mirror of https://github.com/fkie-cad/nvd-json-data-feeds.git
synced 2025-06-19 17:31:42 +00:00
Auto-Update: 2024-08-22T14:00:19.765020+00:00
parent a0a1647cfd
commit 007343481f
@ -2,13 +2,17 @@
"id": "CVE-2021-4441",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-08-22T02:15:04.563",
"lastModified": "2024-08-22T02:15:04.563",
"vulnStatus": "Received",
"lastModified": "2024-08-22T12:48:02.790",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: spi-zynq-qspi: Fix a NULL pointer dereference in zynq_qspi_exec_mem_op()\n\nIn zynq_qspi_exec_mem_op(), kzalloc() is directly used in memset(),\nwhich could lead to a NULL pointer dereference on failure of\nkzalloc().\n\nFix this bug by adding a check of tmpbuf.\n\nThis bug was found by a static analyzer. The analysis employs\ndifferential checking to identify inconsistent security operations\n(e.g., checks or kfrees) between two code paths and confirms that the\ninconsistent operations are not recovered in the current function or\nthe callers, so they constitute bugs.\n\nNote that, as a bug found by static analysis, it can be a false\npositive or hard to trigger. Multiple researchers have cross-reviewed\nthe bug.\n\nBuilds with CONFIG_SPI_ZYNQ_QSPI=m show no new warnings,\nand our static analyzer no longer warns about this code."
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: spi: spi-zynq-qspi: corrige una desreferencia de puntero NULL en zynq_qspi_exec_mem_op() En zynq_qspi_exec_mem_op(), kzalloc() se usa directamente en memset(), lo que podr\u00eda provocar un Desreferencia del puntero NULL en caso de falla de kzalloc(). Corrija este error agregando una verificaci\u00f3n de tmpbuf. Este error fue encontrado por un analizador est\u00e1tico. El an\u00e1lisis emplea verificaci\u00f3n diferencial para identificar operaciones de seguridad inconsistentes (por ejemplo, comprobaciones o kfrees) entre dos rutas de c\u00f3digo y confirma que las operaciones inconsistentes no se recuperan en la funci\u00f3n actual o en las personas que llaman, por lo que constituyen errores. Tenga en cuenta que, como error encontrado mediante an\u00e1lisis est\u00e1tico, puede ser un falso positivo o dif\u00edcil de activar. Varios investigadores han realizado una revisi\u00f3n cruzada del error. Las compilaciones con CONFIG_SPI_ZYNQ_QSPI=m no muestran nuevas advertencias y nuestro analizador est\u00e1tico ya no advierte sobre este c\u00f3digo."
}
],
"metrics": {},
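Review bot: the `+`/`-` gutter is missing from this rendering, so the paired `"lastModified"` (02:15:04.563 vs 12:48:02.790) and `"vulnStatus"` (`Received` vs `Awaiting Analysis`) lines have to be read as before/after, and the `-2,13 +2,17` header is the only evidence that four lines were added rather than swapped, which is consistent with the four-line `"lang": "es"` block being the addition. Nothing in the hunk scores the issue (`"metrics": {}`), and the English text itself says the unchecked `kzalloc()` in `zynq_qspi_exec_mem_op()` was a static-analysis finding that "can be a false positive or hard to trigger", so a consumer should not rank this record on the `CVE-2021` prefix; `published` is 2024-08-22.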
@ -2,8 +2,8 @@
"id": "CVE-2022-0185",
"sourceIdentifier": "secalert@redhat.com",
"published": "2022-02-11T18:15:10.890",
"lastModified": "2024-08-22T01:00:01.277",
"vulnStatus": "Analyzed",
"lastModified": "2024-08-22T13:35:00.450",
"vulnStatus": "Modified",
"cveTags": [],
"cisaExploitAdd": "2024-08-21",
"cisaActionDue": "2024-09-11",
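Review bot: only `"lastModified"` (01:00:01.277 to 13:35:00.450) and `"vulnStatus"` (`Analyzed` to `Modified`) change here; the `-2,8 +2,8` header and the unchanged surrounding lines show `"cisaExploitAdd": "2024-08-21"` and `"cisaActionDue": "2024-09-11"` were already on the record, so this hunk is not the KEV listing event. Tooling that fires on the KEV dates should key on those two fields rather than on `lastModified`, and should treat `Modified` on an already `Analyzed` record as a metrics change, which is what the next hunk in this file carries.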
@ -40,6 +40,26 @@
},
"exploitabilityScore": 2.5,
"impactScore": 5.9
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"attackVector": "LOCAL",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH"
},
"exploitabilityScore": 2.5,
"impactScore": 5.9
}
],
"cvssMetricV2": [
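Review bot: the `-40,6 +40,26` header matches the 20-line `Secondary` CVSS 3.1 block from source `134c704f-9b21-4f2e-91b3-4a467353bcc0` being the addition, and its sub-scores check out against its own vector: `AV:L/AC:L/PR:N/UI:N` gives 8.22 × 0.55 × 0.77 × 0.85 × 0.85 ≈ 2.51, hence `exploitabilityScore` 2.5; `C:H/I:H/A:H` gives 6.42 × (1 − 0.44³) ≈ 5.87, hence `impactScore` 5.9; and their sum rounds up to the stated `baseScore` 8.4 `HIGH`. Those are the same 2.5 / 5.9 carried by the entry that closes just above it, so a merge that takes the maximum `baseScore` is unaffected by this change, while one that counts assessments or prefers the most recent source will now behave differently for CVE-2022-0185.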
@ -2,13 +2,17 @@
"id": "CVE-2022-48901",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-08-22T02:15:04.733",
"lastModified": "2024-08-22T02:15:04.733",
"vulnStatus": "Received",
"lastModified": "2024-08-22T12:48:02.790",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: do not start relocation until in progress drops are done\n\nWe hit a bug with a recovering relocation on mount for one of our file\nsystems in production. I reproduced this locally by injecting errors\ninto snapshot delete with balance running at the same time. This\npresented as an error while looking up an extent item\n\n WARNING: CPU: 5 PID: 1501 at fs/btrfs/extent-tree.c:866 lookup_inline_extent_backref+0x647/0x680\n CPU: 5 PID: 1501 Comm: btrfs-balance Not tainted 5.16.0-rc8+ #8\n RIP: 0010:lookup_inline_extent_backref+0x647/0x680\n RSP: 0018:ffffae0a023ab960 EFLAGS: 00010202\n RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000000000000\n RDX: 0000000000000000 RSI: 000000000000000c RDI: 0000000000000000\n RBP: ffff943fd2a39b60 R08: 0000000000000000 R09: 0000000000000001\n R10: 0001434088152de0 R11: 0000000000000000 R12: 0000000001d05000\n R13: ffff943fd2a39b60 R14: ffff943fdb96f2a0 R15: ffff9442fc923000\n FS: 0000000000000000(0000) GS:ffff944e9eb40000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f1157b1fca8 CR3: 000000010f092000 CR4: 0000000000350ee0\n Call Trace:\n <TASK>\n insert_inline_extent_backref+0x46/0xd0\n __btrfs_inc_extent_ref.isra.0+0x5f/0x200\n ? btrfs_merge_delayed_refs+0x164/0x190\n __btrfs_run_delayed_refs+0x561/0xfa0\n ? btrfs_search_slot+0x7b4/0xb30\n ? btrfs_update_root+0x1a9/0x2c0\n btrfs_run_delayed_refs+0x73/0x1f0\n ? btrfs_update_root+0x1a9/0x2c0\n btrfs_commit_transaction+0x50/0xa50\n ? btrfs_update_reloc_root+0x122/0x220\n prepare_to_merge+0x29f/0x320\n relocate_block_group+0x2b8/0x550\n btrfs_relocate_block_group+0x1a6/0x350\n btrfs_relocate_chunk+0x27/0xe0\n btrfs_balance+0x777/0xe60\n balance_kthread+0x35/0x50\n ? btrfs_balance+0xe60/0xe60\n kthread+0x16b/0x190\n ? 
set_kthread_struct+0x40/0x40\n ret_from_fork+0x22/0x30\n </TASK>\n\nNormally snapshot deletion and relocation are excluded from running at\nthe same time by the fs_info->cleaner_mutex. However if we had a\npending balance waiting to get the ->cleaner_mutex, and a snapshot\ndeletion was running, and then the box crashed, we would come up in a\nstate where we have a half deleted snapshot.\n\nAgain, in the normal case the snapshot deletion needs to complete before\nrelocation can start, but in this case relocation could very well start\nbefore the snapshot deletion completes, as we simply add the root to the\ndead roots list and wait for the next time the cleaner runs to clean up\nthe snapshot.\n\nFix this by setting a bit on the fs_info if we have any DEAD_ROOT's that\nhad a pending drop_progress key. If they do then we know we were in the\nmiddle of the drop operation and set a flag on the fs_info. Then\nbalance can wait until this flag is cleared to start up again.\n\nIf there are DEAD_ROOT's that don't have a drop_progress set then we're\nsafe to start balance right away as we'll be properly protected by the\ncleaner_mutex."
},
{
"lang": "es",
"value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: btrfs: no inicie la reubicaci\u00f3n hasta que se completen las ca\u00eddas en progreso. Nos topamos con un error con una reubicaci\u00f3n de recuperaci\u00f3n en el montaje para uno de nuestros sistemas de archivos en producci\u00f3n. Reproduje esto localmente inyectando errores en la eliminaci\u00f3n de instant\u00e1neas con el saldo ejecut\u00e1ndose al mismo tiempo. Esto se present\u00f3 como un error al buscar un elemento de extensi\u00f3n ADVERTENCIA: CPU: 5 PID: 1501 en fs/btrfs/extent-tree.c:866 lookup_inline_extent_backref+0x647/0x680 CPU: 5 PID: 1501 Comm: btrfs-balance No contaminado 5.16 .0-rc8+ #8 RIP: 0010:lookup_inline_extent_backref+0x647/0x680 RSP: 0018:ffffae0a023ab960 EFLAGS: 00010202 RAX: 0000000000000001 RBX: 0000000000000000 RCX: 000000000000000 RDX: 0000000000000000 RSI: 000000000000000c RDI: 0000000000000000 RBP: ffff943fd2a39b60 R08: 0000000000000000 R09: 000000000001 R10: 0001434088152de0 R11: 0000000000000000 R12: 0000000001d05000 R13: ffff943fd2a39b60 R14: ffff943fdb96f2a0 R15: ffff9442fc923000 FS: 000000000000000(0000) GS:ffff944e9eb40000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 3: 000000010f092000 CR4: 0000000000350ee0 Seguimiento de llamadas: insert_inline_extent_backref+0x46/0xd0 __btrfs_inc_extent_ref.isra.0+0x5f/0x200 ? btrfs_merge_delayed_refs+0x164/0x190 __btrfs_run_delayed_refs+0x561/0xfa0 ? btrfs_search_slot+0x7b4/0xb30? btrfs_update_root+0x1a9/0x2c0 btrfs_run_delayed_refs+0x73/0x1f0 ? btrfs_update_root+0x1a9/0x2c0 btrfs_commit_transaction+0x50/0xa50 ? btrfs_update_reloc_root+0x122/0x220 prepare_to_merge+0x29f/0x320 relocate_block_group+0x2b8/0x550 btrfs_relocate_block_group+0x1a6/0x350 btrfs_relocate_chunk+0x27/0xe0 btrfs_balance+0x777/0xe60 balance_kthread+0x35/0x50? btrfs_balance+0xe60/0xe60 kthread+0x16b/0x190 ? 
set_kthread_struct+0x40/0x40 ret_from_fork+0x22/0x30 Normalmente, fs_info->cleaner_mutex excluye la ejecuci\u00f3n simult\u00e1nea de la eliminaci\u00f3n y reubicaci\u00f3n de instant\u00e1neas. Sin embargo, si tuvi\u00e9ramos un saldo pendiente esperando obtener ->cleaner_mutex, y se estuviera ejecutando una eliminaci\u00f3n de instant\u00e1nea y luego el cuadro fallara, llegar\u00edamos a un estado en el que tendr\u00edamos una instant\u00e1nea medio eliminada. Nuevamente, en el caso normal, la eliminaci\u00f3n de la instant\u00e1nea debe completarse antes de que pueda comenzar la reubicaci\u00f3n, pero en este caso la reubicaci\u00f3n podr\u00eda muy bien comenzar antes de que se complete la eliminaci\u00f3n de la instant\u00e1nea, ya que simplemente agregamos la ra\u00edz a la lista de ra\u00edces muertas y esperamos la pr\u00f3xima vez que se complete la eliminaci\u00f3n de la instant\u00e1nea. El limpiador se ejecuta para limpiar la instant\u00e1nea. Solucione este problema configurando un bit en fs_info si tenemos alg\u00fan DEAD_ROOT que tenga una clave drop_progress pendiente. Si lo hacen, entonces sabremos que est\u00e1bamos en medio de la operaci\u00f3n de colocaci\u00f3n y configuramos una bandera en fs_info. Luego, el saldo puede esperar hasta que se borre esta bandera para comenzar nuevamente. Si hay DEAD_ROOT que no tienen drop_progress configurado, entonces podemos comenzar a equilibrar de inmediato, ya que estaremos protegidos adecuadamente por clean_mutex."
}
],
"metrics": {},
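Review bot: the `"lang": "es"` value is not a faithful copy of the `en` text and should not be mined for identifiers: its closing sentence names `clean_mutex` where the English says `cleaner_mutex`, the `<TASK>`/`</TASK>` markers around the call trace are gone, and several register values lost digits (`RCX: 000000000000000`, `R09: 000000000001`, `FS: 000000000000000(0000)` against the 16-digit values in the English dump). Anything that fingerprints kernel CVEs by function name or register dump should read only the `en` entry; the `es` one reads as a machine translation, and the record still carries `"metrics": {}`.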
@ -2,13 +2,17 @@
"id": "CVE-2022-48902",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-08-22T02:15:04.807",
"lastModified": "2024-08-22T02:15:04.807",
"vulnStatus": "Received",
"lastModified": "2024-08-22T12:48:02.790",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: do not WARN_ON() if we have PageError set\n\nWhenever we do any extent buffer operations we call\nassert_eb_page_uptodate() to complain loudly if we're operating on an\nnon-uptodate page. Our overnight tests caught this warning earlier this\nweek\n\n WARNING: CPU: 1 PID: 553508 at fs/btrfs/extent_io.c:6849 assert_eb_page_uptodate+0x3f/0x50\n CPU: 1 PID: 553508 Comm: kworker/u4:13 Tainted: G W 5.17.0-rc3+ #564\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-2.fc32 04/01/2014\n Workqueue: btrfs-cache btrfs_work_helper\n RIP: 0010:assert_eb_page_uptodate+0x3f/0x50\n RSP: 0018:ffffa961440a7c68 EFLAGS: 00010246\n RAX: 0017ffffc0002112 RBX: ffffe6e74453f9c0 RCX: 0000000000001000\n RDX: ffffe6e74467c887 RSI: ffffe6e74453f9c0 RDI: ffff8d4c5efc2fc0\n RBP: 0000000000000d56 R08: ffff8d4d4a224000 R09: 0000000000000000\n R10: 00015817fa9d1ef0 R11: 000000000000000c R12: 00000000000007b1\n R13: ffff8d4c5efc2fc0 R14: 0000000001500000 R15: 0000000001cb1000\n FS: 0000000000000000(0000) GS:ffff8d4dbbd00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007ff31d3448d8 CR3: 0000000118be8004 CR4: 0000000000370ee0\n Call Trace:\n\n extent_buffer_test_bit+0x3f/0x70\n free_space_test_bit+0xa6/0xc0\n load_free_space_tree+0x1f6/0x470\n caching_thread+0x454/0x630\n ? rcu_read_lock_sched_held+0x12/0x60\n ? rcu_read_lock_sched_held+0x12/0x60\n ? rcu_read_lock_sched_held+0x12/0x60\n ? lock_release+0x1f0/0x2d0\n btrfs_work_helper+0xf2/0x3e0\n ? lock_release+0x1f0/0x2d0\n ? finish_task_switch.isra.0+0xf9/0x3a0\n process_one_work+0x26d/0x580\n ? process_one_work+0x580/0x580\n worker_thread+0x55/0x3b0\n ? process_one_work+0x580/0x580\n kthread+0xf0/0x120\n ? 
kthread_complete_and_exit+0x20/0x20\n ret_from_fork+0x1f/0x30\n\nThis was partially fixed by c2e39305299f01 (\"btrfs: clear extent buffer\nuptodate when we fail to write it\"), however all that fix did was keep\nus from finding extent buffers after a failed writeout. It didn't keep\nus from continuing to use a buffer that we already had found.\n\nIn this case we're searching the commit root to cache the block group,\nso we can start committing the transaction and switch the commit root\nand then start writing. After the switch we can look up an extent\nbuffer that hasn't been written yet and start processing that block\ngroup. Then we fail to write that block out and clear Uptodate on the\npage, and then we start spewing these errors.\n\nNormally we're protected by the tree lock to a certain degree here. If\nwe read a block we have that block read locked, and we block the writer\nfrom locking the block before we submit it for the write. However this\nisn't necessarily fool proof because the read could happen before we do\nthe submit_bio and after we locked and unlocked the extent buffer.\n\nAlso in this particular case we have path->skip_locking set, so that\nwon't save us here. We'll simply get a block that was valid when we\nread it, but became invalid while we were using it.\n\nWhat we really want is to catch the case where we've \"read\" a block but\nit's not marked Uptodate. On read we ClearPageError(), so if we're\n!Uptodate and !Error we know we didn't do the right thing for reading\nthe page.\n\nFix this by checking !Uptodate && !Error, this way we will not complain\nif our buffer gets invalidated while we're using it, and we'll maintain\nthe spirit of the check which is to make sure we have a fully in-cache\nblock while we're messing with it."
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: btrfs: no haga WARN_ON() si tenemos configurado PageError. Siempre que realizamos operaciones de b\u00fafer de extensi\u00f3n, llamamos a afirmar_eb_page_uptodate() para quejarnos en voz alta si estamos operando en una p\u00e1gina no actualizada. Nuestras pruebas nocturnas detectaron esta advertencia a principios de esta semana ADVERTENCIA: CPU: 1 PID: 553508 en fs/btrfs/extent_io.c:6849 afirmar_eb_page_uptodate+0x3f/0x50 CPU: 1 PID: 553508 Comm: kworker/u4:13 Tainted: GW 5.17. 0-rc3+ #564 Nombre de hardware: PC est\u00e1ndar QEMU (Q35 + ICH9, 2009), BIOS 1.13.0-2.fc32 01/04/2014 Cola de trabajo: btrfs-cache btrfs_work_helper RIP: 0010:assert_eb_page_uptodate+0x3f/0x50 RSP: 0018 :ffffa961440a7c68 EFLAGS: 00010246 RAX: 0017ffffc0002112 RBX: ffffe6e74453f9c0 RCX: 00000000000001000 RDX: ffffe6e74467c887 RSI: ffffe6e74453f9c0 ffff8d4c5efc2fc0 RBP: 0000000000000d56 R08: ffff8d4d4a224000 R09: 0000000000000000 R10: 00015817fa9d1ef0 R11: 000000000000000c R12: 000000007b1 R13: ffff8d4c5efc2fc0 R14: 0000000001500000 R15: 0000000001cb1000 FS: 0000000000000000(0000) GS:ffff8d4dbbd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 448d8 CR3: 0000000118be8004 CR4: 0000000000370ee0 Seguimiento de llamadas: extend_buffer_test_bit+0x3f/0x70 free_space_test_bit+0xa6/0xc0 load_free_space_tree +0x1f6/0x470 caching_thread+0x454/0x630 ? rcu_read_lock_sched_held+0x12/0x60? rcu_read_lock_sched_held+0x12/0x60? rcu_read_lock_sched_held+0x12/0x60? lock_release+0x1f0/0x2d0 btrfs_work_helper+0xf2/0x3e0 ? lock_release+0x1f0/0x2d0? terminar_task_switch.isra.0+0xf9/0x3a0 proceso_one_work+0x26d/0x580 ? proceso_one_work+0x580/0x580 trabajador_thread+0x55/0x3b0? proceso_one_work+0x580/0x580 kthread+0xf0/0x120 ? 
kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x1f/0x30 Esto fue solucionado parcialmente por c2e39305299f01 (\"btrfs: borrar la actualizaci\u00f3n del b\u00fafer de extensi\u00f3n cuando no logramos escribirlo\"), sin embargo, todo lo que esa soluci\u00f3n hizo fue evitar que encontr\u00e1ramos b\u00faferes de extensi\u00f3n despu\u00e9s de una escritura fallida. Eso no nos impidi\u00f3 seguir usando un b\u00fafer que ya hab\u00edamos encontrado. En este caso, estamos buscando la ra\u00edz de confirmaci\u00f3n para almacenar en cach\u00e9 el grupo de bloques, de modo que podamos comenzar a confirmar la transacci\u00f3n, cambiar la ra\u00edz de confirmaci\u00f3n y luego comenzar a escribir. Despu\u00e9s del cambio, podemos buscar un b\u00fafer de extensi\u00f3n que a\u00fan no se ha escrito y comenzar a procesar ese grupo de bloques. Luego no escribimos ese bloqueo y borramos Actualizar en la p\u00e1gina, y luego comenzamos a arrojar estos errores. Normalmente aqu\u00ed estamos protegidos hasta cierto punto por el candado del \u00e1rbol. Si leemos un bloque, tenemos la lectura del bloque bloqueada y evitamos que el escritor bloquee el bloque antes de enviarlo para la escritura. Sin embargo, esto no es necesariamente infalible porque la lectura podr\u00eda ocurrir antes de submit_bio y despu\u00e9s de bloquear y desbloquear el b\u00fafer de extensi\u00f3n. Tambi\u00e9n en este caso particular tenemos configurado path->skip_locking, por lo que eso no nos salvar\u00e1 aqu\u00ed. Simplemente obtendremos un bloque que era v\u00e1lido cuando lo le\u00edmos, pero dej\u00f3 de ser v\u00e1lido mientras lo us\u00e1bamos. Lo que realmente queremos es detectar el caso en el que hemos \"le\u00eddo\" un bloque pero no est\u00e1 marcado como Actualizado. Al leer, usamos ClearPageError(), por lo que si estamos !Uptodate y !Error sabremos que no hicimos lo correcto al leer la p\u00e1gina. 
Solucione esto marcando !Uptodate && !Error, de esta manera no nos quejaremos si nuestro b\u00fafer se invalida mientras lo estamos usando, y mantendremos el esp\u00edritu de la verificaci\u00f3n, que es asegurarnos de que tengamos un cach\u00e9 completo. bloquear mientras estamos jugando con \u00e9l."
}
],
"metrics": {},
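Review bot: the `es` value translates kernel symbol names as if they were prose (`assert_eb_page_uptodate` becomes `afirmar_eb_page_uptodate`, `extent_buffer_test_bit` becomes `extend_buffer_test_bit`, and `process_one_work`, `worker_thread` and `finish_task_switch` become `proceso_one_work`, `trabajador_thread` and `terminar_task_switch`), so it must not be indexed as code. On substance, the English text describes relaxing the `WARN_ON()` in `assert_eb_page_uptodate()` to `!Uptodate && !Error` so that a buffer invalidated by a failed writeout no longer trips it, and credits `c2e39305299f01` as the earlier partial fix; with `"metrics": {}` there is nothing in this record pointing beyond warning noise, which matters when bulk-triaging kernel CNA entries.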
@ -2,13 +2,17 @@
"id": "CVE-2022-48903",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-08-22T02:15:04.897",
"lastModified": "2024-08-22T02:15:04.897",
"vulnStatus": "Received",
"lastModified": "2024-08-22T12:48:02.790",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix relocation crash due to premature return from btrfs_commit_transaction()\n\nWe are seeing crashes similar to the following trace:\n\n[38.969182] WARNING: CPU: 20 PID: 2105 at fs/btrfs/relocation.c:4070 btrfs_relocate_block_group+0x2dc/0x340 [btrfs]\n[38.973556] CPU: 20 PID: 2105 Comm: btrfs Not tainted 5.17.0-rc4 #54\n[38.974580] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014\n[38.976539] RIP: 0010:btrfs_relocate_block_group+0x2dc/0x340 [btrfs]\n[38.980336] RSP: 0000:ffffb0dd42e03c20 EFLAGS: 00010206\n[38.981218] RAX: ffff96cfc4ede800 RBX: ffff96cfc3ce0000 RCX: 000000000002ca14\n[38.982560] RDX: 0000000000000000 RSI: 4cfd109a0bcb5d7f RDI: ffff96cfc3ce0360\n[38.983619] RBP: ffff96cfc309c000 R08: 0000000000000000 R09: 0000000000000000\n[38.984678] R10: ffff96cec0000001 R11: ffffe84c80000000 R12: ffff96cfc4ede800\n[38.985735] R13: 0000000000000000 R14: 0000000000000000 R15: ffff96cfc3ce0360\n[38.987146] FS: 00007f11c15218c0(0000) GS:ffff96d6dfb00000(0000) knlGS:0000000000000000\n[38.988662] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[38.989398] CR2: 00007ffc922c8e60 CR3: 00000001147a6001 CR4: 0000000000370ee0\n[38.990279] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[38.991219] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[38.992528] Call Trace:\n[38.992854] <TASK>\n[38.993148] btrfs_relocate_chunk+0x27/0xe0 [btrfs]\n[38.993941] btrfs_balance+0x78e/0xea0 [btrfs]\n[38.994801] ? vsnprintf+0x33c/0x520\n[38.995368] ? __kmalloc_track_caller+0x351/0x440\n[38.996198] btrfs_ioctl_balance+0x2b9/0x3a0 [btrfs]\n[38.997084] btrfs_ioctl+0x11b0/0x2da0 [btrfs]\n[38.997867] ? mod_objcg_state+0xee/0x340\n[38.998552] ? seq_release+0x24/0x30\n[38.999184] ? proc_nr_files+0x30/0x30\n[38.999654] ? call_rcu+0xc8/0x2f0\n[39.000228] ? __x64_sys_ioctl+0x84/0xc0\n[39.000872] ? 
btrfs_ioctl_get_supported_features+0x30/0x30 [btrfs]\n[39.001973] __x64_sys_ioctl+0x84/0xc0\n[39.002566] do_syscall_64+0x3a/0x80\n[39.003011] entry_SYSCALL_64_after_hwframe+0x44/0xae\n[39.003735] RIP: 0033:0x7f11c166959b\n[39.007324] RSP: 002b:00007fff2543e998 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n[39.008521] RAX: ffffffffffffffda RBX: 00007f11c1521698 RCX: 00007f11c166959b\n[39.009833] RDX: 00007fff2543ea40 RSI: 00000000c4009420 RDI: 0000000000000003\n[39.011270] RBP: 0000000000000003 R08: 0000000000000013 R09: 00007f11c16f94e0\n[39.012581] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff25440df3\n[39.014046] R13: 0000000000000000 R14: 00007fff2543ea40 R15: 0000000000000001\n[39.015040] </TASK>\n[39.015418] ---[ end trace 0000000000000000 ]---\n[43.131559] ------------[ cut here ]------------\n[43.132234] kernel BUG at fs/btrfs/extent-tree.c:2717!\n[43.133031] invalid opcode: 0000 [#1] PREEMPT SMP PTI\n[43.133702] CPU: 1 PID: 1839 Comm: btrfs Tainted: G W 5.17.0-rc4 #54\n[43.134863] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014\n[43.136426] RIP: 0010:unpin_extent_range+0x37a/0x4f0 [btrfs]\n[43.139913] RSP: 0000:ffffb0dd4216bc70 EFLAGS: 00010246\n[43.140629] RAX: 0000000000000000 RBX: ffff96cfc34490f8 RCX: 0000000000000001\n[43.141604] RDX: 0000000080000001 RSI: 0000000051d00000 RDI: 00000000ffffffff\n[43.142645] RBP: 0000000000000000 R08: 0000000000000000 R09: ffff96cfd07dca50\n[43.143669] R10: ffff96cfc46e8a00 R11: fffffffffffec000 R12: 0000000041d00000\n[43.144657] R13: ffff96cfc3ce0000 R14: ffffb0dd4216bd08 R15: 0000000000000000\n[43.145686] FS: 00007f7657dd68c0(0000) GS:ffff96d6df640000(0000) knlGS:0000000000000000\n[43.146808] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[43.147584] CR2: 00007f7fe81bf5b0 CR3: 00000001093ee004 CR4: 0000000000370ee0\n[43.148589] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[43.149581] DR3: 0000000000000000 DR6: 
00000000fffe0ff0 DR7: 00000000000\n---truncated---"
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: btrfs: corrige el fallo de reubicaci\u00f3n debido al retorno prematuro de btrfs_commit_transaction() Estamos viendo fallos similares al siguiente rastro: [38.969182] ADVERTENCIA: CPU: 20 PID: 2105 en fs/btrfs /relocation.c:4070 btrfs_relocate_block_group + 0x2dc/0x340 [btrfs] [38.973556] cpu: 20 pid: 2105 coms: btrfs no tinted 5.17.0-rc4 #54 [38.974580] nombre de hardware: qtrfs no tinteded 5.17.0-rc4 #54 [38.974580] Nombre de hardware: QTRFS no est\u00e1 Tainted 5.17.0-rc4 #54 [38.974580] Nombre de hardware: QTRFS no Tainted 5.17.0-rc4 #54 [38.974580] Nombre de hardware: QTRFS no Tainted 5.17.0-rc4 #54 [38.974580] Nombre de hardware: QTRFS no Tainted 5.17. ), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 01/04/2014 [38.976539] RIP: 0010:btrfs_relocate_block_group+0x2dc/0x340 [btrfs] [38.980336] RSP: 42e03c20 EFLAGS: 00010206 [ 38.981218] RAX: ffff96cfc4ede800 RBX: ffff96cfc3ce0000 RCX: 000000000002ca14 [38.982560] RDX: 00000000000000000 RSI: 4cfd109a0bcb5d7f RDI: 3ce0360 [38.983619] RBP: ffff96cfc309c000 R08: 0000000000000000 R09: 0000000000000000 [38.984678] R10: ffff96cec0000001 R11: 12: ffff96cfc4ede800 [38.985735] R13: 0000000000000000 R14: 0000000000000000 R15: ffff96cfc3ce0360 [38.987146] FS: 00007f11c15218c0(0000) GS:ffff96d6dfb00000(0000) 0000000000000000 [38.988662] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [38.989398] CR2: 00007ffc922c8e60 CR3: 00000001147a6001 CR4: 0000000000370ee0 [38.990279] DR0: 0000000000000000 DR1: 00000000000000000 DR2: 00000000000000000 [38.991219] DR3: 000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [38.992528] Seguimiento de llamadas: [38.992854] [38.993148] btrfs_relocate_chunk+0x27/0xe0 [btrfs ] [38.993941] btrfs_balance+0x78e/0xea0 [btrfs] [38.994801] ? vsnprintf+0x33c/0x520 [38.995368] ? 
__kmalloc_track_caller+0x351/0x440 [38.996198] btrfs_ioctl_balance+0x2b9/0x3a0 [btrfs] [38.997084] btrfs_ioctl+0x11b0/0x2da0 [btrfs] [38.997867] ? mod_objcg_state+0xee/0x340 [38.998552] ? seq_release+0x24/0x30 [38.999184] ? proc_nr_files+0x30/0x30 [38.999654] ? call_rcu+0xc8/0x2f0 [39.000228] ? __x64_sys_ioctl+0x84/0xc0 [39.000872] ? btrfs_ioctl_get_supported_features+0x30/0x30 [btrfs] [39.001973] __x64_sys_ioctl+0x84/0xc0 [39.002566] do_syscall_64+0x3a/0x80 [39.003011] Entry_SYSCALL_64_after_hwframe+ 0x44/0xae [39.003735] RIP: 0033:0x7f11c166959b [39.007324] RSP: 002b:00007fff2543e998 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [39.008521] RAX: ffffffffffffffda RBX: 00007f11c1521698 RCX: 00007f11c166959b [39.009833] RDX: 00007fff2543 ea40 RSI: 00000000c4009420 RDI: 00000000000000003 [39.011270] RBP: 0000000000000003 R08: 00000000000000013 R09: 00007f11c16f94e0 [39.0125 81] R10: 0000000000000000 R11: 0000000000000246 R12 : 00007fff25440df3 [39.014046] R13: 00000000000000000 R14: 00007fff2543ea40 R15: 0000000000000001 [39.015040] [39.015418] ---[ final de seguimiento 0 000000000000000 ]--- [43.131559] ------------ [cortar aqu\u00ed]------------ [43.132234] \u00a1ERROR del kernel en fs/btrfs/extent-tree.c:2717! 
[43.133031] c\u00f3digo de operaci\u00f3n no v\u00e1lido: 0000 [#1] PREEMPT SMP PTI [43.133702] CPU: 1 PID: 1839 Comm: btrfs Tainted: GW 5.17.0-rc4 #54 [43.134863] Nombre de hardware: PC est\u00e1ndar QEMU (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 01/04/2014 [43.136426] RIP: 0010:unpin_extent_range+0x37a/0x4f0 [btrfs] [43.139913] RSP: 216bc70 EFLAGS: 00010246 [43.140629] RAX: 0000000000000000 RBX: ffff96cfc34490f8 RCX: 0000000000000001 [43.141604] RDX: 0000000080000001 RSI: 0000000051d00000 : 00000000ffffffff [43.142645] RBP: 0000000000000000 R08: 0000000000000000 R09: ffff96cfd07dca50 [43.143669] R10: ffff96cfc46e8a00 R11: 00 R12: 0000000041d00000 [43.144657 ] R13: ffff96cfc3ce0000 R14: ffffb0dd4216bd08 R15: 0000000000000000 [43.145686] FS: 00007f7657dd68c0(0000) GS:ffff96d6df640000(0000) 00000000000000 [43.146808] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [43.147584] CR2: 00007f7fe81bf5b0 CR3 : 00000001093ee004 CR4: 0000000000370ee0 [43.148589] ---truncado---"
}
],
"metrics": {},
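Review bot: the English `value` stops at `---truncated---` inside the second register dump (the `kernel BUG at fs/btrfs/extent-tree.c:2717!` oops), so the record never reaches the paragraph that explains the premature return from `btrfs_commit_transaction()`; only the title line carries the nature of the fix. The `es` value is degraded rather than translated: the `Hardware name:` line collapses into `QTRFS no Tainted 5.17.0-rc4 #54` repeated five times, the `<TASK>` markers are gone, and it cuts off at a different point (`---truncado---` after `CR4`), so the two descriptions are not line-for-line equivalents. A consumer who needs the fix rationale has to follow the record's references to the upstream commit, and this hunk does not include them.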
@ -2,13 +2,17 @@
"id": "CVE-2022-48904",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-08-22T02:15:04.980",
"lastModified": "2024-08-22T02:15:04.980",
"vulnStatus": "Received",
"lastModified": "2024-08-22T12:48:02.790",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/amd: Fix I/O page table memory leak\n\nThe current logic updates the I/O page table mode for the domain\nbefore calling the logic to free memory used for the page table.\nThis results in IOMMU page table memory leak, and can be observed\nwhen launching VM w/ pass-through devices.\n\nFix by freeing the memory used for page table before updating the mode."
},
{
"lang": "es",
"value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: iommu/amd: corrige la p\u00e9rdida de memoria de la tabla de p\u00e1ginas de E/S. La l\u00f3gica actual actualiza el modo de tabla de p\u00e1ginas de E/S para el dominio antes de llamar a la l\u00f3gica para liberar la memoria utilizada para la tabla de p\u00e1ginas. Esto da como resultado una p\u00e9rdida de memoria en la tabla de p\u00e1ginas de IOMMU y se puede observar al iniciar VM con dispositivos de paso. Se soluciona liberando la memoria utilizada para la tabla de p\u00e1ginas antes de actualizar el modo."
}
],
"metrics": {},
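Review bot: the description states the ordering bug (the domain's I/O page table mode is updated before the page-table memory is freed, so that memory leaks) and that it shows up when launching a VM with pass-through devices, but it names no function, no affected range and, with `"metrics": {}`, no severity; on the text alone this is a resource leak on a VM-launch path, an availability concern for hosts that repeatedly assign passthrough devices rather than a memory-safety bug. As with the other `Received` to `Awaiting Analysis` transitions in this commit, the new `lastModified` is the identical `2024-08-22T12:48:02.790` across records, which marks this as a batch status change rather than per-record analysis.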
@ -2,13 +2,17 @@
"id": "CVE-2022-48905",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-08-22T02:15:05.050",
"lastModified": "2024-08-22T02:15:05.050",
"vulnStatus": "Received",
"lastModified": "2024-08-22T12:48:02.790",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nibmvnic: free reset-work-item when flushing\n\nFix a tiny memory leak when flushing the reset work queue."
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ibmvnic: elemento de trabajo de reinicio gratuito al vaciar Se corrige una peque\u00f1a p\u00e9rdida de memoria al vaciar la cola de trabajo de reinicio."
}
],
"metrics": {},
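Review bot: the `es` value renders "free reset-work-item" as "elemento de trabajo de reinicio gratuito", i.e. "free" in the no-cost sense, so the actual meaning (the work item is released when the reset work queue is flushed) is lost and the English one-liner is the only usable text. The record says nothing beyond "a tiny memory leak", so there is no trigger condition or severity to act on yet (`"metrics": {}`).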
@ -2,13 +2,17 @@
"id": "CVE-2022-48906",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-08-22T02:15:05.120",
"lastModified": "2024-08-22T02:15:05.120",
"vulnStatus": "Received",
"lastModified": "2024-08-22T12:48:02.790",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: Correctly set DATA_FIN timeout when number of retransmits is large\n\nSyzkaller with UBSAN uncovered a scenario where a large number of\nDATA_FIN retransmits caused a shift-out-of-bounds in the DATA_FIN\ntimeout calculation:\n\n================================================================================\nUBSAN: shift-out-of-bounds in net/mptcp/protocol.c:470:29\nshift exponent 32 is too large for 32-bit type 'unsigned int'\nCPU: 1 PID: 13059 Comm: kworker/1:0 Not tainted 5.17.0-rc2-00630-g5fbf21c90c60 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\nWorkqueue: events mptcp_worker\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\n ubsan_epilogue+0xb/0x5a lib/ubsan.c:151\n __ubsan_handle_shift_out_of_bounds.cold+0xb2/0x20e lib/ubsan.c:330\n mptcp_set_datafin_timeout net/mptcp/protocol.c:470 [inline]\n __mptcp_retrans.cold+0x72/0x77 net/mptcp/protocol.c:2445\n mptcp_worker+0x58a/0xa70 net/mptcp/protocol.c:2528\n process_one_work+0x9df/0x16d0 kernel/workqueue.c:2307\n worker_thread+0x95/0xe10 kernel/workqueue.c:2454\n kthread+0x2f4/0x3b0 kernel/kthread.c:377\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295\n </TASK>\n================================================================================\n\nThis change limits the maximum timeout by limiting the size of the\nshift, which keeps all intermediate values in-bounds."
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mptcp: establece correctamente el tiempo de espera de DATA_FIN cuando el n\u00famero de retransmisiones es grande Syzkaller con UBSAN descubri\u00f3 un escenario en el que una gran cantidad de retransmisiones de DATA_FIN provocaban un desplazamiento fuera de los l\u00edmites en el tiempo de espera de DATA_FIN c\u00e1lculo: =================================================== ================================ UBSAN: desplazamiento fuera de los l\u00edmites en net/mptcp/protocol.c: El exponente de desplazamiento 470:29 32 es demasiado grande para el tipo 'unsigned int' de 32 bits CPU: 1 PID: 13059 Comm: kworker/1:0 Not tainted 5.17.0-rc2-00630-g5fbf21c90c60 #1 Nombre de hardware: PC est\u00e1ndar QEMU (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 01/04/2014 Cola de trabajo: eventos mptcp_worker Seguimiento de llamadas: __dump_stack lib/dump_stack.c:88 [en l\u00ednea] dump_stack_lvl+0xcd/0x134 lib/dump_stack .c:106 ubsan_epilogue+0xb/0x5a lib/ubsan.c:151 __ubsan_handle_shift_out_of_bounds.cold+0xb2/0x20e lib/ubsan.c:330 mptcp_set_datafin_timeout net/mptcp/protocol.c:470 __mptcp_retrans.cold+0x7 2/0x77 net/mptcp/protocol.c:2445 mptcp_worker+0x58a/0xa70 net/mptcp/protocol.c:2528 Process_one_work+0x9df/0x16d0 kernel/workqueue.c:2307 trabajador_thread+0x95/0xe10 kernel/workqueue.c:2454 kthread+0x2f4 /0x3b0 kernel/kthread.c:377 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 ====================== ==================================================== ========= Este cambio limita el tiempo de espera m\u00e1ximo al limitar el tama\u00f1o del turno, lo que mantiene todos los valores intermedios dentro de los l\u00edmites."
}
],
"metrics": {},
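Review bot: the es value in this hunk rewrites identifiers inside the quoted UBSAN report, so it cannot be used for matching against kernel symbols or file:line pairs. In the es text, worker_thread+0x95/0xe10 appears as trabajador_thread+0x95/0xe10, process_one_work as Process_one_work, __mptcp_retrans.cold+0x72/0x77 is split into __mptcp_retrans.cold+0x7 2/0x77, the location net/mptcp/protocol.c:470:29 is broken so that "470:29" lands in the following sentence ("El exponente de desplazamiento 470:29 32"), and the BIOS date 04/01/2014 is reordered to 01/04/2014. The en value in the same hunk carries the trace intact; anyone keying on function names from this feed should read them from the en entry only.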
@ -2,13 +2,17 @@
"id": "CVE-2022-48907",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-08-22T02:15:05.187",
"lastModified": "2024-08-22T02:15:05.187",
"vulnStatus": "Received",
"lastModified": "2024-08-22T12:48:02.790",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nauxdisplay: lcd2s: Fix memory leak in ->remove()\n\nOnce allocated the struct lcd2s_data is never freed.\nFix the memory leak by switching to devm_kzalloc()."
},
{
"lang": "es",
"value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: auxdisplay: lcd2s: corrige la p\u00e9rdida de memoria en ->remove() Una vez asignada, la estructura lcd2s_data nunca se libera. Solucione la p\u00e9rdida de memoria cambiando a devm_kzalloc()."
}
],
"metrics": {},
@ -2,13 +2,17 @@
"id": "CVE-2022-48908",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-08-22T02:15:05.247",
"lastModified": "2024-08-22T02:15:05.247",
"vulnStatus": "Received",
"lastModified": "2024-08-22T12:48:02.790",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: arcnet: com20020: Fix null-ptr-deref in com20020pci_probe()\n\nDuring driver initialization, the pointer of card info, i.e. the\nvariable 'ci' is required. However, the definition of\n'com20020pci_id_table' reveals that this field is empty for some\ndevices, which will cause null pointer dereference when initializing\nthese devices.\n\nThe following log reveals it:\n\n[ 3.973806] KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]\n[ 3.973819] RIP: 0010:com20020pci_probe+0x18d/0x13e0 [com20020_pci]\n[ 3.975181] Call Trace:\n[ 3.976208] local_pci_probe+0x13f/0x210\n[ 3.977248] pci_device_probe+0x34c/0x6d0\n[ 3.977255] ? pci_uevent+0x470/0x470\n[ 3.978265] really_probe+0x24c/0x8d0\n[ 3.978273] __driver_probe_device+0x1b3/0x280\n[ 3.979288] driver_probe_device+0x50/0x370\n\nFix this by checking whether the 'ci' is a null pointer first."
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: arcnet: com20020: corrija null-ptr-deref en com20020pci_probe() Durante la inicializaci\u00f3n del controlador, se requiere el puntero de informaci\u00f3n de la tarjeta, es decir, la variable 'ci'. Sin embargo, la definici\u00f3n de 'com20020pci_id_table' revela que este campo est\u00e1 vac\u00edo para algunos dispositivos, lo que provocar\u00e1 una desreferencia del puntero nulo al inicializar estos dispositivos. El siguiente registro lo revela: [3.973806] KASAN: null-ptr-deref en el rango [0x0000000000000028-0x000000000000002f] [3.973819] RIP: 0010:com20020pci_probe+0x18d/0x13e0 [com20020_p ci] [3.975181] Seguimiento de llamadas: [3.976208] local_pci_probe+0x13f /0x210 [3.977248] pci_device_probe+0x34c/0x6d0 [3.977255]? pci_uevent+0x470/0x470 [3.978265] very_probe+0x24c/0x8d0 [3.978273] __driver_probe_device+0x1b3/0x280 [3.979288] driver_probe_device+0x50/0x370 Solucione este problema comprobando primero si el 'ci' es un puntero nulo."
}
],
"metrics": {},
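Review bot: the es value in this hunk translates a kernel symbol in the KASAN call trace, rendering really_probe+0x24c/0x8d0 as very_probe+0x24c/0x8d0, splits the module tag [com20020_pci] into [com20020_p ci], and inserts a space into local_pci_probe+0x13f /0x210. A consumer that greps feed descriptions for affected symbols will miss this record if it reads the Spanish text; the en value in the same hunk is the only reliable copy of the trace.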
@ -2,13 +2,17 @@
"id": "CVE-2022-48909",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-08-22T02:15:05.333",
"lastModified": "2024-08-22T02:15:05.333",
"vulnStatus": "Received",
"lastModified": "2024-08-22T12:48:02.790",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix connection leak\n\nThere's a potential leak issue under following execution sequence :\n\nsmc_release \t\t\t\tsmc_connect_work\nif (sk->sk_state == SMC_INIT)\n\t\t\t\t\tsend_clc_confirim\n\ttcp_abort();\n\t\t\t\t\t...\n\t\t\t\t\tsk.sk_state = SMC_ACTIVE\nsmc_close_active\nswitch(sk->sk_state) {\n...\ncase SMC_ACTIVE:\n\tsmc_close_final()\n\t// then wait peer closed\n\nUnfortunately, tcp_abort() may discard CLC CONFIRM messages that are\nstill in the tcp send buffer, in which case our connection token cannot\nbe delivered to the server side, which means that we cannot get a\npassive close message at all. Therefore, it is impossible for the to be\ndisconnected at all.\n\nThis patch tries a very simple way to avoid this issue, once the state\nhas changed to SMC_ACTIVE after tcp_abort(), we can actively abort the\nsmc connection, considering that the state is SMC_INIT before\ntcp_abort(), abandoning the complete disconnection process should not\ncause too much problem.\n\nIn fact, this problem may exist as long as the CLC CONFIRM message is\nnot received by the server. Whether a timer should be added after\nsmc_close_final() needs to be discussed in the future. But even so, this\npatch provides a faster release for connection in above case, it should\nalso be valuable."
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/smc: reparar fuga de conexi\u00f3n Hay un posible problema de fuga en la siguiente secuencia de ejecuci\u00f3n: smc_release smc_connect_work if (sk->sk_state == SMC_INIT) send_clc_confirim tcp_abort(); ... sk.sk_state = SMC_ACTIVE smc_close_active switch(sk->sk_state) { ... case SMC_ACTIVE: smc_close_final() // luego espera el par cerrado Desafortunadamente, tcp_abort() puede descartar los mensajes CLC CONFIRM que todav\u00eda est\u00e1n en el b\u00fafer de env\u00edo tcp , en cuyo caso nuestro token de conexi\u00f3n no se puede entregar al lado del servidor, lo que significa que no podemos recibir ning\u00fan mensaje de cierre pasivo. Por lo tanto, es imposible desconectarlo en absoluto. Este parche intenta una forma muy sencilla de evitar este problema, una vez que el estado ha cambiado a SMC_ACTIVE despu\u00e9s de tcp_abort(), podemos cancelar activamente la conexi\u00f3n smc, considerando que el estado es SMC_INIT antes de tcp_abort(), abandonar el proceso de desconexi\u00f3n completo no deber\u00eda causar demasiado problema. De hecho, este problema puede existir siempre y cuando el servidor no reciba el mensaje CONFIRM CLC. En el futuro se deber\u00e1 discutir si se debe agregar un temporizador despu\u00e9s de smc_close_final(). Pero aun as\u00ed, este parche proporciona una liberaci\u00f3n m\u00e1s r\u00e1pida para la conexi\u00f3n. En el caso anterior, tambi\u00e9n deber\u00eda ser valioso."
}
],
"metrics": {},
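Review bot: the two-column race diagram in the en value of this hunk (smc_release on the left, smc_connect_work indented on the right, with tcp_abort() ordered between send_clc_confirim and sk.sk_state = SMC_ACTIVE) is flattened into a single line in the es value, so the interleaving that the fix depends on can no longer be read from the Spanish text, and the trailing "// then wait peer closed" comment now runs straight into the next sentence. Readers of the es entry get the conclusion but not the sequence; the en value should remain the reference for the ordering.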
@ -2,13 +2,17 @@
"id": "CVE-2022-48910",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-08-22T02:15:05.403",
"lastModified": "2024-08-22T02:15:05.403",
"vulnStatus": "Received",
"lastModified": "2024-08-22T12:48:02.790",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipv6: ensure we call ipv6_mc_down() at most once\n\nThere are two reasons for addrconf_notify() to be called with NETDEV_DOWN:\neither the network device is actually going down, or IPv6 was disabled\non the interface.\n\nIf either of them stays down while the other is toggled, we repeatedly\ncall the code for NETDEV_DOWN, including ipv6_mc_down(), while never\ncalling the corresponding ipv6_mc_up() in between. This will cause a\nnew entry in idev->mc_tomb to be allocated for each multicast group\nthe interface is subscribed to, which in turn leaks one struct ifmcaddr6\nper nontrivial multicast group the interface is subscribed to.\n\nThe following reproducer will leak at least $n objects:\n\nip addr add ff2e::4242/32 dev eth0 autojoin\nsysctl -w net.ipv6.conf.eth0.disable_ipv6=1\nfor i in $(seq 1 $n); do\n\tip link set up eth0; ip link set down eth0\ndone\n\nJoining groups with IPV6_ADD_MEMBERSHIP (unprivileged) or setting the\nsysctl net.ipv6.conf.eth0.forwarding to 1 (=> subscribing to ff02::2)\ncan also be used to create a nontrivial idev->mc_list, which will the\nleak objects with the right up-down-sequence.\n\nBased on both sources for NETDEV_DOWN events the interface IPv6 state\nshould be considered:\n\n - not ready if the network interface is not ready OR IPv6 is disabled\n for it\n - ready if the network interface is ready AND IPv6 is enabled for it\n\nThe functions ipv6_mc_up() and ipv6_down() should only be run when this\nstate changes.\n\nImplement this by remembering when the IPv6 state is ready, and only\nrun ipv6_mc_down() if it actually changed from ready to not ready.\n\nThe other direction (not ready -> ready) already works correctly, as:\n\n - the interface notification triggered codepath for NETDEV_UP /\n NETDEV_CHANGE returns early if ipv6 is disabled, and\n - the disable_ipv6=0 triggered codepath skips fully initializing the\n interface as long as 
addrconf_link_ready(dev) returns false\n - calling ipv6_mc_up() repeatedly does not leak anything"
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: ipv6: aseg\u00farese de llamar a ipv6_mc_down() como m\u00e1ximo una vez. Hay dos razones para llamar a addrconf_notify() con NETDEV_DOWN: o el dispositivo de red realmente est\u00e1 cayendo o IPv6 estaba deshabilitado en la interfaz. Si alguno de ellos permanece inactivo mientras el otro est\u00e1 activado, llamamos repetidamente al c\u00f3digo para NETDEV_DOWN, incluido ipv6_mc_down(), pero nunca llamamos al ipv6_mc_up() correspondiente en el medio. Esto har\u00e1 que se asigne una nueva entrada en idev->mc_tomb para cada grupo de multidifusi\u00f3n al que est\u00e9 suscrita la interfaz, lo que a su vez filtrar\u00e1 una estructura ifmcaddr6 por cada grupo de multidifusi\u00f3n no trivial al que est\u00e9 suscrita la interfaz. El siguiente reproductor filtrar\u00e1 al menos $n objetos: ip addr add ff2e::4242/32 dev eth0 autojoin sysctl -w net.ipv6.conf.eth0.disable_ipv6=1 for i in $(seq 1 $n); configurar el enlace ip eth0; ip link set down eth0 done Unirse a grupos con IPV6_ADD_MEMBERSHIP (sin privilegios) o configurar sysctl net.ipv6.conf.eth0.forwarding en 1 (=> suscribirse a ff02::2) tambi\u00e9n se puede usar para crear un idev->mc_list no trivial , que filtrar\u00e1 objetos con la secuencia correcta de arriba a abajo. Seg\u00fan ambas fuentes de eventos NETDEV_DOWN, se debe considerar el estado de la interfaz IPv6: - no lista si la interfaz de red no est\u00e1 lista O IPv6 est\u00e1 deshabilitado - lista si la interfaz de red est\u00e1 lista Y IPv6 est\u00e1 habilitada Las funciones ipv6_mc_up() e ipv6_down() solo debe ejecutarse cuando este estado cambie. Implemente esto recordando cu\u00e1ndo el estado de IPv6 est\u00e1 listo y solo ejecute ipv6_mc_down() si realmente cambi\u00f3 de listo a no listo. 
La otra direcci\u00f3n (no listo -> listo) ya funciona correctamente, ya que: - la ruta de c\u00f3digo activada de notificaci\u00f3n de interfaz para NETDEV_UP / NETDEV_CHANGE regresa antes si ipv6 est\u00e1 deshabilitado, y - la ruta de c\u00f3digo activada enable_ipv6=0 omite la inicializaci\u00f3n completa de la interfaz siempre que addrconf_link_ready (dev) devuelve falso: llamar a ipv6_mc_up() repetidamente no filtra nada"
}
],
"metrics": {},
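Review bot: the es value in this hunk changes the meaning of two identifiers that the en value states precisely. In the reproducer, the command "ip link set up eth0" (and the "do" before it) becomes the prose "configurar el enlace ip eth0", so the four-line loop no longer runs as given, and "the disable_ipv6=0 triggered codepath" becomes "la ruta de c\u00f3digo activada enable_ipv6=0", naming a knob that appears nowhere in the en text (the sysctl used throughout is net.ipv6.conf.eth0.disable_ipv6). Anyone reproducing or describing the ifmcaddr6 leak should work from the en entry only.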
@ -2,13 +2,17 @@
"id": "CVE-2022-48911",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-08-22T02:15:05.483",
"lastModified": "2024-08-22T02:15:05.483",
"vulnStatus": "Received",
"lastModified": "2024-08-22T12:48:02.790",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_queue: fix possible use-after-free\n\nEric Dumazet says:\n The sock_hold() side seems suspect, because there is no guarantee\n that sk_refcnt is not already 0.\n\nOn failure, we cannot queue the packet and need to indicate an\nerror. The packet will be dropped by the caller.\n\nv2: split skb prefetch hunk into separate change"
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: netfilter: nf_queue: corrige posible use-after-free Eric Dumazet dice: El lado sock_hold() parece sospechoso, porque no hay garant\u00eda de que sk_refcnt no sea ya 0. En caso de falla, No podemos poner en cola el paquete y necesitamos indicar un error. La persona que llama descartar\u00e1 el paquete. v2: dividir el fragmento de captaci\u00f3n previa de skb en un cambio separado"
}
],
"metrics": {},
@ -2,13 +2,17 @@
"id": "CVE-2022-48912",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-08-22T02:15:05.550",
"lastModified": "2024-08-22T02:15:05.550",
"vulnStatus": "Received",
"lastModified": "2024-08-22T12:48:02.790",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: fix use-after-free in __nf_register_net_hook()\n\nWe must not dereference @new_hooks after nf_hook_mutex has been released,\nbecause other threads might have freed our allocated hooks already.\n\nBUG: KASAN: use-after-free in nf_hook_entries_get_hook_ops include/linux/netfilter.h:130 [inline]\nBUG: KASAN: use-after-free in hooks_validate net/netfilter/core.c:171 [inline]\nBUG: KASAN: use-after-free in __nf_register_net_hook+0x77a/0x820 net/netfilter/core.c:438\nRead of size 2 at addr ffff88801c1a8000 by task syz-executor237/4430\n\nCPU: 1 PID: 4430 Comm: syz-executor237 Not tainted 5.17.0-rc5-syzkaller-00306-g2293be58d6a1 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\n print_address_description.constprop.0.cold+0x8d/0x336 mm/kasan/report.c:255\n __kasan_report mm/kasan/report.c:442 [inline]\n kasan_report.cold+0x83/0xdf mm/kasan/report.c:459\n nf_hook_entries_get_hook_ops include/linux/netfilter.h:130 [inline]\n hooks_validate net/netfilter/core.c:171 [inline]\n __nf_register_net_hook+0x77a/0x820 net/netfilter/core.c:438\n nf_register_net_hook+0x114/0x170 net/netfilter/core.c:571\n nf_register_net_hooks+0x59/0xc0 net/netfilter/core.c:587\n nf_synproxy_ipv6_init+0x85/0xe0 net/netfilter/nf_synproxy_core.c:1218\n synproxy_tg6_check+0x30d/0x560 net/ipv6/netfilter/ip6t_SYNPROXY.c:81\n xt_check_target+0x26c/0x9e0 net/netfilter/x_tables.c:1038\n check_target net/ipv6/netfilter/ip6_tables.c:530 [inline]\n find_check_entry.constprop.0+0x7f1/0x9e0 net/ipv6/netfilter/ip6_tables.c:573\n translate_table+0xc8b/0x1750 net/ipv6/netfilter/ip6_tables.c:735\n do_replace net/ipv6/netfilter/ip6_tables.c:1153 [inline]\n do_ip6t_set_ctl+0x56e/0xb90 net/ipv6/netfilter/ip6_tables.c:1639\n nf_setsockopt+0x83/0xe0 
net/netfilter/nf_sockopt.c:101\n ipv6_setsockopt+0x122/0x180 net/ipv6/ipv6_sockglue.c:1024\n rawv6_setsockopt+0xd3/0x6a0 net/ipv6/raw.c:1084\n __sys_setsockopt+0x2db/0x610 net/socket.c:2180\n __do_sys_setsockopt net/socket.c:2191 [inline]\n __se_sys_setsockopt net/socket.c:2188 [inline]\n __x64_sys_setsockopt+0xba/0x150 net/socket.c:2188\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7f65a1ace7d9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f65a1a7f308 EFLAGS: 00000246 ORIG_RAX: 0000000000000036\nRAX: ffffffffffffffda RBX: 0000000000000006 RCX: 00007f65a1ace7d9\nRDX: 0000000000000040 RSI: 0000000000000029 RDI: 0000000000000003\nRBP: 00007f65a1b574c8 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000020000000 R11: 0000000000000246 R12: 00007f65a1b55130\nR13: 00007f65a1b574c0 R14: 00007f65a1b24090 R15: 0000000000022000\n </TASK>\n\nThe buggy address belongs to the page:\npage:ffffea0000706a00 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1c1a8\nflags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)\nraw: 00fff00000000000 ffffea0001c1b108 ffffea000046dd08 0000000000000000\nraw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\npage_owner tracks the page as freed\npage last allocated via order 2, migratetype Unmovable, gfp_mask 0x52dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 4430, ts 1061781545818, free_ts 1061791488993\n prep_new_page mm/page_alloc.c:2434 [inline]\n get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4165\n __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5389\n __alloc_pages_node include/linux/gfp.h:572 [inline]\n alloc_pages_node include/linux/gfp.h:595 
[inline]\n kmalloc_large_node+0x62/0x130 mm/slub.c:4438\n __kmalloc_node+0x35a/0x4a0 mm/slub.\n---truncated---"
},
{
"lang": "es",
"value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: netfilter: corrige el use-after-free en __nf_register_net_hook() No debemos eliminar la referencia a @new_hooks despu\u00e9s de que se haya lanzado nf_hook_mutex, porque es posible que otros subprocesos ya hayan liberado nuestros ganchos asignados. ERROR: KASAN: use-after-free en nf_hook_entries_get_hook_ops include/linux/netfilter.h:130 [en l\u00ednea] ERROR: KASAN: use-after-free en ganchos_validate net/netfilter/core.c:171 [en l\u00ednea] ERROR: KASAN: use-after-free en __nf_register_net_hook+0x77a/0x820 net/netfilter/core.c:438 Lectura de tama\u00f1o 2 en la direcci\u00f3n ffff88801c1a8000 por tarea syz-executor237/4430 CPU: 1 PID: 4430 Comm: syz-executor237 No contaminado 5.17.0 -rc5-syzkaller-00306-g2293be58d6a1 #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Seguimiento de llamadas: __dump_stack lib/dump_stack.c:88 [en l\u00ednea] dump_stack_lvl+0xcd/ 0x134 lib/dump_stack.c:106 print_address_description.constprop.0.cold+0x8d/0x336 mm/kasan/report.c:255 __kasan_report mm/kasan/report.c:442 [en l\u00ednea] kasan_report.cold+0x83/0xdf mm/ kasan/report.c: 459 nf_hook_entries_get_hook_ops include/linux/netfilter.h: 130 [inline] gooks_validate net/netfilter/core.c: 171 [inline] __nf_register_net_hook+0x77a/0x820 net/netfilter/core.c: 438 nf_net_hook+0x77a/0x820 net/netfilter/core.c: 438 nf_net_hook+0x77a/0x820 net/netfilter/core.c: 438 nfhhook_net_net+0x11 /0x170 net/netfilter/core.c:571 nf_register_net_hooks+0x59/0xc0 net/netfilter/core.c:587 nf_synproxy_ipv6_init+0x85/0xe0 net/netfilter/nf_synproxy_core.c:1218 synproxy_tg6_check+0x30d/0x560 ipv6/filtro de red/ ip6t_SYNPROXY.c:81 xt_check_target+0x26c/0x9e0 net/netfilter/x_tables.c:1038 check_target net/ipv6/netfilter/ip6_tables.c:530 [en l\u00ednea] find_check_entry.constprop.0+0x7f1/0x9e0 net/ipv6/netfilter/ip6_tables .c:573 traducir_table+0xc8b/0x1750 
net/ipv6/netfilter/ip6_tables.c:735 do_replace net/ipv6/netfilter/ip6_tables.c:1153 [en l\u00ednea] do_ip6t_set_ctl+0x56e/0xb90 net/ipv6/netfilter/ip6_tables.c: 1639 nf_setsockopt+0x83/0xe0 net/netfilter/nf_sockopt.c:101 ipv6_setsockopt+0x122/0x180 net/ipv6/ipv6_sockglue.c:1024 rawv6_setsockopt+0xd3/0x6a0 net/ipv6/raw.c:1084 ys_setsockopt+0x2db/0x610 neto/ socket.c:2180 __do_sys_setsockopt net/socket.c:2191 [en l\u00ednea] __se_sys_setsockopt net/socket.c:2188 [en l\u00ednea] __x64_sys_setsockopt+0xba/0x150 net/socket.c:2188 do_syscall_x64 arch/x86/entry/common.c : 50 [en l\u00ednea] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 Entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f65a1ace7d9 C\u00f3digo: 28 00 00 00 75 05 48 83 c4 28 c3 e8 1 15 00 00 90 48 89 F8 48 89 F7 48 89 D6 48 89 CA 4D 89 C2 4D 89 C8 4C 8B 4C 24 08 0F 05 <48> 3D 01 F0 FF FF 73 01 C3 48 C7 C1 B8 FF FF FF F7 D8 64 89 01 48 RSP: 002b:00007f65a1a7f308 EFLAGS: 00000246 ORIG_RAX: 0000000000000036 RAX: ffffffffffffffda RBX: 00000000000000006 RCX: 00007f65a1ace7d9 RDX: 00000040 RSI: 0000000000000029 RDI: 0000000000000003 RBP: 00007f65a1b574c8 R08: 0000000000000001 R09: 000000000000000 R10: 000000002 0000000 R11: 0000000000000246 R12: 00007f65a1b55130 R13: 00007f65a1b574c0 R14: 00007f65a1b24090 R15: 0000000000022000 La direcci\u00f3n del error pertenece a la p\u00e1gina: p\u00e1gina:ffffea0000706a00 refcount:0 mapcount:0 mapeo:0000000000000000 index:0x0 pfn:0x1c1a8 flags: 0xfff000000 00000(nodo=0|zona=1|lastcpupid=0x7ff) crudo: 00fff00000000000 ffffea0001c1b108 ffffea000046dd08 0000000000000000 crudo: 0000000000000000 00000000000000000 00000000ffffffff 00000000000 00000 p\u00e1gina volcada porque: kasan: mal acceso detectado page_owner rastrea la p\u00e1gina como p\u00e1gina liberada asignada por \u00faltima vez mediante orden 2, migrar tipo Inamovible, gfp_mask 0x52dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO) , pid 4430, ts 1061781545818, free_ts 1061791488993 prep_new_page 
mm/page_alloc.c:2434 [en l\u00ednea] ---truncado---"
}
],
"metrics": {},
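Review bot: the es value in this hunk corrupts the register dump and call trace that the en value preserves, so none of the addresses, register values or frame names in the Spanish copy should be relied on. The hooks_validate frame is rendered as gooks_validate and translate_table as traducir_table, the frames between core.c:438 and core.c:571 are duplicated and mangled ("nf_net_hook+0x77a/0x820 ... nfhhook_net_net+0x11 /0x170"), "raw:" becomes "crudo:", the Code: bytes are upper-cased, and register widths are altered (RDX: 00000040 against RDX: 0000000000000040 in the en text; R10: 000000002 0000000 split by a space). The es text also stops at prep_new_page mm/page_alloc.c:2434 before its ---truncado--- marker, whereas the en text continues through kmalloc_large_node and __kmalloc_node before ---truncated---. Consumers comparing this record against a live KASAN report must use the en entry.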
@ -2,13 +2,17 @@
"id": "CVE-2022-48913",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-08-22T02:15:05.613",
"lastModified": "2024-08-22T02:15:05.613",
"vulnStatus": "Received",
"lastModified": "2024-08-22T12:48:02.790",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblktrace: fix use after free for struct blk_trace\n\nWhen tracing the whole disk, 'dropped' and 'msg' will be created\nunder 'q->debugfs_dir' and 'bt->dir' is NULL, thus blk_trace_free()\nwon't remove those files. What's worse, the following UAF can be\ntriggered because of accessing stale 'dropped' and 'msg':\n\n==================================================================\nBUG: KASAN: use-after-free in blk_dropped_read+0x89/0x100\nRead of size 4 at addr ffff88816912f3d8 by task blktrace/1188\n\nCPU: 27 PID: 1188 Comm: blktrace Not tainted 5.17.0-rc4-next-20220217+ #469\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-4\nCall Trace:\n <TASK>\n dump_stack_lvl+0x34/0x44\n print_address_description.constprop.0.cold+0xab/0x381\n ? blk_dropped_read+0x89/0x100\n ? blk_dropped_read+0x89/0x100\n kasan_report.cold+0x83/0xdf\n ? blk_dropped_read+0x89/0x100\n kasan_check_range+0x140/0x1b0\n blk_dropped_read+0x89/0x100\n ? blk_create_buf_file_callback+0x20/0x20\n ? kmem_cache_free+0xa1/0x500\n ? do_sys_openat2+0x258/0x460\n full_proxy_read+0x8f/0xc0\n vfs_read+0xc6/0x260\n ksys_read+0xb9/0x150\n ? vfs_write+0x3d0/0x3d0\n ? fpregs_assert_state_consistent+0x55/0x60\n ? 
exit_to_user_mode_prepare+0x39/0x1e0\n do_syscall_64+0x35/0x80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7fbc080d92fd\nCode: ce 20 00 00 75 10 b8 00 00 00 00 0f 05 48 3d 01 f0 ff ff 73 31 c3 48 83 1\nRSP: 002b:00007fbb95ff9cb0 EFLAGS: 00000293 ORIG_RAX: 0000000000000000\nRAX: ffffffffffffffda RBX: 00007fbb95ff9dc0 RCX: 00007fbc080d92fd\nRDX: 0000000000000100 RSI: 00007fbb95ff9cc0 RDI: 0000000000000045\nRBP: 0000000000000045 R08: 0000000000406299 R09: 00000000fffffffd\nR10: 000000000153afa0 R11: 0000000000000293 R12: 00007fbb780008c0\nR13: 00007fbb78000938 R14: 0000000000608b30 R15: 00007fbb780029c8\n </TASK>\n\nAllocated by task 1050:\n kasan_save_stack+0x1e/0x40\n __kasan_kmalloc+0x81/0xa0\n do_blk_trace_setup+0xcb/0x410\n __blk_trace_setup+0xac/0x130\n blk_trace_ioctl+0xe9/0x1c0\n blkdev_ioctl+0xf1/0x390\n __x64_sys_ioctl+0xa5/0xe0\n do_syscall_64+0x35/0x80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nFreed by task 1050:\n kasan_save_stack+0x1e/0x40\n kasan_set_track+0x21/0x30\n kasan_set_free_info+0x20/0x30\n __kasan_slab_free+0x103/0x180\n kfree+0x9a/0x4c0\n __blk_trace_remove+0x53/0x70\n blk_trace_ioctl+0x199/0x1c0\n blkdev_common_ioctl+0x5e9/0xb30\n blkdev_ioctl+0x1a5/0x390\n __x64_sys_ioctl+0xa5/0xe0\n do_syscall_64+0x35/0x80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nThe buggy address belongs to the object at ffff88816912f380\n which belongs to the cache kmalloc-96 of size 96\nThe buggy address is located 88 bytes inside of\n 96-byte region [ffff88816912f380, ffff88816912f3e0)\nThe buggy address belongs to the page:\npage:000000009a1b4e7c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0f\nflags: 0x17ffffc0000200(slab|node=0|zone=2|lastcpupid=0x1fffff)\nraw: 0017ffffc0000200 ffffea00044f1100 dead000000000002 ffff88810004c780\nraw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\n\nMemory state around the buggy address:\n ffff88816912f280: fa fb fb fb fb fb fb fb fb 
fb fb fb fc fc fc fc\n ffff88816912f300: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n>ffff88816912f380: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n ^\n ffff88816912f400: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n ffff88816912f480: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n=================================================================="
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: blktrace: corrige el use after free para struct blk_trace Al rastrear todo el disco, se crear\u00e1n 'dropped' y 'msg' en 'q->debugfs_dir' y 'bt->dir ' es NULL, por lo tanto blk_trace_free() no eliminar\u00e1 esos archivos. Lo que es peor, el siguiente UAF se puede activar debido al acceso a 'soltado' y 'msg' obsoletos: ============================== ===================================== ERROR: KASAN: use after free en blk_dropped_read+0x89 /0x100 Lectura de tama\u00f1o 4 en la direcci\u00f3n ffff88816912f3d8 por tarea blktrace/1188 CPU: 27 PID: 1188 Comm: blktrace Not tainted 5.17.0-rc4-next-20220217+ #469 Nombre de hardware: PC est\u00e1ndar QEMU (i440FX + PIIX, 1996) , BIOS ?-20190727_073836-4 Seguimiento de llamadas: dump_stack_lvl+0x34/0x44 print_address_description.constprop.0.cold+0xab/0x381 ? blk_dropped_read+0x89/0x100? blk_dropped_read+0x89/0x100 kasan_report.cold+0x83/0xdf ? blk_dropped_read+0x89/0x100 kasan_check_range+0x140/0x1b0 blk_dropped_read+0x89/0x100 ? blk_create_buf_file_callback+0x20/0x20? kmem_cache_free+0xa1/0x500 ? do_sys_openat2+0x258/0x460 full_proxy_read+0x8f/0xc0 vfs_read+0xc6/0x260 ksys_read+0xb9/0x150 ? vfs_write+0x3d0/0x3d0? fpregs_assert_state_consistent+0x55/0x60? 
exit_to_user_mode_prepare+0x39/0x1e0 do_syscall_64+0x35/0x80 Entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7fbc080d92fd C\u00f3digo: ce 20 00 00 75 10 b8 00 00 00 00 0f 5 48 3d 01 f0 ff ff 73 31 c3 48 83 1 RSP: 002b :00007fbb95ff9cb0 EFLAGS: 00000293 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: 00007fbb95ff9dc0 RCX: 00007fbc080d92fd RDX: 0000000000000100 R SI: 00007fbb95ff9cc0 RDI: 0000000000000045 RBP: 0000000000000045 R08: 0000000000406299 R09: 00000000fffffffd R10: 000000000153afa0 R11: 000000000293 R12: 00007fbb780008c0 R13: 00007fbb78000938 R14: 0000000000608b30 R15: 00007fbb780029c8 Asignado por tarea 1050: kasan_save_stack+0x1e/0x40 __kasan_kmalloc+0x81/0xa0 do_blk_trace_setup+0xcb/0x410 __blk_trace_setup+0xac/0x130 e9/0x1c0 blkdev_ioctl+0xf1/0x390 __x64_sys_ioctl+0xa5/0xe0 do_syscall_64+0x35 /0x80 Entry_SYSCALL_64_after_hwframe+0x44/0xae Liberado por la tarea 1050: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 kasan_set_free_info+0x20/0x30 __kasan_slab_free+0x103/0x180 kfree+0x9a/0x4c 0 __blk_trace_remove+0x53/0x70 blk_trace_ioctl+0x199/0x1c0 blkdev_common_ioctl+0x5e9 /0xb30 blkdev_ioctl+0x1a5/0x390 __x64_sys_ioctl+0xa5/0xe0 do_syscall_64+0x35/0x80 Entry_SYSCALL_64_after_hwframe+0x44/0xae La direcci\u00f3n con errores pertenece al objeto en ffff88816912f380 que pertenece al cach\u00e9 kmalloc- 96 de tama\u00f1o 96 La direcci\u00f3n del error se encuentra 88 bytes dentro de regi\u00f3n de 96 bytes [ffff88816912f380, ffff88816912f3e0) La direcci\u00f3n con errores pertenece a la p\u00e1gina: p\u00e1gina:000000009a1b4e7c refcount:1 mapcount:0 mapeo:00000000000000000 \u00edndice:0x0f banderas: 0x17ffffc0000200(slab|node= 0|zona=2|\u00faltimopupid=0x1fffff ) sin procesar: 0017ffffc0000200 ffffea00044f1100 muerto000000000002 ffff88810004c780 sin procesar: 0000000000000000 0000000000200020 00000001ffffffff 000000000000 0000 p\u00e1gina volcada porque: kasan: mal acceso detectado Estado de la memoria alrededor de la direcci\u00f3n con 
errores: ffff88816912f280: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ffff88816912f300: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc >ffff88816912f380: fa fb fb fb fb fb fb fb fb fb fb fc fc fc fc ^ ffff88816912f400: fa fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ffff88816912f480: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc =============================== ======================================="
}
],
"metrics": {},
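Review bot: the es value in this hunk drops and rewrites parts of the KASAN report that the en value keeps intact. In the allocation stack, blk_trace_ioctl+0xe9/0x1c0 is reduced to "e9/0x1c0" so the frame loses its function name; in the Code: line the opcode pair "0f 05" becomes "0f 5"; the page flag lastcpupid=0x1fffff is translated as \u00faltimopupid=0x1fffff and the slab poison word dead000000000002 as muerto000000000002; and the shadow-memory rows at ffff88816912f380 and ffff88816912f400 no longer carry the 16 bytes per row shown in the en text. Shadow bytes, poison words and opcode bytes are data, not prose, and a copy that alters them is unusable for comparing against a live report; the en entry is the one to point consumers at.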
@ -2,13 +2,17 @@
"id": "CVE-2022-48914",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-08-22T02:15:05.683",
"lastModified": "2024-08-22T02:15:05.683",
"vulnStatus": "Received",
"lastModified": "2024-08-22T12:48:02.790",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen/netfront: destroy queues before real_num_tx_queues is zeroed\n\nxennet_destroy_queues() relies on info->netdev->real_num_tx_queues to\ndelete queues. Since d7dac083414eb5bb99a6d2ed53dc2c1b405224e5\n(\"net-sysfs: update the queue counts in the unregistration path\"),\nunregister_netdev() indirectly sets real_num_tx_queues to 0. Those two\nfacts together means, that xennet_destroy_queues() called from\nxennet_remove() cannot do its job, because it's called after\nunregister_netdev(). This results in kfree-ing queues that are still\nlinked in napi, which ultimately crashes:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] PREEMPT SMP PTI\n CPU: 1 PID: 52 Comm: xenwatch Tainted: G W 5.16.10-1.32.fc32.qubes.x86_64+ #226\n RIP: 0010:free_netdev+0xa3/0x1a0\n Code: ff 48 89 df e8 2e e9 00 00 48 8b 43 50 48 8b 08 48 8d b8 a0 fe ff ff 48 8d a9 a0 fe ff ff 49 39 c4 75 26 eb 47 e8 ed c1 66 ff <48> 8b 85 60 01 00 00 48 8d 95 60 01 00 00 48 89 ef 48 2d 60 01 00\n RSP: 0000:ffffc90000bcfd00 EFLAGS: 00010286\n RAX: 0000000000000000 RBX: ffff88800edad000 RCX: 0000000000000000\n RDX: 0000000000000001 RSI: ffffc90000bcfc30 RDI: 00000000ffffffff\n RBP: fffffffffffffea0 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000001 R12: ffff88800edad050\n R13: ffff8880065f8f88 R14: 0000000000000000 R15: ffff8880066c6680\n FS: 0000000000000000(0000) GS:ffff8880f3300000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 00000000e998c006 CR4: 00000000003706e0\n Call Trace:\n <TASK>\n xennet_remove+0x13d/0x300 [xen_netfront]\n xenbus_dev_remove+0x6d/0xf0\n __device_release_driver+0x17a/0x240\n device_release_driver+0x24/0x30\n bus_remove_device+0xd8/0x140\n device_del+0x18b/0x410\n ? 
_raw_spin_unlock+0x16/0x30\n ? klist_iter_exit+0x14/0x20\n ? xenbus_dev_request_and_reply+0x80/0x80\n device_unregister+0x13/0x60\n xenbus_dev_changed+0x18e/0x1f0\n xenwatch_thread+0xc0/0x1a0\n ? do_wait_intr_irq+0xa0/0xa0\n kthread+0x16b/0x190\n ? set_kthread_struct+0x40/0x40\n ret_from_fork+0x22/0x30\n </TASK>\n\nFix this by calling xennet_destroy_queues() from xennet_uninit(),\nwhen real_num_tx_queues is still available. This ensures that queues are\ndestroyed when real_num_tx_queues is set to 0, regardless of how\nunregister_netdev() was called.\n\nOriginally reported at\nhttps://github.com/QubesOS/qubes-issues/issues/7257"
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: xen/netfront: destruye colas antes de que real_num_tx_queues se ponga a cero xennet_destroy_queues() se basa en info->netdev->real_num_tx_queues para eliminar colas. Dado que d7dac083414eb5bb99a6d2ed53dc2c1b405224e5 (\"net-sysfs: actualice los recuentos de colas en la ruta de cancelaci\u00f3n de registro\"), unregister_netdev() establece indirectamente real_num_tx_queues en 0. Esos dos hechos juntos significan que xennet_destroy_queues() llamado desde xennet_remove() no puede hacer su trabajo, porque s llamado despu\u00e9s de unregister_netdev(). Esto da como resultado colas kfree-ing que todav\u00eda est\u00e1n vinculadas en napi, lo que finalmente falla: ERROR: desreferencia del puntero NULL del kernel, direcci\u00f3n: 0000000000000000 #PF: acceso de lectura del supervisor en modo kernel #PF: c\u00f3digo_error(0x0000) - PGD de p\u00e1gina no presente 0 P4D 0 Ups: 0000 [#1] PREEMPT SMP PTI CPU: 1 PID: 52 Comm: xenwatch Tainted: GW 5.16.10-1.32.fc32.qubes.x86_64+ #226 RIP: 0010:free_netdev+0xa3/0x1a0 C\u00f3digo: ff 48 89 df e8 2e e9 00 00 48 8b 43 50 48 8b 08 48 8d b8 a0 fe ff ff 48 8d a9 a0 fe ff ff 49 39 c4 75 26 eb 47 e8 ed c1 66 ff <48> 8b 85 60 01 00 0 48 8d 95 60 01 00 00 48 89 ef 48 2d 60 01 00 RSP: 0000:ffffc90000bcfd00 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff88800edad000 RCX: 0000000000000 RDX: 0000000000000001 RSI: ffffc90000bcfc30 RDI: 00000000ffffffff RBP: fffffffffffffea0 R08: 00000000000000000 R09: 00000000000000000 R10: 0000000000000000 R11: 0000000000000001 R12: ffff88800edad050 R13: ffff8880065f8f88 R14: 00000000000000000 R15: ffff8880066c6680 FS: 00000000000000(0000) GS:ffff8880f3300000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: CR3: 00000000e998c006 CR4: 00000000003706e0 Seguimiento de llamadas: xennet_remove+0x13d/0x300 [xen_netfront] xenbus_dev_remove+0x6d/0xf0 __device_release_driver+0x17a/0x240 
device_release_driver+0x24/ 0x30 bus_remove_device+0xd8/0x140 dispositivo_del+0x18b/0x410? _raw_spin_unlock+0x16/0x30? klist_iter_exit+0x14/0x20? xenbus_dev_request_and_reply+0x80/0x80 dispositivo_unregister+0x13/0x60 xenbus_dev_changed+0x18e/0x1f0 xenwatch_thread+0xc0/0x1a0 ? do_wait_intr_irq+0xa0/0xa0 kthread+0x16b/0x190 ? set_kthread_struct+0x40/0x40 ret_from_fork+0x22/0x30 Solucione este problema llamando a xennet_destroy_queues() desde xennet_uninit(), cuando real_num_tx_queues todav\u00eda est\u00e9 disponible. Esto garantiza que las colas se destruyan cuando real_num_tx_queues se establece en 0, independientemente de c\u00f3mo se llam\u00f3 a unregister_netdev(). Reportado originalmente en https://github.com/QubesOS/qubes-issues/issues/7257"
}
],
"metrics": {},
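Review bot: the added "es" description for this record alters symbols inside the oops it quotes, so the translated trace no longer matches what the kernel prints: "Oops:" became "Ups:", device_del and device_unregister became "dispositivo_del" and "dispositivo_unregister", "Tainted: G W" collapsed to "GW", and the register line reads "CR2: CR3: 00000000e998c006" with the CR2 value missing. Suggest carrying the trace and the symbol names through verbatim in the translated value and translating only the surrounding prose, so the Spanish text can still be matched against a real crash log.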
@ -2,13 +2,17 @@
"id": "CVE-2022-48915",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-08-22T02:15:05.747",
"lastModified": "2024-08-22T02:15:05.747",
"vulnStatus": "Received",
"lastModified": "2024-08-22T12:48:02.790",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal: core: Fix TZ_GET_TRIP NULL pointer dereference\n\nDo not call get_trip_hyst() from thermal_genl_cmd_tz_get_trip() if\nthe thermal zone does not define one."
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: Thermal: Core: corrige la desreferencia del puntero TZ_GET_TRIP NULL No llame a get_trip_hyst() desde Thermal_genl_cmd_tz_get_trip() si la zona t\u00e9rmica no define una."
}
],
"metrics": {},
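Review bot: the added "es" description changes the case of a code identifier: the English value names thermal_genl_cmd_tz_get_trip(), while the Spanish value reads "Thermal_genl_cmd_tz_get_trip()" and renders the "thermal: core" subsystem prefix as "Thermal: Core". Function names and subsystem prefixes should be copied verbatim into a translation; as written, a search for the function name will not find the Spanish entry.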
@ -2,13 +2,17 @@
"id": "CVE-2022-48916",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-08-22T02:15:05.797",
"lastModified": "2024-08-22T02:15:05.797",
"vulnStatus": "Received",
"lastModified": "2024-08-22T12:48:02.790",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Fix double list_add when enabling VMD in scalable mode\n\nWhen enabling VMD and IOMMU scalable mode, the following kernel panic\ncall trace/kernel log is shown in Eagle Stream platform (Sapphire Rapids\nCPU) during booting:\n\npci 0000:59:00.5: Adding to iommu group 42\n...\nvmd 0000:59:00.5: PCI host bridge to bus 10000:80\npci 10000:80:01.0: [8086:352a] type 01 class 0x060400\npci 10000:80:01.0: reg 0x10: [mem 0x00000000-0x0001ffff 64bit]\npci 10000:80:01.0: enabling Extended Tags\npci 10000:80:01.0: PME# supported from D0 D3hot D3cold\npci 10000:80:01.0: DMAR: Setup RID2PASID failed\npci 10000:80:01.0: Failed to add to iommu group 42: -16\npci 10000:80:03.0: [8086:352b] type 01 class 0x060400\npci 10000:80:03.0: reg 0x10: [mem 0x00000000-0x0001ffff 64bit]\npci 10000:80:03.0: enabling Extended Tags\npci 10000:80:03.0: PME# supported from D0 D3hot D3cold\n------------[ cut here ]------------\nkernel BUG at lib/list_debug.c:29!\ninvalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 0 PID: 7 Comm: kworker/0:1 Not tainted 5.17.0-rc3+ #7\nHardware name: Lenovo ThinkSystem SR650V3/SB27A86647, BIOS ESE101Y-1.00 01/13/2022\nWorkqueue: events work_for_cpu_fn\nRIP: 0010:__list_add_valid.cold+0x26/0x3f\nCode: 9a 4a ab ff 4c 89 c1 48 c7 c7 40 0c d9 9e e8 b9 b1 fe ff 0f\n 0b 48 89 f2 4c 89 c1 48 89 fe 48 c7 c7 f0 0c d9 9e e8 a2 b1\n fe ff <0f> 0b 48 89 d1 4c 89 c6 4c 89 ca 48 c7 c7 98 0c d9\n 9e e8 8b b1 fe\nRSP: 0000:ff5ad434865b3a40 EFLAGS: 00010246\nRAX: 0000000000000058 RBX: ff4d61160b74b880 RCX: ff4d61255e1fffa8\nRDX: 0000000000000000 RSI: 00000000fffeffff RDI: ffffffff9fd34f20\nRBP: ff4d611d8e245c00 R08: 0000000000000000 R09: ff5ad434865b3888\nR10: ff5ad434865b3880 R11: ff4d61257fdc6fe8 R12: ff4d61160b74b8a0\nR13: ff4d61160b74b8a0 R14: ff4d611d8e245c10 R15: ff4d611d8001ba70\nFS: 0000000000000000(0000) GS:ff4d611d5ea00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 
0000000080050033\nCR2: ff4d611fa1401000 CR3: 0000000aa0210001 CR4: 0000000000771ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n <TASK>\n intel_pasid_alloc_table+0x9c/0x1d0\n dmar_insert_one_dev_info+0x423/0x540\n ? device_to_iommu+0x12d/0x2f0\n intel_iommu_attach_device+0x116/0x290\n __iommu_attach_device+0x1a/0x90\n iommu_group_add_device+0x190/0x2c0\n __iommu_probe_device+0x13e/0x250\n iommu_probe_device+0x24/0x150\n iommu_bus_notifier+0x69/0x90\n blocking_notifier_call_chain+0x5a/0x80\n device_add+0x3db/0x7b0\n ? arch_memremap_can_ram_remap+0x19/0x50\n ? memremap+0x75/0x140\n pci_device_add+0x193/0x1d0\n pci_scan_single_device+0xb9/0xf0\n pci_scan_slot+0x4c/0x110\n pci_scan_child_bus_extend+0x3a/0x290\n vmd_enable_domain.constprop.0+0x63e/0x820\n vmd_probe+0x163/0x190\n local_pci_probe+0x42/0x80\n work_for_cpu_fn+0x13/0x20\n process_one_work+0x1e2/0x3b0\n worker_thread+0x1c4/0x3a0\n ? rescuer_thread+0x370/0x370\n kthread+0xc7/0xf0\n ? 
kthread_complete_and_exit+0x20/0x20\n ret_from_fork+0x1f/0x30\n </TASK>\nModules linked in:\n---[ end trace 0000000000000000 ]---\n...\nKernel panic - not syncing: Fatal exception\nKernel Offset: 0x1ca00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)\n---[ end Kernel panic - not syncing: Fatal exception ]---\n\nThe following 'lspci' output shows devices '10000:80:*' are subdevices of\nthe VMD device 0000:59:00.5:\n\n $ lspci\n ...\n 0000:59:00.5 RAID bus controller: Intel Corporation Volume Management Device NVMe RAID Controller (rev 20)\n ...\n 10000:80:01.0 PCI bridge: Intel Corporation Device 352a (rev 03)\n 10000:80:03.0 PCI bridge: Intel Corporation Device 352b (rev 03)\n 10000:80:05.0 PCI bridge: Intel Corporation Device 352c (rev 03)\n 10000:80:07.0 PCI bridge: Intel Corporation Device 352d (rev 03)\n 10000:81:00.0 Non-Volatile memory controller: Intel Corporation NVMe Datacenter SSD [3DNAND, Beta Rock Controller]\n 10000:82:00\n---truncated---"
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: iommu/vt-d: se corrige el doble list_add al habilitar VMD en modo escalable Al habilitar VMD e IOMMU en modo escalable, se muestra el siguiente registro de kernel/rastreo de llamadas de p\u00e1nico del kernel en la plataforma Eagle Stream (CPU Sapphire Rapids) durante el arranque: pci 0000:59:00.5: Agregar al grupo iommu 42... vmd 0000:59:00.5: Puente de host PCI al bus 10000:80 pci 10000:80:01.0: [8086:352a] tipo 01 clase 0x060400 pci 10000:80:01.0: reg 0x10: [mem 0x00000000-0x0001ffff 64bit] pci 10000:80:01.0: habilitaci\u00f3n de etiquetas extendidas pci 10000:80:01.0: PME# compatible desde D0 D3hot D3cold pci 10 000:80: 01.0: DMAR: La configuraci\u00f3n de RID2PASID fall\u00f3 pci 10000:80:01.0: No se pudo agregar al grupo iommu 42: -16 pci 10000:80:03.0: [8086:352b] tipo 01 clase 0x060400 pci 10000:80:03.0: reg 0x10: [mem 0x00000000-0x0001ffff 64 bits] pci 10000:80:03.0: habilitaci\u00f3n de etiquetas extendidas pci 10000:80:03.0: PME# admitido desde D0 D3hot D3cold ------------[ cortar aqu\u00ed ]--- --------- \u00a1ERROR del kernel en lib/list_debug.c:29! 
c\u00f3digo de operaci\u00f3n no v\u00e1lido: 0000 [#1] PREEMPT SMP NOPTI CPU: 0 PID: 7 Comm: kworker/0:1 Not tainted 5.17.0-rc3+ #7 Nombre del hardware: Lenovo ThinkSystem SR650V3/SB27A86647, BIOS ESE101Y-1.00 01/13/ Cola de trabajo 2022: eventos work_for_cpu_fn RIP: 0010:__list_add_valid.cold+0x26/0x3f C\u00f3digo: 9a 4a ab ff 4c 89 c1 48 c7 c7 40 0c d9 9e e8 b9 b1 fe ff 0f 0b 48 89 f2 4c 89 c1 48 fe 48 c7 c7 f0 0c d9 9e e8 a2 b1 fe ff <0f> 0b 48 89 d1 4c 89 c6 4c 89 ca 48 c7 c7 98 0c d9 9e e8 8b b1 fe RSP: 0000:ff5ad434865b3a40 EFLAGS: 00010246 RAX: 00000000058 RBX: ff4d61160b74b880 RCX: ff4d61255e1fffa8 RDX: 0000000000000000 RSI: 00000000fffeffff RDI: ffffffff9fd34f20 RBP: ff4d611d8e245c00 R08: 0000000000000000 R09: 888 R10: ff5ad434865b3880 R11: ff4d61257fdc6fe8 R12: ff4d61160b74b8a0 R13: ff4d61160b74b8a0 R14: ff4d611d8e245c10 R15: ff4d611d8001ba70 0000000000000000(0000) GS:ff4d611d5ea00000(0000) knlGS :0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ff4d611fa1401000 CR3: 0000000aa0210001 CR4: 0000000000771ef0 DR0: 000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 PKRU: 55555554 Llamar Seguimiento: intel_pasid_alloc_table+0x9c/0x1d0 dmar_insert_one_dev_info+0x423/0x540? device_to_iommu+0x12d/0x2f0 intel_iommu_attach_device+0x116/0x290 __iommu_attach_device+0x1a/0x90 iommu_group_add_device+0x190/0x2c0 __iommu_probe_device+0x13e/0x250 iommu_probe_device+0 x24/0x150 iommu_bus_notifier+0x69/0x90 blocking_notifier_call_chain+0x5a/0x80 device_add+0x3db/0x7b0 ? arch_memremap_can_ram_remap+0x19/0x50? memremap+0x75/0x140 pci_device_add+0x193/0x1d0 pci_scan_single_device+0xb9/0xf0 pci_scan_slot+0x4c/0x110 pci_scan_child_bus_extend+0x3a/0x290 vmd_enable_domain.constprop.0+0x63e/0x 820 vmd_probe+0x163/0x190 local_pci_probe+0x42/0x80 work_for_cpu_fn+0x13/0x20 proceso_one_work +0x1e2/0x3b0 hilo_trabajador+0x1c4/0x3a0 ? hilo_rescate+0x370/0x370 kthread+0xc7/0xf0 ? 
kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x1f/0x30 m\u00f3dulos vinculados en: --- [end rastre 0xffffffff80000000-0xffffffffbffffff) ---[ fin del p\u00e1nico del kernel - no se sincroniza: excepci\u00f3n grave ]--- La siguiente salida 'lspci' muestra que los dispositivos '10000:80:*' son subdispositivos del dispositivo VMD 0000:59:00.5: $ lspci ... 0000:59:00.5 Controlador de bus RAID: Dispositivo de administraci\u00f3n de volumen Intel Corporation Controlador RAID NVMe (rev. 20) ... 10000:80:01.0 Puente PCI: Dispositivo Intel Corporation 352a (rev. 03) 10000:80:03.0 Puente PCI : Dispositivo Intel Corporation 352b (rev 03) 10000:80:05.0 Puente PCI: Dispositivo Intel Corporation 352c (rev 03) 10000:80:07.0 Puente PCI: Dispositivo Intel Corporation 352d (rev 03) 10000:81:00.0 Memoria no vol\u00e1til controlador: Intel Corporation NVMe Datacenter SSD [3DNAND, Beta Rock Controller] 10000:82:00 ---truncado---"
}
],
"metrics": {},
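Review bot: the added "es" description for this record has translated and mangled the call trace rather than quoting it: worker_thread, rescuer_thread and process_one_work appear as "hilo_trabajador", "hilo_rescate" and "proceso_one_work", the PCI address 10000:80:01.0 is split into "10 000:80: 01.0", the BIOS date and the Workqueue line are interleaved ("01/13/ Cola de trabajo 2022: eventos work_for_cpu_fn"), and the "end trace" and "Kernel Offset" lines collapse into "--- [end rastre 0xffffffff80000000-0xffffffffbffffff)". Suggest translating only the prose and carrying the kernel log through unchanged so the Spanish value stays usable for matching against a boot log.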
@ -2,13 +2,17 @@
"id": "CVE-2022-48917",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-08-22T02:15:05.853",
"lastModified": "2024-08-22T02:15:05.853",
"vulnStatus": "Received",
"lastModified": "2024-08-22T12:48:02.790",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: ops: Shift tested values in snd_soc_put_volsw() by +min\n\nWhile the $val/$val2 values passed in from userspace are always >= 0\nintegers, the limits of the control can be signed integers and the $min\ncan be non-zero and less than zero. To correctly validate $val/$val2\nagainst platform_max, add the $min offset to val first."
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ASoC: ops: Shift valores probados en snd_soc_put_volsw() por +min Mientras que los valores $val/$val2 pasados desde el espacio de usuario son siempre >= 0 enteros, los l\u00edmites del control pueden ser n\u00fameros enteros con signo y $min puede ser distinto de cero y menor que cero. Para validar correctamente $val/$val2 contra platform_max, primero agregue el desplazamiento $min a val."
}
],
"metrics": {},
@ -2,13 +2,17 @@
"id": "CVE-2022-48918",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-08-22T02:15:05.920",
"lastModified": "2024-08-22T02:15:05.920",
"vulnStatus": "Received",
"lastModified": "2024-08-22T12:48:02.790",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niwlwifi: mvm: check debugfs_dir ptr before use\n\nWhen \"debugfs=off\" is used on the kernel command line, iwiwifi's\nmvm module uses an invalid/unchecked debugfs_dir pointer and causes\na BUG:\n\n BUG: kernel NULL pointer dereference, address: 000000000000004f\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] PREEMPT SMP\n CPU: 1 PID: 503 Comm: modprobe Tainted: G W 5.17.0-rc5 #7\n Hardware name: Dell Inc. Inspiron 15 5510/076F7Y, BIOS 2.4.1 11/05/2021\n RIP: 0010:iwl_mvm_dbgfs_register+0x692/0x700 [iwlmvm]\n Code: 69 a0 be 80 01 00 00 48 c7 c7 50 73 6a a0 e8 95 cf ee e0 48 8b 83 b0 1e 00 00 48 c7 c2 54 73 6a a0 be 64 00 00 00 48 8d 7d 8c <48> 8b 48 50 e8 15 22 07 e1 48 8b 43 28 48 8d 55 8c 48 c7 c7 5f 73\n RSP: 0018:ffffc90000a0ba68 EFLAGS: 00010246\n RAX: ffffffffffffffff RBX: ffff88817d6e3328 RCX: ffff88817d6e3328\n RDX: ffffffffa06a7354 RSI: 0000000000000064 RDI: ffffc90000a0ba6c\n RBP: ffffc90000a0bae0 R08: ffffffff824e4880 R09: ffffffffa069d620\n R10: ffffc90000a0ba00 R11: ffffffffffffffff R12: 0000000000000000\n R13: ffffc90000a0bb28 R14: ffff88817d6e3328 R15: ffff88817d6e3320\n FS: 00007f64dd92d740(0000) GS:ffff88847f640000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000000000000004f CR3: 000000016fc79001 CR4: 0000000000770ee0\n PKRU: 55555554\n Call Trace:\n <TASK>\n ? iwl_mvm_mac_setup_register+0xbdc/0xda0 [iwlmvm]\n iwl_mvm_start_post_nvm+0x71/0x100 [iwlmvm]\n iwl_op_mode_mvm_start+0xab8/0xb30 [iwlmvm]\n _iwl_op_mode_start+0x6f/0xd0 [iwlwifi]\n iwl_opmode_register+0x6a/0xe0 [iwlwifi]\n ? 0xffffffffa0231000\n iwl_mvm_init+0x35/0x1000 [iwlmvm]\n ? 0xffffffffa0231000\n do_one_initcall+0x5a/0x1b0\n ? kmem_cache_alloc+0x1e5/0x2f0\n ? do_init_module+0x1e/0x220\n do_init_module+0x48/0x220\n load_module+0x2602/0x2bc0\n ? __kernel_read+0x145/0x2e0\n ? 
kernel_read_file+0x229/0x290\n __do_sys_finit_module+0xc5/0x130\n ? __do_sys_finit_module+0xc5/0x130\n __x64_sys_finit_module+0x13/0x20\n do_syscall_64+0x38/0x90\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n RIP: 0033:0x7f64dda564dd\n Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1b 29 0f 00 f7 d8 64 89 01 48\n RSP: 002b:00007ffdba393f88 EFLAGS: 00000246 ORIG_RAX: 0000000000000139\n RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f64dda564dd\n RDX: 0000000000000000 RSI: 00005575399e2ab2 RDI: 0000000000000001\n RBP: 000055753a91c5e0 R08: 0000000000000000 R09: 0000000000000002\n R10: 0000000000000001 R11: 0000000000000246 R12: 00005575399e2ab2\n R13: 000055753a91ceb0 R14: 0000000000000000 R15: 000055753a923018\n </TASK>\n Modules linked in: btintel(+) btmtk bluetooth vfat snd_hda_codec_hdmi fat snd_hda_codec_realtek snd_hda_codec_generic iwlmvm(+) snd_sof_pci_intel_tgl mac80211 snd_sof_intel_hda_common soundwire_intel soundwire_generic_allocation soundwire_cadence soundwire_bus snd_sof_intel_hda snd_sof_pci snd_sof snd_sof_xtensa_dsp snd_soc_hdac_hda snd_hda_ext_core snd_soc_acpi_intel_match snd_soc_acpi snd_soc_core btrfs snd_compress snd_hda_intel snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec raid6_pq iwlwifi snd_hda_core snd_pcm snd_timer snd soundcore cfg80211 intel_ish_ipc(+) thunderbolt rfkill intel_ishtp ucsi_acpi wmi i2c_hid_acpi i2c_hid evdev\n CR2: 000000000000004f\n ---[ end trace 0000000000000000 ]---\n\nCheck the debugfs_dir pointer for an error before using it.\n\n[change to make both conditional]"
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: iwlwifi: mvm: verifique debugfs_dir ptr antes de usarlo Cuando se usa \"debugfs=off\" en la l\u00ednea de comando del kernel, el m\u00f3dulo mvm de iwiwifi usa un puntero debugfs_dir no v\u00e1lido/no verificado y causa un ERROR: ERROR: desreferencia del puntero NULL del kernel, direcci\u00f3n: 000000000000004f #PF: acceso de lectura del supervisor en modo kernel #PF: c\u00f3digo_error(0x0000) - p\u00e1gina no presente PGD 0 P4D 0 Ups: 0000 [#1] PREEMPT SMP CPU: 1 PID: 503 Comunicaci\u00f3n: modprobe Contaminado: GW 5.17.0-rc5 #7 Nombre del hardware: Dell Inc. Inspiron 15 5510/076F7Y, BIOS 2.4.1 05/11/2021 RIP: 0010:iwl_mvm_dbgfs_register+0x692/0x700 [iwlmvm] C\u00f3digo: 69 a0 be 80 01 00 00 48 c7 c7 50 73 6a a0 e8 95 cf ee e0 48 8b 83 b0 1e 00 00 48 c7 c2 54 73 6a a0 be 64 00 00 00 48 8d 7d 8c <48> 8b 48 50 e8 22 07 e1 48 8b 43 28 48 8d 55 8c 48 c7 c7 5f 73 RSP: 0018:ffffc90000a0ba68 EFLAGS: 00010246 RAX: ffffffffffffffff RBX: ffff88817d6e3328 RCX: ffff88817d6e332 8 RDX: fffffffa06a7354 RSI: 0000000000000064 RDI: ffffc90000a0ba6c RBP: ffffc90000a0bae0 R08: ffffffff824e4880 R09: fffffffa069d620 R10 : ffffc90000a0ba00 R11: ffffffffffffffff R12: 0000000000000000 R13: ffffc90000a0bb28 R14: ffff88817d6e3328 R15: ffff88817d6e3320 FS: 00007f64dd92d74 0(0000) GS:ffff88847f640000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000000004f CR3: fc79001 CR4: 0000000000770ee0 PKRU: 55555554 Seguimiento de llamadas: ? iwl_mvm_mac_setup_register+0xbdc/0xda0 [iwlmvm] iwl_mvm_start_post_nvm+0x71/0x100 [iwlmvm] iwl_op_mode_mvm_start+0xab8/0xb30 [iwlmvm] _iwl_op_mode_start+0x6f/0xd0 [iwlwifi] _opmode_register+0x6a/0xe0 [iwlwifi] ? 0xffffffffa0231000 iwl_mvm_init+0x35/0x1000 [iwlmvm]? 0xffffffffa0231000 do_one_initcall+0x5a/0x1b0? kmem_cache_alloc+0x1e5/0x2f0? do_init_module+0x1e/0x220 do_init_module+0x48/0x220 load_module+0x2602/0x2bc0 ? __kernel_read+0x145/0x2e0? 
kernel_read_file+0x229/0x290 __do_sys_finit_module+0xc5/0x130 ? __do_sys_finit_module+0xc5/0x130 __x64_sys_finit_module+0x13/0x20 do_syscall_64+0x38/0x90 Entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f64dda564dd C\u00f3digo: 5b 41 c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1b 29 0f 00 f7 d8 64 89 01 48 RSP:0 0007ffdba393f88 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f64dda564dd RDX: 0000000000000000 RSI: 00005575399e2ab2 RDI: 0000000000000001 RBP: 000055753a91c5e0 R08: 0000000000000000 R09: 0000000000000002 R10: 0000000000000001 R11: 00000000000000246 R12: 00005575399e2ab2 R13: 000055753a91ceb0 R14: 0000000000000000 R15: 000055753a923018 < /TASK> M\u00f3dulos vinculados en: btintel(+) btmtk bluetooth vfat snd_hda_codec_hdmi fat snd_hda_codec_realtek snd_hda_codec_generic iwlmvm(+) snd_sof_pci_intel_tgl mac80211 snd_sof_intel_hda_common soundwire_intel soundwire_generic_allocation soundwire_cade nce soundwire_bus snd_sof_intel_hda snd_sof_pci snd_sof snd_sof_xtensa_dsp snd_soc_hdac_hda snd_hda_ext_core snd_soc_acpi_intel_match snd_soc_acpi snd_soc_core btrfs snd_compress snd_hda_intel tel_dspcfg snd_intel_sdw_acpi snd_hda_codec raid6_pq iwlwifi snd_hda_core snd_pcm snd_timer snd soundcore cfg80211 intel_ish_ipc(+) thunderbolt rfkill intel_ishtp ucsi_acpi wmi i2c_hid_acpi i2c_hid evdev CR2: 000000000000004f ---[ end trace 00000000000000000 ]--- Verifique el puntero debugfs_dir para ver si hay un error antes de usarlo . [cambiar para hacer ambos condicionales]"
}
],
"metrics": {},
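Review bot: the added "es" description drops and alters symbols in the quoted trace: the frame iwl_opmode_register+0x6a/0xe0 appears as "_opmode_register+0x6a/0xe0", entry_SYSCALL_64_after_hwframe is capitalised to "Entry_SYSCALL_64_after_hwframe", "Comm: modprobe" is rendered as "Comunicaci\u00f3n: modprobe", and the CR3 value is truncated to "fc79001". Suggest keeping the trace verbatim in the translated value; only the sentences before and after it need translating.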
@ -2,13 +2,17 @@
"id": "CVE-2022-48919",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-08-22T02:15:05.987",
"lastModified": "2024-08-22T02:15:05.987",
"vulnStatus": "Received",
"lastModified": "2024-08-22T12:48:02.790",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: fix double free race when mount fails in cifs_get_root()\n\nWhen cifs_get_root() fails during cifs_smb3_do_mount() we call\ndeactivate_locked_super() which eventually will call delayed_free() which\nwill free the context.\nIn this situation we should not proceed to enter the out: section in\ncifs_smb3_do_mount() and free the same resources a second time.\n\n[Thu Feb 10 12:59:06 2022] BUG: KASAN: use-after-free in rcu_cblist_dequeue+0x32/0x60\n[Thu Feb 10 12:59:06 2022] Read of size 8 at addr ffff888364f4d110 by task swapper/1/0\n\n[Thu Feb 10 12:59:06 2022] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G OE 5.17.0-rc3+ #4\n[Thu Feb 10 12:59:06 2022] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.0 12/17/2019\n[Thu Feb 10 12:59:06 2022] Call Trace:\n[Thu Feb 10 12:59:06 2022] <IRQ>\n[Thu Feb 10 12:59:06 2022] dump_stack_lvl+0x5d/0x78\n[Thu Feb 10 12:59:06 2022] print_address_description.constprop.0+0x24/0x150\n[Thu Feb 10 12:59:06 2022] ? rcu_cblist_dequeue+0x32/0x60\n[Thu Feb 10 12:59:06 2022] kasan_report.cold+0x7d/0x117\n[Thu Feb 10 12:59:06 2022] ? rcu_cblist_dequeue+0x32/0x60\n[Thu Feb 10 12:59:06 2022] __asan_load8+0x86/0xa0\n[Thu Feb 10 12:59:06 2022] rcu_cblist_dequeue+0x32/0x60\n[Thu Feb 10 12:59:06 2022] rcu_core+0x547/0xca0\n[Thu Feb 10 12:59:06 2022] ? call_rcu+0x3c0/0x3c0\n[Thu Feb 10 12:59:06 2022] ? __this_cpu_preempt_check+0x13/0x20\n[Thu Feb 10 12:59:06 2022] ? 
lock_is_held_type+0xea/0x140\n[Thu Feb 10 12:59:06 2022] rcu_core_si+0xe/0x10\n[Thu Feb 10 12:59:06 2022] __do_softirq+0x1d4/0x67b\n[Thu Feb 10 12:59:06 2022] __irq_exit_rcu+0x100/0x150\n[Thu Feb 10 12:59:06 2022] irq_exit_rcu+0xe/0x30\n[Thu Feb 10 12:59:06 2022] sysvec_hyperv_stimer0+0x9d/0xc0\n...\n[Thu Feb 10 12:59:07 2022] Freed by task 58179:\n[Thu Feb 10 12:59:07 2022] kasan_save_stack+0x26/0x50\n[Thu Feb 10 12:59:07 2022] kasan_set_track+0x25/0x30\n[Thu Feb 10 12:59:07 2022] kasan_set_free_info+0x24/0x40\n[Thu Feb 10 12:59:07 2022] ____kasan_slab_free+0x137/0x170\n[Thu Feb 10 12:59:07 2022] __kasan_slab_free+0x12/0x20\n[Thu Feb 10 12:59:07 2022] slab_free_freelist_hook+0xb3/0x1d0\n[Thu Feb 10 12:59:07 2022] kfree+0xcd/0x520\n[Thu Feb 10 12:59:07 2022] cifs_smb3_do_mount+0x149/0xbe0 [cifs]\n[Thu Feb 10 12:59:07 2022] smb3_get_tree+0x1a0/0x2e0 [cifs]\n[Thu Feb 10 12:59:07 2022] vfs_get_tree+0x52/0x140\n[Thu Feb 10 12:59:07 2022] path_mount+0x635/0x10c0\n[Thu Feb 10 12:59:07 2022] __x64_sys_mount+0x1bf/0x210\n[Thu Feb 10 12:59:07 2022] do_syscall_64+0x5c/0xc0\n[Thu Feb 10 12:59:07 2022] entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n[Thu Feb 10 12:59:07 2022] Last potentially related work creation:\n[Thu Feb 10 12:59:07 2022] kasan_save_stack+0x26/0x50\n[Thu Feb 10 12:59:07 2022] __kasan_record_aux_stack+0xb6/0xc0\n[Thu Feb 10 12:59:07 2022] kasan_record_aux_stack_noalloc+0xb/0x10\n[Thu Feb 10 12:59:07 2022] call_rcu+0x76/0x3c0\n[Thu Feb 10 12:59:07 2022] cifs_umount+0xce/0xe0 [cifs]\n[Thu Feb 10 12:59:07 2022] cifs_kill_sb+0xc8/0xe0 [cifs]\n[Thu Feb 10 12:59:07 2022] deactivate_locked_super+0x5d/0xd0\n[Thu Feb 10 12:59:07 2022] cifs_smb3_do_mount+0xab9/0xbe0 [cifs]\n[Thu Feb 10 12:59:07 2022] smb3_get_tree+0x1a0/0x2e0 [cifs]\n[Thu Feb 10 12:59:07 2022] vfs_get_tree+0x52/0x140\n[Thu Feb 10 12:59:07 2022] path_mount+0x635/0x10c0\n[Thu Feb 10 12:59:07 2022] __x64_sys_mount+0x1bf/0x210\n[Thu Feb 10 12:59:07 2022] do_syscall_64+0x5c/0xc0\n[Thu Feb 10 12:59:07 2022] 
entry_SYSCALL_64_after_hwframe+0x44/0xae"
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: cifs: corrige doble ejecuci\u00f3n libre cuando falla el montaje en cifs_get_root() Cuando cifs_get_root() falla durante cifs_smb3_do_mount() llamamos a deactivate_locked_super() que eventualmente llamar\u00e1 a delay_free() que liberar\u00e1 el contexto. En esta situaci\u00f3n no debemos proceder a ingresar a la secci\u00f3n out: en cifs_smb3_do_mount() y liberar los mismos recursos por segunda vez. [Jueves 10 de febrero 12:59:06 2022] ERROR: KASAN: use-after-free en rcu_cblist_dequeue+0x32/0x60 [Jueves 10 de febrero 12:59:06 2022] Lectura de tama\u00f1o 8 en la direcci\u00f3n ffff888364f4d110 por task swapper/1/ 0 [jueves 10 de febrero 12:59:06 2022] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G OE 5.17.0-rc3+ #4 [jueves 10 de febrero 12:59:06 2022] Nombre del hardware: Microsoft Corporation M\u00e1quina virtual/M\u00e1quina virtual, BIOS Hyper-V UEFI versi\u00f3n v4.0 17/12/2019 [jueves 10 de febrero 12:59:06 2022] Seguimiento de llamadas: [jueves 10 de febrero 12:59:06 2022] [jueves 10 de febrero 12:59:06 2022] dump_stack_lvl+0x5d/0x78 [jueves 10 de febrero 12:59:06 2022] print_address_description.constprop.0+0x24/0x150 [jueves 10 de febrero 12:59:06 2022] ? rcu_cblist_dequeue+0x32/0x60 [jueves 10 de febrero 12:59:06 2022] kasan_report.cold+0x7d/0x117 [jueves 10 de febrero 12:59:06 2022] ? rcu_cblist_dequeue+0x32/0x60 [jueves 10 de febrero 12:59:06 2022] __asan_load8+0x86/0xa0 [jueves 10 de febrero 12:59:06 2022] rcu_cblist_dequeue+0x32/0x60 [jueves 10 de febrero 12:59:06 2022] rcu_core+ 0x547/0xca0 [jueves 10 de febrero 12:59:06 2022]? call_rcu+0x3c0/0x3c0 [jueves 10 de febrero 12:59:06 2022]? __this_cpu_preempt_check+0x13/0x20 [jueves 10 de febrero 12:59:06 2022] ? 
lock_is_held_type+0xea/0x140 [jueves 10 de febrero 12:59:06 2022] rcu_core_si+0xe/0x10 [jueves 10 de febrero 12:59:06 2022] __do_softirq+0x1d4/0x67b [jueves 10 de febrero 12:59:06 2022] salida_rcu+ 0x100/0x150 [jueves 10 de febrero 12:59:06 2022] irq_exit_rcu+0xe/0x30 [jueves 10 de febrero 12:59:06 2022] sysvec_hyperv_stimer0+0x9d/0xc0 ... [jueves 10 de febrero 12:59:07 2022] Liberado por tarea 58179: [jueves 10 de febrero 12:59:07 2022] kasan_save_stack+0x26/0x50 [jueves 10 de febrero 12:59:07 2022] kasan_set_track+0x25/0x30 [jueves 10 de febrero 12:59:07 2022] kasan_set_free_info+0x24 /0x40 [jueves 10 de febrero 12:59:07 2022] ____kasan_slab_free+0x137/0x170 [jueves 10 de febrero 12:59:07 2022] __kasan_slab_free+0x12/0x20 [jueves 10 de febrero 12:59:07 2022] xb3/0x1d0 [Jueves 10 de febrero 12:59:07 2022] kfree+0xcd/0x520 [Jueves 10 de febrero 12:59:07 2022] cifs_smb3_do_mount+0x149/0xbe0 [cifs] [Jueves 10 de febrero 12:59:07 2022] smb3_get_tree+0x1a0/ 0x2e0 [cifs] [jueves 10 de febrero 12:59:07 2022] vfs_get_tree+0x52/0x140 [jueves 10 de febrero 12:59:07 2022] path_mount+0x635/0x10c0 [jueves 10 de febrero 12:59:07 2022] __x64_sys_mount+ 0x1bf /0x210 [jueves 10 de febrero 12:59:07 2022] do_syscall_64+0x5c/0xc0 [jueves 10 de febrero 12:59:07 2022] Entry_SYSCALL_64_after_hwframe+0x44/0xae [jueves 10 de febrero 12:59:07 2022] \u00daltima creaci\u00f3n de trabajo potencialmente relacionado : [jueves 10 de febrero 12:59:07 2022] kasan_save_stack+0x26/0x50 [jueves 10 de febrero 12:59:07 2022] __kasan_record_aux_stack+0xb6/0xc0 [jueves 10 de febrero 12:59:07 2022] kasan_record_aux_stack_noalloc+0 xb/0x10 [ Jueves 10 de febrero 12:59:07 2022] call_rcu+0x76/0x3c0 [Jueves 10 de febrero 12:59:07 2022] cifs_umount+0xce/0xe0 [cifs] [Jueves 10 de febrero 12:59:07 2022] cifs_kill_sb+0xc8/0xe0 [CIFS] [Jue 10 de febrero 12:59:07 2022] Deactivate_Locked_super+0x5d/0xd0 [justo 10 de febrero 12:59:07 2022] CIFS_SMB3_DO_MOUNT+0XAB9/0XBE0 [CIFS] [THU FEB 10 12:59:07 2022] SMB3 
+0x1a0/0x2e0 [cifs] [jueves 10 de febrero 12:59:07 2022] vfs_get_tree+0x52/0x140 [jueves 10 de febrero 12:59:07 2022] path_mount+0x635/0x10c0 [jueves 10 de febrero 12:59:07 2022] __x64_sys_mount+0x1bf/0x210 [jueves 10 de febrero 12:59:07 2022] do_syscall_64+0x5c/0xc0 [jueves 10 de febrero 12:59:07 2022] Entry_SYSCALL_64_after_hwframe+0x44/0xae"
}
],
"metrics": {},
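Review bot: the added "es" description rewrites identifiers in both the prose and the KASAN report: delayed_free() becomes "delay_free()", __irq_exit_rcu+0x100/0x150 becomes "salida_rcu+ 0x100/0x150", deactivate_locked_super and cifs_smb3_do_mount are re-cased to "Deactivate_Locked_super" and "CIFS_SMB3_DO_MOUNT+0XAB9/0XBE0 [CIFS]", the smb3_get_tree frame is split into "SMB3" and "+0x1a0/0x2e0", and the slab_free_freelist_hook frame is reduced to "xb3/0x1d0". Suggest quoting the report unchanged and translating only the explanatory sentences, so the free and use stacks remain matchable against the English value.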
@ -2,13 +2,17 @@
"id": "CVE-2022-48920",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-08-22T02:15:06.080",
"lastModified": "2024-08-22T02:15:06.080",
"vulnStatus": "Received",
"lastModified": "2024-08-22T12:48:02.790",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: get rid of warning on transaction commit when using flushoncommit\n\nWhen using the flushoncommit mount option, during almost every transaction\ncommit we trigger a warning from __writeback_inodes_sb_nr():\n\n $ cat fs/fs-writeback.c:\n (...)\n static void __writeback_inodes_sb_nr(struct super_block *sb, ...\n {\n (...)\n WARN_ON(!rwsem_is_locked(&sb->s_umount));\n (...)\n }\n (...)\n\nThe trace produced in dmesg looks like the following:\n\n [947.473890] WARNING: CPU: 5 PID: 930 at fs/fs-writeback.c:2610 __writeback_inodes_sb_nr+0x7e/0xb3\n [947.481623] Modules linked in: nfsd nls_cp437 cifs asn1_decoder cifs_arc4 fscache cifs_md4 ipmi_ssif\n [947.489571] CPU: 5 PID: 930 Comm: btrfs-transacti Not tainted 95.16.3-srb-asrock-00001-g36437ad63879 #186\n [947.497969] RIP: 0010:__writeback_inodes_sb_nr+0x7e/0xb3\n [947.502097] Code: 24 10 4c 89 44 24 18 c6 (...)\n [947.519760] RSP: 0018:ffffc90000777e10 EFLAGS: 00010246\n [947.523818] RAX: 0000000000000000 RBX: 0000000000963300 RCX: 0000000000000000\n [947.529765] RDX: 0000000000000000 RSI: 000000000000fa51 RDI: ffffc90000777e50\n [947.535740] RBP: ffff888101628a90 R08: ffff888100955800 R09: ffff888100956000\n [947.541701] R10: 0000000000000002 R11: 0000000000000001 R12: ffff888100963488\n [947.547645] R13: ffff888100963000 R14: ffff888112fb7200 R15: ffff888100963460\n [947.553621] FS: 0000000000000000(0000) GS:ffff88841fd40000(0000) knlGS:0000000000000000\n [947.560537] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [947.565122] CR2: 0000000008be50c4 CR3: 000000000220c000 CR4: 00000000001006e0\n [947.571072] Call Trace:\n [947.572354] <TASK>\n [947.573266] btrfs_commit_transaction+0x1f1/0x998\n [947.576785] ? start_transaction+0x3ab/0x44e\n [947.579867] ? schedule_timeout+0x8a/0xdd\n [947.582716] transaction_kthread+0xe9/0x156\n [947.585721] ? 
btrfs_cleanup_transaction.isra.0+0x407/0x407\n [947.590104] kthread+0x131/0x139\n [947.592168] ? set_kthread_struct+0x32/0x32\n [947.595174] ret_from_fork+0x22/0x30\n [947.597561] </TASK>\n [947.598553] ---[ end trace 644721052755541c ]---\n\nThis is because we started using writeback_inodes_sb() to flush delalloc\nwhen committing a transaction (when using -o flushoncommit), in order to\navoid deadlocks with filesystem freeze operations. This change was made\nby commit ce8ea7cc6eb313 (\"btrfs: don't call btrfs_start_delalloc_roots\nin flushoncommit\"). After that change we started producing that warning,\nand every now and then a user reports this since the warning happens too\noften, it spams dmesg/syslog, and a user is unsure if this reflects any\nproblem that might compromise the filesystem's reliability.\n\nWe can not just lock the sb->s_umount semaphore before calling\nwriteback_inodes_sb(), because that would at least deadlock with\nfilesystem freezing, since at fs/super.c:freeze_super() sync_filesystem()\nis called while we are holding that semaphore in write mode, and that can\ntrigger a transaction commit, resulting in a deadlock. It would also\ntrigger the same type of deadlock in the unmount path. Possibly, it could\nalso introduce some other locking dependencies that lockdep would report.\n\nTo fix this call try_to_writeback_inodes_sb() instead of\nwriteback_inodes_sb(), because that will try to read lock sb->s_umount\nand then will only call writeback_inodes_sb() if it was able to lock it.\nThis is fine because the cases where it can't read lock sb->s_umount\nare during a filesystem unmount or during a filesystem freeze - in those\ncases sb->s_umount is write locked and sync_filesystem() is called, which\ncalls writeback_inodes_sb(). 
In other words, in all cases where we can't\ntake a read lock on sb->s_umount, writeback is already being triggered\nelsewhere.\n\nAn alternative would be to call btrfs_start_delalloc_roots() with a\nnumber of pages different from LONG_MAX, for example matching the number\nof delalloc bytes we currently have, in \n---truncated---"
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: btrfs: elimina la advertencia en el commit de transacci\u00f3n cuando se usa fluoncommit Cuando se usa la opci\u00f3n de montaje fluoncommit, durante casi cada commit de transacci\u00f3n activamos una advertencia de __writeback_inodes_sb_nr(): $ cat fs/fs -writeback.c: (...) vac\u00edo est\u00e1tico __writeback_inodes_sb_nr(struct super_block *sb, ... { (...) WARN_ON(!rwsem_is_locked(&sb->s_umount)); (...) } (... ) La traza producida en dmesg se parece a la siguiente: [947.473890] ADVERTENCIA: CPU: 5 PID: 930 en fs/fs-writeback.c:2610 __writeback_inodes_sb_nr+0x7e/0xb3 [947.481623] M\u00f3dulos vinculados en: nfsd nls_cp437 cifs asn1_decoder s_arc4 fscache cifs_md4 ipmi_ssif [947.489571] CPU: 5 PID: 930 Comm: btrfs-transacti No contaminado 95.16.3-srb-asrock-00001-g36437ad63879 #186 [947.497969] RIP: __writeback_inodes_sb_nr +0x7e/0xb3 [947.502097] C\u00f3digo: 24 10 4c 89 44 24 18 c6 (...) [947.519760] RSP: 0018:ffffc90000777e10 EFLAGS: 00010246 [947.523818] RAX: 0000000000000000 RBX: 0000000000963300 X: 0000000000000000 [947.529765] RDX: 0000000000000000 RSI: 000000000000fa51 RDI: ffffc90000777e50 [947.535740] RBP : ffff888101628a90 R08: ffff888100955800 R09: ffff888100956000 [947.541701] R10: 00000000000000002 R11: 0000000000000001 R12: ffff88810096 3488 [947.547645] R13: ffff888100963000 R14: ffff888112fb7200 R15: ffff888100963460 [947.553621] FS: 0000000000000000(0000) GS:ffff88841fd40 000(0000) knlGS:0000000000000000 [947.560537] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [947.565122] CR2: 0000000008be50c4 CR3: 000000000220c000 CR4: 00000000001006e 0 [947.571072] Seguimiento de llamadas: [947.572354] [947.573266] btrfs_commit_transaction+0x1f1/0x998 [947.576785] ? start_transaction+0x3ab/0x44e [947.579867] ? Schedule_timeout+0x8a/0xdd [947.582716] transacci\u00f3n_kthread+0xe9/0x156 [947.585721] ? 
btrfs_cleanup_transaction.isra.0+0x407/0x407 [947.590104] kthread+0x131/0x139 [947.592168] ? set_kthread_struct+0x32/0x32 [947.595174] ret_from_fork+0x22/0x30 [947.597561] [947.598553] ---[ end trace 644721052755541c ]--- Esto se debe a que comenzamos a usar writeback_inodes_sb() para vaciar delalloc cuando cometer una transacci\u00f3n (cuando se usa -o fluoncommit), para evitar interbloqueos con las operaciones de congelaci\u00f3n del sistema de archivos. Este cambio se realiz\u00f3 mediante el commit ce8ea7cc6eb313 (\"btrfs: no llame a btrfs_start_delalloc_roots en flowoncommit\"). Despu\u00e9s de ese cambio, comenzamos a producir esa advertencia y, de vez en cuando, un usuario informa esto ya que la advertencia ocurre con demasiada frecuencia, env\u00eda spam a dmesg/syslog y el usuario no est\u00e1 seguro de si esto refleja alg\u00fan problema que pueda comprometer la confiabilidad del sistema de archivos. No podemos simplemente bloquear el sem\u00e1foro sb->s_umount antes de llamar a writeback_inodes_sb(), porque eso al menos bloquear\u00eda el sistema de archivos, ya que en fs/super.c:freeze_super() se llama a sync_filesystem() mientras mantenemos ese sem\u00e1foro en modo de escritura, y eso puede desencadenar un commit de transacci\u00f3n, lo que resulta en un punto muerto. Tambi\u00e9n desencadenar\u00eda el mismo tipo de punto muerto en la ruta de desmontaje. Posiblemente, tambi\u00e9n podr\u00eda introducir algunas otras dependencias de bloqueo que lockdep informar\u00eda. Para solucionar este problema, llame a try_to_writeback_inodes_sb() en lugar de writeback_inodes_sb(), porque intentar\u00e1 leer el bloqueo sb->s_umount y luego solo llamar\u00e1 a writeback_inodes_sb() si pudo bloquearlo. 
Esto est\u00e1 bien porque los casos en los que no puede leer el bloqueo sb->s_umount son durante un desmontaje del sistema de archivos o durante una congelaci\u00f3n del sistema de archivos; en esos casos, sb->s_umount est\u00e1 bloqueado contra escritura y se llama a sync_filesystem(), que llama a writeback_inodes_sb() . En otras palabras, en todos los casos en los que no podemos adoptar un bloqueo de lectura en sb->s_umount, la reescritura ya se est\u00e1 activando en otro lugar. ---truncado---"
}
],
"metrics": {},
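Review bot: the added "es" description corrupts identifiers and data that the "en" value carries verbatim, and it is truncated earlier. The mount option appears as "fluoncommit" and the quoted commit title as "flowoncommit" (both are "flushoncommit" in the "en" text), register values are split by inserted spaces ("R12: ffff88810096 3488", "GS:ffff88841fd40 000(0000)", "CR4: 00000000001006e 0"), the "RC" of "RCX: 0000000000000000" is lost so the dump reads "X: 0000000000000000", and the "es" text stops at "la reescritura ya se está activando en otro lugar. ---truncado---" where the "en" text still goes on to the btrfs_start_delalloc_roots() alternative. Anything matching on this record (option names, commit ce8ea7cc6eb313, function names) should key on the "en" value; if a translation must be carried, identifiers and hex dumps should be left untranslated. The status flips to "Awaiting Analysis" while "metrics" stays {}, so this update still brings no CVSS data.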
@ -2,13 +2,17 @@
"id": "CVE-2022-48921",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-08-22T02:15:08.197",
"lastModified": "2024-08-22T02:15:08.197",
"vulnStatus": "Received",
"lastModified": "2024-08-22T12:48:02.790",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/fair: Fix fault in reweight_entity\n\nSyzbot found a GPF in reweight_entity. This has been bisected to\ncommit 4ef0c5c6b5ba (\"kernel/sched: Fix sched_fork() access an invalid\nsched_task_group\")\n\nThere\u00a0is a race between sched_post_fork() and setpriority(PRIO_PGRP)\nwithin a thread group that causes a null-ptr-deref\u00a0in\nreweight_entity() in CFS. The scenario is that the main process spawns\nnumber of new threads, which then call setpriority(PRIO_PGRP, 0, -20),\nwait, and exit. For each of the new threads the copy_process() gets\ninvoked, which adds the new task_struct and calls sched_post_fork()\nfor it.\n\nIn the above scenario there is a possibility that\nsetpriority(PRIO_PGRP) and set_one_prio() will be called for a thread\nin the group that is just being created by copy_process(), and for\nwhich the sched_post_fork() has not been executed yet. This will\ntrigger a null pointer dereference in reweight_entity(),\u00a0as it will\ntry to access the run queue pointer, which hasn't been set.\n\nBefore the mentioned change the cfs_rq pointer for the task has been\nset in sched_fork(), which is called much earlier in copy_process(),\nbefore the new task is added to the thread_group. Now it is done in\nthe sched_post_fork(), which is called after that. To fix the issue\nthe remove the update_load param from the update_load param() function\nand call reweight_task() only if the task flag doesn't have the\nTASK_NEW flag set."
},
{
"lang": "es",
"value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: sched/fair: Solucionar falla en reweight_entity Syzbot encontr\u00f3 un GPF en reweight_entity. Esto se ha dividido en dos para el commit 4ef0c5c6b5ba (\"kernel/sched: Fix sched_fork() accede a un sched_task_group no v\u00e1lido\") Hay una ejecuci\u00f3n entre sched_post_fork() y setpriority(PRIO_PGRP) dentro de un grupo de subprocesos que provoca un null-ptr-deref en reweight_entity () en el SFC. El escenario es que el proceso principal genera una cantidad de subprocesos nuevos, que luego llaman a setpriority(PRIO_PGRP, 0, -20), esperan y salen. Para cada uno de los nuevos subprocesos, se invoca copy_process(), lo que agrega la nueva task_struct y llama a sched_post_fork() para ello. En el escenario anterior existe la posibilidad de que se llame a setpriority(PRIO_PGRP) y set_one_prio() para un subproceso en el grupo que acaba de crear copy_process(), y para el cual sched_post_fork() a\u00fan no se ha ejecutado. Esto desencadenar\u00e1 una desreferencia del puntero nulo en reweight_entity(), ya que intentar\u00e1 acceder al puntero de la cola de ejecuci\u00f3n, que no se ha configurado. Antes del cambio mencionado, el puntero cfs_rq para la tarea se configur\u00f3 en sched_fork(), que se llama mucho antes en copy_process(), antes de que la nueva tarea se agregue al thread_group. Ahora se hace en sched_post_fork(), que se llama despu\u00e9s de eso. Para solucionar el problema, elimine el par\u00e1metro update_load de la funci\u00f3n update_load param() y llame a reweight_task() solo si el indicador de tarea no tiene establecido el indicador TASK_NEW."
}
],
"metrics": {},
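Review bot: the "es" value of CVE-2022-48921 changes the meaning of two technical terms that the "en" value states precisely: "This has been bisected to commit 4ef0c5c6b5ba" becomes "Esto se ha dividido en dos para el commit" (split in two), and the scheduler class "CFS" becomes "SFC"; CFS is an identifier and should not be transliterated. The "en" value itself reproduces the upstream wording "the remove the update_load param from the update_load param() function", which is garbled (the only functions the text names are reweight_entity(), reweight_task(), sched_fork(), sched_post_fork(), copy_process() and set_one_prio()), but as an upstream commit message it is correctly carried unchanged in this feed. Status moves to "Awaiting Analysis" with "metrics": {} still empty.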
@ -2,13 +2,17 @@
"id": "CVE-2022-48922",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-08-22T02:15:08.267",
"lastModified": "2024-08-22T02:15:08.267",
"vulnStatus": "Received",
"lastModified": "2024-08-22T12:48:02.790",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: fix oops caused by irqsoff latency tracer\n\nThe trace_hardirqs_{on,off}() require the caller to setup frame pointer\nproperly. This because these two functions use macro 'CALLER_ADDR1' (aka.\n__builtin_return_address(1)) to acquire caller info. If the $fp is used\nfor other purpose, the code generated this macro (as below) could trigger\nmemory access fault.\n\n 0xffffffff8011510e <+80>: ld a1,-16(s0)\n 0xffffffff80115112 <+84>: ld s2,-8(a1) # <-- paging fault here\n\nThe oops message during booting if compiled with 'irqoff' tracer enabled:\n[ 0.039615][ T0] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000f8\n[ 0.041925][ T0] Oops [#1]\n[ 0.042063][ T0] Modules linked in:\n[ 0.042864][ T0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.17.0-rc1-00233-g9a20c48d1ed2 #29\n[ 0.043568][ T0] Hardware name: riscv-virtio,qemu (DT)\n[ 0.044343][ T0] epc : trace_hardirqs_on+0x56/0xe2\n[ 0.044601][ T0] ra : restore_all+0x12/0x6e\n[ 0.044721][ T0] epc : ffffffff80126a5c ra : ffffffff80003b94 sp : ffffffff81403db0\n[ 0.044801][ T0] gp : ffffffff8163acd8 tp : ffffffff81414880 t0 : 0000000000000020\n[ 0.044882][ T0] t1 : 0098968000000000 t2 : 0000000000000000 s0 : ffffffff81403de0\n[ 0.044967][ T0] s1 : 0000000000000000 a0 : 0000000000000001 a1 : 0000000000000100\n[ 0.045046][ T0] a2 : 0000000000000000 a3 : 0000000000000000 a4 : 0000000000000000\n[ 0.045124][ T0] a5 : 0000000000000000 a6 : 0000000000000000 a7 : 0000000054494d45\n[ 0.045210][ T0] s2 : ffffffff80003b94 s3 : ffffffff81a8f1b0 s4 : ffffffff80e27b50\n[ 0.045289][ T0] s5 : ffffffff81414880 s6 : ffffffff8160fa00 s7 : 00000000800120e8\n[ 0.045389][ T0] s8 : 0000000080013100 s9 : 000000000000007f s10: 0000000000000000\n[ 0.045474][ T0] s11: 0000000000000000 t3 : 7fffffffffffffff t4 : 0000000000000000\n[ 0.045548][ T0] t5 : 0000000000000000 t6 : ffffffff814aa368\n[ 0.045620][ T0] status: 0000000200000100 
badaddr: 00000000000000f8 cause: 000000000000000d\n[ 0.046402][ T0] [<ffffffff80003b94>] restore_all+0x12/0x6e\n\nThis because the $fp(aka. $s0) register is not used as frame pointer in the\nassembly entry code.\n\n\tresume_kernel:\n\t\tREG_L s0, TASK_TI_PREEMPT_COUNT(tp)\n\t\tbnez s0, restore_all\n\t\tREG_L s0, TASK_TI_FLAGS(tp)\n andi s0, s0, _TIF_NEED_RESCHED\n beqz s0, restore_all\n call preempt_schedule_irq\n j restore_all\n\nTo fix above issue, here we add one extra level wrapper for function\ntrace_hardirqs_{on,off}() so they can be safely called by low level entry\ncode."
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: riscv: corrige los errores causados por el rastreador de latencia irqsoff trace_hardirqs_{on,off}() requiere que la persona que llama configure el puntero del marco correctamente. Esto se debe a que estas dos funciones utilizan la macro 'CALLER_ADDR1' (tambi\u00e9n conocida como __builtin_return_address(1)) para adquirir informaci\u00f3n de la persona que llama. Si $fp se usa para otro prop\u00f3sito, el c\u00f3digo generado en esta macro (como se muestra a continuaci\u00f3n) podr\u00eda provocar una falla de acceso a la memoria. 0xffffffff8011510e <+80>: ld a1,-16(s0) 0xffffffff80115112 <+84>: ld s2,-8(a1) # <-- error de paginaci\u00f3n aqu\u00ed El mensaje de ups durante el arranque si se compila con el rastreador 'irqoff' habilitado: [ 0.039615][T0] No se puede manejar la desreferencia del puntero NULL del kernel en la direcci\u00f3n virtual 00000000000000f8 [0.041925][T0] Ups [#1] [0.042063][T0] M\u00f3dulos vinculados en: [0.042864][T0] CPU: 0 PID: 0 Comm : swapper/0 No contaminado 5.17.0-rc1-00233-g9a20c48d1ed2 #29 [ 0.043568][ T0] Nombre de hardware: riscv-virtio,qemu (DT) [ 0.044343][ T0] epc : trace_hardirqs_on+0x56/0xe2 [ 0.044601] [T0] ra: restaurar_all+0x12/0x6e [0.044721][T0] epc: ffffffff80126a5c ra: ffffffff80003b94 sp: ffffffff81403db0 [0.044801][T0] gp: ffffffff8163acd8 tp: ffffffff81414880 t0: 0000000000000020 [0.044882][T0] t1: 0098968000000000 t2 : 0000000000000000 s0 : ffffffff81403de0 [ 0.044967][ T0] s1 : 0000000000000000 a0 : 0000000000000001 a1 : 0000000000000100 [ 0.045046][ T0] a2: 0000000000000000 a3: 0000000000000000 a4: 0000000000000000 [0.045124][T0] a5: 00000000000000000 a6: 0000000000000000 a7: 000000 0054494d45 [ 0.045210][ T0] s2 : ffffffff80003b94 s3 : ffffffff81a8f1b0 s4 : ffffffff80e27b50 [ 0.045289][ T0] s5 : ffffffff81414880 s6 : ffffffff8160fa00 s7 : 00800120e8 [ 0.045389][ T0] s8 : 0000000080013100 s9 : 000000000000007f s10: 00000000000000000 [ 
0.045474][ T0 ] s11: 0000000000000000 t3: 7ffffffffffffff t4: 0000000000000000 [0.045548][T0] t5: 0000000000000000 t6: ffffffff814aa368 [0.045620][T0] 0000000200000100 badaddr: 00000000000000f8 causa: 000000000000000d [ 0.046402][ T0] [] restaurar_todo+ 0x12/0x6e Esto porque el $fp(aka. $s0) el registro no se utiliza como puntero de marco en el c\u00f3digo de entrada del ensamblado. resume_kernel: reg_l s0, task_ti_preempt_count (tp) bnez s0, restaure_all reg_l s0, task_ti_flags (tp) andi s0, s0, _tif_need_resched beqz s0, restaure_all call preempt_schedul S_ { on,off}() para que puedan ser llamados de forma segura mediante un c\u00f3digo de entrada de bajo nivel."
}
],
"metrics": {},
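Review bot: the "es" value of CVE-2022-48922 has lost content that the "en" value carries, so it no longer states what the patch does. The bracketed frame "[<ffffffff80003b94>] restore_all+0x12/0x6e" is reduced to "[] restaurar_todo+ 0x12/0x6e" (the angle-bracketed token looks to have been stripped as markup and the symbol translated), "ra : restore_all+0x12/0x6e" becomes "ra: restaurar_all+0x12/0x6e", the register "s7 : 00000000800120e8" is cut to "s7 : 00800120e8", the assembly excerpt is lowercased ("reg_l s0, task_ti_preempt_count (tp)" for "REG_L s0, TASK_TI_PREEMPT_COUNT(tp)"), and the run "call preempt_schedul S_ { on,off}() para que puedan ser llamados" has swallowed "e_irq", "j restore_all" and the whole sentence about adding an extra wrapper around trace_hardirqs_{on,off}(). Any consumer that derives the fix description from this record has to use "en".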
@ -2,13 +2,17 @@
"id": "CVE-2022-48923",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-08-22T02:15:08.377",
"lastModified": "2024-08-22T02:15:08.377",
"vulnStatus": "Received",
"lastModified": "2024-08-22T12:48:02.790",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: prevent copying too big compressed lzo segment\n\nCompressed length can be corrupted to be a lot larger than memory\nwe have allocated for buffer.\nThis will cause memcpy in copy_compressed_segment to write outside\nof allocated memory.\n\nThis mostly results in stuck read syscall but sometimes when using\nbtrfs send can get #GP\n\n kernel: general protection fault, probably for non-canonical address 0x841551d5c1000: 0000 [#1] PREEMPT SMP NOPTI\n kernel: CPU: 17 PID: 264 Comm: kworker/u256:7 Tainted: P OE 5.17.0-rc2-1 #12\n kernel: Workqueue: btrfs-endio btrfs_work_helper [btrfs]\n kernel: RIP: 0010:lzo_decompress_bio (./include/linux/fortify-string.h:225 fs/btrfs/lzo.c:322 fs/btrfs/lzo.c:394) btrfs\n Code starting with the faulting instruction\n ===========================================\n 0:* 48 8b 06 mov (%rsi),%rax <-- trapping instruction\n 3: 48 8d 79 08 lea 0x8(%rcx),%rdi\n 7: 48 83 e7 f8 and $0xfffffffffffffff8,%rdi\n b: 48 89 01 mov %rax,(%rcx)\n e: 44 89 f0 mov %r14d,%eax\n 11: 48 8b 54 06 f8 mov -0x8(%rsi,%rax,1),%rdx\n kernel: RSP: 0018:ffffb110812efd50 EFLAGS: 00010212\n kernel: RAX: 0000000000001000 RBX: 000000009ca264c8 RCX: ffff98996e6d8ff8\n kernel: RDX: 0000000000000064 RSI: 000841551d5c1000 RDI: ffffffff9500435d\n kernel: RBP: ffff989a3be856c0 R08: 0000000000000000 R09: 0000000000000000\n kernel: R10: 0000000000000000 R11: 0000000000001000 R12: ffff98996e6d8000\n kernel: R13: 0000000000000008 R14: 0000000000001000 R15: 000841551d5c1000\n kernel: FS: 0000000000000000(0000) GS:ffff98a09d640000(0000) knlGS:0000000000000000\n kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n kernel: CR2: 00001e9f984d9ea8 CR3: 000000014971a000 CR4: 00000000003506e0\n kernel: Call Trace:\n kernel: <TASK>\n kernel: end_compressed_bio_read (fs/btrfs/compression.c:104 fs/btrfs/compression.c:1363 fs/btrfs/compression.c:323) btrfs\n kernel: end_workqueue_fn 
(fs/btrfs/disk-io.c:1923) btrfs\n kernel: btrfs_work_helper (fs/btrfs/async-thread.c:326) btrfs\n kernel: process_one_work (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:212 ./include/trace/events/workqueue.h:108 kernel/workqueue.c:2312)\n kernel: worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2455)\n kernel: ? process_one_work (kernel/workqueue.c:2397)\n kernel: kthread (kernel/kthread.c:377)\n kernel: ? kthread_complete_and_exit (kernel/kthread.c:332)\n kernel: ret_from_fork (arch/x86/entry/entry_64.S:301)\n kernel: </TASK>"
},
{
"lang": "es",
"value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: btrfs: evita copiar un segmento lzo comprimido demasiado grande. La longitud comprimida puede corromperse y ser mucho mayor que la memoria que hemos asignado para el b\u00fafer. Esto har\u00e1 que memcpy en copy_compressed_segment escriba fuera de la memoria asignada. Esto principalmente da como resultado una llamada al sistema de lectura bloqueada, pero a veces, cuando se usa el env\u00edo btrfs, se puede obtener el kernel #GP: falla de protecci\u00f3n general, probablemente para la direcci\u00f3n no can\u00f3nica 0x841551d5c1000: 0000 [#1] Kernel PREEMPT SMP NOPTI: CPU: 17 PID: 264 Comm: kworker /u256:7 Contaminado: P OE 5.17.0-rc2-1 #12 kernel: Workqueue: btrfs-endio btrfs_work_helper [btrfs] kernel: RIP: 0010:lzo_decompress_bio (./include/linux/fortify-string.h:225 fs /btrfs/lzo.c:322 fs/btrfs/lzo.c:394) C\u00f3digo btrfs que comienza con la instrucci\u00f3n err\u00f3nea ========================== ================== 0:* 48 8b 06 mov (%rsi),%rax <-- instrucci\u00f3n de captura 3: 48 8d 79 08 lea 0x8(%rcx), %rdi 7: 48 83 e7 f8 y $0xffffffffffffffff8,%rdi b: 48 89 01 mov %rax,(%rcx) e: 44 89 f0 mov %r14d,%eax 11: 48 8b 54 06 f8 mov -0x8(% rsi,%rax,1),%rdx kernel: RSP: 0018:ffffb110812efd50 EFLAGS: 00010212 kernel: RAX: 0000000000001000 RBX: 000000009ca264c8 RCX: ffff98996e6d8ff8 kernel: RDX: 0000000064 RSI: 000841551d5c1000 RDI: ffffffff9500435d kernel: RBP: ffff989a3be856c0 R08: 0000000000000000 R09: 0000000000000000 kernel: R10: 0000000000000000 R11: 0000000000001000 R12: ffff98996e6d8000 kernel: R13: 0000000000000008 R14: 00000000000 01000 R15: 000841551d5c1000 kernel: FS: 0000000000000000(0000) GS:ffff98a09d640000(0000) knlGS:00000000000000000 kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 kernel: CR2: 00001e9f984d9ea8 CR3: 000000014971a000 CR4: 00000000003506e0 kernel: Seguimiento de llamadas: kernel: kernel: end_compressed_bio_read (fs/btrfs/compression.c: 104 
fs/btrfs/compression.c:1363 fs /btrfs/compression.c:323) kernel btrfs: end_workqueue_fn (fs/btrfs/disk-io.c:1923) kernel btrfs: btrfs_work_helper (fs/btrfs/async-thread.c:326) kernel btrfs: Process_one_work (./ arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:212 ./include/trace/events/workqueue.h:108 kernel/workqueue.c:2312) kernel: trabajador_thread (. /include/linux/list.h:292 kernel/workqueue.c:2455) kernel:? Process_one_work (kernel/workqueue.c:2397) kernel: kthread (kernel/kthread.c:377) kernel:? kthread_complete_and_exit (kernel/kthread.c:332) kernel: ret_from_fork (arch/x86/entry/entry_64.S:301) kernel: "
}
],
"metrics": {},
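Review bot: the "es" value of CVE-2022-48923 drops the "<TASK>" and "</TASK>" markers of the call trace while keeping their "kernel:" prefixes, which leaves "kernel: kernel: end_compressed_bio_read" and a dangling "kernel: \"" at the end of the string; the same angle-bracket stripping seen in the riscv record. It also truncates "RDX: 0000000000000064" to "RDX: 0000000064", splits "R14: 0000000000001000" into "R14: 00000000000 01000", translates the kernel symbols "process_one_work" and "worker_thread" to "Process_one_work" and "trabajador_thread", and merges the "can get #GP" sentence into the next line so that "kernel: general protection fault" reads "kernel #GP: falla de protección general". If the feed has to carry a translation, only the prose should be translated; the trace is data. The "en" text is the one to index; it states the bug plainly (compressed length larger than the allocated buffer, memcpy in copy_compressed_segment writing out of bounds, reachable via btrfs send).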
@ -2,13 +2,17 @@
"id": "CVE-2022-48924",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-08-22T02:15:08.527",
"lastModified": "2024-08-22T02:15:08.527",
"vulnStatus": "Received",
"lastModified": "2024-08-22T12:48:02.790",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal: int340x: fix memory leak in int3400_notify()\n\nIt is easy to hit the below memory leaks in my TigerLake platform:\n\nunreferenced object 0xffff927c8b91dbc0 (size 32):\n comm \"kworker/0:2\", pid 112, jiffies 4294893323 (age 83.604s)\n hex dump (first 32 bytes):\n 4e 41 4d 45 3d 49 4e 54 33 34 30 30 20 54 68 65 NAME=INT3400 The\n 72 6d 61 6c 00 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5 rmal.kkkkkkkkkk.\n backtrace:\n [<ffffffff9c502c3e>] __kmalloc_track_caller+0x2fe/0x4a0\n [<ffffffff9c7b7c15>] kvasprintf+0x65/0xd0\n [<ffffffff9c7b7d6e>] kasprintf+0x4e/0x70\n [<ffffffffc04cb662>] int3400_notify+0x82/0x120 [int3400_thermal]\n [<ffffffff9c8b7358>] acpi_ev_notify_dispatch+0x54/0x71\n [<ffffffff9c88f1a7>] acpi_os_execute_deferred+0x17/0x30\n [<ffffffff9c2c2c0a>] process_one_work+0x21a/0x3f0\n [<ffffffff9c2c2e2a>] worker_thread+0x4a/0x3b0\n [<ffffffff9c2cb4dd>] kthread+0xfd/0x130\n [<ffffffff9c201c1f>] ret_from_fork+0x1f/0x30\n\nFix it by calling kfree() accordingly."
},
{
"lang": "es",
"value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: t\u00e9rmica: int340x: corrige la p\u00e9rdida de memoria en int3400_notify() Es f\u00e1cil solucionar las siguientes p\u00e9rdidas de memoria en mi plataforma TigerLake: objeto sin referencia 0xffff927c8b91dbc0 (tama\u00f1o 32): comm \"kworker/0 :2\", pid 112, santiam\u00e9n 4294893323 (edad 83.604s) volcado hexadecimal (primeros 32 bytes): 4e 41 4d 45 3d 49 4e 54 33 34 30 30 20 54 68 65 NAME=INT3400 The 72 6d 61 6c 00 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5 rmal.kkkkkkkkkk. seguimiento: [] __kmalloc_track_caller+0x2fe/0x4a0 [] kvasprintf+0x65/0xd0 [] kasprintf+0x4e/0x70 [] notificar+0x82/0x120 [int3400_thermal] [] acpi_ev_notify_dispatch+0x54/0x71 [] acpi_os_execute_deferred+0x17/0x30 [] Process_one_work+0x21a/0x3f0 [] trabajador_thread+0x4a/0x3b0 ffffffff9c2cb4dd>] kthread+0xfd/0x130 [] ret_from_fork+0x1f/0x30 Solucionarlo llamando a kfree() en consecuencia."
}
],
"metrics": {},
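Review bot: the "es" backtrace of CVE-2022-48924 has lost every "[<address>]" token except a dangling "ffffffff9c2cb4dd>]", and the faulting function itself is translated: "int3400_notify+0x82/0x120 [int3400_thermal]" becomes "notificar+0x82/0x120 [int3400_thermal]", so the Spanish text no longer names the function being fixed anywhere except in the title. "jiffies 4294893323" is rendered as "santiamén 4294893323", and "It is easy to hit the below memory leaks" becomes "Es fácil solucionar las siguientes pérdidas" (easy to fix), which inverts the sentence. The "en" value is the only one that identifies the leaking kasprintf() allocation in int3400_notify() and the kfree() fix; index on it.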
@ -2,13 +2,17 @@
"id": "CVE-2022-48925",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-08-22T02:15:08.750",
"lastModified": "2024-08-22T02:15:08.750",
"vulnStatus": "Received",
"lastModified": "2024-08-22T12:48:02.790",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/cma: Do not change route.addr.src_addr outside state checks\n\nIf the state is not idle then resolve_prepare_src() should immediately\nfail and no change to global state should happen. However, it\nunconditionally overwrites the src_addr trying to build a temporary any\naddress.\n\nFor instance if the state is already RDMA_CM_LISTEN then this will corrupt\nthe src_addr and would cause the test in cma_cancel_operation():\n\n if (cma_any_addr(cma_src_addr(id_priv)) && !id_priv->cma_dev)\n\nWhich would manifest as this trace from syzkaller:\n\n BUG: KASAN: use-after-free in __list_add_valid+0x93/0xa0 lib/list_debug.c:26\n Read of size 8 at addr ffff8881546491e0 by task syz-executor.1/32204\n\n CPU: 1 PID: 32204 Comm: syz-executor.1 Not tainted 5.12.0-rc8-syzkaller #0\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\n Call Trace:\n __dump_stack lib/dump_stack.c:79 [inline]\n dump_stack+0x141/0x1d7 lib/dump_stack.c:120\n print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:232\n __kasan_report mm/kasan/report.c:399 [inline]\n kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:416\n __list_add_valid+0x93/0xa0 lib/list_debug.c:26\n __list_add include/linux/list.h:67 [inline]\n list_add_tail include/linux/list.h:100 [inline]\n cma_listen_on_all drivers/infiniband/core/cma.c:2557 [inline]\n rdma_listen+0x787/0xe00 drivers/infiniband/core/cma.c:3751\n ucma_listen+0x16a/0x210 drivers/infiniband/core/ucma.c:1102\n ucma_write+0x259/0x350 drivers/infiniband/core/ucma.c:1732\n vfs_write+0x28e/0xa30 fs/read_write.c:603\n ksys_write+0x1ee/0x250 fs/read_write.c:658\n do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nThis is indicating that an rdma_id_private was destroyed without doing\ncma_cancel_listens().\n\nInstead of trying to re-use the src_addr memory to indirectly create an\nany address 
derived from the dst build one explicitly on the stack and\nbind to that as any other normal flow would do. rdma_bind_addr() will copy\nit over the src_addr once it knows the state is valid.\n\nThis is similar to commit bc0bdc5afaa7 (\"RDMA/cma: Do not change\nroute.addr.src_addr.ss_family\")"
},
{
"lang": "es",
"value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: RDMA/cma: no cambie route.addr.src_addr fuera de las comprobaciones de estado. Si el estado no est\u00e1 inactivo, resolve_prepare_src() deber\u00eda fallar inmediatamente y no deber\u00eda ocurrir ning\u00fan cambio en el estado global. Sin embargo, sobrescribe incondicionalmente src_addr al intentar crear una direcci\u00f3n temporal. Por ejemplo, si el estado ya es RDMA_CM_LISTEN, esto da\u00f1ar\u00e1 src_addr y provocar\u00e1 la prueba en cma_cancel_operation(): if (cma_any_addr(cma_src_addr(id_priv)) && !id_priv->cma_dev) Lo que se manifestar\u00eda como este rastro de syzkaller: ERROR : KASAN: use-after-free en __list_add_valid+0x93/0xa0 lib/list_debug.c:26 Lectura de tama\u00f1o 8 en addr ffff8881546491e0 por tarea syz-executor.1/32204 CPU: 1 PID: 32204 Comm: syz-executor.1 No contaminado 5.12.0-rc8-syzkaller #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Seguimiento de llamadas: __dump_stack lib/dump_stack.c:79 [en l\u00ednea] dump_stack+0x141/0x1d7 lib /dump_stack.c:120 print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:232 __kasan_report mm/kasan/report.c:399 [en l\u00ednea] kasan_report.cold+0x7c/0xd8 mm/kasan/ report.c:416 __list_add_valid+0x93/0xa0 lib/list_debug.c:26 __list_add include/linux/list.h:67 [en l\u00ednea] list_add_tail include/linux/list.h:100 [en l\u00ednea] cma_listen_on_all drivers/infiniband/core/ cma.c:2557 [en l\u00ednea] rdma_listen+0x787/0xe00 controladores/infiniband/core/cma.c:3751 ucma_listen+0x16a/0x210 controladores/infiniband/core/ucma.c:1102 ucma_write+0x259/0x350 controladores/infiniband/core /ucma.c:1732 vfs_write+0x28e/0xa30 fs/read_write.c:603 ksys_write+0x1ee/0x250 fs/read_write.c:658 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 Entry_SYSCALL_64_after_hwframe+0x44/ 0xae Esto indica que un rdma_id_private fue destruido sin realizar cma_cancel_listens(). 
En lugar de intentar reutilizar la memoria src_addr para crear indirectamente cualquier direcci\u00f3n derivada del dst, cree una expl\u00edcitamente en la pila y vinc\u00falela como lo har\u00eda cualquier otro flujo normal. rdma_bind_addr() lo copiar\u00e1 sobre src_addr una vez que sepa que el estado es v\u00e1lido. Esto es similar al commit bc0bdc5afaa7 (\"RDMA/cma: No cambiar route.addr.src_addr.ss_family\")"
}
],
"metrics": {},
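Review bot: the "es" value of CVE-2022-48925 is the most faithful translation in this commit and needs no change: the KASAN report, the file:line references, RDMA_CM_LISTEN, the cma_cancel_operation() condition and the referenced commit bc0bdc5afaa7 all survive intact. The only drift is "ERROR : KASAN" for "BUG: KASAN" and the capitalised "Entry_SYSCALL_64_after_hwframe" (the symbol is entry_SYSCALL_64_after_hwframe), which matters only for anyone grepping the Spanish text for symbol names. As with the other records in this update, the status flips to "Awaiting Analysis" while "metrics" remains {}.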
@ -2,13 +2,17 @@
"id": "CVE-2022-48926",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-08-22T04:15:15.363",
"lastModified": "2024-08-22T04:15:15.363",
"vulnStatus": "Received",
"lastModified": "2024-08-22T12:48:02.790",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: rndis: add spinlock for rndis response list\n\nThere's no lock for rndis response list. It could cause list corruption\nif there're two different list_add at the same time like below.\nIt's better to add in rndis_add_response / rndis_free_response\n/ rndis_get_next_response to prevent any race condition on response list.\n\n[ 361.894299] [1: irq/191-dwc3:16979] list_add corruption.\nnext->prev should be prev (ffffff80651764d0),\nbut was ffffff883dc36f80. (next=ffffff80651764d0).\n\n[ 361.904380] [1: irq/191-dwc3:16979] Call trace:\n[ 361.904391] [1: irq/191-dwc3:16979] __list_add_valid+0x74/0x90\n[ 361.904401] [1: irq/191-dwc3:16979] rndis_msg_parser+0x168/0x8c0\n[ 361.904409] [1: irq/191-dwc3:16979] rndis_command_complete+0x24/0x84\n[ 361.904417] [1: irq/191-dwc3:16979] usb_gadget_giveback_request+0x20/0xe4\n[ 361.904426] [1: irq/191-dwc3:16979] dwc3_gadget_giveback+0x44/0x60\n[ 361.904434] [1: irq/191-dwc3:16979] dwc3_ep0_complete_data+0x1e8/0x3a0\n[ 361.904442] [1: irq/191-dwc3:16979] dwc3_ep0_interrupt+0x29c/0x3dc\n[ 361.904450] [1: irq/191-dwc3:16979] dwc3_process_event_entry+0x78/0x6cc\n[ 361.904457] [1: irq/191-dwc3:16979] dwc3_process_event_buf+0xa0/0x1ec\n[ 361.904465] [1: irq/191-dwc3:16979] dwc3_thread_interrupt+0x34/0x5c"
},
{
"lang": "es",
"value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: usb: gadget: rndis: agregar spinlock para la lista de respuestas de rndis No hay bloqueo para la lista de respuestas de rndis. Podr\u00eda causar corrupci\u00f3n en la lista si hay dos list_add diferentes al mismo tiempo, como se muestra a continuaci\u00f3n. Es mejor agregar rndis_add_response / rndis_free_response / rndis_get_next_response para evitar cualquier condici\u00f3n de ejecuci\u00f3n en la lista de respuestas. [ 361.894299] [1: irq/191-dwc3:16979] list_add corrupci\u00f3n. siguiente->anterior deber\u00eda ser anterior (ffffff80651764d0), pero era ffffff883dc36f80. (siguiente=ffffff80651764d0). [ 361.904380] [1: irq/191-dwc3:16979] Rastreo de llamadas: [ 361.904391] [1: irq/191-dwc3:16979] __list_add_valid+0x74/0x90 [ 361.904401] [1: irq/191-dwc3:16979 ] rndis_msg_parser+0x168/0x8c0 [ 361.904409] [1: irq/191-dwc3:16979] rndis_command_complete+0x24/0x84 [ 361.904417] [1: irq/191-dwc3:16979] misi\u00f3n+0x20/0xe4 [ 361.904426] [1: irq /191-dwc3:16979] dwc3_gadget_giveback+0x44/0x60 [ 361.904434] [1: irq/191-dwc3:16979] dwc3_ep0_complete_data+0x1e8/0x3a0 [ 361.904442] [1: 16979] dwc3_ep0_interrupt+0x29c/0x3dc [ 361.904450] [1: irq/191-dwc3:16979] dwc3_process_event_entry+0x78/0x6cc [ 361.904457] [1: irq/191-dwc3:16979] dwc3_process_event_buf+0xa0/0x1ec [ 361.904465 ] [1: irq/191-dwc3: 16979] dwc3_thread_interrupt+0x34/0x5c"
}
],
"metrics": {},
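Review bot: the Spanish description added in this hunk mangles identifiers from the original log excerpt: usb_gadget_giveback_request+0x20/0xe4 appears as "misi\u00f3n+0x20/0xe4", "list_add corruption" becomes "list_add corrupci\u00f3n", next->prev / prev are rendered as "siguiente->anterior" / "anterior", and one trace entry loses its "irq/191-dwc3:" prefix ("[1: 16979] dwc3_ep0_interrupt"). Function names, struct fields and kernel log lines should stay verbatim in the es value; as it stands, anyone matching on symbol names from the es field will miss this trace.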
@ -2,13 +2,17 @@
"id": "CVE-2022-48927",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-08-22T04:15:15.530",
"lastModified": "2024-08-22T04:15:15.530",
"vulnStatus": "Received",
"lastModified": "2024-08-22T12:48:02.790",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: adc: tsc2046: fix memory corruption by preventing array overflow\n\nOn one side we have indio_dev->num_channels includes all physical channels +\ntimestamp channel. On other side we have an array allocated only for\nphysical channels. So, fix memory corruption by ARRAY_SIZE() instead of\nnum_channels variable.\n\nNote the first case is a cleanup rather than a fix as the software\ntimestamp channel bit in active_scanmask is never set by the IIO core."
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: iio: adc: tsc2046: corrige la corrupci\u00f3n de la memoria evitando el desbordamiento de la matriz. Por un lado tenemos indio_dev->num_channels incluye todos los canales f\u00edsicos + canal de marca de tiempo. Del otro lado tenemos un array asignado s\u00f3lo para canales f\u00edsicos. Por lo tanto, corrija la corrupci\u00f3n de la memoria con ARRAY_SIZE() en lugar de la variable num_channels. Tenga en cuenta que el primer caso es una limpieza en lugar de una soluci\u00f3n, ya que el n\u00facleo IIO nunca establece el bit del canal de marca de tiempo del software en active_scanmask."
}
],
"metrics": {},
@ -2,13 +2,17 @@
"id": "CVE-2022-48928",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-08-22T04:15:15.677",
"lastModified": "2024-08-22T04:15:15.677",
"vulnStatus": "Received",
"lastModified": "2024-08-22T12:48:02.790",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: adc: men_z188_adc: Fix a resource leak in an error handling path\n\nIf iio_device_register() fails, a previous ioremap() is left unbalanced.\n\nUpdate the error handling path and add the missing iounmap() call, as\nalready done in the remove function."
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: iio: adc: men_z188_adc: corrige una fuga de recursos en una ruta de manejo de errores. Si iio_device_register() falla, un ioremap() anterior queda desequilibrado. Actualice la ruta de manejo de errores y agregue la llamada iounmap() que falta, como ya se hizo en la funci\u00f3n de eliminaci\u00f3n."
}
],
"metrics": {},
@ -2,13 +2,17 @@
"id": "CVE-2022-48929",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-08-22T04:15:15.773",
"lastModified": "2024-08-22T04:15:15.773",
"vulnStatus": "Received",
"lastModified": "2024-08-22T12:48:02.790",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix crash due to out of bounds access into reg2btf_ids.\n\nWhen commit e6ac2450d6de (\"bpf: Support bpf program calling kernel function\") added\nkfunc support, it defined reg2btf_ids as a cheap way to translate the verifier\nreg type to the appropriate btf_vmlinux BTF ID, however\ncommit c25b2ae13603 (\"bpf: Replace PTR_TO_XXX_OR_NULL with PTR_TO_XXX | PTR_MAYBE_NULL\")\nmoved the __BPF_REG_TYPE_MAX from the last member of bpf_reg_type enum to after\nthe base register types, and defined other variants using type flag\ncomposition. However, now, the direct usage of reg->type to index into\nreg2btf_ids may no longer fall into __BPF_REG_TYPE_MAX range, and hence lead to\nout of bounds access and kernel crash on dereference of bad pointer."
},
{
"lang": "es",
"value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: bpf: Se corrigi\u00f3 el bloqueo debido al acceso fuera de los l\u00edmites a reg2btf_ids. Cuando el commit e6ac2450d6de (\"bpf: admite la funci\u00f3n del kernel que llama al programa bpf\") agreg\u00f3 soporte para kfunc, defini\u00f3 reg2btf_ids como una forma econ\u00f3mica de traducir el tipo de registro del verificador al ID de BTF btf_vmlinux apropiado; sin embargo, commit c25b2ae13603 (\"bpf: reemplace PTR_TO_XXX_OR_NULL con PTR_TO_XXX | PTR_MAYBE_NULL\") movi\u00f3 __BPF_REG_TYPE_MAX del \u00faltimo miembro de la enumeraci\u00f3n bpf_reg_type a despu\u00e9s de los tipos de registro base y defini\u00f3 otras variantes utilizando la composici\u00f3n de indicadores de tipo. Sin embargo, ahora, el uso directo de reg->type para indexar en reg2btf_ids ya no puede caer en el rango __BPF_REG_TYPE_MAX y, por lo tanto, provocar un acceso fuera de los l\u00edmites y un bloqueo del kernel al desreferenciar un puntero incorrecto."
}
],
"metrics": {},
@ -2,13 +2,17 @@
"id": "CVE-2022-48930",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-08-22T04:15:15.870",
"lastModified": "2024-08-22T04:15:15.870",
"vulnStatus": "Received",
"lastModified": "2024-08-22T12:48:02.790",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/ib_srp: Fix a deadlock\n\nRemove the flush_workqueue(system_long_wq) call since flushing\nsystem_long_wq is deadlock-prone and since that call is redundant with a\npreceding cancel_work_sync()"
},
{
"lang": "es",
"value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: RDMA/ib_srp: corrige un punto muerto Elimine la llamada Flush_workqueue(system_long_wq) ya que vaciar system_long_wq es propenso a interbloqueo y esa llamada es redundante con un cancel_work_sync() anterior."
}
],
"metrics": {},
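Review bot: the es value in this hunk capitalises the function name as "Flush_workqueue(system_long_wq)" where the en value has flush_workqueue(); identifiers in the translated description should match the source text exactly so that the two values refer to the same symbol.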
@ -2,13 +2,17 @@
"id": "CVE-2022-48931",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-08-22T04:15:16.010",
"lastModified": "2024-08-22T04:15:16.010",
"vulnStatus": "Received",
"lastModified": "2024-08-22T12:48:02.790",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nconfigfs: fix a race in configfs_{,un}register_subsystem()\n\nWhen configfs_register_subsystem() or configfs_unregister_subsystem()\nis executing link_group() or unlink_group(),\nit is possible that two processes add or delete list concurrently.\nSome unfortunate interleavings of them can cause kernel panic.\n\nOne of cases is:\nA --> B --> C --> D\nA <-- B <-- C <-- D\n\n delete list_head *B | delete list_head *C\n--------------------------------|-----------------------------------\nconfigfs_unregister_subsystem | configfs_unregister_subsystem\n unlink_group | unlink_group\n unlink_obj | unlink_obj\n list_del_init | list_del_init\n __list_del_entry | __list_del_entry\n __list_del | __list_del\n // next == C |\n next->prev = prev |\n | next->prev = prev\n prev->next = next |\n | // prev == B\n | prev->next = next\n\nFix this by adding mutex when calling link_group() or unlink_group(),\nbut parent configfs_subsystem is NULL when config_item is root.\nSo I create a mutex configfs_subsystem_mutex."
},
{
"lang": "es",
"value": "En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: configfs: arregla una ejecuci\u00f3n en configfs_{,un}register_subsystem() Cuando configfs_register_subsystem() o configfs_unregister_subsystem() est\u00e1 ejecutando link_group() o unlink_group(), es posible que dos procesos agregar o eliminar la lista al mismo tiempo. Algunas intercalaciones desafortunadas de ellos pueden causar p\u00e1nico en el kernel. Uno de los casos es: A --> B --> C --> DA <-- B <-- C <-- D eliminar list_head *B | eliminar list_head *C --------------------------------|------------- ---------------------- configfs_unregister_subsystem | configfs_unregister_subsystem unlink_group | desvincular_grupo desvincular_obj | unlink_obj list_del_init | list_del_init __list_del_entry | __list_del_entry __list_del | __list_del // siguiente == C | siguiente->anterior = anterior | | siguiente->anterior = anterior anterior->siguiente = siguiente | | // anterior == B | prev->next = next Solucione esto agregando mutex al llamar a link_group() o unlink_group(), pero el configfs_subsystem principal es NULL cuando config_item es root. Entonces creo un mutex configfs_subsystem_mutex."
}
],
"metrics": {},
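Review bot: the es value in this hunk rewrites the interleaving diagram's identifiers, translating unlink_group to "desvincular_grupo", unlink_obj to "desvincular_obj" and next->prev / prev->next to "siguiente->anterior" / "anterior->siguiente" while leaving their neighbours in the same columns untranslated; the list sketch also merges "D" and "A" into "DA <-- B", and the separator line is broken into "-------------|------------- ----------------------". The two-process race only makes sense with the original symbol names, so that part of the description should be kept verbatim.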
@ -2,13 +2,17 @@
"id": "CVE-2022-48932",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-08-22T04:15:16.087",
"lastModified": "2024-08-22T04:15:16.087",
"vulnStatus": "Received",
"lastModified": "2024-08-22T12:48:02.790",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: DR, Fix slab-out-of-bounds in mlx5_cmd_dr_create_fte\n\nWhen adding a rule with 32 destinations, we hit the following out-of-band\naccess issue:\n\n BUG: KASAN: slab-out-of-bounds in mlx5_cmd_dr_create_fte+0x18ee/0x1e70\n\nThis patch fixes the issue by both increasing the allocated buffers to\naccommodate for the needed actions and by checking the number of actions\nto prevent this issue when a rule with too many actions is provided."
},
{
"lang": "es",
"value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: net/mlx5: DR, corrigi\u00f3 slab-out-of-bounds en mlx5_cmd_dr_create_fte Al agregar una regla con 32 destinos, encontramos el siguiente problema de acceso fuera de banda: ERROR: KASAN: slab-out-of-bounds en mlx5_cmd_dr_create_fte+0x18ee/0x1e70 Este parche soluciona el problema aumentando los b\u00faferes asignados para acomodar las acciones necesarias y verificando la cantidad de acciones para evitar este problema cuando una regla con demasiadas acciones se proporciona."
}
],
"metrics": {},
@ -2,13 +2,17 @@
"id": "CVE-2022-48933",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-08-22T04:15:16.143",
"lastModified": "2024-08-22T04:15:16.143",
"vulnStatus": "Received",
"lastModified": "2024-08-22T12:48:02.790",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fix memory leak during stateful obj update\n\nstateful objects can be updated from the control plane.\nThe transaction logic allocates a temporary object for this purpose.\n\nThe ->init function was called for this object, so plain kfree() leaks\nresources. We must call ->destroy function of the object.\n\nnft_obj_destroy does this, but it also decrements the module refcount,\nbut the update path doesn't increment it.\n\nTo avoid special-casing the update object release, do module_get for\nthe update case too and release it via nft_obj_destroy()."
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: netfilter: nf_tables: corrige la p\u00e9rdida de memoria durante la actualizaci\u00f3n de objetos con estado. Los objetos con estado se pueden actualizar desde el plano de control. La l\u00f3gica de transacci\u00f3n asigna un objeto temporal para este prop\u00f3sito. La funci\u00f3n ->init fue llamada para este objeto, por lo que kfree() simple pierde recursos. Debemos llamar a la funci\u00f3n ->destruir del objeto. nft_obj_destroy hace esto, pero tambi\u00e9n disminuye el recuento del m\u00f3dulo, pero la ruta de actualizaci\u00f3n no lo incrementa. Para evitar usar may\u00fasculas y min\u00fasculas especiales en la versi\u00f3n del objeto de actualizaci\u00f3n, utilice module_get para el caso de actualizaci\u00f3n tambi\u00e9n y lib\u00e9rela mediante nft_obj_destroy()."
}
],
"metrics": {},
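Review bot: the es value in this hunk translates the ->destroy callback name as "->destruir" and renders "special-casing the update object release" as "usar may\u00fasculas y min\u00fasculas especiales en la versi\u00f3n del objeto de actualizaci\u00f3n" (a literal reading of "casing" and "release"), so the last sentence no longer states what the en value does. Callback names should be left untranslated and that sentence re-rendered from the en text.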
@ -2,13 +2,17 @@
"id": "CVE-2022-48934",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-08-22T04:15:16.357",
"lastModified": "2024-08-22T04:15:16.357",
"vulnStatus": "Received",
"lastModified": "2024-08-22T12:48:02.790",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfp: flower: Fix a potential leak in nfp_tunnel_add_shared_mac()\n\nida_simple_get() returns an id between min (0) and max (NFP_MAX_MAC_INDEX)\ninclusive.\nSo NFP_MAX_MAC_INDEX (0xff) is a valid id.\n\nIn order for the error handling path to work correctly, the 'invalid'\nvalue for 'ida_idx' should not be in the 0..NFP_MAX_MAC_INDEX range,\ninclusive.\n\nSo set it to -1."
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: nfp: flower: corrige una fuga potencial en nfp_tunnel_add_shared_mac() ida_simple_get() devuelve una identificaci\u00f3n entre min (0) y max (NFP_MAX_MAC_INDEX) incluida. Entonces NFP_MAX_MAC_INDEX (0xff) es una identificaci\u00f3n v\u00e1lida. Para que la ruta de manejo de errores funcione correctamente, el valor 'no v\u00e1lido' para 'ida_idx' no debe estar en el rango 0..NFP_MAX_MAC_INDEX, incluida. As\u00ed que config\u00farelo en -1."
}
],
"metrics": {},
@ -2,13 +2,17 @@
"id": "CVE-2022-48935",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-08-22T04:15:16.877",
"lastModified": "2024-08-22T04:15:16.877",
"vulnStatus": "Received",
"lastModified": "2024-08-22T12:48:02.790",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: unregister flowtable hooks on netns exit\n\nUnregister flowtable hooks before they are releases via\nnf_tables_flowtable_destroy() otherwise hook core reports UAF.\n\nBUG: KASAN: use-after-free in nf_hook_entries_grow+0x5a7/0x700 net/netfilter/core.c:142 net/netfilter/core.c:142\nRead of size 4 at addr ffff8880736f7438 by task syz-executor579/3666\n\nCPU: 0 PID: 3666 Comm: syz-executor579 Not tainted 5.16.0-rc5-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n __dump_stack lib/dump_stack.c:88 [inline] lib/dump_stack.c:106\n dump_stack_lvl+0x1dc/0x2d8 lib/dump_stack.c:106 lib/dump_stack.c:106\n print_address_description+0x65/0x380 mm/kasan/report.c:247 mm/kasan/report.c:247\n __kasan_report mm/kasan/report.c:433 [inline]\n __kasan_report mm/kasan/report.c:433 [inline] mm/kasan/report.c:450\n kasan_report+0x19a/0x1f0 mm/kasan/report.c:450 mm/kasan/report.c:450\n nf_hook_entries_grow+0x5a7/0x700 net/netfilter/core.c:142 net/netfilter/core.c:142\n __nf_register_net_hook+0x27e/0x8d0 net/netfilter/core.c:429 net/netfilter/core.c:429\n nf_register_net_hook+0xaa/0x180 net/netfilter/core.c:571 net/netfilter/core.c:571\n nft_register_flowtable_net_hooks+0x3c5/0x730 net/netfilter/nf_tables_api.c:7232 net/netfilter/nf_tables_api.c:7232\n nf_tables_newflowtable+0x2022/0x2cf0 net/netfilter/nf_tables_api.c:7430 net/netfilter/nf_tables_api.c:7430\n nfnetlink_rcv_batch net/netfilter/nfnetlink.c:513 [inline]\n nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:634 [inline]\n nfnetlink_rcv_batch net/netfilter/nfnetlink.c:513 [inline] net/netfilter/nfnetlink.c:652\n nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:634 [inline] net/netfilter/nfnetlink.c:652\n nfnetlink_rcv+0x10e6/0x2550 net/netfilter/nfnetlink.c:652 
net/netfilter/nfnetlink.c:652\n\n__nft_release_hook() calls nft_unregister_flowtable_net_hooks() which\nonly unregisters the hooks, then after RCU grace period, it is\nguaranteed that no packets add new entries to the flowtable (no flow\noffload rules and flowtable hooks are reachable from packet path), so it\nis safe to call nf_flow_table_free() which cleans up the remaining\nentries from the flowtable (both software and hardware) and it unbinds\nthe flow_block."
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: netfilter: nf_tables: anular el registro de los ganchos de la tabla de flujo en la salida de netns. Anular el registro de los ganchos de la tabla de flujo antes de que se publiquen a trav\u00e9s de nf_tables_flowtable_destroy(); de lo contrario, enganche los informes centrales UAF. ERROR: KASAN: use-after-free en nf_hook_entries_grow+0x5a7/0x700 net/netfilter/core.c:142 net/netfilter/core.c:142 Lectura de tama\u00f1o 4 en la direcci\u00f3n ffff8880736f7438 por la tarea syz-executor579/3666 CPU: 0 PID: 3666 Comm: syz-executor579 Not tainted 5.16.0-rc5-syzkaller #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Seguimiento de llamadas: __dump_stack lib/dump_stack.c :88 [en l\u00ednea] __dump_stack lib/dump_stack.c:88 [en l\u00ednea] lib/dump_stack.c:106 dump_stack_lvl+0x1dc/0x2d8 lib/dump_stack.c:106 lib/dump_stack.c:106 print_address_description+0x65/0x380 mm/kasan /report.c:247 mm/kasan/report.c:247 __kasan_report mm/kasan/report.c:433 [en l\u00ednea] __kasan_report mm/kasan/report.c:433 [en l\u00ednea] mm/kasan/report.c:450 kasan_report+0x19a/0x1f0 mm/kasan/report.c:450 mm/kasan/report.c:450 nf_hook_entries_grow+0x5a7/0x700 net/netfilter/core.c:142 net/netfilter/core.c:142 __nf_register_net_hook+0x27e/ 0x8d0 net/netfilter/core.c:429 net/netfilter/core.c:429 nf_register_net_hook+0xaa/0x180 net/netfilter/core.c:571 net/netfilter/core.c:571 nft_register_flowtable_net_hooks+0x3c5/0x730 net/netfilter /nf_tables_api.c:7232 net/netfilter/nf_tables_api.c:7232 nf_tables_newflowtable+0x2022/0x2cf0 net/netfilter/nf_tables_api.c:7430 net/netfilter/nf_tables_api.c:7430 nfnetlink_rcv_batch net/netfilter/nfnetlink .c:513 [en l\u00ednea ] nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:634 [en l\u00ednea] nfnetlink_rcv_batch net/netfilter/nfnetlink.c:513 [en l\u00ednea] net/netfilter/nfnetlink.c:652 nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:634 
[en l\u00ednea] neto /netfilter/nfnetlink.c:652 nfnetlink_rcv+0x10e6/0x2550 net/netfilter/nfnetlink.c:652 net/netfilter/nfnetlink.c:652 __nft_release_hook() llama a nft_unregister_flowtable_net_hooks() que solo cancela el registro de los ganchos, luego, despu\u00e9s del per\u00edodo de gracia de RCU, se garantiza que ning\u00fan paquete agregue nuevas entradas a la tabla de flujo (no se puede acceder a reglas de descarga de flujo ni a enlaces de tabla de flujo desde la ruta del paquete), por lo que es seguro llamar a nf_flow_table_free() que limpia las entradas restantes de la tabla de flujo (tanto de software como de hardware) y desvincula flow_block."
}
],
"metrics": {},
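Review bot: the es value in this hunk corrupts the KASAN call trace it carries: "net/netfilter/nfnetlink.c" becomes "neto /netfilter/nfnetlink.c", several paths acquire spurious spaces ("lib/dump_stack.c :88", "mm/kasan /report.c:247", "__nf_register_net_hook+0x27e/ 0x8d0"), and "otherwise hook core reports UAF" is rendered as "enganche los informes centrales UAF". A trace is evidence, not prose; it should be copied into the es value untranslated and unbroken, or omitted, because a partially altered trace will not match the symbols a triager greps for.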
@ -2,13 +2,17 @@
"id": "CVE-2022-48936",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-08-22T04:15:16.950",
"lastModified": "2024-08-22T04:15:16.950",
"vulnStatus": "Received",
"lastModified": "2024-08-22T12:48:02.790",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngso: do not skip outer ip header in case of ipip and net_failover\n\nWe encounter a tcp drop issue in our cloud environment. Packet GROed in\nhost forwards to a VM virtio_net nic with net_failover enabled. VM acts\nas a IPVS LB with ipip encapsulation. The full path like:\nhost gro -> vm virtio_net rx -> net_failover rx -> ipvs fullnat\n -> ipip encap -> net_failover tx -> virtio_net tx\n\nWhen net_failover transmits a ipip pkt (gso_type = 0x0103, which means\nSKB_GSO_TCPV4, SKB_GSO_DODGY and SKB_GSO_IPXIP4), there is no gso\ndid because it supports TSO and GSO_IPXIP4. But network_header points to\ninner ip header.\n\nCall Trace:\n tcp4_gso_segment ------> return NULL\n inet_gso_segment ------> inner iph, network_header points to\n ipip_gso_segment\n inet_gso_segment ------> outer iph\n skb_mac_gso_segment\n\nAfterwards virtio_net transmits the pkt, only inner ip header is modified.\nAnd the outer one just keeps unchanged. The pkt will be dropped in remote\nhost.\n\nCall Trace:\n inet_gso_segment ------> inner iph, outer iph is skipped\n skb_mac_gso_segment\n __skb_gso_segment\n validate_xmit_skb\n validate_xmit_skb_list\n sch_direct_xmit\n __qdisc_run\n __dev_queue_xmit ------> virtio_net\n dev_hard_start_xmit\n __dev_queue_xmit ------> net_failover\n ip_finish_output2\n ip_output\n iptunnel_xmit\n ip_tunnel_xmit\n ipip_tunnel_xmit ------> ipip\n dev_hard_start_xmit\n __dev_queue_xmit\n ip_finish_output2\n ip_output\n ip_forward\n ip_rcv\n __netif_receive_skb_one_core\n netif_receive_skb_internal\n napi_gro_receive\n receive_buf\n virtnet_poll\n net_rx_action\n\nThe root cause of this issue is specific with the rare combination of\nSKB_GSO_DODGY and a tunnel device that adds an SKB_GSO_ tunnel option.\nSKB_GSO_DODGY is set from external virtio_net. 
We need to reset network\nheader when callbacks.gso_segment() returns NULL.\n\nThis patch also includes ipv6_gso_segment(), considering SIT, etc."
},
{
"lang": "es",
"value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: gso: no omita el encabezado de IP externo en caso de ipip y net_failover. Nos encontramos con un problema de ca\u00edda de TCP en nuestro entorno de nube. El paquete GROed en el host se reenv\u00eda a una NIC virtio_net de VM con net_failover habilitado. VM act\u00faa como IPVS LB con encapsulaci\u00f3n ipip. La ruta completa como: host gro -> vm virtio_net rx -> net_failover rx -> ipvs fullnat -> ipip encap -> net_failover tx -> virtio_net tx Cuando net_failover transmite un paquete ipip (gso_type = 0x0103, que significa SKB_GSO_TCPV4, SKB_GSO_DODGY y SKB_GSO_IPXIP 4 ), no existe gso porque admite TSO y GSO_IPXIP4. Pero network_header apunta al encabezado IP interno. Seguimiento de llamadas: tcp4_gso_segment ------> return NULL inet_gso_segment ------> iph interno, network_header apunta a ipip_gso_segment inet_gso_segment ------> iph externo skb_mac_gso_segment Luego, virtio_net transmite el paquete, solo se muestra el encabezado de IP interno modificado. Y el exterior simplemente se mantiene sin cambios. El paquete se colocar\u00e1 en el host remoto. Seguimiento de llamadas: inet_gso_segment ------> iph interno, se omite el iph externo skb_mac_gso_segment __skb_gso_segment validar_xmit_skb validar_xmit_skb_list sch_direct_xmit __qdisc_run __dev_queue_xmit ------> virtio_net dev_hard_start_xmit __dev_queue_xmit --- ---> net_failover ip_finish_output2 ip_output iptunnel_xmit ip_tunnel_xmit ipip_tunnel_xmit -- ----> ipip dev_hard_start_xmit __dev_queue_xmit ip_finish_output2 ip_output ip_forward ip_rcv __netif_receive_skb_one_core netif_receive_skb_internal napi_gro_receiveceived_buf virtnet_poll net_rx_action La causa ra\u00edz de este problema es espec\u00edfica de la rara combinaci\u00f3n de SKB_GSO_DODGY y un dispositivo de t\u00fanel que agrega una opci\u00f3n de t\u00fanel SKB_GSO_. SKB_GSO_DODGY se configura desde virtio_net externo. 
Necesitamos restablecer el encabezado de la red cuando callbacks.gso_segment() devuelve NULL. Este parche tambi\u00e9n incluye ipv6_gso_segment(), considerando SIT, etc."
}
],
"metrics": {},
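Review bot: the es value in this hunk merges two call-trace entries into "napi_gro_receiveceived_buf" (en: napi_gro_receive followed by receive_buf), translates validate_xmit_skb / validate_xmit_skb_list to "validar_xmit_skb" / "validar_xmit_skb_list", splits the flag name into "SKB_GSO_IPXIP 4", and breaks the annotation arrows ("--- ---> net_failover", "-- ----> ipip"). The two traces are what document the outer-header skip, so function and flag names in the es value should be preserved verbatim from the en value.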
@ -2,13 +2,17 @@
"id": "CVE-2022-48937",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-08-22T04:15:17.137",
"lastModified": "2024-08-22T04:15:17.137",
"vulnStatus": "Received",
"lastModified": "2024-08-22T12:48:02.790",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: add a schedule point in io_add_buffers()\n\nLooping ~65535 times doing kmalloc() calls can trigger soft lockups,\nespecially with DEBUG features (like KASAN).\n\n[ 253.536212] watchdog: BUG: soft lockup - CPU#64 stuck for 26s! [b219417889:12575]\n[ 253.544433] Modules linked in: vfat fat i2c_mux_pca954x i2c_mux spidev cdc_acm xhci_pci xhci_hcd sha3_generic gq(O)\n[ 253.544451] CPU: 64 PID: 12575 Comm: b219417889 Tainted: G S O 5.17.0-smp-DEV #801\n[ 253.544457] RIP: 0010:kernel_text_address (./include/asm-generic/sections.h:192 ./include/linux/kallsyms.h:29 kernel/extable.c:67 kernel/extable.c:98)\n[ 253.544464] Code: 0f 93 c0 48 c7 c1 e0 63 d7 a4 48 39 cb 0f 92 c1 20 c1 0f b6 c1 5b 5d c3 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 53 48 89 fb <48> c7 c0 00 00 80 a0 41 be 01 00 00 00 48 39 c7 72 0c 48 c7 c0 40\n[ 253.544468] RSP: 0018:ffff8882d8baf4c0 EFLAGS: 00000246\n[ 253.544471] RAX: 1ffff1105b175e00 RBX: ffffffffa13ef09a RCX: 00000000a13ef001\n[ 253.544474] RDX: ffffffffa13ef09a RSI: ffff8882d8baf558 RDI: ffffffffa13ef09a\n[ 253.544476] RBP: ffff8882d8baf4d8 R08: ffff8882d8baf5e0 R09: 0000000000000004\n[ 253.544479] R10: ffff8882d8baf5e8 R11: ffffffffa0d59a50 R12: ffff8882eab20380\n[ 253.544481] R13: ffffffffa0d59a50 R14: dffffc0000000000 R15: 1ffff1105b175eb0\n[ 253.544483] FS: 00000000016d3380(0000) GS:ffff88af48c00000(0000) knlGS:0000000000000000\n[ 253.544486] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 253.544488] CR2: 00000000004af0f0 CR3: 00000002eabfa004 CR4: 00000000003706e0\n[ 253.544491] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 253.544492] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 253.544494] Call Trace:\n[ 253.544496] <TASK>\n[ 253.544498] ? 
io_queue_sqe (fs/io_uring.c:7143)\n[ 253.544505] __kernel_text_address (kernel/extable.c:78)\n[ 253.544508] unwind_get_return_address (arch/x86/kernel/unwind_frame.c:19)\n[ 253.544514] arch_stack_walk (arch/x86/kernel/stacktrace.c:27)\n[ 253.544517] ? io_queue_sqe (fs/io_uring.c:7143)\n[ 253.544521] stack_trace_save (kernel/stacktrace.c:123)\n[ 253.544527] ____kasan_kmalloc (mm/kasan/common.c:39 mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:515)\n[ 253.544531] ? ____kasan_kmalloc (mm/kasan/common.c:39 mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:515)\n[ 253.544533] ? __kasan_kmalloc (mm/kasan/common.c:524)\n[ 253.544535] ? kmem_cache_alloc_trace (./include/linux/kasan.h:270 mm/slab.c:3567)\n[ 253.544541] ? io_issue_sqe (fs/io_uring.c:4556 fs/io_uring.c:4589 fs/io_uring.c:6828)\n[ 253.544544] ? __io_queue_sqe (fs/io_uring.c:?)\n[ 253.544551] __kasan_kmalloc (mm/kasan/common.c:524)\n[ 253.544553] kmem_cache_alloc_trace (./include/linux/kasan.h:270 mm/slab.c:3567)\n[ 253.544556] ? io_issue_sqe (fs/io_uring.c:4556 fs/io_uring.c:4589 fs/io_uring.c:6828)\n[ 253.544560] io_issue_sqe (fs/io_uring.c:4556 fs/io_uring.c:4589 fs/io_uring.c:6828)\n[ 253.544564] ? __kasan_slab_alloc (mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:469)\n[ 253.544567] ? __kasan_slab_alloc (mm/kasan/common.c:39 mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:469)\n[ 253.544569] ? kmem_cache_alloc_bulk (mm/slab.h:732 mm/slab.c:3546)\n[ 253.544573] ? __io_alloc_req_refill (fs/io_uring.c:2078)\n[ 253.544578] ? io_submit_sqes (fs/io_uring.c:7441)\n[ 253.544581] ? __se_sys_io_uring_enter (fs/io_uring.c:10154 fs/io_uring.c:10096)\n[ 253.544584] ? __x64_sys_io_uring_enter (fs/io_uring.c:10096)\n[ 253.544587] ? do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)\n[ 253.544590] ? 
entry_SYSCALL_64_after_hwframe (??:?)\n[ 253.544596] __io_queue_sqe (fs/io_uring.c:?)\n[ 253.544600] io_queue_sqe (fs/io_uring.c:7143)\n[ 253.544603] io_submit_sqe (fs/io_uring.c:?)\n[ 253.544608] io_submit_sqes (fs/io_uring.c:?)\n[ 253.544612] __se_sys_io_uring_enter (fs/io_uring.c:10154 fs/io_uri\n---truncated---"
},
{
"lang": "es",
"value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: io_uring: agregue un punto de programaci\u00f3n en io_add_buffers() Realizar bucles ~65535 veces al realizar llamadas kmalloc() puede desencadenar bloqueos suaves, especialmente con funciones DEBUG (como KASAN). [253.536212] perro guardi\u00e1n: ERROR: bloqueo suave - \u00a1CPU#64 bloqueada durante 26 segundos! [b219417889:12575] [253.544433] M\u00f3dulos vinculados en: vfat fat i2c_mux_pca954x i2c_mux spidev cdc_acm xhci_pci xhci_hcd sha3_generic gq(O) [253.544451] CPU: 64 PID: 12575 Comm: 417889 Contaminado: GSO 5.17.0-smp-DEV #801 [ 253.544457] RIP: 0010:kernel_text_address (./include/asm-generic/sections.h:192 ./include/linux/kallsyms.h:29 kernel/extable.c:67 kernel/extable.c:98) [ 253.544464] C\u00f3digo: 0f 93 c0 48 c7 c1 e0 63 d7 a4 48 39 cb 0f 92 c1 20 c1 0f b6 c1 5b 5d c3 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 53 48 89 fb <48> c7 c0 00 00 80 a0 41 be 01 00 00 00 48 39 c7 72 0c 48 c7 c0 40 [ 253.544468] RSP: 0018:ffff8882d8baf4c0 EFLAGS: 00000246 [ 253.544471] RAX: 1ffff1105b1 75e00 RBX: fffffffa13ef09a RCX: 00000000a13ef001 [ 253.544474] RDX: fffffffa13ef09a RSI: ffff8882d8baf558 RDI: fffffffa13ef09a [ 253.544476] RBP: ffff8882d8baf4d8 R08: ffff8882d8baf5e0 R09: 00000000000000004 [ 253.544479] R10: ffff8882d8baf5e8 R11: 0d59a50 R12: ffff8882eab20380 [ 253.544481] R13: fffffffa0d59a50 R14: dffffc0000000000 R15: 1ffff1105b175eb0 [ 253.544483] FS: 00000000016d3380( 0000) GS: ffff88af48c00000(0000) knlGS:00000000000000000 [ 253.544486] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 253.544488] CR2: af0f0 CR3: 00000002eabfa004 CR4: 00000000003706e0 [ 253.544491] DR0: 0000000000000000 DR1: 00000000000000000 DR2: 0000000000000000 253.544 492] DR3 : 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 253.544494] Seguimiento de llamadas: [ 253.544496] [ 253.544498] ? 
io_queue_sqe (fs/io_uring.c:7143) [ 253.544505] __kernel_text_address (kernel/extable.c:78) [ 253.544508] unwind_get_return_address (arch/x86/kernel/unwind_frame.c:19) [ 253.544514] arch_stack_walk (arch/ x86/n\u00facleo /stacktrace.c:27) [253.544517]? io_queue_sqe (fs/io_uring.c:7143) [ 253.544521] stack_trace_save (kernel/stacktrace.c:123) [ 253.544527] ____kasan_kmalloc (mm/kasan/common.c:39 mm/kasan/common.c:45 mm/kasan/ common.c:436 mm/kasan/common.c:515) [ 253.544531] ? ____kasan_kmalloc (mm/kasan/common.c:39 mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:515) [ 253.544533] ? __kasan_kmalloc (mm/kasan/common.c:524) [253.544535]? kmem_cache_alloc_trace (./include/linux/kasan.h:270 mm/slab.c:3567) [ 253.544541] ? io_issue_sqe (fs/io_uring.c:4556 fs/io_uring.c:4589 fs/io_uring.c:6828) [253.544544]? __io_queue_sqe (fs/io_uring.c:?) [ 253.544551] __kasan_kmalloc (mm/kasan/common.c:524) [ 253.544553] kmem_cache_alloc_trace (./include/linux/kasan.h:270 mm/slab.c:3567) [ 253.544556] ? io_issue_sqe (fs/io_uring.c:4556 fs/io_uring.c:4589 fs/io_uring.c:6828) [ 253.544560] io_issue_sqe (fs/io_uring.c:4556 fs/io_uring.c:4589 fs/io_uring.c:6828 ) [253.544564] ? __kasan_slab_alloc (mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:469) [ 253.544567] ? __kasan_slab_alloc (mm/kasan/common.c:39 mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:469) [ 253.544569] ? kmem_cache_alloc_bulk (mm/slab.h:732 mm/slab.c:3546) [ 253.544573] ? __io_alloc_req_refill (fs/io_uring.c:2078) [253.544578]? io_submit_sqes (fs/io_uring.c:7441) [253.544581]? __se_sys_io_uring_enter (fs/io_uring.c:10154 fs/io_uring.c:10096) [253.544584]? __x64_sys_io_uring_enter (fs/io_uring.c:10096) [253.544587]? do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) [253.544590]? entrada_SYSCALL_64_after_hwframe (??:?) [ 253.544596] __io_queue_sqe (fs/io_uring.c:?) [ 253.544600] io_queue_sqe (fs/io_uring.c:7143) [ 253.544603] io_submit_sqe (fs/io_uring.c :?) 
[ 253.544608] io_submit_sqes (fs/io_uring.c:?) [ 253.544612] __se_sys_io_uring_enter (fs/io_uring.c:10154 fs/io_uri ---truncado---"
}
],
"metrics": {},
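Review bot: the added es description translates identifiers inside the quoted soft-lockup report, which breaks symbol search on that field: `entrada_SYSCALL_64_after_hwframe` for `entry_SYSCALL_64_after_hwframe`, `arch/x86/n\u00facleo/stacktrace.c` for `arch/x86/kernel/stacktrace.c`, and `perro guardi\u00e1n` for `watchdog`; the kernel log excerpt should be carried over verbatim rather than machine-translated, with only the surrounding prose localized.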
@ -2,13 +2,17 @@
"id": "CVE-2022-48938",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-08-22T04:15:17.787",
"lastModified": "2024-08-22T04:15:17.787",
"vulnStatus": "Received",
"lastModified": "2024-08-22T12:48:02.790",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nCDC-NCM: avoid overflow in sanity checking\n\nA broken device may give an extreme offset like 0xFFF0\nand a reasonable length for a fragment. In the sanity\ncheck as formulated now, this will create an integer\noverflow, defeating the sanity check. Both offset\nand offset + len need to be checked in such a manner\nthat no overflow can occur.\nAnd those quantities should be unsigned."
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: CDC-NCM: evitar desbordamiento en la comprobaci\u00f3n de cordura Un dispositivo roto puede dar un desplazamiento extremo como 0xFFF0 y una longitud razonable para un fragmento. En la verificaci\u00f3n de cordura tal como est\u00e1 formulada ahora, esto crear\u00e1 un desbordamiento de enteros, anulando la verificaci\u00f3n de cordura. Tanto el desplazamiento como el desplazamiento + len deben comprobarse de tal manera que no pueda producirse un desbordamiento. Y esas cantidades deber\u00edan estar sin firmar."
}
],
"metrics": {},
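Review bot: in the es value, "unsigned" is rendered as "sin firmar" (not digitally signed), whereas the en value means integer types without a sign bit ("sin signo"); since the fix hinges on offset and offset + len being unsigned so the overflow check cannot be defeated, the translation inverts the technical meaning and the last sentence should read "sin signo".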
@ -2,13 +2,17 @@
"id": "CVE-2022-48939",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-08-22T04:15:17.843",
"lastModified": "2024-08-22T04:15:17.843",
"vulnStatus": "Received",
"lastModified": "2024-08-22T12:48:02.790",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Add schedule points in batch ops\n\nsyzbot reported various soft lockups caused by bpf batch operations.\n\n INFO: task kworker/1:1:27 blocked for more than 140 seconds.\n INFO: task hung in rcu_barrier\n\nNothing prevents batch ops to process huge amount of data,\nwe need to add schedule points in them.\n\nNote that maybe_wait_bpf_programs(map) calls from\ngeneric_map_delete_batch() can be factorized by moving\nthe call after the loop.\n\nThis will be done later in -next tree once we get this fix merged,\nunless there is strong opinion doing this optimization sooner."
},
{
"lang": "es",
"value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: bpf: agregar puntos de programaci\u00f3n en operaciones por lotes syzbot inform\u00f3 varios bloqueos suaves causados por operaciones por lotes de bpf. INFORMACI\u00d3N: tarea kworker/1:1:27 bloqueada durante m\u00e1s de 140 segundos. INFORMACI\u00d3N: tarea colgada en rcu_barrier Nada impide que las operaciones por lotes procesen una gran cantidad de datos, necesitamos agregar puntos de programaci\u00f3n en ellas. Tenga en cuenta que las llamadas de Maybe_wait_bpf_programs(map) desde generic_map_delete_batch() se pueden factorizar moviendo la llamada despu\u00e9s del ciclo. Esto se har\u00e1 m\u00e1s adelante en el \u00e1rbol siguiente una vez que combinemos esta soluci\u00f3n, a menos que haya una opini\u00f3n firme sobre realizar esta optimizaci\u00f3n antes."
}
],
"metrics": {},
@ -2,13 +2,17 @@
"id": "CVE-2022-48940",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-08-22T04:15:17.907",
"lastModified": "2024-08-22T04:15:17.907",
"vulnStatus": "Received",
"lastModified": "2024-08-22T12:48:02.790",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix crash due to incorrect copy_map_value\n\nWhen both bpf_spin_lock and bpf_timer are present in a BPF map value,\ncopy_map_value needs to skirt both objects when copying a value into and\nout of the map. However, the current code does not set both s_off and\nt_off in copy_map_value, which leads to a crash when e.g. bpf_spin_lock\nis placed in map value with bpf_timer, as bpf_map_update_elem call will\nbe able to overwrite the other timer object.\n\nWhen the issue is not fixed, an overwriting can produce the following\nsplat:\n\n[root@(none) bpf]# ./test_progs -t timer_crash\n[ 15.930339] bpf_testmod: loading out-of-tree module taints kernel.\n[ 16.037849] ==================================================================\n[ 16.038458] BUG: KASAN: user-memory-access in __pv_queued_spin_lock_slowpath+0x32b/0x520\n[ 16.038944] Write of size 8 at addr 0000000000043ec0 by task test_progs/325\n[ 16.039399]\n[ 16.039514] CPU: 0 PID: 325 Comm: test_progs Tainted: G OE 5.16.0+ #278\n[ 16.039983] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ArchLinux 1.15.0-1 04/01/2014\n[ 16.040485] Call Trace:\n[ 16.040645] <TASK>\n[ 16.040805] dump_stack_lvl+0x59/0x73\n[ 16.041069] ? __pv_queued_spin_lock_slowpath+0x32b/0x520\n[ 16.041427] kasan_report.cold+0x116/0x11b\n[ 16.041673] ? __pv_queued_spin_lock_slowpath+0x32b/0x520\n[ 16.042040] __pv_queued_spin_lock_slowpath+0x32b/0x520\n[ 16.042328] ? memcpy+0x39/0x60\n[ 16.042552] ? pv_hash+0xd0/0xd0\n[ 16.042785] ? lockdep_hardirqs_off+0x95/0xd0\n[ 16.043079] __bpf_spin_lock_irqsave+0xdf/0xf0\n[ 16.043366] ? bpf_get_current_comm+0x50/0x50\n[ 16.043608] ? jhash+0x11a/0x270\n[ 16.043848] bpf_timer_cancel+0x34/0xe0\n[ 16.044119] bpf_prog_c4ea1c0f7449940d_sys_enter+0x7c/0x81\n[ 16.044500] bpf_trampoline_6442477838_0+0x36/0x1000\n[ 16.044836] __x64_sys_nanosleep+0x5/0x140\n[ 16.045119] do_syscall_64+0x59/0x80\n[ 16.045377] ? 
lock_is_held_type+0xe4/0x140\n[ 16.045670] ? irqentry_exit_to_user_mode+0xa/0x40\n[ 16.046001] ? mark_held_locks+0x24/0x90\n[ 16.046287] ? asm_exc_page_fault+0x1e/0x30\n[ 16.046569] ? asm_exc_page_fault+0x8/0x30\n[ 16.046851] ? lockdep_hardirqs_on+0x7e/0x100\n[ 16.047137] entry_SYSCALL_64_after_hwframe+0x44/0xae\n[ 16.047405] RIP: 0033:0x7f9e4831718d\n[ 16.047602] Code: b4 0c 00 0f 05 eb a9 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d b3 6c 0c 00 f7 d8 64 89 01 48\n[ 16.048764] RSP: 002b:00007fff488086b8 EFLAGS: 00000206 ORIG_RAX: 0000000000000023\n[ 16.049275] RAX: ffffffffffffffda RBX: 00007f9e48683740 RCX: 00007f9e4831718d\n[ 16.049747] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007fff488086d0\n[ 16.050225] RBP: 00007fff488086f0 R08: 00007fff488085d7 R09: 00007f9e4cb594a0\n[ 16.050648] R10: 0000000000000000 R11: 0000000000000206 R12: 00007f9e484cde30\n[ 16.051124] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n[ 16.051608] </TASK>\n[ 16.051762] =================================================================="
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bpf: soluciona el fallo debido a copy_map_value incorrecto Cuando tanto bpf_spin_lock como bpf_timer est\u00e1n presentes en un valor de mapa BPF, copy_map_value necesita eludir ambos objetos al copiar un valor dentro y fuera del mapa. Sin embargo, el c\u00f3digo actual no establece s_off y t_off en copy_map_value, lo que provoca un bloqueo cuando, por ejemplo, bpf_spin_lock se coloca en el valor del mapa con bpf_timer, ya que la llamada a bpf_map_update_elem podr\u00e1 sobrescribir el otro objeto de temporizador. Cuando el problema no se soluciona, una sobrescritura puede producir el siguiente s\u00edmbolo: [root@(none) bpf]# ./test_progs -t timer_crash [15.930339] bpf_testmod: cargando el n\u00facleo de contaminaci\u00f3n del m\u00f3dulo fuera del \u00e1rbol. [16.037849] ================================================= =================== [16.038458] ERROR: KASAN: acceso a memoria de usuario en __pv_queued_spin_lock_slowpath+0x32b/0x520 [16.038944] Escritura de tama\u00f1o 8 en la direcci\u00f3n 0000000000043ec0 por tarea test_progs /325 [ 16.039399] [ 16.039514] CPU: 0 PID: 325 Comm: test_progs Contaminado: G OE 5.16.0+ #278 [ 16.039983] Nombre de hardware: PC est\u00e1ndar QEMU (i440FX + PIIX, 1996), BIOS ArchLinux 1.15.0- 1 01/04/2014 [ 16.040485] Seguimiento de llamadas: [ 16.040645] [ 16.040805] dump_stack_lvl+0x59/0x73 [ 16.041069] ? __pv_queued_spin_lock_slowpath+0x32b/0x520 [ 16.041427] kasan_report.cold+0x116/0x11b [ 16.041673] ? __pv_queued_spin_lock_slowpath+0x32b/0x520 [16.042040] __pv_queued_spin_lock_slowpath+0x32b/0x520 [16.042328] ? memcpy+0x39/0x60 [16.042552]? pv_hash+0xd0/0xd0 [16.042785]? lockdep_hardirqs_off+0x95/0xd0 [ 16.043079] __bpf_spin_lock_irqsave+0xdf/0xf0 [ 16.043366] ? bpf_get_current_comm+0x50/0x50 [16.043608]? 
jhash+0x11a/0x270 [ 16.043848] bpf_timer_cancel+0x34/0xe0 [ 16.044119] bpf_prog_c4ea1c0f7449940d_sys_enter+0x7c/0x81 [ 16.044500] 7838_0+0x36/0x1000 [ 16.044836] __x64_sys_nanosleep+0x5/0x140 [ 16.045119] do_syscall_64+0x59/0x80 [ 16.045377] ? lock_is_held_type+0xe4/0x140 [16.045670]? irqentry_exit_to_user_mode+0xa/0x40 [16.046001]? mark_held_locks+0x24/0x90 [16.046287]? asm_exc_page_fault+0x1e/0x30 [16.046569]? asm_exc_page_fault+0x8/0x30 [16.046851]? lockdep_hardirqs_on+0x7e/0x100 [16.047137] Entry_SYSCALL_64_after_hwframe+0x44/0xae [16.047405] RIP: 0033:0x7f9e4831718d [16.047602] C\u00f3digo: b4 0c 00 0f 05 eb a9 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d b3 6c 0c 00 f7 d8 64 89 01 48 [ 16.048764] : 002b:00007fff488086b8 EFLAGS: 00000206 ORIG_RAX: 0000000000000023 [ 16.049275] RAX: ffffffffffffffda RBX: 00007f9e48683740 RCX: 00007f9e4831718d [ 16.049747] RDX: 000000000000 RSI: 0000000000000000 RDI: 00007fff488086d0 [ 16.050225] RBP: 00007fff488086f0 R08: 00007fff488085d7 R09: 00007f9e4cb594a0 [ 16.050648] R10: 0000000000000000 R11: 0000000000000206 R12: 00007f9e484cde30 [ 16.051124] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 16.051608 ] [ 16.051762] ========================= ============================================"
}
],
"metrics": {},
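Review bot: the es description damages the quoted KASAN splat: `bpf_trampoline_6442477838_0+0x36/0x1000` survives only as `7838_0+0x36/0x1000`, `entry_SYSCALL_64_after_hwframe` is capitalised to `Entry_SYSCALL_64_after_hwframe`, the `RSP:` label is dropped in front of `002b:00007fff488086b8`, and `RDX: 0000000000000000` is shortened to `RDX: 000000000000`; a log excerpt in a translated description should be copied byte-for-byte from the en value so that symbol names and register values stay searchable.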
@ -2,13 +2,17 @@
"id": "CVE-2022-48941",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-08-22T04:15:17.967",
"lastModified": "2024-08-22T04:15:17.967",
"vulnStatus": "Received",
"lastModified": "2024-08-22T12:48:02.790",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix concurrent reset and removal of VFs\n\nCommit c503e63200c6 (\"ice: Stop processing VF messages during teardown\")\nintroduced a driver state flag, ICE_VF_DEINIT_IN_PROGRESS, which is\nintended to prevent some issues with concurrently handling messages from\nVFs while tearing down the VFs.\n\nThis change was motivated by crashes caused while tearing down and\nbringing up VFs in rapid succession.\n\nIt turns out that the fix actually introduces issues with the VF driver\ncaused because the PF no longer responds to any messages sent by the VF\nduring its .remove routine. This results in the VF potentially removing\nits DMA memory before the PF has shut down the device queues.\n\nAdditionally, the fix doesn't actually resolve concurrency issues within\nthe ice driver. It is possible for a VF to initiate a reset just prior\nto the ice driver removing VFs. This can result in the remove task\nconcurrently operating while the VF is being reset. This results in\nsimilar memory corruption and panics purportedly fixed by that commit.\n\nFix this concurrency at its root by protecting both the reset and\nremoval flows using the existing VF cfg_lock. This ensures that we\ncannot remove the VF while any outstanding critical tasks such as a\nvirtchnl message or a reset are occurring.\n\nThis locking change also fixes the root cause originally fixed by commit\nc503e63200c6 (\"ice: Stop processing VF messages during teardown\"), so we\ncan simply revert it.\n\nNote that I kept these two changes together because simply reverting the\noriginal commit alone would leave the driver vulnerable to worse race\nconditions."
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ice: corrige el restablecimiento y la eliminaci\u00f3n simult\u00e1neos de VF. El commit c503e63200c6 (\"ice: deja de procesar mensajes VF durante el desmontaje\") introdujo un indicador de estado del controlador, ICE_VF_DEINIT_IN_PROGRESS, cuyo objetivo es evitar algunos problemas con el manejo simult\u00e1neo de mensajes de VF mientras se derriban los VF. Este cambio fue motivado por accidentes causados al derribar y levantar VF en r\u00e1pida sucesi\u00f3n. Resulta que la soluci\u00f3n en realidad introduce problemas con el controlador VF causados porque el PF ya no responde a ning\u00fan mensaje enviado por el VF durante su rutina .remove. Esto da como resultado que el VF elimine potencialmente su memoria DMA antes de que el PF haya cerrado las colas de dispositivos. Adem\u00e1s, la soluci\u00f3n en realidad no resuelve los problemas de concurrencia dentro del controlador Ice. Es posible que un VF inicie un reinicio justo antes de que el conductor de hielo elimine los VF. Esto puede provocar que la tarea de eliminaci\u00f3n funcione simult\u00e1neamente mientras se restablece el VF. Esto da como resultado una corrupci\u00f3n de memoria similar y p\u00e1nicos supuestamente solucionados por esa confirmaci\u00f3n. Corrija esta simultaneidad desde la ra\u00edz protegiendo los flujos de reinicio y eliminaci\u00f3n utilizando el VF cfg_lock existente. Esto garantiza que no podamos eliminar el VF mientras se est\u00e9n realizando tareas cr\u00edticas pendientes, como un mensaje virtchnl o un reinicio. Este cambio de bloqueo tambi\u00e9n soluciona la causa ra\u00edz solucionada originalmente mediante el commit c503e63200c6 (\"ice: Detener el procesamiento de mensajes VF durante el desmontaje\"), por lo que simplemente podemos revertirlo. 
Tenga en cuenta que mantuve estos dos cambios juntos porque simplemente revertir el compromiso original dejar\u00eda al conductor vulnerable a peores condiciones de ejecuci\u00f3n."
}
],
"metrics": {},
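Review bot: the es value translates the driver name, giving "controlador Ice" and "el conductor de hielo" for the `ice` driver, and renders "commit" three different ways ("commit", "confirmaci\u00f3n", "compromiso") for the same c503e63200c6 reference; driver and subsystem names are identifiers and should stay as `ice`, and the commit wording should be consistent so the revert being described can be followed.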
@ -2,13 +2,17 @@
"id": "CVE-2022-48942",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-08-22T04:15:18.953",
"lastModified": "2024-08-22T04:15:18.953",
"vulnStatus": "Received",
"lastModified": "2024-08-22T12:48:02.790",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: Handle failure to register sensor with thermal zone correctly\n\nIf an attempt is made to a sensor with a thermal zone and it fails,\nthe call to devm_thermal_zone_of_sensor_register() may return -ENODEV.\nThis may result in crashes similar to the following.\n\nUnable to handle kernel NULL pointer dereference at virtual address 00000000000003cd\n...\nInternal error: Oops: 96000021 [#1] PREEMPT SMP\n...\npstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : mutex_lock+0x18/0x60\nlr : thermal_zone_device_update+0x40/0x2e0\nsp : ffff800014c4fc60\nx29: ffff800014c4fc60 x28: ffff365ee3f6e000 x27: ffffdde218426790\nx26: ffff365ee3f6e000 x25: 0000000000000000 x24: ffff365ee3f6e000\nx23: ffffdde218426870 x22: ffff365ee3f6e000 x21: 00000000000003cd\nx20: ffff365ee8bf3308 x19: ffffffffffffffed x18: 0000000000000000\nx17: ffffdde21842689c x16: ffffdde1cb7a0b7c x15: 0000000000000040\nx14: ffffdde21a4889a0 x13: 0000000000000228 x12: 0000000000000000\nx11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000\nx8 : 0000000001120000 x7 : 0000000000000001 x6 : 0000000000000000\nx5 : 0068000878e20f07 x4 : 0000000000000000 x3 : 00000000000003cd\nx2 : ffff365ee3f6e000 x1 : 0000000000000000 x0 : 00000000000003cd\nCall trace:\n mutex_lock+0x18/0x60\n hwmon_notify_event+0xfc/0x110\n 0xffffdde1cb7a0a90\n 0xffffdde1cb7a0b7c\n irq_thread_fn+0x2c/0xa0\n irq_thread+0x134/0x240\n kthread+0x178/0x190\n ret_from_fork+0x10/0x20\nCode: d503201f d503201f d2800001 aa0103e4 (c8e47c02)\n\nJon Hunter reports that the exact call sequence is:\n\nhwmon_notify_event()\n --> hwmon_thermal_notify()\n --> thermal_zone_device_update()\n --> update_temperature()\n --> mutex_lock()\n\nThe hwmon core needs to handle all errors returned from calls\nto devm_thermal_zone_of_sensor_register(). 
If the call fails\nwith -ENODEV, report that the sensor was not attached to a\nthermal zone but continue to register the hwmon device."
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: hwmon: Maneja la falla al registrar correctamente el sensor con zona t\u00e9rmica. Si se intenta acceder a un sensor con zona t\u00e9rmica y falla, la llamada a devm_thermal_zone_of_sensor_register() puede devolver -ENODEV. Esto puede provocar fallos similares a los siguientes. No se puede manejar la desreferencia del puntero NULL del kernel en la direcci\u00f3n virtual 00000000000003cd... Error interno: Ups: 96000021 [#1] PREEMPT SMP... pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc: mutex_lock+0x18/0x60 lr: Thermal_zone_device_update+0x40/0x2e0 sp: ffff800014c4fc60 x29: ffff800014c4fc60 x28: ffff365ee3f6e000 x27: ffffdde218426790 x26: f6e000 x25: 0000000000000000 x24: ffff365ee3f6e000 x23: ffffdde218426870 x22: ffff365ee3f6e000 x21: 00000000000003cd x20: ffff365ee8bf3308 ffffffffffffffff x18: 0000000000000000 x17: ffffdde21842689c x16: ffffdde1cb7a0b7c x15: 0000000000000040 x14: ffffdde21a4889a0 x13: 0000000000000228 x12: 00000000000000 x11: 0000000000000000 x10: 0000000000000000 x9: 0000000000000000 x8: 0000000001120000 x7: 0000000000000001 x6: 0000 000000000000 x5: 0068000878e20f07 x4: 0000000000000000 x3: 00000000000003cd x2: ffff365ee3f6e000 x1: 0000000000000000 x0: 00000000000003cd Rastreo de llamadas: mutex_lock+0x18/0x60 hwmon_notify_event+0xfc/0x110 0xffffdde1cb7a0a90 0xffffdde1cb7a0b7c thread_fn+0x2c/0xa0 irq_thread+0x134/0x240 kthread+0x178/0x190 ret_from_fork+0x10/0x20 C\u00f3digo: d503201f d503201f d2800001 aa0103e4 (c8e47c02 ) Jon Hunter informa que la secuencia de llamada exacta es: hwmon_notify_event() --> hwmon_thermal_notify() --> Thermal_zone_device_update() --> update_temperature() --> mutex_lock() El n\u00facleo de hwmon necesita manejar todos los errores devueltos por las llamadas a devm_thermal_zone_of_sensor_register(). 
Si la llamada falla con -ENODEV, informe que el sensor no estaba conectado a una zona t\u00e9rmica pero contin\u00fae registrando el dispositivo hwmon."
}
],
"metrics": {},
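Review bot: in the es value the oops loses its symbols and register values: `thermal_zone_device_update` becomes `Thermal_zone_device_update` in both the `lr` line and the call sequence, `irq_thread_fn+0x2c/0xa0` becomes `thread_fn+0x2c/0xa0`, `x26: ffff365ee3f6e000` becomes `x26: f6e000`, and `x19: ffffffffffffffed` appears as `ffffffffffffffff` with no register label; the register dump should be copied verbatim from the en value. Separately, the en value reads "If an attempt is made to a sensor with a thermal zone" and is missing its verb, but that is upstream CNA text and not something the mirror should rewrite.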
@ -2,13 +2,17 @@
"id": "CVE-2022-48943",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-08-22T04:15:19.027",
"lastModified": "2024-08-22T04:15:19.027",
"vulnStatus": "Received",
"lastModified": "2024-08-22T12:48:02.790",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86/mmu: make apf token non-zero to fix bug\n\nIn current async pagefault logic, when a page is ready, KVM relies on\nkvm_arch_can_dequeue_async_page_present() to determine whether to deliver\na READY event to the Guest. This function test token value of struct\nkvm_vcpu_pv_apf_data, which must be reset to zero by Guest kernel when a\nREADY event is finished by Guest. If value is zero meaning that a READY\nevent is done, so the KVM can deliver another.\nBut the kvm_arch_setup_async_pf() may produce a valid token with zero\nvalue, which is confused with previous mention and may lead the loss of\nthis READY event.\n\nThis bug may cause task blocked forever in Guest:\n INFO: task stress:7532 blocked for more than 1254 seconds.\n Not tainted 5.10.0 #16\n \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n task:stress state:D stack: 0 pid: 7532 ppid: 1409\n flags:0x00000080\n Call Trace:\n __schedule+0x1e7/0x650\n schedule+0x46/0xb0\n kvm_async_pf_task_wait_schedule+0xad/0xe0\n ? exit_to_user_mode_prepare+0x60/0x70\n __kvm_handle_async_pf+0x4f/0xb0\n ? asm_exc_page_fault+0x8/0x30\n exc_page_fault+0x6f/0x110\n ? asm_exc_page_fault+0x8/0x30\n asm_exc_page_fault+0x1e/0x30\n RIP: 0033:0x402d00\n RSP: 002b:00007ffd31912500 EFLAGS: 00010206\n RAX: 0000000000071000 RBX: ffffffffffffffff RCX: 00000000021a32b0\n RDX: 000000000007d011 RSI: 000000000007d000 RDI: 00000000021262b0\n RBP: 00000000021262b0 R08: 0000000000000003 R09: 0000000000000086\n R10: 00000000000000eb R11: 00007fefbdf2baa0 R12: 0000000000000000\n R13: 0000000000000002 R14: 000000000007d000 R15: 0000000000001000"
},
{
"lang": "es",
"value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: KVM: x86/mmu: haga que el token apf sea distinto de cero para corregir el error En la l\u00f3gica de error de p\u00e1gina as\u00edncrona actual, cuando una p\u00e1gina est\u00e1 lista, KVM se basa en kvm_arch_can_dequeue_async_page_present() para determinar si se debe entregar un evento LISTO para el Invitado. Esta funci\u00f3n prueba el valor del token de la estructura kvm_vcpu_pv_apf_data, que el kernel invitado debe restablecer a cero cuando el invitado finaliza un evento READY. Si el valor es cero, significa que se realiz\u00f3 un evento READY, por lo que el KVM puede entregar otro. Pero kvm_arch_setup_async_pf() puede producir un token v\u00e1lido con valor cero, lo que se confunde con la menci\u00f3n anterior y puede provocar la p\u00e9rdida de este evento READY. Este error puede causar que la tarea se bloquee para siempre en Guest: INFORMACI\u00d3N: tarea de estr\u00e9s:7532 bloqueada durante m\u00e1s de 1254 segundos. Not tainted 5.10.0 #16 \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" desactiva este mensaje. tarea:estr\u00e9s estado:D pila: 0 pid: 7532 ppid: 1409 banderas:0x00000080 Seguimiento de llamadas: __schedule+0x1e7/0x650 Schedule+0x46/0xb0 kvm_async_pf_task_wait_schedule+0xad/0xe0 ? exit_to_user_mode_prepare+0x60/0x70 __kvm_handle_async_pf+0x4f/0xb0 ? asm_exc_page_fault+0x8/0x30 exc_page_fault+0x6f/0x110? asm_exc_page_fault+0x8/0x30 asm_exc_page_fault+0x1e/0x30 RIP: 0033:0x402d00 RSP: 002b:00007ffd31912500 EFLAGS: 00010206 RAX: 0000000000071000 RBX: ffffffff RCX: 00000000021a32b0 RDX: 000000000007d011 RSI: 000000000007d000 RDI: 00000000021262b0 RBP: 00000000021262b0 R08: 03 R09: 0000000000000086 R10: 000000000000000000EB R11: 00007FEFBDF2BAA0 R12: 00000000000000000000 R13: 0000000000000002 R14: 000000000007D000 R15: 00000000001000"
}
],
"metrics": {},
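Review bot: the es value mangles the hung-task register dump: `schedule+0x46/0xb0` is capitalised to `Schedule+0x46/0xb0`, `RBX: ffffffffffffffff` is cut to `RBX: ffffffff`, `R08: 0000000000000003` to `R08: 03`, the zero padding of R10, R12 and R15 is altered, and the R10 through R14 values are upper-cased (`00007FEFBDF2BAA0`), so the hex no longer matches the en text; the trace should be copied verbatim, with only the prose around it translated.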
@ -2,13 +2,13 @@
"id": "CVE-2023-2270",
"sourceIdentifier": "psirt@netskope.com",
"published": "2023-06-15T05:15:09.773",
"lastModified": "2023-06-30T00:08:10.847",
"vulnStatus": "Analyzed",
"lastModified": "2024-08-22T13:15:04.820",
"vulnStatus": "Modified",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Netskope client service running with NT\\SYSTEM privileges accepts network connections from localhost to start various services and execute commands. The connection handling function of Netskope client before R100 in this service utilized a relative path to download and unzip configuration files on the machine. This relative path provided a way for local users to write arbitrary files at a location which is accessible to only higher privileged users. This can be exploited by local users to execute code with NT\\SYSTEM privileges on the end machine.\n"
"value": "The Netskope client service running with NT\\SYSTEM privileges accepts network connections from localhost to start various services and execute commands. The connection handling function of Netskope client before R100 in this service utilized a relative path to download and unzip configuration files on the machine. This relative path provided a way for local users to write arbitrary files at a location which is accessible to only higher privileged users. This can be exploited by local users to execute code with NT\\SYSTEM privileges on the end machine."
}
],
"metrics": {
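Review bot: the only change to the description value is the removal of the trailing `\n`; the wording is identical, so anything that hashes or diffs description text will flag this record as changed even though its content is not, and the status move from Analyzed to Modified is explained by the weaknesses hunk that follows rather than by this hunk.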
@ -72,7 +72,7 @@
"description": [
{
"lang": "en",
"value": "CWE-20"
"value": "CWE-22"
}
]
}
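Review bot: CWE-20 to CWE-22 is the right reclassification for this description: the root cause is a relative path used to download and unzip configuration files, which lets local users write into a location reserved for higher-privileged users, and that is path traversal (CWE-22) rather than generic input validation; any consumer that filters this feed by CWE for local privilege-escalation tracking indexed the old CWE-20 value and needs to re-query.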
@ -2,13 +2,17 @@
"id": "CVE-2023-29929",
"sourceIdentifier": "cve@mitre.org",
"published": "2024-08-21T18:15:09.173",
"lastModified": "2024-08-21T21:35:00.720",
"vulnStatus": "Received",
"lastModified": "2024-08-22T12:48:02.790",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Buffer Overflow vulnerability found in Kemptechnologies Loadmaster before v.7.2.60.0 allows a remote attacker to casue a denial of service via the libkemplink.so, isreverse library."
},
{
"lang": "es",
"value": "La vulnerabilidad de desbordamiento de b\u00fafer encontrada en Kemptechnologies Loadmaster anterior a v.7.2.60.0 permite a un atacante remoto provocar una denegaci\u00f3n de servicio a trav\u00e9s de la librer\u00eda libkemplink.so, isreverse."
}
],
"metrics": {
@ -2,8 +2,8 @@
"id": "CVE-2023-41919",
"sourceIdentifier": "cert@ncsc.nl",
"published": "2024-07-02T08:15:03.680",
"lastModified": "2024-07-02T12:09:16.907",
"vulnStatus": "Undergoing Analysis",
"lastModified": "2024-08-22T13:44:19.347",
"vulnStatus": "Analyzed",
"cveTags": [],
"descriptions": [
{
@ -17,6 +17,26 @@
],
"metrics": {
"cvssMetricV31": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9
},
{
"source": "cert@ncsc.nl",
"type": "Secondary",
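Review bot: the added NVD Primary CVSS 3.1 entry is internally consistent: AV:N/AC:L/PR:N/UI:N yields exploitabilityScore 3.9, C:H/I:H/A:H with S:U yields impactScore 5.9, and baseScore 9.8 / CRITICAL follows from those; since it is inserted ahead of the existing cert@ncsc.nl Secondary block, consumers that take the first cvssMetricV31 element now receive the NVD score instead of the CNA score, which is a behaviour change worth calling out in the feed changelog.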
@ -40,6 +60,16 @@
]
},
"weaknesses": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "CWE-798"
}
]
},
{
"source": "cert@ncsc.nl",
"type": "Secondary",
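Review bot: the new Primary weakness CWE-798 (Use of Hard-coded Credentials) is consistent with the PR:N/UI:N vector in the metric above, where no privileges or user interaction are needed because the credential is shipped with the product; the cert@ncsc.nl Secondary weakness block is left in place after it, so the record now carries two weakness sources and tooling that assumes a single `weaknesses` entry per CVE will pick up only the first.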
@ -51,10 +81,71 @@
]
}
],
"configurations": [
{
"operator": "AND",
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:o:kiloview:p2_firmware:*:*:*:*:*:*:*:*",
"versionEndIncluding": "4.8.2605",
"matchCriteriaId": "981702C0-11D2-4F9B-AF7F-E55C5B5F07E8"
}
]
},
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": false,
"criteria": "cpe:2.3:h:kiloview:p2:-:*:*:*:*:*:*:*",
"matchCriteriaId": "FAD8304E-A310-4C8F-AA4B-4CE20F3F1943"
}
]
}
]
},
{
"operator": "AND",
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:o:kiloview:p1_firmware:*:*:*:*:*:*:*:*",
"versionEndIncluding": "4.8.2605",
"matchCriteriaId": "93E280EE-9B00-428B-A8FF-CC03D5A6EC69"
}
]
},
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": false,
"criteria": "cpe:2.3:h:kiloview:p1:-:*:*:*:*:*:*:*",
"matchCriteriaId": "BC15AF27-4AFD-4D51-B842-651BEE81E7C2"
}
]
}
]
}
],
"references": [
{
"url": "https://advisories.ncsc.nl/advisory?id=NCSC-2024-0273",
"source": "cert@ncsc.nl"
"source": "cert@ncsc.nl",
"tags": [
"Third Party Advisory"
]
}
]
}
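Review bot: both configuration nodes set versionEndIncluding 4.8.2605 with no versionStartIncluding, so every Kiloview P1 and P2 firmware version up to and including 4.8.2605 matches, and the hardware CPEs (`cpe:2.3:h:kiloview:p1` and `:p2`) are correctly marked `vulnerable: false` as platform context inside the AND nodes; the record names no fixed version, so an asset owner matching on these CPEs has to confirm with the NCSC-2024-0273 reference (now tagged Third Party Advisory) which release, if any, closes the issue before treating a newer firmware as unaffected.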
@ -2,13 +2,17 @@
"id": "CVE-2024-20417",
"sourceIdentifier": "ykramarz@cisco.com",
"published": "2024-08-21T20:15:08.533",
"lastModified": "2024-08-21T20:15:08.533",
"vulnStatus": "Received",
"lastModified": "2024-08-22T12:48:02.790",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple vulnerabilities in the REST API of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to conduct blind SQL injection attacks.\r\n\r\nThese vulnerabilities are due to insufficient validation of user-supplied input in REST API calls. An attacker could exploit these vulnerabilities by sending crafted input to an affected device. A successful exploit could allow the attacker to view or modify data on the affected device."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades en la API REST de Cisco Identity Services Engine (ISE) podr\u00edan permitir que un atacante remoto autenticado realice ataques de inyecci\u00f3n SQL ciegos. Estas vulnerabilidades se deben a una validaci\u00f3n insuficiente de la entrada proporcionada por el usuario en las llamadas a la API REST. Un atacante podr\u00eda aprovechar estas vulnerabilidades enviando datos manipulados a un dispositivo afectado. Un exploit exitoso podr\u00eda permitir al atacante ver o modificar datos en el dispositivo afectado."
}
],
"metrics": {
@ -2,13 +2,17 @@
"id": "CVE-2024-20466",
"sourceIdentifier": "ykramarz@cisco.com",
"published": "2024-08-21T20:15:08.737",
"lastModified": "2024-08-21T20:15:08.737",
"vulnStatus": "Received",
"lastModified": "2024-08-22T12:48:02.790",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to obtain sensitive information from an affected device.\r\n\r\nThis vulnerability is due to improper enforcement of administrative privilege levels for high-value sensitive data. An attacker with read-only Administrator privileges for the web-based management interface on an affected device could exploit this vulnerability by browsing to a page that contains sensitive data. A successful exploit could allow the attacker to collect sensitive information regarding the configuration of the system."
},
{
"lang": "es",
"value": "Una vulnerabilidad en la interfaz de administraci\u00f3n basada en web de Cisco Identity Services Engine (ISE) podr\u00eda permitir que un atacante remoto autenticado obtenga informaci\u00f3n confidencial de un dispositivo afectado. Esta vulnerabilidad se debe a la aplicaci\u00f3n inadecuada de niveles de privilegios administrativos para datos confidenciales de alto valor. Un atacante con privilegios de administrador de solo lectura para la interfaz de administraci\u00f3n basada en web en un dispositivo afectado podr\u00eda aprovechar esta vulnerabilidad navegando a una p\u00e1gina que contenga datos confidenciales. Un exploit exitoso podr\u00eda permitir al atacante recopilar informaci\u00f3n confidencial sobre la configuraci\u00f3n del sistema."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
@ -2,13 +2,17 @@
|
||||
"id": "CVE-2024-20486",
|
||||
"sourceIdentifier": "ykramarz@cisco.com",
|
||||
"published": "2024-08-21T20:15:08.933",
|
||||
"lastModified": "2024-08-21T20:15:08.933",
|
||||
"vulnStatus": "Received",
|
||||
"lastModified": "2024-08-22T12:48:02.790",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"cveTags": [],
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device.\r\n\r\nThis vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a crafted link. A successful exploit could allow the attacker to perform arbitrary actions on the affected device with the privileges of the targeted user."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Una vulnerabilidad en la interfaz de administraci\u00f3n basada en web de Cisco Identity Services Engine (ISE) podr\u00eda permitir que un atacante remoto no autenticado lleve a cabo un ataque de cross-site request forgery (CSRF) y realice acciones arbitrarias en un dispositivo afectado. Esta vulnerabilidad se debe a protecciones CSRF insuficientes para la interfaz de administraci\u00f3n basada en web de un dispositivo afectado. Un atacante podr\u00eda aprovechar esta vulnerabilidad persuadiendo a un usuario de la interfaz para que siga un enlace manipulado. Un exploit exitoso podr\u00eda permitir al atacante realizar acciones arbitrarias en el dispositivo afectado con los privilegios del usuario objetivo."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
@ -2,13 +2,17 @@
|
||||
"id": "CVE-2024-20488",
|
||||
"sourceIdentifier": "ykramarz@cisco.com",
|
||||
"published": "2024-08-21T19:15:13.163",
|
||||
"lastModified": "2024-08-21T19:15:13.163",
|
||||
"vulnStatus": "Received",
|
||||
"lastModified": "2024-08-22T12:48:02.790",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"cveTags": [],
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.\r\n\r\nThis vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Una vulnerabilidad en la interfaz de administraci\u00f3n basada en web de Cisco Unified Communications Manager (Unified CM) y Cisco Unified Communications Manager Session Management Edition (Unified CM SME) podr\u00eda permitir que un atacante remoto no autenticado lleve a cabo un ataque de cross-site scripting (XSS) contra un usuario de la interfaz. Esta vulnerabilidad existe porque la interfaz de administraci\u00f3n basada en web no valida adecuadamente la entrada proporcionada por el usuario. Un atacante podr\u00eda aprovechar esta vulnerabilidad persuadiendo a un usuario de la interfaz para que haga clic en un enlace manipulado. Un exploit exitoso podr\u00eda permitir al atacante ejecutar c\u00f3digo de script arbitrario en el contexto de la interfaz afectada o acceder a informaci\u00f3n confidencial basada en el navegador."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
@ -2,7 +2,7 @@
|
||||
"id": "CVE-2024-21509",
|
||||
"sourceIdentifier": "report@snyk.io",
|
||||
"published": "2024-04-10T05:15:48.547",
|
||||
"lastModified": "2024-04-10T13:23:38.787",
|
||||
"lastModified": "2024-08-22T13:35:00.907",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"cveTags": [],
|
||||
"descriptions": [
|
||||
@ -49,6 +49,16 @@
|
||||
"value": "CWE-1321"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
|
||||
"type": "Secondary",
|
||||
"description": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "CWE-1321"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"references": [
|
||||
|
@ -2,8 +2,8 @@
|
||||
"id": "CVE-2024-28200",
|
||||
"sourceIdentifier": "a5532a13-c4dd-4202-bef1-e0b8f2f8d12b",
|
||||
"published": "2024-07-01T21:15:03.143",
|
||||
"lastModified": "2024-07-02T12:09:16.907",
|
||||
"vulnStatus": "Undergoing Analysis",
|
||||
"lastModified": "2024-08-22T13:36:13.033",
|
||||
"vulnStatus": "Analyzed",
|
||||
"cveTags": [],
|
||||
"descriptions": [
|
||||
{
|
||||
@ -17,6 +17,26 @@
|
||||
],
|
||||
"metrics": {
|
||||
"cvssMetricV31": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"cvssData": {
|
||||
"version": "3.1",
|
||||
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
|
||||
"attackVector": "NETWORK",
|
||||
"attackComplexity": "LOW",
|
||||
"privilegesRequired": "NONE",
|
||||
"userInteraction": "NONE",
|
||||
"scope": "UNCHANGED",
|
||||
"confidentialityImpact": "HIGH",
|
||||
"integrityImpact": "HIGH",
|
||||
"availabilityImpact": "HIGH",
|
||||
"baseScore": 9.8,
|
||||
"baseSeverity": "CRITICAL"
|
||||
},
|
||||
"exploitabilityScore": 3.9,
|
||||
"impactScore": 5.9
|
||||
},
|
||||
{
|
||||
"source": "a5532a13-c4dd-4202-bef1-e0b8f2f8d12b",
|
||||
"type": "Secondary",
|
||||
@ -40,6 +60,16 @@
|
||||
]
|
||||
},
|
||||
"weaknesses": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"description": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "CWE-287"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"source": "a5532a13-c4dd-4202-bef1-e0b8f2f8d12b",
|
||||
"type": "Secondary",
|
||||
@ -51,14 +81,38 @@
|
||||
]
|
||||
}
|
||||
],
|
||||
"configurations": [
|
||||
{
|
||||
"nodes": [
|
||||
{
|
||||
"operator": "OR",
|
||||
"negate": false,
|
||||
"cpeMatch": [
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:a:n-able:n-central:*:*:*:*:*:*:*:*",
|
||||
"versionEndExcluding": "2024.2",
|
||||
"matchCriteriaId": "99868AED-F82D-4C33-990C-B749973BD9C0"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"references": [
|
||||
{
|
||||
"url": "https://documentation.n-able.com/N-central/Release_Notes/GA/Content/2024.2%20Release%20Notes.htm",
|
||||
"source": "a5532a13-c4dd-4202-bef1-e0b8f2f8d12b"
|
||||
"source": "a5532a13-c4dd-4202-bef1-e0b8f2f8d12b",
|
||||
"tags": [
|
||||
"Vendor Advisory"
|
||||
]
|
||||
},
|
||||
{
|
||||
"url": "https://me.n-able.com/s/security-advisory/aArVy0000000673KAA/cve202428200-ncentral-authentication-bypass",
|
||||
"source": "a5532a13-c4dd-4202-bef1-e0b8f2f8d12b"
|
||||
"source": "a5532a13-c4dd-4202-bef1-e0b8f2f8d12b",
|
||||
"tags": [
|
||||
"Release Notes"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
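Review bot: the reference tags in the `"references"` part of this hunk appear swapped: the `documentation.n-able.com/N-central/Release_Notes/GA/Content/2024.2%20Release%20Notes.htm` entry gets `"Vendor Advisory"` while the `me.n-able.com/s/security-advisory/.../cve202428200-ncentral-authentication-bypass` entry gets `"Release Notes"`. Since this repository only mirrors the upstream NVD feed, the correction belongs upstream, but anyone filtering this record by tag to pick the advisory link should not rely on these two tags until NVD fixes them.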
|
@ -2,13 +2,17 @@
|
||||
"id": "CVE-2024-28987",
|
||||
"sourceIdentifier": "psirt@solarwinds.com",
|
||||
"published": "2024-08-21T22:15:04.350",
|
||||
"lastModified": "2024-08-21T22:15:04.350",
|
||||
"vulnStatus": "Received",
|
||||
"lastModified": "2024-08-22T12:48:02.790",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"cveTags": [],
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "The SolarWinds Web Help Desk (WHD) software is affected by a hardcoded credential vulnerability, allowing remote unauthenticated user to access internal functionality and modify data."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "El software SolarWinds Web Help Desk (WHD) se ve afectado por una vulnerabilidad de credencial codificada, lo que permite a un usuario remoto no autenticado acceder a la funcionalidad interna y modificar datos."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
@ -2,8 +2,8 @@
|
||||
"id": "CVE-2024-32230",
|
||||
"sourceIdentifier": "cve@mitre.org",
|
||||
"published": "2024-07-01T21:15:03.617",
|
||||
"lastModified": "2024-07-02T12:09:16.907",
|
||||
"vulnStatus": "Undergoing Analysis",
|
||||
"lastModified": "2024-08-22T13:24:40.597",
|
||||
"vulnStatus": "Analyzed",
|
||||
"cveTags": [],
|
||||
"descriptions": [
|
||||
{
|
||||
@ -15,11 +15,67 @@
|
||||
"value": "FFmpeg 7.0 es vulnerable al desbordamiento del b\u00fafer. Hay un error de par\u00e1metro de tama\u00f1o negativo en libavcodec/mpegvideo_enc.c:1216:21 en load_input_picture en FFmpeg7.0"
|
||||
}
|
||||
],
|
||||
"metrics": {},
|
||||
"metrics": {
|
||||
"cvssMetricV31": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"cvssData": {
|
||||
"version": "3.1",
|
||||
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
|
||||
"attackVector": "LOCAL",
|
||||
"attackComplexity": "LOW",
|
||||
"privilegesRequired": "NONE",
|
||||
"userInteraction": "REQUIRED",
|
||||
"scope": "UNCHANGED",
|
||||
"confidentialityImpact": "HIGH",
|
||||
"integrityImpact": "HIGH",
|
||||
"availabilityImpact": "HIGH",
|
||||
"baseScore": 7.8,
|
||||
"baseSeverity": "HIGH"
|
||||
},
|
||||
"exploitabilityScore": 1.8,
|
||||
"impactScore": 5.9
|
||||
}
|
||||
]
|
||||
},
|
||||
"weaknesses": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"description": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "CWE-120"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"configurations": [
|
||||
{
|
||||
"nodes": [
|
||||
{
|
||||
"operator": "OR",
|
||||
"negate": false,
|
||||
"cpeMatch": [
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:a:ffmpeg:ffmpeg:7.0:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "53081022-F93B-4ED8-8D24-CD47DC87A17D"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"references": [
|
||||
{
|
||||
"url": "https://trac.ffmpeg.org/ticket/10952",
|
||||
"source": "cve@mitre.org"
|
||||
"source": "cve@mitre.org",
|
||||
"tags": [
|
||||
"Exploit",
|
||||
"Vendor Advisory"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
@ -2,13 +2,17 @@
|
||||
"id": "CVE-2024-32939",
|
||||
"sourceIdentifier": "responsibledisclosure@mattermost.com",
|
||||
"published": "2024-08-22T07:15:03.353",
|
||||
"lastModified": "2024-08-22T07:15:03.353",
|
||||
"vulnStatus": "Received",
|
||||
"lastModified": "2024-08-22T12:48:02.790",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"cveTags": [],
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2, when shared channels are enabled, fail to redact remote users' original email addresses stored in user props when email addresses are otherwise configured not to be visible in the local server.\""
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Las versiones de Mattermost 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2, cuando los canales compartidos est\u00e1n habilitados, no se pueden redactar las direcciones de correo electr\u00f3nico originales de los usuarios remotos almacenadas en las propiedades del usuario cuando las direcciones de correo electr\u00f3nico est\u00e1n configuradas para no ser visibles en el servidor local."
|
||||
}
|
||||
],
|
||||
"metrics": {
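Review bot: the English description added in this hunk ends with a stray escaped double quote (`...visible in the local server.\""`) that the Spanish translation does not carry, so it is an artifact of the CNA record rather than part of the text. It is harmless for JSON parsing but will surface as a dangling `"` in any tool that renders or diffs descriptions; nothing to change in the mirror, but worth reporting upstream.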
|
||||
|
@ -2,8 +2,8 @@
|
||||
"id": "CVE-2024-35124",
|
||||
"sourceIdentifier": "psirt@us.ibm.com",
|
||||
"published": "2024-08-13T12:15:06.163",
|
||||
"lastModified": "2024-08-13T12:58:25.437",
|
||||
"vulnStatus": "Undergoing Analysis",
|
||||
"lastModified": "2024-08-22T13:31:16.353",
|
||||
"vulnStatus": "Analyzed",
|
||||
"cveTags": [],
|
||||
"descriptions": [
|
||||
{
|
||||
@ -17,6 +17,26 @@
|
||||
],
|
||||
"metrics": {
|
||||
"cvssMetricV31": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"cvssData": {
|
||||
"version": "3.1",
|
||||
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
|
||||
"attackVector": "NETWORK",
|
||||
"attackComplexity": "HIGH",
|
||||
"privilegesRequired": "NONE",
|
||||
"userInteraction": "REQUIRED",
|
||||
"scope": "UNCHANGED",
|
||||
"confidentialityImpact": "HIGH",
|
||||
"integrityImpact": "HIGH",
|
||||
"availabilityImpact": "HIGH",
|
||||
"baseScore": 7.5,
|
||||
"baseSeverity": "HIGH"
|
||||
},
|
||||
"exploitabilityScore": 1.6,
|
||||
"impactScore": 5.9
|
||||
},
|
||||
{
|
||||
"source": "psirt@us.ibm.com",
|
||||
"type": "Secondary",
|
||||
@ -41,8 +61,18 @@
|
||||
},
|
||||
"weaknesses": [
|
||||
{
|
||||
"source": "psirt@us.ibm.com",
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"description": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "CWE-306"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"source": "psirt@us.ibm.com",
|
||||
"type": "Secondary",
|
||||
"description": [
|
||||
{
|
||||
"lang": "en",
|
||||
@ -51,14 +81,54 @@
|
||||
]
|
||||
}
|
||||
],
|
||||
"configurations": [
|
||||
{
|
||||
"nodes": [
|
||||
{
|
||||
"operator": "OR",
|
||||
"negate": false,
|
||||
"cpeMatch": [
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:o:ibm:openbmc:*:*:*:*:*:*:*:*",
|
||||
"versionStartIncluding": "fw1020.00",
|
||||
"versionEndIncluding": "fw1020.60",
|
||||
"matchCriteriaId": "2822802F-0AC9-43FA-807D-72B48CD7B61F"
|
||||
},
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:o:ibm:openbmc:*:*:*:*:*:*:*:*",
|
||||
"versionStartIncluding": "fw1030.00",
|
||||
"versionEndIncluding": "fw1030.50",
|
||||
"matchCriteriaId": "40CAE3FC-6661-4AEB-8D03-A00CE25994C0"
|
||||
},
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:o:ibm:openbmc:*:*:*:*:*:*:*:*",
|
||||
"versionStartIncluding": "fw1050.00",
|
||||
"versionEndIncluding": "fw1050.10",
|
||||
"matchCriteriaId": "E30757DE-5CEA-4705-8EAA-486363521FF3"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"references": [
|
||||
{
|
||||
"url": "https://https://exchange.xforce.ibmcloud.com/vulnerabilities/290674",
|
||||
"source": "psirt@us.ibm.com"
|
||||
"source": "psirt@us.ibm.com",
|
||||
"tags": [
|
||||
"VDB Entry",
|
||||
"Vendor Advisory"
|
||||
]
|
||||
},
|
||||
{
|
||||
"url": "https://www.ibm.com/support/pages/node/7163195",
|
||||
"source": "psirt@us.ibm.com"
|
||||
"source": "psirt@us.ibm.com",
|
||||
"tags": [
|
||||
"Vendor Advisory"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
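Review bot: the first reference URL in this hunk is malformed, `https://https://exchange.xforce.ibmcloud.com/vulnerabilities/290674` (doubled scheme), yet the hunk now attaches `"VDB Entry"` and `"Vendor Advisory"` tags to it. As written the link will not resolve, so consumers that dereference feed references should expect a failure for this entry until upstream corrects it; the second reference, `https://www.ibm.com/support/pages/node/7163195`, is well formed.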
|
@ -2,8 +2,8 @@
|
||||
"id": "CVE-2024-35151",
|
||||
"sourceIdentifier": "psirt@us.ibm.com",
|
||||
"published": "2024-08-22T11:15:13.250",
|
||||
"lastModified": "2024-08-22T11:15:13.250",
|
||||
"vulnStatus": "Received",
|
||||
"lastModified": "2024-08-22T12:48:02.790",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"cveTags": [],
|
||||
"descriptions": [
|
||||
{
|
||||
|
@ -2,8 +2,8 @@
|
||||
"id": "CVE-2024-37287",
|
||||
"sourceIdentifier": "bressers@elastic.co",
|
||||
"published": "2024-08-13T12:15:06.433",
|
||||
"lastModified": "2024-08-13T12:58:25.437",
|
||||
"vulnStatus": "Undergoing Analysis",
|
||||
"lastModified": "2024-08-22T13:33:12.477",
|
||||
"vulnStatus": "Analyzed",
|
||||
"cveTags": [],
|
||||
"descriptions": [
|
||||
{
|
||||
@ -17,6 +17,26 @@
|
||||
],
|
||||
"metrics": {
|
||||
"cvssMetricV31": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"cvssData": {
|
||||
"version": "3.1",
|
||||
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
|
||||
"attackVector": "NETWORK",
|
||||
"attackComplexity": "LOW",
|
||||
"privilegesRequired": "HIGH",
|
||||
"userInteraction": "NONE",
|
||||
"scope": "UNCHANGED",
|
||||
"confidentialityImpact": "HIGH",
|
||||
"integrityImpact": "HIGH",
|
||||
"availabilityImpact": "HIGH",
|
||||
"baseScore": 7.2,
|
||||
"baseSeverity": "HIGH"
|
||||
},
|
||||
"exploitabilityScore": 1.2,
|
||||
"impactScore": 5.9
|
||||
},
|
||||
{
|
||||
"source": "bressers@elastic.co",
|
||||
"type": "Secondary",
|
||||
@ -40,6 +60,16 @@
|
||||
]
|
||||
},
|
||||
"weaknesses": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"description": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "CWE-1321"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"source": "bressers@elastic.co",
|
||||
"type": "Secondary",
|
||||
@ -51,10 +81,39 @@
|
||||
]
|
||||
}
|
||||
],
|
||||
"configurations": [
|
||||
{
|
||||
"nodes": [
|
||||
{
|
||||
"operator": "OR",
|
||||
"negate": false,
|
||||
"cpeMatch": [
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*",
|
||||
"versionStartIncluding": "7.7.0",
|
||||
"versionEndExcluding": "7.17.23",
|
||||
"matchCriteriaId": "1A4E337B-545C-4BBC-9A58-7E0D9CAE53F4"
|
||||
},
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:*",
|
||||
"versionStartIncluding": "8.0.0",
|
||||
"versionEndExcluding": "8.14.2",
|
||||
"matchCriteriaId": "143567E3-C153-414B-9EDD-52B3EF60B6AD"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"references": [
|
||||
{
|
||||
"url": "https://discuss.elastic.co/t/kibana-8-14-2-7-17-23-security-update-esa-2024-22/",
|
||||
"source": "bressers@elastic.co"
|
||||
"source": "bressers@elastic.co",
|
||||
"tags": [
|
||||
"Vendor Advisory"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
@ -2,8 +2,8 @@
|
||||
"id": "CVE-2024-38501",
|
||||
"sourceIdentifier": "info@cert.vde.com",
|
||||
"published": "2024-08-13T13:15:12.130",
|
||||
"lastModified": "2024-08-13T17:11:53.553",
|
||||
"vulnStatus": "Undergoing Analysis",
|
||||
"lastModified": "2024-08-22T13:34:42.653",
|
||||
"vulnStatus": "Analyzed",
|
||||
"cveTags": [],
|
||||
"descriptions": [
|
||||
{
|
||||
@ -51,10 +51,365 @@
|
||||
]
|
||||
}
|
||||
],
|
||||
"configurations": [
|
||||
{
|
||||
"operator": "AND",
|
||||
"nodes": [
|
||||
{
|
||||
"operator": "OR",
|
||||
"negate": false,
|
||||
"cpeMatch": [
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:o:pepperl-fuchs:icdm-rx\\/tcp_socketserver_firmware:*:*:*:*:*:*:*:*",
|
||||
"versionEndExcluding": "11.65",
|
||||
"matchCriteriaId": "76F48804-5A09-45EB-9358-588C12531643"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"operator": "OR",
|
||||
"negate": false,
|
||||
"cpeMatch": [
|
||||
{
|
||||
"vulnerable": false,
|
||||
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/tcp-16db9\\/rj45-rm:-:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "74FA0423-B701-4FD9-AB55-0C9EEEE0A28F"
|
||||
},
|
||||
{
|
||||
"vulnerable": false,
|
||||
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/tcp-16rj45\\/2rj45-pm:-:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "99FF2849-0342-4E29-8976-8A69FBD19105"
|
||||
},
|
||||
{
|
||||
"vulnerable": false,
|
||||
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/tcp-16rj45\\/rj45-rm:-:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "BD7C60B0-3074-4DA5-9CAB-1D86FD345A2B"
|
||||
},
|
||||
{
|
||||
"vulnerable": false,
|
||||
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/tcp-2db9\\/rj45-din:-:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "04558366-D4BC-4EA2-87DD-D884ADBC225E"
|
||||
},
|
||||
{
|
||||
"vulnerable": false,
|
||||
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/tcp-2st\\/rj45-din:-:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "5B14B2C3-5072-4DA1-A94C-D5DFD772CA61"
|
||||
},
|
||||
{
|
||||
"vulnerable": false,
|
||||
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/tcp-32rj45\\/rj45-rm:-:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "31A3AC39-07B6-4638-BD37-E43FEFC7453F"
|
||||
},
|
||||
{
|
||||
"vulnerable": false,
|
||||
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/tcp-4db9\\/2rj45-din:-:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "414C289E-538E-4958-AAA9-682920F6C3B2"
|
||||
},
|
||||
{
|
||||
"vulnerable": false,
|
||||
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/tcp-4db9\\/2rj45-pm:-:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "D4966738-4A3C-4182-9D86-1B5D376EEAED"
|
||||
},
|
||||
{
|
||||
"vulnerable": false,
|
||||
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/tcp-8db9\\/2rj45-pm:-:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "522B8CFC-FD02-4002-8518-923D93F9941B"
|
||||
},
|
||||
{
|
||||
"vulnerable": false,
|
||||
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/tcp-db9\\/rj45-din:-:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "D01ADEB1-C000-4DAE-9470-8380D998548B"
|
||||
},
|
||||
{
|
||||
"vulnerable": false,
|
||||
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/tcp-db9\\/rj45-pm:-:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "7B9732BD-A75B-4D8A-A710-491F348A6056"
|
||||
},
|
||||
{
|
||||
"vulnerable": false,
|
||||
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/tcp-db9\\/rj45-pm2:-:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "A85AD844-2330-4128-95E9-A12330D16152"
|
||||
},
|
||||
{
|
||||
"vulnerable": false,
|
||||
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/tcp-st\\/rj45-din:-:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "CE154902-5B25-401C-A096-013AEC156F4E"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"operator": "AND",
|
||||
"nodes": [
|
||||
{
|
||||
"operator": "OR",
|
||||
"negate": false,
|
||||
"cpeMatch": [
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:o:pepperl-fuchs:profinet_firmware:*:*:*:*:*:*:*:*",
|
||||
"versionEndExcluding": "3.4.9",
|
||||
"matchCriteriaId": "504996AD-D6AD-4C58-8FBC-293B72E567FC"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"operator": "OR",
|
||||
"negate": false,
|
||||
"cpeMatch": [
|
||||
{
|
||||
"vulnerable": false,
|
||||
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/pn-2db9\\/rj45-din:-:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "E53643B1-13E5-4A89-8BE3-5FAA0E8C28C9"
|
||||
},
|
||||
{
|
||||
"vulnerable": false,
|
||||
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/pn-2st\\/rj45-din:-:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "DA5209DC-117F-46DE-85B2-DA59BDE28255"
|
||||
},
|
||||
{
|
||||
"vulnerable": false,
|
||||
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/pn-4db9\\/2rj45-din:-:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "1051031D-9D38-43B0-B0A5-D6DA83EC32EE"
|
||||
},
|
||||
{
|
||||
"vulnerable": false,
|
||||
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/pn-db9\\/rj45-din:-:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "FE812DA2-DF93-4424-9856-FFB1A97461B9"
|
||||
},
|
||||
{
|
||||
"vulnerable": false,
|
||||
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/pn-db9\\/rj45-pm:-:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "8D85A19A-B02D-4A33-ABC8-4CB705946051"
|
||||
},
|
||||
{
|
||||
"vulnerable": false,
|
||||
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/pn-st\\/rj45-din:-:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "429274C3-C388-43CF-8D4C-4F71C348B14E"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"operator": "AND",
|
||||
"nodes": [
|
||||
{
|
||||
"operator": "OR",
|
||||
"negate": false,
|
||||
"cpeMatch": [
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:o:pepperl-fuchs:profinet\\/modbus_firmware:*:*:*:*:*:*:*:*",
|
||||
"versionEndExcluding": "1.0.7",
|
||||
"matchCriteriaId": "96BC0CEB-A9B5-45BD-8AF3-73A2C5C56DDD"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"operator": "OR",
|
||||
"negate": false,
|
||||
"cpeMatch": [
|
||||
{
|
||||
"vulnerable": false,
|
||||
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/pn1-2db9\\/rj45-din:-:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "AAAC75E1-369D-4417-8A4D-4DE8A6443D9A"
|
||||
},
|
||||
{
|
||||
"vulnerable": false,
|
||||
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/pn1-2st\\/rj45-din:-:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "BE3B448B-C3E5-48D2-8167-0BDEE44E5A56"
|
||||
},
|
||||
{
|
||||
"vulnerable": false,
|
||||
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/pn1-4db9\\/2rj45-din:-:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "28BED750-59B0-4B01-8D71-5C73B875C055"
|
||||
},
|
||||
{
|
||||
"vulnerable": false,
|
||||
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/pn1-db9\\/rj45-din:-:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "53A6C459-94EF-47E5-B0AF-40161AC4ABBC"
|
||||
},
|
||||
{
|
||||
"vulnerable": false,
|
||||
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/pn1-db9\\/rj45-pm:-:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "40FE8D87-3C85-4749-B519-533006EAFF7D"
|
||||
},
|
||||
{
|
||||
"vulnerable": false,
|
||||
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/pn1-st\\/rj45-din:-:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "E482103C-13D7-4BE7-AD9E-1EFE1FBDC8C2"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"operator": "AND",
|
||||
"nodes": [
|
||||
{
|
||||
"operator": "OR",
|
||||
"negate": false,
|
||||
"cpeMatch": [
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:o:pepperl-fuchs:modbus_router_firmware:*:*:*:*:*:*:*:*",
|
||||
"versionEndExcluding": "7.09",
|
||||
"matchCriteriaId": "A19029DF-A3AB-4EDD-8655-E7FD8B8A2008"
|
||||
},
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:o:pepperl-fuchs:modbus_server_firmware:*:*:*:*:*:*:*:*",
|
||||
"versionEndExcluding": "7.11",
|
||||
"matchCriteriaId": "F8A8EC37-6A6E-4DC0-9EE6-91E2CF2E6471"
|
||||
},
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:o:pepperl-fuchs:modbus_tcp_firmware:*:*:*:*:*:*:*:*",
|
||||
"versionEndExcluding": "7.11",
|
||||
"matchCriteriaId": "E746E0B5-1D83-4384-811B-2307F7C43369"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"operator": "OR",
|
||||
"negate": false,
|
||||
"cpeMatch": [
|
||||
{
|
||||
"vulnerable": false,
|
||||
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/mod-4db9\\/2rj45-din:-:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "EFE4CDAC-4561-44B5-B348-0CA52935D4F6"
|
||||
},
|
||||
{
|
||||
"vulnerable": false,
|
||||
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/mod-db9\\/rj45-din:-:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "7576D41E-F76E-4DD8-A2D2-414077324B96"
|
||||
},
|
||||
{
|
||||
"vulnerable": false,
|
||||
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/mod-st\\/rj45-din:-:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "E444EA03-AA16-41E2-B3C6-E6FFE9283862"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"operator": "AND",
|
||||
"nodes": [
|
||||
{
|
||||
"operator": "OR",
|
||||
"negate": false,
|
||||
"cpeMatch": [
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:o:pepperl-fuchs:ethernet\\/ip_firmware:*:*:*:*:*:*:*:*",
|
||||
"versionEndExcluding": "7.22",
|
||||
"matchCriteriaId": "0358942E-C89F-45B6-92FA-59EA192260F7"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"operator": "OR",
|
||||
"negate": false,
|
||||
"cpeMatch": [
|
||||
{
|
||||
"vulnerable": false,
|
||||
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/en-2db9\\/rj45-din:-:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "D67F1B4C-96EA-4768-85CE-6DA4EB63B154"
|
||||
},
|
||||
{
|
||||
"vulnerable": false,
|
||||
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/en-2st\\/rj45-din:-:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "F108AD5F-2202-4C8C-896B-B1703D8DFFB8"
|
||||
},
|
||||
{
|
||||
"vulnerable": false,
|
||||
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/en-4db9\\/2rj45-din:-:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "3EC4D443-1860-481C-9574-5FC5106B1B0C"
|
||||
},
|
||||
{
|
||||
"vulnerable": false,
|
||||
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/en-db9\\/rj45-din:-:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "49F3E1E2-004C-46FC-84A7-07E8AC09B96F"
|
||||
},
|
||||
{
|
||||
"vulnerable": false,
|
||||
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/en-db9\\/rj45-pm:-:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "368CA225-66FE-4CE2-8E8D-17BDA1A2DBF9"
|
||||
},
|
||||
{
|
||||
"vulnerable": false,
|
||||
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/en-st\\/rj45-din:-:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "B1378603-4440-4C77-B890-73C9896068C6"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"operator": "AND",
|
||||
"nodes": [
|
||||
{
|
||||
"operator": "OR",
|
||||
"negate": false,
|
||||
"cpeMatch": [
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:o:pepperl-fuchs:eip\\/modbus_firmware:*:*:*:*:*:*:*:*",
|
||||
"versionEndExcluding": "1.08",
|
||||
"matchCriteriaId": "5FCEE06D-1D22-4467-A544-F25E1600D4A2"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"operator": "OR",
|
||||
"negate": false,
|
||||
"cpeMatch": [
|
||||
{
|
||||
"vulnerable": false,
|
||||
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/en1-2db9\\/rj45-din:-:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "1223BB5A-6DC0-4778-B248-E40A0FA09D5E"
|
||||
},
|
||||
{
|
||||
"vulnerable": false,
|
||||
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/en1-2st\\/rj45-din:-:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "BD2CA662-6B40-40BA-9D34-043C0350F8AB"
|
||||
},
|
||||
{
|
||||
"vulnerable": false,
|
||||
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/en1-4db9\\/2rj45-din:-:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "CB85CB22-4936-4A02-B978-08744F08F054"
|
||||
},
|
||||
{
|
||||
"vulnerable": false,
|
||||
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/en1-db9\\/rj45-din:-:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "5DF9C895-E0FF-4EE2-9664-0F9063D9F24B"
|
||||
},
|
||||
{
|
||||
"vulnerable": false,
|
||||
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/en1-db9\\/rj45-pm:-:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "F1C39534-9887-4DEF-9169-FF5B842B1A58"
|
||||
},
|
||||
{
|
||||
"vulnerable": false,
|
||||
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/en1-st\\/rj45-din:-:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "EEA4298A-DA92-4661-98BA-12580B750B4E"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"references": [
|
||||
{
|
||||
"url": "https://cert.vde.com/en/advisories/VDE-2024-033",
|
||||
"source": "info@cert.vde.com"
|
||||
"source": "info@cert.vde.com",
|
||||
"tags": [
|
||||
"Third Party Advisory"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
@ -2,8 +2,8 @@
|
||||
"id": "CVE-2024-38502",
|
||||
"sourceIdentifier": "info@cert.vde.com",
|
||||
"published": "2024-08-13T13:15:12.460",
|
||||
"lastModified": "2024-08-13T17:11:53.553",
|
||||
"vulnStatus": "Undergoing Analysis",
|
||||
"lastModified": "2024-08-22T13:35:47.970",
|
"vulnStatus": "Analyzed",
"cveTags": [],
"descriptions": [
{
@ -51,10 +51,365 @@
]
}
],
"configurations": [
{
"operator": "AND",
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:o:pepperl-fuchs:icdm-rx\\/tcp_socketserver_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "11.65",
"matchCriteriaId": "76F48804-5A09-45EB-9358-588C12531643"
}
]
},
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": false,
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/tcp-16db9\\/rj45-rm:-:*:*:*:*:*:*:*",
"matchCriteriaId": "74FA0423-B701-4FD9-AB55-0C9EEEE0A28F"
},
{
"vulnerable": false,
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/tcp-16rj45\\/2rj45-pm:-:*:*:*:*:*:*:*",
"matchCriteriaId": "99FF2849-0342-4E29-8976-8A69FBD19105"
},
{
"vulnerable": false,
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/tcp-16rj45\\/rj45-rm:-:*:*:*:*:*:*:*",
"matchCriteriaId": "BD7C60B0-3074-4DA5-9CAB-1D86FD345A2B"
},
{
"vulnerable": false,
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/tcp-2db9\\/rj45-din:-:*:*:*:*:*:*:*",
"matchCriteriaId": "04558366-D4BC-4EA2-87DD-D884ADBC225E"
},
{
"vulnerable": false,
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/tcp-2st\\/rj45-din:-:*:*:*:*:*:*:*",
"matchCriteriaId": "5B14B2C3-5072-4DA1-A94C-D5DFD772CA61"
},
{
"vulnerable": false,
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/tcp-32rj45\\/rj45-rm:-:*:*:*:*:*:*:*",
"matchCriteriaId": "31A3AC39-07B6-4638-BD37-E43FEFC7453F"
},
{
"vulnerable": false,
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/tcp-4db9\\/2rj45-din:-:*:*:*:*:*:*:*",
"matchCriteriaId": "414C289E-538E-4958-AAA9-682920F6C3B2"
},
{
"vulnerable": false,
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/tcp-4db9\\/2rj45-pm:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D4966738-4A3C-4182-9D86-1B5D376EEAED"
},
{
"vulnerable": false,
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/tcp-8db9\\/2rj45-pm:-:*:*:*:*:*:*:*",
"matchCriteriaId": "522B8CFC-FD02-4002-8518-923D93F9941B"
},
{
"vulnerable": false,
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/tcp-db9\\/rj45-din:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D01ADEB1-C000-4DAE-9470-8380D998548B"
},
{
"vulnerable": false,
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/tcp-db9\\/rj45-pm:-:*:*:*:*:*:*:*",
"matchCriteriaId": "7B9732BD-A75B-4D8A-A710-491F348A6056"
},
{
"vulnerable": false,
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/tcp-db9\\/rj45-pm2:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A85AD844-2330-4128-95E9-A12330D16152"
},
{
"vulnerable": false,
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/tcp-st\\/rj45-din:-:*:*:*:*:*:*:*",
"matchCriteriaId": "CE154902-5B25-401C-A096-013AEC156F4E"
}
]
}
]
},
{
"operator": "AND",
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:o:pepperl-fuchs:profinet_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "3.4.9",
"matchCriteriaId": "504996AD-D6AD-4C58-8FBC-293B72E567FC"
}
]
},
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": false,
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/pn-2db9\\/rj45-din:-:*:*:*:*:*:*:*",
"matchCriteriaId": "E53643B1-13E5-4A89-8BE3-5FAA0E8C28C9"
},
{
"vulnerable": false,
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/pn-2st\\/rj45-din:-:*:*:*:*:*:*:*",
"matchCriteriaId": "DA5209DC-117F-46DE-85B2-DA59BDE28255"
},
{
"vulnerable": false,
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/pn-4db9\\/2rj45-din:-:*:*:*:*:*:*:*",
"matchCriteriaId": "1051031D-9D38-43B0-B0A5-D6DA83EC32EE"
},
{
"vulnerable": false,
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/pn-db9\\/rj45-din:-:*:*:*:*:*:*:*",
"matchCriteriaId": "FE812DA2-DF93-4424-9856-FFB1A97461B9"
},
{
"vulnerable": false,
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/pn-db9\\/rj45-pm:-:*:*:*:*:*:*:*",
"matchCriteriaId": "8D85A19A-B02D-4A33-ABC8-4CB705946051"
},
{
"vulnerable": false,
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/pn-st\\/rj45-din:-:*:*:*:*:*:*:*",
"matchCriteriaId": "429274C3-C388-43CF-8D4C-4F71C348B14E"
}
]
}
]
},
{
"operator": "AND",
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:o:pepperl-fuchs:profinet\\/modbus_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.0.7",
"matchCriteriaId": "96BC0CEB-A9B5-45BD-8AF3-73A2C5C56DDD"
}
]
},
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": false,
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/pn1-2db9\\/rj45-din:-:*:*:*:*:*:*:*",
"matchCriteriaId": "AAAC75E1-369D-4417-8A4D-4DE8A6443D9A"
},
{
"vulnerable": false,
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/pn1-2st\\/rj45-din:-:*:*:*:*:*:*:*",
"matchCriteriaId": "BE3B448B-C3E5-48D2-8167-0BDEE44E5A56"
},
{
"vulnerable": false,
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/pn1-4db9\\/2rj45-din:-:*:*:*:*:*:*:*",
"matchCriteriaId": "28BED750-59B0-4B01-8D71-5C73B875C055"
},
{
"vulnerable": false,
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/pn1-db9\\/rj45-din:-:*:*:*:*:*:*:*",
"matchCriteriaId": "53A6C459-94EF-47E5-B0AF-40161AC4ABBC"
},
{
"vulnerable": false,
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/pn1-db9\\/rj45-pm:-:*:*:*:*:*:*:*",
"matchCriteriaId": "40FE8D87-3C85-4749-B519-533006EAFF7D"
},
{
"vulnerable": false,
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/pn1-st\\/rj45-din:-:*:*:*:*:*:*:*",
"matchCriteriaId": "E482103C-13D7-4BE7-AD9E-1EFE1FBDC8C2"
}
]
}
]
},
{
"operator": "AND",
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:o:pepperl-fuchs:modbus_router_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.09",
"matchCriteriaId": "A19029DF-A3AB-4EDD-8655-E7FD8B8A2008"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:pepperl-fuchs:modbus_server_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.11",
"matchCriteriaId": "F8A8EC37-6A6E-4DC0-9EE6-91E2CF2E6471"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:pepperl-fuchs:modbus_tcp_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.11",
"matchCriteriaId": "E746E0B5-1D83-4384-811B-2307F7C43369"
}
]
},
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": false,
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/mod-4db9\\/2rj45-din:-:*:*:*:*:*:*:*",
"matchCriteriaId": "EFE4CDAC-4561-44B5-B348-0CA52935D4F6"
},
{
"vulnerable": false,
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/mod-db9\\/rj45-din:-:*:*:*:*:*:*:*",
"matchCriteriaId": "7576D41E-F76E-4DD8-A2D2-414077324B96"
},
{
"vulnerable": false,
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/mod-st\\/rj45-din:-:*:*:*:*:*:*:*",
"matchCriteriaId": "E444EA03-AA16-41E2-B3C6-E6FFE9283862"
}
]
}
]
},
{
"operator": "AND",
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:o:pepperl-fuchs:ethernet\\/ip_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.22",
"matchCriteriaId": "0358942E-C89F-45B6-92FA-59EA192260F7"
}
]
},
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": false,
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/en-2db9\\/rj45-din:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D67F1B4C-96EA-4768-85CE-6DA4EB63B154"
},
{
"vulnerable": false,
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/en-2st\\/rj45-din:-:*:*:*:*:*:*:*",
"matchCriteriaId": "F108AD5F-2202-4C8C-896B-B1703D8DFFB8"
},
{
"vulnerable": false,
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/en-4db9\\/2rj45-din:-:*:*:*:*:*:*:*",
"matchCriteriaId": "3EC4D443-1860-481C-9574-5FC5106B1B0C"
},
{
"vulnerable": false,
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/en-db9\\/rj45-din:-:*:*:*:*:*:*:*",
"matchCriteriaId": "49F3E1E2-004C-46FC-84A7-07E8AC09B96F"
},
{
"vulnerable": false,
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/en-db9\\/rj45-pm:-:*:*:*:*:*:*:*",
"matchCriteriaId": "368CA225-66FE-4CE2-8E8D-17BDA1A2DBF9"
},
{
"vulnerable": false,
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/en-st\\/rj45-din:-:*:*:*:*:*:*:*",
"matchCriteriaId": "B1378603-4440-4C77-B890-73C9896068C6"
}
]
}
]
},
{
"operator": "AND",
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:o:pepperl-fuchs:eip\\/modbus_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.08",
"matchCriteriaId": "5FCEE06D-1D22-4467-A544-F25E1600D4A2"
}
]
},
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": false,
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/en1-2db9\\/rj45-din:-:*:*:*:*:*:*:*",
"matchCriteriaId": "1223BB5A-6DC0-4778-B248-E40A0FA09D5E"
},
{
"vulnerable": false,
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/en1-2st\\/rj45-din:-:*:*:*:*:*:*:*",
"matchCriteriaId": "BD2CA662-6B40-40BA-9D34-043C0350F8AB"
},
{
"vulnerable": false,
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/en1-4db9\\/2rj45-din:-:*:*:*:*:*:*:*",
"matchCriteriaId": "CB85CB22-4936-4A02-B978-08744F08F054"
},
{
"vulnerable": false,
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/en1-db9\\/rj45-din:-:*:*:*:*:*:*:*",
"matchCriteriaId": "5DF9C895-E0FF-4EE2-9664-0F9063D9F24B"
},
{
"vulnerable": false,
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/en1-db9\\/rj45-pm:-:*:*:*:*:*:*:*",
"matchCriteriaId": "F1C39534-9887-4DEF-9169-FF5B842B1A58"
},
{
"vulnerable": false,
"criteria": "cpe:2.3:h:pepperl-fuchs:icdm-rx\\/en1-st\\/rj45-din:-:*:*:*:*:*:*:*",
"matchCriteriaId": "EEA4298A-DA92-4661-98BA-12580B750B4E"
}
]
}
]
}
],
"references": [
{
"url": "https://cert.vde.com/en/advisories/VDE-2024-033",
"source": "info@cert.vde.com"
"source": "info@cert.vde.com",
"tags": [
"Third Party Advisory"
]
}
]
}
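Review bot: none of the firmware cpeMatch entries added in this hunk (icdm-rx\\/tcp_socketserver_firmware < 11.65, profinet_firmware < 3.4.9, profinet\\/modbus_firmware < 1.0.7, modbus_router_firmware < 7.09, modbus_server_firmware and modbus_tcp_firmware < 7.11, ethernet\\/ip_firmware < 7.22, eip\\/modbus_firmware < 1.08) carries a versionStartIncluding, so every earlier firmware release is matched as vulnerable; check the VDE-2024-033 reference, which this hunk tags "Third Party Advisory", for a first affected version and add a lower bound wherever the advisory gives one. The hardware entries in each AND node are marked `"vulnerable": false`, so only the firmware range drives the match, which is the intended shape for these pairings.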
@ -2,8 +2,8 @@
"id": "CVE-2024-39486",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-06T10:15:03.393",
"lastModified": "2024-07-15T07:15:17.263",
"vulnStatus": "Undergoing Analysis",
"lastModified": "2024-08-22T13:48:52.847",
"vulnStatus": "Analyzed",
"cveTags": [],
"descriptions": [
{
@ -15,19 +15,114 @@
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/drm_file: corrige la ejecuci\u00f3n de recuento de pid filp->pid se supone que es un puntero recontado; sin embargo, antes de este parche, drm_file_update_pid() solo incrementa el recuento de una estructura pid despu\u00e9s de almacenar un puntero a ella en filp->pid y eliminar dev->filelist_mutex, haciendo posible la siguiente ejecuci\u00f3n: proceso A proceso B ==== ===== ========= comenzar drm_file_update_pid mutex_lock(&dev->filelist_mutex) rcu_replace_pointer(filp->pid, , 1) mutex_unlock(&dev->filelist_mutex) begin drm_file_update_pid mutex_lock(&dev- >filelist_mutex) rcu_replace_pointer(filp->pid, , 1) mutex_unlock(&dev->filelist_mutex) get_pid() synchronize_rcu() put_pid() *** pid B alcanza refcount 0 y se libera aqu\u00ed *** get_pid() *** UAF *** synchronize_rcu() put_pid() Hasta donde yo s\u00e9, esta ejecuci\u00f3n solo puede ocurrir con CONFIG_PREEMPT_RCU=y porque requiere que RCU detecte un estado inactivo en el c\u00f3digo que no llame expl\u00edcitamente al programador. Esta ejecuci\u00f3n conduce a use after free de una \"estructura pid\". Probablemente sea algo dif\u00edcil de lograr porque el proceso A tiene que pasar por una operaci\u00f3n synchronize_rcu() mientras que el proceso B est\u00e1 entre mutex_unlock() y get_pid(). Solucionelo asegur\u00e1ndose de que cuando se almacene en el archivo un puntero al pid de la tarea actual, se haya tomado una referencia adicional al pid. Esta soluci\u00f3n tambi\u00e9n elimina la condici\u00f3n de synchronize_rcu(); Creo que la optimizaci\u00f3n es una complejidad innecesaria, ya que en ese caso normalmente habr\u00edamos abandonado la verificaci\u00f3n sin bloqueo anterior."
}
],
"metrics": {},
"metrics": {
"cvssMetricV31": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"attackVector": "LOCAL",
"attackComplexity": "HIGH",
"privilegesRequired": "LOW",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH",
"baseScore": 7.0,
"baseSeverity": "HIGH"
},
"exploitabilityScore": 1.0,
"impactScore": 5.9
}
]
},
"weaknesses": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "CWE-416"
}
]
}
],
"configurations": [
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.6.9",
"versionEndExcluding": "6.6.37",
"matchCriteriaId": "A5921D6B-4FCC-4C29-8923-DE2113CE1C03"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.7",
"versionEndExcluding": "6.9.8",
"matchCriteriaId": "E95105F2-32E3-4C5F-9D18-7AEFD0E6275C"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:6.10:rc1:*:*:*:*:*:*",
"matchCriteriaId": "2EBB4392-5FA6-4DA9-9772-8F9C750109FA"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:6.10:rc2:*:*:*:*:*:*",
"matchCriteriaId": "331C2F14-12C7-45D5-893D-8C52EE38EA10"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:6.10:rc3:*:*:*:*:*:*",
"matchCriteriaId": "3173713D-909A-4DD3-9DD4-1E171EB057EE"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:6.10:rc4:*:*:*:*:*:*",
"matchCriteriaId": "79F18AFA-40F7-43F0-BA30-7BDB65F918B9"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:6.10:rc5:*:*:*:*:*:*",
"matchCriteriaId": "BD973AA4-A789-49BD-8D57-B2846935D3C7"
}
]
}
]
}
],
"references": [
{
"url": "https://git.kernel.org/stable/c/0acce2a5c619ef1abdee783d7fea5eac78ce4844",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/16682588ead4a593cf1aebb33b36df4d1e9e4ffa",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/4f2a129b33a2054e62273edd5a051c34c08d96e9",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
]
}
]
}
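Review bot: the es description kept as context in this hunk collapses the two-column process A / process B timeline of the upstream commit message into one run of text (the `==== ===== =========` header survives but the column layout is gone), so the relative order of rcu_replace_pointer, mutex_unlock, get_pid and synchronize_rcu in the two processes cannot be recovered from it; this is the NVD-supplied translation, so it can only be flagged here, not fixed. The newly added CVSS 3.1 vector AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (7.0) and CWE-416 agree with the description's own statements that the race needs CONFIG_PREEMPT_RCU=y and is probably hard to hit, and the three kernel.org references are now tagged Patch.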
@ -2,13 +2,17 @@
"id": "CVE-2024-39576",
"sourceIdentifier": "security_alert@emc.com",
"published": "2024-08-22T03:15:03.717",
"lastModified": "2024-08-22T03:15:03.717",
"vulnStatus": "Received",
"lastModified": "2024-08-22T12:48:02.790",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Dell Power Manager (DPM), versions 3.15.0 and prior, contains an Incorrect Privilege Assignment vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Code execution and Elevation of privileges."
},
{
"lang": "es",
"value": "Dell Power Manager (DPM), versiones 3.15.0 y anteriores, contiene una vulnerabilidad de asignaci\u00f3n de privilegios incorrecta. Un atacante con pocos privilegios y acceso local podr\u00eda explotar esta vulnerabilidad, lo que provocar\u00eda la ejecuci\u00f3n de c\u00f3digo y la elevaci\u00f3n de privilegios."
}
],
"metrics": {
@ -2,8 +2,8 @@
"id": "CVE-2024-39744",
"sourceIdentifier": "psirt@us.ibm.com",
"published": "2024-08-22T11:15:13.513",
"lastModified": "2024-08-22T11:15:13.513",
"vulnStatus": "Received",
"lastModified": "2024-08-22T12:48:02.790",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
@ -2,8 +2,8 @@
"id": "CVE-2024-39745",
"sourceIdentifier": "psirt@us.ibm.com",
"published": "2024-08-22T11:15:13.710",
"lastModified": "2024-08-22T11:15:13.710",
"vulnStatus": "Received",
"lastModified": "2024-08-22T12:48:02.790",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
@ -2,8 +2,8 @@
"id": "CVE-2024-39746",
"sourceIdentifier": "psirt@us.ibm.com",
"published": "2024-08-22T11:15:13.920",
"lastModified": "2024-08-22T11:15:13.920",
"vulnStatus": "Received",
"lastModified": "2024-08-22T12:48:02.790",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
@ -2,13 +2,17 @@
"id": "CVE-2024-39810",
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"published": "2024-08-22T07:15:03.743",
"lastModified": "2024-08-22T07:15:03.743",
"vulnStatus": "Received",
"lastModified": "2024-08-22T12:48:02.790",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 9.5.x <= 9.5.7 and 9.10.x <= 9.10.0 fail to time limit and size limit the CA path file in the ElasticSearch configuration which allows a System Role with access to the Elasticsearch system console to add any file as a CA path field, such as /dev/zero and, after testing the connection, cause the application to crash."
},
{
"lang": "es",
"value": "Las versiones 9.5.x <= 9.5.7 y 9.10.x <= 9.10.0 de Mattermost no limitan el tiempo ni el tama\u00f1o del archivo de ruta de CA en la configuraci\u00f3n de ElasticSearch, lo que permite que una funci\u00f3n del sistema con acceso a la consola del sistema Elasticsearch agregue cualquier archivo. como un campo de ruta de CA, como /dev/zero y, despu\u00e9s de probar la conexi\u00f3n, provocar que la aplicaci\u00f3n falle."
}
],
"metrics": {
@ -2,13 +2,17 @@
"id": "CVE-2024-39836",
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"published": "2024-08-22T07:15:03.960",
"lastModified": "2024-08-22T07:15:03.960",
"vulnStatus": "Received",
"lastModified": "2024-08-22T12:48:02.790",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 and 9.8.x <= 9.8.2 fail to ensure that remote/synthetic users cannot create sessions or reset passwords, which allows\u00a0the munged email addresses, created by shared channels, to be used to receive email notifications and to reset passwords, when\u00a0they are valid, functional emails."
},
{
"lang": "es",
"value": "Las versiones de Mattermost 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 y 9.8.x <= 9.8.2 no garantizan que los usuarios remotos/sint\u00e9ticos no puedan crear sesiones ni restablecer contrase\u00f1as, que permite que las direcciones de correo electr\u00f3nico eliminadas, creadas por canales compartidos, se utilicen para recibir notificaciones por correo electr\u00f3nico y restablecer contrase\u00f1as, cuando sean correos electr\u00f3nicos v\u00e1lidos y funcionales."
}
],
"metrics": {
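Review bot: the en description in this CVE-2024-39836 hunk contains non-breaking spaces (`allows\u00a0the`, `when\u00a0they`) where ordinary spaces are expected, most likely carried over from the vendor's advisory text; the same artifact appears as `for\u00a0a` in the CVE-2024-40886 hunk further down. These are upstream NVD values and are not changed by this commit, so anything that tokenizes or full-text-searches the en descriptions should normalize U+00A0 to a plain space before matching.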
@ -2,8 +2,8 @@
"id": "CVE-2024-40697",
"sourceIdentifier": "psirt@us.ibm.com",
"published": "2024-08-13T11:15:17.750",
"lastModified": "2024-08-13T12:58:25.437",
"vulnStatus": "Undergoing Analysis",
"lastModified": "2024-08-22T13:27:20.743",
"vulnStatus": "Analyzed",
"cveTags": [],
"descriptions": [
{
@ -17,6 +17,26 @@
],
"metrics": {
"cvssMetricV31": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6
},
{
"source": "psirt@us.ibm.com",
"type": "Secondary",
@ -51,14 +71,38 @@
]
}
],
"configurations": [
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:a:ibm:common_licensing:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "60A24280-F68D-4C5A-B12A-BCC1BDC53FBC"
}
]
}
]
}
],
"references": [
{
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/297895",
"source": "psirt@us.ibm.com"
"source": "psirt@us.ibm.com",
"tags": [
"VDB Entry",
"Vendor Advisory"
]
},
{
"url": "https://www.ibm.com/support/pages/node/7165250",
"source": "psirt@us.ibm.com"
"source": "psirt@us.ibm.com",
"tags": [
"Vendor Advisory"
]
}
]
}
@ -2,13 +2,17 @@
"id": "CVE-2024-40886",
"sourceIdentifier": "responsibledisclosure@mattermost.com",
"published": "2024-08-22T07:15:04.183",
"lastModified": "2024-08-22T07:15:04.183",
"vulnStatus": "Received",
"lastModified": "2024-08-22T12:48:02.790",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2 fail to sanitize user inputs in the frontend that are used for redirection which allows for\u00a0a one-click client-side path traversal that is leading to CSRF in User Management page of the system console."
},
{
"lang": "es",
"value": "Las versiones de Mattermost 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2 no desinfectan las entradas del usuario en la interfaz que se utilizan para la redirecci\u00f3n lo que permite path traversal del lado del cliente con un solo clic que conduce a CSRF en la p\u00e1gina Administraci\u00f3n de usuarios de la consola del sistema."
}
],
"metrics": {
@ -2,8 +2,8 @@
"id": "CVE-2024-41057",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:13.773",
"lastModified": "2024-07-29T16:21:52.517",
"vulnStatus": "Undergoing Analysis",
"lastModified": "2024-08-22T13:38:03.577",
"vulnStatus": "Analyzed",
"cveTags": [],
"descriptions": [
{
@ -15,23 +15,103 @@
"value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: cachefiles: fix slab-use-after-free in cachefiles_withdraw_cookie() Recibimos el siguiente problema en nuestra prueba de estr\u00e9s de inyecci\u00f3n de fallos: ============ ==================================================== ==== ERROR: KASAN: slab-use-after-free en cachefiles_withdraw_cookie+0x4d9/0x600 Lectura de tama\u00f1o 8 en la direcci\u00f3n ffff888118efc000 por tarea kworker/u78:0/109 CPU: 13 PID: 109 Comm: kworker/u78:0 No contaminado 6.8.0-dirty #566 Seguimiento de llamadas: kasan_report+0x93/0xc0 cachefiles_withdraw_cookie+0x4d9/0x600 fscache_cookie_state_machine+0x5c8/0x1230 fscache_cookie_worker+0x91/0x1c0 Process_one_work+0x7fa/0x1800 [...] Asignado por la tarea 117: kmalloc_trace+0x1b3/0x3c0 cachefiles_acquire_volume+0xf3/0x9c0 fscache_create_volume_work+0x97/0x150 Process_one_work+0x7fa/0x1800 [...] Liberado por la tarea 120301: kfree+0xf1/0x2c0 cachefiles_withdraw_cache+0x3fa/0x92 0 cachefiles_put_unbind_pincount+0x1f6/0x250 cachefiles_daemon_release+0x13b/0x290 __fput+0x204/0xa00 task_work_run+0x139/0x230 do_exit+0x87a/0x29b0 [...] 
================================ ==================================== El siguiente es el proceso que desencadena el problema: p1 | p2 ------------------------------------------------- ----------- fscache_begin_lookup fscache_begin_volume_access fscache_cache_is_live(fscache_cache) cachefiles_daemon_release cachefiles_put_unbind_pincount cachefiles_daemon_unbind cachefiles_withdraw_cache fscache_withdraw_cache fscache_set_cache_state(cache, FSCACHE_CACHE_IS_WITHDRAWN); cachefiles_withdraw_objects(cache) fscache_wait_for_objects(fscache) atomic_read(&fscache_cache->object_count) == 0 fscache_perform_lookup cachefiles_lookup_cookie cachefiles_alloc_object refcount_set(&object->ref, 1); objeto->volumen = volumen fscache_count_object(vcookie->cache); atomic_inc(&fscache_cache->object_count) cachefiles_withdraw_volumes cachefiles_withdraw_volume fscache_withdraw_volume __cachefiles_free_volume kfree(cachefiles_volume) fscache_cookie_state_machine cachefiles_withdraw_cookie cache = objeto->volumen->cache; // archivos_cach\u00e9_volumen UAF !!! Despu\u00e9s de configurar FSCACHE_CACHE_IS_WITHDRAWN, primero espere a que se completen todas las b\u00fasquedas de cookies y luego espere a que fscache_cache->object_count == 0 para evitar que la cookie salga despu\u00e9s de que se haya liberado el volumen y desencadene el problema anterior. Por lo tanto, llame a fscache_withdraw_volume() antes de llamar a cachefiles_withdraw_objects(). De esta manera, despu\u00e9s de configurar FSCACHE_CACHE_IS_WITHDRAWN, solo ocurrir\u00e1n los dos casos siguientes: 1) fscache_begin_lookup falla en fscache_begin_volume_access(). 2) fscache_withdraw_volume() garantizar\u00e1 que fscache_count_object() se haya ejecutado antes de llamar a fscache_wait_for_objects()."
}
],
"metrics": {},
"metrics": {
"cvssMetricV31": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"attackVector": "LOCAL",
"attackComplexity": "LOW",
"privilegesRequired": "LOW",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9
}
]
},
"weaknesses": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "CWE-416"
}
]
}
],
"configurations": [
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.17",
"versionEndExcluding": "6.1.101",
"matchCriteriaId": "DB356B3F-4040-49B4-8BB9-E2643A2E9B13"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.2",
"versionEndExcluding": "6.6.42",
"matchCriteriaId": "972274A2-D688-4C37-BE42-689B58B4C225"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.7",
"versionEndExcluding": "6.9.11",
"matchCriteriaId": "01E300B3-8B39-4A2D-8B03-4631433D3915"
}
]
}
]
}
],
"references": [
{
"url": "https://git.kernel.org/stable/c/5d8f805789072ea7fd39504694b7bd17e5f751c4",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/8de253177112a47c9af157d23ae934779188b4e1",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/9e67589a4a7b7e5660b524d1d5fe61242bcbcc11",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/ef81340401e8a371d6b17f69e76d861920972cfe",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
]
}
]
}
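Review bot: the es description in this CVE-2024-41057 hunk is shown broken across two physical lines (the first ends after `[...] ` and the second begins with `=====`); a raw line break inside a JSON string literal is not valid JSON, so confirm that this is only a display wrap in the diff view and that the stored value is a single line with `\n` escapes like every other description in the commit. The value also carries the full KASAN report and stack traces from the commit message, which is upstream NVD content and should stay as delivered rather than be trimmed in the mirror.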
@ -2,8 +2,8 @@
"id": "CVE-2024-41076",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:15.237",
"lastModified": "2024-07-29T16:21:52.517",
"vulnStatus": "Undergoing Analysis",
"lastModified": "2024-08-22T13:23:39.187",
"vulnStatus": "Analyzed",
"cveTags": [],
"descriptions": [
{
@ -15,23 +15,102 @@
"value": " En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: NFSv4: corrige la p\u00e9rdida de memoria en nfs4_set_security_label Filtramos nfs_fattr y nfs4_label cada vez que configuramos un xattr de seguridad."
}
],
"metrics": {},
"metrics": {
"cvssMetricV31": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"attackVector": "LOCAL",
"attackComplexity": "LOW",
"privilegesRequired": "LOW",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6
}
]
},
"weaknesses": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "CWE-401"
}
]
}
],
"configurations": [
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.101",
"matchCriteriaId": "BC2B5B53-6D0E-4FA7-B414-71D3FF089CAA"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.2",
"versionEndExcluding": "6.6.42",
"matchCriteriaId": "972274A2-D688-4C37-BE42-689B58B4C225"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.7",
"versionEndExcluding": "6.9.11",
"matchCriteriaId": "01E300B3-8B39-4A2D-8B03-4631433D3915"
}
]
}
]
}
],
"references": [
{
"url": "https://git.kernel.org/stable/c/899604a7c958771840941caff9ee3dd8193d984c",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/aad11473f8f4be3df86461081ce35ec5b145ba68",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/b98090699319e64f5de1e8db5bb75870f1eb1c6e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/d130220ccc94d74d70da984a199477937e7bf03c",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
]
}
]
}
|
@ -2,8 +2,8 @@
"id": "CVE-2024-41080",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:15.523",
"lastModified": "2024-07-29T16:21:52.517",
"vulnStatus": "Awaiting Analysis",
"lastModified": "2024-08-22T13:39:43.347",
"vulnStatus": "Analyzed",
"cveTags": [],
"descriptions": [
{
@ -15,15 +15,74 @@
"value": "En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: io_uring: soluciona posible punto muerto en io_register_iowq_max_workers() La funci\u00f3n io_register_iowq_max_workers() llama a io_put_sq_data(), que adquiere el sqd->lock sin liberar uring_lock. De manera similar a la confirmaci\u00f3n 009ad9f0c6ee (\"io_uring: drop ctx->uring_lock before adquiring sqd->lock\"), esto puede conducir a una posible situaci\u00f3n de punto muerto. Para resolver este problema, uring_lock se libera antes de llamar a io_put_sq_data() y luego se vuelve a adquirir despu\u00e9s de la llamada a la funci\u00f3n. Este cambio garantiza que los bloqueos se adquieran en el orden correcto, evitando la posibilidad de un punto muerto."
}
],
"metrics": {},
"metrics": {
"cvssMetricV31": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"attackVector": "LOCAL",
"attackComplexity": "LOW",
"privilegesRequired": "LOW",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6
}
]
},
"weaknesses": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "CWE-667"
}
]
}
],
"configurations": [
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9.11",
"matchCriteriaId": "E5165B93-C9B7-47E9-8137-35D791A1B1D1"
}
]
}
]
}
],
"references": [
{
"url": "https://git.kernel.org/stable/c/73254a297c2dd094abec7c9efee32455ae875bdf",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/b571a367502c7ef94c688ef9c7f7d69a2ce3bcca",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
]
}
]
}
@ -2,8 +2,8 @@
"id": "CVE-2024-41084",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T16:15:03.873",
"lastModified": "2024-07-29T16:21:52.517",
"vulnStatus": "Undergoing Analysis",
"lastModified": "2024-08-22T13:18:10.240",
"vulnStatus": "Analyzed",
"cveTags": [],
"descriptions": [
{
@ -15,19 +15,89 @@
"value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: cxl/region: evitar la desreferencia del puntero nulo en la b\u00fasqueda de regiones cxl_dpa_to_region() busca una regi\u00f3n basada en memdev y DPA. Se supone err\u00f3neamente que un endpoint encontrado mapeando el DPA tambi\u00e9n pertenece a una regi\u00f3n completamente ensamblada. Cuando no es cierto, se produce una desreferencia del puntero nulo al buscar el nombre de la regi\u00f3n. Esto aparece durante la prueba de la b\u00fasqueda de regiones despu\u00e9s de un error al ensamblar una regi\u00f3n definida por el BIOS o si la b\u00fasqueda coincidi\u00f3 con el ensamblaje de la regi\u00f3n definida por el BIOS. No limpiar las regiones definidas por el BIOS que fallan en el ensamblaje es un problema en s\u00ed mismo y una soluci\u00f3n a ese problema aliviar\u00e1 parte del impacto. Esto no aliviar\u00e1 las condiciones de carrera, as\u00ed que endurezcamos este camino. El cambio de comportamiento es que el kernel oops debido a una desreferencia de puntero nulo se reemplaza con un mensaje dev_dbg() que indica que se asign\u00f3 un endpoint. Se agregan comentarios adicionales para que los futuros usuarios de esta funci\u00f3n puedan comprender m\u00e1s claramente lo que proporciona."
}
],
"metrics": {},
"metrics": {
"cvssMetricV31": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"attackVector": "LOCAL",
"attackComplexity": "LOW",
"privilegesRequired": "LOW",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6
}
]
},
"weaknesses": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "CWE-476"
}
]
}
],
"configurations": [
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.4",
"versionEndExcluding": "6.6.37",
"matchCriteriaId": "99BA6BEA-A8FA-4C05-955A-F9CF38DD37DD"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.7",
"versionEndExcluding": "6.9.8",
"matchCriteriaId": "E95105F2-32E3-4C5F-9D18-7AEFD0E6275C"
}
]
}
]
}
],
"references": [
{
"url": "https://git.kernel.org/stable/c/285f2a08841432fc3e498b1cd00cce5216cdf189",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/a9e099e29e925f8b31cfe53e8a786b9796f8e453",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/b8a40a6dbfb0150c1081384caa9bbe28ce5d5060",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
]
}
]
}
@ -2,8 +2,8 @@
"id": "CVE-2024-41085",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T16:15:03.960",
"lastModified": "2024-07-29T16:21:52.517",
"vulnStatus": "Undergoing Analysis",
"lastModified": "2024-08-22T13:16:24.190",
"vulnStatus": "Analyzed",
"cveTags": [],
"descriptions": [
{
@ -15,15 +15,75 @@
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: cxl/mem: no se corrige cxl_nvd durante el autoensamblaje de la regi\u00f3n pmem. Cuando el subsistema CXL ensambla autom\u00e1ticamente una regi\u00f3n pmem durante el sondeo del puerto del endpoint cxl, presione siempre debajo de calltrace. ERROR: desreferencia del puntero NULL del kernel, direcci\u00f3n: 0000000000000078 #PF: acceso de lectura del supervisor en modo kernel #PF: c\u00f3digo_error(0x0000) - p\u00e1gina no presente RIP: 0010:cxl_pmem_region_probe+0x22e/0x360 [cxl_pmem] Seguimiento de llamadas: ? __morir+0x24/0x70 ? page_fault_oops+0x82/0x160? do_user_addr_fault+0x65/0x6b0? exc_page_fault+0x7d/0x170? asm_exc_page_fault+0x26/0x30? cxl_pmem_region_probe+0x22e/0x360 [cxl_pmem] ? cxl_pmem_region_probe+0x1ac/0x360 [cxl_pmem] cxl_bus_probe+0x1b/0x60 [cxl_core] really_probe+0x173/0x410? __pfx___device_attach_driver+0x10/0x10 __driver_probe_device+0x80/0x170 driver_probe_device+0x1e/0x90 __device_attach_driver+0x90/0x120 bus_for_each_drv+0x84/0xe0 __device_attach+0xbc/0x1f0 be_device+0x90/0xa0 device_add+0x51c/0x710 devm_cxl_add_pmem_region+0x1b5/0x380 [cxl_core] cxl_bus_probe+ 0x1b/0x60 [cxl_core] El cxl_nvd de memdev debe estar disponible durante el sondeo de la regi\u00f3n pmem. Actualmente, cxl_nvd est\u00e1 registrado despu\u00e9s de la sonda del puerto del endpoint. La sonda de endpoint, en el caso de autoensamblaje de regiones, puede provocar una sonda de regi\u00f3n pmem que requiera el cxl_nvd a\u00fan no disponible. Ajuste la secuencia para que se cumpla esta dependencia. Esto requiere agregar un par\u00e1metro de puerto a cxl_find_nvdimm_bridge() que se puede usar para consultar el puerto ra\u00edz ancestro. El puerto del endpoint a\u00fan no est\u00e1 disponible, pero compartir\u00e1 un ancestro com\u00fan con su padre, as\u00ed que inicie la consulta desde all\u00ed."
}
],
"metrics": {},
"metrics": {
"cvssMetricV31": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"attackVector": "LOCAL",
"attackComplexity": "LOW",
"privilegesRequired": "LOW",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6
}
]
},
"weaknesses": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "CWE-476"
}
]
}
],
"configurations": [
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.2",
"versionEndExcluding": "6.9.8",
"matchCriteriaId": "B1E72D1C-41AE-472D-B8E0-41305E0F9994"
}
]
}
]
}
],
"references": [
{
"url": "https://git.kernel.org/stable/c/1d064e4fbebcf5b18dc10c1f3973487eb163b600",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/84ec985944ef34a34a1605b93ce401aa8737af96",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
]
}
]
}
@ -2,8 +2,8 @@
"id": "CVE-2024-41088",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T16:15:04.217",
"lastModified": "2024-07-29T16:21:52.517",
"vulnStatus": "Undergoing Analysis",
"lastModified": "2024-08-22T13:16:08.143",
"vulnStatus": "Analyzed",
"cveTags": [],
"descriptions": [
{
@ -15,23 +15,103 @@
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: can: mcp251xfd: corrige el bucle infinito cuando falla xmit Cuando falla la funci\u00f3n mcp251xfd_start_xmit(), el controlador deja de procesar mensajes y la rutina de interrupci\u00f3n no regresa, ejecut\u00e1ndose indefinidamente incluso despu\u00e9s de finalizar el aplicaci\u00f3n en ejecuci\u00f3n. Mensajes de error: [441.298819] mcp251xfd spi2.0 can0: ERROR en mcp251xfd_start_xmit: -16 [441.306498] mcp251xfd spi2.0 can0: El b\u00fafer FIFO de evento de transmisi\u00f3n no est\u00e1 vac\u00edo. (seq=0x000017c7, tef_tail=0x000017cf, tef_head=0x000017d0, tx_head=0x000017d3). ... y repetir para siempre. El problema puede desencadenarse cuando varios dispositivos comparten la misma interfaz SPI. Y hay acceso simult\u00e1neo al autob\u00fas. El problema ocurre porque tx_ring->head incrementa incluso si falla mcp251xfd_start_xmit(). En consecuencia, el controlador omite un paquete TX mientras espera una respuesta en mcp251xfd_handle_tefif_one(). Resuelva el problema iniciando una cola de trabajo para escribir el obj tx sincr\u00f3nicamente si err = -EBUSY. En caso de otro error, disminuya tx_ring->head, elimine skb de la pila de eco y elimine el mensaje. [mkl: utilice una redacci\u00f3n m\u00e1s imperativa en la descripci\u00f3n del parche]"
}
],
"metrics": {},
"metrics": {
"cvssMetricV31": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"attackVector": "LOCAL",
"attackComplexity": "LOW",
"privilegesRequired": "LOW",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6
}
]
},
"weaknesses": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "CWE-835"
}
]
}
],
"configurations": [
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10",
"versionEndExcluding": "6.1.97",
"matchCriteriaId": "0D1B1C19-B25B-4A8A-904D-D71AC2162CE0"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.2",
"versionEndExcluding": "6.6.37",
"matchCriteriaId": "D72E033B-5323-4C4D-8818-36E1EBC3535F"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.7",
"versionEndExcluding": "6.9.8",
"matchCriteriaId": "E95105F2-32E3-4C5F-9D18-7AEFD0E6275C"
}
]
}
]
}
],
"references": [
{
"url": "https://git.kernel.org/stable/c/3e72558c1711d524e3150103739ddd06650e291b",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/6c6b4afa59c2fb4d1759235f866d8caed2aa4729",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/d8fb63e46c884c898a38f061c2330f7729e75510",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/f926c022ebaabf7963bebf89a97201d66978a025",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
]
}
]
}
@ -2,8 +2,8 @@
"id": "CVE-2024-41094",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T16:15:04.543",
"lastModified": "2024-07-29T16:21:52.517",
"vulnStatus": "Undergoing Analysis",
"lastModified": "2024-08-22T13:15:40.843",
"vulnStatus": "Analyzed",
"cveTags": [],
"descriptions": [
{
@ -15,19 +15,89 @@
"value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: drm/fbdev-dma: solo configurar smem_start est\u00e1 habilitado por opci\u00f3n de m\u00f3dulo. Solo exporte la estructura fb_info.fix.smem_start si as\u00ed lo requiere el usuario y la memoria no proviene de vmalloc( ). La configuraci\u00f3n de struct fb_info.fix.smem_start interrumpe los sistemas donde la memoria DMA est\u00e1 respaldada por el espacio de direcciones vmalloc. A continuaci\u00f3n se muestra un error de ejemplo. [3.536043] ------------[ cortar aqu\u00ed ]------------ [ 3.540716] virt_to_phys usado para direcciones no lineales: 000000007fc4f540 (0xffff800086001000) [ 3.552628] ADVERTENCIA : CPU: 4 PID: 61 en arch/arm64/mm/physaddr.c:12 __virt_to_phys+0x68/0x98 [ 3.565455] M\u00f3dulos vinculados en: [ 3.568525] CPU: 4 PID: 61 Comm: kworker/u12:5 No contaminado 6.6 .23-06226-g4986cc3e1b75-dirty #250 [ 3.577310] Nombre de hardware: placa NXP i.MX95 19X19 (DT) [ 3.582452] Cola de trabajo: events_unbound deferred_probe_work_func [ 3.588291] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT- SSBS BTYPE=--) [ 3.595233] pc : __virt_to_phys+0x68/0x98 [ 3.599246] lr : __virt_to_phys+0x68/0x98 [ 3.603276] sp : ffff800083603990 [ 3.677939] Rastreo de llamadas: [ 3.68039 3] __virt_to_phys+0x68/0x98 [ 3.684067] drm_fbdev_dma_helper_fb_probe +0x138/0x238 [ 3.689214] __drm_fb_helper_initial_config_and_unlock+0x2b0/0x4c0 [ 3.695385] drm_fb_helper_initial_config+0x4c/0x68 [ 3.700264] xe0 [ 3.705161] drm_client_register+0x60/0xb0 [ 3.709269] drm_fbdev_dma_setup+0x94/0x148 Adem\u00e1s, se supone memoria DMA a por contiguo en el espacio de direcciones f\u00edsicas, lo cual no est\u00e1 garantizado por vmalloc(). Resuelva esto verificando el indicador del m\u00f3dulo drm_leak_fbdev_smem cuando DRM asign\u00f3 la instancia de la estructura fb_info. Luego, Fbdev-dma solo configura smem_start solo si es necesario (a trav\u00e9s de FBINFO_HIDE_SMEM_START). 
Tambi\u00e9n garantice que el framebuffer no est\u00e9 ubicado en el espacio de direcciones vmalloc."
}
],
"metrics": {},
"metrics": {
"cvssMetricV31": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"attackVector": "LOCAL",
"attackComplexity": "LOW",
"privilegesRequired": "LOW",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6
}
]
},
"weaknesses": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
]
}
],
"configurations": [
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.4",
"versionEndExcluding": "6.6.37",
"matchCriteriaId": "99BA6BEA-A8FA-4C05-955A-F9CF38DD37DD"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.7",
"versionEndExcluding": "6.9.8",
"matchCriteriaId": "E95105F2-32E3-4C5F-9D18-7AEFD0E6275C"
}
]
}
]
}
],
"references": [
{
"url": "https://git.kernel.org/stable/c/00702cfa8432ac67a72f56de5e1d278ddea2ebde",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/d92a7580392ad4681b1d4f9275d00b95375ebe01",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/f29fcfbf6067c0d8c83f84a045da9276c08deac5",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
]
}
]
}
@ -2,8 +2,8 @@
"id": "CVE-2024-41097",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T16:15:04.753",
"lastModified": "2024-07-29T16:21:52.517",
"vulnStatus": "Undergoing Analysis",
"lastModified": "2024-08-22T13:14:48.640",
"vulnStatus": "Analyzed",
"cveTags": [],
"descriptions": [
{
@ -15,39 +15,159 @@
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: usb: atm: cxacru: corrige la comprobaci\u00f3n de endpoints en cxacru_bind() Syzbot todav\u00eda informa de un problema bastante antiguo [1] que se produce debido a una comprobaci\u00f3n incompleta de los endpoints USB actuales. Como tal, se pueden usar tipos de endpoints incorrectos en la etapa de env\u00edo de urb, lo que a su vez activa una advertencia en usb_submit_urb(). Solucione el problema verificando que los tipos de endpoints requeridos est\u00e9n presentes tanto para los endpoints de entrada como para los de salida, teniendo en cuenta el tipo de endpoint cmd. Desafortunadamente, este parche no ha sido probado en hardware real. [1] Informe Syzbot: usb 1-1: BOGUS urb xfer, tuber\u00eda 1! = tipo 3 ADVERTENCIA: CPU: 0 PID: 8667 en drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/ core/urb.c:502 M\u00f3dulos vinculados en: CPU: 0 PID: 8667 Comm: kworker/0:4 Not tainted 5.14.0-rc4-syzkaller #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 01 /01/2011 Cola de trabajo: usb_hub_wq hub_event RIP: 0010:usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502 ... 
Seguimiento de llamadas: cxacru_cm+0x3c0/0x8e0 drivers/usb/atm/cxacru.c:649 cxacru_card_status+0x22/0xd0 drivers/usb/atm/cxacru.c:760 cxacru_bind+0x7ac/0x11a0 drivers/usb/atm/cxacru.c:1209 usbatm_usb_probe+0x321/0x1ae0 drivers/usb/atm/usbatm.c:1055 cxacru_usb_probe+ 0xdf/0x1e0 drivers/usb/atm/cxacru.c:1363 usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396 call_driver_probe drivers/base/dd.c:517 [en l\u00ednea] Actually_probe+0x23c/0xcd0 drivers/ base/dd.c:595 __driver_probe_device+0x338/0x4d0 drivers/base/dd.c:747 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:777 __device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:894 bus_for_each_drv +0x15f/0x1e0 drivers/base/bus.c:427 __device_attach+0x228/0x4a0 drivers/base/dd.c:965 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487 device_add+0xc2f/0x2180 drivers/base/ core.c:3354 usb_set_configuration+0x113a/0x1910 drivers/usb/core/message.c:2170 usb_generic_driver_probe+0xba/0x100 drivers/usb/core/generic.c:238 usb_probe_device+0xd9/0x2c0 drivers/usb/core/driver. c:293"
}
],
"metrics": {},
"metrics": {
"cvssMetricV31": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"attackVector": "LOCAL",
"attackComplexity": "LOW",
"privilegesRequired": "LOW",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6
}
]
},
"weaknesses": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
]
}
],
"configurations": [
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.36",
"versionEndExcluding": "4.19.317",
"matchCriteriaId": "F047368E-4579-4AAA-86A2-1456F0A34F5D"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.20",
"versionEndExcluding": "5.4.279",
"matchCriteriaId": "F4E38E58-1B9F-4DF2-AD3D-A8BEAA2959D8"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.5",
"versionEndExcluding": "5.10.221",
"matchCriteriaId": "659E1520-6345-41AF-B893-A7C0647585A0"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.11",
"versionEndExcluding": "5.15.162",
"matchCriteriaId": "10A39ACC-3005-40E8-875C-98A372D1FFD5"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.16",
"versionEndExcluding": "6.1.97",
"matchCriteriaId": "748B6C4B-1F61-47F9-96CC-8899B8412D84"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.2",
"versionEndExcluding": "6.6.37",
"matchCriteriaId": "D72E033B-5323-4C4D-8818-36E1EBC3535F"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.7",
"versionEndExcluding": "6.9.8",
"matchCriteriaId": "E95105F2-32E3-4C5F-9D18-7AEFD0E6275C"
}
]
}
]
}
],
"references": [
{
"url": "https://git.kernel.org/stable/c/1aac4be1aaa5177506219f01dce5e29194e5e95a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/23926d316d2836315cb113569f91393266eb5b47",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/2eabb655a968b862bc0c31629a09f0fbf3c80d51",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/5159a81924311c1ec786ad9fdef784ead8676a6a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/5584c776a1af7807ca815ee6265f2c1429fc5727",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/75ddbf776dd04a09fb9e5267ead5d0c989f84506",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/ac9007520e392541a29daebaae8b9109007bc781",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/f536f09eb45e4de8d1b9accee9d992aa1846f1d4",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
]
}
]
}
@ -2,13 +2,17 @@
"id": "CVE-2024-41572",
"sourceIdentifier": "cve@mitre.org",
"published": "2024-08-21T19:15:13.380",
"lastModified": "2024-08-21T19:15:13.380",
"vulnStatus": "Received",
"lastModified": "2024-08-22T12:48:02.790",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Learning with Texts (LWT) 2.0.3 is vulnerable to Cross Site Scripting (XSS). The application has a specific function that does not filter special characters in URL parameters. Remote attackers can inject JavaScript code without authorization."
},
{
"lang": "es",
"value": "Learning with Texts (LWT) 2.0.3 es vulnerable a Cross Site Scripting (XSS). La aplicaci\u00f3n tiene una funci\u00f3n espec\u00edfica que no filtra caracteres especiales en los par\u00e1metros de la URL. Los atacantes remotos pueden inyectar c\u00f3digo JavaScript sin autorizaci\u00f3n."
}
],
"metrics": {},
@ -2,8 +2,8 @@
"id": "CVE-2024-41623",
"sourceIdentifier": "cve@mitre.org",
"published": "2024-08-13T14:15:12.203",
"lastModified": "2024-08-13T17:11:53.553",
"vulnStatus": "Undergoing Analysis",
"lastModified": "2024-08-22T13:50:16.117",
"vulnStatus": "Analyzed",
"cveTags": [],
"descriptions": [
{
@ -15,15 +15,85 @@
"value": "Un problema en D3D Security D3D IP Camera (D8801) v.V9.1.17.1.4-20180428 permite a un atacante local ejecutar c\u00f3digo arbitrario a trav\u00e9s de un payload manipulado"
}
],
"metrics": {},
"metrics": {
"cvssMetricV31": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9
}
]
},
"weaknesses": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
]
}
],
"configurations": [
{
"operator": "AND",
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:o:d3dsecurity:d8801_firmware:9.1.17.1.4-20180428:*:*:*:*:*:*:*",
"matchCriteriaId": "1C3F351E-C21F-4472-B1A5-F9CBFD8EA9A7"
}
]
},
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": false,
"criteria": "cpe:2.3:h:d3dsecurity:d8801:-:*:*:*:*:*:*:*",
"matchCriteriaId": "F3410840-4985-4639-9462-DA4155AB64FD"
}
]
}
]
}
],
"references": [
{
"url": "http://d3d.com",
"source": "cve@mitre.org"
"source": "cve@mitre.org",
"tags": [
"Not Applicable"
]
},
{
"url": "https://github.com/Anonymous120386/Anonymous",
"source": "cve@mitre.org"
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
]
}
]
}
|
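Review bot: the NVD Primary vector AV:N/AC:L/PR:N/UI:N (baseScore 9.8) contradicts the description in this same hunk, which says a local attacker ("un atacante local") executes arbitrary code via a crafted payload; one of the two is wrong, and with the weakness recorded as NVD-CWE-noinfo and the only Third Party Advisory being a generic GitHub repository (Anonymous120386/Anonymous), nothing in the entry resolves it. Flag the score as unverified for triage rather than propagating 9.8 CRITICAL on its own. The configurations block is the standard firmware-AND-hardware shape (d8801_firmware 9.1.17.1.4-20180428 vulnerable, the d8801 hardware node not vulnerable), and the http://d3d.com reference is correctly tagged Not Applicable.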
@ -2,8 +2,8 @@
|
||||
"id": "CVE-2024-41774",
|
||||
"sourceIdentifier": "psirt@us.ibm.com",
|
||||
"published": "2024-08-13T11:15:17.973",
|
||||
"lastModified": "2024-08-13T12:58:25.437",
|
||||
"vulnStatus": "Undergoing Analysis",
|
||||
"lastModified": "2024-08-22T13:27:39.753",
|
||||
"vulnStatus": "Analyzed",
|
||||
"cveTags": [],
|
||||
"descriptions": [
|
||||
{
|
||||
@ -17,6 +17,26 @@
|
||||
],
|
||||
"metrics": {
|
||||
"cvssMetricV31": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"cvssData": {
|
||||
"version": "3.1",
|
||||
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
|
||||
"attackVector": "NETWORK",
|
||||
"attackComplexity": "LOW",
|
||||
"privilegesRequired": "HIGH",
|
||||
"userInteraction": "REQUIRED",
|
||||
"scope": "CHANGED",
|
||||
"confidentialityImpact": "LOW",
|
||||
"integrityImpact": "LOW",
|
||||
"availabilityImpact": "NONE",
|
||||
"baseScore": 4.8,
|
||||
"baseSeverity": "MEDIUM"
|
||||
},
|
||||
"exploitabilityScore": 1.7,
|
||||
"impactScore": 2.7
|
||||
},
|
||||
{
|
||||
"source": "psirt@us.ibm.com",
|
||||
"type": "Secondary",
|
||||
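Review bot: the NVD Primary score (4.8, PR:H/UI:R/S:C/C:L/I:L/A:N) is the shape NVD gives a stored XSS that only a privileged user can plant, but the Secondary entry from psirt@us.ibm.com that follows is cut off at the hunk boundary, so the two vectors cannot be compared here. Since cvssMetricV31 is an array and the Primary element is listed first, confirm that consumers select by "type" rather than by array position, and check the IBM vector against this one before relying on the MEDIUM severity.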
@ -51,14 +71,38 @@
|
||||
]
|
||||
}
|
||||
],
|
||||
"configurations": [
|
||||
{
|
||||
"nodes": [
|
||||
{
|
||||
"operator": "OR",
|
||||
"negate": false,
|
||||
"cpeMatch": [
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:a:ibm:common_licensing:9.0:*:*:*:*:*:*:*",
|
||||
"matchCriteriaId": "60A24280-F68D-4C5A-B12A-BCC1BDC53FBC"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"references": [
|
||||
{
|
||||
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/350348",
|
||||
"source": "psirt@us.ibm.com"
|
||||
"source": "psirt@us.ibm.com",
|
||||
"tags": [
|
||||
"VDB Entry",
|
||||
"Vendor Advisory"
|
||||
]
|
||||
},
|
||||
{
|
||||
"url": "https://www.ibm.com/support/pages/node/7165251",
|
||||
"source": "psirt@us.ibm.com"
|
||||
"source": "psirt@us.ibm.com",
|
||||
"tags": [
|
||||
"Vendor Advisory"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
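Review bot: the cpeMatch pins cpe:2.3:a:ibm:common_licensing:9.0 exactly, with no versionStartIncluding or versionEndExcluding, so a fix-pack level such as 9.0.x would not match. The IBM support page referenced (node/7165251) is where to confirm whether the advisory is stated at fix-pack granularity; if it is, the configuration needs a range rather than an exact version. The reference tags added here (VDB Entry on the X-Force page, Vendor Advisory on both URLs) look right.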
@ -2,13 +2,17 @@
|
||||
"id": "CVE-2024-42056",
|
||||
"sourceIdentifier": "cve@mitre.org",
|
||||
"published": "2024-08-22T01:15:03.460",
|
||||
"lastModified": "2024-08-22T01:15:03.460",
|
||||
"vulnStatus": "Received",
|
||||
"lastModified": "2024-08-22T12:48:02.790",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"cveTags": [],
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "Retool (self-hosted enterprise) through 3.40.0 inserts resource authentication credentials into sent data. Credentials for users with \"Use\" permissions can be discovered (by an authenticated attacker) via the /api/resources endpoint. The earliest affected version is 3.18.1."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Retool (empresa autohospedada) hasta 3.40.0 inserta credenciales de autenticaci\u00f3n de recursos en los datos enviados. Las credenciales de los usuarios con permisos de \"Uso\" pueden ser descubiertas (por un atacante autenticado) a trav\u00e9s del endpoint /api/resources. La primera versi\u00f3n afectada es la 3.18.1."
|
||||
}
|
||||
],
|
||||
"metrics": {},
|
||||
|
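Review bot: the affected range is fully stated in the description (earliest affected 3.18.1, through 3.40.0 inclusive) and the attacker is an authenticated user with only "Use" permission on a resource, so the missing configurations and metrics blocks are a timing matter, not a data gap; a consumer can pre-build a versionStartIncluding 3.18.1 / versionEndIncluding 3.40.0 match for Retool self-hosted from this text. Note that what leaks through /api/resources is resource authentication credentials (the secrets Retool holds to reach backend resources), not user passwords, and an upgrade does not retroactively protect credentials already served to authenticated users, so rotation of those resource credentials is the follow-up, not just the version bump.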
@ -2,8 +2,8 @@
|
||||
"id": "CVE-2024-42101",
|
||||
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
|
||||
"published": "2024-07-30T08:15:02.647",
|
||||
"lastModified": "2024-07-30T13:32:45.943",
|
||||
"vulnStatus": "Undergoing Analysis",
|
||||
"lastModified": "2024-08-22T12:58:21.527",
|
||||
"vulnStatus": "Analyzed",
|
||||
"cveTags": [],
|
||||
"descriptions": [
|
||||
{
|
||||
@ -15,39 +15,159 @@
|
||||
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/nouveau: corrige la desreferencia del puntero null en nouveau_connector_get_modes En nouveau_connector_get_modes(), el valor de retorno de drm_mode_duplicate() se asigna al modo, lo que conducir\u00e1 a una posible desreferencia del puntero NULL en caso de fallo. de drm_mode_duplicate(). Agregue una marca para evitar npd."
|
||||
}
|
||||
],
|
||||
"metrics": {},
|
||||
"metrics": {
|
||||
"cvssMetricV31": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"cvssData": {
|
||||
"version": "3.1",
|
||||
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
|
||||
"attackVector": "LOCAL",
|
||||
"attackComplexity": "LOW",
|
||||
"privilegesRequired": "LOW",
|
||||
"userInteraction": "NONE",
|
||||
"scope": "UNCHANGED",
|
||||
"confidentialityImpact": "NONE",
|
||||
"integrityImpact": "NONE",
|
||||
"availabilityImpact": "HIGH",
|
||||
"baseScore": 5.5,
|
||||
"baseSeverity": "MEDIUM"
|
||||
},
|
||||
"exploitabilityScore": 1.8,
|
||||
"impactScore": 3.6
|
||||
}
|
||||
]
|
||||
},
|
||||
"weaknesses": [
|
||||
{
|
||||
"source": "nvd@nist.gov",
|
||||
"type": "Primary",
|
||||
"description": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "CWE-476"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"configurations": [
|
||||
{
|
||||
"nodes": [
|
||||
{
|
||||
"operator": "OR",
|
||||
"negate": false,
|
||||
"cpeMatch": [
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
|
||||
"versionStartIncluding": "2.6.33",
|
||||
"versionEndExcluding": "4.19.318",
|
||||
"matchCriteriaId": "3B1B0891-675D-44A6-A78B-4BCE21CD8A4E"
|
||||
},
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
|
||||
"versionStartIncluding": "4.20",
|
||||
"versionEndExcluding": "5.4.280",
|
||||
"matchCriteriaId": "625DBFAB-C3D0-4309-A27F-12D6428FB38F"
|
||||
},
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
|
||||
"versionStartIncluding": "5.5",
|
||||
"versionEndExcluding": "5.10.222",
|
||||
"matchCriteriaId": "00696AC5-EE29-437F-97F9-C4D66608B327"
|
||||
},
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
|
||||
"versionStartIncluding": "5.11",
|
||||
"versionEndExcluding": "5.15.163",
|
||||
"matchCriteriaId": "A97DEB09-4927-40F8-B5C6-F5BD5EAE0CFD"
|
||||
},
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
|
||||
"versionStartIncluding": "5.16",
|
||||
"versionEndExcluding": "6.1.98",
|
||||
"matchCriteriaId": "E09E92A5-27EF-40E4-926A-B1CDC8270551"
|
||||
},
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
|
||||
"versionStartIncluding": "6.2",
|
||||
"versionEndExcluding": "6.6.39",
|
||||
"matchCriteriaId": "29E894E4-668F-4DB0-81F7-4FB5F698E970"
|
||||
},
|
||||
{
|
||||
"vulnerable": true,
|
||||
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
|
||||
"versionStartIncluding": "6.7",
|
||||
"versionEndExcluding": "6.9.9",
|
||||
"matchCriteriaId": "ADCC1407-0CB3-4C8F-B4C5-07F682CD7085"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"references": [
|
||||
{
|
||||
"url": "https://git.kernel.org/stable/c/1f32535238493008587a8c5cb17eb2ca097592ef",
|
||||
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
|
||||
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
|
||||
"tags": [
|
||||
"Patch"
|
||||
]
|
||||
},
|
||||
{
|
||||
"url": "https://git.kernel.org/stable/c/274cba8d2d1b48c72d8bd90e76c9e2dc1aa0a81d",
|
||||
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
|
||||
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
|
||||
"tags": [
|
||||
"Patch"
|
||||
]
|
||||
},
|
||||
{
|
||||
"url": "https://git.kernel.org/stable/c/744b229f09134ccd091427a6f9ea6d97302cfdd9",
|
||||
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
|
||||
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
|
||||
"tags": [
|
||||
"Patch"
|
||||
]
|
||||
},
|
||||
{
|
||||
"url": "https://git.kernel.org/stable/c/7db5411c5d0bd9c29b8c2ad93c36b5c16ea46c9e",
|
||||
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
|
||||
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
|
||||
"tags": [
|
||||
"Patch"
|
||||
]
|
||||
},
|
||||
{
|
||||
"url": "https://git.kernel.org/stable/c/80bec6825b19d95ccdfd3393cf8ec15ff2a749b4",
|
||||
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
|
||||
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
|
||||
"tags": [
|
||||
"Patch"
|
||||
]
|
||||
},
|
||||
{
|
||||
"url": "https://git.kernel.org/stable/c/9baf60323efa992b7c915094529f0a1882c34e7e",
|
||||
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
|
||||
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
|
||||
"tags": [
|
||||
"Patch"
|
||||
]
|
||||
},
|
||||
{
|
||||
"url": "https://git.kernel.org/stable/c/e36364f5f3785d054a94e57e971385284886d41a",
|
||||
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
|
||||
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
|
||||
"tags": [
|
||||
"Patch"
|
||||
]
|
||||
},
|
||||
{
|
||||
"url": "https://git.kernel.org/stable/c/f48dd3f19614022f2e1b794fbd169d2b4c398c07",
|
||||
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
|
||||
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
|
||||
"tags": [
|
||||
"Patch"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
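Review bot: the seven linux_kernel ranges are contiguous (2.6.33 to 4.19.318, 4.20 to 5.4.280, 5.5 to 5.10.222, 5.11 to 5.15.163, 5.16 to 6.1.98, 6.2 to 6.6.39, 6.7 to 6.9.9) and there are eight git.kernel.org/stable commits tagged Patch, which fits seven stable backports plus the mainline fix; what is missing is any entry for the 6.10 release candidates, so a 6.10-rc kernel built before the mainline commit matches nothing in this configuration. CWE-476 and AV:L/PR:L/A:H are consistent with a NULL dereference reachable from a DRM connector mode query, so the weakness and score agree with the description.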
@ -2,13 +2,17 @@
|
||||
"id": "CVE-2024-42411",
|
||||
"sourceIdentifier": "responsibledisclosure@mattermost.com",
|
||||
"published": "2024-08-22T07:15:04.397",
|
||||
"lastModified": "2024-08-22T07:15:04.397",
|
||||
"vulnStatus": "Received",
|
||||
"lastModified": "2024-08-22T12:48:02.790",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"cveTags": [],
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2 fail to restrict the input in POST /api/v4/users which allows\u00a0a user to manipulate the creation date in POST /api/v4/users tricking the admin into believing their account is much older."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Las versiones de Mattermost 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2 no pueden restringir la entrada en POST /api/v4/users lo que permite a un usuario manipular la fecha de creaci\u00f3n en POST /api/v4/users enga\u00f1ando al administrador haci\u00e9ndole creer que su cuenta es mucho m\u00e1s antigua."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
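Review bot: the English description contains a non-breaking space (the \u00a0 in "allows\u00a0a user"), which survives into the JSON and will break naive whitespace tokenisation, keyword search and diffing against the CNA's own advisory text; it is upstream NVD data, so it cannot be corrected in this mirror, but consumers should normalise Unicode whitespace before matching on description text. The metrics block is already non-empty while the status is still Awaiting Analysis, so any CVSS present is the Mattermost CNA's Secondary score, not an NVD Primary one.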
@ -2,13 +2,17 @@
|
||||
"id": "CVE-2024-42777",
|
||||
"sourceIdentifier": "cve@mitre.org",
|
||||
"published": "2024-08-21T18:15:09.930",
|
||||
"lastModified": "2024-08-21T21:35:09.833",
|
||||
"vulnStatus": "Received",
|
||||
"lastModified": "2024-08-22T12:48:02.790",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"cveTags": [],
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "An Unrestricted file upload vulnerability was found in \"/music/ajax.php?action=signup\" of Kashipara Music Management System v1.0, which allows attackers to execute arbitrary code via uploading a crafted PHP file."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Se encontr\u00f3 una vulnerabilidad de carga de archivos sin restricciones en \"/music/ajax.php?action=signup\" de Kashipara Music Management System v1.0, que permite a los atacantes ejecutar c\u00f3digo arbitrario cargando un archivo PHP manipulado."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
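Review bot: the removed lastModified (2024-08-21T21:35:09.833) is later than published (18:15:09.930) and the metrics block is non-empty, so a score was attached to this entry before the status sweep; with vulnStatus still Awaiting Analysis that score is not NVD's and should be treated as Secondary. This is the first of four unrestricted-upload entries for Kashipara Music Management System v1.0 in this commit (CVE-2024-42777 through CVE-2024-42780) that differ only in the ajax.php action (signup, save_playlist, save_music, save_genre); they will share one CPE and one fix, so de-duplicate by product when building a remediation list.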
@ -2,13 +2,17 @@
|
||||
"id": "CVE-2024-42778",
|
||||
"sourceIdentifier": "cve@mitre.org",
|
||||
"published": "2024-08-21T18:15:10.003",
|
||||
"lastModified": "2024-08-21T18:15:10.003",
|
||||
"vulnStatus": "Received",
|
||||
"lastModified": "2024-08-22T12:48:02.790",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"cveTags": [],
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "An Unrestricted file upload vulnerability was found in \"/music/ajax.php?action=save_playlist\" in Kashipara Music Management System v1.0. This allows attackers to execute arbitrary code via uploading a crafted PHP file."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Se encontr\u00f3 una vulnerabilidad de carga de archivos sin restricciones en \"/music/ajax.php?action=save_playlist\" en Kashipara Music Management System v1.0. Esto permite a los atacantes ejecutar c\u00f3digo arbitrario cargando un archivo PHP manipulado."
|
||||
}
|
||||
],
|
||||
"metrics": {},
|
||||
|
@ -2,13 +2,17 @@
|
||||
"id": "CVE-2024-42779",
|
||||
"sourceIdentifier": "cve@mitre.org",
|
||||
"published": "2024-08-21T18:15:10.073",
|
||||
"lastModified": "2024-08-21T18:15:10.073",
|
||||
"vulnStatus": "Received",
|
||||
"lastModified": "2024-08-22T12:48:02.790",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"cveTags": [],
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "An Unrestricted file upload vulnerability was found in \"/music/ajax.php?action=save_music\" in Kashipara Music Management System v1.0. This allows attackers to execute arbitrary code via uploading a crafted PHP file."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Se encontr\u00f3 una vulnerabilidad de carga de archivos sin restricciones en \"/music/ajax.php?action=save_music\" en Kashipara Music Management System v1.0. Esto permite a los atacantes ejecutar c\u00f3digo arbitrario cargando un archivo PHP manipulado."
|
||||
}
|
||||
],
|
||||
"metrics": {},
|
||||
|
@ -2,13 +2,17 @@
|
||||
"id": "CVE-2024-42780",
|
||||
"sourceIdentifier": "cve@mitre.org",
|
||||
"published": "2024-08-21T18:15:10.150",
|
||||
"lastModified": "2024-08-21T18:15:10.150",
|
||||
"vulnStatus": "Received",
|
||||
"lastModified": "2024-08-22T12:48:02.790",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"cveTags": [],
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "An Unrestricted file upload vulnerability was found in \"/music/ajax.php?action=save_genre\" in Kashipara Music Management System v1.0. This allows attackers to execute arbitrary code via uploading a crafted PHP file."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Se encontr\u00f3 una vulnerabilidad de carga de archivos sin restricciones en \"/music/ajax.php?action=save_genre\" en Kashipara Music Management System v1.0. Esto permite a los atacantes ejecutar c\u00f3digo arbitrario cargando un archivo PHP manipulado."
|
||||
}
|
||||
],
|
||||
"metrics": {},
|
||||
|
@ -2,13 +2,17 @@
|
||||
"id": "CVE-2024-42781",
|
||||
"sourceIdentifier": "cve@mitre.org",
|
||||
"published": "2024-08-21T18:15:10.227",
|
||||
"lastModified": "2024-08-21T18:15:10.227",
|
||||
"vulnStatus": "Received",
|
||||
"lastModified": "2024-08-22T12:48:02.790",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"cveTags": [],
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "A SQL injection vulnerability in \"/music/ajax.php?action=login\" of Kashipara Music Management System v1.0 allows remote attackers to execute arbitrary SQL commands and bypass Login via the email parameter."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Una vulnerabilidad de inyecci\u00f3n SQL en \"/music/ajax.php?action=login\" de Kashipara Music Management System v1.0 permite a atacantes remotos ejecutar comandos SQL arbitrarios y omitir el inicio de sesi\u00f3n mediante el par\u00e1metro de correo electr\u00f3nico."
|
||||
}
|
||||
],
|
||||
"metrics": {},
|
||||
|
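Review bot: unlike the other Kashipara SQL injection entries in this commit, this one is described as a login bypass (arbitrary SQL via the email parameter of action=login), which makes it the natural unauthenticated entry point for chaining into the file upload entries (CVE-2024-42777 through CVE-2024-42780); when NVD scores it, expect PR:N, and prioritise it above the id, pid and search parameter injections whose descriptions say nothing about what access is needed to reach them.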
@ -2,13 +2,17 @@
|
||||
"id": "CVE-2024-42782",
|
||||
"sourceIdentifier": "cve@mitre.org",
|
||||
"published": "2024-08-21T18:15:10.303",
|
||||
"lastModified": "2024-08-21T18:15:10.303",
|
||||
"vulnStatus": "Received",
|
||||
"lastModified": "2024-08-22T12:48:02.790",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"cveTags": [],
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "A SQL injection vulnerability in \"/music/ajax.php?action=find_music\" in Kashipara Music Management System v1.0 allows an attacker to execute arbitrary SQL commands via the \"search\" parameter."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Una vulnerabilidad de inyecci\u00f3n SQL en \"/music/ajax.php?action=find_music\" en Kashipara Music Management System v1.0 permite a un atacante ejecutar comandos SQL arbitrarios a trav\u00e9s del par\u00e1metro \"buscar\"."
|
||||
}
|
||||
],
|
||||
"metrics": {},
|
||||
|
@ -2,13 +2,17 @@
|
||||
"id": "CVE-2024-42783",
|
||||
"sourceIdentifier": "cve@mitre.org",
|
||||
"published": "2024-08-21T18:15:10.453",
|
||||
"lastModified": "2024-08-21T18:15:10.453",
|
||||
"vulnStatus": "Received",
|
||||
"lastModified": "2024-08-22T12:48:02.790",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"cveTags": [],
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "Kashipara Music Management System v1.0 is vulnerable to SQL Injection via /music/manage_playlist_items.php. An attacker can execute arbitrary SQL commands via the \"pid\" parameter."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Kashipara Music Management System v1.0 es vulnerable a la inyecci\u00f3n SQL a trav\u00e9s de /music/manage_playlist_items.php. Un atacante puede ejecutar comandos SQL arbitrarios mediante el par\u00e1metro \"pid\"."
|
||||
}
|
||||
],
|
||||
"metrics": {},
|
||||
|
@ -2,13 +2,17 @@
|
||||
"id": "CVE-2024-42784",
|
||||
"sourceIdentifier": "cve@mitre.org",
|
||||
"published": "2024-08-21T18:15:10.630",
|
||||
"lastModified": "2024-08-21T18:15:10.630",
|
||||
"vulnStatus": "Received",
|
||||
"lastModified": "2024-08-22T12:48:02.790",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"cveTags": [],
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "A SQL injection vulnerability in \"/music/controller.php?page=view_music\" in Kashipara Music Management System v1.0 allows an attacker to execute arbitrary SQL commands via the \"id\" parameter."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Una vulnerabilidad de inyecci\u00f3n SQL en \"/music/controller.php?page=view_music\" en Kashipara Music Management System v1.0 permite a un atacante ejecutar comandos SQL arbitrarios a trav\u00e9s del par\u00e1metro \"id\"."
|
||||
}
|
||||
],
|
||||
"metrics": {},
|
||||
|
@ -2,13 +2,17 @@
|
||||
"id": "CVE-2024-42785",
|
||||
"sourceIdentifier": "cve@mitre.org",
|
||||
"published": "2024-08-21T18:15:10.707",
|
||||
"lastModified": "2024-08-21T18:15:10.707",
|
||||
"vulnStatus": "Received",
|
||||
"lastModified": "2024-08-22T12:48:02.790",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"cveTags": [],
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "A SQL injection vulnerability in /music/index.php?page=view_playlist in Kashipara Music Management System v1.0 allows an attacker to execute arbitrary SQL commands via the \"id\" parameter."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Una vulnerabilidad de inyecci\u00f3n SQL en /music/index.php?page=view_playlist en Kashipara Music Management System v1.0 permite a un atacante ejecutar comandos SQL arbitrarios a trav\u00e9s del par\u00e1metro \"id\"."
|
||||
}
|
||||
],
|
||||
"metrics": {},
|
||||
|
@ -2,13 +2,17 @@
|
||||
"id": "CVE-2024-42786",
|
||||
"sourceIdentifier": "cve@mitre.org",
|
||||
"published": "2024-08-21T18:15:10.783",
|
||||
"lastModified": "2024-08-21T21:35:10.637",
|
||||
"vulnStatus": "Received",
|
||||
"lastModified": "2024-08-22T12:48:02.790",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"cveTags": [],
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "A SQL injection vulnerability in \"/music/view_user.php\" in Kashipara Music Management System v1.0 allows an attacker to execute arbitrary SQL commands via the \"id\" parameter of View User Profile Page."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Una vulnerabilidad de inyecci\u00f3n SQL en \"/music/view_user.php\" en Kashipara Music Management System v1.0 permite a un atacante ejecutar comandos SQL arbitrarios a trav\u00e9s del par\u00e1metro \"id\" de Ver p\u00e1gina de perfil de usuario."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
@ -2,13 +2,17 @@
|
||||
"id": "CVE-2024-43033",
|
||||
"sourceIdentifier": "cve@mitre.org",
|
||||
"published": "2024-08-22T01:15:03.540",
|
||||
"lastModified": "2024-08-22T01:15:03.540",
|
||||
"vulnStatus": "Received",
|
||||
"lastModified": "2024-08-22T12:48:02.790",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"cveTags": [],
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "JPress through 5.1.1 on Windows has an arbitrary file upload vulnerability that could cause arbitrary code execution via ::$DATA to AttachmentController, such as a .jsp::$DATA file to io.jpress.web.commons.controller.AttachmentController#upload. NOTE: this is unrelated to the attack vector for CVE-2024-32358."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "JPress hasta 5.1.1 en Windows tiene una vulnerabilidad de carga de archivos arbitrarios que podr\u00eda causar la ejecuci\u00f3n de c\u00f3digo arbitrario a trav\u00e9s de ::$DATA a AttachmentController, como un archivo .jsp::$DATA a io.jpress.web.commons.controller.AttachmentController# subir. NOTA: esto no est\u00e1 relacionado con el vector de ataque de CVE-2024-32358."
|
||||
}
|
||||
],
|
||||
"metrics": {},
|
||||
|
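Review bot: the bypass relies on the NTFS alternate data stream suffix ::$DATA, which names the default data stream of a file, so a name like shell.jsp::$DATA passes an extension check that looks at the trailing characters and is written to disk as shell.jsp; that is why the description scopes the issue to Windows. When NVD builds configurations, a target-platform node for Windows is needed, otherwise JPress deployments on Linux will match falsely. The explicit NOTE that this is unrelated to CVE-2024-32358 should be carried through any de-duplication logic that merges JPress upload CVEs.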
56
CVE-2024/CVE-2024-433xx/CVE-2024-43331.json
Normal file
@ -0,0 +1,56 @@
|
||||
{
|
||||
"id": "CVE-2024-43331",
|
||||
"sourceIdentifier": "audit@patchstack.com",
|
||||
"published": "2024-08-22T12:15:05.600",
|
||||
"lastModified": "2024-08-22T12:48:02.790",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"cveTags": [],
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "Missing Authorization vulnerability in VeronaLabs WP SMS.This issue affects WP SMS: from n/a through 6.9.3."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
"cvssMetricV31": [
|
||||
{
|
||||
"source": "audit@patchstack.com",
|
||||
"type": "Secondary",
|
||||
"cvssData": {
|
||||
"version": "3.1",
|
||||
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
|
||||
"attackVector": "NETWORK",
|
||||
"attackComplexity": "LOW",
|
||||
"privilegesRequired": "NONE",
|
||||
"userInteraction": "NONE",
|
||||
"scope": "UNCHANGED",
|
||||
"confidentialityImpact": "NONE",
|
||||
"integrityImpact": "LOW",
|
||||
"availabilityImpact": "NONE",
|
||||
"baseScore": 5.3,
|
||||
"baseSeverity": "MEDIUM"
|
||||
},
|
||||
"exploitabilityScore": 3.9,
|
||||
"impactScore": 1.4
|
||||
}
|
||||
]
|
||||
},
|
||||
"weaknesses": [
|
||||
{
|
||||
"source": "audit@patchstack.com",
|
||||
"type": "Primary",
|
||||
"description": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "CWE-862"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"references": [
|
||||
{
|
||||
"url": "https://patchstack.com/database/vulnerability/wp-sms/wordpress-wp-sms-plugin-6-9-3-broken-access-control-vulnerability?_s_id=cve",
|
||||
"source": "audit@patchstack.com"
|
||||
}
|
||||
]
|
||||
}
|
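Review bot: the affected range is "from n/a through 6.9.3" with no lower bound, so any configurations block derived from it needs versionEndIncluding 6.9.3 with no start, and consumers should treat every WP SMS release up to 6.9.3 as affected rather than waiting for NVD. CWE-862 (Missing Authorization) matches the "broken-access-control" wording of the Patchstack URL, and the 5.3 vector (PR:N with I:L only) says an unauthenticated caller can change something but not read or disrupt; that score is Secondary from audit@patchstack.com, so an NVD Primary score may still differ. The single reference URL carries the tracking parameter _s_id=cve; strip it when de-duplicating references across feeds.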
@ -2,13 +2,17 @@
|
||||
"id": "CVE-2024-43813",
|
||||
"sourceIdentifier": "responsibledisclosure@mattermost.com",
|
||||
"published": "2024-08-22T07:15:04.620",
|
||||
"lastModified": "2024-08-22T07:15:04.620",
|
||||
"vulnStatus": "Received",
|
||||
"lastModified": "2024-08-22T12:48:02.790",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"cveTags": [],
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "Mattermost versions 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 fail to enforce proper access controls which allows\u00a0any authenticated user, including guests, to mark any channel inside any team as read for any user."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Las versiones 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 de Mattermost no aplican controles de acceso adecuados que permiten a cualquier usuario autenticado, incluidos los invitados, marcar cualquier canal dentro de cualquier equipo como le\u00eddo para cualquier usuario."
|
||||
}
|
||||
],
|
||||
"metrics": {
|
||||
|
@ -2,13 +2,17 @@
|
||||
"id": "CVE-2024-45163",
|
||||
"sourceIdentifier": "cve@mitre.org",
|
||||
"published": "2024-08-22T04:15:20.247",
|
||||
"lastModified": "2024-08-22T04:15:20.247",
|
||||
"vulnStatus": "Received",
|
||||
"lastModified": "2024-08-22T12:48:02.790",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"cveTags": [],
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "The Mirai botnet through 2024-08-19 mishandles simultaneous TCP connections to the CNC (command and control) server. Unauthenticated sessions remain open, causing resource consumption. For example, an attacker can send a recognized username (such as root), or can send arbitrary data."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Mirai botnet hasta el 19 de agosto de 2024 maneja mal las conexiones TCP simult\u00e1neas al servidor CNC (comando y control). Las sesiones no autenticadas permanecen abiertas, lo que provoca un consumo de recursos. Por ejemplo, un atacante puede enviar un nombre de usuario reconocido (como root) o puede enviar datos arbitrarios."
|
||||
}
|
||||
],
|
||||
"metrics": {},
|
||||
|
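Review bot: the subject here is malware (the Mirai botnet's command-and-control server) and the affected range is a date ("through 2024-08-19") rather than a version, so there is no vendor CPE to match and no patch reference to expect; the entry is relevant to takedown and offensive tooling (exhausting a CNC's unauthenticated sessions by sending a recognised username or arbitrary data) but will never fire in asset-inventory matching. Treat it accordingly in any pipeline that raises alerts on Awaiting Analysis entries with empty metrics.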
@ -2,13 +2,17 @@
|
||||
"id": "CVE-2024-45165",
|
||||
"sourceIdentifier": "cve@mitre.org",
|
||||
"published": "2024-08-22T04:15:22.310",
|
||||
"lastModified": "2024-08-22T04:15:22.310",
|
||||
"vulnStatus": "Received",
|
||||
"lastModified": "2024-08-22T12:48:02.790",
|
||||
"vulnStatus": "Awaiting Analysis",
|
||||
"cveTags": [],
|
||||
"descriptions": [
|
||||
{
|
||||
"lang": "en",
|
||||
"value": "An issue was discovered in UCI IDOL 2 (aka uciIDOL or IDOL2) through 2.12. Data is sent between client and server with encryption. However, the key is derived from the string \"(c)2007 UCI Software GmbH B.Boll\" (without quotes). The key is both static and hardcoded. With access to messages, this results in message decryption and encryption by an attacker. Thus, it enables passive and active man-in-the-middle attacks."
|
||||
},
|
||||
{
|
||||
"lang": "es",
|
||||
"value": "Se descubri\u00f3 un problema en UCI IDOL 2 (tambi\u00e9n conocido como uciIDOL o IDOL2) hasta 2.12. Los datos se env\u00edan entre el cliente y el servidor con cifrado. Sin embargo, la clave se deriva de la cadena \"(c)2007 UCI Software GmbH B.Boll\" (sin comillas). La clave es est\u00e1tica y est\u00e1 codificada. Con el acceso a los mensajes, esto da como resultado que un atacante descifre y cifre los mensajes. Por lo tanto, permite ataques de intermediario pasivos y activos."
|
||||
}
|
||||
],
|
||||
"metrics": {},
|
||||
|
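Review bot: the description amounts to a hard-coded cryptographic key (derived from the fixed string "(c)2007 UCI Software GmbH B.Boll"), which is CWE-321 territory, and because the seed is now published, anyone who can observe IDOL2 client-server traffic can decrypt and forge messages, exactly the passive and active man-in-the-middle the text describes; a vendor update that merely swaps in a different static string would leave the same weakness in place. No weakness or metrics block is in this hunk yet, but the stated impact (decryption and forgery of all messages) implies both confidentiality and integrity loss when it is scored.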
Some files were not shown because too many files have changed in this diff.