admin/cvelist
1
0
Fork 0
mirror of https://github.com/CVEProject/cvelist.git synced 2025-07-29 05:56:59 +00:00
Code Issues Packages Projects Releases Wiki Activity

"-Synchronized-Data."

Browse Source
This commit is contained in:
CVE Team 2024-12-29 03:19:53 +00:00
parent e1f86be29b
commit f4f1e680d3
No known key found for this signature in database
GPG Key ID: BC5FD8F2443B23B7
13 changed files with 1641 additions and 52 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

104
2024/53xxx/CVE-2024-53164.json
View File

@ -1,18 +1,114 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-53164",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "cve@kernel.org",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: fix ordering of qlen adjustment\n\nChanges to sch->q.qlen around qdisc_tree_reduce_backlog() need to happen\n_before_ a call to said function because otherwise it may fail to notify\nparent qdiscs when the child is about to become empty."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Linux",
"product": {
"product_data": [
{
"product_name": "Linux",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"version_value": "489422e2befff88a1de52b2acebe7b333bded025"
},
{
"version_value": "not down converted",
"x_cve_json_5_version_data": {
"versions": [
{
"version": "6.1.122",
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.6.68",
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.12.7",
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.13-rc2",
"lessThanOrEqual": "*",
"status": "unaffected",
"versionType": "original_commit_for_fix"
}
],
"defaultStatus": "affected"
}
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://git.kernel.org/stable/c/489422e2befff88a1de52b2acebe7b333bded025",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/489422e2befff88a1de52b2acebe7b333bded025"
},
{
"url": "https://git.kernel.org/stable/c/97e13434b5da8e91bdf965352fad2141d13d72d3",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/97e13434b5da8e91bdf965352fad2141d13d72d3"
},
{
"url": "https://git.kernel.org/stable/c/e3e54ad9eff8bdaa70f897e5342e34b76109497f",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/e3e54ad9eff8bdaa70f897e5342e34b76109497f"
},
{
"url": "https://git.kernel.org/stable/c/5eb7de8cd58e73851cd37ff8d0666517d9926948",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/5eb7de8cd58e73851cd37ff8d0666517d9926948"
}
]
},
"generator": {
"engine": "bippy-5f407fcff5a0"
}
}

169
2024/53xxx/CVE-2024-53165.json
View File

@ -1,18 +1,179 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-53165",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "cve@kernel.org",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsh: intc: Fix use-after-free bug in register_intc_controller()\n\nIn the error handling for this function, d is freed without ever\nremoving it from intc_list which would lead to a use after free.\nTo fix this, let's only add it to the list after everything has\nsucceeded."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Linux",
"product": {
"product_data": [
{
"product_name": "Linux",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "2dcec7a988a1895540460a0bf5603bab63d5a3ed",
"version_value": "3c7c806b3eafd94ae0f77305a174d63b69ec187c"
},
{
"version_value": "not down converted",
"x_cve_json_5_version_data": {
"versions": [
{
"version": "2.6.30",
"status": "affected"
},
{
"version": "0",
"lessThan": "2.6.30",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "4.19.325",
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.4.287",
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.10.231",
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.15.174",
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.1.120",
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.6.64",
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.11.11",
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.12.2",
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.13-rc1",
"lessThanOrEqual": "*",
"status": "unaffected",
"versionType": "original_commit_for_fix"
}
],
"defaultStatus": "affected"
}
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://git.kernel.org/stable/c/3c7c806b3eafd94ae0f77305a174d63b69ec187c",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/3c7c806b3eafd94ae0f77305a174d63b69ec187c"
},
{
"url": "https://git.kernel.org/stable/c/d8de818df12d86a1a26a8efd7b4b3b9c6dc3c5cc",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/d8de818df12d86a1a26a8efd7b4b3b9c6dc3c5cc"
},
{
"url": "https://git.kernel.org/stable/c/971b4893457788e0e123ea552f0bb126a5300e61",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/971b4893457788e0e123ea552f0bb126a5300e61"
},
{
"url": "https://git.kernel.org/stable/c/c3f4f4547fb291982f5ef56c048277c4d5ccc4e4",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/c3f4f4547fb291982f5ef56c048277c4d5ccc4e4"
},
{
"url": "https://git.kernel.org/stable/c/c43df7dae28fb9fce96ef088250c1e3c3a77c527",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/c43df7dae28fb9fce96ef088250c1e3c3a77c527"
},
{
"url": "https://git.kernel.org/stable/c/b8b84dcdf3ab1d414304819f824b10efba64132c",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/b8b84dcdf3ab1d414304819f824b10efba64132c"
},
{
"url": "https://git.kernel.org/stable/c/6ba6e19912570b2ad68298be0be1dc779014a303",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/6ba6e19912570b2ad68298be0be1dc779014a303"
},
{
"url": "https://git.kernel.org/stable/c/588bdec1ff8b81517dbae0ae51c9df52c0b952d3",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/588bdec1ff8b81517dbae0ae51c9df52c0b952d3"
},
{
"url": "https://git.kernel.org/stable/c/63e72e551942642c48456a4134975136cdcb9b3c",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/63e72e551942642c48456a4134975136cdcb9b3c"
}
]
},
"generator": {
"engine": "bippy-5f407fcff5a0"
}
}

114
2024/53xxx/CVE-2024-53166.json
View File

@ -1,18 +1,124 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-53166",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "cve@kernel.org",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock, bfq: fix bfqq uaf in bfq_limit_depth()\n\nSet new allocated bfqq to bic or remove freed bfqq from bic are both\nprotected by bfqd->lock, however bfq_limit_depth() is deferencing bfqq\nfrom bic without the lock, this can lead to UAF if the io_context is\nshared by multiple tasks.\n\nFor example, test bfq with io_uring can trigger following UAF in v6.6:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in bfqq_group+0x15/0x50\n\nCall Trace:\n <TASK>\n dump_stack_lvl+0x47/0x80\n print_address_description.constprop.0+0x66/0x300\n print_report+0x3e/0x70\n kasan_report+0xb4/0xf0\n bfqq_group+0x15/0x50\n bfqq_request_over_limit+0x130/0x9a0\n bfq_limit_depth+0x1b5/0x480\n __blk_mq_alloc_requests+0x2b5/0xa00\n blk_mq_get_new_requests+0x11d/0x1d0\n blk_mq_submit_bio+0x286/0xb00\n submit_bio_noacct_nocheck+0x331/0x400\n __block_write_full_folio+0x3d0/0x640\n writepage_cb+0x3b/0xc0\n write_cache_pages+0x254/0x6c0\n write_cache_pages+0x254/0x6c0\n do_writepages+0x192/0x310\n filemap_fdatawrite_wbc+0x95/0xc0\n __filemap_fdatawrite_range+0x99/0xd0\n filemap_write_and_wait_range.part.0+0x4d/0xa0\n blkdev_read_iter+0xef/0x1e0\n io_read+0x1b6/0x8a0\n io_issue_sqe+0x87/0x300\n io_wq_submit_work+0xeb/0x390\n io_worker_handle_work+0x24d/0x550\n io_wq_worker+0x27f/0x6c0\n ret_from_fork_asm+0x1b/0x30\n </TASK>\n\nAllocated by task 808602:\n kasan_save_stack+0x1e/0x40\n kasan_set_track+0x21/0x30\n __kasan_slab_alloc+0x83/0x90\n kmem_cache_alloc_node+0x1b1/0x6d0\n bfq_get_queue+0x138/0xfa0\n bfq_get_bfqq_handle_split+0xe3/0x2c0\n bfq_init_rq+0x196/0xbb0\n bfq_insert_request.isra.0+0xb5/0x480\n bfq_insert_requests+0x156/0x180\n blk_mq_insert_request+0x15d/0x440\n blk_mq_submit_bio+0x8a4/0xb00\n submit_bio_noacct_nocheck+0x331/0x400\n __blkdev_direct_IO_async+0x2dd/0x330\n blkdev_write_iter+0x39a/0x450\n io_write+0x22a/0x840\n io_issue_sqe+0x87/0x300\n io_wq_submit_work+0xeb/0x390\n io_worker_handle_work+0x24d/0x550\n io_wq_worker+0x27f/0x6c0\n ret_from_fork+0x2d/0x50\n ret_from_fork_asm+0x1b/0x30\n\nFreed by task 808589:\n kasan_save_stack+0x1e/0x40\n kasan_set_track+0x21/0x30\n kasan_save_free_info+0x27/0x40\n __kasan_slab_free+0x126/0x1b0\n kmem_cache_free+0x10c/0x750\n bfq_put_queue+0x2dd/0x770\n __bfq_insert_request.isra.0+0x155/0x7a0\n bfq_insert_request.isra.0+0x122/0x480\n bfq_insert_requests+0x156/0x180\n blk_mq_dispatch_plug_list+0x528/0x7e0\n blk_mq_flush_plug_list.part.0+0xe5/0x590\n __blk_flush_plug+0x3b/0x90\n blk_finish_plug+0x40/0x60\n do_writepages+0x19d/0x310\n filemap_fdatawrite_wbc+0x95/0xc0\n __filemap_fdatawrite_range+0x99/0xd0\n filemap_write_and_wait_range.part.0+0x4d/0xa0\n blkdev_read_iter+0xef/0x1e0\n io_read+0x1b6/0x8a0\n io_issue_sqe+0x87/0x300\n io_wq_submit_work+0xeb/0x390\n io_worker_handle_work+0x24d/0x550\n io_wq_worker+0x27f/0x6c0\n ret_from_fork+0x2d/0x50\n ret_from_fork_asm+0x1b/0x30\n\nFix the problem by protecting bic_to_bfqq() with bfqd->lock."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Linux",
"product": {
"product_data": [
{
"product_name": "Linux",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "76f1df88bbc2f984eb0418cc90de0a8384e63604",
"version_value": "906cdbdd3b018ff69cc830173bce277a847d4fdc"
},
{
"version_value": "not down converted",
"x_cve_json_5_version_data": {
"versions": [
{
"version": "5.17",
"status": "affected"
},
{
"version": "0",
"lessThan": "5.17",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.6.64",
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.11.11",
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.12.2",
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.13-rc1",
"lessThanOrEqual": "*",
"status": "unaffected",
"versionType": "original_commit_for_fix"
}
],
"defaultStatus": "affected"
}
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://git.kernel.org/stable/c/906cdbdd3b018ff69cc830173bce277a847d4fdc",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/906cdbdd3b018ff69cc830173bce277a847d4fdc"
},
{
"url": "https://git.kernel.org/stable/c/dcaa738afde55085ac6056252e319479cf23cde2",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/dcaa738afde55085ac6056252e319479cf23cde2"
},
{
"url": "https://git.kernel.org/stable/c/01a853faaeaf3379ccf358ade582b1d28752126e",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/01a853faaeaf3379ccf358ade582b1d28752126e"
},
{
"url": "https://git.kernel.org/stable/c/e8b8344de3980709080d86c157d24e7de07d70ad",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/e8b8344de3980709080d86c157d24e7de07d70ad"
}
]
},
"generator": {
"engine": "bippy-5f407fcff5a0"
}
}

103
2024/53xxx/CVE-2024-53167.json
View File

@ -1,18 +1,113 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-53167",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "cve@kernel.org",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfs/blocklayout: Don't attempt unregister for invalid block device\n\nSince commit d869da91cccb (\"nfs/blocklayout: Fix premature PR key\nunregistration\") an unmount of a pNFS SCSI layout-enabled NFS may\ndereference a NULL block_device in:\n\n bl_unregister_scsi+0x16/0xe0 [blocklayoutdriver]\n bl_free_device+0x70/0x80 [blocklayoutdriver]\n bl_free_deviceid_node+0x12/0x30 [blocklayoutdriver]\n nfs4_put_deviceid_node+0x60/0xc0 [nfsv4]\n nfs4_deviceid_purge_client+0x132/0x190 [nfsv4]\n unset_pnfs_layoutdriver+0x59/0x60 [nfsv4]\n nfs4_destroy_server+0x36/0x70 [nfsv4]\n nfs_free_server+0x23/0xe0 [nfs]\n deactivate_locked_super+0x30/0xb0\n cleanup_mnt+0xba/0x150\n task_work_run+0x59/0x90\n syscall_exit_to_user_mode+0x217/0x220\n do_syscall_64+0x8e/0x160\n\nThis happens because even though we were able to create the\nnfs4_deviceid_node, the lookup for the device was unable to attach the\nblock device to the pnfs_block_dev.\n\nIf we never found a block device to register, we can avoid this case with\nthe PNFS_BDEV_REGISTERED flag. Move the deref behind the test for the\nflag."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Linux",
"product": {
"product_data": [
{
"product_name": "Linux",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "d869da91cccb90320e101a2758f1e2b3803ade5c",
"version_value": "3402704a424f34bbcca7f4a4503859357f422217"
},
{
"version_value": "not down converted",
"x_cve_json_5_version_data": {
"versions": [
{
"version": "6.11",
"status": "affected"
},
{
"version": "0",
"lessThan": "6.11",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.11.11",
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.12.2",
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.13-rc1",
"lessThanOrEqual": "*",
"status": "unaffected",
"versionType": "original_commit_for_fix"
}
],
"defaultStatus": "affected"
}
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://git.kernel.org/stable/c/3402704a424f34bbcca7f4a4503859357f422217",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/3402704a424f34bbcca7f4a4503859357f422217"
},
{
"url": "https://git.kernel.org/stable/c/faa4bacfaeed827a4ca8cb8529a3ce65a9e8ef46",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/faa4bacfaeed827a4ca8cb8529a3ce65a9e8ef46"
},
{
"url": "https://git.kernel.org/stable/c/3a4ce14d9a6b868e0787e4582420b721c04ee41e",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/3a4ce14d9a6b868e0787e4582420b721c04ee41e"
}
]
},
"generator": {
"engine": "bippy-5f407fcff5a0"
}
}

114
2024/53xxx/CVE-2024-53168.json
View File

@ -1,18 +1,124 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-53168",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "cve@kernel.org",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsunrpc: fix one UAF issue caused by sunrpc kernel tcp socket\n\nBUG: KASAN: slab-use-after-free in tcp_write_timer_handler+0x156/0x3e0\nRead of size 1 at addr ffff888111f322cd by task swapper/0/0\n\nCPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.0-rc4-dirty #7\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1\nCall Trace:\n <IRQ>\n dump_stack_lvl+0x68/0xa0\n print_address_description.constprop.0+0x2c/0x3d0\n print_report+0xb4/0x270\n kasan_report+0xbd/0xf0\n tcp_write_timer_handler+0x156/0x3e0\n tcp_write_timer+0x66/0x170\n call_timer_fn+0xfb/0x1d0\n __run_timers+0x3f8/0x480\n run_timer_softirq+0x9b/0x100\n handle_softirqs+0x153/0x390\n __irq_exit_rcu+0x103/0x120\n irq_exit_rcu+0xe/0x20\n sysvec_apic_timer_interrupt+0x76/0x90\n </IRQ>\n <TASK>\n asm_sysvec_apic_timer_interrupt+0x1a/0x20\nRIP: 0010:default_idle+0xf/0x20\nCode: 4c 01 c7 4c 29 c2 e9 72 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90\n 90 90 90 90 f3 0f 1e fa 66 90 0f 00 2d 33 f8 25 00 fb f4 <fa> c3 cc cc cc\n cc 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90\nRSP: 0018:ffffffffa2007e28 EFLAGS: 00000242\nRAX: 00000000000f3b31 RBX: 1ffffffff4400fc7 RCX: ffffffffa09c3196\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff9f00590f\nRBP: 0000000000000000 R08: 0000000000000001 R09: ffffed102360835d\nR10: ffff88811b041aeb R11: 0000000000000001 R12: 0000000000000000\nR13: ffffffffa202d7c0 R14: 0000000000000000 R15: 00000000000147d0\n default_idle_call+0x6b/0xa0\n cpuidle_idle_call+0x1af/0x1f0\n do_idle+0xbc/0x130\n cpu_startup_entry+0x33/0x40\n rest_init+0x11f/0x210\n start_kernel+0x39a/0x420\n x86_64_start_reservations+0x18/0x30\n x86_64_start_kernel+0x97/0xa0\n common_startup_64+0x13e/0x141\n </TASK>\n\nAllocated by task 595:\n kasan_save_stack+0x24/0x50\n kasan_save_track+0x14/0x30\n __kasan_slab_alloc+0x87/0x90\n kmem_cache_alloc_noprof+0x12b/0x3f0\n copy_net_ns+0x94/0x380\n create_new_namespaces+0x24c/0x500\n unshare_nsproxy_namespaces+0x75/0xf0\n ksys_unshare+0x24e/0x4f0\n __x64_sys_unshare+0x1f/0x30\n do_syscall_64+0x70/0x180\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nFreed by task 100:\n kasan_save_stack+0x24/0x50\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3b/0x60\n __kasan_slab_free+0x54/0x70\n kmem_cache_free+0x156/0x5d0\n cleanup_net+0x5d3/0x670\n process_one_work+0x776/0xa90\n worker_thread+0x2e2/0x560\n kthread+0x1a8/0x1f0\n ret_from_fork+0x34/0x60\n ret_from_fork_asm+0x1a/0x30\n\nReproduction script:\n\nmkdir -p /mnt/nfsshare\nmkdir -p /mnt/nfs/netns_1\nmkfs.ext4 /dev/sdb\nmount /dev/sdb /mnt/nfsshare\nsystemctl restart nfs-server\nchmod 777 /mnt/nfsshare\nexportfs -i -o rw,no_root_squash *:/mnt/nfsshare\n\nip netns add netns_1\nip link add name veth_1_peer type veth peer veth_1\nifconfig veth_1_peer 11.11.0.254 up\nip link set veth_1 netns netns_1\nip netns exec netns_1 ifconfig veth_1 11.11.0.1\n\nip netns exec netns_1 /root/iptables -A OUTPUT -d 11.11.0.254 -p tcp \\\n\t--tcp-flags FIN FIN -j DROP\n\n(note: In my environment, a DESTROY_CLIENTID operation is always sent\n immediately, breaking the nfs tcp connection.)\nip netns exec netns_1 timeout -s 9 300 mount -t nfs -o proto=tcp,vers=4.1 \\\n\t11.11.0.254:/mnt/nfsshare /mnt/nfs/netns_1\n\nip netns del netns_1\n\nThe reason here is that the tcp socket in netns_1 (nfs side) has been\nshutdown and closed (done in xs_destroy), but the FIN message (with ack)\nis discarded, and the nfsd side keeps sending retransmission messages.\nAs a result, when the tcp sock in netns_1 processes the received message,\nit sends the message (FIN message) in the sending queue, and the tcp timer\nis re-established. When the network namespace is deleted, the net structure\naccessed by tcp's timer handler function causes problems.\n\nTo fix this problem, let's hold netns refcnt for the tcp kernel socket as\ndone in other modules. This is an ugly hack which can easily be backported\nto earlier kernels. A proper fix which cleans up the interfaces will\nfollow, but may not be so easy to backport."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Linux",
"product": {
"product_data": [
{
"product_name": "Linux",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe",
"version_value": "0ca87e5063757132a044d35baba40a7d4bb25394"
},
{
"version_value": "not down converted",
"x_cve_json_5_version_data": {
"versions": [
{
"version": "4.2",
"status": "affected"
},
{
"version": "0",
"lessThan": "4.2",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.6.64",
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.11.11",
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.12.2",
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.13-rc1",
"lessThanOrEqual": "*",
"status": "unaffected",
"versionType": "original_commit_for_fix"
}
],
"defaultStatus": "affected"
}
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://git.kernel.org/stable/c/0ca87e5063757132a044d35baba40a7d4bb25394",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/0ca87e5063757132a044d35baba40a7d4bb25394"
},
{
"url": "https://git.kernel.org/stable/c/694ccb05b79ee5f5a9f14c2f80d2635d3bb8bdc3",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/694ccb05b79ee5f5a9f14c2f80d2635d3bb8bdc3"
},
{
"url": "https://git.kernel.org/stable/c/61c0a5eac96836de5e3a5897eccdc63162a94936",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/61c0a5eac96836de5e3a5897eccdc63162a94936"
},
{
"url": "https://git.kernel.org/stable/c/3f23f96528e8fcf8619895c4c916c52653892ec1",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/3f23f96528e8fcf8619895c4c916c52653892ec1"
}
]
},
"generator": {
"engine": "bippy-5f407fcff5a0"
}
}

103
2024/53xxx/CVE-2024-53169.json
View File

@ -1,18 +1,113 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-53169",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "cve@kernel.org",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-fabrics: fix kernel crash while shutting down controller\n\nThe nvme keep-alive operation, which executes at a periodic interval,\ncould potentially sneak in while shutting down a fabric controller.\nThis may lead to a race between the fabric controller admin queue\ndestroy code path (invoked while shutting down controller) and hw/hctx\nqueue dispatcher called from the nvme keep-alive async request queuing\noperation. This race could lead to the kernel crash shown below:\n\nCall Trace:\n autoremove_wake_function+0x0/0xbc (unreliable)\n __blk_mq_sched_dispatch_requests+0x114/0x24c\n blk_mq_sched_dispatch_requests+0x44/0x84\n blk_mq_run_hw_queue+0x140/0x220\n nvme_keep_alive_work+0xc8/0x19c [nvme_core]\n process_one_work+0x200/0x4e0\n worker_thread+0x340/0x504\n kthread+0x138/0x140\n start_kernel_thread+0x14/0x18\n\nWhile shutting down fabric controller, if nvme keep-alive request sneaks\nin then it would be flushed off. The nvme_keep_alive_end_io function is\nthen invoked to handle the end of the keep-alive operation which\ndecrements the admin->q_usage_counter and assuming this is the last/only\nrequest in the admin queue then the admin->q_usage_counter becomes zero.\nIf that happens then blk-mq destroy queue operation (blk_mq_destroy_\nqueue()) which could be potentially running simultaneously on another\ncpu (as this is the controller shutdown code path) would forward\nprogress and deletes the admin queue. So, now from this point onward\nwe are not supposed to access the admin queue resources. However the\nissue here's that the nvme keep-alive thread running hw/hctx queue\ndispatch operation hasn't yet finished its work and so it could still\npotentially access the admin queue resource while the admin queue had\nbeen already deleted and that causes the above crash.\n\nThe above kernel crash is regression caused due to changes implemented\nin commit a54a93d0e359 (\"nvme: move stopping keep-alive into\nnvme_uninit_ctrl()\"). Ideally we should stop keep-alive before destroyin\ng the admin queue and freeing the admin tagset so that it wouldn't sneak\nin during the shutdown operation. However we removed the keep alive stop\noperation from the beginning of the controller shutdown code path in commit\na54a93d0e359 (\"nvme: move stopping keep-alive into nvme_uninit_ctrl()\")\nand added it under nvme_uninit_ctrl() which executes very late in the\nshutdown code path after the admin queue is destroyed and its tagset is\nremoved. So this change created the possibility of keep-alive sneaking in\nand interfering with the shutdown operation and causing observed kernel\ncrash.\n\nTo fix the observed crash, we decided to move nvme_stop_keep_alive() from\nnvme_uninit_ctrl() to nvme_remove_admin_tag_set(). This change would ensure\nthat we don't forward progress and delete the admin queue until the keep-\nalive operation is finished (if it's in-flight) or cancelled and that would\nhelp contain the race condition explained above and hence avoid the crash.\n\nMoving nvme_stop_keep_alive() to nvme_remove_admin_tag_set() instead of\nadding nvme_stop_keep_alive() to the beginning of the controller shutdown\ncode path in nvme_stop_ctrl(), as was the case earlier before commit\na54a93d0e359 (\"nvme: move stopping keep-alive into nvme_uninit_ctrl()\"),\nwould help save one callsite of nvme_stop_keep_alive()."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Linux",
"product": {
"product_data": [
{
"product_name": "Linux",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "a54a93d0e3599b05856971734e15418ac551a14c",
"version_value": "30794f4952decb2ec8efa42f704cac5304499a41"
},
{
"version_value": "not down converted",
"x_cve_json_5_version_data": {
"versions": [
{
"version": "6.11",
"status": "affected"
},
{
"version": "0",
"lessThan": "6.11",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.11.11",
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.12.2",
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.13-rc1",
"lessThanOrEqual": "*",
"status": "unaffected",
"versionType": "original_commit_for_fix"
}
],
"defaultStatus": "affected"
}
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://git.kernel.org/stable/c/30794f4952decb2ec8efa42f704cac5304499a41",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/30794f4952decb2ec8efa42f704cac5304499a41"
},
{
"url": "https://git.kernel.org/stable/c/5416b76a8156c1b8491f78f8a728f422104bb919",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/5416b76a8156c1b8491f78f8a728f422104bb919"
},
{
"url": "https://git.kernel.org/stable/c/e9869c85c81168a1275f909d5972a3fc435304be",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/e9869c85c81168a1275f909d5972a3fc435304be"
}
]
},
"generator": {
"engine": "bippy-5f407fcff5a0"
}
}

103
2024/53xxx/CVE-2024-53170.json
View File

@ -1,18 +1,113 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-53170",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "cve@kernel.org",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix uaf for flush rq while iterating tags\n\nblk_mq_clear_flush_rq_mapping() is not called during scsi probe, by\nchecking blk_queue_init_done(). However, QUEUE_FLAG_INIT_DONE is cleared\nin del_gendisk by commit aec89dc5d421 (\"block: keep q_usage_counter in\natomic mode after del_gendisk\"), hence for disk like scsi, following\nblk_mq_destroy_queue() will not clear flush rq from tags->rqs[] as well,\ncause following uaf that is found by our syzkaller for v6.6:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in blk_mq_find_and_get_req+0x16e/0x1a0 block/blk-mq-tag.c:261\nRead of size 4 at addr ffff88811c969c20 by task kworker/1:2H/224909\n\nCPU: 1 PID: 224909 Comm: kworker/1:2H Not tainted 6.6.0-ga836a5060850 #32\nWorkqueue: kblockd blk_mq_timeout_work\nCall Trace:\n\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106\nprint_address_description.constprop.0+0x66/0x300 mm/kasan/report.c:364\nprint_report+0x3e/0x70 mm/kasan/report.c:475\nkasan_report+0xb8/0xf0 mm/kasan/report.c:588\nblk_mq_find_and_get_req+0x16e/0x1a0 block/blk-mq-tag.c:261\nbt_iter block/blk-mq-tag.c:288 [inline]\n__sbitmap_for_each_set include/linux/sbitmap.h:295 [inline]\nsbitmap_for_each_set include/linux/sbitmap.h:316 [inline]\nbt_for_each+0x455/0x790 block/blk-mq-tag.c:325\nblk_mq_queue_tag_busy_iter+0x320/0x740 block/blk-mq-tag.c:534\nblk_mq_timeout_work+0x1a3/0x7b0 block/blk-mq.c:1673\nprocess_one_work+0x7c4/0x1450 kernel/workqueue.c:2631\nprocess_scheduled_works kernel/workqueue.c:2704 [inline]\nworker_thread+0x804/0xe40 kernel/workqueue.c:2785\nkthread+0x346/0x450 kernel/kthread.c:388\nret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147\nret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:293\n\nAllocated by task 942:\nkasan_save_stack+0x22/0x50 mm/kasan/common.c:45\nkasan_set_track+0x25/0x30 mm/kasan/common.c:52\n____kasan_kmalloc mm/kasan/common.c:374 [inline]\n__kasan_kmalloc mm/kasan/common.c:383 [inline]\n__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:380\nkasan_kmalloc include/linux/kasan.h:198 [inline]\n__do_kmalloc_node mm/slab_common.c:1007 [inline]\n__kmalloc_node+0x69/0x170 mm/slab_common.c:1014\nkmalloc_node include/linux/slab.h:620 [inline]\nkzalloc_node include/linux/slab.h:732 [inline]\nblk_alloc_flush_queue+0x144/0x2f0 block/blk-flush.c:499\nblk_mq_alloc_hctx+0x601/0x940 block/blk-mq.c:3788\nblk_mq_alloc_and_init_hctx+0x27f/0x330 block/blk-mq.c:4261\nblk_mq_realloc_hw_ctxs+0x488/0x5e0 block/blk-mq.c:4294\nblk_mq_init_allocated_queue+0x188/0x860 block/blk-mq.c:4350\nblk_mq_init_queue_data block/blk-mq.c:4166 [inline]\nblk_mq_init_queue+0x8d/0x100 block/blk-mq.c:4176\nscsi_alloc_sdev+0x843/0xd50 drivers/scsi/scsi_scan.c:335\nscsi_probe_and_add_lun+0x77c/0xde0 drivers/scsi/scsi_scan.c:1189\n__scsi_scan_target+0x1fc/0x5a0 drivers/scsi/scsi_scan.c:1727\nscsi_scan_channel drivers/scsi/scsi_scan.c:1815 [inline]\nscsi_scan_channel+0x14b/0x1e0 drivers/scsi/scsi_scan.c:1791\nscsi_scan_host_selected+0x2fe/0x400 drivers/scsi/scsi_scan.c:1844\nscsi_scan+0x3a0/0x3f0 drivers/scsi/scsi_sysfs.c:151\nstore_scan+0x2a/0x60 drivers/scsi/scsi_sysfs.c:191\ndev_attr_store+0x5c/0x90 drivers/base/core.c:2388\nsysfs_kf_write+0x11c/0x170 fs/sysfs/file.c:136\nkernfs_fop_write_iter+0x3fc/0x610 fs/kernfs/file.c:338\ncall_write_iter include/linux/fs.h:2083 [inline]\nnew_sync_write+0x1b4/0x2d0 fs/read_write.c:493\nvfs_write+0x76c/0xb00 fs/read_write.c:586\nksys_write+0x127/0x250 fs/read_write.c:639\ndo_syscall_x64 arch/x86/entry/common.c:51 [inline]\ndo_syscall_64+0x70/0x120 arch/x86/entry/common.c:81\nentry_SYSCALL_64_after_hwframe+0x78/0xe2\n\nFreed by task 244687:\nkasan_save_stack+0x22/0x50 mm/kasan/common.c:45\nkasan_set_track+0x25/0x30 mm/kasan/common.c:52\nkasan_save_free_info+0x2b/0x50 mm/kasan/generic.c:522\n____kasan_slab_free mm/kasan/common.c:236 [inline]\n__kasan_slab_free+0x12a/0x1b0 mm/kasan/common.c:244\nkasan_slab_free include/linux/kasan.h:164 [in\n---truncated---"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Linux",
"product": {
"product_data": [
{
"product_name": "Linux",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "6cfeadbff3f8905f2854735ebb88e581402c16c4",
"version_value": "a0e93b9fefafe97d596f9c98701ae6c3b04b3ff6"
},
{
"version_value": "not down converted",
"x_cve_json_5_version_data": {
"versions": [
{
"version": "5.19",
"status": "affected"
},
{
"version": "0",
"lessThan": "5.19",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.11.11",
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.12.2",
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.13-rc1",
"lessThanOrEqual": "*",
"status": "unaffected",
"versionType": "original_commit_for_fix"
}
],
"defaultStatus": "affected"
}
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://git.kernel.org/stable/c/a0e93b9fefafe97d596f9c98701ae6c3b04b3ff6",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/a0e93b9fefafe97d596f9c98701ae6c3b04b3ff6"
},
{
"url": "https://git.kernel.org/stable/c/61092568f2a9acb0e6e186f03f2e0649a4e86d09",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/61092568f2a9acb0e6e186f03f2e0649a4e86d09"
},
{
"url": "https://git.kernel.org/stable/c/3802f73bd80766d70f319658f334754164075bc3",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/3802f73bd80766d70f319658f334754164075bc3"
}
]
},
"generator": {
"engine": "bippy-5f407fcff5a0"
}
}

158
2024/53xxx/CVE-2024-53171.json
View File

@ -1,18 +1,168 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-53171",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "cve@kernel.org",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nubifs: authentication: Fix use-after-free in ubifs_tnc_end_commit\n\nAfter an insertion in TNC, the tree might split and cause a node to\nchange its `znode->parent`. A further deletion of other nodes in the\ntree (which also could free the nodes), the aforementioned node's\n`znode->cparent` could still point to a freed node. This\n`znode->cparent` may not be updated when getting nodes to commit in\n`ubifs_tnc_start_commit()`. This could then trigger a use-after-free\nwhen accessing the `znode->cparent` in `write_index()` in\n`ubifs_tnc_end_commit()`.\n\nThis can be triggered by running\n\n rm -f /etc/test-file.bin\n dd if=/dev/urandom of=/etc/test-file.bin bs=1M count=60 conv=fsync\n\nin a loop, and with `CONFIG_UBIFS_FS_AUTHENTICATION`. KASAN then\nreports:\n\n BUG: KASAN: use-after-free in ubifs_tnc_end_commit+0xa5c/0x1950\n Write of size 32 at addr ffffff800a3af86c by task ubifs_bgt0_20/153\n\n Call trace:\n dump_backtrace+0x0/0x340\n show_stack+0x18/0x24\n dump_stack_lvl+0x9c/0xbc\n print_address_description.constprop.0+0x74/0x2b0\n kasan_report+0x1d8/0x1f0\n kasan_check_range+0xf8/0x1a0\n memcpy+0x84/0xf4\n ubifs_tnc_end_commit+0xa5c/0x1950\n do_commit+0x4e0/0x1340\n ubifs_bg_thread+0x234/0x2e0\n kthread+0x36c/0x410\n ret_from_fork+0x10/0x20\n\n Allocated by task 401:\n kasan_save_stack+0x38/0x70\n __kasan_kmalloc+0x8c/0xd0\n __kmalloc+0x34c/0x5bc\n tnc_insert+0x140/0x16a4\n ubifs_tnc_add+0x370/0x52c\n ubifs_jnl_write_data+0x5d8/0x870\n do_writepage+0x36c/0x510\n ubifs_writepage+0x190/0x4dc\n __writepage+0x58/0x154\n write_cache_pages+0x394/0x830\n do_writepages+0x1f0/0x5b0\n filemap_fdatawrite_wbc+0x170/0x25c\n file_write_and_wait_range+0x140/0x190\n ubifs_fsync+0xe8/0x290\n vfs_fsync_range+0xc0/0x1e4\n do_fsync+0x40/0x90\n __arm64_sys_fsync+0x34/0x50\n invoke_syscall.constprop.0+0xa8/0x260\n do_el0_svc+0xc8/0x1f0\n el0_svc+0x34/0x70\n el0t_64_sync_handler+0x108/0x114\n el0t_64_sync+0x1a4/0x1a8\n\n Freed by task 403:\n kasan_save_stack+0x38/0x70\n kasan_set_track+0x28/0x40\n kasan_set_free_info+0x28/0x4c\n __kasan_slab_free+0xd4/0x13c\n kfree+0xc4/0x3a0\n tnc_delete+0x3f4/0xe40\n ubifs_tnc_remove_range+0x368/0x73c\n ubifs_tnc_remove_ino+0x29c/0x2e0\n ubifs_jnl_delete_inode+0x150/0x260\n ubifs_evict_inode+0x1d4/0x2e4\n evict+0x1c8/0x450\n iput+0x2a0/0x3c4\n do_unlinkat+0x2cc/0x490\n __arm64_sys_unlinkat+0x90/0x100\n invoke_syscall.constprop.0+0xa8/0x260\n do_el0_svc+0xc8/0x1f0\n el0_svc+0x34/0x70\n el0t_64_sync_handler+0x108/0x114\n el0t_64_sync+0x1a4/0x1a8\n\nThe offending `memcpy()` in `ubifs_copy_hash()` has a use-after-free\nwhen a node becomes root in TNC but still has a `cparent` to an already\nfreed node. More specifically, consider the following TNC:\n\n zroot\n /\n /\n zp1\n /\n /\n zn\n\nInserting a new node `zn_new` with a key smaller then `zn` will trigger\na split in `tnc_insert()` if `zp1` is full:\n\n zroot\n / \\\n / \\\n zp1 zp2\n / \\\n / \\\n zn_new zn\n\n`zn->parent` has now been moved to `zp2`, *but* `zn->cparent` still\npoints to `zp1`.\n\nNow, consider a removal of all the nodes _except_ `zn`. Just when\n`tnc_delete()` is about to delete `zroot` and `zp2`:\n\n zroot\n \\\n \\\n zp2\n \\\n \\\n zn\n\n`zroot` and `zp2` get freed and the tree collapses:\n\n zn\n\n`zn` now becomes the new `zroot`.\n\n`get_znodes_to_commit()` will now only find `zn`, the new `zroot`, and\n`write_index()` will check its `znode->cparent` that wrongly points to\nthe already freed `zp1`. `ubifs_copy_hash()` thus gets wrongly called\nwith `znode->cparent->zbranch[znode->iip].hash` that triggers the\nuse-after-free!\n\nFix this by explicitly setting `znode->cparent` to `NULL` in\n`get_znodes_to_commit()` for the root node. The search for the dirty\nnodes\n---truncated---"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Linux",
"product": {
"product_data": [
{
"product_name": "Linux",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "16a26b20d2afd0cf063816725b45b12e78d5bb31",
"version_value": "daac4aa1825de0dbc1a6eede2fa7f9fc53f14223"
},
{
"version_value": "not down converted",
"x_cve_json_5_version_data": {
"versions": [
{
"version": "4.20",
"status": "affected"
},
{
"version": "0",
"lessThan": "4.20",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.4.287",
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.10.231",
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.15.174",
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.1.120",
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.6.64",
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.11.11",
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.12.2",
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.13-rc1",
"lessThanOrEqual": "*",
"status": "unaffected",
"versionType": "original_commit_for_fix"
}
],
"defaultStatus": "affected"
}
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://git.kernel.org/stable/c/daac4aa1825de0dbc1a6eede2fa7f9fc53f14223",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/daac4aa1825de0dbc1a6eede2fa7f9fc53f14223"
},
{
"url": "https://git.kernel.org/stable/c/8d8b3f5f4cbfbf6cb0ea4a4d5dc296872b4151eb",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/8d8b3f5f4cbfbf6cb0ea4a4d5dc296872b4151eb"
},
{
"url": "https://git.kernel.org/stable/c/4d9807048b851d7a58d5bd089c16254af896e4df",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/4d9807048b851d7a58d5bd089c16254af896e4df"
},
{
"url": "https://git.kernel.org/stable/c/74981f7577d183acad1cd58f74c10d263711a215",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/74981f7577d183acad1cd58f74c10d263711a215"
},
{
"url": "https://git.kernel.org/stable/c/01d3a2293d7e4edfff96618c15727db7e51f11b6",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/01d3a2293d7e4edfff96618c15727db7e51f11b6"
},
{
"url": "https://git.kernel.org/stable/c/398a91599d263e41c5f95a2fd4ebdb6280b5c6c3",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/398a91599d263e41c5f95a2fd4ebdb6280b5c6c3"
},
{
"url": "https://git.kernel.org/stable/c/2497479aecebe869d23a0064e0fd1a03e34f0e2a",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/2497479aecebe869d23a0064e0fd1a03e34f0e2a"
},
{
"url": "https://git.kernel.org/stable/c/4617fb8fc15effe8eda4dd898d4e33eb537a7140",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/4617fb8fc15effe8eda4dd898d4e33eb537a7140"
}
]
},
"generator": {
"engine": "bippy-5f407fcff5a0"
}
}

169
2024/53xxx/CVE-2024-53172.json
View File

@ -1,18 +1,179 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-53172",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "cve@kernel.org",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nubi: fastmap: Fix duplicate slab cache names while attaching\n\nSince commit 4c39529663b9 (\"slab: Warn on duplicate cache names when\nDEBUG_VM=y\"), the duplicate slab cache names can be detected and a\nkernel WARNING is thrown out.\nIn UBI fast attaching process, alloc_ai() could be invoked twice\nwith the same slab cache name 'ubi_aeb_slab_cache', which will trigger\nfollowing warning messages:\n kmem_cache of name 'ubi_aeb_slab_cache' already exists\n WARNING: CPU: 0 PID: 7519 at mm/slab_common.c:107\n __kmem_cache_create_args+0x100/0x5f0\n Modules linked in: ubi(+) nandsim [last unloaded: nandsim]\n CPU: 0 UID: 0 PID: 7519 Comm: modprobe Tainted: G 6.12.0-rc2\n RIP: 0010:__kmem_cache_create_args+0x100/0x5f0\n Call Trace:\n __kmem_cache_create_args+0x100/0x5f0\n alloc_ai+0x295/0x3f0 [ubi]\n ubi_attach+0x3c3/0xcc0 [ubi]\n ubi_attach_mtd_dev+0x17cf/0x3fa0 [ubi]\n ubi_init+0x3fb/0x800 [ubi]\n do_init_module+0x265/0x7d0\n __x64_sys_finit_module+0x7a/0xc0\n\nThe problem could be easily reproduced by loading UBI device by fastmap\nwith CONFIG_DEBUG_VM=y.\nFix it by using different slab names for alloc_ai() callers."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Linux",
"product": {
"product_data": [
{
"product_name": "Linux",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "d2158f69a7d469c21c37f7028c18aa8c54707de3",
"version_value": "ef52b7191ac41e68b1bf070d00c5b04ed16e4920"
},
{
"version_value": "not down converted",
"x_cve_json_5_version_data": {
"versions": [
{
"version": "4.1",
"status": "affected"
},
{
"version": "0",
"lessThan": "4.1",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "4.19.325",
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.4.287",
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.10.231",
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.15.174",
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.1.120",
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.6.64",
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.11.11",
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.12.2",
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.13-rc1",
"lessThanOrEqual": "*",
"status": "unaffected",
"versionType": "original_commit_for_fix"
}
],
"defaultStatus": "affected"
}
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://git.kernel.org/stable/c/ef52b7191ac41e68b1bf070d00c5b04ed16e4920",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/ef52b7191ac41e68b1bf070d00c5b04ed16e4920"
},
{
"url": "https://git.kernel.org/stable/c/871c148f8e0c32e505df9393ba4a303c3c3fe988",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/871c148f8e0c32e505df9393ba4a303c3c3fe988"
},
{
"url": "https://git.kernel.org/stable/c/04c0b0f37617099479c34e207c5550d081f585a6",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/04c0b0f37617099479c34e207c5550d081f585a6"
},
{
"url": "https://git.kernel.org/stable/c/b1ee0aa4945c49cbbd779da81040fcec4de80fd1",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/b1ee0aa4945c49cbbd779da81040fcec4de80fd1"
},
{
"url": "https://git.kernel.org/stable/c/6afdcb285794e75d2c8995e3a44f523c176cc2de",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/6afdcb285794e75d2c8995e3a44f523c176cc2de"
},
{
"url": "https://git.kernel.org/stable/c/612824dd0c9465ef365ace38b056c663d110956d",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/612824dd0c9465ef365ace38b056c663d110956d"
},
{
"url": "https://git.kernel.org/stable/c/3d8558135cd56a2a8052024be4073e160f36658c",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/3d8558135cd56a2a8052024be4073e160f36658c"
},
{
"url": "https://git.kernel.org/stable/c/7402c4bcb8a3f0d2ef4e687cd45c76be489cf509",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/7402c4bcb8a3f0d2ef4e687cd45c76be489cf509"
},
{
"url": "https://git.kernel.org/stable/c/bcddf52b7a17adcebc768d26f4e27cf79adb424c",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/bcddf52b7a17adcebc768d26f4e27cf79adb424c"
}
]
},
"generator": {
"engine": "bippy-5f407fcff5a0"
}
}

169
2024/53xxx/CVE-2024-53173.json
View File

@ -1,18 +1,179 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-53173",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "cve@kernel.org",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSv4.0: Fix a use-after-free problem in the asynchronous open()\n\nYang Erkun reports that when two threads are opening files at the same\ntime, and are forced to abort before a reply is seen, then the call to\nnfs_release_seqid() in nfs4_opendata_free() can result in a\nuse-after-free of the pointer to the defunct rpc task of the other\nthread.\nThe fix is to ensure that if the RPC call is aborted before the call to\nnfs_wait_on_sequence() is complete, then we must call nfs_release_seqid()\nin nfs4_open_release() before the rpc_task is freed."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Linux",
"product": {
"product_data": [
{
"product_name": "Linux",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "24ac23ab88df5b21b5b2df8cde748bf99b289099",
"version_value": "1cfae9575296f5040cdc84b0730e79078c081d2d"
},
{
"version_value": "not down converted",
"x_cve_json_5_version_data": {
"versions": [
{
"version": "2.6.16",
"status": "affected"
},
{
"version": "0",
"lessThan": "2.6.16",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "4.19.325",
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.4.287",
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.10.231",
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.15.174",
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.1.120",
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.6.64",
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.11.11",
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.12.2",
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.13-rc1",
"lessThanOrEqual": "*",
"status": "unaffected",
"versionType": "original_commit_for_fix"
}
],
"defaultStatus": "affected"
}
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://git.kernel.org/stable/c/1cfae9575296f5040cdc84b0730e79078c081d2d",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/1cfae9575296f5040cdc84b0730e79078c081d2d"
},
{
"url": "https://git.kernel.org/stable/c/7bf6bf130af8ee7d93a99c28a7512df3017ec759",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/7bf6bf130af8ee7d93a99c28a7512df3017ec759"
},
{
"url": "https://git.kernel.org/stable/c/5237a297ffd374a1c4157a53543b7a69d7bbbc03",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/5237a297ffd374a1c4157a53543b7a69d7bbbc03"
},
{
"url": "https://git.kernel.org/stable/c/2ab9639f16b05d948066a6c4cf19a0fdc61046ff",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/2ab9639f16b05d948066a6c4cf19a0fdc61046ff"
},
{
"url": "https://git.kernel.org/stable/c/ba6e6c04f60fe52d91520ac4d749d372d4c74521",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/ba6e6c04f60fe52d91520ac4d749d372d4c74521"
},
{
"url": "https://git.kernel.org/stable/c/229a30ed42bb87bcb044c5523fabd9e4f0e75648",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/229a30ed42bb87bcb044c5523fabd9e4f0e75648"
},
{
"url": "https://git.kernel.org/stable/c/e2277a1d9d5cd0d625a4fd7c04fce2b53e66df77",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/e2277a1d9d5cd0d625a4fd7c04fce2b53e66df77"
},
{
"url": "https://git.kernel.org/stable/c/b56ae8e715557b4fc227c9381d2e681ffafe7b15",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/b56ae8e715557b4fc227c9381d2e681ffafe7b15"
},
{
"url": "https://git.kernel.org/stable/c/2fdb05dc0931250574f0cb0ebeb5ed8e20f4a889",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/2fdb05dc0931250574f0cb0ebeb5ed8e20f4a889"
}
]
},
"generator": {
"engine": "bippy-5f407fcff5a0"
}
}

148
2024/53xxx/CVE-2024-53174.json
View File

@ -1,18 +1,158 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-53174",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "cve@kernel.org",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: make sure cache entry active before cache_show\n\nThe function `c_show` was called with protection from RCU. This only\nensures that `cp` will not be freed. Therefore, the reference count for\n`cp` can drop to zero, which will trigger a refcount use-after-free\nwarning when `cache_get` is called. To resolve this issue, use\n`cache_get_rcu` to ensure that `cp` remains active.\n\n------------[ cut here ]------------\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 7 PID: 822 at lib/refcount.c:25\nrefcount_warn_saturate+0xb1/0x120\nCPU: 7 UID: 0 PID: 822 Comm: cat Not tainted 6.12.0-rc3+ #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.16.1-2.fc37 04/01/2014\nRIP: 0010:refcount_warn_saturate+0xb1/0x120\n\nCall Trace:\n <TASK>\n c_show+0x2fc/0x380 [sunrpc]\n seq_read_iter+0x589/0x770\n seq_read+0x1e5/0x270\n proc_reg_read+0xe1/0x140\n vfs_read+0x125/0x530\n ksys_read+0xc1/0x160\n do_syscall_64+0x5f/0x170\n entry_SYSCALL_64_after_hwframe+0x76/0x7e"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Linux",
"product": {
"product_data": [
{
"product_name": "Linux",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"version_value": "e9be26735d055c42543a4d047a769cc6d0fb1504"
},
{
"version_value": "not down converted",
"x_cve_json_5_version_data": {
"versions": [
{
"version": "5.4.287",
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.10.231",
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.15.174",
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.1.120",
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.6.64",
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.11.11",
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.12.2",
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.13-rc1",
"lessThanOrEqual": "*",
"status": "unaffected",
"versionType": "original_commit_for_fix"
}
],
"defaultStatus": "affected"
}
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://git.kernel.org/stable/c/e9be26735d055c42543a4d047a769cc6d0fb1504",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/e9be26735d055c42543a4d047a769cc6d0fb1504"
},
{
"url": "https://git.kernel.org/stable/c/02999e135b013d85c6df738746e8e24699befee4",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/02999e135b013d85c6df738746e8e24699befee4"
},
{
"url": "https://git.kernel.org/stable/c/c7dac3af57e38b2054f990e573256d90bf887958",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/c7dac3af57e38b2054f990e573256d90bf887958"
},
{
"url": "https://git.kernel.org/stable/c/068c0b50f3f700b94f78850834cd91ae3b34c2c1",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/068c0b50f3f700b94f78850834cd91ae3b34c2c1"
},
{
"url": "https://git.kernel.org/stable/c/acfaf37888e0f0732fb6a50ff093dce6d99994d0",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/acfaf37888e0f0732fb6a50ff093dce6d99994d0"
},
{
"url": "https://git.kernel.org/stable/c/ec305f303bf070b4f6896b7a76009f702956d402",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/ec305f303bf070b4f6896b7a76009f702956d402"
},
{
"url": "https://git.kernel.org/stable/c/d882e2b7fad3f5e5fac66184a347f408813f654a",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/d882e2b7fad3f5e5fac66184a347f408813f654a"
},
{
"url": "https://git.kernel.org/stable/c/2862eee078a4d2d1f584e7f24fa50dddfa5f3471",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/2862eee078a4d2d1f584e7f24fa50dddfa5f3471"
}
]
},
"generator": {
"engine": "bippy-5f407fcff5a0"
}
}

125
2024/53xxx/CVE-2024-53175.json
View File

@ -1,18 +1,135 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-53175",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "cve@kernel.org",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipc: fix memleak if msg_init_ns failed in create_ipc_ns\n\nPercpu memory allocation may failed during create_ipc_ns however this\nfail is not handled properly since ipc sysctls and mq sysctls is not\nreleased properly. Fix this by release these two resource when failure.\n\nHere is the kmemleak stack when percpu failed:\n\nunreferenced object 0xffff88819de2a600 (size 512):\n comm \"shmem_2nstest\", pid 120711, jiffies 4300542254\n hex dump (first 32 bytes):\n 60 aa 9d 84 ff ff ff ff fc 18 48 b2 84 88 ff ff `.........H.....\n 04 00 00 00 a4 01 00 00 20 e4 56 81 ff ff ff ff ........ .V.....\n backtrace (crc be7cba35):\n [<ffffffff81b43f83>] __kmalloc_node_track_caller_noprof+0x333/0x420\n [<ffffffff81a52e56>] kmemdup_noprof+0x26/0x50\n [<ffffffff821b2f37>] setup_mq_sysctls+0x57/0x1d0\n [<ffffffff821b29cc>] copy_ipcs+0x29c/0x3b0\n [<ffffffff815d6a10>] create_new_namespaces+0x1d0/0x920\n [<ffffffff815d7449>] copy_namespaces+0x2e9/0x3e0\n [<ffffffff815458f3>] copy_process+0x29f3/0x7ff0\n [<ffffffff8154b080>] kernel_clone+0xc0/0x650\n [<ffffffff8154b6b1>] __do_sys_clone+0xa1/0xe0\n [<ffffffff843df8ff>] do_syscall_64+0xbf/0x1c0\n [<ffffffff846000b0>] entry_SYSCALL_64_after_hwframe+0x4b/0x53"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Linux",
"product": {
"product_data": [
{
"product_name": "Linux",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "72d1e611082eda18689106a0c192f2827072713c",
"version_value": "3d230cfd4b9b0558c7b2039ba1def2ce6b6cd158"
},
{
"version_value": "not down converted",
"x_cve_json_5_version_data": {
"versions": [
{
"version": "6.1",
"status": "affected"
},
{
"version": "0",
"lessThan": "6.1",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.1.120",
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.6.64",
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.11.11",
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.12.2",
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.13-rc1",
"lessThanOrEqual": "*",
"status": "unaffected",
"versionType": "original_commit_for_fix"
}
],
"defaultStatus": "affected"
}
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://git.kernel.org/stable/c/3d230cfd4b9b0558c7b2039ba1def2ce6b6cd158",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/3d230cfd4b9b0558c7b2039ba1def2ce6b6cd158"
},
{
"url": "https://git.kernel.org/stable/c/10209665b5bf199f8065b2e7d2b2dc6cdf227117",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/10209665b5bf199f8065b2e7d2b2dc6cdf227117"
},
{
"url": "https://git.kernel.org/stable/c/8fed302872e26c7bf44d855c53a1cde747172d58",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/8fed302872e26c7bf44d855c53a1cde747172d58"
},
{
"url": "https://git.kernel.org/stable/c/928de5fcd462498b8334107035da8ab85e316d8a",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/928de5fcd462498b8334107035da8ab85e316d8a"
},
{
"url": "https://git.kernel.org/stable/c/bc8f5921cd69188627c08041276238de222ab466",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/bc8f5921cd69188627c08041276238de222ab466"
}
]
},
"generator": {
"engine": "bippy-5f407fcff5a0"
}
}

114
2024/53xxx/CVE-2024-53176.json
View File

@ -1,18 +1,124 @@
{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2024-53176",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"ASSIGNER": "cve@kernel.org",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: During unmount, ensure all cached dir instances drop their dentry\n\nThe unmount process (cifs_kill_sb() calling close_all_cached_dirs()) can\nrace with various cached directory operations, which ultimately results\nin dentries not being dropped and these kernel BUGs:\n\nBUG: Dentry ffff88814f37e358{i=1000000000080,n=/} still in use (2) [unmount of cifs cifs]\nVFS: Busy inodes after unmount of cifs (cifs)\n------------[ cut here ]------------\nkernel BUG at fs/super.c:661!\n\nThis happens when a cfid is in the process of being cleaned up when, and\nhas been removed from the cfids->entries list, including:\n\n- Receiving a lease break from the server\n- Server reconnection triggers invalidate_all_cached_dirs(), which\n removes all the cfids from the list\n- The laundromat thread decides to expire an old cfid.\n\nTo solve these problems, dropping the dentry is done in queued work done\nin a newly-added cfid_put_wq workqueue, and close_all_cached_dirs()\nflushes that workqueue after it drops all the dentries of which it's\naware. This is a global workqueue (rather than scoped to a mount), but\nthe queued work is minimal.\n\nThe final cleanup work for cleaning up a cfid is performed via work\nqueued in the serverclose_wq workqueue; this is done separate from\ndropping the dentries so that close_all_cached_dirs() doesn't block on\nany server operations.\n\nBoth of these queued works expect to invoked with a cfid reference and\na tcon reference to avoid those objects from being freed while the work\nis ongoing.\n\nWhile we're here, add proper locking to close_all_cached_dirs(), and\nlocking around the freeing of cfid->dentry."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Linux",
"product": {
"product_data": [
{
"product_name": "Linux",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "ebe98f1447bbccf8228335c62d86af02a0ed23f7",
"version_value": "73934e535cffbda1490fa97d82690a0f9aa73e94"
},
{
"version_value": "not down converted",
"x_cve_json_5_version_data": {
"versions": [
{
"version": "6.1",
"status": "affected"
},
{
"version": "0",
"lessThan": "6.1",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.6.64",
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.11.11",
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.12.2",
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.13-rc1",
"lessThanOrEqual": "*",
"status": "unaffected",
"versionType": "original_commit_for_fix"
}
],
"defaultStatus": "affected"
}
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://git.kernel.org/stable/c/73934e535cffbda1490fa97d82690a0f9aa73e94",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/73934e535cffbda1490fa97d82690a0f9aa73e94"
},
{
"url": "https://git.kernel.org/stable/c/ff4528bbc82d0d90073751f7b49e7b9e9c7e5638",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/ff4528bbc82d0d90073751f7b49e7b9e9c7e5638"
},
{
"url": "https://git.kernel.org/stable/c/548812afd96982a76a93ba76c0582ea670c40d9e",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/548812afd96982a76a93ba76c0582ea670c40d9e"
},
{
"url": "https://git.kernel.org/stable/c/3fa640d035e5ae526769615c35cb9ed4be6e3662",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/3fa640d035e5ae526769615c35cb9ed4be6e3662"
}
]
},
"generator": {
"engine": "bippy-5f407fcff5a0"
}
}