author: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2024-04-10 21:02:17 +0200
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2024-04-10 21:02:17 +0200
commit: 87ee7561f32ee3f8913c28ee99e55ac98a9beac3 (patch)
tree: 57b1e4a9b08c5d8f082525c9bbd64347b1c41355
parent: 0a667715c14a90997501800b597308adb31255c8 (diff)
more GSD->CVE assignments
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r-- cve/published/2021/CVE-2021-47209 (renamed from cve/reserved/2021/CVE-2021-47209) | 0
-rw-r--r-- cve/published/2021/CVE-2021-47209.json | 88
-rw-r--r-- cve/published/2021/CVE-2021-47209.mbox | 158
-rw-r--r-- cve/published/2021/CVE-2021-47209.sha1 | 1
-rw-r--r-- cve/published/2021/CVE-2021-47210 (renamed from cve/reserved/2021/CVE-2021-47210) | 0
-rw-r--r-- cve/published/2021/CVE-2021-47210.json | 123
-rw-r--r-- cve/published/2021/CVE-2021-47210.mbox | 72
-rw-r--r-- cve/published/2021/CVE-2021-47210.sha1 | 1
-rw-r--r-- cve/published/2021/CVE-2021-47211 (renamed from cve/reserved/2021/CVE-2021-47211) | 0
-rw-r--r-- cve/published/2021/CVE-2021-47211.json | 78
-rw-r--r-- cve/published/2021/CVE-2021-47211.mbox | 66
-rw-r--r-- cve/published/2021/CVE-2021-47211.sha1 | 1
-rw-r--r-- cve/published/2021/CVE-2021-47212 (renamed from cve/reserved/2021/CVE-2021-47212) | 0
-rw-r--r-- cve/published/2021/CVE-2021-47212.json | 88
-rw-r--r-- cve/published/2021/CVE-2021-47212.mbox | 103
-rw-r--r-- cve/published/2021/CVE-2021-47212.sha1 | 1
-rw-r--r-- cve/published/2021/CVE-2021-47213 (renamed from cve/reserved/2021/CVE-2021-47213) | 0
-rw-r--r-- cve/published/2021/CVE-2021-47213.json | 88
-rw-r--r-- cve/published/2021/CVE-2021-47213.mbox | 74
-rw-r--r-- cve/published/2021/CVE-2021-47213.sha1 | 1
-rw-r--r-- cve/published/2021/CVE-2021-47214 (renamed from cve/reserved/2021/CVE-2021-47214) | 0
-rw-r--r-- cve/published/2021/CVE-2021-47214.json | 88
-rw-r--r-- cve/published/2021/CVE-2021-47214.mbox | 77
-rw-r--r-- cve/published/2021/CVE-2021-47214.sha1 | 1
-rw-r--r-- cve/published/2021/CVE-2021-47215 (renamed from cve/reserved/2021/CVE-2021-47215) | 0
-rw-r--r-- cve/published/2021/CVE-2021-47215.json | 88
-rw-r--r-- cve/published/2021/CVE-2021-47215.mbox | 69
-rw-r--r-- cve/published/2021/CVE-2021-47215.sha1 | 1
-rw-r--r-- cve/published/2021/CVE-2021-47216 (renamed from cve/reserved/2021/CVE-2021-47216) | 0
-rw-r--r-- cve/published/2021/CVE-2021-47216.json | 168
-rw-r--r-- cve/published/2021/CVE-2021-47216.mbox | 79
-rw-r--r-- cve/published/2021/CVE-2021-47216.sha1 | 1
-rw-r--r-- cve/published/2021/CVE-2021-47217 (renamed from cve/reserved/2021/CVE-2021-47217) | 0
-rw-r--r-- cve/published/2021/CVE-2021-47217.json | 133
-rw-r--r-- cve/published/2021/CVE-2021-47217.mbox | 92
-rw-r--r-- cve/published/2021/CVE-2021-47217.sha1 | 1
-rw-r--r-- cve/published/2021/CVE-2021-47218 (renamed from cve/reserved/2021/CVE-2021-47218) | 0
-rw-r--r-- cve/published/2021/CVE-2021-47218.json | 103
-rw-r--r-- cve/published/2021/CVE-2021-47218.mbox | 74
-rw-r--r-- cve/published/2021/CVE-2021-47218.sha1 | 1
-rw-r--r-- cve/published/2021/CVE-2021-47219 (renamed from cve/reserved/2021/CVE-2021-47219) | 0
-rw-r--r-- cve/published/2021/CVE-2021-47219.json | 93
-rw-r--r-- cve/published/2021/CVE-2021-47219.mbox | 105
-rw-r--r-- cve/published/2021/CVE-2021-47219.sha1 | 1
44 files changed, 2118 insertions, 0 deletions
diff --git a/cve/reserved/2021/CVE-2021-47209 b/cve/published/2021/CVE-2021-47209
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47209
+++ b/cve/published/2021/CVE-2021-47209
diff --git a/cve/published/2021/CVE-2021-47209.json b/cve/published/2021/CVE-2021-47209.json
new file mode 100644
index 00000000..5fc00f52
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47209.json
@@ -0,0 +1,88 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/fair: Prevent dead task groups from regaining cfs_rq's\n\nKevin is reporting crashes which point to a use-after-free of a cfs_rq\nin update_blocked_averages(). Initial debugging revealed that we've\nlive cfs_rq's (on_list=1) in an about to be kfree()'d task group in\nfree_fair_sched_group(). However, it was unclear how that can happen.\n\nHis kernel config happened to lead to a layout of struct sched_entity\nthat put the 'my_q' member directly into the middle of the object\nwhich makes it incidentally overlap with SLUB's freelist pointer.\nThat, in combination with SLAB_FREELIST_HARDENED's freelist pointer\nmangling, leads to a reliable access violation in form of a #GP which\nmade the UAF fail fast.\n\nMichal seems to have run into the same issue[1]. He already correctly\ndiagnosed that commit a7b359fc6a37 (\"sched/fair: Correctly insert\ncfs_rq's to list on unthrottle\") is causing the preconditions for the\nUAF to happen by re-adding cfs_rq's also to task groups that have no\nmore running tasks, i.e. also to dead ones. His analysis, however,\nmisses the real root cause and it cannot be seen from the crash\nbacktrace only, as the real offender is tg_unthrottle_up() getting\ncalled via sched_cfs_period_timer() via the timer interrupt at an\ninconvenient time.\n\nWhen unregister_fair_sched_group() unlinks all cfs_rq's from the dying\ntask group, it doesn't protect itself from getting interrupted. If the\ntimer interrupt triggers while we iterate over all CPUs or after\nunregister_fair_sched_group() has finished but prior to unlinking the\ntask group, sched_cfs_period_timer() will execute and walk the list of\ntask groups, trying to unthrottle cfs_rq's, i.e. re-add them to the\ndying task group. 
These will later -- in free_fair_sched_group() -- be\nkfree()'ed while still being linked, leading to the fireworks Kevin\nand Michal are seeing.\n\nTo fix this race, ensure the dying task group gets unlinked first.\nHowever, simply switching the order of unregistering and unlinking the\ntask group isn't sufficient, as concurrent RCU walkers might still see\nit, as can be seen below:\n\n CPU1: CPU2:\n : timer IRQ:\n : do_sched_cfs_period_timer():\n : :\n : distribute_cfs_runtime():\n : rcu_read_lock();\n : :\n : unthrottle_cfs_rq():\n sched_offline_group(): :\n : walk_tg_tree_from(…,tg_unthrottle_up,…):\n list_del_rcu(&tg->list); :\n (1) : list_for_each_entry_rcu(child, &parent->children, siblings)\n : :\n (2) list_del_rcu(&tg->siblings); :\n : tg_unthrottle_up():\n unregister_fair_sched_group(): struct cfs_rq *cfs_rq = tg->cfs_rq[cpu_of(rq)];\n : :\n list_del_leaf_cfs_rq(tg->cfs_rq[cpu]); :\n : :\n : if (!cfs_rq_is_decayed(cfs_rq) || cfs_rq->nr_running)\n (3) : list_add_leaf_cfs_rq(cfs_rq);\n : :\n : :\n : :\n : :\n : \n---truncated---"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "a7b359fc6a37",
+ "lessThan": "512e21c150c1",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "a7b359fc6a37",
+ "lessThan": "b027789e5e50",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.13",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.13",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.5",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.16",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/512e21c150c1c3ee298852660f3a796e267e62ec"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/b027789e5e50494c2325cc70c8642e7fd6059479"
+ }
+ ],
+ "title": "sched/fair: Prevent dead task groups from regaining cfs_rq's",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47209",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
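Review bot: The "value" string in "descriptions" ends with "---truncated---" partway through the CPU1/CPU2 interleaving diagram, after step (3) and before step (4), so a consumer of this JSON alone gets the race setup but none of the text that explains why the fix has to wait for the RCU read-side critical section to end. Cutting at a paragraph boundary ahead of the diagram, for example right after "To fix this race, ensure the dying task group gets unlinked first.", would leave a description that reads as complete, with the full text still available in the .mbox announcement.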
diff --git a/cve/published/2021/CVE-2021-47209.mbox b/cve/published/2021/CVE-2021-47209.mbox
new file mode 100644
index 00000000..046779ad
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47209.mbox
@@ -0,0 +1,158 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47209: sched/fair: Prevent dead task groups from regaining cfs_rq's
+Message-Id: <2024041004-CVE-2021-47209-1cf6@gregkh>
+Content-Length: 6889
+Lines: 141
+X-Developer-Signature: v=1; a=openpgp-sha256; l=7031;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=ryOwd3aKZBOvfa0cNn/oXW23a9pUqxIg2jTP8GS0R9I=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGlij3RKZLm/Jlc7V/Nznuq42nmaN9Jsx3abFKFfpbNXZ
+ 23dxLGyI5aFQZCJQVZMkeXLNp6j+ysOKXoZ2p6GmcPKBDKEgYtTACYyt4FhnupBmYlp9yN6pV/O
+ ZvmYq2208luWLsM8w+n10u6az26w3fr1I/BcWA7bC7U0AA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+sched/fair: Prevent dead task groups from regaining cfs_rq's
+
+Kevin is reporting crashes which point to a use-after-free of a cfs_rq
+in update_blocked_averages(). Initial debugging revealed that we've
+live cfs_rq's (on_list=1) in an about to be kfree()'d task group in
+free_fair_sched_group(). However, it was unclear how that can happen.
+
+His kernel config happened to lead to a layout of struct sched_entity
+that put the 'my_q' member directly into the middle of the object
+which makes it incidentally overlap with SLUB's freelist pointer.
+That, in combination with SLAB_FREELIST_HARDENED's freelist pointer
+mangling, leads to a reliable access violation in form of a #GP which
+made the UAF fail fast.
+
+Michal seems to have run into the same issue[1]. He already correctly
+diagnosed that commit a7b359fc6a37 ("sched/fair: Correctly insert
+cfs_rq's to list on unthrottle") is causing the preconditions for the
+UAF to happen by re-adding cfs_rq's also to task groups that have no
+more running tasks, i.e. also to dead ones. His analysis, however,
+misses the real root cause and it cannot be seen from the crash
+backtrace only, as the real offender is tg_unthrottle_up() getting
+called via sched_cfs_period_timer() via the timer interrupt at an
+inconvenient time.
+
+When unregister_fair_sched_group() unlinks all cfs_rq's from the dying
+task group, it doesn't protect itself from getting interrupted. If the
+timer interrupt triggers while we iterate over all CPUs or after
+unregister_fair_sched_group() has finished but prior to unlinking the
+task group, sched_cfs_period_timer() will execute and walk the list of
+task groups, trying to unthrottle cfs_rq's, i.e. re-add them to the
+dying task group. These will later -- in free_fair_sched_group() -- be
+kfree()'ed while still being linked, leading to the fireworks Kevin
+and Michal are seeing.
+
+To fix this race, ensure the dying task group gets unlinked first.
+However, simply switching the order of unregistering and unlinking the
+task group isn't sufficient, as concurrent RCU walkers might still see
+it, as can be seen below:
+
+ CPU1: CPU2:
+ : timer IRQ:
+ : do_sched_cfs_period_timer():
+ : :
+ : distribute_cfs_runtime():
+ : rcu_read_lock();
+ : :
+ : unthrottle_cfs_rq():
+ sched_offline_group(): :
+ : walk_tg_tree_from(…,tg_unthrottle_up,…):
+ list_del_rcu(&tg->list); :
+ (1) : list_for_each_entry_rcu(child, &parent->children, siblings)
+ : :
+ (2) list_del_rcu(&tg->siblings); :
+ : tg_unthrottle_up():
+ unregister_fair_sched_group(): struct cfs_rq *cfs_rq = tg->cfs_rq[cpu_of(rq)];
+ : :
+ list_del_leaf_cfs_rq(tg->cfs_rq[cpu]); :
+ : :
+ : if (!cfs_rq_is_decayed(cfs_rq) || cfs_rq->nr_running)
+ (3) : list_add_leaf_cfs_rq(cfs_rq);
+ : :
+ : :
+ : :
+ : :
+ : :
+ (4) : rcu_read_unlock();
+
+CPU 2 walks the task group list in parallel to sched_offline_group(),
+specifically, it'll read the soon to be unlinked task group entry at
+(1). Unlinking it on CPU 1 at (2) therefore won't prevent CPU 2 from
+still passing it on to tg_unthrottle_up(). CPU 1 now tries to unlink
+all cfs_rq's via list_del_leaf_cfs_rq() in
+unregister_fair_sched_group(). Meanwhile CPU 2 will re-add some of
+these at (3), which is the cause of the UAF later on.
+
+To prevent this additional race from happening, we need to wait until
+walk_tg_tree_from() has finished traversing the task groups, i.e.
+after the RCU read critical section ends in (4). Afterwards we're safe
+to call unregister_fair_sched_group(), as each new walk won't see the
+dying task group any more.
+
+On top of that, we need to wait yet another RCU grace period after
+unregister_fair_sched_group() to ensure print_cfs_stats(), which might
+run concurrently, always sees valid objects, i.e. not already free'd
+ones.
+
+This patch survives Michal's reproducer[2] for 8h+ now, which used to
+trigger within minutes before.
+
+ [1] https://lore.kernel.org/lkml/20211011172236.11223-1-mkoutny@suse.com/
+ [2] https://lore.kernel.org/lkml/20211102160228.GA57072@blackbody.suse.cz/
+
+[peterz: shuffle code around a bit]
+
+The Linux kernel CVE team has assigned CVE-2021-47209 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.13 with commit a7b359fc6a37 and fixed in 5.15.5 with commit 512e21c150c1
+ Issue introduced in 5.13 with commit a7b359fc6a37 and fixed in 5.16 with commit b027789e5e50
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47209
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ kernel/sched/autogroup.c
+ kernel/sched/core.c
+ kernel/sched/fair.c
+ kernel/sched/rt.c
+ kernel/sched/sched.h
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/512e21c150c1c3ee298852660f3a796e267e62ec
+ https://git.kernel.org/stable/c/b027789e5e50494c2325cc70c8642e7fd6059479
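Review bot: The two lore.kernel.org links cited as [1] and [2] in the Description section (Michal's original report and his reproducer) appear only in this message body. The "references" array of CVE-2021-47209.json lists just the two stable commit URLs, and its description is truncated before the footnotes, so the links are lost to anyone working from the JSON record. Consider carrying both lore URLs into "references" so the report and reproducer thread stay reachable for triage.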
diff --git a/cve/published/2021/CVE-2021-47209.sha1 b/cve/published/2021/CVE-2021-47209.sha1
new file mode 100644
index 00000000..7a3da662
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47209.sha1
@@ -0,0 +1 @@
+b027789e5e50494c2325cc70c8642e7fd6059479
diff --git a/cve/reserved/2021/CVE-2021-47210 b/cve/published/2021/CVE-2021-47210
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47210
+++ b/cve/published/2021/CVE-2021-47210
diff --git a/cve/published/2021/CVE-2021-47210.json b/cve/published/2021/CVE-2021-47210.json
new file mode 100644
index 00000000..f52d3214
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47210.json
@@ -0,0 +1,123 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: tipd: Remove WARN_ON in tps6598x_block_read\n\nCalling tps6598x_block_read with a higher than allowed len can be\nhandled by just returning an error. There's no need to crash systems\nwith panic-on-warn enabled."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "2a897d384513",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "30dcfcda8992",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "eff8b7628410",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "2c71811c963b",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "b7a0a63f3fed",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "4.19.218",
+ "lessThanOrEqual": "4.19.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.162",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.82",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.5",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.16",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/2a897d384513ba7f7ef05611338b9a6ec6aeac00"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/30dcfcda8992dc42f18e7d35b6a1fa72372d382d"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/eff8b7628410cb2eb562ca0d5d1f12e27063733e"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/2c71811c963b6c310a29455d521d31a7ea6c5b5e"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/b7a0a63f3fed57d413bb857de164ea9c3984bc4e"
+ }
+ ],
+ "title": "usb: typec: tipd: Remove WARN_ON in tps6598x_block_read",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47210",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
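Review bot: All five git ranges in "affected" start at "version": "1da177e4c3f4", and the second product block has "defaultStatus": "affected" with no "version": "0" / "lessThan" entry marking an unaffected lower bound, unlike the CVE-2021-47209 record in the same commit. Every kernel older than 4.19.218 therefore reads as affected, including releases that may predate tps6598x_block_read and its WARN_ON. If the commit that introduced the WARN_ON can be identified, recording it as the range start would stop scanners from flagging kernels that never had the code.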
diff --git a/cve/published/2021/CVE-2021-47210.mbox b/cve/published/2021/CVE-2021-47210.mbox
new file mode 100644
index 00000000..f2c6cc88
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47210.mbox
@@ -0,0 +1,72 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47210: usb: typec: tipd: Remove WARN_ON in tps6598x_block_read
+Message-Id: <2024041004-CVE-2021-47210-1d37@gregkh>
+Content-Length: 2014
+Lines: 55
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2070;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=1t6RrkQkVoWMFLe65Okib7Yo2Njlw6/TCTxxdQoqGcs=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGlij3SWs1hJOmg2n7T9r6VxNcT+a+zrsuD0IrlC95nVm
+ ktfCcd2xLIwCDIxyIopsnzZxnN0f8UhRS9D29Mwc1iZQIYwcHEKwETuf2GYpxgfMf1gVm0Wx+7m
+ 937MfuIvFjOxMMz3F4l1ElYUvbXDx8BuQ1WH0t6cXlkA
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+usb: typec: tipd: Remove WARN_ON in tps6598x_block_read
+
+Calling tps6598x_block_read with a higher than allowed len can be
+handled by just returning an error. There's no need to crash systems
+with panic-on-warn enabled.
+
+The Linux kernel CVE team has assigned CVE-2021-47210 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 4.19.218 with commit 2a897d384513
+ Fixed in 5.4.162 with commit 30dcfcda8992
+ Fixed in 5.10.82 with commit eff8b7628410
+ Fixed in 5.15.5 with commit 2c71811c963b
+ Fixed in 5.16 with commit b7a0a63f3fed
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47210
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/usb/typec/tipd/core.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/2a897d384513ba7f7ef05611338b9a6ec6aeac00
+ https://git.kernel.org/stable/c/30dcfcda8992dc42f18e7d35b6a1fa72372d382d
+ https://git.kernel.org/stable/c/eff8b7628410cb2eb562ca0d5d1f12e27063733e
+ https://git.kernel.org/stable/c/2c71811c963b6c310a29455d521d31a7ea6c5b5e
+ https://git.kernel.org/stable/c/b7a0a63f3fed57d413bb857de164ea9c3984bc4e
diff --git a/cve/published/2021/CVE-2021-47210.sha1 b/cve/published/2021/CVE-2021-47210.sha1
new file mode 100644
index 00000000..de677b63
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47210.sha1
@@ -0,0 +1 @@
+b7a0a63f3fed57d413bb857de164ea9c3984bc4e
diff --git a/cve/reserved/2021/CVE-2021-47211 b/cve/published/2021/CVE-2021-47211
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47211
+++ b/cve/published/2021/CVE-2021-47211
diff --git a/cve/published/2021/CVE-2021-47211.json b/cve/published/2021/CVE-2021-47211.json
new file mode 100644
index 00000000..fc99c9e1
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47211.json
@@ -0,0 +1,78 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: fix null pointer dereference on pointer cs_desc\n\nThe pointer cs_desc return from snd_usb_find_clock_source could\nbe null, so there is a potential null pointer dereference issue.\nFix this by adding a null check before dereference."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "58fa50de595f",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "b97053df0f04",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.15.5",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.16",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/58fa50de595f152900594c28ec9915c169643739"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/b97053df0f04747c3c1e021ecbe99db675342954"
+ }
+ ],
+ "title": "ALSA: usb-audio: fix null pointer dereference on pointer cs_desc",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47211",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
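Review bot: The second "affected" block marks only 5.15.5 (within 5.15.*) and 5.16 onward as unaffected while "defaultStatus" is "affected", so every older stable series is reported as vulnerable with no fix commit to point to. The description also says only that cs_desc "could be null" without saying under what condition snd_usb_find_clock_source returns NULL. It is worth confirming whether the unchecked dereference exists in the older series at all, and either adding an introducing commit as the lower bound or noting that no backport is planned, so downstream consumers can tell "unfixed" from "not applicable".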
diff --git a/cve/published/2021/CVE-2021-47211.mbox b/cve/published/2021/CVE-2021-47211.mbox
new file mode 100644
index 00000000..1a08c341
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47211.mbox
@@ -0,0 +1,66 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47211: ALSA: usb-audio: fix null pointer dereference on pointer cs_desc
+Message-Id: <2024041004-CVE-2021-47211-cde3@gregkh>
+Content-Length: 1677
+Lines: 49
+X-Developer-Signature: v=1; a=openpgp-sha256; l=1727;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=get3mWZB5xgy2tW2sdpNu4X9nPFIp/4FMkJx6D6fyaE=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGlij3T4vT5oXz8418E6ZWrzVGH9fsbJLw6eWr8qPHj+g
+ W9cjrlHO2JZGASZGGTFFFm+bOM5ur/ikKKXoe1pmDmsTCBDGLg4BWAif5MY5rs9Cyw/+k/LQyVn
+ 26R95iotK7zWXmFYML1ILnEN596A7kYlt53/85TS9hx7DgA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+ALSA: usb-audio: fix null pointer dereference on pointer cs_desc
+
+The pointer cs_desc return from snd_usb_find_clock_source could
+be null, so there is a potential null pointer dereference issue.
+Fix this by adding a null check before dereference.
+
+The Linux kernel CVE team has assigned CVE-2021-47211 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 5.15.5 with commit 58fa50de595f
+ Fixed in 5.16 with commit b97053df0f04
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47211
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ sound/usb/clock.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/58fa50de595f152900594c28ec9915c169643739
+ https://git.kernel.org/stable/c/b97053df0f04747c3c1e021ecbe99db675342954
diff --git a/cve/published/2021/CVE-2021-47211.sha1 b/cve/published/2021/CVE-2021-47211.sha1
new file mode 100644
index 00000000..2b7de929
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47211.sha1
@@ -0,0 +1 @@
+b97053df0f04747c3c1e021ecbe99db675342954
diff --git a/cve/reserved/2021/CVE-2021-47212 b/cve/published/2021/CVE-2021-47212
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47212
+++ b/cve/published/2021/CVE-2021-47212
diff --git a/cve/published/2021/CVE-2021-47212.json b/cve/published/2021/CVE-2021-47212.json
new file mode 100644
index 00000000..340ef9a6
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47212.json
@@ -0,0 +1,88 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Update error handler for UCTX and UMEM\n\nIn the fast unload flow, the device state is set to internal error,\nwhich indicates that the driver started the destroy process.\nIn this case, when a destroy command is being executed, it should return\nMLX5_CMD_STAT_OK.\nFix MLX5_CMD_OP_DESTROY_UCTX and MLX5_CMD_OP_DESTROY_UMEM to return OK\ninstead of EIO.\n\nThis fixes a call trace in the umem release process -\n[ 2633.536695] Call Trace:\n[ 2633.537518] ib_uverbs_remove_one+0xc3/0x140 [ib_uverbs]\n[ 2633.538596] remove_client_context+0x8b/0xd0 [ib_core]\n[ 2633.539641] disable_device+0x8c/0x130 [ib_core]\n[ 2633.540615] __ib_unregister_device+0x35/0xa0 [ib_core]\n[ 2633.541640] ib_unregister_device+0x21/0x30 [ib_core]\n[ 2633.542663] __mlx5_ib_remove+0x38/0x90 [mlx5_ib]\n[ 2633.543640] auxiliary_bus_remove+0x1e/0x30 [auxiliary]\n[ 2633.544661] device_release_driver_internal+0x103/0x1f0\n[ 2633.545679] bus_remove_device+0xf7/0x170\n[ 2633.546640] device_del+0x181/0x410\n[ 2633.547606] mlx5_rescan_drivers_locked.part.10+0x63/0x160 [mlx5_core]\n[ 2633.548777] mlx5_unregister_device+0x27/0x40 [mlx5_core]\n[ 2633.549841] mlx5_uninit_one+0x21/0xc0 [mlx5_core]\n[ 2633.550864] remove_one+0x69/0xe0 [mlx5_core]\n[ 2633.551819] pci_device_remove+0x3b/0xc0\n[ 2633.552731] device_release_driver_internal+0x103/0x1f0\n[ 2633.553746] unbind_store+0xf6/0x130\n[ 2633.554657] kernfs_fop_write+0x116/0x190\n[ 2633.555567] vfs_write+0xa5/0x1a0\n[ 2633.556407] ksys_write+0x4f/0xb0\n[ 2633.557233] do_syscall_64+0x5b/0x1a0\n[ 2633.558071] entry_SYSCALL_64_after_hwframe+0x65/0xca\n[ 2633.559018] RIP: 0033:0x7f9977132648\n[ 2633.559821] Code: 89 02 48 c7 c0 ff ff ff ff eb b3 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 8d 05 55 6f 2d 00 8b 00 85 c0 75 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 41 54 49 89 d4 55\n[ 2633.562332] RSP: 002b:00007fffb1a83888 EFLAGS: 00000246 ORIG_RAX: 
0000000000000001\n[ 2633.563472] RAX: ffffffffffffffda RBX: 000000000000000c RCX: 00007f9977132648\n[ 2633.564541] RDX: 000000000000000c RSI: 000055b90546e230 RDI: 0000000000000001\n[ 2633.565596] RBP: 000055b90546e230 R08: 00007f9977406860 R09: 00007f9977a54740\n[ 2633.566653] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f99774056e0\n[ 2633.567692] R13: 000000000000000c R14: 00007f9977400880 R15: 000000000000000c\n[ 2633.568725] ---[ end trace 10b4fe52945e544d ]---"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6a6fabbfa3e8",
+ "lessThan": "a51a6da375d8",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "6a6fabbfa3e8",
+ "lessThan": "ba50cd9451f6",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.2",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.2",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.5",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.16",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/a51a6da375d82aed5c8f83abd13e7d060421bd48"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/ba50cd9451f6c49cf0841c0a4a146ff6a2822699"
+ }
+ ],
+ "title": "net/mlx5: Update error handler for UCTX and UMEM",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47212",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
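Review bot: The "value" string under "descriptions" carries the complete dmesg excerpt, including the Code: byte line and the RSP/RAX through R15 register dump, none of which helps a reader decide whether a system is affected. Suggest keeping the prose paragraph and at most the function frames of the call trace, and dropping the Code: and register lines from the CVE description.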
diff --git a/cve/published/2021/CVE-2021-47212.mbox b/cve/published/2021/CVE-2021-47212.mbox
new file mode 100644
index 00000000..0b5d2e8f
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47212.mbox
@@ -0,0 +1,103 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47212: net/mlx5: Update error handler for UCTX and UMEM
+Message-Id: <2024041005-CVE-2021-47212-01d8@gregkh>
+Content-Length: 3940
+Lines: 86
+X-Developer-Signature: v=1; a=openpgp-sha256; l=4027;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=9Vz5uMk8JO8j8cHyRAUZsl6O/1Cnx+/VoOu7XXGmKqM=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGlij3S37XjdEH+7W6vXwPFBb4tv+9avfEU5BXLH+l9sb
+ GZc9yenI5aFQZCJQVZMkeXLNp6j+ysOKXoZ2p6GmcPKBDKEgYtTACaSrMowh/ffOeaS1oVGdk/E
+ ku4/uif06MqTywwLFpw8oZ5gw7hAQ77fuFQqrPi7cnUvAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+net/mlx5: Update error handler for UCTX and UMEM
+
+In the fast unload flow, the device state is set to internal error,
+which indicates that the driver started the destroy process.
+In this case, when a destroy command is being executed, it should return
+MLX5_CMD_STAT_OK.
+Fix MLX5_CMD_OP_DESTROY_UCTX and MLX5_CMD_OP_DESTROY_UMEM to return OK
+instead of EIO.
+
+This fixes a call trace in the umem release process -
+[ 2633.536695] Call Trace:
+[ 2633.537518] ib_uverbs_remove_one+0xc3/0x140 [ib_uverbs]
+[ 2633.538596] remove_client_context+0x8b/0xd0 [ib_core]
+[ 2633.539641] disable_device+0x8c/0x130 [ib_core]
+[ 2633.540615] __ib_unregister_device+0x35/0xa0 [ib_core]
+[ 2633.541640] ib_unregister_device+0x21/0x30 [ib_core]
+[ 2633.542663] __mlx5_ib_remove+0x38/0x90 [mlx5_ib]
+[ 2633.543640] auxiliary_bus_remove+0x1e/0x30 [auxiliary]
+[ 2633.544661] device_release_driver_internal+0x103/0x1f0
+[ 2633.545679] bus_remove_device+0xf7/0x170
+[ 2633.546640] device_del+0x181/0x410
+[ 2633.547606] mlx5_rescan_drivers_locked.part.10+0x63/0x160 [mlx5_core]
+[ 2633.548777] mlx5_unregister_device+0x27/0x40 [mlx5_core]
+[ 2633.549841] mlx5_uninit_one+0x21/0xc0 [mlx5_core]
+[ 2633.550864] remove_one+0x69/0xe0 [mlx5_core]
+[ 2633.551819] pci_device_remove+0x3b/0xc0
+[ 2633.552731] device_release_driver_internal+0x103/0x1f0
+[ 2633.553746] unbind_store+0xf6/0x130
+[ 2633.554657] kernfs_fop_write+0x116/0x190
+[ 2633.555567] vfs_write+0xa5/0x1a0
+[ 2633.556407] ksys_write+0x4f/0xb0
+[ 2633.557233] do_syscall_64+0x5b/0x1a0
+[ 2633.558071] entry_SYSCALL_64_after_hwframe+0x65/0xca
+[ 2633.559018] RIP: 0033:0x7f9977132648
+[ 2633.559821] Code: 89 02 48 c7 c0 ff ff ff ff eb b3 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 8d 05 55 6f 2d 00 8b 00 85 c0 75 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 41 54 49 89 d4 55
+[ 2633.562332] RSP: 002b:00007fffb1a83888 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
+[ 2633.563472] RAX: ffffffffffffffda RBX: 000000000000000c RCX: 00007f9977132648
+[ 2633.564541] RDX: 000000000000000c RSI: 000055b90546e230 RDI: 0000000000000001
+[ 2633.565596] RBP: 000055b90546e230 R08: 00007f9977406860 R09: 00007f9977a54740
+[ 2633.566653] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f99774056e0
+[ 2633.567692] R13: 000000000000000c R14: 00007f9977400880 R15: 000000000000000c
+[ 2633.568725] ---[ end trace 10b4fe52945e544d ]---
+
+The Linux kernel CVE team has assigned CVE-2021-47212 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.2 with commit 6a6fabbfa3e8 and fixed in 5.15.5 with commit a51a6da375d8
+ Issue introduced in 5.2 with commit 6a6fabbfa3e8 and fixed in 5.16 with commit ba50cd9451f6
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47212
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/a51a6da375d82aed5c8f83abd13e7d060421bd48
+ https://git.kernel.org/stable/c/ba50cd9451f6c49cf0841c0a4a146ff6a2822699
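Review bot: The Description says the change "fixes a call trace in the umem release process", but the quoted log starts at "Call Trace:" with no preceding WARNING or BUG line, so the text never states what kind of failure this was. Suggest one sentence saying what happens (warning, oops or hang) when MLX5_CMD_OP_DESTROY_UCTX or MLX5_CMD_OP_DESTROY_UMEM returns EIO during fast unload, so the impact can be judged without reading the fix commit.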
diff --git a/cve/published/2021/CVE-2021-47212.sha1 b/cve/published/2021/CVE-2021-47212.sha1
new file mode 100644
index 00000000..c86d02b0
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47212.sha1
@@ -0,0 +1 @@
+ba50cd9451f6c49cf0841c0a4a146ff6a2822699
diff --git a/cve/reserved/2021/CVE-2021-47213 b/cve/published/2021/CVE-2021-47213
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47213
+++ b/cve/published/2021/CVE-2021-47213
diff --git a/cve/published/2021/CVE-2021-47213.json b/cve/published/2021/CVE-2021-47213.json
new file mode 100644
index 00000000..797cc822
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47213.json
@@ -0,0 +1,88 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Fix exposure in nfsd4_decode_bitmap()\n\nrtm@csail.mit.edu reports:\n> nfsd4_decode_bitmap4() will write beyond bmval[bmlen-1] if the RPC\n> directs it to do so. This can cause nfsd4_decode_state_protect4_a()\n> to write client-supplied data beyond the end of\n> nfsd4_exchange_id.spo_must_allow[] when called by\n> nfsd4_decode_exchange_id().\n\nRewrite the loops so nfsd4_decode_bitmap() cannot iterate beyond\n@bmlen.\n\nReported by: rtm@csail.mit.edu"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "d1c263a031e8",
+ "lessThan": "10c22d9519f3",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "d1c263a031e8",
+ "lessThan": "c0019b7db1d7",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.11",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.11",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.5",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.16",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/10c22d9519f3f5939de61a1500aa3a926b778d3a"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/c0019b7db1d7ac62c711cda6b357a659d46428fe"
+ }
+ ],
+ "title": "NFSD: Fix exposure in nfsd4_decode_bitmap()",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47213",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
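Review bot: The "title" calls this an "exposure", while the report quoted in "value" describes a write of client-supplied data beyond the end of nfsd4_exchange_id.spo_must_allow[], which is an out-of-bounds write rather than a disclosure; the description should say so in its own words. The quoted report also names nfsd4_decode_bitmap4() where the title and the fix text name nfsd4_decode_bitmap(), and the "> " quote markers and the "Reported by:" line with the reporter's address are commit-message residue that reads poorly in a CVE record.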
diff --git a/cve/published/2021/CVE-2021-47213.mbox b/cve/published/2021/CVE-2021-47213.mbox
new file mode 100644
index 00000000..603aadb9
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47213.mbox
@@ -0,0 +1,74 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47213: NFSD: Fix exposure in nfsd4_decode_bitmap()
+Message-Id: <2024041005-CVE-2021-47213-c84f@gregkh>
+Content-Length: 1987
+Lines: 57
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2045;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=ID2nPGGUOP0Qnw+Z7BAkS5MBqS9u3a0qdtcx+iy8Da8=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGlij3RnpOZuSlLkmLuokmtLatGSG19cUtas379XYs069
+ ofPQh/2dsSyMAgyMciKKbJ82cZzdH/FIUUvQ9vTMHNYmUCGMHBxCsBEHtQwzI9T4Jxx7oXcb66D
+ /LvnH1wbJmIoz8cwz4D513+OkN/zWT83lMu2Xj1jdeFbCgA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+NFSD: Fix exposure in nfsd4_decode_bitmap()
+
+rtm@csail.mit.edu reports:
+> nfsd4_decode_bitmap4() will write beyond bmval[bmlen-1] if the RPC
+> directs it to do so. This can cause nfsd4_decode_state_protect4_a()
+> to write client-supplied data beyond the end of
+> nfsd4_exchange_id.spo_must_allow[] when called by
+> nfsd4_decode_exchange_id().
+
+Rewrite the loops so nfsd4_decode_bitmap() cannot iterate beyond
+@bmlen.
+
+Reported by: rtm@csail.mit.edu
+
+The Linux kernel CVE team has assigned CVE-2021-47213 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.11 with commit d1c263a031e8 and fixed in 5.15.5 with commit 10c22d9519f3
+ Issue introduced in 5.11 with commit d1c263a031e8 and fixed in 5.16 with commit c0019b7db1d7
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47213
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ fs/nfsd/nfs4xdr.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/10c22d9519f3f5939de61a1500aa3a926b778d3a
+ https://git.kernel.org/stable/c/c0019b7db1d7ac62c711cda6b357a659d46428fe
diff --git a/cve/published/2021/CVE-2021-47213.sha1 b/cve/published/2021/CVE-2021-47213.sha1
new file mode 100644
index 00000000..6c70a41f
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47213.sha1
@@ -0,0 +1 @@
+c0019b7db1d7ac62c711cda6b357a659d46428fe
diff --git a/cve/reserved/2021/CVE-2021-47214 b/cve/published/2021/CVE-2021-47214
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47214
+++ b/cve/published/2021/CVE-2021-47214
diff --git a/cve/published/2021/CVE-2021-47214.json b/cve/published/2021/CVE-2021-47214.json
new file mode 100644
index 00000000..860a3f0c
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47214.json
@@ -0,0 +1,88 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhugetlb, userfaultfd: fix reservation restore on userfaultfd error\n\nCurrently in the is_continue case in hugetlb_mcopy_atomic_pte(), if we\nbail out using \"goto out_release_unlock;\" in the cases where idx >=\nsize, or !huge_pte_none(), the code will detect that new_pagecache_page\n== false, and so call restore_reserve_on_error(). In this case I see\nrestore_reserve_on_error() delete the reservation, and the following\ncall to remove_inode_hugepages() will increment h->resv_hugepages\ncausing a 100% reproducible leak.\n\nWe should treat the is_continue case similar to adding a page into the\npagecache and set new_pagecache_page to true, to indicate that there is\nno reservation to restore on the error path, and we need not call\nrestore_reserve_on_error(). Rename new_pagecache_page to\npage_in_pagecache to make that clear."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "c7b1850dfb41",
+ "lessThan": "b5069d44e2fb",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "c7b1850dfb41",
+ "lessThan": "cc30042df6fc",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.14",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.14",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.5",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.16",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/b5069d44e2fbc4a9093d005b3ef0949add3dd27e"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/cc30042df6fcc82ea18acf0dace831503e60a0b7"
+ }
+ ],
+ "title": "hugetlb, userfaultfd: fix reservation restore on userfaultfd error",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47214",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
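Review bot: The second "affected" block marks every version below 5.14 as unaffected ("version": "0", "lessThan": "5.14"), yet the .mbox added for this same CVE lists "Issue introduced in 5.13.13 with commit 515b6124df6a". Neither 5.13.13 nor 515b6124df6a appears anywhere under "versions", so a consumer of the JSON alone will treat 5.13.y as safe. Suggest adding a range for the 5.13.13 backport, or correcting whichever of the two files is wrong.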
diff --git a/cve/published/2021/CVE-2021-47214.mbox b/cve/published/2021/CVE-2021-47214.mbox
new file mode 100644
index 00000000..b8e4b68a
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47214.mbox
@@ -0,0 +1,77 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47214: hugetlb, userfaultfd: fix reservation restore on userfaultfd error
+Message-Id: <2024041005-CVE-2021-47214-59f9@gregkh>
+Content-Length: 2411
+Lines: 60
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2472;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=zLk6l1enO1/MM57ThtvVtC1QPAIVJnM/rmt+9OoVCf4=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGlij3Snh/5Ybr0/UXjX/6/rd+7d37xn4dG915y+qq3bt
+ 39DlsBUh45YFgZBJgZZMUWWL9t4ju6vOKToZWh7GmYOKxPIEAYuTgGYiIQIw4KDYmFxLzwv3LrX
+ HcEgfERwZYas7H6GBYsNn/7m3tfasnnntXX/vkh8/HNiujUA
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+hugetlb, userfaultfd: fix reservation restore on userfaultfd error
+
+Currently in the is_continue case in hugetlb_mcopy_atomic_pte(), if we
+bail out using "goto out_release_unlock;" in the cases where idx >=
+size, or !huge_pte_none(), the code will detect that new_pagecache_page
+== false, and so call restore_reserve_on_error(). In this case I see
+restore_reserve_on_error() delete the reservation, and the following
+call to remove_inode_hugepages() will increment h->resv_hugepages
+causing a 100% reproducible leak.
+
+We should treat the is_continue case similar to adding a page into the
+pagecache and set new_pagecache_page to true, to indicate that there is
+no reservation to restore on the error path, and we need not call
+restore_reserve_on_error(). Rename new_pagecache_page to
+page_in_pagecache to make that clear.
+
+The Linux kernel CVE team has assigned CVE-2021-47214 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.14 with commit c7b1850dfb41 and fixed in 5.15.5 with commit b5069d44e2fb
+ Issue introduced in 5.14 with commit c7b1850dfb41 and fixed in 5.16 with commit cc30042df6fc
+ Issue introduced in 5.13.13 with commit 515b6124df6a
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47214
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ mm/hugetlb.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/b5069d44e2fbc4a9093d005b3ef0949add3dd27e
+ https://git.kernel.org/stable/c/cc30042df6fcc82ea18acf0dace831503e60a0b7
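Review bot: Under "Affected and fixed versions", the line "Issue introduced in 5.13.13 with commit 515b6124df6a" names no fixed release or commit, unlike the two lines above it. Suggest stating explicitly that no fix is listed for that branch, so the line does not read as truncated and readers on 5.13.y know where they stand.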
diff --git a/cve/published/2021/CVE-2021-47214.sha1 b/cve/published/2021/CVE-2021-47214.sha1
new file mode 100644
index 00000000..a6a25a1b
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47214.sha1
@@ -0,0 +1 @@
+cc30042df6fcc82ea18acf0dace831503e60a0b7
diff --git a/cve/reserved/2021/CVE-2021-47215 b/cve/published/2021/CVE-2021-47215
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47215
+++ b/cve/published/2021/CVE-2021-47215
diff --git a/cve/published/2021/CVE-2021-47215.json b/cve/published/2021/CVE-2021-47215.json
new file mode 100644
index 00000000..a0b5a22b
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47215.json
@@ -0,0 +1,88 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: kTLS, Fix crash in RX resync flow\n\nFor the TLS RX resync flow, we maintain a list of TLS contexts\nthat require some attention, to communicate their resync information\nto the HW.\nHere we fix list corruptions, by protecting the entries against\nmovements coming from resync_handle_seq_match(), until their resync\nhandling in napi is fully completed."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "e9ce991bce5b",
+ "lessThan": "ebeda7a9528a",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "e9ce991bce5b",
+ "lessThan": "cc4a9cc03faa",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.13",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.13",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.5",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.16",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/ebeda7a9528ae690e6bf12791a868f0cca8391f2"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/cc4a9cc03faa6d8db1a6954bb536f2c1e63bdff6"
+ }
+ ],
+ "title": "net/mlx5e: kTLS, Fix crash in RX resync flow",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47215",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2021/CVE-2021-47215.mbox b/cve/published/2021/CVE-2021-47215.mbox
new file mode 100644
index 00000000..8053d091
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47215.mbox
@@ -0,0 +1,69 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47215: net/mlx5e: kTLS, Fix crash in RX resync flow
+Message-Id: <2024041005-CVE-2021-47215-2718@gregkh>
+Content-Length: 1937
+Lines: 52
+X-Developer-Signature: v=1; a=openpgp-sha256; l=1990;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=rtRxadVhAU5+9DS8pEMoZ8G0HNx/GnpXvrujjMI/isQ=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGlij3T/uf3WWjzjbfNNu8faWvYqumpK9crrIrbFfVZl+
+ S55JlqnI5aFQZCJQVZMkeXLNp6j+ysOKXoZ2p6GmcPKBDKEgYtTACYyZQHDgvOX3rNETde2qHcM
+ 4utN5Ga0FbQ4wrDgYmhg22vmAKt7DIvXP4zWfbdkyufVAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+net/mlx5e: kTLS, Fix crash in RX resync flow
+
+For the TLS RX resync flow, we maintain a list of TLS contexts
+that require some attention, to communicate their resync information
+to the HW.
+Here we fix list corruptions, by protecting the entries against
+movements coming from resync_handle_seq_match(), until their resync
+handling in napi is fully completed.
+
+The Linux kernel CVE team has assigned CVE-2021-47215 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.13 with commit e9ce991bce5b and fixed in 5.15.5 with commit ebeda7a9528a
+ Issue introduced in 5.13 with commit e9ce991bce5b and fixed in 5.16 with commit cc4a9cc03faa
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47215
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_rx.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/ebeda7a9528ae690e6bf12791a868f0cca8391f2
+ https://git.kernel.org/stable/c/cc4a9cc03faa6d8db1a6954bb536f2c1e63bdff6
diff --git a/cve/published/2021/CVE-2021-47215.sha1 b/cve/published/2021/CVE-2021-47215.sha1
new file mode 100644
index 00000000..26226471
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47215.sha1
@@ -0,0 +1 @@
+cc4a9cc03faa6d8db1a6954bb536f2c1e63bdff6
diff --git a/cve/reserved/2021/CVE-2021-47216 b/cve/published/2021/CVE-2021-47216
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47216
+++ b/cve/published/2021/CVE-2021-47216
diff --git a/cve/published/2021/CVE-2021-47216.json b/cve/published/2021/CVE-2021-47216.json
new file mode 100644
index 00000000..b37265ea
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47216.json
@@ -0,0 +1,168 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: advansys: Fix kernel pointer leak\n\nPointers should be printed with %p or %px rather than cast to 'unsigned\nlong' and printed with %lx.\n\nChange %lx to %p to print the hashed pointer."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "06d7d12efb5c",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "ad19f7046c24",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "5612287991de",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "f5a0ba4a9b5e",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "cc248790bfdc",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "055eced3edf5",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "27490ae6a85a",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "d4996c6eac4c",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "4.4.293",
+ "lessThanOrEqual": "4.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.9.291",
+ "lessThanOrEqual": "4.9.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.14.256",
+ "lessThanOrEqual": "4.14.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.19.218",
+ "lessThanOrEqual": "4.19.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.162",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.82",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.5",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.16",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/06d7d12efb5c62db9dea15141ae2b322c2719515"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/ad19f7046c24f95c674fbea21870479b2b9f5bab"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/5612287991debe310c914600599bd59511ababfb"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/f5a0ba4a9b5e70e7b2f767636d26523f9d1ac59d"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/cc248790bfdcf879e3094fa248c85bf92cdf9dae"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/055eced3edf5b675d12189081303f6285ef26511"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/27490ae6a85a70242d80615ca74d0362a820d6a7"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/d4996c6eac4c81b8872043e9391563f67f13e406"
+ }
+ ],
+ "title": "scsi: advansys: Fix kernel pointer leak",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47216",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
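Review bot: All eight git ranges in the first "affected" block start at 1da177e4c3f4, the first commit in the kernel's git history, and the second block has no lower bound such as the "version": "0" with "lessThan" entry that the other records in this commit carry, so the record declares every kernel before the listed stable fixes affected. If the commit that introduced the %lx print in drivers/scsi/advansys.c is known, use it as the range start; if it is not, say in the description that the introduction point is unknown, since the .mbox likewise lists only "Fixed in" lines.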
diff --git a/cve/published/2021/CVE-2021-47216.mbox b/cve/published/2021/CVE-2021-47216.mbox
new file mode 100644
index 00000000..498e7146
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47216.mbox
@@ -0,0 +1,79 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47216: scsi: advansys: Fix kernel pointer leak
+Message-Id: <2024041006-CVE-2021-47216-1700@gregkh>
+Content-Length: 2328
+Lines: 62
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2391;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=bwsxUdmHdhcwY4R29xZzghAOb0wogwTibcmnKT8C9KA=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGlij/SW85xxkwt5sHXK9y7Tl00ZPhdU9lZ++qb8rEzEe
+ J/J2m1ZHbEsDIJMDLJiiixftvEc3V9xSNHL0PY0zBxWJpAhDFycAjAR5sMM83TyO4y8y9c/TQoo
+ tGWQ1TFXSo/vYljQtVHMSdd7a9mJdmfDEBFO0U2C3w4AAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+scsi: advansys: Fix kernel pointer leak
+
+Pointers should be printed with %p or %px rather than cast to 'unsigned
+long' and printed with %lx.
+
+Change %lx to %p to print the hashed pointer.
+
+The Linux kernel CVE team has assigned CVE-2021-47216 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 4.4.293 with commit 06d7d12efb5c
+ Fixed in 4.9.291 with commit ad19f7046c24
+ Fixed in 4.14.256 with commit 5612287991de
+ Fixed in 4.19.218 with commit f5a0ba4a9b5e
+ Fixed in 5.4.162 with commit cc248790bfdc
+ Fixed in 5.10.82 with commit 055eced3edf5
+ Fixed in 5.15.5 with commit 27490ae6a85a
+ Fixed in 5.16 with commit d4996c6eac4c
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47216
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/scsi/advansys.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/06d7d12efb5c62db9dea15141ae2b322c2719515
+ https://git.kernel.org/stable/c/ad19f7046c24f95c674fbea21870479b2b9f5bab
+ https://git.kernel.org/stable/c/5612287991debe310c914600599bd59511ababfb
+ https://git.kernel.org/stable/c/f5a0ba4a9b5e70e7b2f767636d26523f9d1ac59d
+ https://git.kernel.org/stable/c/cc248790bfdcf879e3094fa248c85bf92cdf9dae
+ https://git.kernel.org/stable/c/055eced3edf5b675d12189081303f6285ef26511
+ https://git.kernel.org/stable/c/27490ae6a85a70242d80615ca74d0362a820d6a7
+ https://git.kernel.org/stable/c/d4996c6eac4c81b8872043e9391563f67f13e406
diff --git a/cve/published/2021/CVE-2021-47216.sha1 b/cve/published/2021/CVE-2021-47216.sha1
new file mode 100644
index 00000000..4bdd1e33
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47216.sha1
@@ -0,0 +1 @@
+d4996c6eac4c81b8872043e9391563f67f13e406
diff --git a/cve/reserved/2021/CVE-2021-47217 b/cve/published/2021/CVE-2021-47217
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47217
+++ b/cve/published/2021/CVE-2021-47217
diff --git a/cve/published/2021/CVE-2021-47217.json b/cve/published/2021/CVE-2021-47217.json
new file mode 100644
index 00000000..8b63e33f
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47217.json
@@ -0,0 +1,133 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/hyperv: Fix NULL deref in set_hv_tscchange_cb() if Hyper-V setup fails\n\nCheck for a valid hv_vp_index array prior to derefencing hv_vp_index when\nsetting Hyper-V's TSC change callback. If Hyper-V setup failed in\nhyperv_init(), the kernel will still report that it's running under\nHyper-V, but will have silently disabled nearly all functionality.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000010\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] SMP\n CPU: 4 PID: 1 Comm: swapper/0 Not tainted 5.15.0-rc2+ #75\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n RIP: 0010:set_hv_tscchange_cb+0x15/0xa0\n Code: <8b> 04 82 8b 15 12 17 85 01 48 c1 e0 20 48 0d ee 00 01 00 f6 c6 08\n ...\n Call Trace:\n kvm_arch_init+0x17c/0x280\n kvm_init+0x31/0x330\n vmx_init+0xba/0x13a\n do_one_initcall+0x41/0x1c0\n kernel_init_freeable+0x1f2/0x23b\n kernel_init+0x16/0x120\n ret_from_fork+0x22/0x30"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "93286261de1b",
+ "lessThan": "b20ec58f8a6f",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "93286261de1b",
+ "lessThan": "b0e44dfb4e4c",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "93286261de1b",
+ "lessThan": "9c177eee116c",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "93286261de1b",
+ "lessThan": "8823ea27fff6",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "93286261de1b",
+ "lessThan": "daf972118c51",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "4.16",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "4.16",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.19.218",
+ "lessThanOrEqual": "4.19.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.162",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.82",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.5",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.16",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/b20ec58f8a6f4fef32cc71480ddf824584e24743"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/b0e44dfb4e4c699cca33ede431b8d127e6e8d661"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/9c177eee116cf888276d3748cb176e72562cfd5c"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/8823ea27fff6084bbb4bc71d15378fae0220b1d8"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/daf972118c517b91f74ff1731417feb4270625a4"
+ }
+ ],
+ "title": "x86/hyperv: Fix NULL deref in set_hv_tscchange_cb() if Hyper-V setup fails",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47217",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
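Review bot: The `descriptions` value misspells "dereferencing" as "derefencing" ("prior to derefencing hv_vp_index"), and this string is what ends up in the published CVE record. Suggest correcting the spelling here and in the matching Description paragraph of CVE-2021-47217.mbox so the two texts stay identical.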
diff --git a/cve/published/2021/CVE-2021-47217.mbox b/cve/published/2021/CVE-2021-47217.mbox
new file mode 100644
index 00000000..f8b101d5
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47217.mbox
@@ -0,0 +1,92 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47217: x86/hyperv: Fix NULL deref in set_hv_tscchange_cb() if Hyper-V setup fails
+Message-Id: <2024041006-CVE-2021-47217-a7d0@gregkh>
+Content-Length: 3073
+Lines: 75
+X-Developer-Signature: v=1; a=openpgp-sha256; l=3149;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=KbbnrmDld8R0xI1hxEmCtHuymQ8xtGMpt7EoBHJWnKU=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGlij/TO6f0MqJTu5Oza7T1t7u2L81SWbFmT7/GS29no3
+ aHz+3Knd8SyMAgyMciKKbJ82cZzdH/FIUUvQ9vTMHNYmUCGMHBxCsBEDr9lmJ/2+MS/zNUT6tsd
+ uKIDrmzw1e1f2sswPzv42LUlv+aEGTfdNzw42z8mecvi9QA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+x86/hyperv: Fix NULL deref in set_hv_tscchange_cb() if Hyper-V setup fails
+
+Check for a valid hv_vp_index array prior to derefencing hv_vp_index when
+setting Hyper-V's TSC change callback. If Hyper-V setup failed in
+hyperv_init(), the kernel will still report that it's running under
+Hyper-V, but will have silently disabled nearly all functionality.
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000010
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 0 P4D 0
+ Oops: 0000 [#1] SMP
+ CPU: 4 PID: 1 Comm: swapper/0 Not tainted 5.15.0-rc2+ #75
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
+ RIP: 0010:set_hv_tscchange_cb+0x15/0xa0
+ Code: <8b> 04 82 8b 15 12 17 85 01 48 c1 e0 20 48 0d ee 00 01 00 f6 c6 08
+ ...
+ Call Trace:
+ kvm_arch_init+0x17c/0x280
+ kvm_init+0x31/0x330
+ vmx_init+0xba/0x13a
+ do_one_initcall+0x41/0x1c0
+ kernel_init_freeable+0x1f2/0x23b
+ kernel_init+0x16/0x120
+ ret_from_fork+0x22/0x30
+
+The Linux kernel CVE team has assigned CVE-2021-47217 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 4.16 with commit 93286261de1b and fixed in 4.19.218 with commit b20ec58f8a6f
+ Issue introduced in 4.16 with commit 93286261de1b and fixed in 5.4.162 with commit b0e44dfb4e4c
+ Issue introduced in 4.16 with commit 93286261de1b and fixed in 5.10.82 with commit 9c177eee116c
+ Issue introduced in 4.16 with commit 93286261de1b and fixed in 5.15.5 with commit 8823ea27fff6
+ Issue introduced in 4.16 with commit 93286261de1b and fixed in 5.16 with commit daf972118c51
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47217
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ arch/x86/hyperv/hv_init.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/b20ec58f8a6f4fef32cc71480ddf824584e24743
+ https://git.kernel.org/stable/c/b0e44dfb4e4c699cca33ede431b8d127e6e8d661
+ https://git.kernel.org/stable/c/9c177eee116cf888276d3748cb176e72562cfd5c
+ https://git.kernel.org/stable/c/8823ea27fff6084bbb4bc71d15378fae0220b1d8
+ https://git.kernel.org/stable/c/daf972118c517b91f74ff1731417feb4270625a4
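Review bot: The Description never states the trigger or the impact in words, so a reader has to infer both from the oops. The trace shows the NULL dereference in set_hv_tscchange_cb() reached through vmx_init -> kvm_init -> kvm_arch_init in swapper/0 (PID 1), that is, during boot-time KVM initialisation on a kernel where hyperv_init() had failed. Suggest one sentence ahead of the trace saying so, which would let triage proceed without reading the call trace.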
diff --git a/cve/published/2021/CVE-2021-47217.sha1 b/cve/published/2021/CVE-2021-47217.sha1
new file mode 100644
index 00000000..26b4aa45
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47217.sha1
@@ -0,0 +1 @@
+daf972118c517b91f74ff1731417feb4270625a4
diff --git a/cve/reserved/2021/CVE-2021-47218 b/cve/published/2021/CVE-2021-47218
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47218
+++ b/cve/published/2021/CVE-2021-47218
diff --git a/cve/published/2021/CVE-2021-47218.json b/cve/published/2021/CVE-2021-47218.json
new file mode 100644
index 00000000..f23f558b
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47218.json
@@ -0,0 +1,103 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nselinux: fix NULL-pointer dereference when hashtab allocation fails\n\nWhen the hash table slot array allocation fails in hashtab_init(),\nh->size is left initialized with a non-zero value, but the h->htable\npointer is NULL. This may then cause a NULL pointer dereference, since\nthe policydb code relies on the assumption that even after a failed\nhashtab_init(), hashtab_map() and hashtab_destroy() can be safely called\non it. Yet, these detect an empty hashtab only by looking at the size.\n\nFix this by making sure that hashtab_init() always leaves behind a valid\nempty hashtab when the allocation fails."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "03414a49ad5f",
+ "lessThan": "b17dd53cac76",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "03414a49ad5f",
+ "lessThan": "83c8ab8503ad",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "03414a49ad5f",
+ "lessThan": "dc27f3c5d10c",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.8",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.8",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.82",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.5",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.16",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/b17dd53cac769dd13031b0ca34f90cc65e523fab"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/83c8ab8503adf56bf68dafc7a382f4946c87da79"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/dc27f3c5d10c58069672215787a96b4fae01818b"
+ }
+ ],
+ "title": "selinux: fix NULL-pointer dereference when hashtab allocation fails",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47218",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2021/CVE-2021-47218.mbox b/cve/published/2021/CVE-2021-47218.mbox
new file mode 100644
index 00000000..c3e58c0e
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47218.mbox
@@ -0,0 +1,74 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47218: selinux: fix NULL-pointer dereference when hashtab allocation fails
+Message-Id: <2024041006-CVE-2021-47218-cdc8@gregkh>
+Content-Length: 2321
+Lines: 57
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2379;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=FFCDFPYeNBVGAGudy5jsYCQjx5fwT/UwKAvtgP7upNM=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGlij/R4Z1uxnuBTc1coEd/59d/ft11fOXMv7TV7piOe/
+ mqRWNiLjlgWBkEmBlkxRZYv23iO7q84pOhlaHsaZg4rE8gQBi5OAZjIDCOGBZM2NH5wevqm6P+J
+ e8UTwvZccn1g+olhrhDbJ5tTHRabrv8VXzlzX5emtWnrHQA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+selinux: fix NULL-pointer dereference when hashtab allocation fails
+
+When the hash table slot array allocation fails in hashtab_init(),
+h->size is left initialized with a non-zero value, but the h->htable
+pointer is NULL. This may then cause a NULL pointer dereference, since
+the policydb code relies on the assumption that even after a failed
+hashtab_init(), hashtab_map() and hashtab_destroy() can be safely called
+on it. Yet, these detect an empty hashtab only by looking at the size.
+
+Fix this by making sure that hashtab_init() always leaves behind a valid
+empty hashtab when the allocation fails.
+
+The Linux kernel CVE team has assigned CVE-2021-47218 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.8 with commit 03414a49ad5f and fixed in 5.10.82 with commit b17dd53cac76
+ Issue introduced in 5.8 with commit 03414a49ad5f and fixed in 5.15.5 with commit 83c8ab8503ad
+ Issue introduced in 5.8 with commit 03414a49ad5f and fixed in 5.16 with commit dc27f3c5d10c
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47218
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ security/selinux/ss/hashtab.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/b17dd53cac769dd13031b0ca34f90cc65e523fab
+ https://git.kernel.org/stable/c/83c8ab8503adf56bf68dafc7a382f4946c87da79
+ https://git.kernel.org/stable/c/dc27f3c5d10c58069672215787a96b4fae01818b
diff --git a/cve/published/2021/CVE-2021-47218.sha1 b/cve/published/2021/CVE-2021-47218.sha1
new file mode 100644
index 00000000..40be7174
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47218.sha1
@@ -0,0 +1 @@
+dc27f3c5d10c58069672215787a96b4fae01818b
diff --git a/cve/reserved/2021/CVE-2021-47219 b/cve/published/2021/CVE-2021-47219
index e69de29b..e69de29b 100644
--- a/cve/reserved/2021/CVE-2021-47219
+++ b/cve/published/2021/CVE-2021-47219
diff --git a/cve/published/2021/CVE-2021-47219.json b/cve/published/2021/CVE-2021-47219.json
new file mode 100644
index 00000000..0a1cedc4
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47219.json
@@ -0,0 +1,93 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: scsi_debug: Fix out-of-bound read in resp_report_tgtpgs()\n\nThe following issue was observed running syzkaller:\n\nBUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:377 [inline]\nBUG: KASAN: slab-out-of-bounds in sg_copy_buffer+0x150/0x1c0 lib/scatterlist.c:831\nRead of size 2132 at addr ffff8880aea95dc8 by task syz-executor.0/9815\n\nCPU: 0 PID: 9815 Comm: syz-executor.0 Not tainted 4.19.202-00874-gfc0fe04215a9 #2\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014\nCall Trace:\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0xe4/0x14a lib/dump_stack.c:118\n print_address_description+0x73/0x280 mm/kasan/report.c:253\n kasan_report_error mm/kasan/report.c:352 [inline]\n kasan_report+0x272/0x370 mm/kasan/report.c:410\n memcpy+0x1f/0x50 mm/kasan/kasan.c:302\n memcpy include/linux/string.h:377 [inline]\n sg_copy_buffer+0x150/0x1c0 lib/scatterlist.c:831\n fill_from_dev_buffer+0x14f/0x340 drivers/scsi/scsi_debug.c:1021\n resp_report_tgtpgs+0x5aa/0x770 drivers/scsi/scsi_debug.c:1772\n schedule_resp+0x464/0x12f0 drivers/scsi/scsi_debug.c:4429\n scsi_debug_queuecommand+0x467/0x1390 drivers/scsi/scsi_debug.c:5835\n scsi_dispatch_cmd+0x3fc/0x9b0 drivers/scsi/scsi_lib.c:1896\n scsi_request_fn+0x1042/0x1810 drivers/scsi/scsi_lib.c:2034\n __blk_run_queue_uncond block/blk-core.c:464 [inline]\n __blk_run_queue+0x1a4/0x380 block/blk-core.c:484\n blk_execute_rq_nowait+0x1c2/0x2d0 block/blk-exec.c:78\n sg_common_write.isra.19+0xd74/0x1dc0 drivers/scsi/sg.c:847\n sg_write.part.23+0x6e0/0xd00 drivers/scsi/sg.c:716\n sg_write+0x64/0xa0 drivers/scsi/sg.c:622\n __vfs_write+0xed/0x690 fs/read_write.c:485\nkill_bdev:block_device:00000000e138492c\n vfs_write+0x184/0x4c0 fs/read_write.c:549\n ksys_write+0x107/0x240 fs/read_write.c:599\n do_syscall_64+0xc2/0x560 arch/x86/entry/common.c:293\n entry_SYSCALL_64_after_hwframe+0x49/0xbe\n\nWe get 
'alen' from command its type is int. If userspace passes a large\nlength we will get a negative 'alen'.\n\nSwitch n, alen, and rlen to u32."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "8440377e1a56",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "66523553fa62",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "f347c26836c2",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.10.82",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.5",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.16",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/8440377e1a5644779b4c8d013aa2a917f5fc83c3"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/66523553fa62c7878fc5441dc4e82be71934eb77"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/f347c26836c270199de1599c3cd466bb7747caa9"
+ }
+ ],
+ "title": "scsi: scsi_debug: Fix out-of-bound read in resp_report_tgtpgs()",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2021-47219",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
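Review bot: The second `affected` entry sets "defaultStatus": "affected" but lists only unaffected ranges (5.10.82, 5.15.5, 5.16), with no introduced-in version, and the git ranges all start at 1da177e4c3f4, the initial git import. As written, every kernel before those fixes is declared affected, including 4.19.y and 5.4.y, for which no fix commit is listed; the KASAN report in the description was taken on 4.19.202, so that may well be accurate. If the introducing commit is known, add it as the lower bound the way the CVE-2021-47217 and CVE-2021-47218 records do ("version": "4.16" / "5.8" with a "lessThan" unaffected range); if it is not, it would help to say explicitly that the older stable branches remain unfixed.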
diff --git a/cve/published/2021/CVE-2021-47219.mbox b/cve/published/2021/CVE-2021-47219.mbox
new file mode 100644
index 00000000..e6a0feda
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47219.mbox
@@ -0,0 +1,105 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2021-47219: scsi: scsi_debug: Fix out-of-bound read in resp_report_tgtpgs()
+Message-Id: <2024041006-CVE-2021-47219-c09e@gregkh>
+Content-Length: 3566
+Lines: 88
+X-Developer-Signature: v=1; a=openpgp-sha256; l=3655;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=7P9Bj6IXqU1WT7dB1vSNNHq0pC+fpKMtFONNERw3iag=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGlij/TOe8bN9dj/M/nBvkeyXw8KdP5Ll57WET9Z+Nunh
+ p0ls9Zwd8SyMAgyMciKKbJ82cZzdH/FIUUvQ9vTMHNYmUCGMHBxCsBEfi1gmM2asL83Yk3PNAaG
+ LR8Zp0WlsjAsTmJYcEJPpG9fmunM7+vOPJE+zh7mU7+uCgA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+scsi: scsi_debug: Fix out-of-bound read in resp_report_tgtpgs()
+
+The following issue was observed running syzkaller:
+
+BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:377 [inline]
+BUG: KASAN: slab-out-of-bounds in sg_copy_buffer+0x150/0x1c0 lib/scatterlist.c:831
+Read of size 2132 at addr ffff8880aea95dc8 by task syz-executor.0/9815
+
+CPU: 0 PID: 9815 Comm: syz-executor.0 Not tainted 4.19.202-00874-gfc0fe04215a9 #2
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xe4/0x14a lib/dump_stack.c:118
+ print_address_description+0x73/0x280 mm/kasan/report.c:253
+ kasan_report_error mm/kasan/report.c:352 [inline]
+ kasan_report+0x272/0x370 mm/kasan/report.c:410
+ memcpy+0x1f/0x50 mm/kasan/kasan.c:302
+ memcpy include/linux/string.h:377 [inline]
+ sg_copy_buffer+0x150/0x1c0 lib/scatterlist.c:831
+ fill_from_dev_buffer+0x14f/0x340 drivers/scsi/scsi_debug.c:1021
+ resp_report_tgtpgs+0x5aa/0x770 drivers/scsi/scsi_debug.c:1772
+ schedule_resp+0x464/0x12f0 drivers/scsi/scsi_debug.c:4429
+ scsi_debug_queuecommand+0x467/0x1390 drivers/scsi/scsi_debug.c:5835
+ scsi_dispatch_cmd+0x3fc/0x9b0 drivers/scsi/scsi_lib.c:1896
+ scsi_request_fn+0x1042/0x1810 drivers/scsi/scsi_lib.c:2034
+ __blk_run_queue_uncond block/blk-core.c:464 [inline]
+ __blk_run_queue+0x1a4/0x380 block/blk-core.c:484
+ blk_execute_rq_nowait+0x1c2/0x2d0 block/blk-exec.c:78
+ sg_common_write.isra.19+0xd74/0x1dc0 drivers/scsi/sg.c:847
+ sg_write.part.23+0x6e0/0xd00 drivers/scsi/sg.c:716
+ sg_write+0x64/0xa0 drivers/scsi/sg.c:622
+ __vfs_write+0xed/0x690 fs/read_write.c:485
+kill_bdev:block_device:00000000e138492c
+ vfs_write+0x184/0x4c0 fs/read_write.c:549
+ ksys_write+0x107/0x240 fs/read_write.c:599
+ do_syscall_64+0xc2/0x560 arch/x86/entry/common.c:293
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+We get 'alen' from command its type is int. If userspace passes a large
+length we will get a negative 'alen'.
+
+Switch n, alen, and rlen to u32.
+
+The Linux kernel CVE team has assigned CVE-2021-47219 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 5.10.82 with commit 8440377e1a56
+ Fixed in 5.15.5 with commit 66523553fa62
+ Fixed in 5.16 with commit f347c26836c2
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2021-47219
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/scsi/scsi_debug.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/8440377e1a5644779b4c8d013aa2a917f5fc83c3
+ https://git.kernel.org/stable/c/66523553fa62c7878fc5441dc4e82be71934eb77
+ https://git.kernel.org/stable/c/f347c26836c270199de1599c3cd466bb7747caa9
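Review bot: The Description's call trace has an unrelated console line interleaved in it (`kill_bdev:block_device:00000000e138492c`, between __vfs_write and vfs_write), and the only explanation of the bug is the sentence "We get 'alen' from command its type is int", which is hard to parse. Suggest dropping the stray line and adding a one-line summary that connects the cause to the report, for example that a large length supplied by userspace becomes a negative `alen` and leads to the 2132-byte out-of-bounds read reported under fill_from_dev_buffer(). The "Affected and fixed versions" list also gives only "Fixed in" lines, so readers on branches older than 5.10 cannot tell from this message whether they are affected.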
diff --git a/cve/published/2021/CVE-2021-47219.sha1 b/cve/published/2021/CVE-2021-47219.sha1
new file mode 100644
index 00000000..6df72202
--- /dev/null
+++ b/cve/published/2021/CVE-2021-47219.sha1
@@ -0,0 +1 @@
+f347c26836c270199de1599c3cd466bb7747caa9