authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>2024-04-17 12:10:25 +0200
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2024-04-17 12:10:25 +0200
commit915d6d442af1141d7971ae719e80fddedb07004d (patch)
tree9e4f29c3a68a4dd4c1db3ae48231dd0223f5639c
parent2c1316e0788581440b2c3a811e960a7d36d1c12f (diff)
more cves allocated for 6.7.7 stuff
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--cve/published/2024/CVE-2024-26832 (renamed from cve/reserved/2024/CVE-2024-26832)0
-rw-r--r--cve/published/2024/CVE-2024-26832.json118
-rw-r--r--cve/published/2024/CVE-2024-26832.mbox80
-rw-r--r--cve/published/2024/CVE-2024-26832.sha11
-rw-r--r--cve/published/2024/CVE-2024-26833 (renamed from cve/reserved/2024/CVE-2024-26833)0
-rw-r--r--cve/published/2024/CVE-2024-26833.json148
-rw-r--r--cve/published/2024/CVE-2024-26833.mbox98
-rw-r--r--cve/published/2024/CVE-2024-26833.sha11
-rw-r--r--cve/published/2024/CVE-2024-26834 (renamed from cve/reserved/2024/CVE-2024-26834)0
-rw-r--r--cve/published/2024/CVE-2024-26834.json121
-rw-r--r--cve/published/2024/CVE-2024-26834.mbox94
-rw-r--r--cve/published/2024/CVE-2024-26834.sha11
-rw-r--r--cve/published/2024/CVE-2024-26835 (renamed from cve/reserved/2024/CVE-2024-26835)0
-rw-r--r--cve/published/2024/CVE-2024-26835.json163
-rw-r--r--cve/published/2024/CVE-2024-26835.mbox81
-rw-r--r--cve/published/2024/CVE-2024-26835.sha11
-rw-r--r--cve/published/2024/CVE-2024-26836 (renamed from cve/reserved/2024/CVE-2024-26836)0
-rw-r--r--cve/published/2024/CVE-2024-26836.json88
-rw-r--r--cve/published/2024/CVE-2024-26836.mbox67
-rw-r--r--cve/published/2024/CVE-2024-26836.sha11
-rw-r--r--cve/published/2024/CVE-2024-26837 (renamed from cve/reserved/2024/CVE-2024-26837)0
-rw-r--r--cve/published/2024/CVE-2024-26837.json118
-rw-r--r--cve/published/2024/CVE-2024-26837.mbox144
-rw-r--r--cve/published/2024/CVE-2024-26837.sha11
-rw-r--r--cve/published/2024/CVE-2024-26838 (renamed from cve/reserved/2024/CVE-2024-26838)0
-rw-r--r--cve/published/2024/CVE-2024-26838.json133
-rw-r--r--cve/published/2024/CVE-2024-26838.mbox96
-rw-r--r--cve/published/2024/CVE-2024-26838.sha11
-rw-r--r--cve/published/2024/CVE-2024-26839 (renamed from cve/reserved/2024/CVE-2024-26839)0
-rw-r--r--cve/published/2024/CVE-2024-26839.json178
-rw-r--r--cve/published/2024/CVE-2024-26839.mbox79
-rw-r--r--cve/published/2024/CVE-2024-26839.sha11
-rw-r--r--cve/published/2024/CVE-2024-26840 (renamed from cve/reserved/2024/CVE-2024-26840)0
-rw-r--r--cve/published/2024/CVE-2024-26840.json178
-rw-r--r--cve/published/2024/CVE-2024-26840.mbox99
-rw-r--r--cve/published/2024/CVE-2024-26840.sha11
-rw-r--r--cve/published/2024/CVE-2024-26841 (renamed from cve/reserved/2024/CVE-2024-26841)0
-rw-r--r--cve/published/2024/CVE-2024-26841.json93
-rw-r--r--cve/published/2024/CVE-2024-26841.mbox112
-rw-r--r--cve/published/2024/CVE-2024-26841.sha11
-rw-r--r--cve/published/2024/CVE-2024-26842 (renamed from cve/reserved/2024/CVE-2024-26842)0
-rw-r--r--cve/published/2024/CVE-2024-26842.json93
-rw-r--r--cve/published/2024/CVE-2024-26842.mbox106
-rw-r--r--cve/published/2024/CVE-2024-26842.sha11
-rw-r--r--cve/published/2024/CVE-2024-26843 (renamed from cve/reserved/2024/CVE-2024-26843)0
-rw-r--r--cve/published/2024/CVE-2024-26843.json138
-rw-r--r--cve/published/2024/CVE-2024-26843.mbox74
-rw-r--r--cve/published/2024/CVE-2024-26843.sha11
-rw-r--r--cve/published/2024/CVE-2024-26844 (renamed from cve/reserved/2024/CVE-2024-26844)0
-rw-r--r--cve/published/2024/CVE-2024-26844.json108
-rw-r--r--cve/published/2024/CVE-2024-26844.mbox78
-rw-r--r--cve/published/2024/CVE-2024-26844.sha11
-rw-r--r--cve/published/2024/CVE-2024-26845 (renamed from cve/reserved/2024/CVE-2024-26845)0
-rw-r--r--cve/published/2024/CVE-2024-26845.json168
-rw-r--r--cve/published/2024/CVE-2024-26845.mbox103
-rw-r--r--cve/published/2024/CVE-2024-26845.sha11
-rw-r--r--cve/published/2024/CVE-2024-26846 (renamed from cve/reserved/2024/CVE-2024-26846)0
-rw-r--r--cve/published/2024/CVE-2024-26846.json138
-rw-r--r--cve/published/2024/CVE-2024-26846.mbox89
-rw-r--r--cve/published/2024/CVE-2024-26846.sha11
60 files changed, 3398 insertions, 0 deletions
diff --git a/cve/reserved/2024/CVE-2024-26832 b/cve/published/2024/CVE-2024-26832
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26832
+++ b/cve/published/2024/CVE-2024-26832
diff --git a/cve/published/2024/CVE-2024-26832.json b/cve/published/2024/CVE-2024-26832.json
new file mode 100644
index 00000000..efac9f48
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26832.json
@@ -0,0 +1,118 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: zswap: fix missing folio cleanup in writeback race path\n\nIn zswap_writeback_entry(), after we get a folio from\n__read_swap_cache_async(), we grab the tree lock again to check that the\nswap entry was not invalidated and recycled. If it was, we delete the\nfolio we just added to the swap cache and exit.\n\nHowever, __read_swap_cache_async() returns the folio locked when it is\nnewly allocated, which is always true for this path, and the folio is\nref'd. Make sure to unlock and put the folio before returning.\n\nThis was discovered by code inspection, probably because this path handles\na race condition that should not happen often, and the bug would not crash\nthe system, it will only strand the folio indefinitely."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "2cab13f500a6",
+ "lessThan": "14f1992430ef",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "04fc7816089c",
+ "lessThan": "6156277d1b26",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "04fc7816089c",
+ "lessThan": "e2891c763aa2",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "04fc7816089c",
+ "lessThan": "e3b63e966cac",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.4",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "6.4",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.80",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/14f1992430ef9e647b02aa8ca12c5bcb9a1dffea"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/6156277d1b26cb3fdb6fcbf0686ab78268571644"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/e2891c763aa2cff74dd6b5e978411ccf0cf94abe"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/e3b63e966cac0bf78aaa1efede1827a252815a1d"
+ }
+ ],
+ "title": "mm: zswap: fix missing folio cleanup in writeback race path",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26832",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
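Review bot: The release-number list in the second `affected` entry disagrees with the git ranges in the first one: `{"version": "0", "lessThan": "6.4", "status": "unaffected"}` marks every 6.1.y kernel before 6.1.80 as unaffected, while the range `2cab13f500a6`..`14f1992430ef` and the announcement in CVE-2024-26832.mbox say the bug entered 6.1.y at 6.1.30. A consumer that matches on release numbers only would presumably treat 6.1.30 through 6.1.79 as clean; an explicit entry such as `{"version": "6.1.30", "lessThan": "6.1.80", "status": "affected", "versionType": "custom"}` would close that gap. The announcement also lists an introduction in 6.3.4 (commit ba700ea13bf0) with no fix, and that commit has no entry anywhere in this JSON. CVE-2024-26834.json shows the same kind of mismatch: its git ranges starting at 7c71b831220e and 9c5662e95a8d have no matching release-number entries and do not appear in that announcement's "Affected and fixed versions" table.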
diff --git a/cve/published/2024/CVE-2024-26832.mbox b/cve/published/2024/CVE-2024-26832.mbox
new file mode 100644
index 00000000..8ec3bd05
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26832.mbox
@@ -0,0 +1,80 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26832: mm: zswap: fix missing folio cleanup in writeback race path
+Message-Id: <2024041714-CVE-2024-26832-77ce@gregkh>
+Content-Length: 2640
+Lines: 63
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2704;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=4UeVMUR6tlT2YikM5qUgtYjtlLHyjQlk1fK7DSY9Qc4=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGnyC9jWPOqV1tzA4d5s8d1lV+DjRe6zbfXDD710P/NSI
+ /9iGC9/RywLgyATg6yYIsuXbTxH91ccUvQytD0NM4eVCWQIAxenAEzkyHWG+XkGP5hlyv05tt27
+ +pBRsox3D89Kb4b5Tnw53dbGM2fvvbVGSozjz4tZMoWTAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+mm: zswap: fix missing folio cleanup in writeback race path
+
+In zswap_writeback_entry(), after we get a folio from
+__read_swap_cache_async(), we grab the tree lock again to check that the
+swap entry was not invalidated and recycled. If it was, we delete the
+folio we just added to the swap cache and exit.
+
+However, __read_swap_cache_async() returns the folio locked when it is
+newly allocated, which is always true for this path, and the folio is
+ref'd. Make sure to unlock and put the folio before returning.
+
+This was discovered by code inspection, probably because this path handles
+a race condition that should not happen often, and the bug would not crash
+the system, it will only strand the folio indefinitely.
+
+The Linux kernel CVE team has assigned CVE-2024-26832 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 6.1.30 with commit 2cab13f500a6 and fixed in 6.1.80 with commit 14f1992430ef
+ Issue introduced in 6.4 with commit 04fc7816089c and fixed in 6.6.19 with commit 6156277d1b26
+ Issue introduced in 6.4 with commit 04fc7816089c and fixed in 6.7.7 with commit e2891c763aa2
+ Issue introduced in 6.4 with commit 04fc7816089c and fixed in 6.8 with commit e3b63e966cac
+ Issue introduced in 6.3.4 with commit ba700ea13bf0
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26832
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ mm/zswap.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/14f1992430ef9e647b02aa8ca12c5bcb9a1dffea
+ https://git.kernel.org/stable/c/6156277d1b26cb3fdb6fcbf0686ab78268571644
+ https://git.kernel.org/stable/c/e2891c763aa2cff74dd6b5e978411ccf0cf94abe
+ https://git.kernel.org/stable/c/e3b63e966cac0bf78aaa1efede1827a252815a1d
diff --git a/cve/published/2024/CVE-2024-26832.sha1 b/cve/published/2024/CVE-2024-26832.sha1
new file mode 100644
index 00000000..291a2e66
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26832.sha1
@@ -0,0 +1 @@
+e3b63e966cac0bf78aaa1efede1827a252815a1d
diff --git a/cve/reserved/2024/CVE-2024-26833 b/cve/published/2024/CVE-2024-26833
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26833
+++ b/cve/published/2024/CVE-2024-26833
diff --git a/cve/published/2024/CVE-2024-26833.json b/cve/published/2024/CVE-2024-26833.json
new file mode 100644
index 00000000..8073d434
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26833.json
@@ -0,0 +1,148 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix memory leak in dm_sw_fini()\n\nAfter destroying dmub_srv, the memory associated with it is\nnot freed, causing a memory leak:\n\nunreferenced object 0xffff896302b45800 (size 1024):\n comm \"(udev-worker)\", pid 222, jiffies 4294894636\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace (crc 6265fd77):\n [<ffffffff993495ed>] kmalloc_trace+0x29d/0x340\n [<ffffffffc0ea4a94>] dm_dmub_sw_init+0xb4/0x450 [amdgpu]\n [<ffffffffc0ea4e55>] dm_sw_init+0x15/0x2b0 [amdgpu]\n [<ffffffffc0ba8557>] amdgpu_device_init+0x1417/0x24e0 [amdgpu]\n [<ffffffffc0bab285>] amdgpu_driver_load_kms+0x15/0x190 [amdgpu]\n [<ffffffffc0ba09c7>] amdgpu_pci_probe+0x187/0x4e0 [amdgpu]\n [<ffffffff9968fd1e>] local_pci_probe+0x3e/0x90\n [<ffffffff996918a3>] pci_device_probe+0xc3/0x230\n [<ffffffff99805872>] really_probe+0xe2/0x480\n [<ffffffff99805c98>] __driver_probe_device+0x78/0x160\n [<ffffffff99805daf>] driver_probe_device+0x1f/0x90\n [<ffffffff9980601e>] __driver_attach+0xce/0x1c0\n [<ffffffff99803170>] bus_for_each_dev+0x70/0xc0\n [<ffffffff99804822>] bus_add_driver+0x112/0x210\n [<ffffffff99807245>] driver_register+0x55/0x100\n [<ffffffff990012d1>] do_one_initcall+0x41/0x300\n\nFix this by freeing dmub_srv after destroying it."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "743b9786b14a",
+ "lessThan": "b49b022f7dfc",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "743b9786b14a",
+ "lessThan": "33f649f1b1ce",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "743b9786b14a",
+ "lessThan": "58168005337e",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "743b9786b14a",
+ "lessThan": "10c6b90e9753",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "743b9786b14a",
+ "lessThan": "541e79265ea7",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "743b9786b14a",
+ "lessThan": "bae67893578d",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.6",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.6",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.211",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.150",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.80",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/b49b022f7dfce85eb77d0d987008fde5c01d7857"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/33f649f1b1cea39ed360e6c12bba4fac83118e6e"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/58168005337eabef345a872be3f87d0215ff3b30"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/10c6b90e975358c17856a578419dc449887899c2"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/541e79265ea7e339a7c4a462feafe9f8f996e04b"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/bae67893578d608e35691dcdfa90c4957debf1d3"
+ }
+ ],
+ "title": "drm/amd/display: Fix memory leak in dm_sw_fini()",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26833",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26833.mbox b/cve/published/2024/CVE-2024-26833.mbox
new file mode 100644
index 00000000..c2ea43df
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26833.mbox
@@ -0,0 +1,98 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26833: drm/amd/display: Fix memory leak in dm_sw_fini()
+Message-Id: <2024041714-CVE-2024-26833-b435@gregkh>
+Content-Length: 3635
+Lines: 81
+X-Developer-Signature: v=1; a=openpgp-sha256; l=3717;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=UM0bj+UVkc1XjRMwqvk75Ev65yF7n0BpEjZXbIxo6NM=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGnyC9ger2B3/asodEh9R+p3vkqteYodR2efF13tY6/aJ
+ pe+wfVQRywLgyATg6yYIsuXbTxH91ccUvQytD0NM4eVCWQIAxenAExkvjjD/LLs/CgdcaOuf4pz
+ Is581VkQ5ZyQxDA//spu7p6kkrrUTSnXeCJWTAxZLJcJAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+drm/amd/display: Fix memory leak in dm_sw_fini()
+
+After destroying dmub_srv, the memory associated with it is
+not freed, causing a memory leak:
+
+unreferenced object 0xffff896302b45800 (size 1024):
+ comm "(udev-worker)", pid 222, jiffies 4294894636
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace (crc 6265fd77):
+ [<ffffffff993495ed>] kmalloc_trace+0x29d/0x340
+ [<ffffffffc0ea4a94>] dm_dmub_sw_init+0xb4/0x450 [amdgpu]
+ [<ffffffffc0ea4e55>] dm_sw_init+0x15/0x2b0 [amdgpu]
+ [<ffffffffc0ba8557>] amdgpu_device_init+0x1417/0x24e0 [amdgpu]
+ [<ffffffffc0bab285>] amdgpu_driver_load_kms+0x15/0x190 [amdgpu]
+ [<ffffffffc0ba09c7>] amdgpu_pci_probe+0x187/0x4e0 [amdgpu]
+ [<ffffffff9968fd1e>] local_pci_probe+0x3e/0x90
+ [<ffffffff996918a3>] pci_device_probe+0xc3/0x230
+ [<ffffffff99805872>] really_probe+0xe2/0x480
+ [<ffffffff99805c98>] __driver_probe_device+0x78/0x160
+ [<ffffffff99805daf>] driver_probe_device+0x1f/0x90
+ [<ffffffff9980601e>] __driver_attach+0xce/0x1c0
+ [<ffffffff99803170>] bus_for_each_dev+0x70/0xc0
+ [<ffffffff99804822>] bus_add_driver+0x112/0x210
+ [<ffffffff99807245>] driver_register+0x55/0x100
+ [<ffffffff990012d1>] do_one_initcall+0x41/0x300
+
+Fix this by freeing dmub_srv after destroying it.
+
+The Linux kernel CVE team has assigned CVE-2024-26833 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.6 with commit 743b9786b14a and fixed in 5.10.211 with commit b49b022f7dfc
+ Issue introduced in 5.6 with commit 743b9786b14a and fixed in 5.15.150 with commit 33f649f1b1ce
+ Issue introduced in 5.6 with commit 743b9786b14a and fixed in 6.1.80 with commit 58168005337e
+ Issue introduced in 5.6 with commit 743b9786b14a and fixed in 6.6.19 with commit 10c6b90e9753
+ Issue introduced in 5.6 with commit 743b9786b14a and fixed in 6.7.7 with commit 541e79265ea7
+ Issue introduced in 5.6 with commit 743b9786b14a and fixed in 6.8 with commit bae67893578d
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26833
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/b49b022f7dfce85eb77d0d987008fde5c01d7857
+ https://git.kernel.org/stable/c/33f649f1b1cea39ed360e6c12bba4fac83118e6e
+ https://git.kernel.org/stable/c/58168005337eabef345a872be3f87d0215ff3b30
+ https://git.kernel.org/stable/c/10c6b90e975358c17856a578419dc449887899c2
+ https://git.kernel.org/stable/c/541e79265ea7e339a7c4a462feafe9f8f996e04b
+ https://git.kernel.org/stable/c/bae67893578d608e35691dcdfa90c4957debf1d3
diff --git a/cve/published/2024/CVE-2024-26833.sha1 b/cve/published/2024/CVE-2024-26833.sha1
new file mode 100644
index 00000000..e9a1e980
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26833.sha1
@@ -0,0 +1 @@
+bae67893578d608e35691dcdfa90c4957debf1d3
diff --git a/cve/reserved/2024/CVE-2024-26834 b/cve/published/2024/CVE-2024-26834
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26834
+++ b/cve/published/2024/CVE-2024-26834
diff --git a/cve/published/2024/CVE-2024-26834.json b/cve/published/2024/CVE-2024-26834.json
new file mode 100644
index 00000000..816a085d
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26834.json
@@ -0,0 +1,121 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_flow_offload: release dst in case direct xmit path is used\n\nDirect xmit does not use it since it calls dev_queue_xmit() to send\npackets, hence it calls dst_release().\n\nkmemleak reports:\n\nunreferenced object 0xffff88814f440900 (size 184):\n comm \"softirq\", pid 0, jiffies 4294951896\n hex dump (first 32 bytes):\n 00 60 5b 04 81 88 ff ff 00 e6 e8 82 ff ff ff ff .`[.............\n 21 0b 50 82 ff ff ff ff 00 00 00 00 00 00 00 00 !.P.............\n backtrace (crc cb2bf5d6):\n [<000000003ee17107>] kmem_cache_alloc+0x286/0x340\n [<0000000021a5de2c>] dst_alloc+0x43/0xb0\n [<00000000f0671159>] rt_dst_alloc+0x2e/0x190\n [<00000000fe5092c9>] __mkroute_output+0x244/0x980\n [<000000005fb96fb0>] ip_route_output_flow+0xc0/0x160\n [<0000000045367433>] nf_ip_route+0xf/0x30\n [<0000000085da1d8e>] nf_route+0x2d/0x60\n [<00000000d1ecd1cb>] nft_flow_route+0x171/0x6a0 [nft_flow_offload]\n [<00000000d9b2fb60>] nft_flow_offload_eval+0x4e8/0x700 [nft_flow_offload]\n [<000000009f447dbb>] expr_call_ops_eval+0x53/0x330 [nf_tables]\n [<00000000072e1be6>] nft_do_chain+0x17c/0x840 [nf_tables]\n [<00000000d0551029>] nft_do_chain_inet+0xa1/0x210 [nf_tables]\n [<0000000097c9d5c6>] nf_hook_slow+0x5b/0x160\n [<0000000005eccab1>] ip_forward+0x8b6/0x9b0\n [<00000000553a269b>] ip_rcv+0x221/0x230\n [<00000000412872e5>] __netif_receive_skb_one_core+0xfe/0x110"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "7c71b831220e",
+ "lessThan": "13b57b5cd591",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "9c5662e95a8d",
+ "lessThan": "a6cafdb49a7b",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "fa502c865666",
+ "lessThan": "9256ab9232e3",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "fa502c865666",
+ "lessThan": "2d17cf10179a",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "fa502c865666",
+ "lessThan": "8762785f459b",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.5",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "6.5",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/13b57b5cd591d5b22f9bbf047b2922967de411f3"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/a6cafdb49a7bbf4a88367db209703eee6941e023"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/9256ab9232e35a16af9c30fa4e522e6d1bd3605a"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/2d17cf10179a7de6d8f0128168b84ad0b4a1863f"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/8762785f459be1cfe6fcf7285c123aad6a3703f0"
+ }
+ ],
+ "title": "netfilter: nft_flow_offload: release dst in case direct xmit path is used",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26834",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26834.mbox b/cve/published/2024/CVE-2024-26834.mbox
new file mode 100644
index 00000000..b9903741
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26834.mbox
@@ -0,0 +1,94 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26834: netfilter: nft_flow_offload: release dst in case direct xmit path is used
+Message-Id: <2024041714-CVE-2024-26834-a73b@gregkh>
+Content-Length: 3261
+Lines: 77
+X-Developer-Signature: v=1; a=openpgp-sha256; l=3339;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=qyZ69wfaOdmi5yzymjXzcicnoJ0MT1Z7GC1IADQFAoE=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGnyC9hKYvuPfPkxO1voocNWyUyl1PZCG/X8n4tTt89YI
+ c8Tc9mtI5aFQZCJQVZMkeXLNp6j+ysOKXoZ2p6GmcPKBDKEgYtTACbSaMEwP2OJiX/2HzlxPQX3
+ si933RPny27hYJgfuS/x1ZpW3nrjy19S+Q9OKtzrvfoWAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+netfilter: nft_flow_offload: release dst in case direct xmit path is used
+
+Direct xmit does not use it since it calls dev_queue_xmit() to send
+packets, hence it calls dst_release().
+
+kmemleak reports:
+
+unreferenced object 0xffff88814f440900 (size 184):
+ comm "softirq", pid 0, jiffies 4294951896
+ hex dump (first 32 bytes):
+ 00 60 5b 04 81 88 ff ff 00 e6 e8 82 ff ff ff ff .`[.............
+ 21 0b 50 82 ff ff ff ff 00 00 00 00 00 00 00 00 !.P.............
+ backtrace (crc cb2bf5d6):
+ [<000000003ee17107>] kmem_cache_alloc+0x286/0x340
+ [<0000000021a5de2c>] dst_alloc+0x43/0xb0
+ [<00000000f0671159>] rt_dst_alloc+0x2e/0x190
+ [<00000000fe5092c9>] __mkroute_output+0x244/0x980
+ [<000000005fb96fb0>] ip_route_output_flow+0xc0/0x160
+ [<0000000045367433>] nf_ip_route+0xf/0x30
+ [<0000000085da1d8e>] nf_route+0x2d/0x60
+ [<00000000d1ecd1cb>] nft_flow_route+0x171/0x6a0 [nft_flow_offload]
+ [<00000000d9b2fb60>] nft_flow_offload_eval+0x4e8/0x700 [nft_flow_offload]
+ [<000000009f447dbb>] expr_call_ops_eval+0x53/0x330 [nf_tables]
+ [<00000000072e1be6>] nft_do_chain+0x17c/0x840 [nf_tables]
+ [<00000000d0551029>] nft_do_chain_inet+0xa1/0x210 [nf_tables]
+ [<0000000097c9d5c6>] nf_hook_slow+0x5b/0x160
+ [<0000000005eccab1>] ip_forward+0x8b6/0x9b0
+ [<00000000553a269b>] ip_rcv+0x221/0x230
+ [<00000000412872e5>] __netif_receive_skb_one_core+0xfe/0x110
+
+The Linux kernel CVE team has assigned CVE-2024-26834 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 6.5 with commit fa502c865666 and fixed in 6.6.19 with commit 9256ab9232e3
+ Issue introduced in 6.5 with commit fa502c865666 and fixed in 6.7.7 with commit 2d17cf10179a
+ Issue introduced in 6.5 with commit fa502c865666 and fixed in 6.8 with commit 8762785f459b
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26834
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ net/netfilter/nf_flow_table_core.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/13b57b5cd591d5b22f9bbf047b2922967de411f3
+ https://git.kernel.org/stable/c/a6cafdb49a7bbf4a88367db209703eee6941e023
+ https://git.kernel.org/stable/c/9256ab9232e35a16af9c30fa4e522e6d1bd3605a
+ https://git.kernel.org/stable/c/2d17cf10179a7de6d8f0128168b84ad0b4a1863f
+ https://git.kernel.org/stable/c/8762785f459be1cfe6fcf7285c123aad6a3703f0
diff --git a/cve/published/2024/CVE-2024-26834.sha1 b/cve/published/2024/CVE-2024-26834.sha1
new file mode 100644
index 00000000..36db2455
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26834.sha1
@@ -0,0 +1 @@
+8762785f459be1cfe6fcf7285c123aad6a3703f0
diff --git a/cve/reserved/2024/CVE-2024-26835 b/cve/published/2024/CVE-2024-26835
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26835
+++ b/cve/published/2024/CVE-2024-26835
diff --git a/cve/published/2024/CVE-2024-26835.json b/cve/published/2024/CVE-2024-26835.json
new file mode 100644
index 00000000..c42e415b
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26835.json
@@ -0,0 +1,163 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: set dormant flag on hook register failure\n\nWe need to set the dormant flag again if we fail to register\nthe hooks.\n\nDuring memory pressure hook registration can fail and we end up\nwith a table marked as active but no registered hooks.\n\nOn table/base chain deletion, nf_tables will attempt to unregister\nthe hook again which yields a warn splat from the nftables core."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "e10f661adc55",
+ "lessThan": "ae4360cbd385",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "d9c4da8cb74e",
+ "lessThan": "31ea574aeca1",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "179d9ba5559a",
+ "lessThan": "664264a5c55b",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "179d9ba5559a",
+ "lessThan": "0c9302a6da26",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "179d9ba5559a",
+ "lessThan": "f2135bbf1494",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "179d9ba5559a",
+ "lessThan": "6f2496366426",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "179d9ba5559a",
+ "lessThan": "bccebf647017",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.13",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.13",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.270",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.211",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.150",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.80",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/ae4360cbd385f0d7a8a86d5723e50448cc6318f3"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/31ea574aeca1aa488e18716459bde057217637af"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/664264a5c55bf97a9c571c557d477b75416199be"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/0c9302a6da262e6ab6a6c1d30f04a6130ed97376"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/f2135bbf14949687e96cabb13d8a91ae3deb9069"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/6f2496366426cec18ba53f1c7f6c3ac307ca6a95"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/bccebf64701735533c8db37773eeacc6566cc8ec"
+ }
+ ],
+ "title": "netfilter: nf_tables: set dormant flag on hook register failure",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26835",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
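Review bot: The release-number block of `affected` marks every version below 5.13 as unaffected (`"version": "0", "lessThan": "5.13", "status": "unaffected"`), but the announcement added in this same commit says the bug was also introduced in 5.4.262 and 5.10.202 by the backports e10f661adc55 and d9c4da8cb74e. The git-range block records those two commits, so the two blocks disagree. A scanner that matches on release numbers only would presumably report 5.4.262–5.4.269 and 5.10.202–5.10.210 as clean. I would add explicit affected ranges to the second block, `{"version": "5.4.262", "lessThan": "5.4.270", "status": "affected", "versionType": "custom"}` and the same shape for `"5.10.202"` / `"5.10.211"`. The `x_generator` field suggests the record is tool-generated, so the durable fix likely belongs in the generator rather than in this file.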
diff --git a/cve/published/2024/CVE-2024-26835.mbox b/cve/published/2024/CVE-2024-26835.mbox
new file mode 100644
index 00000000..ee7a2572
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26835.mbox
@@ -0,0 +1,81 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26835: netfilter: nf_tables: set dormant flag on hook register failure
+Message-Id: <2024041714-CVE-2024-26835-083d@gregkh>
+Content-Length: 2800
+Lines: 64
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2865;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=wqF0e2KIIYkEC1WM/06A2cFMlyIPE1QL0Fx/K/uw8Dw=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGnyC9jYgxWmMyqs2Xr60Iavq+QM7nOXbLqSdye0j3N3e
+ VHu95oPHbEsDIJMDLJiiixftvEc3V9xSNHL0PY0zBxWJpAhDFycAjCRXTcY5qce6J83efsWi+4L
+ 227t/xBud9jp6EqGBWd907UuLmOJ9ThpzN/BNNH3kdduVgA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+netfilter: nf_tables: set dormant flag on hook register failure
+
+We need to set the dormant flag again if we fail to register
+the hooks.
+
+During memory pressure hook registration can fail and we end up
+with a table marked as active but no registered hooks.
+
+On table/base chain deletion, nf_tables will attempt to unregister
+the hook again which yields a warn splat from the nftables core.
+
+The Linux kernel CVE team has assigned CVE-2024-26835 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.4.262 with commit e10f661adc55 and fixed in 5.4.270 with commit ae4360cbd385
+ Issue introduced in 5.10.202 with commit d9c4da8cb74e and fixed in 5.10.211 with commit 31ea574aeca1
+ Issue introduced in 5.13 with commit 179d9ba5559a and fixed in 5.15.150 with commit 664264a5c55b
+ Issue introduced in 5.13 with commit 179d9ba5559a and fixed in 6.1.80 with commit 0c9302a6da26
+ Issue introduced in 5.13 with commit 179d9ba5559a and fixed in 6.6.19 with commit f2135bbf1494
+ Issue introduced in 5.13 with commit 179d9ba5559a and fixed in 6.7.7 with commit 6f2496366426
+ Issue introduced in 5.13 with commit 179d9ba5559a and fixed in 6.8 with commit bccebf647017
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26835
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ net/netfilter/nf_tables_api.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/ae4360cbd385f0d7a8a86d5723e50448cc6318f3
+ https://git.kernel.org/stable/c/31ea574aeca1aa488e18716459bde057217637af
+ https://git.kernel.org/stable/c/664264a5c55bf97a9c571c557d477b75416199be
+ https://git.kernel.org/stable/c/0c9302a6da262e6ab6a6c1d30f04a6130ed97376
+ https://git.kernel.org/stable/c/f2135bbf14949687e96cabb13d8a91ae3deb9069
+ https://git.kernel.org/stable/c/6f2496366426cec18ba53f1c7f6c3ac307ca6a95
+ https://git.kernel.org/stable/c/bccebf64701735533c8db37773eeacc6566cc8ec
diff --git a/cve/published/2024/CVE-2024-26835.sha1 b/cve/published/2024/CVE-2024-26835.sha1
new file mode 100644
index 00000000..f188ac0e
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26835.sha1
@@ -0,0 +1 @@
+bccebf64701735533c8db37773eeacc6566cc8ec
diff --git a/cve/reserved/2024/CVE-2024-26836 b/cve/published/2024/CVE-2024-26836
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26836
+++ b/cve/published/2024/CVE-2024-26836
diff --git a/cve/published/2024/CVE-2024-26836.json b/cve/published/2024/CVE-2024-26836.json
new file mode 100644
index 00000000..a4e50840
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26836.json
@@ -0,0 +1,88 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: think-lmi: Fix password opcode ordering for workstations\n\nThe Lenovo workstations require the password opcode to be run before\nthe attribute value is changed (if Admin password is enabled).\n\nTested on some Thinkpads to confirm they are OK with this order too."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "640a5fa50a42",
+ "lessThan": "2bfbe1e0aed0",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "640a5fa50a42",
+ "lessThan": "6f7d0f5fd8e4",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.17",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.17",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/2bfbe1e0aed00ba51d58573c79452fada3f62ed4"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/6f7d0f5fd8e440c3446560100ac4ff9a55eec340"
+ }
+ ],
+ "title": "platform/x86: think-lmi: Fix password opcode ordering for workstations",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26836",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26836.mbox b/cve/published/2024/CVE-2024-26836.mbox
new file mode 100644
index 00000000..ad7306ff
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26836.mbox
@@ -0,0 +1,67 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26836: platform/x86: think-lmi: Fix password opcode ordering for workstations
+Message-Id: <2024041714-CVE-2024-26836-19c3@gregkh>
+Content-Length: 1825
+Lines: 50
+X-Developer-Signature: v=1; a=openpgp-sha256; l=1876;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=4dVwPJNHessQofZvrQcTGrI0oEfLNN5TB2S/Kp6hukk=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGnyC9jDr8hdS7U2OMjNlxX5rdo58p/Co/gmvq7feYctx
+ I7btdZ1xLIwCDIxyIopsnzZxnN0f8UhRS9D29Mwc1iZQIYwcHEKwESczBkW7E34bWrAOFtu7vW9
+ cwJVd0bmH5C2Y5jvM1E2w+LA5K3PaoNPpHwM2mjG8W4bAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+platform/x86: think-lmi: Fix password opcode ordering for workstations
+
+The Lenovo workstations require the password opcode to be run before
+the attribute value is changed (if Admin password is enabled).
+
+Tested on some Thinkpads to confirm they are OK with this order too.
+
+The Linux kernel CVE team has assigned CVE-2024-26836 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.17 with commit 640a5fa50a42 and fixed in 6.7.7 with commit 2bfbe1e0aed0
+ Issue introduced in 5.17 with commit 640a5fa50a42 and fixed in 6.8 with commit 6f7d0f5fd8e4
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26836
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/platform/x86/think-lmi.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/2bfbe1e0aed00ba51d58573c79452fada3f62ed4
+ https://git.kernel.org/stable/c/6f7d0f5fd8e440c3446560100ac4ff9a55eec340
diff --git a/cve/published/2024/CVE-2024-26836.sha1 b/cve/published/2024/CVE-2024-26836.sha1
new file mode 100644
index 00000000..59aa1df4
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26836.sha1
@@ -0,0 +1 @@
+6f7d0f5fd8e440c3446560100ac4ff9a55eec340
diff --git a/cve/reserved/2024/CVE-2024-26837 b/cve/published/2024/CVE-2024-26837
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26837
+++ b/cve/published/2024/CVE-2024-26837
diff --git a/cve/published/2024/CVE-2024-26837.json b/cve/published/2024/CVE-2024-26837.json
new file mode 100644
index 00000000..9458d677
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26837.json
@@ -0,0 +1,118 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: switchdev: Skip MDB replays of deferred events on offload\n\nBefore this change, generation of the list of MDB events to replay\nwould race against the creation of new group memberships, either from\nthe IGMP/MLD snooping logic or from user configuration.\n\nWhile new memberships are immediately visible to walkers of\nbr->mdb_list, the notification of their existence to switchdev event\nsubscribers is deferred until a later point in time. So if a replay\nlist was generated during a time that overlapped with such a window,\nit would also contain a replay of the not-yet-delivered event.\n\nThe driver would thus receive two copies of what the bridge internally\nconsidered to be one single event. On destruction of the bridge, only\na single membership deletion event was therefore sent. As a\nconsequence of this, drivers which reference count memberships (at\nleast DSA), would be left with orphan groups in their hardware\ndatabase when the bridge was destroyed.\n\nThis is only an issue when replaying additions. While deletion events\nmay still be pending on the deferred queue, they will already have\nbeen removed from br->mdb_list, so no duplicates can be generated in\nthat scenario.\n\nTo a user this meant that old group memberships, from a bridge in\nwhich a port was previously attached, could be reanimated (in\nhardware) when the port joined a new bridge, without the new bridge's\nknowledge.\n\nFor example, on an mv88e6xxx system, create a snooping bridge and\nimmediately add a port to it:\n\n root@infix-06-0b-00:~$ ip link add dev br0 up type bridge mcast_snooping 1 && \\\n > ip link set dev x3 up master br0\n\nAnd then destroy the bridge:\n\n root@infix-06-0b-00:~$ ip link del dev br0\n root@infix-06-0b-00:~$ mvls atu\n ADDRESS FID STATE Q F 0 1 2 3 4 5 6 7 8 9 a\n DEV:0 Marvell 88E6393X\n 33:33:00:00:00:6a 1 static - - 0 . . . . . . . . . 
.\n 33:33:ff:87:e4:3f 1 static - - 0 . . . . . . . . . .\n ff:ff:ff:ff:ff:ff 1 static - - 0 1 2 3 4 5 6 7 8 9 a\n root@infix-06-0b-00:~$\n\nThe two IPv6 groups remain in the hardware database because the\nport (x3) is notified of the host's membership twice: once via the\noriginal event and once via a replay. Since only a single delete\nnotification is sent, the count remains at 1 when the bridge is\ndestroyed.\n\nThen add the same port (or another port belonging to the same hardware\ndomain) to a new bridge, this time with snooping disabled:\n\n root@infix-06-0b-00:~$ ip link add dev br1 up type bridge mcast_snooping 0 && \\\n > ip link set dev x3 up master br1\n\nAll multicast, including the two IPv6 groups from br0, should now be\nflooded, according to the policy of br1. But instead the old\nmemberships are still active in the hardware database, causing the\nswitch to only forward traffic to those groups towards the CPU (port\n0).\n\nEliminate the race in two steps:\n\n1. Grab the write-side lock of the MDB while generating the replay\n list.\n\nThis prevents new memberships from showing up while we are generating\nthe replay list. But it leaves the scenario in which a deferred event\nwas already generated, but not delivered, before we grabbed the\nlock. Therefore:\n\n2. Make sure that no deferred version of a replay event is already\n enqueued to the switchdev deferred queue, before adding it to the\n replay list, when replaying additions."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "4f2673b3a2b6",
+ "lessThan": "2d5b4b3376fa",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "4f2673b3a2b6",
+ "lessThan": "603be95437e7",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "4f2673b3a2b6",
+ "lessThan": "e0b4c5b1d760",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "4f2673b3a2b6",
+ "lessThan": "dc489f86257c",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.13",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.13",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.80",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/2d5b4b3376fa146a23917b8577064906d643925f"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/603be95437e7fd85ba694e75918067fb9e7754db"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/e0b4c5b1d760008f1dd18c07c35af0442e54f9c8"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/dc489f86257cab5056e747344f17a164f63bff4b"
+ }
+ ],
+ "title": "net: bridge: switchdev: Skip MDB replays of deferred events on offload",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26837",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26837.mbox b/cve/published/2024/CVE-2024-26837.mbox
new file mode 100644
index 00000000..545dbe37
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26837.mbox
@@ -0,0 +1,144 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26837: net: bridge: switchdev: Skip MDB replays of deferred events on offload
+Message-Id: <2024041715-CVE-2024-26837-753c@gregkh>
+Content-Length: 5346
+Lines: 127
+X-Developer-Signature: v=1; a=openpgp-sha256; l=5474;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=Z4UKWRlM+CCkQ82Yd3x5wZUCnAdOG7+MSbJe5D8dooY=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGnyC9i3X2BK71C6+snl0Z+J3T/Fl205t/zxXJc1LiHOL
+ Mpxa/2TOmJZGASZGGTFFFm+bOM5ur/ikKKXoe1pmDmsTCBDGLg4BWAiuw8wzPcXf2DJueUU//0K
+ l3PnyhSei9t/M2WYH3f1uMaBLfbXZ8dnW1iymd1m3CJ0DQA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+net: bridge: switchdev: Skip MDB replays of deferred events on offload
+
+Before this change, generation of the list of MDB events to replay
+would race against the creation of new group memberships, either from
+the IGMP/MLD snooping logic or from user configuration.
+
+While new memberships are immediately visible to walkers of
+br->mdb_list, the notification of their existence to switchdev event
+subscribers is deferred until a later point in time. So if a replay
+list was generated during a time that overlapped with such a window,
+it would also contain a replay of the not-yet-delivered event.
+
+The driver would thus receive two copies of what the bridge internally
+considered to be one single event. On destruction of the bridge, only
+a single membership deletion event was therefore sent. As a
+consequence of this, drivers which reference count memberships (at
+least DSA), would be left with orphan groups in their hardware
+database when the bridge was destroyed.
+
+This is only an issue when replaying additions. While deletion events
+may still be pending on the deferred queue, they will already have
+been removed from br->mdb_list, so no duplicates can be generated in
+that scenario.
+
+To a user this meant that old group memberships, from a bridge in
+which a port was previously attached, could be reanimated (in
+hardware) when the port joined a new bridge, without the new bridge's
+knowledge.
+
+For example, on an mv88e6xxx system, create a snooping bridge and
+immediately add a port to it:
+
+ root@infix-06-0b-00:~$ ip link add dev br0 up type bridge mcast_snooping 1 && \
+ > ip link set dev x3 up master br0
+
+And then destroy the bridge:
+
+ root@infix-06-0b-00:~$ ip link del dev br0
+ root@infix-06-0b-00:~$ mvls atu
+ ADDRESS FID STATE Q F 0 1 2 3 4 5 6 7 8 9 a
+ DEV:0 Marvell 88E6393X
+ 33:33:00:00:00:6a 1 static - - 0 . . . . . . . . . .
+ 33:33:ff:87:e4:3f 1 static - - 0 . . . . . . . . . .
+ ff:ff:ff:ff:ff:ff 1 static - - 0 1 2 3 4 5 6 7 8 9 a
+ root@infix-06-0b-00:~$
+
+The two IPv6 groups remain in the hardware database because the
+port (x3) is notified of the host's membership twice: once via the
+original event and once via a replay. Since only a single delete
+notification is sent, the count remains at 1 when the bridge is
+destroyed.
+
+Then add the same port (or another port belonging to the same hardware
+domain) to a new bridge, this time with snooping disabled:
+
+ root@infix-06-0b-00:~$ ip link add dev br1 up type bridge mcast_snooping 0 && \
+ > ip link set dev x3 up master br1
+
+All multicast, including the two IPv6 groups from br0, should now be
+flooded, according to the policy of br1. But instead the old
+memberships are still active in the hardware database, causing the
+switch to only forward traffic to those groups towards the CPU (port
+0).
+
+Eliminate the race in two steps:
+
+1. Grab the write-side lock of the MDB while generating the replay
+ list.
+
+This prevents new memberships from showing up while we are generating
+the replay list. But it leaves the scenario in which a deferred event
+was already generated, but not delivered, before we grabbed the
+lock. Therefore:
+
+2. Make sure that no deferred version of a replay event is already
+ enqueued to the switchdev deferred queue, before adding it to the
+ replay list, when replaying additions.
+
+The Linux kernel CVE team has assigned CVE-2024-26837 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.13 with commit 4f2673b3a2b6 and fixed in 6.1.80 with commit 2d5b4b3376fa
+ Issue introduced in 5.13 with commit 4f2673b3a2b6 and fixed in 6.6.19 with commit 603be95437e7
+ Issue introduced in 5.13 with commit 4f2673b3a2b6 and fixed in 6.7.7 with commit e0b4c5b1d760
+ Issue introduced in 5.13 with commit 4f2673b3a2b6 and fixed in 6.8 with commit dc489f86257c
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26837
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ include/net/switchdev.h
+ net/bridge/br_switchdev.c
+ net/switchdev/switchdev.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/2d5b4b3376fa146a23917b8577064906d643925f
+ https://git.kernel.org/stable/c/603be95437e7fd85ba694e75918067fb9e7754db
+ https://git.kernel.org/stable/c/e0b4c5b1d760008f1dd18c07c35af0442e54f9c8
+ https://git.kernel.org/stable/c/dc489f86257cab5056e747344f17a164f63bff4b
diff --git a/cve/published/2024/CVE-2024-26837.sha1 b/cve/published/2024/CVE-2024-26837.sha1
new file mode 100644
index 00000000..63d0e5e2
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26837.sha1
@@ -0,0 +1 @@
+dc489f86257cab5056e747344f17a164f63bff4b
diff --git a/cve/reserved/2024/CVE-2024-26838 b/cve/published/2024/CVE-2024-26838
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26838
+++ b/cve/published/2024/CVE-2024-26838
diff --git a/cve/published/2024/CVE-2024-26838.json b/cve/published/2024/CVE-2024-26838.json
new file mode 100644
index 00000000..f1f92ce8
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26838.json
@@ -0,0 +1,133 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/irdma: Fix KASAN issue with tasklet\n\nKASAN testing revealed the following issue assocated with freeing an IRQ.\n\n[50006.466686] Call Trace:\n[50006.466691] <IRQ>\n[50006.489538] dump_stack+0x5c/0x80\n[50006.493475] print_address_description.constprop.6+0x1a/0x150\n[50006.499872] ? irdma_sc_process_ceq+0x483/0x790 [irdma]\n[50006.505742] ? irdma_sc_process_ceq+0x483/0x790 [irdma]\n[50006.511644] kasan_report.cold.11+0x7f/0x118\n[50006.516572] ? irdma_sc_process_ceq+0x483/0x790 [irdma]\n[50006.522473] irdma_sc_process_ceq+0x483/0x790 [irdma]\n[50006.528232] irdma_process_ceq+0xb2/0x400 [irdma]\n[50006.533601] ? irdma_hw_flush_wqes_callback+0x370/0x370 [irdma]\n[50006.540298] irdma_ceq_dpc+0x44/0x100 [irdma]\n[50006.545306] tasklet_action_common.isra.14+0x148/0x2c0\n[50006.551096] __do_softirq+0x1d0/0xaf8\n[50006.555396] irq_exit_rcu+0x219/0x260\n[50006.559670] irq_exit+0xa/0x20\n[50006.563320] smp_apic_timer_interrupt+0x1bf/0x690\n[50006.568645] apic_timer_interrupt+0xf/0x20\n[50006.573341] </IRQ>\n\nThe issue is that a tasklet could be pending on another core racing\nthe delete of the irq.\n\nFix by insuring any scheduled tasklet is killed after deleting the\nirq."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "44d9e52977a1",
+ "lessThan": "635d79aa477f",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "44d9e52977a1",
+ "lessThan": "b2e4a5266e3d",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "44d9e52977a1",
+ "lessThan": "c6f1ca235f68",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "44d9e52977a1",
+ "lessThan": "0ae8ad001397",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "44d9e52977a1",
+ "lessThan": "bd97cea7b18a",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.14",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "5.14",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.150",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.80",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/635d79aa477f9912e602feb5498bdd51fb9cb824"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/b2e4a5266e3d133b4c7f0e43bf40d13ce14fd1aa"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/c6f1ca235f68b22b3e691b2ea87ac285e5946848"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/0ae8ad0013978f7471f22bcf45b027393e87f5dc"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/bd97cea7b18a0a553773af806dfbfac27a7c4acb"
+ }
+ ],
+ "title": "RDMA/irdma: Fix KASAN issue with tasklet",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26838",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26838.mbox b/cve/published/2024/CVE-2024-26838.mbox
new file mode 100644
index 00000000..2917aafc
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26838.mbox
@@ -0,0 +1,96 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26838: RDMA/irdma: Fix KASAN issue with tasklet
+Message-Id: <2024041715-CVE-2024-26838-2fdb@gregkh>
+Content-Length: 3243
+Lines: 79
+X-Developer-Signature: v=1; a=openpgp-sha256; l=3323;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=iw508kydjyy1nFs6pWRrE6BLFbdY8D45rgvbctSMFw0=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGnyC9iv5ez/xf5r0ottybZnVx2cf92nYuXCjo64nonLj
+ +7dUrCRpSOWhUGQiUFWTJHlyzaeo/srDil6GdqehpnDygQyhIGLUwAmYufDsGD+p8wXS/jVnKX2
+ SXpZvn4q3d0s8YVhfnye5LTM91yJK+vDPwaFpX73+xQ4GQA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+RDMA/irdma: Fix KASAN issue with tasklet
+
+KASAN testing revealed the following issue assocated with freeing an IRQ.
+
+[50006.466686] Call Trace:
+[50006.466691] <IRQ>
+[50006.489538] dump_stack+0x5c/0x80
+[50006.493475] print_address_description.constprop.6+0x1a/0x150
+[50006.499872] ? irdma_sc_process_ceq+0x483/0x790 [irdma]
+[50006.505742] ? irdma_sc_process_ceq+0x483/0x790 [irdma]
+[50006.511644] kasan_report.cold.11+0x7f/0x118
+[50006.516572] ? irdma_sc_process_ceq+0x483/0x790 [irdma]
+[50006.522473] irdma_sc_process_ceq+0x483/0x790 [irdma]
+[50006.528232] irdma_process_ceq+0xb2/0x400 [irdma]
+[50006.533601] ? irdma_hw_flush_wqes_callback+0x370/0x370 [irdma]
+[50006.540298] irdma_ceq_dpc+0x44/0x100 [irdma]
+[50006.545306] tasklet_action_common.isra.14+0x148/0x2c0
+[50006.551096] __do_softirq+0x1d0/0xaf8
+[50006.555396] irq_exit_rcu+0x219/0x260
+[50006.559670] irq_exit+0xa/0x20
+[50006.563320] smp_apic_timer_interrupt+0x1bf/0x690
+[50006.568645] apic_timer_interrupt+0xf/0x20
+[50006.573341] </IRQ>
+
+The issue is that a tasklet could be pending on another core racing
+the delete of the irq.
+
+Fix by insuring any scheduled tasklet is killed after deleting the
+irq.
+
+The Linux kernel CVE team has assigned CVE-2024-26838 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 5.14 with commit 44d9e52977a1 and fixed in 5.15.150 with commit 635d79aa477f
+ Issue introduced in 5.14 with commit 44d9e52977a1 and fixed in 6.1.80 with commit b2e4a5266e3d
+ Issue introduced in 5.14 with commit 44d9e52977a1 and fixed in 6.6.19 with commit c6f1ca235f68
+ Issue introduced in 5.14 with commit 44d9e52977a1 and fixed in 6.7.7 with commit 0ae8ad001397
+ Issue introduced in 5.14 with commit 44d9e52977a1 and fixed in 6.8 with commit bd97cea7b18a
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26838
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/infiniband/hw/irdma/hw.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/635d79aa477f9912e602feb5498bdd51fb9cb824
+ https://git.kernel.org/stable/c/b2e4a5266e3d133b4c7f0e43bf40d13ce14fd1aa
+ https://git.kernel.org/stable/c/c6f1ca235f68b22b3e691b2ea87ac285e5946848
+ https://git.kernel.org/stable/c/0ae8ad0013978f7471f22bcf45b027393e87f5dc
+ https://git.kernel.org/stable/c/bd97cea7b18a0a553773af806dfbfac27a7c4acb
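Review bot: The description quotes only the `Call Trace:` part of the KASAN report, so the announcement never says what kind of invalid access was detected or on which object. The race described under the trace (a tasklet still pending on another core while the irq is deleted) suggests a use-after-free reached through `irdma_sc_process_ceq`, but that is inferred from the text, not stated in it. Downstream triage reads this text, so I would keep the report's summary line in the excerpt. Alternatively, add one sentence such as `The tasklet can still run after the IRQ has been freed and touch memory that is no longer valid.`, if that matches the fix.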
diff --git a/cve/published/2024/CVE-2024-26838.sha1 b/cve/published/2024/CVE-2024-26838.sha1
new file mode 100644
index 00000000..af728bf6
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26838.sha1
@@ -0,0 +1 @@
+bd97cea7b18a0a553773af806dfbfac27a7c4acb
diff --git a/cve/reserved/2024/CVE-2024-26839 b/cve/published/2024/CVE-2024-26839
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26839
+++ b/cve/published/2024/CVE-2024-26839
diff --git a/cve/published/2024/CVE-2024-26839.json b/cve/published/2024/CVE-2024-26839.json
new file mode 100644
index 00000000..9823a99e
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26839.json
@@ -0,0 +1,178 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/hfi1: Fix a memleak in init_credit_return\n\nWhen dma_alloc_coherent fails to allocate dd->cr_base[i].va,\ninit_credit_return should deallocate dd->cr_base and\ndd->cr_base[i] that allocated before. Or those resources\nwould be never freed and a memleak is triggered."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "7724105686e7",
+ "lessThan": "2e4f9f20b326",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "7724105686e7",
+ "lessThan": "cecfb90cf71d",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "7724105686e7",
+ "lessThan": "3fa240bb6b2d",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "7724105686e7",
+ "lessThan": "52de5805c147",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "7724105686e7",
+ "lessThan": "f0d857ce31a6",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "7724105686e7",
+ "lessThan": "b41d0ade0398",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "7724105686e7",
+ "lessThan": "8412c86e89cc",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "7724105686e7",
+ "lessThan": "809aa64ebff5",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "4.3",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "4.3",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.19.308",
+ "lessThanOrEqual": "4.19.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.270",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.211",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.150",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.80",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/2e4f9f20b32658ef3724aa46f7aef4908d2609e3"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/cecfb90cf71d91e9efebd68b9e9b84661b277cc8"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/3fa240bb6b2dbb3e7a3ee1440a4889cbb6207eb7"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/52de5805c147137205662af89ed7e083d656ae25"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/f0d857ce31a6bc7a82afcdbadb8f7417d482604b"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/b41d0ade0398007fb746213f09903d52a920e896"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/8412c86e89cc78d8b513cb25cf2157a2adf3670a"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/809aa64ebff51eb170ee31a95f83b2d21efa32e2"
+ }
+ ],
+ "title": "IB/hfi1: Fix a memleak in init_credit_return",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26839",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
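Review bot: The `affected` entries in this record identify the product only as `Linux`/`Linux`, while the matching announcement (`CVE-2024-26839.mbox`) narrows the issue to `drivers/infiniband/hw/hfi1/pio.c`. A consumer that reads only the JSON cannot tell that exposure depends on the hfi1 driver being built and in use, and will flag every kernel inside the version ranges. The CVE 5.0 schema provides a `programFiles` array on each `affected` item for this. Adding `"programFiles": ["drivers/infiniband/hw/hfi1/pio.c"]` to both entries would carry that scoping into the record. The same applies to `CVE-2024-26840.json`, whose announcement lists `fs/cachefiles/cache.c` and `fs/cachefiles/daemon.c`.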
diff --git a/cve/published/2024/CVE-2024-26839.mbox b/cve/published/2024/CVE-2024-26839.mbox
new file mode 100644
index 00000000..4b18d277
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26839.mbox
@@ -0,0 +1,79 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26839: IB/hfi1: Fix a memleak in init_credit_return
+Message-Id: <2024041715-CVE-2024-26839-1196@gregkh>
+Content-Length: 2836
+Lines: 62
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2899;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=tquh8+FQX13h+6Ml2FdQ/+/hSOrSrdKHelyhK/FwlZE=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGnyC9jvzto/xboyI0X0wk6Zq8f/bL66gekMx8ldxrPnP
+ lZY3qrE2hHLwiDIxCArpsjyZRvP0f0VhxS9DG1Pw8xhZQIZwsDFKQATWT+DYa7s2SjDnVE2JodP
+ +bXNNTGakCAgvJphvmcbk8+uV5n9P4zDwsr3Z19IWsOSCQA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+IB/hfi1: Fix a memleak in init_credit_return
+
+When dma_alloc_coherent fails to allocate dd->cr_base[i].va,
+init_credit_return should deallocate dd->cr_base and
+dd->cr_base[i] that allocated before. Or those resources
+would be never freed and a memleak is triggered.
+
+The Linux kernel CVE team has assigned CVE-2024-26839 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 4.3 with commit 7724105686e7 and fixed in 4.19.308 with commit 2e4f9f20b326
+ Issue introduced in 4.3 with commit 7724105686e7 and fixed in 5.4.270 with commit cecfb90cf71d
+ Issue introduced in 4.3 with commit 7724105686e7 and fixed in 5.10.211 with commit 3fa240bb6b2d
+ Issue introduced in 4.3 with commit 7724105686e7 and fixed in 5.15.150 with commit 52de5805c147
+ Issue introduced in 4.3 with commit 7724105686e7 and fixed in 6.1.80 with commit f0d857ce31a6
+ Issue introduced in 4.3 with commit 7724105686e7 and fixed in 6.6.19 with commit b41d0ade0398
+ Issue introduced in 4.3 with commit 7724105686e7 and fixed in 6.7.7 with commit 8412c86e89cc
+ Issue introduced in 4.3 with commit 7724105686e7 and fixed in 6.8 with commit 809aa64ebff5
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26839
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/infiniband/hw/hfi1/pio.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/2e4f9f20b32658ef3724aa46f7aef4908d2609e3
+ https://git.kernel.org/stable/c/cecfb90cf71d91e9efebd68b9e9b84661b277cc8
+ https://git.kernel.org/stable/c/3fa240bb6b2dbb3e7a3ee1440a4889cbb6207eb7
+ https://git.kernel.org/stable/c/52de5805c147137205662af89ed7e083d656ae25
+ https://git.kernel.org/stable/c/f0d857ce31a6bc7a82afcdbadb8f7417d482604b
+ https://git.kernel.org/stable/c/b41d0ade0398007fb746213f09903d52a920e896
+ https://git.kernel.org/stable/c/8412c86e89cc78d8b513cb25cf2157a2adf3670a
+ https://git.kernel.org/stable/c/809aa64ebff51eb170ee31a95f83b2d21efa32e2
diff --git a/cve/published/2024/CVE-2024-26839.sha1 b/cve/published/2024/CVE-2024-26839.sha1
new file mode 100644
index 00000000..28571a96
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26839.sha1
@@ -0,0 +1 @@
+809aa64ebff51eb170ee31a95f83b2d21efa32e2
diff --git a/cve/reserved/2024/CVE-2024-26840 b/cve/published/2024/CVE-2024-26840
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26840
+++ b/cve/published/2024/CVE-2024-26840
diff --git a/cve/published/2024/CVE-2024-26840.json b/cve/published/2024/CVE-2024-26840.json
new file mode 100644
index 00000000..7b3bd1c8
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26840.json
@@ -0,0 +1,178 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: fix memory leak in cachefiles_add_cache()\n\nThe following memory leak was reported after unbinding /dev/cachefiles:\n\n==================================================================\nunreferenced object 0xffff9b674176e3c0 (size 192):\n comm \"cachefilesd2\", pid 680, jiffies 4294881224\n hex dump (first 32 bytes):\n 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace (crc ea38a44b):\n [<ffffffff8eb8a1a5>] kmem_cache_alloc+0x2d5/0x370\n [<ffffffff8e917f86>] prepare_creds+0x26/0x2e0\n [<ffffffffc002eeef>] cachefiles_determine_cache_security+0x1f/0x120\n [<ffffffffc00243ec>] cachefiles_add_cache+0x13c/0x3a0\n [<ffffffffc0025216>] cachefiles_daemon_write+0x146/0x1c0\n [<ffffffff8ebc4a3b>] vfs_write+0xcb/0x520\n [<ffffffff8ebc5069>] ksys_write+0x69/0xf0\n [<ffffffff8f6d4662>] do_syscall_64+0x72/0x140\n [<ffffffff8f8000aa>] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n==================================================================\n\nPut the reference count of cache_cred in cachefiles_daemon_unbind() to\nfix the problem. And also put cache_cred in cachefiles_add_cache() error\nbranch to avoid memory leaks."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "9ae326a69004",
+ "lessThan": "cb5466783793",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "9ae326a69004",
+ "lessThan": "037d5a949b04",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "9ae326a69004",
+ "lessThan": "43eccc582373",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "9ae326a69004",
+ "lessThan": "94965be37add",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "9ae326a69004",
+ "lessThan": "8b218e2f0a27",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "9ae326a69004",
+ "lessThan": "38e921616320",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "9ae326a69004",
+ "lessThan": "9cac69912052",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "9ae326a69004",
+ "lessThan": "e21a2f17566c",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "2.6.30",
+ "status": "affected"
+ },
+ {
+ "version": "0",
+ "lessThan": "2.6.30",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "4.19.309",
+ "lessThanOrEqual": "4.19.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.271",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.212",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.151",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.80",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/cb5466783793e66272624cf71925ae1d1ba32083"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/037d5a949b0455540ef9aab34c10ddf54b65d285"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/43eccc5823732ba6daab2511ed32dfc545a666d8"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/94965be37add0983672e48ecb33cdbda92b62579"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/8b218e2f0a27a9f09428b1847b4580640b9d1e58"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/38e921616320d159336b0ffadb09e9fb4945c7c3"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/9cac69912052a4def571fedf1cb9bb4ec590e25a"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/e21a2f17566cbd64926fb8f16323972f7a064444"
+ }
+ ],
+ "title": "cachefiles: fix memory leak in cachefiles_add_cache()",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26840",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26840.mbox b/cve/published/2024/CVE-2024-26840.mbox
new file mode 100644
index 00000000..7e68ea88
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26840.mbox
@@ -0,0 +1,99 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26840: cachefiles: fix memory leak in cachefiles_add_cache()
+Message-Id: <2024041715-CVE-2024-26840-057d@gregkh>
+Content-Length: 3846
+Lines: 82
+X-Developer-Signature: v=1; a=openpgp-sha256; l=3929;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=mF0GCv1qyZp/LZAGF/FzlJL7A27sVGsVvsbX5jJvJoc=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGnyC9jZDRk/szccSQ7hvXi30eYZ65d6tQey8TbHO2Xa3
+ a+v5DzZEcvCIMjEICumyPJlG8/R/RWHFL0MbU/DzGFlAhnCwMUpABNRc2KYZzKl+4nXkn/XJ+iJ
+ aGb3L/lZOWtKP8N8T+N/vMnH7RRmsf4WU49Szt8072MoAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+cachefiles: fix memory leak in cachefiles_add_cache()
+
+The following memory leak was reported after unbinding /dev/cachefiles:
+
+==================================================================
+unreferenced object 0xffff9b674176e3c0 (size 192):
+ comm "cachefilesd2", pid 680, jiffies 4294881224
+ hex dump (first 32 bytes):
+ 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace (crc ea38a44b):
+ [<ffffffff8eb8a1a5>] kmem_cache_alloc+0x2d5/0x370
+ [<ffffffff8e917f86>] prepare_creds+0x26/0x2e0
+ [<ffffffffc002eeef>] cachefiles_determine_cache_security+0x1f/0x120
+ [<ffffffffc00243ec>] cachefiles_add_cache+0x13c/0x3a0
+ [<ffffffffc0025216>] cachefiles_daemon_write+0x146/0x1c0
+ [<ffffffff8ebc4a3b>] vfs_write+0xcb/0x520
+ [<ffffffff8ebc5069>] ksys_write+0x69/0xf0
+ [<ffffffff8f6d4662>] do_syscall_64+0x72/0x140
+ [<ffffffff8f8000aa>] entry_SYSCALL_64_after_hwframe+0x6e/0x76
+==================================================================
+
+Put the reference count of cache_cred in cachefiles_daemon_unbind() to
+fix the problem. And also put cache_cred in cachefiles_add_cache() error
+branch to avoid memory leaks.
+
+The Linux kernel CVE team has assigned CVE-2024-26840 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Issue introduced in 2.6.30 with commit 9ae326a69004 and fixed in 4.19.309 with commit cb5466783793
+ Issue introduced in 2.6.30 with commit 9ae326a69004 and fixed in 5.4.271 with commit 037d5a949b04
+ Issue introduced in 2.6.30 with commit 9ae326a69004 and fixed in 5.10.212 with commit 43eccc582373
+ Issue introduced in 2.6.30 with commit 9ae326a69004 and fixed in 5.15.151 with commit 94965be37add
+ Issue introduced in 2.6.30 with commit 9ae326a69004 and fixed in 6.1.80 with commit 8b218e2f0a27
+ Issue introduced in 2.6.30 with commit 9ae326a69004 and fixed in 6.6.19 with commit 38e921616320
+ Issue introduced in 2.6.30 with commit 9ae326a69004 and fixed in 6.7.7 with commit 9cac69912052
+ Issue introduced in 2.6.30 with commit 9ae326a69004 and fixed in 6.8 with commit e21a2f17566c
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26840
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ fs/cachefiles/cache.c
+ fs/cachefiles/daemon.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/cb5466783793e66272624cf71925ae1d1ba32083
+ https://git.kernel.org/stable/c/037d5a949b0455540ef9aab34c10ddf54b65d285
+ https://git.kernel.org/stable/c/43eccc5823732ba6daab2511ed32dfc545a666d8
+ https://git.kernel.org/stable/c/94965be37add0983672e48ecb33cdbda92b62579
+ https://git.kernel.org/stable/c/8b218e2f0a27a9f09428b1847b4580640b9d1e58
+ https://git.kernel.org/stable/c/38e921616320d159336b0ffadb09e9fb4945c7c3
+ https://git.kernel.org/stable/c/9cac69912052a4def571fedf1cb9bb4ec590e25a
+ https://git.kernel.org/stable/c/e21a2f17566cbd64926fb8f16323972f7a064444
diff --git a/cve/published/2024/CVE-2024-26840.sha1 b/cve/published/2024/CVE-2024-26840.sha1
new file mode 100644
index 00000000..86c53346
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26840.sha1
@@ -0,0 +1 @@
+e21a2f17566cbd64926fb8f16323972f7a064444
diff --git a/cve/reserved/2024/CVE-2024-26841 b/cve/published/2024/CVE-2024-26841
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26841
+++ b/cve/published/2024/CVE-2024-26841
diff --git a/cve/published/2024/CVE-2024-26841.json b/cve/published/2024/CVE-2024-26841.json
new file mode 100644
index 00000000..56882fb9
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26841.json
@@ -0,0 +1,93 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: Update cpu_sibling_map when disabling nonboot CPUs\n\nUpdate cpu_sibling_map when disabling nonboot CPUs by defining & calling\nclear_cpu_sibling_map(), otherwise we get such errors on SMT systems:\n\njump label: negative count!\nWARNING: CPU: 6 PID: 45 at kernel/jump_label.c:263 __static_key_slow_dec_cpuslocked+0xec/0x100\nCPU: 6 PID: 45 Comm: cpuhp/6 Not tainted 6.8.0-rc5+ #1340\npc 90000000004c302c ra 90000000004c302c tp 90000001005bc000 sp 90000001005bfd20\na0 000000000000001b a1 900000000224c278 a2 90000001005bfb58 a3 900000000224c280\na4 900000000224c278 a5 90000001005bfb50 a6 0000000000000001 a7 0000000000000001\nt0 ce87a4763eb5234a t1 ce87a4763eb5234a t2 0000000000000000 t3 0000000000000000\nt4 0000000000000006 t5 0000000000000000 t6 0000000000000064 t7 0000000000001964\nt8 000000000009ebf6 u0 9000000001f2a068 s9 0000000000000000 s0 900000000246a2d8\ns1 ffffffffffffffff s2 ffffffffffffffff s3 90000000021518c0 s4 0000000000000040\ns5 9000000002151058 s6 9000000009828e40 s7 00000000000000b4 s8 0000000000000006\n ra: 90000000004c302c __static_key_slow_dec_cpuslocked+0xec/0x100\n ERA: 90000000004c302c __static_key_slow_dec_cpuslocked+0xec/0x100\n CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)\n PRMD: 00000004 (PPLV0 +PIE -PWE)\n EUEN: 00000000 (-FPE -SXE -ASXE -BTE)\n ECFG: 00071c1c (LIE=2-4,10-12 VS=7)\nESTAT: 000c0000 [BRK] (IS= ECode=12 EsubCode=0)\n PRID: 0014d000 (Loongson-64bit, Loongson-3A6000-HV)\nCPU: 6 PID: 45 Comm: cpuhp/6 Not tainted 6.8.0-rc5+ #1340\nStack : 0000000000000000 900000000203f258 900000000179afc8 90000001005bc000\n 90000001005bf980 0000000000000000 90000001005bf988 9000000001fe0be0\n 900000000224c280 900000000224c278 90000001005bf8c0 0000000000000001\n 0000000000000001 ce87a4763eb5234a 0000000007f38000 90000001003f8cc0\n 0000000000000000 0000000000000006 0000000000000000 4c206e6f73676e6f\n 6f4c203a656d616e 000000000009ec99 
0000000007f38000 0000000000000000\n 900000000214b000 9000000001fe0be0 0000000000000004 0000000000000000\n 0000000000000107 0000000000000009 ffffffffffafdabe 00000000000000b4\n 0000000000000006 90000000004c302c 9000000000224528 00005555939a0c7c\n 00000000000000b0 0000000000000004 0000000000000000 0000000000071c1c\n ...\nCall Trace:\n[<9000000000224528>] show_stack+0x48/0x1a0\n[<900000000179afc8>] dump_stack_lvl+0x78/0xa0\n[<9000000000263ed0>] __warn+0x90/0x1a0\n[<90000000017419b8>] report_bug+0x1b8/0x280\n[<900000000179c564>] do_bp+0x264/0x420\n[<90000000004c302c>] __static_key_slow_dec_cpuslocked+0xec/0x100\n[<90000000002b4d7c>] sched_cpu_deactivate+0x2fc/0x300\n[<9000000000266498>] cpuhp_invoke_callback+0x178/0x8a0\n[<9000000000267f70>] cpuhp_thread_fun+0xf0/0x240\n[<90000000002a117c>] smpboot_thread_fn+0x1dc/0x2e0\n[<900000000029a720>] kthread+0x140/0x160\n[<9000000000222288>] ret_from_kernel_thread+0xc/0xa4"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "b1ec3d6b86fd",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "0d862db64d26",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "752cd08da320",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/b1ec3d6b86fdd057559a5908e6668279bf770e0e"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/0d862db64d26c2905ba1a6a8561466b215b664c2"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/752cd08da320a667a833803a8fd6bb266114cce5"
+ }
+ ],
+ "title": "LoongArch: Update cpu_sibling_map when disabling nonboot CPUs",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26841",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
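Review bot: This record has no lower bound on the affected range. All three git ranges start at `1da177e4c3f4`, the first commit of the kernel git history. The semver block sets `"defaultStatus": "affected"` but has neither a starting `"status": "affected"` version nor a `"version": "0", "lessThan": …` unaffected entry, both of which `CVE-2024-26839.json` and `CVE-2024-26840.json` in this commit carry. As written, every release older than 6.6.19 matches as affected, including stable lines for which no fix is listed, which looks too broad for what the title describes as a LoongArch change. I would identify the commit that introduced the bug and regenerate the record so it gains that lower bound.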
diff --git a/cve/published/2024/CVE-2024-26841.mbox b/cve/published/2024/CVE-2024-26841.mbox
new file mode 100644
index 00000000..8349a945
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26841.mbox
@@ -0,0 +1,112 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26841: LoongArch: Update cpu_sibling_map when disabling nonboot CPUs
+Message-Id: <2024041716-CVE-2024-26841-6433@gregkh>
+Content-Length: 4405
+Lines: 95
+X-Developer-Signature: v=1; a=openpgp-sha256; l=4501;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=Sa9BkSpMMJOvCdZD5zdH0GKMS/yIkEkkdusVboTGu0I=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGnyCzgen1v8u8xs4QtRSW6h59kdzYVCR39XcDmXsNTe3
+ h25QHF3RywLgyATg6yYIsuXbTxH91ccUvQytD0NM4eVCWQIAxenAExk5n2GeSa/Vlcbdx1SnMnS
+ pj9jzbkJt6tVhBnmO+dfUers3sD9x36vdejrD33qW/TbAQ==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+LoongArch: Update cpu_sibling_map when disabling nonboot CPUs
+
+Update cpu_sibling_map when disabling nonboot CPUs by defining & calling
+clear_cpu_sibling_map(), otherwise we get such errors on SMT systems:
+
+jump label: negative count!
+WARNING: CPU: 6 PID: 45 at kernel/jump_label.c:263 __static_key_slow_dec_cpuslocked+0xec/0x100
+CPU: 6 PID: 45 Comm: cpuhp/6 Not tainted 6.8.0-rc5+ #1340
+pc 90000000004c302c ra 90000000004c302c tp 90000001005bc000 sp 90000001005bfd20
+a0 000000000000001b a1 900000000224c278 a2 90000001005bfb58 a3 900000000224c280
+a4 900000000224c278 a5 90000001005bfb50 a6 0000000000000001 a7 0000000000000001
+t0 ce87a4763eb5234a t1 ce87a4763eb5234a t2 0000000000000000 t3 0000000000000000
+t4 0000000000000006 t5 0000000000000000 t6 0000000000000064 t7 0000000000001964
+t8 000000000009ebf6 u0 9000000001f2a068 s9 0000000000000000 s0 900000000246a2d8
+s1 ffffffffffffffff s2 ffffffffffffffff s3 90000000021518c0 s4 0000000000000040
+s5 9000000002151058 s6 9000000009828e40 s7 00000000000000b4 s8 0000000000000006
+ ra: 90000000004c302c __static_key_slow_dec_cpuslocked+0xec/0x100
+ ERA: 90000000004c302c __static_key_slow_dec_cpuslocked+0xec/0x100
+ CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)
+ PRMD: 00000004 (PPLV0 +PIE -PWE)
+ EUEN: 00000000 (-FPE -SXE -ASXE -BTE)
+ ECFG: 00071c1c (LIE=2-4,10-12 VS=7)
+ESTAT: 000c0000 [BRK] (IS= ECode=12 EsubCode=0)
+ PRID: 0014d000 (Loongson-64bit, Loongson-3A6000-HV)
+CPU: 6 PID: 45 Comm: cpuhp/6 Not tainted 6.8.0-rc5+ #1340
+Stack : 0000000000000000 900000000203f258 900000000179afc8 90000001005bc000
+ 90000001005bf980 0000000000000000 90000001005bf988 9000000001fe0be0
+ 900000000224c280 900000000224c278 90000001005bf8c0 0000000000000001
+ 0000000000000001 ce87a4763eb5234a 0000000007f38000 90000001003f8cc0
+ 0000000000000000 0000000000000006 0000000000000000 4c206e6f73676e6f
+ 6f4c203a656d616e 000000000009ec99 0000000007f38000 0000000000000000
+ 900000000214b000 9000000001fe0be0 0000000000000004 0000000000000000
+ 0000000000000107 0000000000000009 ffffffffffafdabe 00000000000000b4
+ 0000000000000006 90000000004c302c 9000000000224528 00005555939a0c7c
+ 00000000000000b0 0000000000000004 0000000000000000 0000000000071c1c
+ ...
+Call Trace:
+[<9000000000224528>] show_stack+0x48/0x1a0
+[<900000000179afc8>] dump_stack_lvl+0x78/0xa0
+[<9000000000263ed0>] __warn+0x90/0x1a0
+[<90000000017419b8>] report_bug+0x1b8/0x280
+[<900000000179c564>] do_bp+0x264/0x420
+[<90000000004c302c>] __static_key_slow_dec_cpuslocked+0xec/0x100
+[<90000000002b4d7c>] sched_cpu_deactivate+0x2fc/0x300
+[<9000000000266498>] cpuhp_invoke_callback+0x178/0x8a0
+[<9000000000267f70>] cpuhp_thread_fun+0xf0/0x240
+[<90000000002a117c>] smpboot_thread_fn+0x1dc/0x2e0
+[<900000000029a720>] kthread+0x140/0x160
+[<9000000000222288>] ret_from_kernel_thread+0xc/0xa4
+
+The Linux kernel CVE team has assigned CVE-2024-26841 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 6.6.19 with commit b1ec3d6b86fd
+ Fixed in 6.7.7 with commit 0d862db64d26
+ Fixed in 6.8 with commit 752cd08da320
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26841
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ arch/loongarch/kernel/smp.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/b1ec3d6b86fdd057559a5908e6668279bf770e0e
+ https://git.kernel.org/stable/c/0d862db64d26c2905ba1a6a8561466b215b664c2
+ https://git.kernel.org/stable/c/752cd08da320a667a833803a8fd6bb266114cce5
diff --git a/cve/published/2024/CVE-2024-26841.sha1 b/cve/published/2024/CVE-2024-26841.sha1
new file mode 100644
index 00000000..0a840ad8
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26841.sha1
@@ -0,0 +1 @@
+752cd08da320a667a833803a8fd6bb266114cce5
diff --git a/cve/reserved/2024/CVE-2024-26842 b/cve/published/2024/CVE-2024-26842
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26842
+++ b/cve/published/2024/CVE-2024-26842
diff --git a/cve/published/2024/CVE-2024-26842.json b/cve/published/2024/CVE-2024-26842.json
new file mode 100644
index 00000000..84e6d913
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26842.json
@@ -0,0 +1,93 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: Fix shift issue in ufshcd_clear_cmd()\n\nWhen task_tag >= 32 (in MCQ mode) and sizeof(unsigned int) == 4, 1U <<\ntask_tag will out of bounds for a u32 mask. Fix this up to prevent\nSHIFT_ISSUE (bitwise shifts that are out of bounds for their data type).\n\n[name:debug_monitors&]Unexpected kernel BRK exception at EL1\n[name:traps&]Internal error: BRK handler: 00000000f2005514 [#1] PREEMPT SMP\n[name:mediatek_cpufreq_hw&]cpufreq stop DVFS log done\n[name:mrdump&]Kernel Offset: 0x1ba5800000 from 0xffffffc008000000\n[name:mrdump&]PHYS_OFFSET: 0x80000000\n[name:mrdump&]pstate: 22400005 (nzCv daif +PAN -UAO)\n[name:mrdump&]pc : [0xffffffdbaf52bb2c] ufshcd_clear_cmd+0x280/0x288\n[name:mrdump&]lr : [0xffffffdbaf52a774] ufshcd_wait_for_dev_cmd+0x3e4/0x82c\n[name:mrdump&]sp : ffffffc0081471b0\n<snip>\nWorkqueue: ufs_eh_wq_0 ufshcd_err_handler\nCall trace:\n dump_backtrace+0xf8/0x144\n show_stack+0x18/0x24\n dump_stack_lvl+0x78/0x9c\n dump_stack+0x18/0x44\n mrdump_common_die+0x254/0x480 [mrdump]\n ipanic_die+0x20/0x30 [mrdump]\n notify_die+0x15c/0x204\n die+0x10c/0x5f8\n arm64_notify_die+0x74/0x13c\n do_debug_exception+0x164/0x26c\n el1_dbg+0x64/0x80\n el1h_64_sync_handler+0x3c/0x90\n el1h_64_sync+0x68/0x6c\n ufshcd_clear_cmd+0x280/0x288\n ufshcd_wait_for_dev_cmd+0x3e4/0x82c\n ufshcd_exec_dev_cmd+0x5bc/0x9ac\n ufshcd_verify_dev_init+0x84/0x1c8\n ufshcd_probe_hba+0x724/0x1ce0\n ufshcd_host_reset_and_restore+0x260/0x574\n ufshcd_reset_and_restore+0x138/0xbd0\n ufshcd_err_handler+0x1218/0x2f28\n process_one_work+0x5fc/0x1140\n worker_thread+0x7d8/0xe20\n kthread+0x25c/0x468\n ret_from_fork+0x10/0x20"
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "7ac9e18f5d66",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "a992425d18e5",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "b513d30d59bb",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/7ac9e18f5d66087cd22751c5c5bf0090eb0038fe"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/a992425d18e5f7c48931121993c6c69426f2a8fb"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/b513d30d59bb383a6a5d6b533afcab2cee99a8f8"
+ }
+ ],
+ "title": "scsi: ufs: core: Fix shift issue in ufshcd_clear_cmd()",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26842",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
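Review bot: Both `affected` entries in this record overstate the vulnerable range: the git entries start at `"version": "1da177e4c3f4"`, the root commit of the kernel's git history, and the second entry sets `"defaultStatus": "affected"` with no lower bound, so every release outside 6.6.19+, 6.7.7+ and 6.8+ is reported as vulnerable. The description ties the fault to `task_tag >= 32` in MCQ mode and the fix is listed only for 6.6 and 6.7, which suggests (not confirmed from this page) that older trees never carried the faulty code; scanners consuming the record will flag them anyway. Once the introducing commit is identified, replace the root hash with it and add a lower bound such as `{"version": "0", "lessThan": "<INTRODUCING_RELEASE>", "status": "unaffected", "versionType": "custom"}`. The same root-commit ranges appear in the CVE-2024-26843.json, CVE-2024-26844.json and CVE-2024-26845.json hunks below.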
diff --git a/cve/published/2024/CVE-2024-26842.mbox b/cve/published/2024/CVE-2024-26842.mbox
new file mode 100644
index 00000000..b5f19f2d
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26842.mbox
@@ -0,0 +1,106 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26842: scsi: ufs: core: Fix shift issue in ufshcd_clear_cmd()
+Message-Id: <2024041716-CVE-2024-26842-d556@gregkh>
+Content-Length: 3140
+Lines: 89
+X-Developer-Signature: v=1; a=openpgp-sha256; l=3230;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=3fGtQNrDvdprLh0/EM+mS5eJJMMY7qH97zNzhL2hNGM=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGnyCzg4FOe9Ck5vlGAtnWRqfUlqW9yJZvlYqZuCU+edM
+ xTzmX+2I5aFQZCJQVZMkeXLNp6j+ysOKXoZ2p6GmcPKBDKEgYtTACZS/J9hnuZh373yp05P8Tuw
+ T0vLe7rb5VuXOhjmcB67JLIn0DrFPzXxl6Zn6pYspoMBAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+scsi: ufs: core: Fix shift issue in ufshcd_clear_cmd()
+
+When task_tag >= 32 (in MCQ mode) and sizeof(unsigned int) == 4, 1U <<
+task_tag will out of bounds for a u32 mask. Fix this up to prevent
+SHIFT_ISSUE (bitwise shifts that are out of bounds for their data type).
+
+[name:debug_monitors&]Unexpected kernel BRK exception at EL1
+[name:traps&]Internal error: BRK handler: 00000000f2005514 [#1] PREEMPT SMP
+[name:mediatek_cpufreq_hw&]cpufreq stop DVFS log done
+[name:mrdump&]Kernel Offset: 0x1ba5800000 from 0xffffffc008000000
+[name:mrdump&]PHYS_OFFSET: 0x80000000
+[name:mrdump&]pstate: 22400005 (nzCv daif +PAN -UAO)
+[name:mrdump&]pc : [0xffffffdbaf52bb2c] ufshcd_clear_cmd+0x280/0x288
+[name:mrdump&]lr : [0xffffffdbaf52a774] ufshcd_wait_for_dev_cmd+0x3e4/0x82c
+[name:mrdump&]sp : ffffffc0081471b0
+<snip>
+Workqueue: ufs_eh_wq_0 ufshcd_err_handler
+Call trace:
+ dump_backtrace+0xf8/0x144
+ show_stack+0x18/0x24
+ dump_stack_lvl+0x78/0x9c
+ dump_stack+0x18/0x44
+ mrdump_common_die+0x254/0x480 [mrdump]
+ ipanic_die+0x20/0x30 [mrdump]
+ notify_die+0x15c/0x204
+ die+0x10c/0x5f8
+ arm64_notify_die+0x74/0x13c
+ do_debug_exception+0x164/0x26c
+ el1_dbg+0x64/0x80
+ el1h_64_sync_handler+0x3c/0x90
+ el1h_64_sync+0x68/0x6c
+ ufshcd_clear_cmd+0x280/0x288
+ ufshcd_wait_for_dev_cmd+0x3e4/0x82c
+ ufshcd_exec_dev_cmd+0x5bc/0x9ac
+ ufshcd_verify_dev_init+0x84/0x1c8
+ ufshcd_probe_hba+0x724/0x1ce0
+ ufshcd_host_reset_and_restore+0x260/0x574
+ ufshcd_reset_and_restore+0x138/0xbd0
+ ufshcd_err_handler+0x1218/0x2f28
+ process_one_work+0x5fc/0x1140
+ worker_thread+0x7d8/0xe20
+ kthread+0x25c/0x468
+ ret_from_fork+0x10/0x20
+
+The Linux kernel CVE team has assigned CVE-2024-26842 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 6.6.19 with commit 7ac9e18f5d66
+ Fixed in 6.7.7 with commit a992425d18e5
+ Fixed in 6.8 with commit b513d30d59bb
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26842
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/ufs/core/ufshcd.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/7ac9e18f5d66087cd22751c5c5bf0090eb0038fe
+ https://git.kernel.org/stable/c/a992425d18e5f7c48931121993c6c69426f2a8fb
+ https://git.kernel.org/stable/c/b513d30d59bb383a6a5d6b533afcab2cee99a8f8
diff --git a/cve/published/2024/CVE-2024-26842.sha1 b/cve/published/2024/CVE-2024-26842.sha1
new file mode 100644
index 00000000..b0f6d0d8
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26842.sha1
@@ -0,0 +1 @@
+b513d30d59bb383a6a5d6b533afcab2cee99a8f8
diff --git a/cve/reserved/2024/CVE-2024-26843 b/cve/published/2024/CVE-2024-26843
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26843
+++ b/cve/published/2024/CVE-2024-26843
diff --git a/cve/published/2024/CVE-2024-26843.json b/cve/published/2024/CVE-2024-26843.json
new file mode 100644
index 00000000..59ae35df
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26843.json
@@ -0,0 +1,138 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nefi: runtime: Fix potential overflow of soft-reserved region size\n\nmd_size will have been narrowed if we have >= 4GB worth of pages in a\nsoft-reserved region."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "4fff3d735bae",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "4aa36b62c3ea",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "700c3f642c32",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "cf3d6813601f",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "156cb12ffdcf",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "de1034b38a34",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.10.211",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.150",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.80",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/4fff3d735baea104017f2e3c245e27cdc79f2426"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/4aa36b62c3eaa869860bf78b1146e9f2b5f782a9"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/700c3f642c32721f246e09d3a9511acf40ae42be"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/cf3d6813601fe496de7f023435e31bfffa74ae70"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/156cb12ffdcf33883304f0db645e1eadae712fe0"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/de1034b38a346ef6be25fe8792f5d1e0684d5ff4"
+ }
+ ],
+ "title": "efi: runtime: Fix potential overflow of soft-reserved region size",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26843",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26843.mbox b/cve/published/2024/CVE-2024-26843.mbox
new file mode 100644
index 00000000..c069718a
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26843.mbox
@@ -0,0 +1,74 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26843: efi: runtime: Fix potential overflow of soft-reserved region size
+Message-Id: <2024041716-CVE-2024-26843-51a0@gregkh>
+Content-Length: 2110
+Lines: 57
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2168;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=8e6Lxvyhp1fBaBTI84QME8I2zknO/7LDqZVXija3crE=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGnyCzhm7zbhffP+8rTM4usrpnbsyl3Y2yUUHva1osmly
+ 0xM5w9jRywLgyATg6yYIsuXbTxH91ccUvQytD0NM4eVCWQIAxenAEzkylaGBUutE8Ui1Oo9ko2S
+ eCoKrB7s4+NfyjA/O0fj0/996XdDC5okLJJCpLbll/ACAA==
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+efi: runtime: Fix potential overflow of soft-reserved region size
+
+md_size will have been narrowed if we have >= 4GB worth of pages in a
+soft-reserved region.
+
+The Linux kernel CVE team has assigned CVE-2024-26843 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 5.10.211 with commit 4fff3d735bae
+ Fixed in 5.15.150 with commit 4aa36b62c3ea
+ Fixed in 6.1.80 with commit 700c3f642c32
+ Fixed in 6.6.19 with commit cf3d6813601f
+ Fixed in 6.7.7 with commit 156cb12ffdcf
+ Fixed in 6.8 with commit de1034b38a34
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26843
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/firmware/efi/arm-runtime.c
+ drivers/firmware/efi/riscv-runtime.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/4fff3d735baea104017f2e3c245e27cdc79f2426
+ https://git.kernel.org/stable/c/4aa36b62c3eaa869860bf78b1146e9f2b5f782a9
+ https://git.kernel.org/stable/c/700c3f642c32721f246e09d3a9511acf40ae42be
+ https://git.kernel.org/stable/c/cf3d6813601fe496de7f023435e31bfffa74ae70
+ https://git.kernel.org/stable/c/156cb12ffdcf33883304f0db645e1eadae712fe0
+ https://git.kernel.org/stable/c/de1034b38a346ef6be25fe8792f5d1e0684d5ff4
diff --git a/cve/published/2024/CVE-2024-26843.sha1 b/cve/published/2024/CVE-2024-26843.sha1
new file mode 100644
index 00000000..d5aa1c22
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26843.sha1
@@ -0,0 +1 @@
+de1034b38a346ef6be25fe8792f5d1e0684d5ff4
diff --git a/cve/reserved/2024/CVE-2024-26844 b/cve/published/2024/CVE-2024-26844
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26844
+++ b/cve/published/2024/CVE-2024-26844
diff --git a/cve/published/2024/CVE-2024-26844.json b/cve/published/2024/CVE-2024-26844.json
new file mode 100644
index 00000000..0d40591c
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26844.json
@@ -0,0 +1,108 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: Fix WARNING in _copy_from_iter\n\nSyzkaller reports a warning in _copy_from_iter because an\niov_iter is supposedly used in the wrong direction. The reason\nis that syzcaller managed to generate a request with\na transfer direction of SG_DXFER_TO_FROM_DEV. This instructs\nthe kernel to copy user buffers into the kernel, read into\nthe copied buffers and then copy the data back to user space.\n\nThus the iovec is used in both directions.\n\nDetect this situation in the block layer and construct a new\niterator with the correct direction for the copy-in."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "8fc80874103a",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "0f1bae071de9",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "cbaf9be337f7",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "13f3956eb568",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "6.1.80",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/8fc80874103a5c20aebdc2401361aa01c817f75b"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/0f1bae071de9967602807472921829a54b2e5956"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/cbaf9be337f7da25742acfce325119e3395b1f1b"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/13f3956eb5681a4045a8dfdef48df5dc4d9f58a6"
+ }
+ ],
+ "title": "block: Fix WARNING in _copy_from_iter",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26844",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26844.mbox b/cve/published/2024/CVE-2024-26844.mbox
new file mode 100644
index 00000000..0d9bfb96
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26844.mbox
@@ -0,0 +1,78 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26844: block: Fix WARNING in _copy_from_iter
+Message-Id: <2024041716-CVE-2024-26844-c534@gregkh>
+Content-Length: 2212
+Lines: 61
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2274;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=2c3h+d9SduOgvUFIww78oVWFag5Rd9R+ZUjdptqhSs8=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGnyCzik7n/eHjplx/z3CTr378ZWX9odsbjZ0lD5qOumh
+ xHWwu7nOmJZGASZGGTFFFm+bOM5ur/ikKKXoe1pmDmsTCBDGLg4BWAiW2UY5mnuP/RGOlSuloXj
+ HqvRXGvLihMbtjIsmPWcgfnZ3eSjx3p+b1m/effNuIKG/QA=
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+block: Fix WARNING in _copy_from_iter
+
+Syzkaller reports a warning in _copy_from_iter because an
+iov_iter is supposedly used in the wrong direction. The reason
+is that syzcaller managed to generate a request with
+a transfer direction of SG_DXFER_TO_FROM_DEV. This instructs
+the kernel to copy user buffers into the kernel, read into
+the copied buffers and then copy the data back to user space.
+
+Thus the iovec is used in both directions.
+
+Detect this situation in the block layer and construct a new
+iterator with the correct direction for the copy-in.
+
+The Linux kernel CVE team has assigned CVE-2024-26844 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 6.1.80 with commit 8fc80874103a
+ Fixed in 6.6.19 with commit 0f1bae071de9
+ Fixed in 6.7.7 with commit cbaf9be337f7
+ Fixed in 6.8 with commit 13f3956eb568
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26844
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ block/blk-map.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/8fc80874103a5c20aebdc2401361aa01c817f75b
+ https://git.kernel.org/stable/c/0f1bae071de9967602807472921829a54b2e5956
+ https://git.kernel.org/stable/c/cbaf9be337f7da25742acfce325119e3395b1f1b
+ https://git.kernel.org/stable/c/13f3956eb5681a4045a8dfdef48df5dc4d9f58a6
diff --git a/cve/published/2024/CVE-2024-26844.sha1 b/cve/published/2024/CVE-2024-26844.sha1
new file mode 100644
index 00000000..281e6693
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26844.sha1
@@ -0,0 +1 @@
+13f3956eb5681a4045a8dfdef48df5dc4d9f58a6
diff --git a/cve/reserved/2024/CVE-2024-26845 b/cve/published/2024/CVE-2024-26845
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26845
+++ b/cve/published/2024/CVE-2024-26845
diff --git a/cve/published/2024/CVE-2024-26845.json b/cve/published/2024/CVE-2024-26845.json
new file mode 100644
index 00000000..a583d3f9
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26845.json
@@ -0,0 +1,168 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: core: Add TMF to tmr_list handling\n\nAn abort that is responded to by iSCSI itself is added to tmr_list but does\nnot go to target core. A LUN_RESET that goes through tmr_list takes a\nrefcounter on the abort and waits for completion. However, the abort will\nbe never complete because it was not started in target core.\n\n Unable to locate ITT: 0x05000000 on CID: 0\n Unable to locate RefTaskTag: 0x05000000 on CID: 0.\n wait_for_tasks: Stopping tmf LUN_RESET with tag 0x0 ref_task_tag 0x0 i_state 34 t_state ISTATE_PROCESSING refcnt 2 transport_state active,stop,fabric_stop\n wait for tasks: tmf LUN_RESET with tag 0x0 ref_task_tag 0x0 i_state 34 t_state ISTATE_PROCESSING refcnt 2 transport_state active,stop,fabric_stop\n...\n INFO: task kworker/0:2:49 blocked for more than 491 seconds.\n task:kworker/0:2 state:D stack: 0 pid: 49 ppid: 2 flags:0x00000800\n Workqueue: events target_tmr_work [target_core_mod]\nCall Trace:\n __switch_to+0x2c4/0x470\n _schedule+0x314/0x1730\n schedule+0x64/0x130\n schedule_timeout+0x168/0x430\n wait_for_completion+0x140/0x270\n target_put_cmd_and_wait+0x64/0xb0 [target_core_mod]\n core_tmr_lun_reset+0x30/0xa0 [target_core_mod]\n target_tmr_work+0xc8/0x1b0 [target_core_mod]\n process_one_work+0x2d4/0x5d0\n worker_thread+0x78/0x6c0\n\nTo fix this, only add abort to tmr_list if it will be handled by target\ncore."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "425a571a7e6f",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "11f3fe5001ed",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "168ed59170de",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "a9849b67b440",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "e717bd412001",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "36bc5040c863",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "bd508f96b5fe",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "83ab68168a3d",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "4.19.308",
+ "lessThanOrEqual": "4.19.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.4.270",
+ "lessThanOrEqual": "5.4.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.10.211",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.150",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.80",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/425a571a7e6fc389954cf2564e1edbba3740e171"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/11f3fe5001ed05721e641f0ecaa7a73b7deb245d"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/168ed59170de1fd7274080fe102216162d6826cf"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/a9849b67b4402a12eb35eadc9306c1ef9847d53d"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/e717bd412001495f17400bfc09f606f1b594ef5a"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/36bc5040c863b44af06094b22f1e50059227b9cb"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/bd508f96b5fef96d8a0ce9cbb211d82bcfc2341f"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/83ab68168a3d990d5ff39ab030ad5754cbbccb25"
+ }
+ ],
+ "title": "scsi: target: core: Add TMF to tmr_list handling",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26845",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
diff --git a/cve/published/2024/CVE-2024-26845.mbox b/cve/published/2024/CVE-2024-26845.mbox
new file mode 100644
index 00000000..b572d634
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26845.mbox
@@ -0,0 +1,103 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26845: scsi: target: core: Add TMF to tmr_list handling
+Message-Id: <2024041717-CVE-2024-26845-90d2@gregkh>
+Content-Length: 3547
+Lines: 86
+X-Developer-Signature: v=1; a=openpgp-sha256; l=3634;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=+UsDjCNClT7bNbg8FQViwSwoyAmqd+wbOqCP8XW2iJA=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGnyCzgL2jo0u1er7M/8PeP1gT+h90XskufbvF6/7O7Td
+ asKLh/Y0hHLwiDIxCArpsjyZRvP0f0VhxS9DG1Pw8xhZQIZwsDFKQATuS7KML9Cu9P899eoEx/q
+ J6vm/DadM/l3+DeGOTx3ut/In3l6sODC5Iwtj1fFcUY/9gQA
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+scsi: target: core: Add TMF to tmr_list handling
+
+An abort that is responded to by iSCSI itself is added to tmr_list but does
+not go to target core. A LUN_RESET that goes through tmr_list takes a
+refcounter on the abort and waits for completion. However, the abort will
+be never complete because it was not started in target core.
+
+ Unable to locate ITT: 0x05000000 on CID: 0
+ Unable to locate RefTaskTag: 0x05000000 on CID: 0.
+ wait_for_tasks: Stopping tmf LUN_RESET with tag 0x0 ref_task_tag 0x0 i_state 34 t_state ISTATE_PROCESSING refcnt 2 transport_state active,stop,fabric_stop
+ wait for tasks: tmf LUN_RESET with tag 0x0 ref_task_tag 0x0 i_state 34 t_state ISTATE_PROCESSING refcnt 2 transport_state active,stop,fabric_stop
+...
+ INFO: task kworker/0:2:49 blocked for more than 491 seconds.
+ task:kworker/0:2 state:D stack: 0 pid: 49 ppid: 2 flags:0x00000800
+ Workqueue: events target_tmr_work [target_core_mod]
+Call Trace:
+ __switch_to+0x2c4/0x470
+ _schedule+0x314/0x1730
+ schedule+0x64/0x130
+ schedule_timeout+0x168/0x430
+ wait_for_completion+0x140/0x270
+ target_put_cmd_and_wait+0x64/0xb0 [target_core_mod]
+ core_tmr_lun_reset+0x30/0xa0 [target_core_mod]
+ target_tmr_work+0xc8/0x1b0 [target_core_mod]
+ process_one_work+0x2d4/0x5d0
+ worker_thread+0x78/0x6c0
+
+To fix this, only add abort to tmr_list if it will be handled by target
+core.
+
+The Linux kernel CVE team has assigned CVE-2024-26845 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 4.19.308 with commit 425a571a7e6f
+ Fixed in 5.4.270 with commit 11f3fe5001ed
+ Fixed in 5.10.211 with commit 168ed59170de
+ Fixed in 5.15.150 with commit a9849b67b440
+ Fixed in 6.1.80 with commit e717bd412001
+ Fixed in 6.6.19 with commit 36bc5040c863
+ Fixed in 6.7.7 with commit bd508f96b5fe
+ Fixed in 6.8 with commit 83ab68168a3d
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26845
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/target/target_core_device.c
+ drivers/target/target_core_transport.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/425a571a7e6fc389954cf2564e1edbba3740e171
+ https://git.kernel.org/stable/c/11f3fe5001ed05721e641f0ecaa7a73b7deb245d
+ https://git.kernel.org/stable/c/168ed59170de1fd7274080fe102216162d6826cf
+ https://git.kernel.org/stable/c/a9849b67b4402a12eb35eadc9306c1ef9847d53d
+ https://git.kernel.org/stable/c/e717bd412001495f17400bfc09f606f1b594ef5a
+ https://git.kernel.org/stable/c/36bc5040c863b44af06094b22f1e50059227b9cb
+ https://git.kernel.org/stable/c/bd508f96b5fef96d8a0ce9cbb211d82bcfc2341f
+ https://git.kernel.org/stable/c/83ab68168a3d990d5ff39ab030ad5754cbbccb25
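Review bot: The Description section never states the operational impact or which hosts are exposed, so a reader triaging this record has to infer both from the call trace. The trace shows a kworker running target_tmr_work in state D, blocked in wait_for_completion() for more than 491 seconds, which reads as a hang in LUN_RESET processing. The `[target_core_mod]` frames and the iSCSI wording suggest exposure is limited to hosts running the kernel SCSI target with the iSCSI fabric (inferred, not stated in the record). I would add one line ahead of the log excerpt, for example `Impact: the LUN_RESET work item blocks indefinitely in wait_for_completion() (hung task in target_tmr_work).`, and label the indented log lines as the symptom to look for in the kernel log.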
diff --git a/cve/published/2024/CVE-2024-26845.sha1 b/cve/published/2024/CVE-2024-26845.sha1
new file mode 100644
index 00000000..666c642b
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26845.sha1
@@ -0,0 +1 @@
+83ab68168a3d990d5ff39ab030ad5754cbbccb25
diff --git a/cve/reserved/2024/CVE-2024-26846 b/cve/published/2024/CVE-2024-26846
index e69de29b..e69de29b 100644
--- a/cve/reserved/2024/CVE-2024-26846
+++ b/cve/published/2024/CVE-2024-26846
diff --git a/cve/published/2024/CVE-2024-26846.json b/cve/published/2024/CVE-2024-26846.json
new file mode 100644
index 00000000..a369a8d5
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26846.json
@@ -0,0 +1,138 @@
+{
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
+ },
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-fc: do not wait in vain when unloading module\n\nThe module exit path has race between deleting all controllers and\nfreeing 'left over IDs'. To prevent double free a synchronization\nbetween nvme_delete_ctrl and ida_destroy has been added by the initial\ncommit.\n\nThere is some logic around trying to prevent from hanging forever in\nwait_for_completion, though it does not handling all cases. E.g.\nblktests is able to reproduce the situation where the module unload\nhangs forever.\n\nIf we completely rely on the cleanup code executed from the\nnvme_delete_ctrl path, all IDs will be freed eventually. This makes\ncalling ida_destroy unnecessary. We only have to ensure that all\nnvme_delete_ctrl code has been executed before we leave\nnvme_fc_exit_module. This is done by flushing the nvme_delete_wq\nworkqueue.\n\nWhile at it, remove the unused nvme_fc_wq workqueue too."
+ }
+ ],
+ "affected": [
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "unaffected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "4f2c95015ec2",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "0bf567d6d9ff",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "085195aa90a9",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "baa6b7eb8c66",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "c0882c366418",
+ "status": "affected",
+ "versionType": "git"
+ },
+ {
+ "version": "1da177e4c3f4",
+ "lessThan": "70fbfc47a392",
+ "status": "affected",
+ "versionType": "git"
+ }
+ ]
+ },
+ {
+ "product": "Linux",
+ "vendor": "Linux",
+ "defaultStatus": "affected",
+ "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
+ "versions": [
+ {
+ "version": "5.10.211",
+ "lessThanOrEqual": "5.10.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "5.15.150",
+ "lessThanOrEqual": "5.15.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.1.80",
+ "lessThanOrEqual": "6.1.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.6.19",
+ "lessThanOrEqual": "6.6.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.7.7",
+ "lessThanOrEqual": "6.7.*",
+ "status": "unaffected",
+ "versionType": "custom"
+ },
+ {
+ "version": "6.8",
+ "lessThanOrEqual": "*",
+ "status": "unaffected",
+ "versionType": "original_commit_for_fix"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://git.kernel.org/stable/c/4f2c95015ec2a1899161be6c0bdaecedd5a7bfb2"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/0bf567d6d9ffe09e059bbdfb4d07143cef42c75c"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/085195aa90a924c79e35569bcdad860d764a8e17"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/baa6b7eb8c66486bd64608adc63fe03b30d3c0b9"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/c0882c366418bf9c19e1ba7f270fe377a9bf5d67"
+ },
+ {
+ "url": "https://git.kernel.org/stable/c/70fbfc47a392b98e5f8dba70c6efc6839205c982"
+ }
+ ],
+ "title": "nvme-fc: do not wait in vain when unloading module",
+ "x_generator": {
+ "engine": "bippy-d175d3acf727"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
+ "cveID": "CVE-2024-26846",
+ "requesterUserId": "gregkh@kernel.org",
+ "serial": "1",
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0"
+}
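Review bot: Both `affected` blocks leave the lower bound of the vulnerable range open. Every git entry starts at `1da177e4c3f4`, which looks like the root of the kernel history rather than the commit that added the nvme_delete_ctrl/ida_destroy synchronization, and the version block sets `"defaultStatus": "affected"` while listing only `unaffected` entries. A scanner matching on this record will therefore flag every kernel release not listed as fixed, including ones that may predate the code in drivers/nvme/host/fc.c. If the introducing commit can be identified, the git entries should start from it, and the version block should carry `{"version": "<INTRODUCED_RELEASE>", "status": "affected"}` with an `unaffected` range below it (placeholder; the release is not given on this page). The CVE-2024-26846.mbox announcement that follows has the same gap: it lists only "Fixed in" lines.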
diff --git a/cve/published/2024/CVE-2024-26846.mbox b/cve/published/2024/CVE-2024-26846.mbox
new file mode 100644
index 00000000..a1447d34
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26846.mbox
@@ -0,0 +1,89 @@
+From bippy-d175d3acf727 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+To: <linux-cve-announce@vger.kernel.org>
+Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
+Subject: CVE-2024-26846: nvme-fc: do not wait in vain when unloading module
+Message-Id: <2024041717-CVE-2024-26846-9593@gregkh>
+Content-Length: 2767
+Lines: 72
+X-Developer-Signature: v=1; a=openpgp-sha256; l=2840;
+ i=gregkh@linuxfoundation.org; h=from:subject:message-id;
+ bh=9tQOZ93/mwbA0h2OFKR9p/ihdSltEp1H12LQ/zqLn9E=;
+ b=owGbwMvMwCRo6H6F97bub03G02pJDGnyCzifL4sw/KLWoWt4NEJD7eCzx46PXr6Y47B5VuKH5
+ /8YMvpUO2JZGASZGGTFFFm+bOM5ur/ikKKXoe1pmDmsTCBDGLg4BWAiN9IZ5if+u7q1JSz564wZ
+ LLEKvxcYl60XV2ZYMHfxy73+j1/sPMjWPPUEx+/z1TM/pwEA
+X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp;
+ fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29
+
+Description
+===========
+
+In the Linux kernel, the following vulnerability has been resolved:
+
+nvme-fc: do not wait in vain when unloading module
+
+The module exit path has race between deleting all controllers and
+freeing 'left over IDs'. To prevent double free a synchronization
+between nvme_delete_ctrl and ida_destroy has been added by the initial
+commit.
+
+There is some logic around trying to prevent from hanging forever in
+wait_for_completion, though it does not handling all cases. E.g.
+blktests is able to reproduce the situation where the module unload
+hangs forever.
+
+If we completely rely on the cleanup code executed from the
+nvme_delete_ctrl path, all IDs will be freed eventually. This makes
+calling ida_destroy unnecessary. We only have to ensure that all
+nvme_delete_ctrl code has been executed before we leave
+nvme_fc_exit_module. This is done by flushing the nvme_delete_wq
+workqueue.
+
+While at it, remove the unused nvme_fc_wq workqueue too.
+
+The Linux kernel CVE team has assigned CVE-2024-26846 to this issue.
+
+
+Affected and fixed versions
+===========================
+
+ Fixed in 5.10.211 with commit 4f2c95015ec2
+ Fixed in 5.15.150 with commit 0bf567d6d9ff
+ Fixed in 6.1.80 with commit 085195aa90a9
+ Fixed in 6.6.19 with commit baa6b7eb8c66
+ Fixed in 6.7.7 with commit c0882c366418
+ Fixed in 6.8 with commit 70fbfc47a392
+
+Please see https://www.kernel.org for a full list of currently supported
+kernel versions by the kernel community.
+
+Unaffected versions might change over time as fixes are backported to
+older supported kernel versions. The official CVE entry at
+ https://cve.org/CVERecord/?id=CVE-2024-26846
+will be updated if fixes are backported, please check that for the most
+up to date information about this issue.
+
+
+Affected files
+==============
+
+The file(s) affected by this issue are:
+ drivers/nvme/host/fc.c
+
+
+Mitigation
+==========
+
+The Linux kernel CVE team recommends that you update to the latest
+stable kernel version for this, and many other bugfixes. Individual
+changes are never tested alone, but rather are part of a larger kernel
+release. Cherry-picking individual commits is not recommended or
+supported by the Linux kernel community at all. If however, updating to
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
+ https://git.kernel.org/stable/c/4f2c95015ec2a1899161be6c0bdaecedd5a7bfb2
+ https://git.kernel.org/stable/c/0bf567d6d9ffe09e059bbdfb4d07143cef42c75c
+ https://git.kernel.org/stable/c/085195aa90a924c79e35569bcdad860d764a8e17
+ https://git.kernel.org/stable/c/baa6b7eb8c66486bd64608adc63fe03b30d3c0b9
+ https://git.kernel.org/stable/c/c0882c366418bf9c19e1ba7f270fe377a9bf5d67
+ https://git.kernel.org/stable/c/70fbfc47a392b98e5f8dba70c6efc6839205c982
diff --git a/cve/published/2024/CVE-2024-26846.sha1 b/cve/published/2024/CVE-2024-26846.sha1
new file mode 100644
index 00000000..2e38ef03
--- /dev/null
+++ b/cve/published/2024/CVE-2024-26846.sha1
@@ -0,0 +1 @@
+70fbfc47a392b98e5f8dba70c6efc6839205c982