
+ copy_process+0x2794/0x5e18 kernel/fork.c:2129
+ kernel_clone+0x194/0x13c8 kernel/fork.c:2500
+ kernel_thread+0xd4/0x110 kernel/fork.c:2552
+ rest_init+0x44/0x4a0 init/main.c:687
+ arch_call_rest_init+0x1c/0x28
+ start_kernel+0x520/0x554 init/main.c:1064
+ 0x0
+
+ Freed by task 270:
+ slab_free_hook mm/slub.c:1562 [inline]
+ slab_free_freelist_hook+0x98/0x260 mm/slub.c:1600
+ slab_free mm/slub.c:3161 [inline]
+ kmem_cache_free+0x224/0x8e0 mm/slub.c:3177
+ put_pid.part.4+0xe0/0x1a8 kernel/pid.c:114
+ put_pid+0x30/0x48 kernel/pid.c:109
+ proc_do_cad_pid+0x190/0x1b0 kernel/sysctl.c:1401
+ proc_sys_call_handler+0x338/0x4b0 fs/proc/proc_sysctl.c:591
+ proc_sys_write+0x34/0x48 fs/proc/proc_sysctl.c:617
+ call_write_iter include/linux/fs.h:1977 [inline]
+ new_sync_write+0x3ac/0x510 fs/read_write.c:518
+ vfs_write fs/read_write.c:605 [inline]
+ vfs_write+0x9c4/0x1018 fs/read_write.c:585
+ ksys_write+0x124/0x240 fs/read_write.c:658
+ __do_sys_write fs/read_write.c:670 [inline]
+ __se_sys_write fs/read_write.c:667 [inline]
+ __arm64_sys_write+0x78/0xb0 fs/read_write.c:667
+ __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
+ invoke_syscall arch/arm64/kernel/syscall.c:49 [inline]
+ el0_svc_common.constprop.1+0x16c/0x388 arch/arm64/kernel/syscall.c:129
+ do_el0_svc+0xf8/0x150 arch/arm64/kernel/syscall.c:168
+ el0_svc+0x28/0x38 arch/arm64/kernel/entry-common.c:416
+ el0_sync_handler+0x134/0x180 arch/arm64/kernel/entry-common.c:432
+ el0_sync+0x154/0x180 arch/arm64/kernel/entry.S:701
+
+ The buggy address belongs to the object at ffff23794dda0000
+ which belongs to the cache pid of size 224
+ The buggy address is located 4 bytes inside of
+ 224-byte region [ffff23794dda0000, ffff23794dda00e0)
+ The buggy address belongs to the page:
+ page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4dda0
+ head:(____ptrval____) order:1 compound_mapcount:0
+ flags: 0x3fffc0000010200(slab|head)
+ raw: 03fffc0000010200 dead000000000100 dead000000000122 ffff23794d40d080
+ raw: 0000000000000000 0000000000190019 00000001ffffffff 0000000000000000
+ page dumped because: kasan: bad access detected
+
+ Memory state around the buggy address:
+ ffff23794dd9ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff23794dd9ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ >ffff23794dda0000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ^
+ ffff23794dda0080: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
+ ffff23794dda0100: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
+ ==================================================================
+
+The Linux kernel CVE team has assigned CVE-2021-47118 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 2.6.19 with commit 9ec52099e4b8678a and fixed in 4.4.272 with commit 764c2e892d1f
+ Issue introduced in 2.6.19 with commit 9ec52099e4b8678a and fixed in 4.9.272 with commit f86c80515a8a
+ Issue introduced in 2.6.19 with commit 9ec52099e4b8678a and fixed in 4.14.236 with commit 4dbd8808a591
+ Issue introduced in 2.6.19 with commit 9ec52099e4b8678a and fixed in 4.19.194 with commit d106f05432e6
+ Issue introduced in 2.6.19 with commit 9ec52099e4b8678a and fixed in 5.4.125 with commit 2cd6eedfa634
+ Issue introduced in 2.6.19 with commit 9ec52099e4b8678a and fixed in 5.10.43 with commit 7178be006d49
+ Issue introduced in 2.6.19 with commit 9ec52099e4b8678a and fixed in 5.12.10 with commit b8ff869f2015
+ Issue introduced in 2.6.19 with commit 9ec52099e4b8678a and fixed in 5.13 with commit 0711f0d7050b
+
+Please see https://www.kernel.org or a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47118
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ init/main.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/764c2e892d1fe895392aff62fb353fdce43bb529
+ https://git.kernel.org/stable/c/f86c80515a8a3703e0ca2e56deb50fc2879c5ea4
+ https://git.kernel.org/stable/c/4dbd8808a591b49b717862e6e0081bcf14a87788
+ https://git.kernel.org/stable/c/d106f05432e60f9f62d456ef017687f5c73cb414
+ https://git.kernel.org/stable/c/2cd6eedfa6344f5ef5c3dac3aee57a39b5b46dff
+ https://git.kernel.org/stable/c/7178be006d495ffb741c329012da289b62dddfe6
+ https://git.kernel.org/stable/c/b8ff869f20152fbe66b6c2e2715d26a2f9897cca
+ https://git.kernel.org/stable/c/0711f0d7050b9e07c44bc159bbc64ac0a1022c7f
diff --git a/cve/published/2021/CVE-2021-47118.sha1 b/cve/published/2021/CVE-2021-47118.sha1
new file mode 100644
index 00000000..3f7227a6
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47118.sha1
@@ -0,0 +1 @@
+0711f0d7050b9e07c44bc159bbc64ac0a1022c7f
diff --git a/cve/reserved/2021/CVE-2021-47119 b/cve/published/2021/CVE-2021-47119
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47119
+++ b/cve/published/2021/CVE-2021-47119
diff --git a/cve/published/2021/CVE-2021-47119.json b/cve/published/2021/CVE-2021-47119.json
new file mode 100644
index 00000000..2a37726e
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47119.json
@@ -0,0 +1,103 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix memory leak in ext4_fill_super\n\nBuffer head references must be released before calling kill_bdev();\notherwise the buffer head (and its page referenced by b_data) will not\nbe freed by kill_bdev, and subsequently that bh will be leaked.\n\nIf blocksizes differ, sb_set_blocksize() will kill current buffers and\npage cache by using kill_bdev(). And then super block will be reread\nagain but using correct blocksize this time. sb_set_blocksize() didn't\nfully free superblock page and buffer head, and being busy, they were\nnot freed and instead leaked.\n\nThis can easily be reproduced by calling an infinite loop of:\n\n systemctl start <ext4_on_lvm>.mount, and\n systemctl stop <ext4_on_lvm>.mount\n\n... since systemd creates a cgroup for each slice which it mounts, and\nthe bh leak get amplified by a dying memory cgroup that also never\ngets freed, and memory consumption is much more easily noticed."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "ac27a0ec112a",
+ "lessThan": "01d349a481f0",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "ac27a0ec112a",
+ "lessThan": "1385b23396d5",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "ac27a0ec112a",
+ "lessThan": "afd09b617db3",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "2.6.19",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "2.6.19",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.43",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.12.10",
+ "lessThanOrEqual": "5.12.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.13",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/01d349a481f0591230300a9171330136f9159bcd"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/1385b23396d511d5233b8b921ac3058b3f86a5e1"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/afd09b617db3786b6ef3dc43e28fe728cfea84df"
+ }
+ ],
+ "title": "ext4: fix memory leak in ext4_fill_super",
+ "x_generator": {
+ "engine": "bippy-8df59b4913de"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47119",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
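Review bot: The `cna` container in this record has no `problemTypes` entry, so consumers that triage by weakness class get nothing machine-readable; the only classification is the free-text commit message in `descriptions`. For this ext4 leak I would add `"problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-401", "description": "Missing Release of Memory after Effective Lifetime"}]}]` next to `descriptions`. The same gap is in the CVE-2021-47120, CVE-2021-47121 and CVE-2021-47122 JSON hunks (CWE-476 would fit the magicmouse NULL dereference, CWE-401 the two caif leaks). Since the files are produced by bippy, the field presumably belongs in the generator rather than in hand edits.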
diff --git a/cve/published/2021/CVE-2021-47119.mbox b/cve/published/2021/CVE-2021-47119.mbox
new file mode 100644
index 00000000..81fb197f
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47119.mbox
@@ -0,0 +1,83 @@
+From bippy-8df59b4913de Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47119: ext4: fix memory leak in ext4_fill_super
+Message-Id: <2024031509-CVE-2021-47119-22d3@gregkh>
+Content-Length: 2617
+Lines: 66
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2684;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=CIV8Orjqp+X/587p0w7c3vLDvuEQ7gBsjJq2Moicp5g=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDKlf1viq1myz0V33ZkNSxeen12pzNSIKXrSZK/JaOkhrX
+ Vdi3WLaEcvCIMjEICumyPJlG8/R/RWHFL0MbU/DzGFlAhnCwMUpABO5mc8wz37JSvaOjSx26oZm
+ GbuWZbVtneJ5hGG+S4Mjr9sSQa0fSjY50eHT7vL/PLQBAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+ext4: fix memory leak in ext4_fill_super
+
+Buffer head references must be released before calling kill_bdev();
+otherwise the buffer head (and its page referenced by b_data) will not
+be freed by kill_bdev, and subsequently that bh will be leaked.
+
+If blocksizes differ, sb_set_blocksize() will kill current buffers and
+page cache by using kill_bdev(). And then super block will be reread
+again but using correct blocksize this time. sb_set_blocksize() didn't
+fully free superblock page and buffer head, and being busy, they were
+not freed and instead leaked.
+
+This can easily be reproduced by calling an infinite loop of:
+
+ systemctl start <ext4_on_lvm>.mount, and
+ systemctl stop <ext4_on_lvm>.mount
+
+... since systemd creates a cgroup for each slice which it mounts, and
+the bh leak get amplified by a dying memory cgroup that also never
+gets freed, and memory consumption is much more easily noticed.
+
+The Linux kernel CVE team has assigned CVE-2021-47119 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 2.6.19 with commit ac27a0ec112a and fixed in 5.10.43 with commit 01d349a481f0
+ Issue introduced in 2.6.19 with commit ac27a0ec112a and fixed in 5.12.10 with commit 1385b23396d5
+ Issue introduced in 2.6.19 with commit ac27a0ec112a and fixed in 5.13 with commit afd09b617db3
+
+Please see https://www.kernel.org or a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47119
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ fs/ext4/super.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/01d349a481f0591230300a9171330136f9159bcd
+ https://git.kernel.org/stable/c/1385b23396d511d5233b8b921ac3058b3f86a5e1
+ https://git.kernel.org/stable/c/afd09b617db3786b6ef3dc43e28fe728cfea84df
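Review bot: The sentence `Please see https://www.kernel.org or a full list of currently supported` under "Affected and fixed versions" looks like a typo, with "or" where "for" was meant: `Please see https://www.kernel.org for a full list of currently supported`. The same line is in the CVE-2021-47120, CVE-2021-47121 and CVE-2021-47122 mbox hunks. The message carries an `X-Developer-Signature` header with a body hash (`bh=`), so the wording should be corrected in the generator and the announcement re-signed. Editing the committed file directly would presumably leave a signature that no longer verifies.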
diff --git a/cve/published/2021/CVE-2021-47119.sha1 b/cve/published/2021/CVE-2021-47119.sha1
new file mode 100644
index 00000000..378e0a9d
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47119.sha1
@@ -0,0 +1 @@
+afd09b617db3786b6ef3dc43e28fe728cfea84df
diff --git a/cve/reserved/2021/CVE-2021-47120 b/cve/published/2021/CVE-2021-47120
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47120
+++ b/cve/published/2021/CVE-2021-47120
diff --git a/cve/published/2021/CVE-2021-47120.json b/cve/published/2021/CVE-2021-47120.json
new file mode 100644
index 00000000..6da1df13
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47120.json
@@ -0,0 +1,118 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: magicmouse: fix NULL-deref on disconnect\n\nCommit 9d7b18668956 (\"HID: magicmouse: add support for Apple Magic\nTrackpad 2\") added a sanity check for an Apple trackpad but returned\nsuccess instead of -ENODEV when the check failed. This means that the\nremove callback will dereference the never-initialised driver data\npointer when the driver is later unbound (e.g. on USB disconnect)."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "9d7b18668956",
+ "lessThan": "368c5d45a87e",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "9d7b18668956",
+ "lessThan": "b5d013c4c76b",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "9d7b18668956",
+ "lessThan": "9cf27473f219",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "9d7b18668956",
+ "lessThan": "4b4f6cecca44",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "4.20",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "4.20",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.125",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.43",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.12.10",
+ "lessThanOrEqual": "5.12.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.13",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/368c5d45a87e1bcc7f1e98e0c255c37b7b12c5d6"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/b5d013c4c76b276890135b5d32803c4c63924b77"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/9cf27473f21913a3eaf4702dd2a25415afd5f33f"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/4b4f6cecca446abcb686c6e6c451d4f1ec1a7497"
+ }
+ ],
+ "title": "HID: magicmouse: fix NULL-deref on disconnect",
+ "x_generator": {
+ "engine": "bippy-8df59b4913de"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47120",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2021/CVE-2021-47120.mbox b/cve/published/2021/CVE-2021-47120.mbox
new file mode 100644
index 00000000..9cc3289b
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47120.mbox
@@ -0,0 +1,72 @@
+From bippy-8df59b4913de Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47120: HID: magicmouse: fix NULL-deref on disconnect
+Message-Id: <2024031510-CVE-2021-47120-c3db@gregkh>
+Content-Length: 2278
+Lines: 55
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2334;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=KKnAZzdh7D61eNLpkShBbmvz9bFHpWmnKwWHRD3Qo8w=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDKlf1vhJZk4K33DpgeqUtSrrbI4mhGnONflu4K0+xZzxI
+ N/V94FqHbEsDIJMDLJiiixftvEc3V9xSNHL0PY0zBxWJpAhDFycAjCRwy4MCw4E7G2c02vVJdea
+ UM5VeN+nd8qWuwzz1PmuXP3/IHLB7keZ+suNBTp+mDx/CQA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+HID: magicmouse: fix NULL-deref on disconnect
+
+Commit 9d7b18668956 ("HID: magicmouse: add support for Apple Magic
+Trackpad 2") added a sanity check for an Apple trackpad but returned
+success instead of -ENODEV when the check failed. This means that the
+remove callback will dereference the never-initialised driver data
+pointer when the driver is later unbound (e.g. on USB disconnect).
+
+The Linux kernel CVE team has assigned CVE-2021-47120 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 4.20 with commit 9d7b18668956 and fixed in 5.4.125 with commit 368c5d45a87e
+ Issue introduced in 4.20 with commit 9d7b18668956 and fixed in 5.10.43 with commit b5d013c4c76b
+ Issue introduced in 4.20 with commit 9d7b18668956 and fixed in 5.12.10 with commit 9cf27473f219
+ Issue introduced in 4.20 with commit 9d7b18668956 and fixed in 5.13 with commit 4b4f6cecca44
+
+Please see https://www.kernel.org or a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47120
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/hid/hid-magicmouse.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/368c5d45a87e1bcc7f1e98e0c255c37b7b12c5d6
+ https://git.kernel.org/stable/c/b5d013c4c76b276890135b5d32803c4c63924b77
+ https://git.kernel.org/stable/c/9cf27473f21913a3eaf4702dd2a25415afd5f33f
+ https://git.kernel.org/stable/c/4b4f6cecca446abcb686c6e6c451d4f1ec1a7497
diff --git a/cve/published/2021/CVE-2021-47120.sha1 b/cve/published/2021/CVE-2021-47120.sha1
new file mode 100644
index 00000000..5f897925
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47120.sha1
@@ -0,0 +1 @@
+4b4f6cecca446abcb686c6e6c451d4f1ec1a7497
diff --git a/cve/reserved/2021/CVE-2021-47121 b/cve/published/2021/CVE-2021-47121
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47121
+++ b/cve/published/2021/CVE-2021-47121
diff --git a/cve/published/2021/CVE-2021-47121.json b/cve/published/2021/CVE-2021-47121.json
new file mode 100644
index 00000000..485da5ea
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47121.json
@@ -0,0 +1,178 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: caif: fix memory leak in cfusbl_device_notify\n\nIn case of caif_enroll_dev() fail, allocated\nlink_support won't be assigned to the corresponding\nstructure. So simply free allocated pointer in case\nof error."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "7ad65bf68d70",
+ "lessThan": "cc302e30a504",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "7ad65bf68d70",
+ "lessThan": "81afc61cb6e2",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "7ad65bf68d70",
+ "lessThan": "e8b37f5009ea",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "7ad65bf68d70",
+ "lessThan": "9ea0ab48e755",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "7ad65bf68d70",
+ "lessThan": "4d94f530cd24",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "7ad65bf68d70",
+ "lessThan": "46403c1f80b0",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "7ad65bf68d70",
+ "lessThan": "dde8686985ec",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "7ad65bf68d70",
+ "lessThan": "7f5d86669fa4",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "3.3",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "3.3",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.4.272",
+ "lessThanOrEqual": "4.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.9.272",
+ "lessThanOrEqual": "4.9.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.14.236",
+ "lessThanOrEqual": "4.14.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.19.194",
+ "lessThanOrEqual": "4.19.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.125",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.43",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.12.10",
+ "lessThanOrEqual": "5.12.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.13",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/cc302e30a504e6b60a9ac8df7988646f46cd0294"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/81afc61cb6e2b553f2c5f992fa79e0ae73857141"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/e8b37f5009ea7095529790f022859711e6939c76"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/9ea0ab48e755d8f29fe89eb235fb86176fdb597f"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/4d94f530cd24c85aede6e72b8923f371b45d6886"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/46403c1f80b0d3f937ff9c4f5edc63bb64bc5051"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/dde8686985ec24d6b00487080a906609bd613ea1"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/7f5d86669fa4d485523ddb1d212e0a2d90bd62bb"
+ }
+ ],
+ "title": "net: caif: fix memory leak in cfusbl_device_notify",
+ "x_generator": {
+ "engine": "bippy-8df59b4913de"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47121",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2021/CVE-2021-47121.mbox b/cve/published/2021/CVE-2021-47121.mbox
new file mode 100644
index 00000000..c6ffb37b
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47121.mbox
@@ -0,0 +1,79 @@
+From bippy-8df59b4913de Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47121: net: caif: fix memory leak in cfusbl_device_notify
+Message-Id: <2024031510-CVE-2021-47121-13c1@gregkh>
+Content-Length: 2771
+Lines: 62
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2834;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=hJHQKZ1dy5HY3BJdNvw3pAlCqU52Ttyc70n9jF85Gs0=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDKlf1vj9mjVRP3BFoeKB4GuJ3RPNr++894Tn1JWmV+KmI
+ W5ZxcmVHbEsDIJMDLJiiixftvEc3V9xSNHL0PY0zBxWJpAhDFycAjCRJBWG+e6cbg//vN++VzTr
+ otF0x8XrLBpPbGdY0DWl5XZVZct14/22f75digoWuN/2BQA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+net: caif: fix memory leak in cfusbl_device_notify
+
+In case of caif_enroll_dev() fail, allocated
+link_support won't be assigned to the corresponding
+structure. So simply free allocated pointer in case
+of error.
+
+The Linux kernel CVE team has assigned CVE-2021-47121 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 3.3 with commit 7ad65bf68d70 and fixed in 4.4.272 with commit cc302e30a504
+ Issue introduced in 3.3 with commit 7ad65bf68d70 and fixed in 4.9.272 with commit 81afc61cb6e2
+ Issue introduced in 3.3 with commit 7ad65bf68d70 and fixed in 4.14.236 with commit e8b37f5009ea
+ Issue introduced in 3.3 with commit 7ad65bf68d70 and fixed in 4.19.194 with commit 9ea0ab48e755
+ Issue introduced in 3.3 with commit 7ad65bf68d70 and fixed in 5.4.125 with commit 4d94f530cd24
+ Issue introduced in 3.3 with commit 7ad65bf68d70 and fixed in 5.10.43 with commit 46403c1f80b0
+ Issue introduced in 3.3 with commit 7ad65bf68d70 and fixed in 5.12.10 with commit dde8686985ec
+ Issue introduced in 3.3 with commit 7ad65bf68d70 and fixed in 5.13 with commit 7f5d86669fa4
+
+Please see https://www.kernel.org or a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47121
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ net/caif/caif_usb.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/cc302e30a504e6b60a9ac8df7988646f46cd0294
+ https://git.kernel.org/stable/c/81afc61cb6e2b553f2c5f992fa79e0ae73857141
+ https://git.kernel.org/stable/c/e8b37f5009ea7095529790f022859711e6939c76
+ https://git.kernel.org/stable/c/9ea0ab48e755d8f29fe89eb235fb86176fdb597f
+ https://git.kernel.org/stable/c/4d94f530cd24c85aede6e72b8923f371b45d6886
+ https://git.kernel.org/stable/c/46403c1f80b0d3f937ff9c4f5edc63bb64bc5051
+ https://git.kernel.org/stable/c/dde8686985ec24d6b00487080a906609bd613ea1
+ https://git.kernel.org/stable/c/7f5d86669fa4d485523ddb1d212e0a2d90bd62bb
diff --git a/cve/published/2021/CVE-2021-47121.sha1 b/cve/published/2021/CVE-2021-47121.sha1
new file mode 100644
index 00000000..d36b0ce1
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47121.sha1
@@ -0,0 +1 @@
+7f5d86669fa4d485523ddb1d212e0a2d90bd62bb
diff --git a/cve/reserved/2021/CVE-2021-47122 b/cve/published/2021/CVE-2021-47122
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47122
+++ b/cve/published/2021/CVE-2021-47122
diff --git a/cve/published/2021/CVE-2021-47122.json b/cve/published/2021/CVE-2021-47122.json
new file mode 100644
index 00000000..c60d4d71
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47122.json
@@ -0,0 +1,178 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: caif: fix memory leak in caif_device_notify\n\nIn case of caif_enroll_dev() fail, allocated\nlink_support won't be assigned to the corresponding\nstructure. So simply free allocated pointer in case\nof error"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "7c18d2205ea7",
+ "lessThan": "b042e2b20395",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "7c18d2205ea7",
+ "lessThan": "9348c1f10932",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "7c18d2205ea7",
+ "lessThan": "4bca2034b41c",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "7c18d2205ea7",
+ "lessThan": "3be863c11cab",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "7c18d2205ea7",
+ "lessThan": "f52f4fd67264",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "7c18d2205ea7",
+ "lessThan": "af2806345a37",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "7c18d2205ea7",
+ "lessThan": "6a0e317f6109",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "7c18d2205ea7",
+ "lessThan": "b53558a950a8",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "3.3",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "3.3",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.4.272",
+ "lessThanOrEqual": "4.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.9.272",
+ "lessThanOrEqual": "4.9.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.14.236",
+ "lessThanOrEqual": "4.14.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.19.194",
+ "lessThanOrEqual": "4.19.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.125",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.43",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.12.10",
+ "lessThanOrEqual": "5.12.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.13",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/b042e2b2039565eb8f0eb51c14fbe1ef463c8cd8"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/9348c1f10932f13b299cbc8b1bd5f780751fae49"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/4bca2034b41c15b62d47a19158bb76235fd4455d"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/3be863c11cab725add9fef4237ed4e232c3fc3bb"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/f52f4fd67264c70cd0b4ba326962ebe12d9cba94"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/af2806345a37313f01b1c9f15e046745b8ee2daa"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/6a0e317f61094d377335547e015dd2ff12caf893"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/b53558a950a89824938e9811eddfc8efcd94e1bb"
+ }
+ ],
+ "title": "net: caif: fix memory leak in caif_device_notify",
+ "x_generator": {
+ "engine": "bippy-8df59b4913de"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47122",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2021/CVE-2021-47122.mbox b/cve/published/2021/CVE-2021-47122.mbox
new file mode 100644
index 00000000..6e60947b
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47122.mbox
@@ -0,0 +1,79 @@
+From bippy-8df59b4913de Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47122: net: caif: fix memory leak in caif_device_notify
+Message-Id: <2024031510-CVE-2021-47122-b183@gregkh>
+Content-Length: 2768
+Lines: 62
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2831;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=n65gYxsjTIJDFtvCVX504pzs6vpi9xoqoBgxpSbVzsE=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDKlf1vhpRHDlPPv0Myjv8bc9vjs+509iU1ra2PN2YWDRl
+ DwJY87QjlgWBkEmBlkxRZYv23iO7q84pOhlaHsaZg4rE8gQBi5OAZhIwTeGBVdXfNAt6phfvoX3
+ 5nzjMkdtnyazqwzzNLwPvw00DeOxOSWmX670rywzvbcUAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+net: caif: fix memory leak in caif_device_notify
+
+In case of caif_enroll_dev() fail, allocated
+link_support won't be assigned to the corresponding
+structure. So simply free allocated pointer in case
+of error
+
+The Linux kernel CVE team has assigned CVE-2021-47122 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 3.3 with commit 7c18d2205ea7 and fixed in 4.4.272 with commit b042e2b20395
+ Issue introduced in 3.3 with commit 7c18d2205ea7 and fixed in 4.9.272 with commit 9348c1f10932
+ Issue introduced in 3.3 with commit 7c18d2205ea7 and fixed in 4.14.236 with commit 4bca2034b41c
+ Issue introduced in 3.3 with commit 7c18d2205ea7 and fixed in 4.19.194 with commit 3be863c11cab
+ Issue introduced in 3.3 with commit 7c18d2205ea7 and fixed in 5.4.125 with commit f52f4fd67264
+ Issue introduced in 3.3 with commit 7c18d2205ea7 and fixed in 5.10.43 with commit af2806345a37
+ Issue introduced in 3.3 with commit 7c18d2205ea7 and fixed in 5.12.10 with commit 6a0e317f6109
+ Issue introduced in 3.3 with commit 7c18d2205ea7 and fixed in 5.13 with commit b53558a950a8
+
+Please see https://www.kernel.org or a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47122
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ net/caif/caif_dev.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/b042e2b2039565eb8f0eb51c14fbe1ef463c8cd8
+ https://git.kernel.org/stable/c/9348c1f10932f13b299cbc8b1bd5f780751fae49
+ https://git.kernel.org/stable/c/4bca2034b41c15b62d47a19158bb76235fd4455d
+ https://git.kernel.org/stable/c/3be863c11cab725add9fef4237ed4e232c3fc3bb
+ https://git.kernel.org/stable/c/f52f4fd67264c70cd0b4ba326962ebe12d9cba94
+ https://git.kernel.org/stable/c/af2806345a37313f01b1c9f15e046745b8ee2daa
+ https://git.kernel.org/stable/c/6a0e317f61094d377335547e015dd2ff12caf893
+ https://git.kernel.org/stable/c/b53558a950a89824938e9811eddfc8efcd94e1bb
diff --git a/cve/published/2021/CVE-2021-47122.sha1 b/cve/published/2021/CVE-2021-47122.sha1
new file mode 100644
index 00000000..38803488
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47122.sha1
@@ -0,0 +1 @@
+b53558a950a89824938e9811eddfc8efcd94e1bb
diff --git a/cve/reserved/2021/CVE-2021-47123 b/cve/published/2021/CVE-2021-47123
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47123
+++ b/cve/published/2021/CVE-2021-47123
diff --git a/cve/published/2021/CVE-2021-47123.json b/cve/published/2021/CVE-2021-47123.json
new file mode 100644
index 00000000..9098c34b
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47123.json
@@ -0,0 +1,88 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: fix ltout double free on completion race\n\nAlways remove linked timeout on io_link_timeout_fn() from the master\nrequest link list, otherwise we may get use-after-free when first\nio_link_timeout_fn() puts linked timeout in the fail path, and then\nwill be found and put on master's free."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "90cd7e424969d",
+ "lessThan": "1f64f5e903b9",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "90cd7e424969d",
+ "lessThan": "447c19f3b507",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.11",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.11",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.12.10",
+ "lessThanOrEqual": "5.12.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.13",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/1f64f5e903b9d1d157875721e02adadc9d6f0a5d"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/447c19f3b5074409c794b350b10306e1da1ef4ba"
+ }
+ ],
+ "title": "io_uring: fix ltout double free on completion race",
+ "x_generator": {
+ "engine": "bippy-8df59b4913de"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47123",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2021/CVE-2021-47123.mbox b/cve/published/2021/CVE-2021-47123.mbox
new file mode 100644
index 00000000..924536d1
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47123.mbox
@@ -0,0 +1,67 @@
+From bippy-8df59b4913de Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47123: io_uring: fix ltout double free on completion race
+Message-Id: <2024031511-CVE-2021-47123-8318@gregkh>
+Content-Length: 1831
+Lines: 50
+X-Developer-Signature: v=1; a=openpgp-sha256; l=1882;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=9MyT1/2g7ZtBGpI8AbS0W4vNubv5q1e2ooOWkO09JHs=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDKlf1vi77KuNawwJel8pUyUQvGm25b5P06c9uNGjGGTqb
+ xWQHKjeEcvCIMjEICumyPJlG8/R/RWHFL0MbU/DzGFlAhnCwMUpABM50cswVz6P3XLWBfcKt9+3
+ 2BYcTxXzLPONZJjvtk7xqEetlFVuoqG7wBS/dTWHbWcAAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+io_uring: fix ltout double free on completion race
+
+Always remove linked timeout on io_link_timeout_fn() from the master
+request link list, otherwise we may get use-after-free when first
+io_link_timeout_fn() puts linked timeout in the fail path, and then
+will be found and put on master's free.
+
+The Linux kernel CVE team has assigned CVE-2021-47123 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.11 with commit 90cd7e424969d and fixed in 5.12.10 with commit 1f64f5e903b9
+ Issue introduced in 5.11 with commit 90cd7e424969d and fixed in 5.13 with commit 447c19f3b507
+
+Please see https://www.kernel.org or a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47123
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ fs/io_uring.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/1f64f5e903b9d1d157875721e02adadc9d6f0a5d
+ https://git.kernel.org/stable/c/447c19f3b5074409c794b350b10306e1da1ef4ba
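Review bot: In the "Affected and fixed versions" section, the sentence `Please see https://www.kernel.org or a full list of currently supported` reads as if `or` should be `for`. As written it no longer says that kernel.org is where the list of supported versions lives. The same wording appears in the CVE-2021-47124.mbox and CVE-2021-47125.mbox hunks, so it presumably comes from the generator template rather than from this record. The corrected line would be `Please see https://www.kernel.org for a full list of currently supported`.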
diff --git a/cve/published/2021/CVE-2021-47123.sha1 b/cve/published/2021/CVE-2021-47123.sha1
new file mode 100644
index 00000000..6bc09cbe
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47123.sha1
@@ -0,0 +1 @@
+447c19f3b5074409c794b350b10306e1da1ef4ba
diff --git a/cve/reserved/2021/CVE-2021-47124 b/cve/published/2021/CVE-2021-47124
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47124
+++ b/cve/published/2021/CVE-2021-47124
diff --git a/cve/published/2021/CVE-2021-47124.json b/cve/published/2021/CVE-2021-47124.json
new file mode 100644
index 00000000..854e34b1
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47124.json
@@ -0,0 +1,123 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: fix link timeout refs\n\nWARNING: CPU: 0 PID: 10242 at lib/refcount.c:28 refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28\nRIP: 0010:refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28\nCall Trace:\n __refcount_sub_and_test include/linux/refcount.h:283 [inline]\n __refcount_dec_and_test include/linux/refcount.h:315 [inline]\n refcount_dec_and_test include/linux/refcount.h:333 [inline]\n io_put_req fs/io_uring.c:2140 [inline]\n io_queue_linked_timeout fs/io_uring.c:6300 [inline]\n __io_queue_sqe+0xbef/0xec0 fs/io_uring.c:6354\n io_submit_sqe fs/io_uring.c:6534 [inline]\n io_submit_sqes+0x2bbd/0x7c50 fs/io_uring.c:6660\n __do_sys_io_uring_enter fs/io_uring.c:9240 [inline]\n __se_sys_io_uring_enter+0x256/0x1d60 fs/io_uring.c:9182\n\nio_link_timeout_fn() should put only one reference of the linked timeout\nrequest, however in case of racing with the master request's completion\nfirst io_req_complete() puts one and then io_put_req_deferred() is\ncalled."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1c20e9040f49",
+ "lessThan": "0b2a990e5d2f",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1c20e9040f49",
+ "lessThan": "6f5d7a45f58d",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "9ae1f8dd372e0",
+ "lessThan": "876808dba2ff",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "9ae1f8dd372e0",
+ "lessThan": "ff4a96ba5c8f",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "9ae1f8dd372e0",
+ "lessThan": "a298232ee6b9",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.10.43",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.55",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.12.10",
+ "lessThanOrEqual": "5.12.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.12.19",
+ "lessThanOrEqual": "5.12.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.13",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/0b2a990e5d2f76d020cb840c456e6ec5f0c27530"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/6f5d7a45f58d3abe3a936de1441b8d6318f978ff"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/876808dba2ff7509bdd7f230c4f374a0caf4f410"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/ff4a96ba5c8f9b266706280ff8021d2ef3f17e86"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/a298232ee6b9a1d5d732aa497ff8be0d45b5bd82"
+ }
+ ],
+ "title": "io_uring: fix link timeout refs",
+ "x_generator": {
+ "engine": "bippy-8df59b4913de"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47124",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
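Review bot: The second `affected` block sets `"defaultStatus": "affected"` but has no introducing-version entry and no `"version": "0", "lessThan": …` unaffected range, unlike CVE-2021-47123.json and CVE-2021-47125.json in this same commit. A scanner that matches on release numbers will therefore report every version not listed here as affected, including ones older than the 5.10.26 introduction named in the matching .mbox. The block also lists two `5.10.*` ranges (5.10.43 and 5.10.55) and two `5.12.*` ranges (5.12.10 and 5.12.19), so it is unclear whether 5.10.43–5.10.54 and 5.12.10–5.12.18 are fully fixed. Adding a lower-bound unaffected entry and a single fixed version per branch, or a sentence in the description explaining the second fix, would make the record safe to consume mechanically. How 5.11.y should be marked cannot be determined from this page.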
diff --git a/cve/published/2021/CVE-2021-47124.mbox b/cve/published/2021/CVE-2021-47124.mbox
new file mode 100644
index 00000000..a7466100
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47124.mbox
@@ -0,0 +1,87 @@
+From bippy-8df59b4913de Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47124: io_uring: fix link timeout refs
+Message-Id: <2024031511-CVE-2021-47124-42c9@gregkh>
+Content-Length: 3015
+Lines: 70
+X-Developer-Signature: v=1; a=openpgp-sha256; l=3086;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=BlRLmxexxfz+En7YtOjJo8VA/WDAiMyutiFTjC+5EyE=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDKlf1viHrXh7MfyC4Gf2rz5KccJFMxjr6lufJTcr/RU/t
+ E9AYt6HjlgWBkEmBlkxRZYv23iO7q84pOhlaHsaZg4rE8gQBi5OAZgI82GGeVqaW/R3bly2+urB
+ U7dflK1/0prxaCLDguYww/CGwp3Fr3+n97Uypv0vCOkVBwA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+io_uring: fix link timeout refs
+
+WARNING: CPU: 0 PID: 10242 at lib/refcount.c:28 refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
+RIP: 0010:refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
+Call Trace:
+ __refcount_sub_and_test include/linux/refcount.h:283 [inline]
+ __refcount_dec_and_test include/linux/refcount.h:315 [inline]
+ refcount_dec_and_test include/linux/refcount.h:333 [inline]
+ io_put_req fs/io_uring.c:2140 [inline]
+ io_queue_linked_timeout fs/io_uring.c:6300 [inline]
+ __io_queue_sqe+0xbef/0xec0 fs/io_uring.c:6354
+ io_submit_sqe fs/io_uring.c:6534 [inline]
+ io_submit_sqes+0x2bbd/0x7c50 fs/io_uring.c:6660
+ __do_sys_io_uring_enter fs/io_uring.c:9240 [inline]
+ __se_sys_io_uring_enter+0x256/0x1d60 fs/io_uring.c:9182
+
+io_link_timeout_fn() should put only one reference of the linked timeout
+request, however in case of racing with the master request's completion
+first io_req_complete() puts one and then io_put_req_deferred() is
+called.
+
+The Linux kernel CVE team has assigned CVE-2021-47124 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.10.26 with commit 1c20e9040f49 and fixed in 5.10.43 with commit 0b2a990e5d2f
+ Issue introduced in 5.10.26 with commit 1c20e9040f49 and fixed in 5.10.55 with commit 6f5d7a45f58d
+ Issue introduced in 5.12 with commit 9ae1f8dd372e0 and fixed in 5.12.10 with commit 876808dba2ff
+ Issue introduced in 5.12 with commit 9ae1f8dd372e0 and fixed in 5.12.19 with commit ff4a96ba5c8f
+ Issue introduced in 5.12 with commit 9ae1f8dd372e0 and fixed in 5.13 with commit a298232ee6b9
+
+Please see https://www.kernel.org or a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47124
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ fs/io_uring.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/0b2a990e5d2f76d020cb840c456e6ec5f0c27530
+ https://git.kernel.org/stable/c/6f5d7a45f58d3abe3a936de1441b8d6318f978ff
+ https://git.kernel.org/stable/c/876808dba2ff7509bdd7f230c4f374a0caf4f410
+ https://git.kernel.org/stable/c/ff4a96ba5c8f9b266706280ff8021d2ef3f17e86
+ https://git.kernel.org/stable/c/a298232ee6b9a1d5d732aa497ff8be0d45b5bd82
diff --git a/cve/published/2021/CVE-2021-47124.sha1 b/cve/published/2021/CVE-2021-47124.sha1
new file mode 100644
index 00000000..f02051c5
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47124.sha1
@@ -0,0 +1 @@
+a298232ee6b9a1d5d732aa497ff8be0d45b5bd82
diff --git a/cve/reserved/2021/CVE-2021-47125 b/cve/published/2021/CVE-2021-47125
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47125
+++ b/cve/published/2021/CVE-2021-47125
diff --git a/cve/published/2021/CVE-2021-47125.json b/cve/published/2021/CVE-2021-47125.json
new file mode 100644
index 00000000..561e36ca
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47125.json
@@ -0,0 +1,88 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsch_htb: fix refcount leak in htb_parent_to_leaf_offload\n\nThe commit ae81feb7338c (\"sch_htb: fix null pointer dereference\non a null new_q\") fixes a NULL pointer dereference bug, but it\nis not correct.\n\nBecause htb_graft_helper properly handles the case when new_q\nis NULL, and after the previous patch by skipping this call\nwhich creates an inconsistency : dev_queue->qdisc will still\npoint to the old qdisc, but cl->parent->leaf.q will point to\nthe new one (which will be noop_qdisc, because new_q was NULL).\nThe code is based on an assumption that these two pointers are\nthe same, so it can lead to refcount leaks.\n\nThe correct fix is to add a NULL pointer check to protect\nqdisc_refcount_inc inside htb_parent_to_leaf_offload."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "ae81feb7338c",
+ "lessThan": "2411c02d0389",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "ae81feb7338c",
+ "lessThan": "944d671d5faa",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.12",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.12",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.12.10",
+ "lessThanOrEqual": "5.12.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.13",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/2411c02d03892a5057499f8102d0cc1e0f852416"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/944d671d5faa0d78980a3da5c0f04960ef1ad893"
+ }
+ ],
+ "title": "sch_htb: fix refcount leak in htb_parent_to_leaf_offload",
+ "x_generator": {
+ "engine": "bippy-8df59b4913de"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47125",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2021/CVE-2021-47125.mbox b/cve/published/2021/CVE-2021-47125.mbox
new file mode 100644
index 00000000..be0c9ed5
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47125.mbox
@@ -0,0 +1,77 @@
+From bippy-8df59b4913de Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47125: sch_htb: fix refcount leak in htb_parent_to_leaf_offload
+Message-Id: <2024031511-CVE-2021-47125-9c33@gregkh>
+Content-Length: 2270
+Lines: 60
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2331;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=lRE9FY1/aY+uI6PA6612qnHUm5vKf1dngbTwEcb71Pc=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDKlf1vg3sa2yfuXm+Xzqyw0PlrJMqp4gku7nGLyH3+j9h
+ RNGmjuZOmJZGASZGGTFFFm+bOM5ur/ikKKXoe1pmDmsTCBDGLg4BWAiUW4M8/Tjrj3vMapIfZKW
+ /XNeA9c3/zMXuBkWbDhyiOHI7Pg2zefdks/iFlcUPeZUAgA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+sch_htb: fix refcount leak in htb_parent_to_leaf_offload
+
+The commit ae81feb7338c ("sch_htb: fix null pointer dereference
+on a null new_q") fixes a NULL pointer dereference bug, but it
+is not correct.
+
+Because htb_graft_helper properly handles the case when new_q
+is NULL, and after the previous patch by skipping this call
+which creates an inconsistency : dev_queue->qdisc will still
+point to the old qdisc, but cl->parent->leaf.q will point to
+the new one (which will be noop_qdisc, because new_q was NULL).
+The code is based on an assumption that these two pointers are
+the same, so it can lead to refcount leaks.
+
+The correct fix is to add a NULL pointer check to protect
+qdisc_refcount_inc inside htb_parent_to_leaf_offload.
+
+The Linux kernel CVE team has assigned CVE-2021-47125 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.12 with commit ae81feb7338c and fixed in 5.12.10 with commit 2411c02d0389
+ Issue introduced in 5.12 with commit ae81feb7338c and fixed in 5.13 with commit 944d671d5faa
+
+Please see https://www.kernel.org or a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47125
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ net/sched/sch_htb.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/2411c02d03892a5057499f8102d0cc1e0f852416
+ https://git.kernel.org/stable/c/944d671d5faa0d78980a3da5c0f04960ef1ad893
diff --git a/cve/published/2021/CVE-2021-47125.sha1 b/cve/published/2021/CVE-2021-47125.sha1
new file mode 100644
index 00000000..32fa452c
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47125.sha1
@@ -0,0 +1 @@
+944d671d5faa0d78980a3da5c0f04960ef1ad893
diff --git a/cve/reserved/2021/CVE-2021-47126 b/cve/published/2021/CVE-2021-47126
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47126
+++ b/cve/published/2021/CVE-2021-47126
diff --git a/cve/published/2021/CVE-2021-47126.json b/cve/published/2021/CVE-2021-47126.json
new file mode 100644
index 00000000..b9baad2c
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47126.json
@@ -0,0 +1,118 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: Fix KASAN: slab-out-of-bounds Read in fib6_nh_flush_exceptions\n\nReported by syzbot:\nHEAD commit: 90c911ad Merge tag 'fixes' of git://git.kernel.org/pub/scm..\ngit tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master\ndashboard link: https://syzkaller.appspot.com/bug?extid=123aa35098fd3c000eb7\ncompiler: Debian clang version 11.0.1-2\n\n==================================================================\nBUG: KASAN: slab-out-of-bounds in fib6_nh_get_excptn_bucket net/ipv6/route.c:1604 [inline]\nBUG: KASAN: slab-out-of-bounds in fib6_nh_flush_exceptions+0xbd/0x360 net/ipv6/route.c:1732\nRead of size 8 at addr ffff8880145c78f8 by task syz-executor.4/17760\n\nCPU: 0 PID: 17760 Comm: syz-executor.4 Not tainted 5.12.0-rc8-syzkaller #0\nCall Trace:\n <IRQ>\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x202/0x31e lib/dump_stack.c:120\n print_address_description+0x5f/0x3b0 mm/kasan/report.c:232\n __kasan_report mm/kasan/report.c:399 [inline]\n kasan_report+0x15c/0x200 mm/kasan/report.c:416\n fib6_nh_get_excptn_bucket net/ipv6/route.c:1604 [inline]\n fib6_nh_flush_exceptions+0xbd/0x360 net/ipv6/route.c:1732\n fib6_nh_release+0x9a/0x430 net/ipv6/route.c:3536\n fib6_info_destroy_rcu+0xcb/0x1c0 net/ipv6/ip6_fib.c:174\n rcu_do_batch kernel/rcu/tree.c:2559 [inline]\n rcu_core+0x8f6/0x1450 kernel/rcu/tree.c:2794\n __do_softirq+0x372/0x7a6 kernel/softirq.c:345\n invoke_softirq kernel/softirq.c:221 [inline]\n __irq_exit_rcu+0x22c/0x260 kernel/softirq.c:422\n irq_exit_rcu+0x5/0x20 kernel/softirq.c:434\n sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1100\n </IRQ>\n asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:632\nRIP: 0010:lock_acquire+0x1f6/0x720 kernel/locking/lockdep.c:5515\nCode: f6 84 24 a1 00 00 00 02 0f 85 8d 02 00 00 f7 c3 00 02 00 00 49 bd 00 00 00 00 00 fc ff df 74 01 fb 48 c7 44 24 40 0e 36 e0 45 
<4b> c7 44 3d 00 00 00 00 00 4b c7 44 3d 09 00 00 00 00 43 c7 44 3d\nRSP: 0018:ffffc90009e06560 EFLAGS: 00000206\nRAX: 1ffff920013c0cc0 RBX: 0000000000000246 RCX: dffffc0000000000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: ffffc90009e066e0 R08: dffffc0000000000 R09: fffffbfff1f992b1\nR10: fffffbfff1f992b1 R11: 0000000000000000 R12: 0000000000000000\nR13: dffffc0000000000 R14: 0000000000000000 R15: 1ffff920013c0cb4\n rcu_lock_acquire+0x2a/0x30 include/linux/rcupdate.h:267\n rcu_read_lock include/linux/rcupdate.h:656 [inline]\n ext4_get_group_info+0xea/0x340 fs/ext4/ext4.h:3231\n ext4_mb_prefetch+0x123/0x5d0 fs/ext4/mballoc.c:2212\n ext4_mb_regular_allocator+0x8a5/0x28f0 fs/ext4/mballoc.c:2379\n ext4_mb_new_blocks+0xc6e/0x24f0 fs/ext4/mballoc.c:4982\n ext4_ext_map_blocks+0x2be3/0x7210 fs/ext4/extents.c:4238\n ext4_map_blocks+0xab3/0x1cb0 fs/ext4/inode.c:638\n ext4_getblk+0x187/0x6c0 fs/ext4/inode.c:848\n ext4_bread+0x2a/0x1c0 fs/ext4/inode.c:900\n ext4_append+0x1a4/0x360 fs/ext4/namei.c:67\n ext4_init_new_dir+0x337/0xa10 fs/ext4/namei.c:2768\n ext4_mkdir+0x4b8/0xc00 fs/ext4/namei.c:2814\n vfs_mkdir+0x45b/0x640 fs/namei.c:3819\n ovl_do_mkdir fs/overlayfs/overlayfs.h:161 [inline]\n ovl_mkdir_real+0x53/0x1a0 fs/overlayfs/dir.c:146\n ovl_create_real+0x280/0x490 fs/overlayfs/dir.c:193\n ovl_workdir_create+0x425/0x600 fs/overlayfs/super.c:788\n ovl_make_workdir+0xed/0x1140 fs/overlayfs/super.c:1355\n ovl_get_workdir fs/overlayfs/super.c:1492 [inline]\n ovl_fill_super+0x39ee/0x5370 fs/overlayfs/super.c:2035\n mount_nodev+0x52/0xe0 fs/super.c:1413\n legacy_get_tree+0xea/0x180 fs/fs_context.c:592\n vfs_get_tree+0x86/0x270 fs/super.c:1497\n do_new_mount fs/namespace.c:2903 [inline]\n path_mount+0x196f/0x2be0 fs/namespace.c:3233\n do_mount fs/namespace.c:3246 [inline]\n __do_sys_mount fs/namespace.c:3454 [inline]\n __se_sys_mount+0x2f9/0x3b0 fs/namespace.c:3431\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n 
entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x4665f9\nCode: ff ff c3 66 2e 0f 1f 84 \n---truncated---"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "706ec91916462",
+ "lessThan": "7ba7fa78a92d",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "706ec91916462",
+ "lessThan": "098702358274",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "706ec91916462",
+ "lessThan": "0a462e25ef0f",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "706ec91916462",
+ "lessThan": "821bbf79fe46",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.3",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.3",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.125",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.43",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.12.10",
+ "lessThanOrEqual": "5.12.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.13",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/7ba7fa78a92dc410b6f93ed73075ab669c3a0b59"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/09870235827451409ff546b073d754a19fd17e2e"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/0a462e25ef0f7ab305081a08d435bbd1f13c0a94"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/821bbf79fe46a8b1d18aa456e8ed0a3c208c3754"
+ }
+ ],
+ "title": "ipv6: Fix KASAN: slab-out-of-bounds Read in fib6_nh_flush_exceptions",
+ "x_generator": {
+ "engine": "bippy-8df59b4913de"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47126",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
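Review bot: The `descriptions[0].value` string is almost entirely a pasted syzbot KASAN report and ends in `---truncated---` before any explanation of the defect or the fix is reached. It includes the register dump, the `Code:` bytes and the ext4/overlayfs mount trace of the interrupted task. Someone triaging from this record alone learns only that there is a slab-out-of-bounds read in `fib6_nh_get_excptn_bucket`, reached from `fib6_nh_flush_exceptions` during RCU teardown. Trimming the log to the `BUG: KASAN` lines and the IRQ-context frames would leave room for the commit's explanatory text, and would make the entry usable without opening the referenced commits. The cut-off presumably comes from a length cap in the generator.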
diff --git a/cve/published/2021/CVE-2021-47126.mbox b/cve/published/2021/CVE-2021-47126.mbox
new file mode 100644
index 00000000..c5a55789
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47126.mbox
@@ -0,0 +1,245 @@
+From bippy-8df59b4913de Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47126: ipv6: Fix KASAN: slab-out-of-bounds Read in fib6_nh_flush_exceptions
+Message-Id: <2024031512-CVE-2021-47126-f717@gregkh>
+Content-Length: 11469
+Lines: 228
+X-Developer-Signature: v=1; a=openpgp-sha256; l=11698;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=HwEdqAdp+fVjhq/oyO7EBEfGGnzpbYEAgPfHdcFeKjo=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDKlf1gQwy5lMnPoy6EHMb6VD7Srr26axbZ/tZDM9+feLU
+ FeJE5+PdsSyMAgyMciKKbJ82cZzdH/FIUUvQ9vTMHNYmUCGMHBxCsBE0joYFpwMin/RazvnzjTv
+ PnHPReXq2x5dn84wTzNumsSpT6kzrHP1t3FoiS5ZH6P9GQA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+ipv6: Fix KASAN: slab-out-of-bounds Read in fib6_nh_flush_exceptions
+
+Reported by syzbot:
+HEAD commit: 90c911ad Merge tag 'fixes' of git://git.kernel.org/pub/scm..
+git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
+dashboard link: https://syzkaller.appspot.com/bug?extid=123aa35098fd3c000eb7
+compiler: Debian clang version 11.0.1-2
+
+==================================================================
+BUG: KASAN: slab-out-of-bounds in fib6_nh_get_excptn_bucket net/ipv6/route.c:1604 [inline]
+BUG: KASAN: slab-out-of-bounds in fib6_nh_flush_exceptions+0xbd/0x360 net/ipv6/route.c:1732
+Read of size 8 at addr ffff8880145c78f8 by task syz-executor.4/17760
+
+CPU: 0 PID: 17760 Comm: syz-executor.4 Not tainted 5.12.0-rc8-syzkaller #0
+Call Trace:
+ <IRQ>
+ __dump_stack lib/dump_stack.c:79 [inline]
+ dump_stack+0x202/0x31e lib/dump_stack.c:120
+ print_address_description+0x5f/0x3b0 mm/kasan/report.c:232
+ __kasan_report mm/kasan/report.c:399 [inline]
+ kasan_report+0x15c/0x200 mm/kasan/report.c:416
+ fib6_nh_get_excptn_bucket net/ipv6/route.c:1604 [inline]
+ fib6_nh_flush_exceptions+0xbd/0x360 net/ipv6/route.c:1732
+ fib6_nh_release+0x9a/0x430 net/ipv6/route.c:3536
+ fib6_info_destroy_rcu+0xcb/0x1c0 net/ipv6/ip6_fib.c:174
+ rcu_do_batch kernel/rcu/tree.c:2559 [inline]
+ rcu_core+0x8f6/0x1450 kernel/rcu/tree.c:2794
+ __do_softirq+0x372/0x7a6 kernel/softirq.c:345
+ invoke_softirq kernel/softirq.c:221 [inline]
+ __irq_exit_rcu+0x22c/0x260 kernel/softirq.c:422
+ irq_exit_rcu+0x5/0x20 kernel/softirq.c:434
+ sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1100
+ </IRQ>
+ asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:632
+RIP: 0010:lock_acquire+0x1f6/0x720 kernel/locking/lockdep.c:5515
+Code: f6 84 24 a1 00 00 00 02 0f 85 8d 02 00 00 f7 c3 00 02 00 00 49 bd 00 00 00 00 00 fc ff df 74 01 fb 48 c7 44 24 40 0e 36 e0 45 <4b> c7 44 3d 00 00 00 00 00 4b c7 44 3d 09 00 00 00 00 43 c7 44 3d
+RSP: 0018:ffffc90009e06560 EFLAGS: 00000206
+RAX: 1ffff920013c0cc0 RBX: 0000000000000246 RCX: dffffc0000000000
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
+RBP: ffffc90009e066e0 R08: dffffc0000000000 R09: fffffbfff1f992b1
+R10: fffffbfff1f992b1 R11: 0000000000000000 R12: 0000000000000000
+R13: dffffc0000000000 R14: 0000000000000000 R15: 1ffff920013c0cb4
+ rcu_lock_acquire+0x2a/0x30 include/linux/rcupdate.h:267
+ rcu_read_lock include/linux/rcupdate.h:656 [inline]
+ ext4_get_group_info+0xea/0x340 fs/ext4/ext4.h:3231
+ ext4_mb_prefetch+0x123/0x5d0 fs/ext4/mballoc.c:2212
+ ext4_mb_regular_allocator+0x8a5/0x28f0 fs/ext4/mballoc.c:2379
+ ext4_mb_new_blocks+0xc6e/0x24f0 fs/ext4/mballoc.c:4982
+ ext4_ext_map_blocks+0x2be3/0x7210 fs/ext4/extents.c:4238
+ ext4_map_blocks+0xab3/0x1cb0 fs/ext4/inode.c:638
+ ext4_getblk+0x187/0x6c0 fs/ext4/inode.c:848
+ ext4_bread+0x2a/0x1c0 fs/ext4/inode.c:900
+ ext4_append+0x1a4/0x360 fs/ext4/namei.c:67
+ ext4_init_new_dir+0x337/0xa10 fs/ext4/namei.c:2768
+ ext4_mkdir+0x4b8/0xc00 fs/ext4/namei.c:2814
+ vfs_mkdir+0x45b/0x640 fs/namei.c:3819
+ ovl_do_mkdir fs/overlayfs/overlayfs.h:161 [inline]
+ ovl_mkdir_real+0x53/0x1a0 fs/overlayfs/dir.c:146
+ ovl_create_real+0x280/0x490 fs/overlayfs/dir.c:193
+ ovl_workdir_create+0x425/0x600 fs/overlayfs/super.c:788
+ ovl_make_workdir+0xed/0x1140 fs/overlayfs/super.c:1355
+ ovl_get_workdir fs/overlayfs/super.c:1492 [inline]
+ ovl_fill_super+0x39ee/0x5370 fs/overlayfs/super.c:2035
+ mount_nodev+0x52/0xe0 fs/super.c:1413
+ legacy_get_tree+0xea/0x180 fs/fs_context.c:592
+ vfs_get_tree+0x86/0x270 fs/super.c:1497
+ do_new_mount fs/namespace.c:2903 [inline]
+ path_mount+0x196f/0x2be0 fs/namespace.c:3233
+ do_mount fs/namespace.c:3246 [inline]
+ __do_sys_mount fs/namespace.c:3454 [inline]
+ __se_sys_mount+0x2f9/0x3b0 fs/namespace.c:3431
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+RIP: 0033:0x4665f9
+Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f68f2b87188 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
+RAX: ffffffffffffffda RBX: 000000000056bf60 RCX: 00000000004665f9
+RDX: 00000000200000c0 RSI: 0000000020000000 RDI: 000000000040000a
+RBP: 00000000004bfbb9 R08: 0000000020000100 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf60
+R13: 00007ffe19002dff R14: 00007f68f2b87300 R15: 0000000000022000
+
+Allocated by task 17768:
+ kasan_save_stack mm/kasan/common.c:38 [inline]
+ kasan_set_track mm/kasan/common.c:46 [inline]
+ set_alloc_info mm/kasan/common.c:427 [inline]
+ ____kasan_kmalloc+0xc2/0xf0 mm/kasan/common.c:506
+ kasan_kmalloc include/linux/kasan.h:233 [inline]
+ __kmalloc+0xb4/0x380 mm/slub.c:4055
+ kmalloc include/linux/slab.h:559 [inline]
+ kzalloc include/linux/slab.h:684 [inline]
+ fib6_info_alloc+0x2c/0xd0 net/ipv6/ip6_fib.c:154
+ ip6_route_info_create+0x55d/0x1a10 net/ipv6/route.c:3638
+ ip6_route_add+0x22/0x120 net/ipv6/route.c:3728
+ inet6_rtm_newroute+0x2cd/0x2260 net/ipv6/route.c:5352
+ rtnetlink_rcv_msg+0xb34/0xe70 net/core/rtnetlink.c:5553
+ netlink_rcv_skb+0x1f0/0x460 net/netlink/af_netlink.c:2502
+ netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
+ netlink_unicast+0x7de/0x9b0 net/netlink/af_netlink.c:1338
+ netlink_sendmsg+0xaa6/0xe90 net/netlink/af_netlink.c:1927
+ sock_sendmsg_nosec net/socket.c:654 [inline]
+ sock_sendmsg net/socket.c:674 [inline]
+ ____sys_sendmsg+0x5a2/0x900 net/socket.c:2350
+ ___sys_sendmsg net/socket.c:2404 [inline]
+ __sys_sendmsg+0x319/0x400 net/socket.c:2433
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Last potentially related work creation:
+ kasan_save_stack+0x27/0x50 mm/kasan/common.c:38
+ kasan_record_aux_stack+0xee/0x120 mm/kasan/generic.c:345
+ __call_rcu kernel/rcu/tree.c:3039 [inline]
+ call_rcu+0x1b1/0xa30 kernel/rcu/tree.c:3114
+ fib6_info_release include/net/ip6_fib.h:337 [inline]
+ ip6_route_info_create+0x10c4/0x1a10 net/ipv6/route.c:3718
+ ip6_route_add+0x22/0x120 net/ipv6/route.c:3728
+ inet6_rtm_newroute+0x2cd/0x2260 net/ipv6/route.c:5352
+ rtnetlink_rcv_msg+0xb34/0xe70 net/core/rtnetlink.c:5553
+ netlink_rcv_skb+0x1f0/0x460 net/netlink/af_netlink.c:2502
+ netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
+ netlink_unicast+0x7de/0x9b0 net/netlink/af_netlink.c:1338
+ netlink_sendmsg+0xaa6/0xe90 net/netlink/af_netlink.c:1927
+ sock_sendmsg_nosec net/socket.c:654 [inline]
+ sock_sendmsg net/socket.c:674 [inline]
+ ____sys_sendmsg+0x5a2/0x900 net/socket.c:2350
+ ___sys_sendmsg net/socket.c:2404 [inline]
+ __sys_sendmsg+0x319/0x400 net/socket.c:2433
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Second to last potentially related work creation:
+ kasan_save_stack+0x27/0x50 mm/kasan/common.c:38
+ kasan_record_aux_stack+0xee/0x120 mm/kasan/generic.c:345
+ insert_work+0x54/0x400 kernel/workqueue.c:1331
+ __queue_work+0x981/0xcc0 kernel/workqueue.c:1497
+ queue_work_on+0x111/0x200 kernel/workqueue.c:1524
+ queue_work include/linux/workqueue.h:507 [inline]
+ call_usermodehelper_exec+0x283/0x470 kernel/umh.c:433
+ kobject_uevent_env+0x1349/0x1730 lib/kobject_uevent.c:617
+ kvm_uevent_notify_change+0x309/0x3b0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:4809
+ kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:877 [inline]
+ kvm_put_kvm+0x9c/0xd10 arch/x86/kvm/../../../virt/kvm/kvm_main.c:920
+ kvm_vcpu_release+0x53/0x60 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3120
+ __fput+0x352/0x7b0 fs/file_table.c:280
+ task_work_run+0x146/0x1c0 kernel/task_work.c:140
+ tracehook_notify_resume include/linux/tracehook.h:189 [inline]
+ exit_to_user_mode_loop kernel/entry/common.c:174 [inline]
+ exit_to_user_mode_prepare+0x10b/0x1e0 kernel/entry/common.c:208
+ __syscall_exit_to_user_mode_work kernel/entry/common.c:290 [inline]
+ syscall_exit_to_user_mode+0x26/0x70 kernel/entry/common.c:301
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+The buggy address belongs to the object at ffff8880145c7800
+ which belongs to the cache kmalloc-192 of size 192
+The buggy address is located 56 bytes to the right of
+ 192-byte region [ffff8880145c7800, ffff8880145c78c0)
+The buggy address belongs to the page:
+page:ffffea00005171c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x145c7
+flags: 0xfff00000000200(slab)
+raw: 00fff00000000200 ffffea00006474c0 0000000200000002 ffff888010c41a00
+raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff8880145c7780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+ ffff8880145c7800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+>ffff8880145c7880: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
+ ^
+ ffff8880145c7900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff8880145c7980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+==================================================================
+
+In the ip6_route_info_create function, in the case that the nh pointer
+is not NULL, the fib6_nh in fib6_info has not been allocated.
+Therefore, when trying to free fib6_info in this error case using
+fib6_info_release, the function will call fib6_info_destroy_rcu,
+which it will access fib6_nh_release(f6i->fib6_nh);
+However, f6i->fib6_nh doesn't have any refcount yet given the lack of allocation
+causing the reported memory issue above.
+Therefore, releasing the empty pointer directly instead would be the solution.
+
+The Linux kernel CVE team has assigned CVE-2021-47126 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.3 with commit 706ec91916462 and fixed in 5.4.125 with commit 7ba7fa78a92d
+ Issue introduced in 5.3 with commit 706ec91916462 and fixed in 5.10.43 with commit 098702358274
+ Issue introduced in 5.3 with commit 706ec91916462 and fixed in 5.12.10 with commit 0a462e25ef0f
+ Issue introduced in 5.3 with commit 706ec91916462 and fixed in 5.13 with commit 821bbf79fe46
+
+Please see https://www.kernel.org or a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47126
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ net/ipv6/route.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/7ba7fa78a92dc410b6f93ed73075ab669c3a0b59
+ https://git.kernel.org/stable/c/09870235827451409ff546b073d754a19fd17e2e
+ https://git.kernel.org/stable/c/0a462e25ef0f7ab305081a08d435bbd1f13c0a94
+ https://git.kernel.org/stable/c/821bbf79fe46a8b1d18aa456e8ed0a3c208c3754
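Review bot: The footer line `Please see https://www.kernel.org or a full list of currently supported` has `or` where `for` is meant. The same line appears in the CVE-2021-47127 announcement later in this patch, so it most likely comes from the generator's template rather than from this record. The message carries an `X-Developer-Signature` header with a body hash, so editing the published .mbox by hand would presumably invalidate that signature. The fix belongs in the template, `Please see https://www.kernel.org for a full list of currently supported`, followed by regenerating the announcements.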
diff --git a/cve/published/2021/CVE-2021-47126.sha1 b/cve/published/2021/CVE-2021-47126.sha1
new file mode 100644
index 00000000..b36ba015
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47126.sha1
@@ -0,0 +1 @@
+821bbf79fe46a8b1d18aa456e8ed0a3c208c3754
diff --git a/cve/reserved/2021/CVE-2021-47127 b/cve/published/2021/CVE-2021-47127
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47127
+++ b/cve/published/2021/CVE-2021-47127
diff --git a/cve/published/2021/CVE-2021-47127.json b/cve/published/2021/CVE-2021-47127.json
new file mode 100644
index 00000000..139c94ac
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47127.json
@@ -0,0 +1,88 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: track AF_XDP ZC enabled queues in bitmap\n\nCommit c7a219048e45 (\"ice: Remove xsk_buff_pool from VSI structure\")\nsilently introduced a regression and broke the Tx side of AF_XDP in copy\nmode. xsk_pool on ice_ring is set only based on the existence of the XDP\nprog on the VSI which in turn picks ice_clean_tx_irq_zc to be executed.\nThat is not something that should happen for copy mode as it should use\nthe regular data path ice_clean_tx_irq.\n\nThis results in a following splat when xdpsock is run in txonly or l2fwd\nscenarios in copy mode:\n\n<snip>\n[ 106.050195] BUG: kernel NULL pointer dereference, address: 0000000000000030\n[ 106.057269] #PF: supervisor read access in kernel mode\n[ 106.062493] #PF: error_code(0x0000) - not-present page\n[ 106.067709] PGD 0 P4D 0\n[ 106.070293] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[ 106.074721] CPU: 61 PID: 0 Comm: swapper/61 Not tainted 5.12.0-rc2+ #45\n[ 106.081436] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019\n[ 106.092027] RIP: 0010:xp_raw_get_dma+0x36/0x50\n[ 106.096551] Code: 74 14 48 b8 ff ff ff ff ff ff 00 00 48 21 f0 48 c1 ee 30 48 01 c6 48 8b 87 90 00 00 00 48 89 f2 81 e6 ff 0f 00 00 48 c1 ea 0c <48> 8b 04 d0 48 83 e0 fe 48 01 f0 c3 66 66 2e 0f 1f 84 00 00 00 00\n[ 106.115588] RSP: 0018:ffffc9000d694e50 EFLAGS: 00010206\n[ 106.120893] RAX: 0000000000000000 RBX: ffff88984b8c8a00 RCX: ffff889852581800\n[ 106.128137] RDX: 0000000000000006 RSI: 0000000000000000 RDI: ffff88984cd8b800\n[ 106.135383] RBP: ffff888123b50001 R08: ffff889896800000 R09: 0000000000000800\n[ 106.142628] R10: 0000000000000000 R11: ffffffff826060c0 R12: 00000000000000ff\n[ 106.149872] R13: 0000000000000000 R14: 0000000000000040 R15: ffff888123b50018\n[ 106.157117] FS: 0000000000000000(0000) GS:ffff8897e0f40000(0000) knlGS:0000000000000000\n[ 106.165332] CS: 0010 DS: 0000 ES: 0000 CR0: 
0000000080050033\n[ 106.171163] CR2: 0000000000000030 CR3: 000000000560a004 CR4: 00000000007706e0\n[ 106.178408] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 106.185653] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 106.192898] PKRU: 55555554\n[ 106.195653] Call Trace:\n[ 106.198143] <IRQ>\n[ 106.200196] ice_clean_tx_irq_zc+0x183/0x2a0 [ice]\n[ 106.205087] ice_napi_poll+0x3e/0x590 [ice]\n[ 106.209356] __napi_poll+0x2a/0x160\n[ 106.212911] net_rx_action+0xd6/0x200\n[ 106.216634] __do_softirq+0xbf/0x29b\n[ 106.220274] irq_exit_rcu+0x88/0xc0\n[ 106.223819] common_interrupt+0x7b/0xa0\n[ 106.227719] </IRQ>\n[ 106.229857] asm_common_interrupt+0x1e/0x40\n</snip>\n\nFix this by introducing the bitmap of queues that are zero-copy enabled,\nwhere each bit, corresponding to a queue id that xsk pool is being\nconfigured on, will be set/cleared within ice_xsk_pool_{en,dis}able and\nchecked within ice_xsk_pool(). The latter is a function used for\ndeciding which napi poll routine is executed.\nIdea is being taken from our other drivers such as i40e and ixgbe."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "c7a219048e45",
+ "lessThan": "1d34fa4fcf06",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "c7a219048e45",
+ "lessThan": "e102db780e1c",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.12",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.12",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.12.10",
+ "lessThanOrEqual": "5.12.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.13",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/1d34fa4fcf06649036ba0c97854fcf7a741ee18c"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/e102db780e1c14f10c70dafa7684af22a745b51d"
+ }
+ ],
+ "title": "ice: track AF_XDP ZC enabled queues in bitmap",
+ "x_generator": {
+ "engine": "bippy-8df59b4913de"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47127",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2021/CVE-2021-47127.mbox b/cve/published/2021/CVE-2021-47127.mbox
new file mode 100644
index 00000000..3974d07e
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47127.mbox
@@ -0,0 +1,116 @@
+From bippy-8df59b4913de Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47127: ice: track AF_XDP ZC enabled queues in bitmap
+Message-Id: <2024031512-CVE-2021-47127-d0d6@gregkh>
+Content-Length: 4638
+Lines: 99
+X-Developer-Signature: v=1; a=openpgp-sha256; l=4738;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=72RFDLA4mlZ1dMOC+iz7tp0UnVp2Q+LMI3vPnLxqVHo=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDKlf1gTonT6tamIT4a83+6T/gcnT6+3T3yxW8z5kJaN49
+ t25Fu/dHbEsDIJMDLJiiixftvEc3V9xSNHL0PY0zBxWJpAhDFycAjARAWeGBROfOdiLVCb+fNLi
+ +vaVh0FdxKHlqgxzhe79C3LPfvBggVFs0P8bXRf/PHq1HwA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+ice: track AF_XDP ZC enabled queues in bitmap
+
+Commit c7a219048e45 ("ice: Remove xsk_buff_pool from VSI structure")
+silently introduced a regression and broke the Tx side of AF_XDP in copy
+mode. xsk_pool on ice_ring is set only based on the existence of the XDP
+prog on the VSI which in turn picks ice_clean_tx_irq_zc to be executed.
+That is not something that should happen for copy mode as it should use
+the regular data path ice_clean_tx_irq.
+
+This results in a following splat when xdpsock is run in txonly or l2fwd
+scenarios in copy mode:
+
+<snip>
+[ 106.050195] BUG: kernel NULL pointer dereference, address: 0000000000000030
+[ 106.057269] #PF: supervisor read access in kernel mode
+[ 106.062493] #PF: error_code(0x0000) - not-present page
+[ 106.067709] PGD 0 P4D 0
+[ 106.070293] Oops: 0000 [#1] PREEMPT SMP NOPTI
+[ 106.074721] CPU: 61 PID: 0 Comm: swapper/61 Not tainted 5.12.0-rc2+ #45
+[ 106.081436] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019
+[ 106.092027] RIP: 0010:xp_raw_get_dma+0x36/0x50
+[ 106.096551] Code: 74 14 48 b8 ff ff ff ff ff ff 00 00 48 21 f0 48 c1 ee 30 48 01 c6 48 8b 87 90 00 00 00 48 89 f2 81 e6 ff 0f 00 00 48 c1 ea 0c <48> 8b 04 d0 48 83 e0 fe 48 01 f0 c3 66 66 2e 0f 1f 84 00 00 00 00
+[ 106.115588] RSP: 0018:ffffc9000d694e50 EFLAGS: 00010206
+[ 106.120893] RAX: 0000000000000000 RBX: ffff88984b8c8a00 RCX: ffff889852581800
+[ 106.128137] RDX: 0000000000000006 RSI: 0000000000000000 RDI: ffff88984cd8b800
+[ 106.135383] RBP: ffff888123b50001 R08: ffff889896800000 R09: 0000000000000800
+[ 106.142628] R10: 0000000000000000 R11: ffffffff826060c0 R12: 00000000000000ff
+[ 106.149872] R13: 0000000000000000 R14: 0000000000000040 R15: ffff888123b50018
+[ 106.157117] FS: 0000000000000000(0000) GS:ffff8897e0f40000(0000) knlGS:0000000000000000
+[ 106.165332] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 106.171163] CR2: 0000000000000030 CR3: 000000000560a004 CR4: 00000000007706e0
+[ 106.178408] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 106.185653] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 106.192898] PKRU: 55555554
+[ 106.195653] Call Trace:
+[ 106.198143] <IRQ>
+[ 106.200196] ice_clean_tx_irq_zc+0x183/0x2a0 [ice]
+[ 106.205087] ice_napi_poll+0x3e/0x590 [ice]
+[ 106.209356] __napi_poll+0x2a/0x160
+[ 106.212911] net_rx_action+0xd6/0x200
+[ 106.216634] __do_softirq+0xbf/0x29b
+[ 106.220274] irq_exit_rcu+0x88/0xc0
+[ 106.223819] common_interrupt+0x7b/0xa0
+[ 106.227719] </IRQ>
+[ 106.229857] asm_common_interrupt+0x1e/0x40
+</snip>
+
+Fix this by introducing the bitmap of queues that are zero-copy enabled,
+where each bit, corresponding to a queue id that xsk pool is being
+configured on, will be set/cleared within ice_xsk_pool_{en,dis}able and
+checked within ice_xsk_pool(). The latter is a function used for
+deciding which napi poll routine is executed.
+Idea is being taken from our other drivers such as i40e and ixgbe.
+
+The Linux kernel CVE team has assigned CVE-2021-47127 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.12 with commit c7a219048e45 and fixed in 5.12.10 with commit 1d34fa4fcf06
+ Issue introduced in 5.12 with commit c7a219048e45 and fixed in 5.13 with commit e102db780e1c
+
+Please see https://www.kernel.org or a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47127
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/net/ethernet/intel/ice/ice.h
+ drivers/net/ethernet/intel/ice/ice_lib.c
+ drivers/net/ethernet/intel/ice/ice_xsk.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/1d34fa4fcf06649036ba0c97854fcf7a741ee18c
+ https://git.kernel.org/stable/c/e102db780e1c14f10c70dafa7684af22a745b51d
diff --git a/cve/published/2021/CVE-2021-47127.sha1 b/cve/published/2021/CVE-2021-47127.sha1
new file mode 100644
index 00000000..e489e440
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47127.sha1
@@ -0,0 +1 @@
+e102db780e1c14f10c70dafa7684af22a745b51d
diff --git a/cve/reserved/2021/CVE-2021-47128 b/cve/published/2021/CVE-2021-47128
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47128
+++ b/cve/published/2021/CVE-2021-47128
diff --git a/cve/published/2021/CVE-2021-47128.json b/cve/published/2021/CVE-2021-47128.json
new file mode 100644
index 00000000..1214dd3c
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47128.json
@@ -0,0 +1,103 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, lockdown, audit: Fix buggy SELinux lockdown permission checks\n\nCommit 59438b46471a (\"security,lockdown,selinux: implement SELinux lockdown\")\nadded an implementation of the locked_down LSM hook to SELinux, with the aim\nto restrict which domains are allowed to perform operations that would breach\nlockdown. This is indirectly also getting audit subsystem involved to report\nevents. The latter is problematic, as reported by Ondrej and Serhei, since it\ncan bring down the whole system via audit:\n\n 1) The audit events that are triggered due to calls to security_locked_down()\n can OOM kill a machine, see below details [0].\n\n 2) It also seems to be causing a deadlock via avc_has_perm()/slow_avc_audit()\n when trying to wake up kauditd, for example, when using trace_sched_switch()\n tracepoint, see details in [1]. Triggering this was not via some hypothetical\n corner case, but with existing tools like runqlat & runqslower from bcc, for\n example, which make use of this tracepoint. Rough call sequence goes like:\n\n rq_lock(rq) -> -------------------------+\n trace_sched_switch() -> |\n bpf_prog_xyz() -> +-> deadlock\n selinux_lockdown() -> |\n audit_log_end() -> |\n wake_up_interruptible() -> |\n try_to_wake_up() -> |\n rq_lock(rq) --------------+\n\nWhat's worse is that the intention of 59438b46471a to further restrict lockdown\nsettings for specific applications in respect to the global lockdown policy is\ncompletely broken for BPF. The SELinux policy rule for the current lockdown check\nlooks something like this:\n\n allow <who> <who> : lockdown { <reason> };\n\nHowever, this doesn't match with the 'current' task where the security_locked_down()\nis executed, example: httpd does a syscall. There is a tracing program attached\nto the syscall which triggers a BPF program to run, which ends up doing a\nbpf_probe_read_kernel{,_str}() helper call. 
The selinux_lockdown() hook does\nthe permission check against 'current', that is, httpd in this example. httpd\nhas literally zero relation to this tracing program, and it would be nonsensical\nhaving to write an SELinux policy rule against httpd to let the tracing helper\npass. The policy in this case needs to be against the entity that is installing\nthe BPF program. For example, if bpftrace would generate a histogram of syscall\ncounts by user space application:\n\n bpftrace -e 'tracepoint:raw_syscalls:sys_enter { @[comm] = count(); }'\n\nbpftrace would then go and generate a BPF program from this internally. One way\nof doing it [for the sake of the example] could be to call bpf_get_current_task()\nhelper and then access current->comm via one of bpf_probe_read_kernel{,_str}()\nhelpers. So the program itself has nothing to do with httpd or any other random\napp doing a syscall here. The BPF program _explicitly initiated_ the lockdown\ncheck. The allow/deny policy belongs in the context of bpftrace: meaning, you\nwant to grant bpftrace access to use these helpers, but other tracers on the\nsystem like my_random_tracer _not_.\n\nTherefore fix all three issues at the same time by taking a completely different\napproach for the security_locked_down() hook, that is, move the check into the\nprogram verification phase where we actually retrieve the BPF func proto. This\nalso reliably gets the task (current) that is trying to install the BPF tracing\nprogram, e.g. bpftrace/bcc/perf/systemtap/etc, and it also fixes the OOM since\nwe're moving this out of the BPF helper's fast-path which can be called several\nmillions of times per second.\n\nThe check is then also in line with other security_locked_down() hooks in the\nsystem where the enforcement is performed at open/load time, for example,\nopen_kcore() for /proc/kcore access or module_sig_check() for module signatures\njust to pick f\n---truncated---"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "59438b46471a",
+ "lessThan": "ff5039ec75c8",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "59438b46471a",
+ "lessThan": "acc43fc6cf0d",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "59438b46471a",
+ "lessThan": "ff40e51043af",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.6",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.6",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.43",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.12.10",
+ "lessThanOrEqual": "5.12.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.13",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/ff5039ec75c83d2ed5b781dc7733420ee8c985fc"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/acc43fc6cf0d50612193813c5906a1ab9d433e1e"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/ff40e51043af63715ab413995ff46996ecf9583f"
+ }
+ ],
+ "title": "bpf, lockdown, audit: Fix buggy SELinux lockdown permission checks",
+ "x_generator": {
+ "engine": "bippy-8df59b4913de"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47128",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
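Review bot: The description value ends mid-word at `just to pick f\n---truncated---`, so the details the text points to as `[0]` (the OOM case) and `[1]` (the deadlock) are not in the record. The `references` array lists only the three fix commits, so someone triaging this entry from the JSON alone cannot follow those pointers. If a length limit forces the cut (this hunk does not show the cause), it would read better ending at a paragraph boundary, e.g. `...millions of times per second.\n\n---truncated---`. The commit URLs in `references` then remain the place to read the full message.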
diff --git a/cve/published/2021/CVE-2021-47128.mbox b/cve/published/2021/CVE-2021-47128.mbox
new file mode 100644
index 00000000..d4685ba7
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47128.mbox
@@ -0,0 +1,210 @@
+From bippy-8df59b4913de Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47128: bpf, lockdown, audit: Fix buggy SELinux lockdown permission checks
+Message-Id: <2024031512-CVE-2021-47128-bef7@gregkh>
+Content-Length: 10017
+Lines: 193
+X-Developer-Signature: v=1; a=openpgp-sha256; l=10211;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=mbXLrkQrqSVUsMXrMuRA0u/MxjY9DterNR4RqBJiMDY=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDKlf1gSytJ6s+LBeZCO7vMF53l2TGaI3np+8V08tQ3a99
+ glL1yfLOmJZGASZGGTFFFm+bOM5ur/ikKKXoe1pmDmsTCBDGLg4BeAiPxnmZx/4eZfpbGH7et1J
+ ++Mer1nbXyL/kmEOZ+lerqDckhdzGxxL4vsunfD6WFcPAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+bpf, lockdown, audit: Fix buggy SELinux lockdown permission checks
+
+Commit 59438b46471a ("security,lockdown,selinux: implement SELinux lockdown")
+added an implementation of the locked_down LSM hook to SELinux, with the aim
+to restrict which domains are allowed to perform operations that would breach
+lockdown. This is indirectly also getting audit subsystem involved to report
+events. The latter is problematic, as reported by Ondrej and Serhei, since it
+can bring down the whole system via audit:
+
+ 1) The audit events that are triggered due to calls to security_locked_down()
+ can OOM kill a machine, see below details [0].
+
+ 2) It also seems to be causing a deadlock via avc_has_perm()/slow_avc_audit()
+ when trying to wake up kauditd, for example, when using trace_sched_switch()
+ tracepoint, see details in [1]. Triggering this was not via some hypothetical
+ corner case, but with existing tools like runqlat & runqslower from bcc, for
+ example, which make use of this tracepoint. Rough call sequence goes like:
+
+ rq_lock(rq) -> -------------------------+
+ trace_sched_switch() -> |
+ bpf_prog_xyz() -> +-> deadlock
+ selinux_lockdown() -> |
+ audit_log_end() -> |
+ wake_up_interruptible() -> |
+ try_to_wake_up() -> |
+ rq_lock(rq) --------------+
+
+What's worse is that the intention of 59438b46471a to further restrict lockdown
+settings for specific applications in respect to the global lockdown policy is
+completely broken for BPF. The SELinux policy rule for the current lockdown check
+looks something like this:
+
+ allow <who> <who> : lockdown { <reason> };
+
+However, this doesn't match with the 'current' task where the security_locked_down()
+is executed, example: httpd does a syscall. There is a tracing program attached
+to the syscall which triggers a BPF program to run, which ends up doing a
+bpf_probe_read_kernel{,_str}() helper call. The selinux_lockdown() hook does
+the permission check against 'current', that is, httpd in this example. httpd
+has literally zero relation to this tracing program, and it would be nonsensical
+having to write an SELinux policy rule against httpd to let the tracing helper
+pass. The policy in this case needs to be against the entity that is installing
+the BPF program. For example, if bpftrace would generate a histogram of syscall
+counts by user space application:
+
+ bpftrace -e 'tracepoint:raw_syscalls:sys_enter { @[comm] = count(); }'
+
+bpftrace would then go and generate a BPF program from this internally. One way
+of doing it [for the sake of the example] could be to call bpf_get_current_task()
+helper and then access current->comm via one of bpf_probe_read_kernel{,_str}()
+helpers. So the program itself has nothing to do with httpd or any other random
+app doing a syscall here. The BPF program _explicitly initiated_ the lockdown
+check. The allow/deny policy belongs in the context of bpftrace: meaning, you
+want to grant bpftrace access to use these helpers, but other tracers on the
+system like my_random_tracer _not_.
+
+Therefore fix all three issues at the same time by taking a completely different
+approach for the security_locked_down() hook, that is, move the check into the
+program verification phase where we actually retrieve the BPF func proto. This
+also reliably gets the task (current) that is trying to install the BPF tracing
+program, e.g. bpftrace/bcc/perf/systemtap/etc, and it also fixes the OOM since
+we're moving this out of the BPF helper's fast-path which can be called several
+millions of times per second.
+
+The check is then also in line with other security_locked_down() hooks in the
+system where the enforcement is performed at open/load time, for example,
+open_kcore() for /proc/kcore access or module_sig_check() for module signatures
+just to pick few random ones. What's out of scope in the fix as well as in
+other security_locked_down() hook locations /outside/ of BPF subsystem is that
+if the lockdown policy changes on the fly there is no retrospective action.
+This requires a different discussion, potentially complex infrastructure, and
+it's also not clear whether this can be solved generically. Either way, it is
+out of scope for a suitable stable fix which this one is targeting. Note that
+the breakage is specifically on 59438b46471a where it started to rely on 'current'
+as UAPI behavior, and _not_ earlier infrastructure such as 9d1f8be5cf42 ("bpf:
+Restrict bpf when kernel lockdown is in confidentiality mode").
+
+[0] https://bugzilla.redhat.com/show_bug.cgi?id=1955585, Jakub Hrozek says:
+
+ I starting seeing this with F-34. When I run a container that is traced with
+ BPF to record the syscalls it is doing, auditd is flooded with messages like:
+
+ type=AVC msg=audit(1619784520.593:282387): avc: denied { confidentiality }
+ for pid=476 comm="auditd" lockdown_reason="use of bpf to read kernel RAM"
+ scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:system_r:auditd_t:s0
+ tclass=lockdown permissive=0
+
+ This seems to be leading to auditd running out of space in the backlog buffer
+ and eventually OOMs the machine.
+
+ [...]
+ auditd running at 99% CPU presumably processing all the messages, eventually I get:
+ Apr 30 12:20:42 fedora kernel: audit: backlog limit exceeded
+ Apr 30 12:20:42 fedora kernel: audit: backlog limit exceeded
+ Apr 30 12:20:42 fedora kernel: audit: audit_backlog=2152579 > audit_backlog_limit=64
+ Apr 30 12:20:42 fedora kernel: audit: audit_backlog=2152626 > audit_backlog_limit=64
+ Apr 30 12:20:42 fedora kernel: audit: audit_backlog=2152694 > audit_backlog_limit=64
+ Apr 30 12:20:42 fedora kernel: audit: audit_lost=6878426 audit_rate_limit=0 audit_backlog_limit=64
+ Apr 30 12:20:45 fedora kernel: oci-seccomp-bpf invoked oom-killer: gfp_mask=0x100cca(GFP_HIGHUSER_MOVABLE), order=0, oom_score_adj=-1000
+ Apr 30 12:20:45 fedora kernel: CPU: 0 PID: 13284 Comm: oci-seccomp-bpf Not tainted 5.11.12-300.fc34.x86_64 #1
+ Apr 30 12:20:45 fedora kernel: Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-2.fc32 04/01/2014
+ [...]
+
+[1] https://lore.kernel.org/linux-audit/CANYvDQN7H5tVp47fbYcRasv4XF07eUbsDwT_eDCHXJUj43J7jQ@mail.gmail.com/,
+ Serhei Makarov says:
+
+ Upstream kernel 5.11.0-rc7 and later was found to deadlock during a
+ bpf_probe_read_compat() call within a sched_switch tracepoint. The problem
+ is reproducible with the reg_alloc3 testcase from SystemTap's BPF backend
+ testsuite on x86_64 as well as the runqlat, runqslower tools from bcc on
+ ppc64le. Example stack trace:
+
+ [...]
+ [ 730.868702] stack backtrace:
+ [ 730.869590] CPU: 1 PID: 701 Comm: in:imjournal Not tainted, 5.12.0-0.rc2.20210309git144c79ef3353.166.fc35.x86_64 #1
+ [ 730.871605] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-2.fc32 04/01/2014
+ [ 730.873278] Call Trace:
+ [ 730.873770] dump_stack+0x7f/0xa1
+ [ 730.874433] check_noncircular+0xdf/0x100
+ [ 730.875232] __lock_acquire+0x1202/0x1e10
+ [ 730.876031] ? __lock_acquire+0xfc0/0x1e10
+ [ 730.876844] lock_acquire+0xc2/0x3a0
+ [ 730.877551] ? __wake_up_common_lock+0x52/0x90
+ [ 730.878434] ? lock_acquire+0xc2/0x3a0
+ [ 730.879186] ? lock_is_held_type+0xa7/0x120
+ [ 730.880044] ? skb_queue_tail+0x1b/0x50
+ [ 730.880800] _raw_spin_lock_irqsave+0x4d/0x90
+ [ 730.881656] ? __wake_up_common_lock+0x52/0x90
+ [ 730.882532] __wake_up_common_lock+0x52/0x90
+ [ 730.883375] audit_log_end+0x5b/0x100
+ [ 730.884104] slow_avc_audit+0x69/0x90
+ [ 730.884836] avc_has_perm+0x8b/0xb0
+ [ 730.885532] selinux_lockdown+0xa5/0xd0
+ [ 730.886297] security_locked_down+0x20/0x40
+ [ 730.887133] bpf_probe_read_compat+0x66/0xd0
+ [ 730.887983] bpf_prog_250599c5469ac7b5+0x10f/0x820
+ [ 730.888917] trace_call_bpf+0xe9/0x240
+ [ 730.889672] perf_trace_run_bpf_submit+0x4d/0xc0
+ [ 730.890579] perf_trace_sched_switch+0x142/0x180
+ [ 730.891485] ? __schedule+0x6d8/0xb20
+ [ 730.892209] __schedule+0x6d8/0xb20
+ [ 730.892899] schedule+0x5b/0xc0
+ [ 730.893522] exit_to_user_mode_prepare+0x11d/0x240
+ [ 730.894457] syscall_exit_to_user_mode+0x27/0x70
+ [ 730.895361] entry_SYSCALL_64_after_hwframe+0x44/0xae
+ [...]
+
+The Linux kernel CVE team has assigned CVE-2021-47128 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.6 with commit 59438b46471a and fixed in 5.10.43 with commit ff5039ec75c8
+ Issue introduced in 5.6 with commit 59438b46471a and fixed in 5.12.10 with commit acc43fc6cf0d
+ Issue introduced in 5.6 with commit 59438b46471a and fixed in 5.13 with commit ff40e51043af
+
+Please see https://www.kernel.org or a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47128
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ kernel/bpf/helpers.c
+ kernel/trace/bpf_trace.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/ff5039ec75c83d2ed5b781dc7733420ee8c985fc
+ https://git.kernel.org/stable/c/acc43fc6cf0d50612193813c5906a1ab9d433e1e
+ https://git.kernel.org/stable/c/ff40e51043af63715ab413995ff46996ecf9583f
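Review bot: The boilerplate sentence `Please see https://www.kernel.org or a full list of currently supported` in the "Affected and fixed versions" section looks like a typo for `Please see https://www.kernel.org for a full list of currently supported`. The identical sentence appears in the CVE-2021-47129.mbox and CVE-2021-47130.mbox hunks of this commit, so it presumably comes from the generator's template and should be fixed there, not per record. Each announcement also carries an `X-Developer-Signature` header with a `bh=` value, which appears to be a hash over the message body. The wording should therefore be corrected before the message is generated and signed, because editing the committed file in place would likely invalidate that signature.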
diff --git a/cve/published/2021/CVE-2021-47128.sha1 b/cve/published/2021/CVE-2021-47128.sha1
new file mode 100644
index 00000000..c2c8ac4b
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47128.sha1
@@ -0,0 +1 @@
+ff40e51043af63715ab413995ff46996ecf9583f
diff --git a/cve/reserved/2021/CVE-2021-47129 b/cve/published/2021/CVE-2021-47129
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47129
+++ b/cve/published/2021/CVE-2021-47129
diff --git a/cve/published/2021/CVE-2021-47129.json b/cve/published/2021/CVE-2021-47129.json
new file mode 100644
index 00000000..4aa1e6ba
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47129.json
@@ -0,0 +1,118 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_ct: skip expectations for confirmed conntrack\n\nnft_ct_expect_obj_eval() calls nf_ct_ext_add() for a confirmed\nconntrack entry. However, nf_ct_ext_add() can only be called for\n!nf_ct_is_confirmed().\n\n[ 1825.349056] WARNING: CPU: 0 PID: 1279 at net/netfilter/nf_conntrack_extend.c:48 nf_ct_xt_add+0x18e/0x1a0 [nf_conntrack]\n[ 1825.351391] RIP: 0010:nf_ct_ext_add+0x18e/0x1a0 [nf_conntrack]\n[ 1825.351493] Code: 41 5c 41 5d 41 5e 41 5f c3 41 bc 0a 00 00 00 e9 15 ff ff ff ba 09 00 00 00 31 f6 4c 89 ff e8 69 6c 3d e9 eb 96 45 31 ed eb cd <0f> 0b e9 b1 fe ff ff e8 86 79 14 e9 eb bf 0f 1f 40 00 0f 1f 44 00\n[ 1825.351721] RSP: 0018:ffffc90002e1f1e8 EFLAGS: 00010202\n[ 1825.351790] RAX: 000000000000000e RBX: ffff88814f5783c0 RCX: ffffffffc0e4f887\n[ 1825.351881] RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff88814f578440\n[ 1825.351971] RBP: 0000000000000000 R08: 0000000000000000 R09: ffff88814f578447\n[ 1825.352060] R10: ffffed1029eaf088 R11: 0000000000000001 R12: ffff88814f578440\n[ 1825.352150] R13: ffff8882053f3a00 R14: 0000000000000000 R15: 0000000000000a20\n[ 1825.352240] FS: 00007f992261c900(0000) GS:ffff889faec00000(0000) knlGS:0000000000000000\n[ 1825.352343] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 1825.352417] CR2: 000056070a4d1158 CR3: 000000015efe0000 CR4: 0000000000350ee0\n[ 1825.352508] Call Trace:\n[ 1825.352544] nf_ct_helper_ext_add+0x10/0x60 [nf_conntrack]\n[ 1825.352641] nft_ct_expect_obj_eval+0x1b8/0x1e0 [nft_ct]\n[ 1825.352716] nft_do_chain+0x232/0x850 [nf_tables]\n\nAdd the ct helper extension only for unconfirmed conntrack. Skip rule\nevaluation if the ct helper extension does not exist. Thus, you can\nonly create expectations from the first packet.\n\nIt should be possible to remove this limitation by adding a new action\nto attach a generic ct helper to the first packet. 
Then, use this ct\nhelper extension from follow up packets to create the ct expectation.\n\nWhile at it, add a missing check to skip the template conntrack too\nand remove check for IPCT_UNTRACK which is implicit to !ct."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "857b46027d6f",
+ "lessThan": "da8d31e80ff4",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "857b46027d6f",
+ "lessThan": "5f3429c05e40",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "857b46027d6f",
+ "lessThan": "2c0e6b35b88a",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "857b46027d6f",
+ "lessThan": "1710eb913bdc",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.3",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.3",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.125",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.43",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.12.10",
+ "lessThanOrEqual": "5.12.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.13",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/da8d31e80ff425f5a65dab7060d5c4aba749e562"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/5f3429c05e4028a0e241afdad856dd15dec2ffb9"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/2c0e6b35b88a961127066a1028bce9c727cbc3e5"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/1710eb913bdcda3917f44d383c32de6bdabfc836"
+ }
+ ],
+ "title": "netfilter: nft_ct: skip expectations for confirmed conntrack",
+ "x_generator": {
+ "engine": "bippy-8df59b4913de"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47129",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
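Review bot: The WARNING line inside `descriptions[0].value` names the symbol `nf_ct_xt_add+0x18e/0x1a0`, while the RIP line right after it and the surrounding prose both say `nf_ct_ext_add`. Anyone matching kernel logs against this record by symbol name would miss on the first spelling. The text is probably copied verbatim from the upstream commit message, so the mismatch may be inherited, not introduced here; the same line is repeated in the CVE-2021-47129.mbox hunk. If the record is meant to mirror the commit message exactly, leave it as is; otherwise the line would end `nf_conntrack_extend.c:48 nf_ct_ext_add+0x18e/0x1a0 [nf_conntrack]`.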
diff --git a/cve/published/2021/CVE-2021-47129.mbox b/cve/published/2021/CVE-2021-47129.mbox
new file mode 100644
index 00000000..c436d884
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47129.mbox
@@ -0,0 +1,98 @@
+From bippy-8df59b4913de Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47129: netfilter: nft_ct: skip expectations for confirmed conntrack
+Message-Id: <2024031513-CVE-2021-47129-7ba5@gregkh>
+Content-Length: 3930
+Lines: 81
+X-Developer-Signature: v=1; a=openpgp-sha256; l=4012;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=gHL7OmLOOqHQAId02kz19NcsW5y5uLNblmSVn49/HOk=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDKlf1gTO3qXZNNMtz+aj0LwZXmpbNjn5Wd1Qm7TuVKQ6q
+ 7H+kS1mHbEsDIJMDLJiiixftvEc3V9xSNHL0PY0zBxWJpAhDFycAjCRo3MZZjLanrN/95P1mpnF
+ xW+JdZOSFvbf5mZYsGKSxPUbJT7rNzvcljn4IVLucErtBwA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+netfilter: nft_ct: skip expectations for confirmed conntrack
+
+nft_ct_expect_obj_eval() calls nf_ct_ext_add() for a confirmed
+conntrack entry. However, nf_ct_ext_add() can only be called for
+!nf_ct_is_confirmed().
+
+[ 1825.349056] WARNING: CPU: 0 PID: 1279 at net/netfilter/nf_conntrack_extend.c:48 nf_ct_xt_add+0x18e/0x1a0 [nf_conntrack]
+[ 1825.351391] RIP: 0010:nf_ct_ext_add+0x18e/0x1a0 [nf_conntrack]
+[ 1825.351493] Code: 41 5c 41 5d 41 5e 41 5f c3 41 bc 0a 00 00 00 e9 15 ff ff ff ba 09 00 00 00 31 f6 4c 89 ff e8 69 6c 3d e9 eb 96 45 31 ed eb cd <0f> 0b e9 b1 fe ff ff e8 86 79 14 e9 eb bf 0f 1f 40 00 0f 1f 44 00
+[ 1825.351721] RSP: 0018:ffffc90002e1f1e8 EFLAGS: 00010202
+[ 1825.351790] RAX: 000000000000000e RBX: ffff88814f5783c0 RCX: ffffffffc0e4f887
+[ 1825.351881] RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff88814f578440
+[ 1825.351971] RBP: 0000000000000000 R08: 0000000000000000 R09: ffff88814f578447
+[ 1825.352060] R10: ffffed1029eaf088 R11: 0000000000000001 R12: ffff88814f578440
+[ 1825.352150] R13: ffff8882053f3a00 R14: 0000000000000000 R15: 0000000000000a20
+[ 1825.352240] FS: 00007f992261c900(0000) GS:ffff889faec00000(0000) knlGS:0000000000000000
+[ 1825.352343] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 1825.352417] CR2: 000056070a4d1158 CR3: 000000015efe0000 CR4: 0000000000350ee0
+[ 1825.352508] Call Trace:
+[ 1825.352544] nf_ct_helper_ext_add+0x10/0x60 [nf_conntrack]
+[ 1825.352641] nft_ct_expect_obj_eval+0x1b8/0x1e0 [nft_ct]
+[ 1825.352716] nft_do_chain+0x232/0x850 [nf_tables]
+
+Add the ct helper extension only for unconfirmed conntrack. Skip rule
+evaluation if the ct helper extension does not exist. Thus, you can
+only create expectations from the first packet.
+
+It should be possible to remove this limitation by adding a new action
+to attach a generic ct helper to the first packet. Then, use this ct
+helper extension from follow up packets to create the ct expectation.
+
+While at it, add a missing check to skip the template conntrack too
+and remove check for IPCT_UNTRACK which is implicit to !ct.
+
+The Linux kernel CVE team has assigned CVE-2021-47129 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.3 with commit 857b46027d6f and fixed in 5.4.125 with commit da8d31e80ff4
+ Issue introduced in 5.3 with commit 857b46027d6f and fixed in 5.10.43 with commit 5f3429c05e40
+ Issue introduced in 5.3 with commit 857b46027d6f and fixed in 5.12.10 with commit 2c0e6b35b88a
+ Issue introduced in 5.3 with commit 857b46027d6f and fixed in 5.13 with commit 1710eb913bdc
+
+Please see https://www.kernel.org or a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47129
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ net/netfilter/nft_ct.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/da8d31e80ff425f5a65dab7060d5c4aba749e562
+ https://git.kernel.org/stable/c/5f3429c05e4028a0e241afdad856dd15dec2ffb9
+ https://git.kernel.org/stable/c/2c0e6b35b88a961127066a1028bce9c727cbc3e5
+ https://git.kernel.org/stable/c/1710eb913bdcda3917f44d383c32de6bdabfc836
diff --git a/cve/published/2021/CVE-2021-47129.sha1 b/cve/published/2021/CVE-2021-47129.sha1
new file mode 100644
index 00000000..09fbcb3e
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47129.sha1
@@ -0,0 +1 @@
+1710eb913bdcda3917f44d383c32de6bdabfc836
diff --git a/cve/reserved/2021/CVE-2021-47130 b/cve/published/2021/CVE-2021-47130
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47130
+++ b/cve/published/2021/CVE-2021-47130
diff --git a/cve/published/2021/CVE-2021-47130.json b/cve/published/2021/CVE-2021-47130.json
new file mode 100644
index 00000000..907fb82a
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47130.json
@@ -0,0 +1,103 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: fix freeing unallocated p2pmem\n\nIn case p2p device was found but the p2p pool is empty, the nvme target\nis still trying to free the sgl from the p2p pool instead of the\nregular sgl pool and causing a crash (BUG() is called). Instead, assign\nthe p2p_dev for the request only if it was allocated from p2p pool.\n\nThis is the crash that was caused:\n\n[Sun May 30 19:13:53 2021] ------------[ cut here ]------------\n[Sun May 30 19:13:53 2021] kernel BUG at lib/genalloc.c:518!\n[Sun May 30 19:13:53 2021] invalid opcode: 0000 [#1] SMP PTI\n...\n[Sun May 30 19:13:53 2021] kernel BUG at lib/genalloc.c:518!\n...\n[Sun May 30 19:13:53 2021] RIP: 0010:gen_pool_free_owner+0xa8/0xb0\n...\n[Sun May 30 19:13:53 2021] Call Trace:\n[Sun May 30 19:13:53 2021] ------------[ cut here ]------------\n[Sun May 30 19:13:53 2021] pci_free_p2pmem+0x2b/0x70\n[Sun May 30 19:13:53 2021] pci_p2pmem_free_sgl+0x4f/0x80\n[Sun May 30 19:13:53 2021] nvmet_req_free_sgls+0x1e/0x80 [nvmet]\n[Sun May 30 19:13:53 2021] kernel BUG at lib/genalloc.c:518!\n[Sun May 30 19:13:53 2021] nvmet_rdma_release_rsp+0x4e/0x1f0 [nvmet_rdma]\n[Sun May 30 19:13:53 2021] nvmet_rdma_send_done+0x1c/0x60 [nvmet_rdma]"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "c6e3f1339812",
+ "lessThan": "c440cd080761",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "c6e3f1339812",
+ "lessThan": "8a452d62e7ce",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "c6e3f1339812",
+ "lessThan": "bcd9a0797d73",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.8",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.8",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.43",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.12.10",
+ "lessThanOrEqual": "5.12.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.13",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/c440cd080761b18a52cac20f2a42e5da1e3995af"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/8a452d62e7cea3c8a2676a3b89a9118755a1a271"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/bcd9a0797d73eeff659582f23277e7ab6e5f18f3"
+ }
+ ],
+ "title": "nvmet: fix freeing unallocated p2pmem",
+ "x_generator": {
+ "engine": "bippy-8df59b4913de"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47130",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2021/CVE-2021-47130.mbox b/cve/published/2021/CVE-2021-47130.mbox
new file mode 100644
index 00000000..5cf4f1a1
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47130.mbox
@@ -0,0 +1,88 @@
+From bippy-8df59b4913de Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47130: nvmet: fix freeing unallocated p2pmem
+Message-Id: <2024031513-CVE-2021-47130-9f71@gregkh>
+Content-Length: 2883
+Lines: 71
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2955;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=sFwYT9Lpum1tdal9ePQJ27nx0U48ha70mTNV4ELikXs=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDKlf1gQ++1UlX2QZ01Vfw2xskuj5PrQ+Wt1esSiAuWCzt
+ 8kfdq6OWBYGQSYGWTFFli/beI7urzik6GVoexpmDisTyBAGLk4BmMid7QzzU35cfsLqaXbBpiXi
+ 5j/P3MnRS32NGeb7qXdaVN8sKJGuTpHzCv2aa59T9BAA
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+nvmet: fix freeing unallocated p2pmem
+
+In case p2p device was found but the p2p pool is empty, the nvme target
+is still trying to free the sgl from the p2p pool instead of the
+regular sgl pool and causing a crash (BUG() is called). Instead, assign
+the p2p_dev for the request only if it was allocated from p2p pool.
+
+This is the crash that was caused:
+
+[Sun May 30 19:13:53 2021] ------------[ cut here ]------------
+[Sun May 30 19:13:53 2021] kernel BUG at lib/genalloc.c:518!
+[Sun May 30 19:13:53 2021] invalid opcode: 0000 [#1] SMP PTI
+...
+[Sun May 30 19:13:53 2021] kernel BUG at lib/genalloc.c:518!
+...
+[Sun May 30 19:13:53 2021] RIP: 0010:gen_pool_free_owner+0xa8/0xb0
+...
+[Sun May 30 19:13:53 2021] Call Trace:
+[Sun May 30 19:13:53 2021] ------------[ cut here ]------------
+[Sun May 30 19:13:53 2021] pci_free_p2pmem+0x2b/0x70
+[Sun May 30 19:13:53 2021] pci_p2pmem_free_sgl+0x4f/0x80
+[Sun May 30 19:13:53 2021] nvmet_req_free_sgls+0x1e/0x80 [nvmet]
+[Sun May 30 19:13:53 2021] kernel BUG at lib/genalloc.c:518!
+[Sun May 30 19:13:53 2021] nvmet_rdma_release_rsp+0x4e/0x1f0 [nvmet_rdma]
+[Sun May 30 19:13:53 2021] nvmet_rdma_send_done+0x1c/0x60 [nvmet_rdma]
+
+The Linux kernel CVE team has assigned CVE-2021-47130 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.8 with commit c6e3f1339812 and fixed in 5.10.43 with commit c440cd080761
+ Issue introduced in 5.8 with commit c6e3f1339812 and fixed in 5.12.10 with commit 8a452d62e7ce
+ Issue introduced in 5.8 with commit c6e3f1339812 and fixed in 5.13 with commit bcd9a0797d73
+
+Please see https://www.kernel.org or a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47130
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/nvme/target/core.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/c440cd080761b18a52cac20f2a42e5da1e3995af
+ https://git.kernel.org/stable/c/8a452d62e7cea3c8a2676a3b89a9118755a1a271
+ https://git.kernel.org/stable/c/bcd9a0797d73eeff659582f23277e7ab6e5f18f3
diff --git a/cve/published/2021/CVE-2021-47130.sha1 b/cve/published/2021/CVE-2021-47130.sha1
new file mode 100644
index 00000000..d0b7a949
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47130.sha1
@@ -0,0 +1 @@
+bcd9a0797d73eeff659582f23277e7ab6e5f18f3
diff --git a/cve/reserved/2021/CVE-2021-47131 b/cve/published/2021/CVE-2021-47131
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47131
+++ b/cve/published/2021/CVE-2021-47131
diff --git a/cve/published/2021/CVE-2021-47131.json b/cve/published/2021/CVE-2021-47131.json
new file mode 100644
index 00000000..4a87e0a1
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47131.json
@@ -0,0 +1,103 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/tls: Fix use-after-free after the TLS device goes down and up\n\nWhen a netdev with active TLS offload goes down, tls_device_down is\ncalled to stop the offload and tear down the TLS context. However, the\nsocket stays alive, and it still points to the TLS context, which is now\ndeallocated. If a netdev goes up, while the connection is still active,\nand the data flow resumes after a number of TCP retransmissions, it will\nlead to a use-after-free of the TLS context.\n\nThis commit addresses this bug by keeping the context alive until its\nnormal destruction, and implements the necessary fallbacks, so that the\nconnection can resume in software (non-offloaded) kTLS mode.\n\nOn the TX side tls_sw_fallback is used to encrypt all packets. The RX\nside already has all the necessary fallbacks, because receiving\nnon-decrypted packets is supported. The thing needed on the RX side is\nto block resync requests, which are normally produced after receiving\nnon-decrypted packets.\n\nThe necessary synchronization is implemented for a graceful teardown:\nfirst the fallbacks are deployed, then the driver resources are released\n(it used to be possible to have a tls_dev_resync after tls_dev_del).\n\nA new flag called TLS_RX_DEV_DEGRADED is added to indicate the fallback\nmode. It's used to skip the RX resync logic completely, as it becomes\nuseless, and some objects may be released (for example, resync_async,\nwhich is allocated and freed by the driver)."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "e8f69799810c",
+ "lessThan": "f1d4184f128d",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "e8f69799810c",
+ "lessThan": "0f1e6fe66977",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "e8f69799810c",
+ "lessThan": "c55dcdd435aa",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "4.18",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "4.18",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.43",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.12.10",
+ "lessThanOrEqual": "5.12.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.13",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/f1d4184f128dede82a59a841658ed40d4e6d3aa2"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/0f1e6fe66977a864fe850522316f713d7b926fd9"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/c55dcdd435aa6c6ad6ccac0a4c636d010ee367a4"
+ }
+ ],
+ "title": "net/tls: Fix use-after-free after the TLS device goes down and up",
+ "x_generator": {
+ "engine": "bippy-8df59b4913de"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47131",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
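Review bot: The `cna` container has no `problemTypes` entry, although both `title` and the description name the flaw as a use-after-free of the TLS context, so consumers that triage by weakness class can only find this record by parsing free text. If the generator can carry a classification, adding `"problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416 Use After Free"}]}]` would close that gap. The description is also the fix commit's message verbatim ("This commit addresses this bug by ..."), so it explains the patch rather than the exposure. A one-line scope statement would help defenders decide which hosts matter; the description suggests only connections using TLS device offload are on the affected path, which should be confirmed before it is stated.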
diff --git a/cve/published/2021/CVE-2021-47131.mbox b/cve/published/2021/CVE-2021-47131.mbox
new file mode 100644
index 00000000..ee516dc6
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47131.mbox
@@ -0,0 +1,93 @@
+From bippy-8df59b4913de Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47131: net/tls: Fix use-after-free after the TLS device goes down and up
+Message-Id: <2024031513-CVE-2021-47131-eafc@gregkh>
+Content-Length: 3225
+Lines: 76
+X-Developer-Signature: v=1; a=openpgp-sha256; l=3302;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=wZAN/kS8ksi/icF49t1Jq9jR9Ow44UiS0fNZaDFn2zU=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDKlf1gTNeX03K95MomPhtKfv7xUePlsjEnrtg2SlA8PN3
+ 426UxpXdMSyMAgyMciKKbJ82cZzdH/FIUUvQ9vTMHNYmUCGMHBxCsBEfh1gWLDBTvskRxLzE/F5
+ kYqLzpjK/Xg9uYhhrtD/66HzK5pX/pimMcPzDy+/0oEtKgA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+net/tls: Fix use-after-free after the TLS device goes down and up
+
+When a netdev with active TLS offload goes down, tls_device_down is
+called to stop the offload and tear down the TLS context. However, the
+socket stays alive, and it still points to the TLS context, which is now
+deallocated. If a netdev goes up, while the connection is still active,
+and the data flow resumes after a number of TCP retransmissions, it will
+lead to a use-after-free of the TLS context.
+
+This commit addresses this bug by keeping the context alive until its
+normal destruction, and implements the necessary fallbacks, so that the
+connection can resume in software (non-offloaded) kTLS mode.
+
+On the TX side tls_sw_fallback is used to encrypt all packets. The RX
+side already has all the necessary fallbacks, because receiving
+non-decrypted packets is supported. The thing needed on the RX side is
+to block resync requests, which are normally produced after receiving
+non-decrypted packets.
+
+The necessary synchronization is implemented for a graceful teardown:
+first the fallbacks are deployed, then the driver resources are released
+(it used to be possible to have a tls_dev_resync after tls_dev_del).
+
+A new flag called TLS_RX_DEV_DEGRADED is added to indicate the fallback
+mode. It's used to skip the RX resync logic completely, as it becomes
+useless, and some objects may be released (for example, resync_async,
+which is allocated and freed by the driver).
+
+The Linux kernel CVE team has assigned CVE-2021-47131 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 4.18 with commit e8f69799810c and fixed in 5.10.43 with commit f1d4184f128d
+ Issue introduced in 4.18 with commit e8f69799810c and fixed in 5.12.10 with commit 0f1e6fe66977
+ Issue introduced in 4.18 with commit e8f69799810c and fixed in 5.13 with commit c55dcdd435aa
+
+Please see https://www.kernel.org or a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47131
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ include/net/tls.h
+ net/tls/tls_device.c
+ net/tls/tls_device_fallback.c
+ net/tls/tls_main.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/f1d4184f128dede82a59a841658ed40d4e6d3aa2
+ https://git.kernel.org/stable/c/0f1e6fe66977a864fe850522316f713d7b926fd9
+ https://git.kernel.org/stable/c/c55dcdd435aa6c6ad6ccac0a4c636d010ee367a4
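Review bot: The template sentence `Please see https://www.kernel.org or a full list of currently supported` has "or" where "for" is meant, and it should read `Please see https://www.kernel.org for a full list of currently supported`. The fix belongs in the generator template rather than in this file, because the `bh=` value in `X-Developer-Signature` presumably hashes the body, so a hand edit after signing would no longer verify. The same line appears in the CVE-2021-47132, CVE-2021-47133, CVE-2021-47134 and CVE-2021-47135 mbox files added by this commit.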
diff --git a/cve/published/2021/CVE-2021-47131.sha1 b/cve/published/2021/CVE-2021-47131.sha1
new file mode 100644
index 00000000..fa1b4663
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47131.sha1
@@ -0,0 +1 @@
+c55dcdd435aa6c6ad6ccac0a4c636d010ee367a4
diff --git a/cve/reserved/2021/CVE-2021-47132 b/cve/published/2021/CVE-2021-47132
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47132
+++ b/cve/published/2021/CVE-2021-47132
diff --git a/cve/published/2021/CVE-2021-47132.json b/cve/published/2021/CVE-2021-47132.json
new file mode 100644
index 00000000..6999e80a
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47132.json
@@ -0,0 +1,88 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix sk_forward_memory corruption on retransmission\n\nMPTCP sk_forward_memory handling is a bit special, as such field\nis protected by the msk socket spin_lock, instead of the plain\nsocket lock.\n\nCurrently we have a code path updating such field without handling\nthe relevant lock:\n\n__mptcp_retrans() -> __mptcp_clean_una_wakeup()\n\nSeveral helpers in __mptcp_clean_una_wakeup() will update\nsk_forward_alloc, possibly causing such field corruption, as reported\nby Matthieu.\n\nAddress the issue providing and using a new variant of blamed function\nwhich explicitly acquires the msk spin lock."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "64b9cea7a0af",
+ "lessThan": "b9c78b1a9596",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "64b9cea7a0af",
+ "lessThan": "b5941f066b4c",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.12",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.12",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.12.10",
+ "lessThanOrEqual": "5.12.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.13",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/b9c78b1a95966a7bd2ddae05b73eafc0cda4fba3"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/b5941f066b4ca331db225a976dae1d6ca8cf0ae3"
+ }
+ ],
+ "title": "mptcp: fix sk_forward_memory corruption on retransmission",
+ "x_generator": {
+ "engine": "bippy-8df59b4913de"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47132",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2021/CVE-2021-47132.mbox b/cve/published/2021/CVE-2021-47132.mbox
new file mode 100644
index 00000000..689478dd
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47132.mbox
@@ -0,0 +1,78 @@
+From bippy-8df59b4913de Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47132: mptcp: fix sk_forward_memory corruption on retransmission
+Message-Id: <2024031514-CVE-2021-47132-80b2@gregkh>
+Content-Length: 2136
+Lines: 61
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2198;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=mSXBYHLU7qzLQYeGSf6Vg9CdpkQbW05Eu99VmEtdjq0=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDKlf1gTF2z3nftW1oCGhbeProyunnRO5yLHIseVBVkvMf
+ T8hg28FHbEsDIJMDLJiiixftvEc3V9xSNHL0PY0zBxWJpAhDFycAjARA0WGuYKsmpEhC/6zysq2
+ WF42OMi9uOGyCcP8RCHbe/eOZvMUPv8QyfvVwnmX0NwaAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+mptcp: fix sk_forward_memory corruption on retransmission
+
+MPTCP sk_forward_memory handling is a bit special, as such field
+is protected by the msk socket spin_lock, instead of the plain
+socket lock.
+
+Currently we have a code path updating such field without handling
+the relevant lock:
+
+__mptcp_retrans() -> __mptcp_clean_una_wakeup()
+
+Several helpers in __mptcp_clean_una_wakeup() will update
+sk_forward_alloc, possibly causing such field corruption, as reported
+by Matthieu.
+
+Address the issue providing and using a new variant of blamed function
+which explicitly acquires the msk spin lock.
+
+The Linux kernel CVE team has assigned CVE-2021-47132 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.12 with commit 64b9cea7a0af and fixed in 5.12.10 with commit b9c78b1a9596
+ Issue introduced in 5.12 with commit 64b9cea7a0af and fixed in 5.13 with commit b5941f066b4c
+
+Please see https://www.kernel.org or a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47132
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ net/mptcp/protocol.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/b9c78b1a95966a7bd2ddae05b73eafc0cda4fba3
+ https://git.kernel.org/stable/c/b5941f066b4ca331db225a976dae1d6ca8cf0ae3
diff --git a/cve/published/2021/CVE-2021-47132.sha1 b/cve/published/2021/CVE-2021-47132.sha1
new file mode 100644
index 00000000..5f152360
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47132.sha1
@@ -0,0 +1 @@
+b5941f066b4ca331db225a976dae1d6ca8cf0ae3
diff --git a/cve/reserved/2021/CVE-2021-47133 b/cve/published/2021/CVE-2021-47133
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47133
+++ b/cve/published/2021/CVE-2021-47133
diff --git a/cve/published/2021/CVE-2021-47133.json b/cve/published/2021/CVE-2021-47133.json
new file mode 100644
index 00000000..6098373a
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47133.json
@@ -0,0 +1,88 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: amd_sfh: Fix memory leak in amd_sfh_work\n\nKmemleak tool detected a memory leak in the amd_sfh driver.\n\n====================\nunreferenced object 0xffff88810228ada0 (size 32):\n comm \"insmod\", pid 3968, jiffies 4295056001 (age 775.792s)\n hex dump (first 32 bytes):\n 00 20 73 1f 81 88 ff ff 00 01 00 00 00 00 ad de . s.............\n 22 01 00 00 00 00 ad de 01 00 02 00 00 00 00 00 \"...............\n backtrace:\n [<000000007b4c8799>] kmem_cache_alloc_trace+0x163/0x4f0\n [<0000000005326893>] amd_sfh_get_report+0xa4/0x1d0 [amd_sfh]\n [<000000002a9e5ec4>] amdtp_hid_request+0x62/0x80 [amd_sfh]\n [<00000000b8a95807>] sensor_hub_get_feature+0x145/0x270 [hid_sensor_hub]\n [<00000000fda054ee>] hid_sensor_parse_common_attributes+0x215/0x460 [hid_sensor_iio_common]\n [<0000000021279ecf>] hid_accel_3d_probe+0xff/0x4a0 [hid_sensor_accel_3d]\n [<00000000915760ce>] platform_probe+0x6a/0xd0\n [<0000000060258a1f>] really_probe+0x192/0x620\n [<00000000fa812f2d>] driver_probe_device+0x14a/0x1d0\n [<000000005e79f7fd>] __device_attach_driver+0xbd/0x110\n [<0000000070d15018>] bus_for_each_drv+0xfd/0x160\n [<0000000013a3c312>] __device_attach+0x18b/0x220\n [<000000008c7b4afc>] device_initial_probe+0x13/0x20\n [<00000000e6e99665>] bus_probe_device+0xfe/0x120\n [<00000000833fa90b>] device_add+0x6a6/0xe00\n [<00000000fa901078>] platform_device_add+0x180/0x380\n====================\n\nThe fix is to freeing request_list entry once the processed entry is\nremoved from the request_list."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "4b2c53d93a4b",
+ "lessThan": "29beadea66a2",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "4b2c53d93a4b",
+ "lessThan": "5ad755fd2b32",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.11",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.11",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.12.10",
+ "lessThanOrEqual": "5.12.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.13",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/29beadea66a226d744d5ffdcde6b984623053d24"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/5ad755fd2b326aa2bc8910b0eb351ee6aece21b1"
+ }
+ ],
+ "title": "HID: amd_sfh: Fix memory leak in amd_sfh_work",
+ "x_generator": {
+ "engine": "bippy-8df59b4913de"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47133",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2021/CVE-2021-47133.mbox b/cve/published/2021/CVE-2021-47133.mbox
new file mode 100644
index 00000000..41a1d158
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47133.mbox
@@ -0,0 +1,92 @@
+From bippy-8df59b4913de Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47133: HID: amd_sfh: Fix memory leak in amd_sfh_work
+Message-Id: <2024031514-CVE-2021-47133-1141@gregkh>
+Content-Length: 3079
+Lines: 75
+X-Developer-Signature: v=1; a=openpgp-sha256; l=3155;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=aKwD0Nz2QUl2u3X7nthsoQPn4cyHBARNg8S3Lgz2LMk=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDKlf1gQ1Kgq9FueeuPJTVu6M67/Waqqerv6s8tx3Q4RMz
+ M8zeq6bO2JZGASZGGTFFFm+bOM5ur/ikKKXoe1pmDmsTCBDGLg4BWAikYsY5tnuuvvoWtHlgrei
+ 873r3zqx1DYdXcSwYCNXpq1+/Fqd0KOvGtsUegOMfMROAAA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+HID: amd_sfh: Fix memory leak in amd_sfh_work
+
+Kmemleak tool detected a memory leak in the amd_sfh driver.
+
+====================
+unreferenced object 0xffff88810228ada0 (size 32):
+ comm "insmod", pid 3968, jiffies 4295056001 (age 775.792s)
+ hex dump (first 32 bytes):
+ 00 20 73 1f 81 88 ff ff 00 01 00 00 00 00 ad de . s.............
+ 22 01 00 00 00 00 ad de 01 00 02 00 00 00 00 00 "...............
+ backtrace:
+ [<000000007b4c8799>] kmem_cache_alloc_trace+0x163/0x4f0
+ [<0000000005326893>] amd_sfh_get_report+0xa4/0x1d0 [amd_sfh]
+ [<000000002a9e5ec4>] amdtp_hid_request+0x62/0x80 [amd_sfh]
+ [<00000000b8a95807>] sensor_hub_get_feature+0x145/0x270 [hid_sensor_hub]
+ [<00000000fda054ee>] hid_sensor_parse_common_attributes+0x215/0x460 [hid_sensor_iio_common]
+ [<0000000021279ecf>] hid_accel_3d_probe+0xff/0x4a0 [hid_sensor_accel_3d]
+ [<00000000915760ce>] platform_probe+0x6a/0xd0
+ [<0000000060258a1f>] really_probe+0x192/0x620
+ [<00000000fa812f2d>] driver_probe_device+0x14a/0x1d0
+ [<000000005e79f7fd>] __device_attach_driver+0xbd/0x110
+ [<0000000070d15018>] bus_for_each_drv+0xfd/0x160
+ [<0000000013a3c312>] __device_attach+0x18b/0x220
+ [<000000008c7b4afc>] device_initial_probe+0x13/0x20
+ [<00000000e6e99665>] bus_probe_device+0xfe/0x120
+ [<00000000833fa90b>] device_add+0x6a6/0xe00
+ [<00000000fa901078>] platform_device_add+0x180/0x380
+====================
+
+The fix is to freeing request_list entry once the processed entry is
+removed from the request_list.
+
+The Linux kernel CVE team has assigned CVE-2021-47133 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.11 with commit 4b2c53d93a4b and fixed in 5.12.10 with commit 29beadea66a2
+ Issue introduced in 5.11 with commit 4b2c53d93a4b and fixed in 5.13 with commit 5ad755fd2b32
+
+Please see https://www.kernel.org or a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47133
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/hid/amd-sfh-hid/amd_sfh_client.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/29beadea66a226d744d5ffdcde6b984623053d24
+ https://git.kernel.org/stable/c/5ad755fd2b326aa2bc8910b0eb351ee6aece21b1
diff --git a/cve/published/2021/CVE-2021-47133.sha1 b/cve/published/2021/CVE-2021-47133.sha1
new file mode 100644
index 00000000..a0b041a6
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47133.sha1
@@ -0,0 +1 @@
+5ad755fd2b326aa2bc8910b0eb351ee6aece21b1
diff --git a/cve/reserved/2021/CVE-2021-47134 b/cve/published/2021/CVE-2021-47134
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47134
+++ b/cve/published/2021/CVE-2021-47134
diff --git a/cve/published/2021/CVE-2021-47134.json b/cve/published/2021/CVE-2021-47134.json
new file mode 100644
index 00000000..55f6ecf1
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47134.json
@@ -0,0 +1,103 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nefi/fdt: fix panic when no valid fdt found\n\nsetup_arch() would invoke efi_init()->efi_get_fdt_params(). If no\nvalid fdt found then initial_boot_params will be null. So we\nshould stop further fdt processing here. I encountered this\nissue on risc-v."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "b91540d52a08b",
+ "lessThan": "5148066edbdc",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "b91540d52a08b",
+ "lessThan": "8a7e8b4e5631",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "b91540d52a08b",
+ "lessThan": "668a84c1bfb2",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.10",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.10",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.43",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.12.10",
+ "lessThanOrEqual": "5.12.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.13",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/5148066edbdc89c6fe5bc419c31a5c22e5f83bdb"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/8a7e8b4e5631a03ea2fee27957857a56612108ca"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/668a84c1bfb2b3fd5a10847825a854d63fac7baa"
+ }
+ ],
+ "title": "efi/fdt: fix panic when no valid fdt found",
+ "x_generator": {
+ "engine": "bippy-8df59b4913de"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47134",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
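Review bot: The introducing commit is recorded as the 13-character abbreviation `b91540d52a08b` in all three `"versionType": "git"` ranges, while the `lessThan` values in this record and the `version` values in the CVE-2021-47131 to CVE-2021-47133 records use 12 characters. CVE-2021-47135.json has the same inconsistency with `1c099ab44727c`. Scanners that compare fixed-length prefixes, or that join these records against the 12-character hashes in the matching mbox text, can miss the match. Emitting the full 40-character hash for both `version` and `lessThan` would remove the ambiguity. The full fix hashes are already listed under `references`, but the full introducing hash is not in this record and would have to come from the generator's input.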
diff --git a/cve/published/2021/CVE-2021-47134.mbox b/cve/published/2021/CVE-2021-47134.mbox
new file mode 100644
index 00000000..b9c8455e
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47134.mbox
@@ -0,0 +1,69 @@
+From bippy-8df59b4913de Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47134: efi/fdt: fix panic when no valid fdt found
+Message-Id: <2024031515-CVE-2021-47134-3348@gregkh>
+Content-Length: 1975
+Lines: 52
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2028;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=uLyMEd6an9VXkBzBwFwvqHDiEKQ31B3j2XhjcUmACH0=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDKlf1gRf3/ly9jy/h4fOFrs9br36g7HbeuWy84aLTCpiT
+ fXFe7o7OmJZGASZGGTFFFm+bOM5ur/ikKKXoe1pmDmsTCBDGLg4BWAiS2cwzM+5MqMwc8bj3e99
+ 5q5tvW9udfhR9XGG+SU94sG/HmicnZ6yKMT9iGjwxWrhNAA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+efi/fdt: fix panic when no valid fdt found
+
+setup_arch() would invoke efi_init()->efi_get_fdt_params(). If no
+valid fdt found then initial_boot_params will be null. So we
+should stop further fdt processing here. I encountered this
+issue on risc-v.
+
+The Linux kernel CVE team has assigned CVE-2021-47134 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.10 with commit b91540d52a08b and fixed in 5.10.43 with commit 5148066edbdc
+ Issue introduced in 5.10 with commit b91540d52a08b and fixed in 5.12.10 with commit 8a7e8b4e5631
+ Issue introduced in 5.10 with commit b91540d52a08b and fixed in 5.13 with commit 668a84c1bfb2
+
+Please see https://www.kernel.org or a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47134
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/firmware/efi/fdtparams.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/5148066edbdc89c6fe5bc419c31a5c22e5f83bdb
+ https://git.kernel.org/stable/c/8a7e8b4e5631a03ea2fee27957857a56612108ca
+ https://git.kernel.org/stable/c/668a84c1bfb2b3fd5a10847825a854d63fac7baa
diff --git a/cve/published/2021/CVE-2021-47134.sha1 b/cve/published/2021/CVE-2021-47134.sha1
new file mode 100644
index 00000000..aa3c3514
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47134.sha1
@@ -0,0 +1 @@
+668a84c1bfb2b3fd5a10847825a854d63fac7baa
diff --git a/cve/reserved/2021/CVE-2021-47135 b/cve/published/2021/CVE-2021-47135
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47135
+++ b/cve/published/2021/CVE-2021-47135
diff --git a/cve/published/2021/CVE-2021-47135.json b/cve/published/2021/CVE-2021-47135.json
new file mode 100644
index 00000000..c7914643
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47135.json
@@ -0,0 +1,88 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: mt7921: fix possible AOOB issue in mt7921_mcu_tx_rate_report\n\nFix possible array out of bound access in mt7921_mcu_tx_rate_report.\nRemove unnecessary varibable in mt7921_mcu_tx_rate_report"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1c099ab44727c",
+ "lessThan": "6919e8a24e70",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1c099ab44727c",
+ "lessThan": "d874e6c06952",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.12",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.12",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.12.10",
+ "lessThanOrEqual": "5.12.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.13",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/6919e8a24e70b6ba148fe07f44f835bcdd1a8d02"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/d874e6c06952382897d35bf4094193cd44ae91bd"
+ }
+ ],
+ "title": "mt76: mt7921: fix possible AOOB issue in mt7921_mcu_tx_rate_report",
+ "x_generator": {
+ "engine": "bippy-8df59b4913de"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47135",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2021/CVE-2021-47135.mbox b/cve/published/2021/CVE-2021-47135.mbox
new file mode 100644
index 00000000..80d9bdc5
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47135.mbox
@@ -0,0 +1,65 @@
+From bippy-8df59b4913de Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47135: mt76: mt7921: fix possible AOOB issue in mt7921_mcu_tx_rate_report
+Message-Id: <2024031515-CVE-2021-47135-2c50@gregkh>
+Content-Length: 1765
+Lines: 48
+X-Developer-Signature: v=1; a=openpgp-sha256; l=1814;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=YF+AkUnwxtvdyCjw7+zoFcG9h2ggtVSgHePyQL2GA48=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDKlf1gRbatz9I9iyKT3Q8MLDnaYKaqprpwasX/j6EfNTd
+ 9PdS2bwdMSyMAgyMciKKbJ82cZzdH/FIUUvQ9vTMHNYmUCGMHBxCsBETjxnWLCkUqMrg+94tdaf
+ BcWttxq5Z2mlvWRY0Cn/N+iY1cL8t2/9At+6L3t/YFHcNwA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+mt76: mt7921: fix possible AOOB issue in mt7921_mcu_tx_rate_report
+
+Fix possible array out of bound access in mt7921_mcu_tx_rate_report.
+Remove unnecessary varibable in mt7921_mcu_tx_rate_report
+
+The Linux kernel CVE team has assigned CVE-2021-47135 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.12 with commit 1c099ab44727c and fixed in 5.12.10 with commit 6919e8a24e70
+ Issue introduced in 5.12 with commit 1c099ab44727c and fixed in 5.13 with commit d874e6c06952
+
+Please see https://www.kernel.org or a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47135
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/net/wireless/mediatek/mt76/mt7921/mcu.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/6919e8a24e70b6ba148fe07f44f835bcdd1a8d02
+ https://git.kernel.org/stable/c/d874e6c06952382897d35bf4094193cd44ae91bd
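Review bot: The sentence under "Affected and fixed versions" reads "Please see https://www.kernel.org or a full list", where "or" should be "for", so the pointer to the supported-kernel list does not parse. The line should read `Please see https://www.kernel.org for a full list of currently supported`. The message is stamped `bippy-8df59b4913de`, so the wording presumably comes from the generator's template; fixing it there rather than in this file would keep the other announcements in this commit consistent. The "varibable" typo in the description matches the JSON record's description and appears to be carried from the upstream commit text, so I would leave it as is.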
diff --git a/cve/published/2021/CVE-2021-47135.sha1 b/cve/published/2021/CVE-2021-47135.sha1
new file mode 100644
index 00000000..6850d1f1
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47135.sha1
@@ -0,0 +1 @@
+d874e6c06952382897d35bf4094193cd44ae91bd
diff --git a/cve/review/done/gsd-request-2021-06-15.review-fromfile-greg b/cve/review/done/gsd-request-2021-06-15.review-fromfile-greg
new file mode 100644
index 00000000..f9d1848c
--- /dev/null
+++ b/cve/review/done/gsd-request-2021-06-15.review-fromfile-greg
@@ -0,0 +1,27 @@
+7a6b1ab7475f neighbour: allow NUD_NOARP entries to be forced GCed
+c02027b5742b x86/kvm: Disable kvmclock on all CPUs on shutdown
+107866a8eb0b xen-netback: take a reference to the RX task thread
+8b79feffeca2 x86/kvm: Teardown PV features on boot CPU as well
+dc09ef356272 btrfs: abort in rename_exchange if we fail to insert the second ref
+6bba4471f0cc ocfs2: fix data corruption by fallocate
+4ac06a1e013c nfc: fix NULL ptr dereference in llcp_sock_getname() after failed connect
+a8867f4e3809 ext4: fix memory leak in ext4_mb_init_backend on error path.
+082cd4ec240b ext4: fix bug on in ext4_es_cache_extent as ext4_split_extent_at failed
+0711f0d7050b pid: take a reference when initializing `cad_pid`
+afd09b617db3 ext4: fix memory leak in ext4_fill_super
+4b4f6cecca44 HID: magicmouse: fix NULL-deref on disconnect
+7f5d86669fa4 net: caif: fix memory leak in cfusbl_device_notify
+b53558a950a8 net: caif: fix memory leak in caif_device_notify
+447c19f3b507 io_uring: fix ltout double free on completion race
+a298232ee6b9 io_uring: fix link timeout refs
+944d671d5faa sch_htb: fix refcount leak in htb_parent_to_leaf_offload
+821bbf79fe46 ipv6: Fix KASAN: slab-out-of-bounds Read in fib6_nh_flush_exceptions
+e102db780e1c ice: track AF_XDP ZC enabled queues in bitmap
+ff40e51043af bpf, lockdown, audit: Fix buggy SELinux lockdown permission checks
+1710eb913bdc netfilter: nft_ct: skip expectations for confirmed conntrack
+bcd9a0797d73 nvmet: fix freeing unallocated p2pmem
+c55dcdd435aa net/tls: Fix use-after-free after the TLS device goes down and up
+b5941f066b4c mptcp: fix sk_forward_memory corruption on retransmission
+5ad755fd2b32 HID: amd_sfh: Fix memory leak in amd_sfh_work
+668a84c1bfb2 efi/fdt: fix panic when no valid fdt found
+d874e6c06952 mt76: mt7921: fix possible AOOB issue in mt7921_mcu_tx_rate_report