admin/nvd-json-data-feeds
1
0
Fork 0
mirror of https://github.com/fkie-cad/nvd-json-data-feeds.git synced 2025-05-08 19:47:09 +00:00
Code Issues Packages Projects Releases Wiki Activity

Auto-Update: 2024-05-21T16:00:31.608050+00:00

Browse Source
This commit is contained in:
cad-safe-bot 2024-05-21 16:03:24 +00:00
parent c8d077b7dd
commit 11aa743084
231 changed files with 8305 additions and 146 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
CVE-2020/CVE-2020-367xx/CVE-2020-36788.json Normal file
View File

@ -0,0 +1,28 @@
{
"id": "CVE-2020-36788",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:11.187",
"lastModified": "2024-05-21T15:15:11.187",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau: avoid a use-after-free when BO init fails\n\nnouveau_bo_init() is backed by ttm_bo_init() and ferries its return code\nback to the caller. On failures, ttm_bo_init() invokes the provided\ndestructor which should de-initialize and free the memory.\n\nThus, when nouveau_bo_init() returns an error the gem object has already\nbeen released and the memory freed by nouveau_bo_del_ttm()."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/548f2ff8ea5e0ce767ae3418d1ec5308990be87d",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/bcf34aa5082ee2343574bc3f4d1c126030913e54",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/f86e19d918a85492ad1a01fcdc0ad5ecbdac6f96",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

14
CVE-2021/CVE-2021-290xx/CVE-2021-29096.json
View File

@ -2,7 +2,7 @@
"id": "CVE-2021-29096",
"sourceIdentifier": "psirt@esri.com",
"published": "2021-03-25T19:15:14.533",
"lastModified": "2023-11-07T03:32:27.497",
"lastModified": "2024-05-21T14:14:17.320",
"vulnStatus": "Modified",
"descriptions": [
{
@ -114,12 +114,6 @@
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:a:esri:arcgis_desktop:*:*:*:*:*:*:*:*",
"versionEndIncluding": "10.8.1",
"matchCriteriaId": "B127210C-C14A-467E-8644-D736C474758A"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:a:esri:arcgis_engine:*:*:*:*:*:*:*:*",
@ -132,6 +126,12 @@
"versionEndIncluding": "2.7",
"matchCriteriaId": "B3B1EC12-C1FB-408B-823C-8FF6581ED8ED"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:a:esri:arcmap:*:*:*:*:*:*:*:*",
"versionEndIncluding": "10.8.1",
"matchCriteriaId": "C055EC7D-F119-4350-9C8D-731873D70D4F"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:a:esri:arcreader:*:*:*:*:*:*:*:*",

14
CVE-2021/CVE-2021-290xx/CVE-2021-29097.json
View File

@ -2,7 +2,7 @@
"id": "CVE-2021-29097",
"sourceIdentifier": "psirt@esri.com",
"published": "2021-03-25T21:15:13.467",
"lastModified": "2023-11-07T03:32:27.850",
"lastModified": "2024-05-21T14:14:17.320",
"vulnStatus": "Modified",
"descriptions": [
{
@ -124,18 +124,18 @@
"versionEndIncluding": "10.8.1",
"matchCriteriaId": "6F2E7485-F644-42FB-BC99-22F5BD1D0DD1"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:a:esri:arcgis_desktop:*:*:*:*:*:*:*:*",
"versionEndIncluding": "10.8.1",
"matchCriteriaId": "B127210C-C14A-467E-8644-D736C474758A"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:a:esri:arcgis_pro:*:*:*:*:*:*:*:*",
"versionEndIncluding": "2.7",
"matchCriteriaId": "B3B1EC12-C1FB-408B-823C-8FF6581ED8ED"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:a:esri:arcmap:*:*:*:*:*:*:*:*",
"versionEndIncluding": "10.8.1",
"matchCriteriaId": "C055EC7D-F119-4350-9C8D-731873D70D4F"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:a:esri:arcreader:*:*:*:*:*:*:*:*",

14
CVE-2021/CVE-2021-290xx/CVE-2021-29098.json
View File

@ -2,7 +2,7 @@
"id": "CVE-2021-29098",
"sourceIdentifier": "psirt@esri.com",
"published": "2021-03-25T21:15:13.543",
"lastModified": "2023-11-07T03:32:28.130",
"lastModified": "2024-05-21T14:14:17.320",
"vulnStatus": "Modified",
"descriptions": [
{
@ -120,18 +120,18 @@
"versionEndIncluding": "10.8.1",
"matchCriteriaId": "6F2E7485-F644-42FB-BC99-22F5BD1D0DD1"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:a:esri:arcgis_desktop:*:*:*:*:*:*:*:*",
"versionEndIncluding": "10.8.1",
"matchCriteriaId": "B127210C-C14A-467E-8644-D736C474758A"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:a:esri:arcgis_pro:*:*:*:*:*:*:*:*",
"versionEndIncluding": "2.7",
"matchCriteriaId": "B3B1EC12-C1FB-408B-823C-8FF6581ED8ED"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:a:esri:arcmap:*:*:*:*:*:*:*:*",
"versionEndIncluding": "10.8.1",
"matchCriteriaId": "C055EC7D-F119-4350-9C8D-731873D70D4F"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:a:esri:arcreader:*:*:*:*:*:*:*:*",

6
CVE-2021/CVE-2021-291xx/CVE-2021-29101.json
View File

@ -2,7 +2,7 @@
"id": "CVE-2021-29101",
"sourceIdentifier": "psirt@esri.com",
"published": "2021-05-05T19:15:08.737",
"lastModified": "2023-11-07T03:32:28.990",
"lastModified": "2024-05-21T14:27:22.657",
"vulnStatus": "Modified",
"descriptions": [
{
@ -116,9 +116,9 @@
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:a:arcgis:geoevent_server:*:*:*:*:*:*:*:*",
"criteria": "cpe:2.3:a:esri:arcgis_geoevent_server:*:*:*:*:*:*:*:*",
"versionEndIncluding": "10.8.1",
"matchCriteriaId": "F7971067-9840-4F6B-A0F7-58B9CE65A7D5"
"matchCriteriaId": "CE3D4BE2-3782-4ABF-BCE8-9E068DC05571"
}
]
}

44
CVE-2021/CVE-2021-472xx/CVE-2021-47220.json Normal file
View File

@ -0,0 +1,44 @@
{
"id": "CVE-2021-47220",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:11.290",
"lastModified": "2024-05-21T15:15:11.290",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: core: fix kernel panic when do reboot\n\nWhen do system reboot, it calls dwc3_shutdown and the whole debugfs\nfor dwc3 has removed first, when the gadget tries to do deinit, and\nremove debugfs for its endpoints, it meets NULL pointer dereference\nissue when call debugfs_lookup. Fix it by removing the whole dwc3\ndebugfs later than dwc3_drd_exit.\n\n[ 2924.958838] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000002\n....\n[ 2925.030994] pstate: 60000005 (nZCv daif -PAN -UAO -TCO BTYPE=--)\n[ 2925.037005] pc : inode_permission+0x2c/0x198\n[ 2925.041281] lr : lookup_one_len_common+0xb0/0xf8\n[ 2925.045903] sp : ffff80001276ba70\n[ 2925.049218] x29: ffff80001276ba70 x28: ffff0000c01f0000 x27: 0000000000000000\n[ 2925.056364] x26: ffff800011791e70 x25: 0000000000000008 x24: dead000000000100\n[ 2925.063510] x23: dead000000000122 x22: 0000000000000000 x21: 0000000000000001\n[ 2925.070652] x20: ffff8000122c6188 x19: 0000000000000000 x18: 0000000000000000\n[ 2925.077797] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000004\n[ 2925.084943] x14: ffffffffffffffff x13: 0000000000000000 x12: 0000000000000030\n[ 2925.092087] x11: 0101010101010101 x10: 7f7f7f7f7f7f7f7f x9 : ffff8000102b2420\n[ 2925.099232] x8 : 7f7f7f7f7f7f7f7f x7 : feff73746e2f6f64 x6 : 0000000000008080\n[ 2925.106378] x5 : 61c8864680b583eb x4 : 209e6ec2d263dbb7 x3 : 000074756f307065\n[ 2925.113523] x2 : 0000000000000001 x1 : 0000000000000000 x0 : ffff8000122c6188\n[ 2925.120671] Call trace:\n[ 2925.123119] inode_permission+0x2c/0x198\n[ 2925.127042] lookup_one_len_common+0xb0/0xf8\n[ 2925.131315] lookup_one_len_unlocked+0x34/0xb0\n[ 2925.135764] lookup_positive_unlocked+0x14/0x50\n[ 2925.140296] debugfs_lookup+0x68/0xa0\n[ 2925.143964] dwc3_gadget_free_endpoints+0x84/0xb0\n[ 2925.148675] dwc3_gadget_exit+0x28/0x78\n[ 2925.152518] dwc3_drd_exit+0x100/0x1f8\n[ 2925.156267] dwc3_remove+0x11c/0x120\n[ 2925.159851] dwc3_shutdown+0x14/0x20\n[ 2925.163432] platform_shutdown+0x28/0x38\n[ 2925.167360] device_shutdown+0x15c/0x378\n[ 2925.171291] kernel_restart_prepare+0x3c/0x48\n[ 2925.175650] kernel_restart+0x1c/0x68\n[ 2925.179316] __do_sys_reboot+0x218/0x240\n[ 2925.183247] __arm64_sys_reboot+0x28/0x30\n[ 2925.187262] invoke_syscall+0x48/0x100\n[ 2925.191017] el0_svc_common.constprop.0+0x48/0xc8\n[ 2925.195726] do_el0_svc+0x28/0x88\n[ 2925.199045] el0_svc+0x20/0x30\n[ 2925.202104] el0_sync_handler+0xa8/0xb0\n[ 2925.205942] el0_sync+0x148/0x180\n[ 2925.209270] Code: a9025bf5 2a0203f5 121f0056 370802b5 (79400660)\n[ 2925.215372] ---[ end trace 124254d8e485a58b ]---\n[ 2925.220012] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b\n[ 2925.227676] Kernel Offset: disabled\n[ 2925.231164] CPU features: 0x00001001,20000846\n[ 2925.235521] Memory Limit: none\n[ 2925.238580] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b ]---\n\n(cherry picked from commit 2a042767814bd0edf2619f06fecd374e266ea068)"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/174c27583b3807ac96228c442735b02622d8d1c3",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/4bf584a03eec674975ee9fe36c8583d9d470dab1",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/58b5e02c6ca0e2b7c87cd8023ff786ef3c0eef74",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/7f9745ab342bcce5efd5d4d2297d0a3dd9db0eac",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/fa8c413e6b74ae5d12daf911c73238c5bdacd8e6",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/fd7c4bd582494934be15d41aebe0dbe23790605f",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/ff4c63f3e8cb7af2ce51cc56b031e08fd23c758b",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

28
CVE-2021/CVE-2021-472xx/CVE-2021-47221.json Normal file
View File

@ -0,0 +1,28 @@
{
"id": "CVE-2021-47221",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:11.380",
"lastModified": "2024-05-21T15:15:11.380",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/slub: actually fix freelist pointer vs redzoning\n\nIt turns out that SLUB redzoning (\"slub_debug=Z\") checks from\ns->object_size rather than from s->inuse (which is normally bumped to\nmake room for the freelist pointer), so a cache created with an object\nsize less than 24 would have the freelist pointer written beyond\ns->object_size, causing the redzone to be corrupted by the freelist\npointer. This was very visible with \"slub_debug=ZF\":\n\n BUG test (Tainted: G B ): Right Redzone overwritten\n -----------------------------------------------------------------------------\n\n INFO: 0xffff957ead1c05de-0xffff957ead1c05df @offset=1502. First byte 0x1a instead of 0xbb\n INFO: Slab 0xffffef3950b47000 objects=170 used=170 fp=0x0000000000000000 flags=0x8000000000000200\n INFO: Object 0xffff957ead1c05d8 @offset=1496 fp=0xffff957ead1c0620\n\n Redzone (____ptrval____): bb bb bb bb bb bb bb bb ........\n Object (____ptrval____): 00 00 00 00 00 f6 f4 a5 ........\n Redzone (____ptrval____): 40 1d e8 1a aa @....\n Padding (____ptrval____): 00 00 00 00 00 00 00 00 ........\n\nAdjust the offset to stay within s->object_size.\n\n(Note that no caches of in this size range are known to exist in the\nkernel currently.)"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/ce6e8bee7a3883e8008b30f5887dbb426aac6a35",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/e41a49fadbc80b60b48d3c095d9e2ee7ef7c9a8e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/f6ed2357541612a13a5841b3af4dc32ed984a25f",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

40
CVE-2021/CVE-2021-472xx/CVE-2021-47222.json Normal file
View File

@ -0,0 +1,40 @@
{
"id": "CVE-2021-47222",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:11.453",
"lastModified": "2024-05-21T15:15:11.453",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: fix vlan tunnel dst refcnt when egressing\n\nThe egress tunnel code uses dst_clone() and directly sets the result\nwhich is wrong because the entry might have 0 refcnt or be already deleted,\ncausing number of problems. It also triggers the WARN_ON() in dst_hold()[1]\nwhen a refcnt couldn't be taken. Fix it by using dst_hold_safe() and\nchecking if a reference was actually taken before setting the dst.\n\n[1] dmesg WARN_ON log and following refcnt errors\n WARNING: CPU: 5 PID: 38 at include/net/dst.h:230 br_handle_egress_vlan_tunnel+0x10b/0x134 [bridge]\n Modules linked in: 8021q garp mrp bridge stp llc bonding ipv6 virtio_net\n CPU: 5 PID: 38 Comm: ksoftirqd/5 Kdump: loaded Tainted: G W 5.13.0-rc3+ #360\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014\n RIP: 0010:br_handle_egress_vlan_tunnel+0x10b/0x134 [bridge]\n Code: e8 85 bc 01 e1 45 84 f6 74 90 45 31 f6 85 db 48 c7 c7 a0 02 19 a0 41 0f 94 c6 31 c9 31 d2 44 89 f6 e8 64 bc 01 e1 85 db 75 02 <0f> 0b 31 c9 31 d2 44 89 f6 48 c7 c7 70 02 19 a0 e8 4b bc 01 e1 49\n RSP: 0018:ffff8881003d39e8 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000\n RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffffffffa01902a0\n RBP: ffff8881040c6700 R08: 0000000000000000 R09: 0000000000000001\n R10: 2ce93d0054fe0d00 R11: 54fe0d00000e0000 R12: ffff888109515000\n R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000401\n FS: 0000000000000000(0000) GS:ffff88822bf40000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f42ba70f030 CR3: 0000000109926000 CR4: 00000000000006e0\n Call Trace:\n br_handle_vlan+0xbc/0xca [bridge]\n __br_forward+0x23/0x164 [bridge]\n deliver_clone+0x41/0x48 [bridge]\n br_handle_frame_finish+0x36f/0x3aa [bridge]\n ? skb_dst+0x2e/0x38 [bridge]\n ? br_handle_ingress_vlan_tunnel+0x3e/0x1c8 [bridge]\n ? br_handle_frame_finish+0x3aa/0x3aa [bridge]\n br_handle_frame+0x2c3/0x377 [bridge]\n ? __skb_pull+0x33/0x51\n ? vlan_do_receive+0x4f/0x36a\n ? br_handle_frame_finish+0x3aa/0x3aa [bridge]\n __netif_receive_skb_core+0x539/0x7c6\n ? __list_del_entry_valid+0x16e/0x1c2\n __netif_receive_skb_list_core+0x6d/0xd6\n netif_receive_skb_list_internal+0x1d9/0x1fa\n gro_normal_list+0x22/0x3e\n dev_gro_receive+0x55b/0x600\n ? detach_buf_split+0x58/0x140\n napi_gro_receive+0x94/0x12e\n virtnet_poll+0x15d/0x315 [virtio_net]\n __napi_poll+0x2c/0x1c9\n net_rx_action+0xe6/0x1fb\n __do_softirq+0x115/0x2d8\n run_ksoftirqd+0x18/0x20\n smpboot_thread_fn+0x183/0x19c\n ? smpboot_unregister_percpu_thread+0x66/0x66\n kthread+0x10a/0x10f\n ? kthread_mod_delayed_work+0xb6/0xb6\n ret_from_fork+0x22/0x30\n ---[ end trace 49f61b07f775fd2b ]---\n dst_release: dst:00000000c02d677a refcnt:-1\n dst_release underflow"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/25053a8404ba17ca48f5553d487afc1882e9f56c",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/42020f7f37a90d24b9551f5f7eba3f7c7c102968",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/79855be6445b6592bddb7bd7167083ec8cdbd73f",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/84fc1c944e45ab317e2e70a0e7f76fa2a5e43b6e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/cfc579f9d89af4ada58c69b03bcaa4887840f3b3",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/fc7fdd8c5c2ad2fe3e297698be9d4dbe4a4e0579",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

40
CVE-2021/CVE-2021-472xx/CVE-2021-47223.json Normal file
View File

@ -0,0 +1,40 @@
{
"id": "CVE-2021-47223",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:11.530",
"lastModified": "2024-05-21T15:15:11.530",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: fix vlan tunnel dst null pointer dereference\n\nThis patch fixes a tunnel_dst null pointer dereference due to lockless\naccess in the tunnel egress path. When deleting a vlan tunnel the\ntunnel_dst pointer is set to NULL without waiting a grace period (i.e.\nwhile it's still usable) and packets egressing are dereferencing it\nwithout checking. Use READ/WRITE_ONCE to annotate the lockless use of\ntunnel_id, use RCU for accessing tunnel_dst and make sure it is read\nonly once and checked in the egress path. The dst is already properly RCU\nprotected so we don't need to do anything fancy than to make sure\ntunnel_id and tunnel_dst are read only once and checked in the egress path."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/24a6e55f17aa123bc1fc54b7d3c410b41bc16530",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/58e2071742e38f29f051b709a5cca014ba51166f",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a2241e62f6b4a774d8a92048fdf59c45f6c2fe5c",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/abb02e05cb1c0a30dd873a29f33bc092067dc35d",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/ad7feefe7164892db424c45687472db803d87f79",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/fe0448a3fad365a747283a00a1d1ad5e8d6675b7",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

32
CVE-2021/CVE-2021-472xx/CVE-2021-47224.json Normal file
View File

@ -0,0 +1,32 @@
{
"id": "CVE-2021-47224",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:11.687",
"lastModified": "2024-05-21T15:15:11.687",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ll_temac: Make sure to free skb when it is completely used\n\nWith the skb pointer piggy-backed on the TX BD, we have a simple and\nefficient way to free the skb buffer when the frame has been transmitted.\nBut in order to avoid freeing the skb while there are still fragments from\nthe skb in use, we need to piggy-back on the TX BD of the skb, not the\nfirst.\n\nWithout this, we are doing use-after-free on the DMA side, when the first\nBD of a multi TX BD packet is seen as completed in xmit_done, and the\nremaining BDs are still being processed."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/019ab7d044d0ebf97e1236bb8935b7809be92358",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/6aa32217a9a446275440ee8724b1ecaf1838df47",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/6d120ab4dc39a543c6b63361e1d0541c382900a3",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/e8afe05bd359ebe12a61dbdc94c06c00ea3e8d4b",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

24
CVE-2021/CVE-2021-472xx/CVE-2021-47225.json Normal file
View File

@ -0,0 +1,24 @@
{
"id": "CVE-2021-47225",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:11.760",
"lastModified": "2024-05-21T15:15:11.760",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmac80211: fix deadlock in AP/VLAN handling\n\nSyzbot reports that when you have AP_VLAN interfaces that are up\nand close the AP interface they belong to, we get a deadlock. No\nsurprise - since we dev_close() them with the wiphy mutex held,\nwhich goes back into the netdev notifier in cfg80211 and tries to\nacquire the wiphy mutex there.\n\nTo fix this, we need to do two things:\n 1) prevent changing iftype while AP_VLANs are up, we can't\n easily fix this case since cfg80211 already calls us with\n the wiphy mutex held, but change_interface() is relatively\n rare in drivers anyway, so changing iftype isn't used much\n (and userspace has to fall back to down/change/up anyway)\n 2) pull the dev_close() loop over VLANs out of the wiphy mutex\n section in the normal stop case"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/8043903fcb72f545c52e3ec74d6fd82ef79ce7c5",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/d5befb224edbe53056c2c18999d630dafb4a08b9",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

28
CVE-2021/CVE-2021-472xx/CVE-2021-47226.json Normal file
View File

@ -0,0 +1,28 @@
{
"id": "CVE-2021-47226",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:11.823",
"lastModified": "2024-05-21T15:15:11.823",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/fpu: Invalidate FPU state after a failed XRSTOR from a user buffer\n\nBoth Intel and AMD consider it to be architecturally valid for XRSTOR to\nfail with #PF but nonetheless change the register state. The actual\nconditions under which this might occur are unclear [1], but it seems\nplausible that this might be triggered if one sibling thread unmaps a page\nand invalidates the shared TLB while another sibling thread is executing\nXRSTOR on the page in question.\n\n__fpu__restore_sig() can execute XRSTOR while the hardware registers\nare preserved on behalf of a different victim task (using the\nfpu_fpregs_owner_ctx mechanism), and, in theory, XRSTOR could fail but\nmodify the registers.\n\nIf this happens, then there is a window in which __fpu__restore_sig()\ncould schedule out and the victim task could schedule back in without\nreloading its own FPU registers. This would result in part of the FPU\nstate that __fpu__restore_sig() was attempting to load leaking into the\nvictim task's user-visible state.\n\nInvalidate preserved FPU registers on XRSTOR failure to prevent this\nsituation from corrupting any state.\n\n[1] Frequent readers of the errata lists might imagine \"complex\n microarchitectural conditions\"."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/002665dcba4bbec8c82f0aeb4bd3f44334ed2c14",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a7748e021b9fb7739e3cb88449296539de0b6817",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/d8778e393afa421f1f117471144f8ce6deb6953a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

28
CVE-2021/CVE-2021-472xx/CVE-2021-47227.json Normal file
View File

@ -0,0 +1,28 @@
{
"id": "CVE-2021-47227",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:11.900",
"lastModified": "2024-05-21T15:15:11.900",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/fpu: Prevent state corruption in __fpu__restore_sig()\n\nThe non-compacted slowpath uses __copy_from_user() and copies the entire\nuser buffer into the kernel buffer, verbatim. This means that the kernel\nbuffer may now contain entirely invalid state on which XRSTOR will #GP.\nvalidate_user_xstate_header() can detect some of that corruption, but that\nleaves the onus on callers to clear the buffer.\n\nPrior to XSAVES support, it was possible just to reinitialize the buffer,\ncompletely, but with supervisor states that is not longer possible as the\nbuffer clearing code split got it backwards. Fixing that is possible but\nnot corrupting the state in the first place is more robust.\n\nAvoid corruption of the kernel XSAVE buffer by using copy_user_to_xstate()\nwhich validates the XSAVE header contents before copying the actual states\nto the kernel. copy_user_to_xstate() was previously only called for\ncompacted-format kernel buffers, but it works for both compacted and\nnon-compacted forms.\n\nUsing it for the non-compacted form is slower because of multiple\n__copy_from_user() operations, but that cost is less important than robust\ncode in an already slow path.\n\n[ Changelog polished by Dave Hansen ]"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/076f732b16a5bf842686e1b43ab6021a2d98233e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/484cea4f362e1eeb5c869abbfb5f90eae6421b38",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/ec25ea1f3f05d6f8ee51d1277efea986eafd4f2a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

28
CVE-2021/CVE-2021-472xx/CVE-2021-47228.json Normal file
View File

@ -0,0 +1,28 @@
{
"id": "CVE-2021-47228",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:12.250",
"lastModified": "2024-05-21T15:15:12.250",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/ioremap: Map EFI-reserved memory as encrypted for SEV\n\nSome drivers require memory that is marked as EFI boot services\ndata. In order for this memory to not be re-used by the kernel\nafter ExitBootServices(), efi_mem_reserve() is used to preserve it\nby inserting a new EFI memory descriptor and marking it with the\nEFI_MEMORY_RUNTIME attribute.\n\nUnder SEV, memory marked with the EFI_MEMORY_RUNTIME attribute needs to\nbe mapped encrypted by Linux, otherwise the kernel might crash at boot\nlike below:\n\n EFI Variables Facility v0.08 2004-May-17\n general protection fault, probably for non-canonical address 0x3597688770a868b2: 0000 [#1] SMP NOPTI\n CPU: 13 PID: 1 Comm: swapper/0 Not tainted 5.12.4-2-default #1 openSUSE Tumbleweed\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n RIP: 0010:efi_mokvar_entry_next\n [...]\n Call Trace:\n efi_mokvar_sysfs_init\n ? efi_mokvar_table_init\n do_one_initcall\n ? __kmalloc\n kernel_init_freeable\n ? rest_init\n kernel_init\n ret_from_fork\n\nExpand the __ioremap_check_other() function to additionally check for\nthis other type of boot data reserved at runtime and indicate that it\nshould be mapped encrypted for an SEV guest.\n\n [ bp: Massage commit message. ]"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/208bb686e7fa7fff16e8fa78ff0db34aa9acdbd7",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/8d651ee9c71bb12fc0c8eb2786b66cbe5aa3e43b",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/b7a05aba39f733ec337c5b952e112dd2dc4fc404",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

40
CVE-2021/CVE-2021-472xx/CVE-2021-47229.json Normal file
View File

@ -0,0 +1,40 @@
{
"id": "CVE-2021-47229",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:12.323",
"lastModified": "2024-05-21T15:15:12.323",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: aardvark: Fix kernel panic during PIO transfer\n\nTrying to start a new PIO transfer by writing value 0 in PIO_START register\nwhen previous transfer has not yet completed (which is indicated by value 1\nin PIO_START) causes an External Abort on CPU, which results in kernel\npanic:\n\n SError Interrupt on CPU0, code 0xbf000002 -- SError\n Kernel panic - not syncing: Asynchronous SError Interrupt\n\nTo prevent kernel panic, it is required to reject a new PIO transfer when\nprevious one has not finished yet.\n\nIf previous PIO transfer is not finished yet, the kernel may issue a new\nPIO request only if the previous PIO transfer timed out.\n\nIn the past the root cause of this issue was incorrectly identified (as it\noften happens during link retraining or after link down event) and special\nhack was implemented in Trusted Firmware to catch all SError events in EL3,\nto ignore errors with code 0xbf000002 and not forwarding any other errors\nto kernel and instead throw panic from EL3 Trusted Firmware handler.\n\nLinks to discussion and patches about this issue:\nhttps://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/commit/?id=3c7dcdac5c50\nhttps://lore.kernel.org/linux-pci/20190316161243.29517-1-repk@triplefau.lt/\nhttps://lore.kernel.org/linux-pci/971be151d24312cc533989a64bd454b4@www.loen.fr/\nhttps://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/1541\n\nBut the real cause was the fact that during link retraining or after link\ndown event the PIO transfer may take longer time, up to the 1.44s until it\ntimes out. This increased probability that a new PIO transfer would be\nissued by kernel while previous one has not finished yet.\n\nAfter applying this change into the kernel, it is possible to revert the\nmentioned TF-A hack and SError events do not have to be caught in TF-A EL3."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/1a1dbc4473974867fe8c5f195c17b341c8e82867",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/3d213a4ddf49a860be6e795482c17f87e0c82b2a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/400e6b1860c8be61388d0b77814c53260f96e17a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/4c90f90a91d75c3c73dd633827c90e8746d9f54d",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/b00a9aaa4be20ad6e3311fb78a485eae0899e89a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/f18139966d072dab8e4398c95ce955a9742e04f7",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

32
CVE-2021/CVE-2021-472xx/CVE-2021-47230.json Normal file
View File

@ -0,0 +1,32 @@
{
"id": "CVE-2021-47230",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:12.400",
"lastModified": "2024-05-21T15:15:12.400",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Immediately reset the MMU context when the SMM flag is cleared\n\nImmediately reset the MMU context when the vCPU's SMM flag is cleared so\nthat the SMM flag in the MMU role is always synchronized with the vCPU's\nflag. If RSM fails (which isn't correctly emulated), KVM will bail\nwithout calling post_leave_smm() and leave the MMU in a bad state.\n\nThe bad MMU role can lead to a NULL pointer dereference when grabbing a\nshadow page's rmap for a page fault as the initial lookups for the gfn\nwill happen with the vCPU's SMM flag (=0), whereas the rmap lookup will\nuse the shadow page's SMM flag, which comes from the MMU (=1). SMM has\nan entirely different set of memslots, and so the initial lookup can find\na memslot (SMM=0) and then explode on the rmap memslot lookup (SMM=1).\n\n general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN\n KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n CPU: 1 PID: 8410 Comm: syz-executor382 Not tainted 5.13.0-rc5-syzkaller #0\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\n RIP: 0010:__gfn_to_rmap arch/x86/kvm/mmu/mmu.c:935 [inline]\n RIP: 0010:gfn_to_rmap+0x2b0/0x4d0 arch/x86/kvm/mmu/mmu.c:947\n Code: <42> 80 3c 20 00 74 08 4c 89 ff e8 f1 79 a9 00 4c 89 fb 4d 8b 37 44\n RSP: 0018:ffffc90000ffef98 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: ffff888015b9f414 RCX: ffff888019669c40\n RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001\n RBP: 0000000000000001 R08: ffffffff811d9cdb R09: ffffed10065a6002\n R10: ffffed10065a6002 R11: 0000000000000000 R12: dffffc0000000000\n R13: 0000000000000003 R14: 0000000000000001 R15: 0000000000000000\n FS: 000000000124b300(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 0000000028e31000 CR4: 00000000001526e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n rmap_add arch/x86/kvm/mmu/mmu.c:965 [inline]\n mmu_set_spte+0x862/0xe60 arch/x86/kvm/mmu/mmu.c:2604\n __direct_map arch/x86/kvm/mmu/mmu.c:2862 [inline]\n direct_page_fault+0x1f74/0x2b70 arch/x86/kvm/mmu/mmu.c:3769\n kvm_mmu_do_page_fault arch/x86/kvm/mmu.h:124 [inline]\n kvm_mmu_page_fault+0x199/0x1440 arch/x86/kvm/mmu/mmu.c:5065\n vmx_handle_exit+0x26/0x160 arch/x86/kvm/vmx/vmx.c:6122\n vcpu_enter_guest+0x3bdd/0x9630 arch/x86/kvm/x86.c:9428\n vcpu_run+0x416/0xc20 arch/x86/kvm/x86.c:9494\n kvm_arch_vcpu_ioctl_run+0x4e8/0xa40 arch/x86/kvm/x86.c:9722\n kvm_vcpu_ioctl+0x70f/0xbb0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3460\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:1069 [inline]\n __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:1055\n do_syscall_64+0x3f/0xb0 arch/x86/entry/common.c:47\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n RIP: 0033:0x440ce9"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/669a8866e468fd020d34eb00e08cb41d3774b71b",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/78fcb2c91adfec8ce3a2ba6b4d0dda89f2f4a7c6",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/cbb425f62df9df7abee4b3f068f7ed6ffc3561e2",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/df9a40cfb3be2cbeb1c17bb67c59251ba16630f3",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

40
CVE-2021/CVE-2021-472xx/CVE-2021-47231.json Normal file
View File

@ -0,0 +1,40 @@
{
"id": "CVE-2021-47231",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:12.477",
"lastModified": "2024-05-21T15:15:12.477",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: mcba_usb: fix memory leak in mcba_usb\n\nSyzbot reported memory leak in SocketCAN driver for Microchip CAN BUS\nAnalyzer Tool. The problem was in unfreed usb_coherent.\n\nIn mcba_usb_start() 20 coherent buffers are allocated and there is\nnothing, that frees them:\n\n1) In callback function the urb is resubmitted and that's all\n2) In disconnect function urbs are simply killed, but URB_FREE_BUFFER\n is not set (see mcba_usb_start) and this flag cannot be used with\n coherent buffers.\n\nFail log:\n| [ 1354.053291][ T8413] mcba_usb 1-1:0.0 can0: device disconnected\n| [ 1367.059384][ T8420] kmemleak: 20 new suspected memory leaks (see /sys/kernel/debug/kmem)\n\nSo, all allocated buffers should be freed with usb_free_coherent()\nexplicitly\n\nNOTE:\nThe same pattern for allocating and freeing coherent buffers\nis used in drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/6bd3d80d1f019cefa7011056c54b323f1d8b8e83",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/6f87c0e21ad20dd3d22108e33db1c552dfa352a0",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/89df95ce32be204eef2e7d4b2f6fb552fb191a68",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/91c02557174be7f72e46ed7311e3bea1939840b0",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a115198caaab6d663bef75823a3c5f0802306d60",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/d0760a4ef85697bc756d06eae17ae27f3f055401",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

32
CVE-2021/CVE-2021-472xx/CVE-2021-47232.json Normal file
View File

@ -0,0 +1,32 @@
{
"id": "CVE-2021-47232",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:12.557",
"lastModified": "2024-05-21T15:15:12.557",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: j1939: fix Use-after-Free, hold skb ref while in use\n\nThis patch fixes a Use-after-Free found by the syzbot.\n\nThe problem is that a skb is taken from the per-session skb queue,\nwithout incrementing the ref count. This leads to a Use-after-Free if\nthe skb is taken concurrently from the session queue due to a CTS."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/1071065eeb33d32b7d98c2ce7591881ae7381705",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/2030043e616cab40f510299f09b636285e0a3678",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/22cba878abf646cd3a02ee7c8c2cef7afe66a256",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/509ab6bfdd0c76daebbad0f0af07da712116de22",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

28
CVE-2021/CVE-2021-472xx/CVE-2021-47233.json Normal file
View File

@ -0,0 +1,28 @@
{
"id": "CVE-2021-47233",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:12.630",
"lastModified": "2024-05-21T15:15:12.630",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: rt4801: Fix NULL pointer dereference if priv->enable_gpios is NULL\n\ndevm_gpiod_get_array_optional may return NULL if no GPIO was assigned."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/ba8a26a7ce8617f9f3d6230de34b2302df086b41",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/cb2381cbecb81a8893b2d1e1af29bc2e5531df27",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/dc68f0c9e4a001e02376fe87f4bdcacadb27e8a1",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

28
CVE-2021/CVE-2021-472xx/CVE-2021-47234.json Normal file
View File

@ -0,0 +1,28 @@
{
"id": "CVE-2021-47234",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:12.710",
"lastModified": "2024-05-21T15:15:12.710",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: phy-mtk-tphy: Fix some resource leaks in mtk_phy_init()\n\nUse clk_disable_unprepare() in the error path of mtk_phy_init() to fix\nsome resource leaks."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/6472955af5e88b5489b6d78316082ad56ea3e489",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/9a17907946232d01aa2ec109da5f93b8d31dd425",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/aaac9a1bd370338ce372669eb9a6059d16b929aa",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

48
CVE-2021/CVE-2021-472xx/CVE-2021-47235.json Normal file
View File

@ -0,0 +1,48 @@
{
"id": "CVE-2021-47235",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:12.777",
"lastModified": "2024-05-21T15:15:12.777",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: fix potential use-after-free in ec_bhf_remove\n\nstatic void ec_bhf_remove(struct pci_dev *dev)\n{\n...\n\tstruct ec_bhf_priv *priv = netdev_priv(net_dev);\n\n\tunregister_netdev(net_dev);\n\tfree_netdev(net_dev);\n\n\tpci_iounmap(dev, priv->dma_io);\n\tpci_iounmap(dev, priv->io);\n...\n}\n\npriv is netdev private data, but it is used\nafter free_netdev(). It can cause use-after-free when accessing priv\npointer. So, fix it by moving free_netdev() after pci_iounmap()\ncalls."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/0260916843cc74f3906acf8b6f256693e01530a2",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/19f88ca68ccf8771276a606765239b167654f84a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/1cafc540b7bf1b6a5a77dc000205fe337ef6eba6",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/95deeb29d831e2fae608439e243e7a520611e7ea",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/9cca0c2d70149160407bda9a9446ce0c29b6e6c6",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/b1ad283755095a4b9d1431aeb357d7df1a33d3bb",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/d11d79e52ba080ee567cb7d7eb42a5ade60a8130",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/db2bc3cfd2bc01621014d4f17cdfc74611f339c8",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

48
CVE-2021/CVE-2021-472xx/CVE-2021-47236.json Normal file
View File

@ -0,0 +1,48 @@
{
"id": "CVE-2021-47236",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:12.857",
"lastModified": "2024-05-21T15:15:12.857",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: cdc_eem: fix tx fixup skb leak\n\nwhen usbnet transmit a skb, eem fixup it in eem_tx_fixup(),\nif skb_copy_expand() failed, it return NULL,\nusbnet_start_xmit() will have no chance to free original skb.\n\nfix it by free orginal skb in eem_tx_fixup() first,\nthen check skb clone status, if failed, return NULL to usbnet."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/05b2b9f7d24b5663d9b47427fe1555bdafd3ea02",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/14184ec5c958b589ba934da7363a2877879204df",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/1bcacd6088d61c0ac6a990d87975600a81f3247e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/81de2ed06df8b5451e050fe6a318af3263dbff3f",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/b4f7a9fc9d094c0c4a66f2ad7c37b1dbe9e78f88",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/c3b26fdf1b32f91c7a3bc743384b4a298ab53ad7",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/f12554b0ff639e74612cc01b3b4a049e098d2d65",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/f4e6a7f19c82f39b1803e91c54718f0d7143767d",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

48
CVE-2021/CVE-2021-472xx/CVE-2021-47237.json Normal file
View File

@ -0,0 +1,48 @@
{
"id": "CVE-2021-47237",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:12.930",
"lastModified": "2024-05-21T15:15:12.930",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hamradio: fix memory leak in mkiss_close\n\nMy local syzbot instance hit memory leak in\nmkiss_open()[1]. The problem was in missing\nfree_netdev() in mkiss_close().\n\nIn mkiss_open() netdevice is allocated and then\nregistered, but in mkiss_close() netdevice was\nonly unregistered, but not freed.\n\nFail log:\n\nBUG: memory leak\nunreferenced object 0xffff8880281ba000 (size 4096):\n comm \"syz-executor.1\", pid 11443, jiffies 4295046091 (age 17.660s)\n hex dump (first 32 bytes):\n 61 78 30 00 00 00 00 00 00 00 00 00 00 00 00 00 ax0.............\n 00 27 fa 2a 80 88 ff ff 00 00 00 00 00 00 00 00 .'.*............\n backtrace:\n [<ffffffff81a27201>] kvmalloc_node+0x61/0xf0\n [<ffffffff8706e7e8>] alloc_netdev_mqs+0x98/0xe80\n [<ffffffff84e64192>] mkiss_open+0xb2/0x6f0 [1]\n [<ffffffff842355db>] tty_ldisc_open+0x9b/0x110\n [<ffffffff84236488>] tty_set_ldisc+0x2e8/0x670\n [<ffffffff8421f7f3>] tty_ioctl+0xda3/0x1440\n [<ffffffff81c9f273>] __x64_sys_ioctl+0x193/0x200\n [<ffffffff8911263a>] do_syscall_64+0x3a/0xb0\n [<ffffffff89200068>] entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nBUG: memory leak\nunreferenced object 0xffff8880141a9a00 (size 96):\n comm \"syz-executor.1\", pid 11443, jiffies 4295046091 (age 17.660s)\n hex dump (first 32 bytes):\n e8 a2 1b 28 80 88 ff ff e8 a2 1b 28 80 88 ff ff ...(.......(....\n 98 92 9c aa b0 40 02 00 00 00 00 00 00 00 00 00 .....@..........\n backtrace:\n [<ffffffff8709f68b>] __hw_addr_create_ex+0x5b/0x310\n [<ffffffff8709fb38>] __hw_addr_add_ex+0x1f8/0x2b0\n [<ffffffff870a0c7b>] dev_addr_init+0x10b/0x1f0\n [<ffffffff8706e88b>] alloc_netdev_mqs+0x13b/0xe80\n [<ffffffff84e64192>] mkiss_open+0xb2/0x6f0 [1]\n [<ffffffff842355db>] tty_ldisc_open+0x9b/0x110\n [<ffffffff84236488>] tty_set_ldisc+0x2e8/0x670\n [<ffffffff8421f7f3>] tty_ioctl+0xda3/0x1440\n [<ffffffff81c9f273>] __x64_sys_ioctl+0x193/0x200\n [<ffffffff8911263a>] do_syscall_64+0x3a/0xb0\n [<ffffffff89200068>] entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nBUG: memory leak\nunreferenced object 0xffff8880219bfc00 (size 512):\n comm \"syz-executor.1\", pid 11443, jiffies 4295046091 (age 17.660s)\n hex dump (first 32 bytes):\n 00 a0 1b 28 80 88 ff ff 80 8f b1 8d ff ff ff ff ...(............\n 80 8f b1 8d ff ff ff ff 00 00 00 00 00 00 00 00 ................\n backtrace:\n [<ffffffff81a27201>] kvmalloc_node+0x61/0xf0\n [<ffffffff8706eec7>] alloc_netdev_mqs+0x777/0xe80\n [<ffffffff84e64192>] mkiss_open+0xb2/0x6f0 [1]\n [<ffffffff842355db>] tty_ldisc_open+0x9b/0x110\n [<ffffffff84236488>] tty_set_ldisc+0x2e8/0x670\n [<ffffffff8421f7f3>] tty_ioctl+0xda3/0x1440\n [<ffffffff81c9f273>] __x64_sys_ioctl+0x193/0x200\n [<ffffffff8911263a>] do_syscall_64+0x3a/0xb0\n [<ffffffff89200068>] entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nBUG: memory leak\nunreferenced object 0xffff888029b2b200 (size 256):\n comm \"syz-executor.1\", pid 11443, jiffies 4295046091 (age 17.660s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace:\n [<ffffffff81a27201>] kvmalloc_node+0x61/0xf0\n [<ffffffff8706f062>] alloc_netdev_mqs+0x912/0xe80\n [<ffffffff84e64192>] mkiss_open+0xb2/0x6f0 [1]\n [<ffffffff842355db>] tty_ldisc_open+0x9b/0x110\n [<ffffffff84236488>] tty_set_ldisc+0x2e8/0x670\n [<ffffffff8421f7f3>] tty_ioctl+0xda3/0x1440\n [<ffffffff81c9f273>] __x64_sys_ioctl+0x193/0x200\n [<ffffffff8911263a>] do_syscall_64+0x3a/0xb0\n [<ffffffff89200068>] entry_SYSCALL_64_after_hwframe+0x44/0xae"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/290b0b6432e2599021db0b8d6046f756d931c29f",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/3942d0f9ace1a95a74930b5b4fc0e5005c62b37b",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/765a8a04f828db7222b36a42b1031f576bfe95c3",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/7edcc682301492380fbdd604b4516af5ae667a13",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a49cbb762ef20655f5c91abdc13658b0af5e159d",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/c16c4716a1b5ba4f83c7e00da457cba06761f119",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/c634ba0b4159838ff45a60d3a0ace3b4118077a5",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/f4de2b43d13b7cf3ced9310e371b90c836dbd7cd",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

44
CVE-2021/CVE-2021-472xx/CVE-2021-47238.json Normal file
View File

@ -0,0 +1,44 @@
{
"id": "CVE-2021-47238",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:13.017",
"lastModified": "2024-05-21T15:15:13.017",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipv4: fix memory leak in ip_mc_add1_src\n\nBUG: memory leak\nunreferenced object 0xffff888101bc4c00 (size 32):\n comm \"syz-executor527\", pid 360, jiffies 4294807421 (age 19.329s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 01 00 00 00 00 00 00 00 ac 14 14 bb 00 00 02 00 ................\n backtrace:\n [<00000000f17c5244>] kmalloc include/linux/slab.h:558 [inline]\n [<00000000f17c5244>] kzalloc include/linux/slab.h:688 [inline]\n [<00000000f17c5244>] ip_mc_add1_src net/ipv4/igmp.c:1971 [inline]\n [<00000000f17c5244>] ip_mc_add_src+0x95f/0xdb0 net/ipv4/igmp.c:2095\n [<000000001cb99709>] ip_mc_source+0x84c/0xea0 net/ipv4/igmp.c:2416\n [<0000000052cf19ed>] do_ip_setsockopt net/ipv4/ip_sockglue.c:1294 [inline]\n [<0000000052cf19ed>] ip_setsockopt+0x114b/0x30c0 net/ipv4/ip_sockglue.c:1423\n [<00000000477edfbc>] raw_setsockopt+0x13d/0x170 net/ipv4/raw.c:857\n [<00000000e75ca9bb>] __sys_setsockopt+0x158/0x270 net/socket.c:2117\n [<00000000bdb993a8>] __do_sys_setsockopt net/socket.c:2128 [inline]\n [<00000000bdb993a8>] __se_sys_setsockopt net/socket.c:2125 [inline]\n [<00000000bdb993a8>] __x64_sys_setsockopt+0xba/0x150 net/socket.c:2125\n [<000000006a1ffdbd>] do_syscall_64+0x40/0x80 arch/x86/entry/common.c:47\n [<00000000b11467c4>] entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nIn commit 24803f38a5c0 (\"igmp: do not remove igmp souce list info when set\nlink down\"), the ip_mc_clear_src() in ip_mc_destroy_dev() was removed,\nbecause it was also called in igmpv3_clear_delrec().\n\nRough callgraph:\n\ninetdev_destroy\n-> ip_mc_destroy_dev\n -> igmpv3_clear_delrec\n -> ip_mc_clear_src\n-> RCU_INIT_POINTER(dev->ip_ptr, NULL)\n\nHowever, ip_mc_clear_src() called in igmpv3_clear_delrec() doesn't\nrelease in_dev->mc_list->sources. And RCU_INIT_POINTER() assigns the\nNULL to dev->ip_ptr. As a result, in_dev cannot be obtained through\ninetdev_by_index() and then in_dev->mc_list->sources cannot be released\nby ip_mc_del1_src() in the sock_close. Rough call sequence goes like:\n\nsock_close\n-> __sock_release\n -> inet_release\n -> ip_mc_drop_socket\n -> inetdev_by_index\n -> ip_mc_leave_src\n -> ip_mc_del_src\n -> ip_mc_del1_src\n\nSo we still need to call ip_mc_clear_src() in ip_mc_destroy_dev() to free\nin_dev->mc_list->sources."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/0dc13e75507faa17ac9f7562b4ef7bf8fcd78422",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/1e28018b5c83d5073f74a6fb72eabe8370b2f501",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/3dd2aeac2e9624cff9fa634710837e4f2e352758",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/6cff57eea3347f79f1867cc53e1093b6614138d8",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/77de6ee73f54a9a89c0afa0bf4c53b239aa9953a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/ac31cc837cafb57a271babad8ccffbf733caa076",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/d8e2973029b8b2ce477b564824431f3385c77083",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

48
CVE-2021/CVE-2021-472xx/CVE-2021-47239.json Normal file
View File

@ -0,0 +1,48 @@
{
"id": "CVE-2021-47239",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:13.100",
"lastModified": "2024-05-21T15:15:13.100",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: fix possible use-after-free in smsc75xx_bind\n\nThe commit 46a8b29c6306 (\"net: usb: fix memory leak in smsc75xx_bind\")\nfails to clean up the work scheduled in smsc75xx_reset->\nsmsc75xx_set_multicast, which leads to use-after-free if the work is\nscheduled to start after the deallocation. In addition, this patch\nalso removes a dangling pointer - dev->data[0].\n\nThis patch calls cancel_work_sync to cancel the scheduled work and set\nthe dangling pointer to NULL."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/14616c372a7be01a2fb8c56c9d8debd232b9e43d",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/2fc8300c9cfa5167fcb5b1a2a07db6f53e82f59b",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/4252bf6c2b245f47011098113d405ffad6ad5d5b",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/56b786d86694e079d8aad9b314e015cd4ac02a3d",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/570a52cf3e01d19f7fd1a251dfc52b0cd86c13cb",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/64160d1741a3de5204d1a822e058e0b4cc526504",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/7cc8b2e05fcea6edd022d26e82091d781af8fd9b",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/c4e3be2e7742863e454ce31faf8fd0109c00050b",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

36
CVE-2021/CVE-2021-472xx/CVE-2021-47240.json Normal file
View File

@ -0,0 +1,36 @@
{
"id": "CVE-2021-47240",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:13.177",
"lastModified": "2024-05-21T15:15:13.177",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: qrtr: fix OOB Read in qrtr_endpoint_post\n\nSyzbot reported slab-out-of-bounds Read in\nqrtr_endpoint_post. The problem was in wrong\n_size_ type:\n\n\tif (len != ALIGN(size, 4) + hdrlen)\n\t\tgoto err;\n\nIf size from qrtr_hdr is 4294967293 (0xfffffffd), the result of\nALIGN(size, 4) will be 0. In case of len == hdrlen and size == 4294967293\nin header this check won't fail and\n\n\tskb_put_data(skb, data + hdrlen, size);\n\nwill read out of bound from data, which is hdrlen allocated block."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/19892ab9c9d838e2e5a7744d36e4bb8b7c3292fe",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/26b8d10703a9be45d6097946b2b4011f7dd2c56f",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/960b08dd36de1e341e3eb43d1c547513e338f4f8",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/ad9d24c9429e2159d1e279dc3a83191ccb4daf1d",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/f8111c0d7ed42ede41a3d0d393b104de0730a8a6",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

28
CVE-2021/CVE-2021-472xx/CVE-2021-47241.json Normal file
View File

@ -0,0 +1,28 @@
{
"id": "CVE-2021-47241",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:13.250",
"lastModified": "2024-05-21T15:15:13.250",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nethtool: strset: fix message length calculation\n\nOuter nest for ETHTOOL_A_STRSET_STRINGSETS is not accounted for.\nThis may result in ETHTOOL_MSG_STRSET_GET producing a warning like:\n\n calculated message payload length (684) not sufficient\n WARNING: CPU: 0 PID: 30967 at net/ethtool/netlink.c:369 ethnl_default_doit+0x87a/0xa20\n\nand a splat.\n\nAs usually with such warnings three conditions must be met for the warning\nto trigger:\n - there must be no skb size rounding up (e.g. reply_size of 684);\n - string set must be per-device (so that the header gets populated);\n - the device name must be at least 12 characters long.\n\nall in all with current user space it looks like reading priv flags\nis the only place this could potentially happen. Or with syzbot :)"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/cfc7f0e70d649e6d2233fba0d9390b525677d971",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/e175aef902697826d344ce3a12189329848fe898",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/fb3a948143688e14e2cfd2a2812877923d0e5e92",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

24
CVE-2021/CVE-2021-472xx/CVE-2021-47242.json Normal file
View File

@ -0,0 +1,24 @@
{
"id": "CVE-2021-47242",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:13.327",
"lastModified": "2024-05-21T15:15:13.327",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix soft lookup in subflow_error_report()\n\nMaxim reported a soft lookup in subflow_error_report():\n\n watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [swapper/0:0]\n RIP: 0010:native_queued_spin_lock_slowpath\n RSP: 0018:ffffa859c0003bc0 EFLAGS: 00000202\n RAX: 0000000000000101 RBX: 0000000000000001 RCX: 0000000000000000\n RDX: ffff9195c2772d88 RSI: 0000000000000000 RDI: ffff9195c2772d88\n RBP: ffff9195c2772d00 R08: 00000000000067b0 R09: c6e31da9eb1e44f4\n R10: ffff9195ef379700 R11: ffff9195edb50710 R12: ffff9195c2772d88\n R13: ffff9195f500e3d0 R14: ffff9195ef379700 R15: ffff9195ef379700\n FS: 0000000000000000(0000) GS:ffff91961f400000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000000c000407000 CR3: 0000000002988000 CR4: 00000000000006f0\n Call Trace:\n <IRQ>\n _raw_spin_lock_bh\n subflow_error_report\n mptcp_subflow_data_available\n __mptcp_move_skbs_from_subflow\n mptcp_data_ready\n tcp_data_queue\n tcp_rcv_established\n tcp_v4_do_rcv\n tcp_v4_rcv\n ip_protocol_deliver_rcu\n ip_local_deliver_finish\n __netif_receive_skb_one_core\n netif_receive_skb\n rtl8139_poll 8139too\n __napi_poll\n net_rx_action\n __do_softirq\n __irq_exit_rcu\n common_interrupt\n </IRQ>\n\nThe calling function - mptcp_subflow_data_available() - can be invoked\nfrom different contexts:\n- plain ssk socket lock\n- ssk socket lock + mptcp_data_lock\n- ssk socket lock + mptcp_data_lock + msk socket lock.\n\nSince subflow_error_report() tries to acquire the mptcp_data_lock, the\nlatter two call chains will cause soft lookup.\n\nThis change addresses the issue moving the error reporting call to\nouter functions, where the held locks list is known and the we can\nacquire only the needed one."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/27ef25c72373222aaa5fe7b5cd890ae9cfb89a8d",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/499ada5073361c631f2a3c4a8aed44d53b6f82ec",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

36
CVE-2021/CVE-2021-472xx/CVE-2021-47243.json Normal file
View File

@ -0,0 +1,36 @@
{
"id": "CVE-2021-47243",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:13.403",
"lastModified": "2024-05-21T15:15:13.403",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsch_cake: Fix out of bounds when parsing TCP options and header\n\nThe TCP option parser in cake qdisc (cake_get_tcpopt and\ncake_tcph_may_drop) could read one byte out of bounds. When the length\nis 1, the execution flow gets into the loop, reads one byte of the\nopcode, and if the opcode is neither TCPOPT_EOL nor TCPOPT_NOP, it reads\none more byte, which exceeds the length of 1.\n\nThis fix is inspired by commit 9609dad263f8 (\"ipv4: tcp_input: fix stack\nout of bounds when parsing TCP options.\").\n\nv2 changes:\n\nAdded doff validation in cake_get_tcphdr to avoid parsing garbage as TCP\nheader. Although it wasn't strictly an out-of-bounds access (memory was\nallocated), garbage values could be read where CAKE expected the TCP\nheader if doff was smaller than 5."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/3371392c60e2685af30bd4547badd880f5df2b3f",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/3b491dd593d582ceeb27aa617600712a6bd14246",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/4cefa061fc63f4d2dff5ab4083f43857cd7a2335",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/595897ef118d6fe66690c4fc5b572028c9da95b7",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/ba91c49dedbde758ba0b72f57ac90b06ddf8e548",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

28
CVE-2021/CVE-2021-472xx/CVE-2021-47244.json Normal file
View File

@ -0,0 +1,28 @@
{
"id": "CVE-2021-47244",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:13.477",
"lastModified": "2024-05-21T15:15:13.477",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: Fix out of bounds when parsing TCP options\n\nThe TCP option parser in mptcp (mptcp_get_options) could read one byte\nout of bounds. When the length is 1, the execution flow gets into the\nloop, reads one byte of the opcode, and if the opcode is neither\nTCPOPT_EOL nor TCPOPT_NOP, it reads one more byte, which exceeds the\nlength of 1.\n\nThis fix is inspired by commit 9609dad263f8 (\"ipv4: tcp_input: fix stack\nout of bounds when parsing TCP options.\")."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/07718be265680dcf496347d475ce1a5442f55ad7",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/73eeba71dc9932970befa009e68272a3d5ec4a58",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/76e02b8905d0691e89e104a882f3bba7dd0f6037",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

48
CVE-2021/CVE-2021-472xx/CVE-2021-47245.json Normal file
View File

@ -0,0 +1,48 @@
{
"id": "CVE-2021-47245",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:13.550",
"lastModified": "2024-05-21T15:15:13.550",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: synproxy: Fix out of bounds when parsing TCP options\n\nThe TCP option parser in synproxy (synproxy_parse_options) could read\none byte out of bounds. When the length is 1, the execution flow gets\ninto the loop, reads one byte of the opcode, and if the opcode is\nneither TCPOPT_EOL nor TCPOPT_NOP, it reads one more byte, which exceeds\nthe length of 1.\n\nThis fix is inspired by commit 9609dad263f8 (\"ipv4: tcp_input: fix stack\nout of bounds when parsing TCP options.\").\n\nv2 changes:\n\nAdded an early return when length < 0 to avoid calling\nskb_header_pointer with negative length."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/576c1526b4d83c44ad7b673cb841f36cbc6cb6c4",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/5fc177ab759418c9537433e63301096e733fb915",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/674b5f0c6a4fc5d3abce877048290cea6091fcb1",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/6defc77d48eff74075b80ad5925061b2fc010d98",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/7d9a9a1a88a3da574e019b4de756bc73337b3b0b",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/9cdf299ba4e153b5e56187648420de22c6216f02",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/e1eb98cfeafdd85537e7e3cefe93ca9bfbcc3ea8",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/f648089337cb8ed40b2bb96e244f72b9d97dc96b",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

32
CVE-2021/CVE-2021-472xx/CVE-2021-47246.json Normal file
View File

@ -0,0 +1,32 @@
{
"id": "CVE-2021-47246",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:13.623",
"lastModified": "2024-05-21T15:15:13.623",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix page reclaim for dead peer hairpin\n\nWhen adding a hairpin flow, a firmware-side send queue is created for\nthe peer net device, which claims some host memory pages for its\ninternal ring buffer. If the peer net device is removed/unbound before\nthe hairpin flow is deleted, then the send queue is not destroyed which\nleads to a stack trace on pci device remove:\n\n[ 748.005230] mlx5_core 0000:08:00.2: wait_func:1094:(pid 12985): MANAGE_PAGES(0x108) timeout. Will cause a leak of a command resource\n[ 748.005231] mlx5_core 0000:08:00.2: reclaim_pages:514:(pid 12985): failed reclaiming pages: err -110\n[ 748.001835] mlx5_core 0000:08:00.2: mlx5_reclaim_root_pages:653:(pid 12985): failed reclaiming pages (-110) for func id 0x0\n[ 748.002171] ------------[ cut here ]------------\n[ 748.001177] FW pages counter is 4 after reclaiming all pages\n[ 748.001186] WARNING: CPU: 1 PID: 12985 at drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c:685 mlx5_reclaim_startup_pages+0x34b/0x460 [mlx5_core] [ +0.002771] Modules linked in: cls_flower mlx5_ib mlx5_core ptp pps_core act_mirred sch_ingress openvswitch nsh xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 br_netfilter rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi rdma_cm ib_umad ib_ipoib iw_cm ib_cm ib_uverbs ib_core overlay fuse [last unloaded: pps_core]\n[ 748.007225] CPU: 1 PID: 12985 Comm: tee Not tainted 5.12.0+ #1\n[ 748.001376] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n[ 748.002315] RIP: 0010:mlx5_reclaim_startup_pages+0x34b/0x460 [mlx5_core]\n[ 748.001679] Code: 28 00 00 00 0f 85 22 01 00 00 48 81 c4 b0 00 00 00 31 c0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 48 c7 c7 40 cc 19 a1 e8 9f 71 0e e2 <0f> 0b e9 30 ff ff ff 48 c7 c7 a0 cc 19 a1 e8 8c 71 0e e2 0f 0b e9\n[ 748.003781] RSP: 0018:ffff88815220faf8 EFLAGS: 00010286\n[ 748.001149] RAX: 0000000000000000 RBX: ffff8881b4900280 RCX: 0000000000000000\n[ 748.001445] RDX: 0000000000000027 RSI: 0000000000000004 RDI: ffffed102a441f51\n[ 748.001614] RBP: 00000000000032b9 R08: 0000000000000001 R09: ffffed1054a15ee8\n[ 748.001446] R10: ffff8882a50af73b R11: ffffed1054a15ee7 R12: fffffbfff07c1e30\n[ 748.001447] R13: dffffc0000000000 R14: ffff8881b492cba8 R15: 0000000000000000\n[ 748.001429] FS: 00007f58bd08b580(0000) GS:ffff8882a5080000(0000) knlGS:0000000000000000\n[ 748.001695] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 748.001309] CR2: 000055a026351740 CR3: 00000001d3b48006 CR4: 0000000000370ea0\n[ 748.001506] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 748.001483] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 748.001654] Call Trace:\n[ 748.000576] ? mlx5_satisfy_startup_pages+0x290/0x290 [mlx5_core]\n[ 748.001416] ? mlx5_cmd_teardown_hca+0xa2/0xd0 [mlx5_core]\n[ 748.001354] ? mlx5_cmd_init_hca+0x280/0x280 [mlx5_core]\n[ 748.001203] mlx5_function_teardown+0x30/0x60 [mlx5_core]\n[ 748.001275] mlx5_uninit_one+0xa7/0xc0 [mlx5_core]\n[ 748.001200] remove_one+0x5f/0xc0 [mlx5_core]\n[ 748.001075] pci_device_remove+0x9f/0x1d0\n[ 748.000833] device_release_driver_internal+0x1e0/0x490\n[ 748.001207] unbind_store+0x19f/0x200\n[ 748.000942] ? sysfs_file_ops+0x170/0x170\n[ 748.001000] kernfs_fop_write_iter+0x2bc/0x450\n[ 748.000970] new_sync_write+0x373/0x610\n[ 748.001124] ? new_sync_read+0x600/0x600\n[ 748.001057] ? lock_acquire+0x4d6/0x700\n[ 748.000908] ? lockdep_hardirqs_on_prepare+0x400/0x400\n[ 748.001126] ? fd_install+0x1c9/0x4d0\n[ 748.000951] vfs_write+0x4d0/0x800\n[ 748.000804] ksys_write+0xf9/0x1d0\n[ 748.000868] ? __x64_sys_read+0xb0/0xb0\n[ 748.000811] ? filp_open+0x50/0x50\n[ 748.000919] ? syscall_enter_from_user_mode+0x1d/0x50\n[ 748.001223] do_syscall_64+0x3f/0x80\n[ 748.000892] entry_SYSCALL_64_after_hwframe+0x44/0xae\n[ 748.00\n---truncated---"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/4b16118665e94c90a3e84a5190486fd0e4eedd74",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a3e5fd9314dfc4314a9567cde96e1aef83a7458a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/b374c1304f6d3d4752ad1412427b7bf02bb1fd61",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/be7f3f401d224e1efe8112b2fa8b837eeb8c5e52",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

24
CVE-2021/CVE-2021-472xx/CVE-2021-47247.json Normal file
View File

@ -0,0 +1,24 @@
{
"id": "CVE-2021-47247",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:13.703",
"lastModified": "2024-05-21T15:15:13.703",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix use-after-free of encap entry in neigh update handler\n\nFunction mlx5e_rep_neigh_update() wasn't updated to accommodate rtnl lock\nremoval from TC filter update path and properly handle concurrent encap\nentry insertion/deletion which can lead to following use-after-free:\n\n [23827.464923] ==================================================================\n [23827.469446] BUG: KASAN: use-after-free in mlx5e_encap_take+0x72/0x140 [mlx5_core]\n [23827.470971] Read of size 4 at addr ffff8881d132228c by task kworker/u20:6/21635\n [23827.472251]\n [23827.472615] CPU: 9 PID: 21635 Comm: kworker/u20:6 Not tainted 5.13.0-rc3+ #5\n [23827.473788] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n [23827.475639] Workqueue: mlx5e mlx5e_rep_neigh_update [mlx5_core]\n [23827.476731] Call Trace:\n [23827.477260] dump_stack+0xbb/0x107\n [23827.477906] print_address_description.constprop.0+0x18/0x140\n [23827.478896] ? mlx5e_encap_take+0x72/0x140 [mlx5_core]\n [23827.479879] ? mlx5e_encap_take+0x72/0x140 [mlx5_core]\n [23827.480905] kasan_report.cold+0x7c/0xd8\n [23827.481701] ? mlx5e_encap_take+0x72/0x140 [mlx5_core]\n [23827.482744] kasan_check_range+0x145/0x1a0\n [23827.493112] mlx5e_encap_take+0x72/0x140 [mlx5_core]\n [23827.494054] ? mlx5e_tc_tun_encap_info_equal_generic+0x140/0x140 [mlx5_core]\n [23827.495296] mlx5e_rep_neigh_update+0x41e/0x5e0 [mlx5_core]\n [23827.496338] ? mlx5e_rep_neigh_entry_release+0xb80/0xb80 [mlx5_core]\n [23827.497486] ? read_word_at_a_time+0xe/0x20\n [23827.498250] ? strscpy+0xa0/0x2a0\n [23827.498889] process_one_work+0x8ac/0x14e0\n [23827.499638] ? lockdep_hardirqs_on_prepare+0x400/0x400\n [23827.500537] ? pwq_dec_nr_in_flight+0x2c0/0x2c0\n [23827.501359] ? rwlock_bug.part.0+0x90/0x90\n [23827.502116] worker_thread+0x53b/0x1220\n [23827.502831] ? process_one_work+0x14e0/0x14e0\n [23827.503627] kthread+0x328/0x3f0\n [23827.504254] ? _raw_spin_unlock_irq+0x24/0x40\n [23827.505065] ? __kthread_bind_mask+0x90/0x90\n [23827.505912] ret_from_fork+0x1f/0x30\n [23827.506621]\n [23827.506987] Allocated by task 28248:\n [23827.507694] kasan_save_stack+0x1b/0x40\n [23827.508476] __kasan_kmalloc+0x7c/0x90\n [23827.509197] mlx5e_attach_encap+0xde1/0x1d40 [mlx5_core]\n [23827.510194] mlx5e_tc_add_fdb_flow+0x397/0xc40 [mlx5_core]\n [23827.511218] __mlx5e_add_fdb_flow+0x519/0xb30 [mlx5_core]\n [23827.512234] mlx5e_configure_flower+0x191c/0x4870 [mlx5_core]\n [23827.513298] tc_setup_cb_add+0x1d5/0x420\n [23827.514023] fl_hw_replace_filter+0x382/0x6a0 [cls_flower]\n [23827.514975] fl_change+0x2ceb/0x4a51 [cls_flower]\n [23827.515821] tc_new_tfilter+0x89a/0x2070\n [23827.516548] rtnetlink_rcv_msg+0x644/0x8c0\n [23827.517300] netlink_rcv_skb+0x11d/0x340\n [23827.518021] netlink_unicast+0x42b/0x700\n [23827.518742] netlink_sendmsg+0x743/0xc20\n [23827.519467] sock_sendmsg+0xb2/0xe0\n [23827.520131] ____sys_sendmsg+0x590/0x770\n [23827.520851] ___sys_sendmsg+0xd8/0x160\n [23827.521552] __sys_sendmsg+0xb7/0x140\n [23827.522238] do_syscall_64+0x3a/0x70\n [23827.522907] entry_SYSCALL_64_after_hwframe+0x44/0xae\n [23827.523797]\n [23827.524163] Freed by task 25948:\n [23827.524780] kasan_save_stack+0x1b/0x40\n [23827.525488] kasan_set_track+0x1c/0x30\n [23827.526187] kasan_set_free_info+0x20/0x30\n [23827.526968] __kasan_slab_free+0xed/0x130\n [23827.527709] slab_free_freelist_hook+0xcf/0x1d0\n [23827.528528] kmem_cache_free_bulk+0x33a/0x6e0\n [23827.529317] kfree_rcu_work+0x55f/0xb70\n [23827.530024] process_one_work+0x8ac/0x14e0\n [23827.530770] worker_thread+0x53b/0x1220\n [23827.531480] kthread+0x328/0x3f0\n [23827.532114] ret_from_fork+0x1f/0x30\n [23827.532785]\n [23827.533147] Last potentially related work creation:\n [23827.534007] kasan_save_stack+0x1b/0x40\n [23827.534710] kasan_record_aux_stack+0xab/0xc0\n [23827.535492] kvfree_call_rcu+0x31/0x7b0\n [23827.536206] mlx5e_tc_del\n---truncated---"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/b6447b72aca571632e71bb73a797118d5ce46a93",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/fb1a3132ee1ac968316e45d21a48703a6db0b6c3",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

44
CVE-2021/CVE-2021-472xx/CVE-2021-47248.json Normal file
View File

@ -0,0 +1,44 @@
{
"id": "CVE-2021-47248",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:13.780",
"lastModified": "2024-05-21T15:15:13.780",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nudp: fix race between close() and udp_abort()\n\nKaustubh reported and diagnosed a panic in udp_lib_lookup().\nThe root cause is udp_abort() racing with close(). Both\nracing functions acquire the socket lock, but udp{v6}_destroy_sock()\nrelease it before performing destructive actions.\n\nWe can't easily extend the socket lock scope to avoid the race,\ninstead use the SOCK_DEAD flag to prevent udp_abort from doing\nany action when the critical race happens.\n\nDiagnosed-and-tested-by: Kaustubh Pandey <kapandey@codeaurora.org>"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/2f73448041bd0682d4b552cfd314ace66107f1ad",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/5a88477c1c85e4baa51e91f2d40f2166235daa56",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/65310b0aff86980a011c7c7bfa487a333d4ca241",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/8729ec8a2238152a4afc212a331a6cd2c61aeeac",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a0882f68f54f7a8b6308261acee9bd4faab5a69e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a8b897c7bcd47f4147d066e22cc01d1026d7640e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/e3c36c773aed0fef8b1d3d555b43393ec564400f",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

48
CVE-2021/CVE-2021-472xx/CVE-2021-47249.json Normal file
View File

@ -0,0 +1,48 @@
{
"id": "CVE-2021-47249",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:13.857",
"lastModified": "2024-05-21T15:15:13.857",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rds: fix memory leak in rds_recvmsg\n\nSyzbot reported memory leak in rds. The problem\nwas in unputted refcount in case of error.\n\nint rds_recvmsg(struct socket *sock, struct msghdr *msg, size_t size,\n\t\tint msg_flags)\n{\n...\n\n\tif (!rds_next_incoming(rs, &inc)) {\n\t\t...\n\t}\n\nAfter this \"if\" inc refcount incremented and\n\n\tif (rds_cmsg_recv(inc, msg, rs)) {\n\t\tret = -EFAULT;\n\t\tgoto out;\n\t}\n...\nout:\n\treturn ret;\n}\n\nin case of rds_cmsg_recv() fail the refcount won't be\ndecremented. And it's easy to see from ftrace log, that\nrds_inc_addref() don't have rds_inc_put() pair in\nrds_recvmsg() after rds_cmsg_recv()\n\n 1) | rds_recvmsg() {\n 1) 3.721 us | rds_inc_addref();\n 1) 3.853 us | rds_message_inc_copy_to_user();\n 1) + 10.395 us | rds_cmsg_recv();\n 1) + 34.260 us | }"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/06b7cb0194bd1ede0dd27f3a946e7c0279fba44a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/1f79bc8ae81c05eb112a53f981cb2c244ee50d02",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/2038cd15eacdf7512755c27686822e0052eb9042",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/423c6939758fb3b9cf5abbd1e7792068a5c4ae8c",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/49bfcbfd989a8f1f23e705759a6bb099de2cff9f",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/5946fbf48355f5a8caeff72580c7658da5966b86",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/8c3ec88b03e9e4ca117dcdc4204fd3edcd02084f",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/b25b60d076164edb3025e85aabd2cf50a5215b91",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

48
CVE-2021/CVE-2021-472xx/CVE-2021-47250.json Normal file
View File

@ -0,0 +1,48 @@
{
"id": "CVE-2021-47250",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:13.930",
"lastModified": "2024-05-21T15:15:13.930",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipv4: fix memory leak in netlbl_cipsov4_add_std\n\nReported by syzkaller:\nBUG: memory leak\nunreferenced object 0xffff888105df7000 (size 64):\ncomm \"syz-executor842\", pid 360, jiffies 4294824824 (age 22.546s)\nhex dump (first 32 bytes):\n00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\nbacktrace:\n[<00000000e67ed558>] kmalloc include/linux/slab.h:590 [inline]\n[<00000000e67ed558>] kzalloc include/linux/slab.h:720 [inline]\n[<00000000e67ed558>] netlbl_cipsov4_add_std net/netlabel/netlabel_cipso_v4.c:145 [inline]\n[<00000000e67ed558>] netlbl_cipsov4_add+0x390/0x2340 net/netlabel/netlabel_cipso_v4.c:416\n[<0000000006040154>] genl_family_rcv_msg_doit.isra.0+0x20e/0x320 net/netlink/genetlink.c:739\n[<00000000204d7a1c>] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n[<00000000204d7a1c>] genl_rcv_msg+0x2bf/0x4f0 net/netlink/genetlink.c:800\n[<00000000c0d6a995>] netlink_rcv_skb+0x134/0x3d0 net/netlink/af_netlink.c:2504\n[<00000000d78b9d2c>] genl_rcv+0x24/0x40 net/netlink/genetlink.c:811\n[<000000009733081b>] netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline]\n[<000000009733081b>] netlink_unicast+0x4a0/0x6a0 net/netlink/af_netlink.c:1340\n[<00000000d5fd43b8>] netlink_sendmsg+0x789/0xc70 net/netlink/af_netlink.c:1929\n[<000000000a2d1e40>] sock_sendmsg_nosec net/socket.c:654 [inline]\n[<000000000a2d1e40>] sock_sendmsg+0x139/0x170 net/socket.c:674\n[<00000000321d1969>] ____sys_sendmsg+0x658/0x7d0 net/socket.c:2350\n[<00000000964e16bc>] ___sys_sendmsg+0xf8/0x170 net/socket.c:2404\n[<000000001615e288>] __sys_sendmsg+0xd3/0x190 net/socket.c:2433\n[<000000004ee8b6a5>] do_syscall_64+0x37/0x90 arch/x86/entry/common.c:47\n[<00000000171c7cee>] entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nThe memory of doi_def->map.std pointing is allocated in\nnetlbl_cipsov4_add_std, but no place has freed it. It should be\nfreed in cipso_v4_doi_free which frees the cipso DOI resource."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/086e92b1d68c6338535f715aad173f8cf4bfbc8c",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/0ffb460be3abac86f884a8c548bb02724ec370f4",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/212166510582631994be4f4b3fe15e10a03c1dd4",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/398a24447eb60f060c8994221cb5ae6caf355fa1",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/5340858147e3dc60913fb3dd0cbb758ec4a26e66",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/6dcea66d3bb519b426282588f38e884e07893c1f",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/d612c3f3fae221e7ea736d196581c2217304bbbc",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/deeeb65c6ee404f2d1fb80b38b2730645c0f4663",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

28
CVE-2021/CVE-2021-472xx/CVE-2021-47251.json Normal file
View File

@ -0,0 +1,28 @@
{
"id": "CVE-2021-47251",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:14.007",
"lastModified": "2024-05-21T15:15:14.007",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmac80211: fix skb length check in ieee80211_scan_rx()\n\nReplace hard-coded compile-time constants for header length check\nwith dynamic determination based on the frame type. Otherwise, we\nhit a validation WARN_ON in cfg80211 later.\n\n[style fixes, reword commit message]"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/5a1cd67a801cf5ef989c4783e07b86a25b143126",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/d1b949c70206178b12027f66edc088d40375b5cb",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/e298aa358f0ca658406d524b6639fe389cb6e11e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

48
CVE-2021/CVE-2021-472xx/CVE-2021-47252.json Normal file
View File

@ -0,0 +1,48 @@
{
"id": "CVE-2021-47252",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:14.083",
"lastModified": "2024-05-21T15:15:14.083",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: Avoid WARN_ON timing related checks\n\nThe soft/batadv interface for a queued OGM can be changed during the time\nthe OGM was queued for transmission and when the OGM is actually\ntransmitted by the worker.\n\nBut WARN_ON must be used to denote kernel bugs and not to print simple\nwarnings. A warning can simply be printed using pr_warn."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/282baa8104af44e04c4af3e7f933b44267c7f86f",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/2eb4e0b3631832a4291c8bf4c9db873f60b128c8",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/45011f2973f6b52cf50db397bb27bf805f5f0e7f",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/6031daaaf6d5c359c99dfffa102e332df234ff09",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/77a99aad5bc3ea105806ebae6be3cbadc2fc615e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/9f460ae31c4435fd022c443a6029352217a16ac1",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/e7fbd8184fa9e85f0d648c499841cb7ff6dec9f4",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/e8e9d2968a9d08bf5c683afca182f1537edebf8d",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

28
CVE-2021/CVE-2021-472xx/CVE-2021-47253.json Normal file
View File

@ -0,0 +1,28 @@
{
"id": "CVE-2021-47253",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:14.160",
"lastModified": "2024-05-21T15:15:14.160",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix potential memory leak in DMUB hw_init\n\n[Why]\nOn resume we perform DMUB hw_init which allocates memory:\ndm_resume->dm_dmub_hw_init->dc_dmub_srv_create->kzalloc\nThat results in memory leak in suspend/resume scenarios.\n\n[How]\nAllocate memory for the DC wrapper to DMUB only if it was not\nallocated before.\nNo need to reallocate it on suspend/resume."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/9e8c2af010463197315fa54a6c17e74988b5259c",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/aa000f828e60ac15d6340f606ec4a673966f5b0b",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/c5699e2d863f58221044efdc3fa712dd32d55cde",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

48
CVE-2021/CVE-2021-472xx/CVE-2021-47254.json Normal file
View File

@ -0,0 +1,48 @@
{
"id": "CVE-2021-47254",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:14.233",
"lastModified": "2024-05-21T15:15:14.233",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Fix use-after-free in gfs2_glock_shrink_scan\n\nThe GLF_LRU flag is checked under lru_lock in gfs2_glock_remove_from_lru() to\nremove the glock from the lru list in __gfs2_glock_put().\n\nOn the shrink scan path, the same flag is cleared under lru_lock but because\nof cond_resched_lock(&lru_lock) in gfs2_dispose_glock_lru(), progress on the\nput side can be made without deleting the glock from the lru list.\n\nKeep GLF_LRU across the race window opened by cond_resched_lock(&lru_lock) to\nensure correct behavior on both sides - clear GLF_LRU after list_del under\nlru_lock."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/0364742decb0f02bc183404868b82896f7992595",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/094bf5670e762afa243d2c41a5c4ab71c7447bf4",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/1ab19c5de4c537ec0d9b21020395a5b5a6c059b2",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/38ce329534500bf4ae71f81df6a37a406cf187b4",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/86fd5b27db743a0ce0cc245e3a34813b2aa6ec1d",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/92869945cc5b78ee8a1ef90336fe070893e3458a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a61156314b66456ab6a291ed5deba1ebd002ab3c",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/e87ef30fe73e7e10d2c85bdcc778dcec24dca553",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

32
CVE-2021/CVE-2021-472xx/CVE-2021-47255.json Normal file
View File

@ -0,0 +1,32 @@
{
"id": "CVE-2021-47255",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:14.303",
"lastModified": "2024-05-21T15:15:14.303",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nkvm: LAPIC: Restore guard to prevent illegal APIC register access\n\nPer the SDM, \"any access that touches bytes 4 through 15 of an APIC\nregister may cause undefined behavior and must not be executed.\"\nWorse, such an access in kvm_lapic_reg_read can result in a leak of\nkernel stack contents. Prior to commit 01402cf81051 (\"kvm: LAPIC:\nwrite down valid APIC registers\"), such an access was explicitly\ndisallowed. Restore the guard that was removed in that commit."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/018685461a5b9a9a70e664ac77aef0d7415a3fd5",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/218bf772bddd221489c38dde6ef8e917131161f6",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a2aff09807fbe4018c269d3773a629949058b210",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/bf99ea52970caeb4583bdba1192c1f9b53b12c84",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

40
CVE-2021/CVE-2021-472xx/CVE-2021-47256.json Normal file
View File

@ -0,0 +1,40 @@
{
"id": "CVE-2021-47256",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:14.380",
"lastModified": "2024-05-21T15:15:14.380",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/memory-failure: make sure wait for page writeback in memory_failure\n\nOur syzkaller trigger the \"BUG_ON(!list_empty(&inode->i_wb_list))\" in\nclear_inode:\n\n kernel BUG at fs/inode.c:519!\n Internal error: Oops - BUG: 0 [#1] SMP\n Modules linked in:\n Process syz-executor.0 (pid: 249, stack limit = 0x00000000a12409d7)\n CPU: 1 PID: 249 Comm: syz-executor.0 Not tainted 4.19.95\n Hardware name: linux,dummy-virt (DT)\n pstate: 80000005 (Nzcv daif -PAN -UAO)\n pc : clear_inode+0x280/0x2a8\n lr : clear_inode+0x280/0x2a8\n Call trace:\n clear_inode+0x280/0x2a8\n ext4_clear_inode+0x38/0xe8\n ext4_free_inode+0x130/0xc68\n ext4_evict_inode+0xb20/0xcb8\n evict+0x1a8/0x3c0\n iput+0x344/0x460\n do_unlinkat+0x260/0x410\n __arm64_sys_unlinkat+0x6c/0xc0\n el0_svc_common+0xdc/0x3b0\n el0_svc_handler+0xf8/0x160\n el0_svc+0x10/0x218\n Kernel panic - not syncing: Fatal exception\n\nA crash dump of this problem show that someone called __munlock_pagevec\nto clear page LRU without lock_page: do_mmap -> mmap_region -> do_munmap\n-> munlock_vma_pages_range -> __munlock_pagevec.\n\nAs a result memory_failure will call identify_page_state without\nwait_on_page_writeback. And after truncate_error_page clear the mapping\nof this page. end_page_writeback won't call sb_clear_inode_writeback to\nclear inode->i_wb_list. That will trigger BUG_ON in clear_inode!\n\nFix it by checking PageWriteback too to help determine should we skip\nwait_on_page_writeback."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/28788dc5c70597395b6b451dae4549bbaa8e2c56",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/566345aaabac853aa866f53a219c4b02a6beb527",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/6d210d547adc2218ef8b5bcf23518c5f2f1fd872",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/9e379da727a7a031be9b877cde7b9c34a0fb8306",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/d05267fd27a5c4f54e06daefa3035995d765ca0c",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/e8675d291ac007e1c636870db880f837a9ea112a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

44
CVE-2021/CVE-2021-472xx/CVE-2021-47257.json Normal file
View File

@ -0,0 +1,44 @@
{
"id": "CVE-2021-47257",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:14.460",
"lastModified": "2024-05-21T15:15:14.460",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ieee802154: fix null deref in parse dev addr\n\nFix a logic error that could result in a null deref if the user sets\nthe mode incorrectly for the given addr type."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/1f95741981c899c4724647291fec5faa3c777185",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/5f728ec65485625e30f46e5b4917ff023ad29ea0",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/9fdd04918a452980631ecc499317881c1d120b70",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/c6998ccfefa652bac3f9b236821e392af43efa1e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/c7836de2cadd88bc2f20f2c5a3d4ef4c73aef627",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/d0f47648b87b6d5f204cb7f3cbce6d36dab85a67",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/fdd51e34f45311ab6e48d2147cbc2904731b9993",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

44
CVE-2021/CVE-2021-472xx/CVE-2021-47258.json Normal file
View File

@ -0,0 +1,44 @@
{
"id": "CVE-2021-47258",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:14.537",
"lastModified": "2024-05-21T15:15:14.537",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: Fix error handling of scsi_host_alloc()\n\nAfter device is initialized via device_initialize(), or its name is set via\ndev_set_name(), the device has to be freed via put_device(). Otherwise\ndevice name will be leaked because it is allocated dynamically in\ndev_set_name().\n\nFix the leak by replacing kfree() with put_device(). Since\nscsi_host_dev_release() properly handles IDA and kthread removal, remove\nspecial-casing these from the error handling as well."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/2dc85045ae65b9302a1d2e2ddd7ce4c030153a6a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/45d83db4728127944b237c0c8248987df9d478e7",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/66a834d092930cf41d809c0e989b13cd6f9ca006",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/79296e292d67fa7b5fb8d8c27343683e823872c8",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/7a696ce1d5d16a33a6cd6400bbcc0339b2460e11",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/8958181c1663e24a13434448e7d6b96b5d04900a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/db08ce595dd64ea9859f7d088b51cbfc8e685c66",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

40
CVE-2021/CVE-2021-472xx/CVE-2021-47259.json Normal file
View File

@ -0,0 +1,40 @@
{
"id": "CVE-2021-47259",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:14.610",
"lastModified": "2024-05-21T15:15:14.610",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFS: Fix use-after-free in nfs4_init_client()\n\nKASAN reports a use-after-free when attempting to mount two different\nexports through two different NICs that belong to the same server.\n\nOlga was able to hit this with kernels starting somewhere between 5.7\nand 5.10, but I traced the patch that introduced the clear_bit() call to\n4.13. So something must have changed in the refcounting of the clp\npointer to make this call to nfs_put_client() the very last one."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/3e3c7ebbfac152d08be75c92802a64a1f6471a15",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/42c10b0db064e45f5c5ae7019bbf2168ffab766c",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/476bdb04c501fc64bf3b8464ffddefc8dbe01577",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/72651c6579a25317a90536181d311c663d0329ab",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/c3b6cf64dfe4ef96e7341508d50d6998da7062c7",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/c7eab9e2d7b4e983ce280276fb920af649955897",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

48
CVE-2021/CVE-2021-472xx/CVE-2021-47260.json Normal file
View File

@ -0,0 +1,48 @@
{
"id": "CVE-2021-47260",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:14.690",
"lastModified": "2024-05-21T15:15:14.690",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFS: Fix a potential NULL dereference in nfs_get_client()\n\nNone of the callers are expecting NULL returns from nfs_get_client() so\nthis code will lead to an Oops. It's better to return an error\npointer. I expect that this is dead code so hopefully no one is\naffected."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/0057ecef9f324007c0ba5fcca4ddd131178ce78b",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/09226e8303beeec10f2ff844d2e46d1371dc58e0",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/279ad78a00f8b9c5ff24171a59297187a3bd44b7",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/4b380a7d84ef2ce3f4f5bec5d8706ed937ac6502",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/58ddf61f10b8f9b7b1341644bfee2f1c6508d4e1",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/634f17ff1d59905eb3b4bbbc00805961d08beaee",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a979e601000982a3ca693171a6d4dffc47f8ad00",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/fab8bfdfb4aac9e4e8363666333adfdf21e89106",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

36
CVE-2021/CVE-2021-472xx/CVE-2021-47261.json Normal file
View File

@ -0,0 +1,36 @@
{
"id": "CVE-2021-47261",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:14.770",
"lastModified": "2024-05-21T15:15:14.770",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/mlx5: Fix initializing CQ fragments buffer\n\nThe function init_cq_frag_buf() can be called to initialize the current CQ\nfragments buffer cq->buf, or the temporary cq->resize_buf that is filled\nduring CQ resize operation.\n\nHowever, the offending commit started to use function get_cqe() for\ngetting the CQEs, the issue with this change is that get_cqe() always\nreturns CQEs from cq->buf, which leads us to initialize the wrong buffer,\nand in case of enlarging the CQ we try to access elements beyond the size\nof the current cq->buf and eventually hit a kernel panic.\n\n [exception RIP: init_cq_frag_buf+103]\n [ffff9f799ddcbcd8] mlx5_ib_resize_cq at ffffffffc0835d60 [mlx5_ib]\n [ffff9f799ddcbdb0] ib_resize_cq at ffffffffc05270df [ib_core]\n [ffff9f799ddcbdc0] llt_rdma_setup_qp at ffffffffc0a6a712 [llt]\n [ffff9f799ddcbe10] llt_rdma_cc_event_action at ffffffffc0a6b411 [llt]\n [ffff9f799ddcbe98] llt_rdma_client_conn_thread at ffffffffc0a6bb75 [llt]\n [ffff9f799ddcbec8] kthread at ffffffffa66c5da1\n [ffff9f799ddcbf50] ret_from_fork_nospec_begin at ffffffffa6d95ddd\n\nFix it by getting the needed CQE by calling mlx5_frag_buf_get_wqe() that\ntakes the correct source buffer as a parameter."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/1ec2dcd680c71d0d36fa25638b327a468babd5c9",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/2ba0aa2feebda680ecfc3c552e867cf4d1b05a3a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/3e670c54eda238cb8a1ea93538a79ae89285c1c4",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/91f7fdc4cc10542ca1045c06aad23365f0d067e0",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/e3ecd9c09fcc10cf6b2bc67e2990c397c40a8c26",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

32
CVE-2021/CVE-2021-472xx/CVE-2021-47262.json Normal file
View File

@ -0,0 +1,32 @@
{
"id": "CVE-2021-47262",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:14.930",
"lastModified": "2024-05-21T15:15:14.930",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Ensure liveliness of nested VM-Enter fail tracepoint message\n\nUse the __string() machinery provided by the tracing subystem to make a\ncopy of the string literals consumed by the \"nested VM-Enter failed\"\ntracepoint. A complete copy is necessary to ensure that the tracepoint\ncan't outlive the data/memory it consumes and deference stale memory.\n\nBecause the tracepoint itself is defined by kvm, if kvm-intel and/or\nkvm-amd are built as modules, the memory holding the string literals\ndefined by the vendor modules will be freed when the module is unloaded,\nwhereas the tracepoint and its data in the ring buffer will live until\nkvm is unloaded (or \"indefinitely\" if kvm is built-in).\n\nThis bug has existed since the tracepoint was added, but was recently\nexposed by a new check in tracing to detect exactly this type of bug.\n\n fmt: '%s%s\n ' current_buffer: ' vmx_dirty_log_t-140127 [003] .... kvm_nested_vmenter_failed: '\n WARNING: CPU: 3 PID: 140134 at kernel/trace/trace.c:3759 trace_check_vprintf+0x3be/0x3e0\n CPU: 3 PID: 140134 Comm: less Not tainted 5.13.0-rc1-ce2e73ce600a-req #184\n Hardware name: ASUS Q87M-E/Q87M-E, BIOS 1102 03/03/2014\n RIP: 0010:trace_check_vprintf+0x3be/0x3e0\n Code: <0f> 0b 44 8b 4c 24 1c e9 a9 fe ff ff c6 44 02 ff 00 49 8b 97 b0 20\n RSP: 0018:ffffa895cc37bcb0 EFLAGS: 00010282\n RAX: 0000000000000000 RBX: ffffa895cc37bd08 RCX: 0000000000000027\n RDX: 0000000000000027 RSI: 00000000ffffdfff RDI: ffff9766cfad74f8\n RBP: ffffffffc0a041d4 R08: ffff9766cfad74f0 R09: ffffa895cc37bad8\n R10: 0000000000000001 R11: 0000000000000001 R12: ffffffffc0a041d4\n R13: ffffffffc0f4dba8 R14: 0000000000000000 R15: ffff976409f2c000\n FS: 00007f92fa200740(0000) GS:ffff9766cfac0000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000559bd11b0000 CR3: 000000019fbaa002 CR4: 00000000001726e0\n Call Trace:\n trace_event_printf+0x5e/0x80\n trace_raw_output_kvm_nested_vmenter_failed+0x3a/0x60 [kvm]\n print_trace_line+0x1dd/0x4e0\n s_show+0x45/0x150\n seq_read_iter+0x2d5/0x4c0\n seq_read+0x106/0x150\n vfs_read+0x98/0x180\n ksys_read+0x5f/0xe0\n do_syscall_64+0x40/0xb0\n entry_SYSCALL_64_after_hwframe+0x44/0xae"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/796d3bd4ac9316e70c181189318cd2bd98af34bc",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/9fb088ce13bc3c59a51260207b487db3e556f275",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/d046f724bbd725a24007b7e52b2d675249870888",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/f31500b0d437a2464ca5972d8f5439e156b74960",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

28
CVE-2021/CVE-2021-472xx/CVE-2021-47263.json Normal file
View File

@ -0,0 +1,28 @@
{
"id": "CVE-2021-47263",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:15.007",
"lastModified": "2024-05-21T15:15:15.007",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: wcd934x: Fix shift-out-of-bounds error\n\nbit-mask for pins 0 to 4 is BIT(0) to BIT(4) however we ended up with BIT(n - 1)\nwhich is not right, and this was caught by below usban check\n\nUBSAN: shift-out-of-bounds in drivers/gpio/gpio-wcd934x.c:34:14"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/dbec64b11c65d74f31427e2b9d5746fbf17bf840",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/dd55331d493b7ea75c5db1f24d6822946fde2862",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/e0b518a2eb44d8a74c19e50f79a8ed393e96d634",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

28
CVE-2021/CVE-2021-472xx/CVE-2021-47264.json Normal file
View File

@ -0,0 +1,28 @@
{
"id": "CVE-2021-47264",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:15.070",
"lastModified": "2024-05-21T15:15:15.070",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: core: Fix Null-point-dereference in fmt_single_name()\n\nCheck the return value of devm_kstrdup() in case of\nNull-point-dereference."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/047fd16015a79180771650aa6ce71f68b2c23368",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/0e2c9aeb00289f279b8181fbd4c20765127d8943",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/41daf6ba594d55f201c50280ebcd430590441da1",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

24
CVE-2021/CVE-2021-472xx/CVE-2021-47265.json Normal file
View File

@ -0,0 +1,24 @@
{
"id": "CVE-2021-47265",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:15.147",
"lastModified": "2024-05-21T15:15:15.147",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA: Verify port when creating flow rule\n\nValidate port value provided by the user and with that remove no longer\nneeded validation by the driver. The missing check in the mlx5_ib driver\ncould cause to the below oops.\n\nCall trace:\n _create_flow_rule+0x2d4/0xf28 [mlx5_ib]\n mlx5_ib_create_flow+0x2d0/0x5b0 [mlx5_ib]\n ib_uverbs_ex_create_flow+0x4cc/0x624 [ib_uverbs]\n ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0xd4/0x150 [ib_uverbs]\n ib_uverbs_cmd_verbs.isra.7+0xb28/0xc50 [ib_uverbs]\n ib_uverbs_ioctl+0x158/0x1d0 [ib_uverbs]\n do_vfs_ioctl+0xd0/0xaf0\n ksys_ioctl+0x84/0xb4\n __arm64_sys_ioctl+0x28/0xc4\n el0_svc_common.constprop.3+0xa4/0x254\n el0_svc_handler+0x84/0xa0\n el0_svc+0x10/0x26c\n Code: b9401260 f9615681 51000400 8b001c20 (f9403c1a)"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/2adcb4c5a52a2623cd2b43efa7041e74d19f3a5e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/8dc1b0e0ca204596c50bcd159ee069ae0f998176",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

32
CVE-2021/CVE-2021-472xx/CVE-2021-47266.json Normal file
View File

@ -0,0 +1,32 @@
{
"id": "CVE-2021-47266",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:15.213",
"lastModified": "2024-05-21T15:15:15.213",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/ipoib: Fix warning caused by destroying non-initial netns\n\nAfter the commit 5ce2dced8e95 (\"RDMA/ipoib: Set rtnl_link_ops for ipoib\ninterfaces\"), if the IPoIB device is moved to non-initial netns,\ndestroying that netns lets the device vanish instead of moving it back to\nthe initial netns, This is happening because default_device_exit() skips\nthe interfaces due to having rtnl_link_ops set.\n\nSteps to reporoduce:\n ip netns add foo\n ip link set mlx5_ib0 netns foo\n ip netns delete foo\n\nWARNING: CPU: 1 PID: 704 at net/core/dev.c:11435 netdev_exit+0x3f/0x50\nModules linked in: xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT\nnf_reject_ipv4 nft_compat nft_counter nft_chain_nat nf_nat nf_conntrack\nnf_defrag_ipv6 nf_defrag_ipv4 nf_tables nfnetlink tun d\n fuse\nCPU: 1 PID: 704 Comm: kworker/u64:3 Tainted: G S W 5.13.0-rc1+ #1\nHardware name: Dell Inc. PowerEdge R630/02C2CP, BIOS 2.1.5 04/11/2016\nWorkqueue: netns cleanup_net\nRIP: 0010:netdev_exit+0x3f/0x50\nCode: 48 8b bb 30 01 00 00 e8 ef 81 b1 ff 48 81 fb c0 3a 54 a1 74 13 48\n8b 83 90 00 00 00 48 81 c3 90 00 00 00 48 39 d8 75 02 5b c3 <0f> 0b 5b\nc3 66 66 2e 0f 1f 84 00 00 00 00 00 66 90 0f 1f 44 00\nRSP: 0018:ffffb297079d7e08 EFLAGS: 00010206\nRAX: ffff8eb542c00040 RBX: ffff8eb541333150 RCX: 000000008010000d\nRDX: 000000008010000e RSI: 000000008010000d RDI: ffff8eb440042c00\nRBP: ffffb297079d7e48 R08: 0000000000000001 R09: ffffffff9fdeac00\nR10: ffff8eb5003be000 R11: 0000000000000001 R12: ffffffffa1545620\nR13: ffffffffa1545628 R14: 0000000000000000 R15: ffffffffa1543b20\nFS: 0000000000000000(0000) GS:ffff8ed37fa00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00005601b5f4c2e8 CR3: 0000001fc8c10002 CR4: 00000000003706e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n ops_exit_list.isra.9+0x36/0x70\n cleanup_net+0x234/0x390\n process_one_work+0x1cb/0x360\n ? process_one_work+0x360/0x360\n worker_thread+0x30/0x370\n ? process_one_work+0x360/0x360\n kthread+0x116/0x130\n ? kthread_park+0x80/0x80\n ret_from_fork+0x22/0x30\n\nTo avoid the above warning and later on the kernel panic that could happen\non shutdown due to a NULL pointer dereference, make sure to set the\nnetns_refund flag that was introduced by commit 3a5ca857079e (\"can: dev:\nMove device back to init netns on owning netns delete\") to properly\nrestore the IPoIB interfaces to the initial netns."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/0a672f7d89db2da17ae02733ccc08458be72a6f8",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/64f1fb6acc2ab95982fc4334f351d7576c26f313",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/67cf4e447b5e5e9e94996cb6812ae2828e0e0e27",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a3e74fb9247cd530dca246699d5eb5a691884d32",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

44
CVE-2021/CVE-2021-472xx/CVE-2021-47267.json Normal file
View File

@ -0,0 +1,44 @@
{
"id": "CVE-2021-47267",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:15.297",
"lastModified": "2024-05-21T15:15:15.297",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: fix various gadget panics on 10gbps cabling\n\nusb_assign_descriptors() is called with 5 parameters,\nthe last 4 of which are the usb_descriptor_header for:\n full-speed (USB1.1 - 12Mbps [including USB1.0 low-speed @ 1.5Mbps),\n high-speed (USB2.0 - 480Mbps),\n super-speed (USB3.0 - 5Gbps),\n super-speed-plus (USB3.1 - 10Gbps).\n\nThe differences between full/high/super-speed descriptors are usually\nsubstantial (due to changes in the maximum usb block size from 64 to 512\nto 1024 bytes and other differences in the specs), while the difference\nbetween 5 and 10Gbps descriptors may be as little as nothing\n(in many cases the same tuning is simply good enough).\n\nHowever if a gadget driver calls usb_assign_descriptors() with\na NULL descriptor for super-speed-plus and is then used on a max 10gbps\nconfiguration, the kernel will crash with a null pointer dereference,\nwhen a 10gbps capable device port + cable + host port combination shows up.\n(This wouldn't happen if the gadget max-speed was set to 5gbps, but\nit of course defaults to the maximum, and there's no real reason to\nartificially limit it)\n\nThe fix is to simply use the 5gbps descriptor as the 10gbps descriptor,\nif a 10gbps descriptor wasn't provided.\n\nObviously this won't fix the problem if the 5gbps descriptor is also\nNULL, but such cases can't be so trivially solved (and any such gadgets\nare unlikely to be used with USB3 ports any way)."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/032e288097a553db5653af552dd8035cd2a0ba96",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/45f9a2fe737dc0a5df270787f2231aee8985cd59",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/5ef23506695b01d5d56a13a092a97f2478069d75",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/70cd19cb5bd94bbb5bacfc9c1e4ee0071699a604",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/b972eff874637402ddc4a7dd11fb22538a0b6d28",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/ca6bc277430d90375452b60b047763a090b7673e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/fd24be23abf3e94260be0f00bb42c7e91d495f87",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

28
CVE-2021/CVE-2021-472xx/CVE-2021-47268.json Normal file
View File

@ -0,0 +1,28 @@
{
"id": "CVE-2021-47268",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:15.390",
"lastModified": "2024-05-21T15:15:15.390",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: tcpm: cancel vdm and state machine hrtimer when unregister tcpm port\n\nA pending hrtimer may expire after the kthread_worker of tcpm port\nis destroyed, see below kernel dump when do module unload, fix it\nby cancel the 2 hrtimers.\n\n[ 111.517018] Unable to handle kernel paging request at virtual address ffff8000118cb880\n[ 111.518786] blk_update_request: I/O error, dev sda, sector 60061185 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 0\n[ 111.526594] Mem abort info:\n[ 111.526597] ESR = 0x96000047\n[ 111.526600] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 111.526604] SET = 0, FnV = 0\n[ 111.526607] EA = 0, S1PTW = 0\n[ 111.526610] Data abort info:\n[ 111.526612] ISV = 0, ISS = 0x00000047\n[ 111.526615] CM = 0, WnR = 1\n[ 111.526619] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000041d75000\n[ 111.526623] [ffff8000118cb880] pgd=10000001bffff003, p4d=10000001bffff003, pud=10000001bfffe003, pmd=10000001bfffa003, pte=0000000000000000\n[ 111.526642] Internal error: Oops: 96000047 [#1] PREEMPT SMP\n[ 111.526647] Modules linked in: dwc3_imx8mp dwc3 phy_fsl_imx8mq_usb [last unloaded: tcpci]\n[ 111.526663] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.13.0-rc4-00927-gebbe9dbd802c-dirty #36\n[ 111.526670] Hardware name: NXP i.MX8MPlus EVK board (DT)\n[ 111.526674] pstate: 800000c5 (Nzcv daIF -PAN -UAO -TCO BTYPE=--)\n[ 111.526681] pc : queued_spin_lock_slowpath+0x1a0/0x390\n[ 111.526695] lr : _raw_spin_lock_irqsave+0x88/0xb4\n[ 111.526703] sp : ffff800010003e20\n[ 111.526706] x29: ffff800010003e20 x28: ffff00017f380180\n[ 111.537156] buffer_io_error: 6 callbacks suppressed\n[ 111.537162] Buffer I/O error on dev sda1, logical block 60040704, async page read\n[ 111.539932] x27: ffff00017f3801c0\n[ 111.539938] x26: ffff800010ba2490 x25: 0000000000000000 x24: 0000000000000001\n[ 111.543025] blk_update_request: I/O error, dev sda, sector 60061186 op 0x0:(READ) flags 0x0 phys_seg 7 prio class 0\n[ 111.548304]\n[ 111.548306] x23: 00000000000000c0 x22: ffff0000c2a9f184 x21: ffff00017f380180\n[ 111.551374] Buffer I/O error on dev sda1, logical block 60040705, async page read\n[ 111.554499]\n[ 111.554503] x20: ffff0000c5f14210 x19: 00000000000000c0 x18: 0000000000000000\n[ 111.557391] Buffer I/O error on dev sda1, logical block 60040706, async page read\n[ 111.561218]\n[ 111.561222] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\n[ 111.564205] Buffer I/O error on dev sda1, logical block 60040707, async page read\n[ 111.570887] x14: 00000000000000f5 x13: 0000000000000001 x12: 0000000000000040\n[ 111.570902] x11: ffff0000c05ac6d8\n[ 111.583420] Buffer I/O error on dev sda1, logical block 60040708, async page read\n[ 111.588978] x10: 0000000000000000 x9 : 0000000000040000\n[ 111.588988] x8 : 0000000000000000\n[ 111.597173] Buffer I/O error on dev sda1, logical block 60040709, async page read\n[ 111.605766] x7 : ffff00017f384880 x6 : ffff8000118cb880\n[ 111.605777] x5 : ffff00017f384880\n[ 111.611094] Buffer I/O error on dev sda1, logical block 60040710, async page read\n[ 111.617086] x4 : 0000000000000000 x3 : ffff0000c2a9f184\n[ 111.617096] x2 : ffff8000118cb880\n[ 111.622242] Buffer I/O error on dev sda1, logical block 60040711, async page read\n[ 111.626927] x1 : ffff8000118cb880 x0 : ffff00017f384888\n[ 111.626938] Call trace:\n[ 111.626942] queued_spin_lock_slowpath+0x1a0/0x390\n[ 111.795809] kthread_queue_work+0x30/0xc0\n[ 111.799828] state_machine_timer_handler+0x20/0x30\n[ 111.804624] __hrtimer_run_queues+0x140/0x1e0\n[ 111.808990] hrtimer_interrupt+0xec/0x2c0\n[ 111.813004] arch_timer_handler_phys+0x38/0x50\n[ 111.817456] handle_percpu_devid_irq+0x88/0x150\n[ 111.821991] __handle_domain_irq+0x80/0xe0\n[ 111.826093] gic_handle_irq+0xc0/0x140\n[ 111.829848] el1_irq+0xbc/0x154\n[ 111.832991] arch_cpu_idle+0x1c/0x2c\n[ 111.836572] default_idle_call+0x24/0x6c\n[ 111.840497] do_idle+0x238/0x2ac\n[ 1\n---truncated---"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/18eaf0de50eadeeb395b83310b259b21ad8ed0a6",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/3a13ff7ef4349d70d1d18378d661117dd5af8efe",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/d0a06696a8a4d99f649240b6f9b8a2e55452ecf5",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

48
CVE-2021/CVE-2021-472xx/CVE-2021-47269.json Normal file
View File

@ -0,0 +1,48 @@
{
"id": "CVE-2021-47269",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:15.470",
"lastModified": "2024-05-21T15:15:15.470",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: ep0: fix NULL pointer exception\n\nThere is no validation of the index from dwc3_wIndex_to_dep() and we might\nbe referring a non-existing ep and trigger a NULL pointer exception. In\ncertain configurations we might use fewer eps and the index might wrongly\nindicate a larger ep index than existing.\n\nBy adding this validation from the patch we can actually report a wrong\nindex back to the caller.\n\nIn our usecase we are using a composite device on an older kernel, but\nupstream might use this fix also. Unfortunately, I cannot describe the\nhardware for others to reproduce the issue as it is a proprietary\nimplementation.\n\n[ 82.958261] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a4\n[ 82.966891] Mem abort info:\n[ 82.969663] ESR = 0x96000006\n[ 82.972703] Exception class = DABT (current EL), IL = 32 bits\n[ 82.978603] SET = 0, FnV = 0\n[ 82.981642] EA = 0, S1PTW = 0\n[ 82.984765] Data abort info:\n[ 82.987631] ISV = 0, ISS = 0x00000006\n[ 82.991449] CM = 0, WnR = 0\n[ 82.994409] user pgtable: 4k pages, 39-bit VAs, pgdp = 00000000c6210ccc\n[ 83.000999] [00000000000000a4] pgd=0000000053aa5003, pud=0000000053aa5003, pmd=0000000000000000\n[ 83.009685] Internal error: Oops: 96000006 [#1] PREEMPT SMP\n[ 83.026433] Process irq/62-dwc3 (pid: 303, stack limit = 0x000000003985154c)\n[ 83.033470] CPU: 0 PID: 303 Comm: irq/62-dwc3 Not tainted 4.19.124 #1\n[ 83.044836] pstate: 60000085 (nZCv daIf -PAN -UAO)\n[ 83.049628] pc : dwc3_ep0_handle_feature+0x414/0x43c\n[ 83.054558] lr : dwc3_ep0_interrupt+0x3b4/0xc94\n\n...\n\n[ 83.141788] Call trace:\n[ 83.144227] dwc3_ep0_handle_feature+0x414/0x43c\n[ 83.148823] dwc3_ep0_interrupt+0x3b4/0xc94\n[ 83.181546] ---[ end trace aac6b5267d84c32f ]---"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/366369b89bedd59b1425386e8d4a18a466e420e4",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/470403639114895e2697c766fbe17be8d0e9b67a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/60156089f07e724e4dc8483702d5e1ede4522749",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/788755756dd4a6aba1de479fec20b0fa600e7f19",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/96b74a99d360235c24052f1d060e64ac53f43528",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/990dc90750772622d44ca2ea6652c521e6f67e16",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/bd551e7c85939de2182010273450bfa78c3742fc",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/d00889080ab60051627dab1d85831cd9db750e2a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

44
CVE-2021/CVE-2021-472xx/CVE-2021-47270.json Normal file
View File

@ -0,0 +1,44 @@
{
"id": "CVE-2021-47270",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:15.540",
"lastModified": "2024-05-21T15:15:15.540",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: fix various gadgets null ptr deref on 10gbps cabling.\n\nThis avoids a null pointer dereference in\nf_{ecm,eem,hid,loopback,printer,rndis,serial,sourcesink,subset,tcm}\nby simply reusing the 5gbps config for 10gbps."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/10770d2ac0094b053c8897d96d7b2737cd72f7c5",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/4b289a0f3033f465b4fd51ba995251a7867a2aa2",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/8cd5f45c1b769e3e9e0f4325dd08b6c3749dc7ee",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/90c4d05780d47e14a50e11a7f17373104cd47d25",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/b4903f7fdc484628d0b8022daf86e2439d3ab4db",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/beb1e67a5ca8d69703c776db9000527f44c0c93c",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/f17aae7c4009160f0630a91842a281773976a5bc",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

24
CVE-2021/CVE-2021-472xx/CVE-2021-47271.json Normal file
View File

@ -0,0 +1,24 @@
{
"id": "CVE-2021-47271",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:15.610",
"lastModified": "2024-05-21T15:15:15.610",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: cdnsp: Fix deadlock issue in cdnsp_thread_irq_handler\n\nPatch fixes the following critical issue caused by deadlock which has been\ndetected during testing NCM class:\n\nsmp: csd: Detected non-responsive CSD lock (#1) on CPU#0\nsmp: csd: CSD lock (#1) unresponsive.\n....\nRIP: 0010:native_queued_spin_lock_slowpath+0x61/0x1d0\nRSP: 0018:ffffbc494011cde0 EFLAGS: 00000002\nRAX: 0000000000000101 RBX: ffff9ee8116b4a68 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9ee8116b4658\nRBP: ffffbc494011cde0 R08: 0000000000000001 R09: 0000000000000000\nR10: ffff9ee8116b4670 R11: 0000000000000000 R12: ffff9ee8116b4658\nR13: ffff9ee8116b4670 R14: 0000000000000246 R15: ffff9ee8116b4658\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f7bcc41a830 CR3: 000000007a612003 CR4: 00000000001706e0\nCall Trace:\n <IRQ>\n do_raw_spin_lock+0xc0/0xd0\n _raw_spin_lock_irqsave+0x95/0xa0\n cdnsp_gadget_ep_queue.cold+0x88/0x107 [cdnsp_udc_pci]\n usb_ep_queue+0x35/0x110\n eth_start_xmit+0x220/0x3d0 [u_ether]\n ncm_tx_timeout+0x34/0x40 [usb_f_ncm]\n ? ncm_free_inst+0x50/0x50 [usb_f_ncm]\n __hrtimer_run_queues+0xac/0x440\n hrtimer_run_softirq+0x8c/0xb0\n __do_softirq+0xcf/0x428\n asm_call_irq_on_stack+0x12/0x20\n </IRQ>\n do_softirq_own_stack+0x61/0x70\n irq_exit_rcu+0xc1/0xd0\n sysvec_apic_timer_interrupt+0x52/0xb0\n asm_sysvec_apic_timer_interrupt+0x12/0x20\nRIP: 0010:do_raw_spin_trylock+0x18/0x40\nRSP: 0018:ffffbc494138bda8 EFLAGS: 00000246\nRAX: 0000000000000000 RBX: ffff9ee8116b4658 RCX: 0000000000000000\nRDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff9ee8116b4658\nRBP: ffffbc494138bda8 R08: 0000000000000001 R09: 0000000000000000\nR10: ffff9ee8116b4670 R11: 0000000000000000 R12: ffff9ee8116b4658\nR13: ffff9ee8116b4670 R14: ffff9ee7b5c73d80 R15: ffff9ee8116b4000\n _raw_spin_lock+0x3d/0x70\n ? cdnsp_thread_irq_handler.cold+0x32/0x112c [cdnsp_udc_pci]\n cdnsp_thread_irq_handler.cold+0x32/0x112c [cdnsp_udc_pci]\n ? cdnsp_remove_request+0x1f0/0x1f0 [cdnsp_udc_pci]\n ? cdnsp_thread_irq_handler+0x5/0xa0 [cdnsp_udc_pci]\n ? irq_thread+0xa0/0x1c0\n irq_thread_fn+0x28/0x60\n irq_thread+0x105/0x1c0\n ? __kthread_parkme+0x42/0x90\n ? irq_forced_thread_fn+0x90/0x90\n ? wake_threads_waitq+0x30/0x30\n ? irq_thread_check_affinity+0xe0/0xe0\n kthread+0x12a/0x160\n ? kthread_park+0x90/0x90\n ret_from_fork+0x22/0x30\n\nThe root cause of issue is spin_lock/spin_unlock instruction instead\nspin_lock_irqsave/spin_lock_irqrestore in cdnsp_thread_irq_handler\nfunction."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/a9aecef198faae3240921b707bc09b602e966fce",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/ae746b6f4ce619cf4032fd798a232b010907a397",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

28
CVE-2021/CVE-2021-472xx/CVE-2021-47272.json Normal file
View File

@ -0,0 +1,28 @@
{
"id": "CVE-2021-47272",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:15.687",
"lastModified": "2024-05-21T15:15:15.687",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: gadget: Bail from dwc3_gadget_exit() if dwc->gadget is NULL\n\nThere exists a possible scenario in which dwc3_gadget_init() can fail:\nduring during host -> peripheral mode switch in dwc3_set_mode(), and\na pending gadget driver fails to bind. Then, if the DRD undergoes\nanother mode switch from peripheral->host the resulting\ndwc3_gadget_exit() will attempt to reference an invalid and dangling\ndwc->gadget pointer as well as call dma_free_coherent() on unmapped\nDMA pointers.\n\nThe exact scenario can be reproduced as follows:\n - Start DWC3 in peripheral mode\n - Configure ConfigFS gadget with FunctionFS instance (or use g_ffs)\n - Run FunctionFS userspace application (open EPs, write descriptors, etc)\n - Bind gadget driver to DWC3's UDC\n - Switch DWC3 to host mode\n => dwc3_gadget_exit() is called. usb_del_gadget() will put the\n\tConfigFS driver instance on the gadget_driver_pending_list\n - Stop FunctionFS application (closes the ep files)\n - Switch DWC3 to peripheral mode\n => dwc3_gadget_init() fails as usb_add_gadget() calls\n\tcheck_pending_gadget_drivers() and attempts to rebind the UDC\n\tto the ConfigFS gadget but fails with -19 (-ENODEV) because the\n\tFFS instance is not in FFS_ACTIVE state (userspace has not\n\tre-opened and written the descriptors yet, i.e. desc_ready!=0).\n - Switch DWC3 back to host mode\n => dwc3_gadget_exit() is called again, but this time dwc->gadget\n\tis invalid.\n\nAlthough it can be argued that userspace should take responsibility\nfor ensuring that the FunctionFS application be ready prior to\nallowing the composite driver bind to the UDC, failure to do so\nshould not result in a panic from the kernel driver.\n\nFix this by setting dwc->gadget to NULL in the failure path of\ndwc3_gadget_init() and add a check to dwc3_gadget_exit() to bail out\nunless the gadget pointer is valid."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/03715ea2e3dbbc56947137ce3b4ac18a726b2f87",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/4aad390363d2b9b3e92428dd34d27bb7ea8f1ee8",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/851dee5a5da56564a70290713aee665403bb0b24",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

28
CVE-2021/CVE-2021-472xx/CVE-2021-47273.json Normal file
View File

@ -0,0 +1,28 @@
{
"id": "CVE-2021-47273",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:15.760",
"lastModified": "2024-05-21T15:15:15.760",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3-meson-g12a: fix usb2 PHY glue init when phy0 is disabled\n\nWhen only PHY1 is used (for example on Odroid-HC4), the regmap init code\nuses the usb2 ports when doesn't initialize the PHY1 regmap entry.\n\nThis fixes:\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000020\n...\npc : regmap_update_bits_base+0x40/0xa0\nlr : dwc3_meson_g12a_usb2_init_phy+0x4c/0xf8\n...\nCall trace:\nregmap_update_bits_base+0x40/0xa0\ndwc3_meson_g12a_usb2_init_phy+0x4c/0xf8\ndwc3_meson_g12a_usb2_init+0x7c/0xc8\ndwc3_meson_g12a_usb_init+0x28/0x48\ndwc3_meson_g12a_probe+0x298/0x540\nplatform_probe+0x70/0xe0\nreally_probe+0xf0/0x4d8\ndriver_probe_device+0xfc/0x168\n..."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/4d2aa178d2ad2fb156711113790dde13e9aa2376",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/750a0d75564293be3ed50f13ef7f38ab75106421",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/d8dd3754e707104a34f8ec595034d503ea8871a2",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

44
CVE-2021/CVE-2021-472xx/CVE-2021-47274.json Normal file
View File

@ -0,0 +1,44 @@
{
"id": "CVE-2021-47274",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:15.830",
"lastModified": "2024-05-21T15:15:15.830",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Correct the length check which causes memory corruption\n\nWe've suffered from severe kernel crashes due to memory corruption on\nour production environment, like,\n\nCall Trace:\n[1640542.554277] general protection fault: 0000 [#1] SMP PTI\n[1640542.554856] CPU: 17 PID: 26996 Comm: python Kdump: loaded Tainted:G\n[1640542.556629] RIP: 0010:kmem_cache_alloc+0x90/0x190\n[1640542.559074] RSP: 0018:ffffb16faa597df8 EFLAGS: 00010286\n[1640542.559587] RAX: 0000000000000000 RBX: 0000000000400200 RCX:\n0000000006e931bf\n[1640542.560323] RDX: 0000000006e931be RSI: 0000000000400200 RDI:\nffff9a45ff004300\n[1640542.560996] RBP: 0000000000400200 R08: 0000000000023420 R09:\n0000000000000000\n[1640542.561670] R10: 0000000000000000 R11: 0000000000000000 R12:\nffffffff9a20608d\n[1640542.562366] R13: ffff9a45ff004300 R14: ffff9a45ff004300 R15:\n696c662f65636976\n[1640542.563128] FS: 00007f45d7c6f740(0000) GS:ffff9a45ff840000(0000)\nknlGS:0000000000000000\n[1640542.563937] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[1640542.564557] CR2: 00007f45d71311a0 CR3: 000000189d63e004 CR4:\n00000000003606e0\n[1640542.565279] DR0: 0000000000000000 DR1: 0000000000000000 DR2:\n0000000000000000\n[1640542.566069] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:\n0000000000000400\n[1640542.566742] Call Trace:\n[1640542.567009] anon_vma_clone+0x5d/0x170\n[1640542.567417] __split_vma+0x91/0x1a0\n[1640542.567777] do_munmap+0x2c6/0x320\n[1640542.568128] vm_munmap+0x54/0x70\n[1640542.569990] __x64_sys_munmap+0x22/0x30\n[1640542.572005] do_syscall_64+0x5b/0x1b0\n[1640542.573724] entry_SYSCALL_64_after_hwframe+0x44/0xa9\n[1640542.575642] RIP: 0033:0x7f45d6e61e27\n\nJames Wang has reproduced it stably on the latest 4.19 LTS.\nAfter some debugging, we finally proved that it's due to ftrace\nbuffer out-of-bound access using a debug tool as follows:\n[ 86.775200] BUG: Out-of-bounds write at addr 0xffff88aefe8b7000\n[ 86.780806] no_context+0xdf/0x3c0\n[ 86.784327] __do_page_fault+0x252/0x470\n[ 86.788367] do_page_fault+0x32/0x140\n[ 86.792145] page_fault+0x1e/0x30\n[ 86.795576] strncpy_from_unsafe+0x66/0xb0\n[ 86.799789] fetch_memory_string+0x25/0x40\n[ 86.804002] fetch_deref_string+0x51/0x60\n[ 86.808134] kprobe_trace_func+0x32d/0x3a0\n[ 86.812347] kprobe_dispatcher+0x45/0x50\n[ 86.816385] kprobe_ftrace_handler+0x90/0xf0\n[ 86.820779] ftrace_ops_assist_func+0xa1/0x140\n[ 86.825340] 0xffffffffc00750bf\n[ 86.828603] do_sys_open+0x5/0x1f0\n[ 86.832124] do_syscall_64+0x5b/0x1b0\n[ 86.835900] entry_SYSCALL_64_after_hwframe+0x44/0xa9\n\ncommit b220c049d519 (\"tracing: Check length before giving out\nthe filter buffer\") adds length check to protect trace data\noverflow introduced in 0fc1b09ff1ff, seems that this fix can't prevent\noverflow entirely, the length check should also take the sizeof\nentry->array[0] into account, since this array[0] is filled the\nlength of trace data and occupy addtional space and risk overflow."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/2d598902799886d67947406f26ee8e5fd2ca097f",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/31ceae385556c37e4d286cb6378696448f566883",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/3e08a9f9760f4a70d633c328a76408e62d6f80a3",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/43c32c22254b9328d7abb1c2b0f689dc67838e60",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/b16a249eca2230c2cd66fa1d4b94743bd9b6ef92",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/d63f00ec908b3be635ead5d6029cc94246e1f38d",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/edcce01e0e50840a9aa6a70baed21477bdd2c9f9",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

24
CVE-2021/CVE-2021-472xx/CVE-2021-47275.json Normal file
View File

@ -0,0 +1,24 @@
{
"id": "CVE-2021-47275",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:15.903",
"lastModified": "2024-05-21T15:15:15.903",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbcache: avoid oversized read request in cache missing code path\n\nIn the cache missing code path of cached device, if a proper location\nfrom the internal B+ tree is matched for a cache miss range, function\ncached_dev_cache_miss() will be called in cache_lookup_fn() in the\nfollowing code block,\n[code block 1]\n 526 unsigned int sectors = KEY_INODE(k) == s->iop.inode\n 527 ? min_t(uint64_t, INT_MAX,\n 528 KEY_START(k) - bio->bi_iter.bi_sector)\n 529 : INT_MAX;\n 530 int ret = s->d->cache_miss(b, s, bio, sectors);\n\nHere s->d->cache_miss() is the call backfunction pointer initialized as\ncached_dev_cache_miss(), the last parameter 'sectors' is an important\nhint to calculate the size of read request to backing device of the\nmissing cache data.\n\nCurrent calculation in above code block may generate oversized value of\n'sectors', which consequently may trigger 2 different potential kernel\npanics by BUG() or BUG_ON() as listed below,\n\n1) BUG_ON() inside bch_btree_insert_key(),\n[code block 2]\n 886 BUG_ON(b->ops->is_extents && !KEY_SIZE(k));\n2) BUG() inside biovec_slab(),\n[code block 3]\n 51 default:\n 52 BUG();\n 53 return NULL;\n\nAll the above panics are original from cached_dev_cache_miss() by the\noversized parameter 'sectors'.\n\nInside cached_dev_cache_miss(), parameter 'sectors' is used to calculate\nthe size of data read from backing device for the cache missing. This\nsize is stored in s->insert_bio_sectors by the following lines of code,\n[code block 4]\n 909 s->insert_bio_sectors = min(sectors, bio_sectors(bio) + reada);\n\nThen the actual key inserting to the internal B+ tree is generated and\nstored in s->iop.replace_key by the following lines of code,\n[code block 5]\n 911 s->iop.replace_key = KEY(s->iop.inode,\n 912 bio->bi_iter.bi_sector + s->insert_bio_sectors,\n 913 s->insert_bio_sectors);\nThe oversized parameter 'sectors' may trigger panic 1) by BUG_ON() from\nthe above code block.\n\nAnd the bio sending to backing device for the missing data is allocated\nwith hint from s->insert_bio_sectors by the following lines of code,\n[code block 6]\n 926 cache_bio = bio_alloc_bioset(GFP_NOWAIT,\n 927 DIV_ROUND_UP(s->insert_bio_sectors, PAGE_SECTORS),\n 928 &dc->disk.bio_split);\nThe oversized parameter 'sectors' may trigger panic 2) by BUG() from the\nagove code block.\n\nNow let me explain how the panics happen with the oversized 'sectors'.\nIn code block 5, replace_key is generated by macro KEY(). From the\ndefinition of macro KEY(),\n[code block 7]\n 71 #define KEY(inode, offset, size) \\\n 72 ((struct bkey) { \\\n 73 .high = (1ULL << 63) | ((__u64) (size) << 20) | (inode), \\\n 74 .low = (offset) \\\n 75 })\n\nHere 'size' is 16bits width embedded in 64bits member 'high' of struct\nbkey. But in code block 1, if \"KEY_START(k) - bio->bi_iter.bi_sector\" is\nvery probably to be larger than (1<<16) - 1, which makes the bkey size\ncalculation in code block 5 is overflowed. In one bug report the value\nof parameter 'sectors' is 131072 (= 1 << 17), the overflowed 'sectors'\nresults the overflowed s->insert_bio_sectors in code block 4, then makes\nsize field of s->iop.replace_key to be 0 in code block 5. Then the 0-\nsized s->iop.replace_key is inserted into the internal B+ tree as cache\nmissing check key (a special key to detect and avoid a racing between\nnormal write request and cache missing read request) as,\n[code block 8]\n 915 ret = bch_btree_insert_check_key(b, &s->op, &s->iop.replace_key);\n\nThen the 0-sized s->iop.replace_key as 3rd parameter triggers the bkey\nsize check BUG_ON() in code block 2, and causes the kernel panic 1).\n\nAnother ke\n---truncated---"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/41fe8d088e96472f63164e213de44ec77be69478",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/555002a840ab88468e252b0eedf0b05e2ce7099c",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

48
CVE-2021/CVE-2021-472xx/CVE-2021-47276.json Normal file
View File

@ -0,0 +1,48 @@
{
"id": "CVE-2021-47276",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:15.983",
"lastModified": "2024-05-21T15:15:15.983",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nftrace: Do not blindly read the ip address in ftrace_bug()\n\nIt was reported that a bug on arm64 caused a bad ip address to be used for\nupdating into a nop in ftrace_init(), but the error path (rightfully)\nreturned -EINVAL and not -EFAULT, as the bug caused more than one error to\noccur. But because -EINVAL was returned, the ftrace_bug() tried to report\nwhat was at the location of the ip address, and read it directly. This\ncaused the machine to panic, as the ip was not pointing to a valid memory\naddress.\n\nInstead, read the ip address with copy_from_kernel_nofault() to safely\naccess the memory, and if it faults, report that the address faulted,\notherwise report what was in that location."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/0bc62e398bbd9e600959e610def5109957437b28",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/3e4ddeb68751fb4fb657199aed9cfd5d02796875",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/4aedc2bc2b32c93555f47c95610efb89cc1ec09b",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/6c14133d2d3f768e0a35128faac8aa6ed4815051",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/7e4e824b109f1d41ccf223fbb0565d877d6223a2",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/862dcc14f2803c556bdd73b43c27b023fafce2fb",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/97524384762c1fb9b3ded931498dd2047bd0de81",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/acf671ba79c1feccc3ec7cfdcffead4efcec49e7",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

48
CVE-2021/CVE-2021-472xx/CVE-2021-47277.json Normal file
View File

@ -0,0 +1,48 @@
{
"id": "CVE-2021-47277",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:16.053",
"lastModified": "2024-05-21T15:15:16.053",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nkvm: avoid speculation-based attacks from out-of-range memslot accesses\n\nKVM's mechanism for accessing guest memory translates a guest physical\naddress (gpa) to a host virtual address using the right-shifted gpa\n(also known as gfn) and a struct kvm_memory_slot. The translation is\nperformed in __gfn_to_hva_memslot using the following formula:\n\n hva = slot->userspace_addr + (gfn - slot->base_gfn) * PAGE_SIZE\n\nIt is expected that gfn falls within the boundaries of the guest's\nphysical memory. However, a guest can access invalid physical addresses\nin such a way that the gfn is invalid.\n\n__gfn_to_hva_memslot is called from kvm_vcpu_gfn_to_hva_prot, which first\nretrieves a memslot through __gfn_to_memslot. While __gfn_to_memslot\ndoes check that the gfn falls within the boundaries of the guest's\nphysical memory or not, a CPU can speculate the result of the check and\ncontinue execution speculatively using an illegal gfn. The speculation\ncan result in calculating an out-of-bounds hva. If the resulting host\nvirtual address is used to load another guest physical address, this\nis effectively a Spectre gadget consisting of two consecutive reads,\nthe second of which is data dependent on the first.\n\nRight now it's not clear if there are any cases in which this is\nexploitable. One interesting case was reported by the original author\nof this patch, and involves visiting guest page tables on x86. Right\nnow these are not vulnerable because the hva read goes through get_user(),\nwhich contains an LFENCE speculation barrier. However, there are\npatches in progress for x86 uaccess.h to mask kernel addresses instead of\nusing LFENCE; once these land, a guest could use speculation to read\nfrom the VMM's ring 3 address space. Other architectures such as ARM\nalready use the address masking method, and would be susceptible to\nthis same kind of data-dependent access gadgets. Therefore, this patch\nproactively protects from these attacks by masking out-of-bounds gfns\nin __gfn_to_hva_memslot, which blocks speculation of invalid hvas.\n\nSean Christopherson noted that this patch does not cover\nkvm_read_guest_offset_cached. This however is limited to a few bytes\npast the end of the cache, and therefore it is unlikely to be useful in\nthe context of building a chain of data dependent accesses."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/22b87fb17a28d37331bb9c1110737627b17f6781",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/3098b86390a6b9ea52657689f08410baf130ceff",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/361ce3b917aff93123e9e966d8608655c967f438",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/740621309b25bbf619b8a0ba5fd50a8e58989441",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/7af299b97734c7e7f465b42a2139ce4d77246975",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/bff1fbf0cf0712686f1df59a83fba6e31d2746a0",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/da27a83fd6cc7780fea190e1f5c19e87019da65c",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/ed0e2a893092c7fcb4ff7ba74e5efce53a6f5940",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

24
CVE-2021/CVE-2021-472xx/CVE-2021-47278.json Normal file
View File

@ -0,0 +1,24 @@
{
"id": "CVE-2021-47278",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:16.143",
"lastModified": "2024-05-21T15:15:16.143",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbus: mhi: pci_generic: Fix possible use-after-free in mhi_pci_remove()\n\nThis driver's remove path calls del_timer(). However, that function\ndoes not wait until the timer handler finishes. This means that the\ntimer handler may still be running after the driver's remove function\nhas finished, which would result in a use-after-free.\n\nFix by calling del_timer_sync(), which makes sure the timer handler\nhas finished, and unable to re-schedule itself."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/0b67808ade8893a1b3608ddd74fac7854786c919",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/c597d5c59c7a6417dba06590f59b922e01188e8d",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

24
CVE-2021/CVE-2021-472xx/CVE-2021-47279.json Normal file
View File

@ -0,0 +1,24 @@
{
"id": "CVE-2021-47279",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:16.210",
"lastModified": "2024-05-21T15:15:16.210",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: misc: brcmstb-usb-pinmap: check return value after calling platform_get_resource()\n\nIt will cause null-ptr-deref if platform_get_resource() returns NULL,\nwe need check the return value."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/2147684be1ebdaf845783139b9bc4eba3fecd9e4",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/fbf649cd6d64d40c03c5397ecd6b1ae922ba7afc",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

40
CVE-2021/CVE-2021-472xx/CVE-2021-47280.json Normal file
View File

@ -0,0 +1,40 @@
{
"id": "CVE-2021-47280",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:16.277",
"lastModified": "2024-05-21T15:15:16.277",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: Fix use-after-free read in drm_getunique()\n\nThere is a time-of-check-to-time-of-use error in drm_getunique() due\nto retrieving file_priv->master prior to locking the device's master\nmutex.\n\nAn example can be seen in the crash report of the use-after-free error\nfound by Syzbot:\nhttps://syzkaller.appspot.com/bug?id=148d2f1dfac64af52ffd27b661981a540724f803\n\nIn the report, the master pointer was used after being freed. This is\nbecause another process had acquired the device's master mutex in\ndrm_setmaster_ioctl(), then overwrote fpriv->master in\ndrm_new_set_master(). The old value of fpriv->master was subsequently\nfreed before the mutex was unlocked.\n\nTo fix this, we lock the device's master mutex before retrieving the\npointer from from fpriv->master. This patch passes the Syzbot\nreproducer test."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/17dab9326ff263c62dab1dbac4492e2938a049e4",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/491d52e0078860b33b6c14f0a7ac74ca1b603bd6",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/7d233ba700ceb593905ea82b42dadb4ec8ef85e9",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/b246b4c70c1250e7814f409b243000f9c0bf79a3",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/b436acd1cf7fac0ba987abd22955d98025c80c2b",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/f773f8cccac13c7e7bbd9182e7996c727742488e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

28
CVE-2021/CVE-2021-472xx/CVE-2021-47281.json Normal file
View File

@ -0,0 +1,28 @@
{
"id": "CVE-2021-47281",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:16.353",
"lastModified": "2024-05-21T15:15:16.353",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: seq: Fix race of snd_seq_timer_open()\n\nThe timer instance per queue is exclusive, and snd_seq_timer_open()\nshould have managed the concurrent accesses. It looks as if it's\nchecking the already existing timer instance at the beginning, but\nit's not right, because there is no protection, hence any later\nconcurrent call of snd_seq_timer_open() may override the timer\ninstance easily. This may result in UAF, as the leftover timer\ninstance can keep running while the queue itself gets closed, as\nspotted by syzkaller recently.\n\nFor avoiding the race, add a proper check at the assignment of\ntmr->timeri again, and return -EBUSY if it's been already registered."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/536a7646c00a0f14fee49e5e313109e5da2f6031",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/83e197a8414c0ba545e7e3916ce05f836f349273",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/bd7d88b0874f82f7b29d1a53e574cedaf23166ba",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

32
CVE-2021/CVE-2021-472xx/CVE-2021-47282.json Normal file
View File

@ -0,0 +1,32 @@
{
"id": "CVE-2021-47282",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:16.430",
"lastModified": "2024-05-21T15:15:16.430",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: bcm2835: Fix out-of-bounds access with more than 4 slaves\n\nCommit 571e31fa60b3 (\"spi: bcm2835: Cache CS register value for\n->prepare_message()\") limited the number of slaves to 3 at compile-time.\nThe limitation was necessitated by a statically-sized array prepare_cs[]\nin the driver private data which contains a per-slave register value.\n\nThe commit sought to enforce the limitation at run-time by setting the\ncontroller's num_chipselect to 3: Slaves with a higher chipselect are\nrejected by spi_add_device().\n\nHowever the commit neglected that num_chipselect only limits the number\nof *native* chipselects. If GPIO chipselects are specified in the\ndevice tree for more than 3 slaves, num_chipselect is silently raised by\nof_spi_get_gpio_numbers() and the result are out-of-bounds accesses to\nthe statically-sized array prepare_cs[].\n\nAs a bandaid fix which is backportable to stable, raise the number of\nallowed slaves to 24 (which \"ought to be enough for anybody\"), enforce\nthe limitation on slave ->setup and revert num_chipselect to 3 (which is\nthe number of native chipselects supported by the controller).\nAn upcoming for-next commit will allow an arbitrary number of slaves."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/01415ff85a24308059e06ca3e97fd7bf75648690",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/13817d466eb8713a1ffd254f537402f091d48444",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/82a8ffba54d31e97582051cb56ba1f988018681e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/b5502580cf958b094f3b69dfe4eece90eae01fbc",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

28
CVE-2021/CVE-2021-472xx/CVE-2021-47283.json Normal file
View File

@ -0,0 +1,28 @@
{
"id": "CVE-2021-47283",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:16.503",
"lastModified": "2024-05-21T15:15:16.503",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet:sfc: fix non-freed irq in legacy irq mode\n\nSFC driver can be configured via modparam to work using MSI-X, MSI or\nlegacy IRQ interrupts. In the last one, the interrupt was not properly\nreleased on module remove.\n\nIt was not freed because the flag irqs_hooked was not set during\ninitialization in the case of using legacy IRQ.\n\nExample of (trimmed) trace during module remove without this fix:\n\nremove_proc_entry: removing non-empty directory 'irq/125', leaking at least '0000:3b:00.1'\nWARNING: CPU: 39 PID: 3658 at fs/proc/generic.c:715 remove_proc_entry+0x15c/0x170\n...trimmed...\nCall Trace:\n unregister_irq_proc+0xe3/0x100\n free_desc+0x29/0x70\n irq_free_descs+0x47/0x70\n mp_unmap_irq+0x58/0x60\n acpi_unregister_gsi_ioapic+0x2a/0x40\n acpi_pci_irq_disable+0x78/0xb0\n pci_disable_device+0xd1/0x100\n efx_pci_remove+0xa1/0x1e0 [sfc]\n pci_device_remove+0x38/0xa0\n __device_release_driver+0x177/0x230\n driver_detach+0xcb/0x110\n bus_remove_driver+0x58/0xd0\n pci_unregister_driver+0x2a/0xb0\n efx_exit_module+0x24/0xf40 [sfc]\n __do_sys_delete_module.constprop.0+0x171/0x280\n ? exit_to_user_mode_prepare+0x83/0x1d0\n do_syscall_64+0x3d/0x80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7f9f9385800b\n...trimmed..."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/81c4d1d83f88e15b26f4522a35cba6ffd8c5dfdd",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/8d717c9135a3340ae62d1699484850bfb4112b0c",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/8f03eeb6e0a0a0b8d617ee0a4bce729e47130036",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

48
CVE-2021/CVE-2021-472xx/CVE-2021-47284.json Normal file
View File

@ -0,0 +1,48 @@
{
"id": "CVE-2021-47284",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:16.577",
"lastModified": "2024-05-21T15:15:16.577",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nisdn: mISDN: netjet: Fix crash in nj_probe:\n\n'nj_setup' in netjet.c might fail with -EIO and in this case\n'card->irq' is initialized and is bigger than zero. A subsequent call to\n'nj_release' will free the irq that has not been requested.\n\nFix this bug by deleting the previous assignment to 'card->irq' and just\nkeep the assignment before 'request_irq'.\n\nThe KASAN's log reveals it:\n\n[ 3.354615 ] WARNING: CPU: 0 PID: 1 at kernel/irq/manage.c:1826\nfree_irq+0x100/0x480\n[ 3.355112 ] Modules linked in:\n[ 3.355310 ] CPU: 0 PID: 1 Comm: swapper/0 Not tainted\n5.13.0-rc1-00144-g25a1298726e #13\n[ 3.355816 ] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS\nrel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014\n[ 3.356552 ] RIP: 0010:free_irq+0x100/0x480\n[ 3.356820 ] Code: 6e 08 74 6f 4d 89 f4 e8 5e ac 09 00 4d 8b 74 24 18\n4d 85 f6 75 e3 e8 4f ac 09 00 8b 75 c8 48 c7 c7 78 c1 2e 85 e8 e0 cf f5\nff <0f> 0b 48 8b 75 c0 4c 89 ff e8 72 33 0b 03 48 8b 43 40 4c 8b a0 80\n[ 3.358012 ] RSP: 0000:ffffc90000017b48 EFLAGS: 00010082\n[ 3.358357 ] RAX: 0000000000000000 RBX: ffff888104dc8000 RCX:\n0000000000000000\n[ 3.358814 ] RDX: ffff8881003c8000 RSI: ffffffff8124a9e6 RDI:\n00000000ffffffff\n[ 3.359272 ] RBP: ffffc90000017b88 R08: 0000000000000000 R09:\n0000000000000000\n[ 3.359732 ] R10: ffffc900000179f0 R11: 0000000000001d04 R12:\n0000000000000000\n[ 3.360195 ] R13: ffff888107dc6000 R14: ffff888107dc6928 R15:\nffff888104dc80a8\n[ 3.360652 ] FS: 0000000000000000(0000) GS:ffff88817bc00000(0000)\nknlGS:0000000000000000\n[ 3.361170 ] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 3.361538 ] CR2: 0000000000000000 CR3: 000000000582e000 CR4:\n00000000000006f0\n[ 3.362003 ] DR0: 0000000000000000 DR1: 0000000000000000 DR2:\n0000000000000000\n[ 3.362175 ] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:\n0000000000000400\n[ 3.362175 ] Call Trace:\n[ 3.362175 ] nj_release+0x51/0x1e0\n[ 3.362175 ] nj_probe+0x450/0x950\n[ 3.362175 ] ? pci_device_remove+0x110/0x110\n[ 3.362175 ] local_pci_probe+0x45/0xa0\n[ 3.362175 ] pci_device_probe+0x12b/0x1d0\n[ 3.362175 ] really_probe+0x2a9/0x610\n[ 3.362175 ] driver_probe_device+0x90/0x1d0\n[ 3.362175 ] ? mutex_lock_nested+0x1b/0x20\n[ 3.362175 ] device_driver_attach+0x68/0x70\n[ 3.362175 ] __driver_attach+0x124/0x1b0\n[ 3.362175 ] ? device_driver_attach+0x70/0x70\n[ 3.362175 ] bus_for_each_dev+0xbb/0x110\n[ 3.362175 ] ? rdinit_setup+0x45/0x45\n[ 3.362175 ] driver_attach+0x27/0x30\n[ 3.362175 ] bus_add_driver+0x1eb/0x2a0\n[ 3.362175 ] driver_register+0xa9/0x180\n[ 3.362175 ] __pci_register_driver+0x82/0x90\n[ 3.362175 ] ? w6692_init+0x38/0x38\n[ 3.362175 ] nj_init+0x36/0x38\n[ 3.362175 ] do_one_initcall+0x7f/0x3d0\n[ 3.362175 ] ? rdinit_setup+0x45/0x45\n[ 3.362175 ] ? rcu_read_lock_sched_held+0x4f/0x80\n[ 3.362175 ] kernel_init_freeable+0x2aa/0x301\n[ 3.362175 ] ? rest_init+0x2c0/0x2c0\n[ 3.362175 ] kernel_init+0x18/0x190\n[ 3.362175 ] ? rest_init+0x2c0/0x2c0\n[ 3.362175 ] ? rest_init+0x2c0/0x2c0\n[ 3.362175 ] ret_from_fork+0x1f/0x30\n[ 3.362175 ] Kernel panic - not syncing: panic_on_warn set ...\n[ 3.362175 ] CPU: 0 PID: 1 Comm: swapper/0 Not tainted\n5.13.0-rc1-00144-g25a1298726e #13\n[ 3.362175 ] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS\nrel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014\n[ 3.362175 ] Call Trace:\n[ 3.362175 ] dump_stack+0xba/0xf5\n[ 3.362175 ] ? free_irq+0x100/0x480\n[ 3.362175 ] panic+0x15a/0x3f2\n[ 3.362175 ] ? __warn+0xf2/0x150\n[ 3.362175 ] ? free_irq+0x100/0x480\n[ 3.362175 ] __warn+0x108/0x150\n[ 3.362175 ] ? free_irq+0x100/0x480\n[ 3.362175 ] report_bug+0x119/0x1c0\n[ 3.362175 ] handle_bug+0x3b/0x80\n[ 3.362175 ] exc_invalid_op+0x18/0x70\n[ 3.362175 ] asm_exc_invalid_op+0x12/0x20\n[ 3.362175 ] RIP: 0010:free_irq+0x100\n---truncated---"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/143fc7220961220eecc04669e5909af8847bf8c8",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/4c1fcb6ec964b44edbf84235134582a5ffae1521",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/6249193e03709ea625e10706ecaf17fea0427d3d",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/958cb1078ca60d214826fd90a0961a447fade59a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/9d7d4649dc1c53acf76df260fd519db698ed20d7",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/9f6f852550d0e1b7735651228116ae9d300f69b3",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a0a37e4454ca1c0b424edc2c9c2487c2c46a1be6",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/bf78e25bd3f487208e042c67c8a31706c2dba265",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

48
CVE-2021/CVE-2021-472xx/CVE-2021-47285.json Normal file
View File

@ -0,0 +1,48 @@
{
"id": "CVE-2021-47285",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:16.653",
"lastModified": "2024-05-21T15:15:16.653",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/nfc/rawsock.c: fix a permission check bug\n\nThe function rawsock_create() calls a privileged function sk_alloc(), which requires a ns-aware check to check net->user_ns, i.e., ns_capable(). However, the original code checks the init_user_ns using capable(). So we replace the capable() with ns_capable()."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/1e5cab50208c8fb7351b798cb1d569debfeb994a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/38cb2e23188af29c43966acee9dbb18b62e26cfe",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/8ab78863e9eff11910e1ac8bcf478060c29b379e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/90d0a3c76965d7a10fc87c07be3e9714e2130d5c",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/c08e0be44759d0b5affc5888be4aa5e536873335",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/d6a21a3fb03300fbaa9fc3ed99f8b0962ce28362",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/ec72482564ff99c6832d33610d9f8ab7ecc81b6d",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/f3ed12af6bbbaf79eddb0ae14656b8ecacea74f0",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

28
CVE-2021/CVE-2021-472xx/CVE-2021-47286.json Normal file
View File

@ -0,0 +1,28 @@
{
"id": "CVE-2021-47286",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:16.723",
"lastModified": "2024-05-21T15:15:16.723",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbus: mhi: core: Validate channel ID when processing command completions\n\nMHI reads the channel ID from the event ring element sent by the\ndevice which can be any value between 0 and 255. In order to\nprevent any out of bound accesses, add a check against the maximum\nnumber of channels supported by the controller and those channels\nnot configured yet so as to skip processing of that event ring\nelement."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/3efec3b4b16fc7af25676a94230a8ab2a3bb867c",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/546362a9ef2ef40b57c6605f14e88ced507f8dd0",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/aed4f5b51aba41e2afd7cfda20a0571a6a67dfe9",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

24
CVE-2021/CVE-2021-472xx/CVE-2021-47287.json Normal file
View File

@ -0,0 +1,24 @@
{
"id": "CVE-2021-47287",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:16.797",
"lastModified": "2024-05-21T15:15:16.797",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndriver core: auxiliary bus: Fix memory leak when driver_register() fail\n\nIf driver_register() returns with error we need to free the memory\nallocated for auxdrv->driver.name before returning from\n__auxiliary_driver_register()"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/4afa0c22eed33cfe0c590742387f0d16f32412f3",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/ce5b3de58fc21303722df46551f7eb9a91afb409",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

48
CVE-2021/CVE-2021-472xx/CVE-2021-47288.json Normal file
View File

@ -0,0 +1,48 @@
{
"id": "CVE-2021-47288",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:16.867",
"lastModified": "2024-05-21T15:15:16.867",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: ngene: Fix out-of-bounds bug in ngene_command_config_free_buf()\n\nFix an 11-year old bug in ngene_command_config_free_buf() while\naddressing the following warnings caught with -Warray-bounds:\n\narch/alpha/include/asm/string.h:22:16: warning: '__builtin_memcpy' offset [12, 16] from the object at 'com' is out of the bounds of referenced subobject 'config' with type 'unsigned char' at offset 10 [-Warray-bounds]\narch/x86/include/asm/string_32.h:182:25: warning: '__builtin_memcpy' offset [12, 16] from the object at 'com' is out of the bounds of referenced subobject 'config' with type 'unsigned char' at offset 10 [-Warray-bounds]\n\nThe problem is that the original code is trying to copy 6 bytes of\ndata into a one-byte size member _config_ of the wrong structue\nFW_CONFIGURE_BUFFERS, in a single call to memcpy(). This causes a\nlegitimate compiler warning because memcpy() overruns the length\nof &com.cmd.ConfigureBuffers.config. It seems that the right\nstructure is FW_CONFIGURE_FREE_BUFFERS, instead, because it contains\n6 more members apart from the header _hdr_. Also, the name of\nthe function ngene_command_config_free_buf() suggests that the actual\nintention is to ConfigureFreeBuffers, instead of ConfigureBuffers\n(which takes place in the function ngene_command_config_buf(), above).\n\nFix this by enclosing those 6 members of struct FW_CONFIGURE_FREE_BUFFERS\ninto new struct config, and use &com.cmd.ConfigureFreeBuffers.config as\nthe destination address, instead of &com.cmd.ConfigureBuffers.config,\nwhen calling memcpy().\n\nThis also helps with the ongoing efforts to globally enable\n-Warray-bounds and get us closer to being able to tighten the\nFORTIFY_SOURCE routines on memcpy()."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/4487b968e5eacd02c493303dc2b61150bb7fe4b2",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/8d4abca95ecc82fc8c41912fa0085281f19cc29f",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/b9a178f189bb6d75293573e181928735f5e3e070",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/c6ddeb63dd543b5474b0217c4e47538b7ffd7686",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/e617fa62f6cf859a7b042cdd6c73af905ff8fca3",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/e818f2ff648581a6c553ae2bebc5dcef9a8bb90c",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/e991457afdcb5f4dbc5bc9d79eaf775be33e7092",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/ec731c6ef564ee6fc101fc5d73e3a3a953d09a00",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

32
CVE-2021/CVE-2021-472xx/CVE-2021-47289.json Normal file
View File

@ -0,0 +1,32 @@
{
"id": "CVE-2021-47289",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:16.950",
"lastModified": "2024-05-21T15:15:16.950",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: fix NULL pointer dereference\n\nCommit 71f642833284 (\"ACPI: utils: Fix reference counting in\nfor_each_acpi_dev_match()\") started doing \"acpi_dev_put()\" on a pointer\nthat was possibly NULL. That fails miserably, because that helper\ninline function is not set up to handle that case.\n\nJust make acpi_dev_put() silently accept a NULL pointer, rather than\ncalling down to put_device() with an invalid offset off that NULL\npointer."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/38f54217b423c0101d03a00feec6fb8ec608b12e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/cae3fa3d8165761f3000f523b11cfa1cd35206bc",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/ccf23a0888077a25a0793a746c3941db2a7562e4",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/fc68f42aa737dc15e7665a4101d4168aadb8e4c4",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

24
CVE-2021/CVE-2021-472xx/CVE-2021-47290.json Normal file
View File

@ -0,0 +1,24 @@
{
"id": "CVE-2021-47290",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:17.027",
"lastModified": "2024-05-21T15:15:17.027",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: Fix NULL dereference on XCOPY completion\n\nCPU affinity control added with commit 39ae3edda325 (\"scsi: target: core:\nMake completion affinity configurable\") makes target_complete_cmd() queue\nwork on a CPU based on se_tpg->se_tpg_wwn->cmd_compl_affinity state.\n\nLIO's EXTENDED COPY worker is a special case in that read/write cmds are\ndispatched using the global xcopy_pt_tpg, which carries a NULL se_tpg_wwn\npointer following initialization in target_xcopy_setup_pt().\n\nThe NULL xcopy_pt_tpg->se_tpg_wwn pointer is dereferenced on completion of\nany EXTENDED COPY initiated read/write cmds. E.g using the libiscsi\nSCSI.ExtendedCopy.Simple test:\n\n BUG: kernel NULL pointer dereference, address: 00000000000001a8\n RIP: 0010:target_complete_cmd+0x9d/0x130 [target_core_mod]\n Call Trace:\n fd_execute_rw+0x148/0x42a [target_core_file]\n ? __dynamic_pr_debug+0xa7/0xe0\n ? target_check_reservation+0x5b/0x940 [target_core_mod]\n __target_execute_cmd+0x1e/0x90 [target_core_mod]\n transport_generic_new_cmd+0x17c/0x330 [target_core_mod]\n target_xcopy_issue_pt_cmd+0x9/0x60 [target_core_mod]\n target_xcopy_read_source.isra.7+0x10b/0x1b0 [target_core_mod]\n ? target_check_fua+0x40/0x40 [target_core_mod]\n ? transport_complete_task_attr+0x130/0x130 [target_core_mod]\n target_xcopy_do_work+0x61f/0xc00 [target_core_mod]\n\nThis fix makes target_complete_cmd() queue work on se_cmd->cpuid if\nse_tpg_wwn is NULL."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/a47fa41381a09e5997afd762664db4f5f6657e03",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/e7732c5a19a15a62b0b23fd683a639b0483e1f40",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

32
CVE-2021/CVE-2021-472xx/CVE-2021-47291.json Normal file
View File

@ -0,0 +1,32 @@
{
"id": "CVE-2021-47291",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:17.100",
"lastModified": "2024-05-21T15:15:17.100",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: fix another slab-out-of-bounds in fib6_nh_flush_exceptions\n\nWhile running the self-tests on a KASAN enabled kernel, I observed a\nslab-out-of-bounds splat very similar to the one reported in\ncommit 821bbf79fe46 (\"ipv6: Fix KASAN: slab-out-of-bounds Read in\n fib6_nh_flush_exceptions\").\n\nWe additionally need to take care of fib6_metrics initialization\nfailure when the caller provides an nh.\n\nThe fix is similar, explicitly free the route instead of calling\nfib6_info_release on a half-initialized object."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/115784bcccf135c3a3548098153413d76f16aae0",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/830251361425c5be044db4d826aaf304ea3d14c6",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/8fb4792f091e608a0a1d353dfdf07ef55a719db5",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/ce8fafb68051fba52546f8bbe8621f7641683680",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

24
CVE-2021/CVE-2021-472xx/CVE-2021-47292.json Normal file
View File

@ -0,0 +1,24 @@
{
"id": "CVE-2021-47292",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:17.173",
"lastModified": "2024-05-21T15:15:17.173",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: fix memleak in io_init_wq_offload()\n\nI got memory leak report when doing fuzz test:\n\nBUG: memory leak\nunreferenced object 0xffff888107310a80 (size 96):\ncomm \"syz-executor.6\", pid 4610, jiffies 4295140240 (age 20.135s)\nhex dump (first 32 bytes):\n01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N..........\nbacktrace:\n[<000000001974933b>] kmalloc include/linux/slab.h:591 [inline]\n[<000000001974933b>] kzalloc include/linux/slab.h:721 [inline]\n[<000000001974933b>] io_init_wq_offload fs/io_uring.c:7920 [inline]\n[<000000001974933b>] io_uring_alloc_task_context+0x466/0x640 fs/io_uring.c:7955\n[<0000000039d0800d>] __io_uring_add_tctx_node+0x256/0x360 fs/io_uring.c:9016\n[<000000008482e78c>] io_uring_add_tctx_node fs/io_uring.c:9052 [inline]\n[<000000008482e78c>] __do_sys_io_uring_enter fs/io_uring.c:9354 [inline]\n[<000000008482e78c>] __se_sys_io_uring_enter fs/io_uring.c:9301 [inline]\n[<000000008482e78c>] __x64_sys_io_uring_enter+0xabc/0xc20 fs/io_uring.c:9301\n[<00000000b875f18f>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n[<00000000b875f18f>] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80\n[<000000006b0a8484>] entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nCPU0 CPU1\nio_uring_enter io_uring_enter\nio_uring_add_tctx_node io_uring_add_tctx_node\n__io_uring_add_tctx_node __io_uring_add_tctx_node\nio_uring_alloc_task_context io_uring_alloc_task_context\nio_init_wq_offload io_init_wq_offload\nhash = kzalloc hash = kzalloc\nctx->hash_map = hash ctx->hash_map = hash <- one of the hash is leaked\n\nWhen calling io_uring_enter() in parallel, the 'hash_map' will be leaked,\nadd uring_lock to protect 'hash_map'."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/362a9e65289284f36403058eea2462d0330c1f24",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/502731a03f27cba1513fbbff77e508185ffce5bb",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

36
CVE-2021/CVE-2021-472xx/CVE-2021-47293.json Normal file
View File

@ -0,0 +1,36 @@
{
"id": "CVE-2021-47293",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:17.243",
"lastModified": "2024-05-21T15:15:17.243",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_skbmod: Skip non-Ethernet packets\n\nCurrently tcf_skbmod_act() assumes that packets use Ethernet as their L2\nprotocol, which is not always the case. As an example, for CAN devices:\n\n\t$ ip link add dev vcan0 type vcan\n\t$ ip link set up vcan0\n\t$ tc qdisc add dev vcan0 root handle 1: htb\n\t$ tc filter add dev vcan0 parent 1: protocol ip prio 10 \\\n\t\tmatchall action skbmod swap mac\n\nDoing the above silently corrupts all the packets. Do not perform skbmod\nactions for non-Ethernet packets."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/071729150be9e1d1b851b70efb6d91ee9269d57b",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/34f1e1f657fae2891b485a3b2b95fe4d2aef9f0d",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/727d6a8b7ef3d25080fad228b2c4a1d4da5999c6",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a88414fb1117f2fe65fb88e45ba694e1d09d5024",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/e4fdca366806f6bab374d1a95e626a10a3854b0c",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

48
CVE-2021/CVE-2021-472xx/CVE-2021-47294.json Normal file
View File

@ -0,0 +1,48 @@
{
"id": "CVE-2021-47294",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:17.323",
"lastModified": "2024-05-21T15:15:17.323",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: Decrease sock refcount when sock timers expire\n\nCommit 63346650c1a9 (\"netrom: switch to sock timer API\") switched to use\nsock timer API. It replaces mod_timer() by sk_reset_timer(), and\ndel_timer() by sk_stop_timer().\n\nFunction sk_reset_timer() will increase the refcount of sock if it is\ncalled on an inactive timer, hence, in case the timer expires, we need to\ndecrease the refcount ourselves in the handler, otherwise, the sock\nrefcount will be unbalanced and the sock will never be freed."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/25df44e90ff5959b5c24ad361b648504a7e39ef3",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/48866fd5c361ea417ed24b43fc2a7dc2f5b060ef",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/517a16b1a88bdb6b530f48d5d153478b2552d9a8",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/6811744bd0efb9e472cb15d066cdb460beb8cb8a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/853262355518cd1247515b74e83fabf038aa6c29",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/9619cc7d97c3aa8ed3cfd2b8678b74fb6d6c7950",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a01634bf91f2b6c42583770eb6815fb6d1e251cf",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/bc1660206c3723c37ed4d622ad81781f1e987250",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

32
CVE-2021/CVE-2021-472xx/CVE-2021-47295.json Normal file
View File

@ -0,0 +1,32 @@
{
"id": "CVE-2021-47295",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:17.400",
"lastModified": "2024-05-21T15:15:17.400",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: fix memory leak in tcindex_partial_destroy_work\n\nSyzbot reported memory leak in tcindex_set_parms(). The problem was in\nnon-freed perfect hash in tcindex_partial_destroy_work().\n\nIn tcindex_set_parms() new tcindex_data is allocated and some fields from\nold one are copied to new one, but not the perfect hash. Since\ntcindex_partial_destroy_work() is the destroy function for old\ntcindex_data, we need to free perfect hash to avoid memory leak."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/8d7924ce85bae64e7a67c366c7c50840f49f3a62",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/8e9662fde6d63c78eb1350f6167f64c9d71a865b",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/cac71d27745f92ee13f0ecc668ffe151a4a9c9b1",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/f5051bcece50140abd1a11a2d36dc3ec5484fc32",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

36
CVE-2021/CVE-2021-472xx/CVE-2021-47296.json Normal file
View File

@ -0,0 +1,36 @@
{
"id": "CVE-2021-47296",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:17.477",
"lastModified": "2024-05-21T15:15:17.477",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: PPC: Fix kvm_arch_vcpu_ioctl vcpu_load leak\n\nvcpu_put is not called if the user copy fails. This can result in preempt\nnotifier corruption and crashes, among other issues."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/9bafc34dc4ad0cef18727c557f21ed3c3304df50",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a4a488915feaad38345cc01b80d52e8200ff5209",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/bc4188a2f56e821ea057aca6bf444e138d06c252",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/e14ef1095387f764d95614d3ec9e4d07c82a3533",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/f38527f1890543cdfca8dfd06f75f9887cce6151",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

48
CVE-2021/CVE-2021-472xx/CVE-2021-47297.json Normal file
View File

@ -0,0 +1,48 @@
{
"id": "CVE-2021-47297",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:17.553",
"lastModified": "2024-05-21T15:15:17.553",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix uninit-value in caif_seqpkt_sendmsg\n\nWhen nr_segs equal to zero in iovec_from_user, the object\nmsg->msg_iter.iov is uninit stack memory in caif_seqpkt_sendmsg\nwhich is defined in ___sys_sendmsg. So we cann't just judge\nmsg->msg_iter.iov->base directlly. We can use nr_segs to judge\nmsg in caif_seqpkt_sendmsg whether has data buffers.\n\n=====================================================\nBUG: KMSAN: uninit-value in caif_seqpkt_sendmsg+0x693/0xf60 net/caif/caif_socket.c:542\nCall Trace:\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0x1c9/0x220 lib/dump_stack.c:118\n kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118\n __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215\n caif_seqpkt_sendmsg+0x693/0xf60 net/caif/caif_socket.c:542\n sock_sendmsg_nosec net/socket.c:652 [inline]\n sock_sendmsg net/socket.c:672 [inline]\n ____sys_sendmsg+0x12b6/0x1350 net/socket.c:2343\n ___sys_sendmsg net/socket.c:2397 [inline]\n __sys_sendmmsg+0x808/0xc90 net/socket.c:2480\n __compat_sys_sendmmsg net/compat.c:656 [inline]"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/1582a02fecffcee306663035a295e28e1c4aaaff",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/452c3ed7bf63721b07bc2238ed1261bb26027e85",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/5c6d8e2f7187b8e45a18c27acb7a3885f03ee3db",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/9413c0abb57f70a953b1116318d6aa478013c35d",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/991e634360f2622a683b48dfe44fe6d9cb765a09",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/d4c7797ab1517515f0d08b3bc1c6b48883889c54",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/d9d646acad2c3590e189bb5d5c86ab8bd8a2dfc3",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/ffe31dd70b70a40cd6b21b78c1713a23e021843a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

28
CVE-2021/CVE-2021-472xx/CVE-2021-47298.json Normal file
View File

@ -0,0 +1,28 @@
{
"id": "CVE-2021-47298",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:17.657",
"lastModified": "2024-05-21T15:15:17.657",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Fix potential memory leak on unlikely error case\n\nIf skb_linearize is needed and fails we could leak a msg on the error\nhandling. To fix ensure we kfree the msg block before returning error.\nFound during code review."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/6c508a1c6c62793dc6e6872cad4b200097bab7c9",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/715f378f42909c401ec043f5150c4fdf57fb8889",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/7e6b27a69167f97c56b5437871d29e9722c3e470",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

28
CVE-2021/CVE-2021-472xx/CVE-2021-47299.json Normal file
View File

@ -0,0 +1,28 @@
{
"id": "CVE-2021-47299",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:17.743",
"lastModified": "2024-05-21T15:15:17.743",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxdp, net: Fix use-after-free in bpf_xdp_link_release\n\nThe problem occurs between dev_get_by_index() and dev_xdp_attach_link().\nAt this point, dev_xdp_uninstall() is called. Then xdp link will not be\ndetached automatically when dev is released. But link->dev already\npoints to dev, when xdp link is released, dev will still be accessed,\nbut dev has been released.\n\ndev_get_by_index() |\nlink->dev = dev |\n | rtnl_lock()\n | unregister_netdevice_many()\n | dev_xdp_uninstall()\n | rtnl_unlock()\nrtnl_lock(); |\ndev_xdp_attach_link() |\nrtnl_unlock(); |\n | netdev_run_todo() // dev released\nbpf_xdp_link_release() |\n /* access dev. |\n use-after-free */ |\n\n[ 45.966867] BUG: KASAN: use-after-free in bpf_xdp_link_release+0x3b8/0x3d0\n[ 45.967619] Read of size 8 at addr ffff00000f9980c8 by task a.out/732\n[ 45.968297]\n[ 45.968502] CPU: 1 PID: 732 Comm: a.out Not tainted 5.13.0+ #22\n[ 45.969222] Hardware name: linux,dummy-virt (DT)\n[ 45.969795] Call trace:\n[ 45.970106] dump_backtrace+0x0/0x4c8\n[ 45.970564] show_stack+0x30/0x40\n[ 45.970981] dump_stack_lvl+0x120/0x18c\n[ 45.971470] print_address_description.constprop.0+0x74/0x30c\n[ 45.972182] kasan_report+0x1e8/0x200\n[ 45.972659] __asan_report_load8_noabort+0x2c/0x50\n[ 45.973273] bpf_xdp_link_release+0x3b8/0x3d0\n[ 45.973834] bpf_link_free+0xd0/0x188\n[ 45.974315] bpf_link_put+0x1d0/0x218\n[ 45.974790] bpf_link_release+0x3c/0x58\n[ 45.975291] __fput+0x20c/0x7e8\n[ 45.975706] ____fput+0x24/0x30\n[ 45.976117] task_work_run+0x104/0x258\n[ 45.976609] do_notify_resume+0x894/0xaf8\n[ 45.977121] work_pending+0xc/0x328\n[ 45.977575]\n[ 45.977775] The buggy address belongs to the page:\n[ 45.978369] page:fffffc00003e6600 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4f998\n[ 45.979522] flags: 0x7fffe0000000000(node=0|zone=0|lastcpupid=0x3ffff)\n[ 45.980349] raw: 07fffe0000000000 fffffc00003e6708 ffff0000dac3c010 0000000000000000\n[ 45.981309] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000\n[ 45.982259] page dumped because: kasan: bad access detected\n[ 45.982948]\n[ 45.983153] Memory state around the buggy address:\n[ 45.983753] ffff00000f997f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n[ 45.984645] ffff00000f998000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[ 45.985533] >ffff00000f998080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[ 45.986419] ^\n[ 45.987112] ffff00000f998100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[ 45.988006] ffff00000f998180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[ 45.988895] ==================================================================\n[ 45.989773] Disabling lock debugging due to kernel taint\n[ 45.990552] Kernel panic - not syncing: panic_on_warn set ...\n[ 45.991166] CPU: 1 PID: 732 Comm: a.out Tainted: G B 5.13.0+ #22\n[ 45.991929] Hardware name: linux,dummy-virt (DT)\n[ 45.992448] Call trace:\n[ 45.992753] dump_backtrace+0x0/0x4c8\n[ 45.993208] show_stack+0x30/0x40\n[ 45.993627] dump_stack_lvl+0x120/0x18c\n[ 45.994113] dump_stack+0x1c/0x34\n[ 45.994530] panic+0x3a4/0x7d8\n[ 45.994930] end_report+0x194/0x198\n[ 45.995380] kasan_report+0x134/0x200\n[ 45.995850] __asan_report_load8_noabort+0x2c/0x50\n[ 45.996453] bpf_xdp_link_release+0x3b8/0x3d0\n[ 45.997007] bpf_link_free+0xd0/0x188\n[ 45.997474] bpf_link_put+0x1d0/0x218\n[ 45.997942] bpf_link_release+0x3c/0x58\n[ 45.998429] __fput+0x20c/0x7e8\n[ 45.998833] ____fput+0x24/0x30\n[ 45.999247] task_work_run+0x104/0x258\n[ 45.999731] do_notify_resume+0x894/0xaf8\n[ 46.000236] work_pending\n---truncated---"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/5acc7d3e8d342858405fbbc671221f676b547ce7",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a7537dc73e69ad9c0b67ad24ad3ebee954ed0af6",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/ca9ba1de8f09976b45ccc8e655c51c6201992139",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

28
CVE-2021/CVE-2021-473xx/CVE-2021-47300.json Normal file
View File

@ -0,0 +1,28 @@
{
"id": "CVE-2021-47300",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:17.820",
"lastModified": "2024-05-21T15:15:17.820",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix tail_call_reachable rejection for interpreter when jit failed\n\nDuring testing of f263a81451c1 (\"bpf: Track subprog poke descriptors correctly\nand fix use-after-free\") under various failure conditions, for example, when\njit_subprogs() fails and tries to clean up the program to be run under the\ninterpreter, we ran into the following freeze:\n\n [...]\n #127/8 tailcall_bpf2bpf_3:FAIL\n [...]\n [ 92.041251] BUG: KASAN: slab-out-of-bounds in ___bpf_prog_run+0x1b9d/0x2e20\n [ 92.042408] Read of size 8 at addr ffff88800da67f68 by task test_progs/682\n [ 92.043707]\n [ 92.044030] CPU: 1 PID: 682 Comm: test_progs Tainted: G O 5.13.0-53301-ge6c08cb33a30-dirty #87\n [ 92.045542] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/01/2014\n [ 92.046785] Call Trace:\n [ 92.047171] ? __bpf_prog_run_args64+0xc0/0xc0\n [ 92.047773] ? __bpf_prog_run_args32+0x8b/0xb0\n [ 92.048389] ? __bpf_prog_run_args64+0xc0/0xc0\n [ 92.049019] ? ktime_get+0x117/0x130\n [...] // few hundred [similar] lines more\n [ 92.659025] ? ktime_get+0x117/0x130\n [ 92.659845] ? __bpf_prog_run_args64+0xc0/0xc0\n [ 92.660738] ? __bpf_prog_run_args32+0x8b/0xb0\n [ 92.661528] ? __bpf_prog_run_args64+0xc0/0xc0\n [ 92.662378] ? print_usage_bug+0x50/0x50\n [ 92.663221] ? print_usage_bug+0x50/0x50\n [ 92.664077] ? bpf_ksym_find+0x9c/0xe0\n [ 92.664887] ? ktime_get+0x117/0x130\n [ 92.665624] ? kernel_text_address+0xf5/0x100\n [ 92.666529] ? __kernel_text_address+0xe/0x30\n [ 92.667725] ? unwind_get_return_address+0x2f/0x50\n [ 92.668854] ? ___bpf_prog_run+0x15d4/0x2e20\n [ 92.670185] ? ktime_get+0x117/0x130\n [ 92.671130] ? __bpf_prog_run_args64+0xc0/0xc0\n [ 92.672020] ? __bpf_prog_run_args32+0x8b/0xb0\n [ 92.672860] ? __bpf_prog_run_args64+0xc0/0xc0\n [ 92.675159] ? ktime_get+0x117/0x130\n [ 92.677074] ? lock_is_held_type+0xd5/0x130\n [ 92.678662] ? ___bpf_prog_run+0x15d4/0x2e20\n [ 92.680046] ? ktime_get+0x117/0x130\n [ 92.681285] ? __bpf_prog_run32+0x6b/0x90\n [ 92.682601] ? __bpf_prog_run64+0x90/0x90\n [ 92.683636] ? lock_downgrade+0x370/0x370\n [ 92.684647] ? mark_held_locks+0x44/0x90\n [ 92.685652] ? ktime_get+0x117/0x130\n [ 92.686752] ? lockdep_hardirqs_on+0x79/0x100\n [ 92.688004] ? ktime_get+0x117/0x130\n [ 92.688573] ? __cant_migrate+0x2b/0x80\n [ 92.689192] ? bpf_test_run+0x2f4/0x510\n [ 92.689869] ? bpf_test_timer_continue+0x1c0/0x1c0\n [ 92.690856] ? rcu_read_lock_bh_held+0x90/0x90\n [ 92.691506] ? __kasan_slab_alloc+0x61/0x80\n [ 92.692128] ? eth_type_trans+0x128/0x240\n [ 92.692737] ? __build_skb+0x46/0x50\n [ 92.693252] ? bpf_prog_test_run_skb+0x65e/0xc50\n [ 92.693954] ? bpf_prog_test_run_raw_tp+0x2d0/0x2d0\n [ 92.694639] ? __fget_light+0xa1/0x100\n [ 92.695162] ? bpf_prog_inc+0x23/0x30\n [ 92.695685] ? __sys_bpf+0xb40/0x2c80\n [ 92.696324] ? bpf_link_get_from_fd+0x90/0x90\n [ 92.697150] ? mark_held_locks+0x24/0x90\n [ 92.698007] ? lockdep_hardirqs_on_prepare+0x124/0x220\n [ 92.699045] ? finish_task_switch+0xe6/0x370\n [ 92.700072] ? lockdep_hardirqs_on+0x79/0x100\n [ 92.701233] ? finish_task_switch+0x11d/0x370\n [ 92.702264] ? __switch_to+0x2c0/0x740\n [ 92.703148] ? mark_held_locks+0x24/0x90\n [ 92.704155] ? __x64_sys_bpf+0x45/0x50\n [ 92.705146] ? do_syscall_64+0x35/0x80\n [ 92.706953] ? entry_SYSCALL_64_after_hwframe+0x44/0xae\n [...]\n\nTurns out that the program rejection from e411901c0b77 (\"bpf: allow for tailcalls\nin BPF subprograms for x64 JIT\") is buggy since env->prog->aux->tail_call_reachable\nis never true. Commit ebf7d1f508a7 (\"bpf, x64: rework pro/epilogue and tailcall\nhandling in JIT\") added a tracker into check_max_stack_depth() which propagates\nthe tail_call_reachable condition throughout the subprograms. This info is then\nassigned to the subprogram's \n---truncated---"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/39f1735c8107ef43a53c4daf82f330d880488d8f",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/5dd0a6b8582ffbfa88351949d50eccd5b6694ade",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/cbb086074dab631ac43f8645cbac1d7b148e05c4",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

40
CVE-2021/CVE-2021-473xx/CVE-2021-47301.json Normal file
View File

@ -0,0 +1,40 @@
{
"id": "CVE-2021-47301",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:17.890",
"lastModified": "2024-05-21T15:15:17.890",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nigb: Fix use-after-free error during reset\n\nCleans the next descriptor to watch (next_to_watch) when cleaning the\nTX ring.\n\nFailure to do so can cause invalid memory accesses. If igb_poll() runs\nwhile the controller is reset this can lead to the driver try to free\na skb that was already freed.\n\n(The crash is harder to reproduce with the igb driver, but the same\npotential problem exists as the code is identical to igc)"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/7b292608db23ccbbfbfa50cdb155d01725d7a52e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/88e0720133d42d34851c8721cf5f289a50a8710f",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/8e24c12f2ff6d32fd9f057382f08e748ec97194c",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/d3ccb18ed5ac3283c7b31ecc685b499e580d5492",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/d7367f781e5a9ca5df9082b15b272b55e76931f8",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/f153664d8e70c11d0371341613651e1130e20240",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

32
CVE-2021/CVE-2021-473xx/CVE-2021-47302.json Normal file
View File

@ -0,0 +1,32 @@
{
"id": "CVE-2021-47302",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:17.960",
"lastModified": "2024-05-21T15:15:17.960",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nigc: Fix use-after-free error during reset\n\nCleans the next descriptor to watch (next_to_watch) when cleaning the\nTX ring.\n\nFailure to do so can cause invalid memory accesses. If igc_poll() runs\nwhile the controller is being reset this can lead to the driver try to\nfree a skb that was already freed.\n\nLog message:\n\n [ 101.525242] refcount_t: underflow; use-after-free.\n [ 101.525251] WARNING: CPU: 1 PID: 646 at lib/refcount.c:28 refcount_warn_saturate+0xab/0xf0\n [ 101.525259] Modules linked in: sch_etf(E) sch_mqprio(E) rfkill(E) intel_rapl_msr(E) intel_rapl_common(E)\n x86_pkg_temp_thermal(E) intel_powerclamp(E) coretemp(E) binfmt_misc(E) kvm_intel(E) kvm(E) irqbypass(E) crc32_pclmul(E)\n ghash_clmulni_intel(E) aesni_intel(E) mei_wdt(E) libaes(E) crypto_simd(E) cryptd(E) glue_helper(E) snd_hda_codec_hdmi(E)\n rapl(E) intel_cstate(E) snd_hda_intel(E) snd_intel_dspcfg(E) sg(E) soundwire_intel(E) intel_uncore(E) at24(E)\n soundwire_generic_allocation(E) iTCO_wdt(E) soundwire_cadence(E) intel_pmc_bxt(E) serio_raw(E) snd_hda_codec(E)\n iTCO_vendor_support(E) watchdog(E) snd_hda_core(E) snd_hwdep(E) snd_soc_core(E) snd_compress(E) snd_pcsp(E)\n soundwire_bus(E) snd_pcm(E) evdev(E) snd_timer(E) mei_me(E) snd(E) soundcore(E) mei(E) configfs(E) ip_tables(E) x_tables(E)\n autofs4(E) ext4(E) crc32c_generic(E) crc16(E) mbcache(E) jbd2(E) sd_mod(E) t10_pi(E) crc_t10dif(E) crct10dif_generic(E)\n i915(E) ahci(E) libahci(E) ehci_pci(E) igb(E) xhci_pci(E) ehci_hcd(E)\n [ 101.525303] drm_kms_helper(E) dca(E) xhci_hcd(E) libata(E) crct10dif_pclmul(E) cec(E) crct10dif_common(E) tsn(E) igc(E)\n e1000e(E) ptp(E) i2c_i801(E) crc32c_intel(E) psmouse(E) i2c_algo_bit(E) i2c_smbus(E) scsi_mod(E) lpc_ich(E) pps_core(E)\n usbcore(E) drm(E) button(E) video(E)\n [ 101.525318] CPU: 1 PID: 646 Comm: irq/37-enp7s0-T Tainted: G E 5.10.30-rt37-tsn1-rt-ipipe #ipipe\n [ 101.525320] Hardware name: SIEMENS AG SIMATIC IPC427D/A5E31233588, BIOS V17.02.09 03/31/2017\n [ 101.525322] RIP: 0010:refcount_warn_saturate+0xab/0xf0\n [ 101.525325] Code: 05 31 48 44 01 01 e8 f0 c6 42 00 0f 0b c3 80 3d 1f 48 44 01 00 75 90 48 c7 c7 78 a8 f3 a6 c6 05 0f 48\n 44 01 01 e8 d1 c6 42 00 <0f> 0b c3 80 3d fe 47 44 01 00 0f 85 6d ff ff ff 48 c7 c7 d0 a8 f3\n [ 101.525327] RSP: 0018:ffffbdedc0917cb8 EFLAGS: 00010286\n [ 101.525329] RAX: 0000000000000000 RBX: ffff98fd6becbf40 RCX: 0000000000000001\n [ 101.525330] RDX: 0000000000000001 RSI: ffffffffa6f2700c RDI: 00000000ffffffff\n [ 101.525332] RBP: ffff98fd6becc14c R08: ffffffffa7463d00 R09: ffffbdedc0917c50\n [ 101.525333] R10: ffffffffa74c3578 R11: 0000000000000034 R12: 00000000ffffff00\n [ 101.525335] R13: ffff98fd6b0b1000 R14: 0000000000000039 R15: ffff98fd6be35c40\n [ 101.525337] FS: 0000000000000000(0000) GS:ffff98fd6e240000(0000) knlGS:0000000000000000\n [ 101.525339] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [ 101.525341] CR2: 00007f34135a3a70 CR3: 0000000150210003 CR4: 00000000001706e0\n [ 101.525343] Call Trace:\n [ 101.525346] sock_wfree+0x9c/0xa0\n [ 101.525353] unix_destruct_scm+0x7b/0xa0\n [ 101.525358] skb_release_head_state+0x40/0x90\n [ 101.525362] skb_release_all+0xe/0x30\n [ 101.525364] napi_consume_skb+0x57/0x160\n [ 101.525367] igc_poll+0xb7/0xc80 [igc]\n [ 101.525376] ? sched_clock+0x5/0x10\n [ 101.525381] ? sched_clock_cpu+0xe/0x100\n [ 101.525385] net_rx_action+0x14c/0x410\n [ 101.525388] __do_softirq+0xe9/0x2f4\n [ 101.525391] __local_bh_enable_ip+0xe3/0x110\n [ 101.525395] ? irq_finalize_oneshot.part.47+0xe0/0xe0\n [ 101.525398] irq_forced_thread_fn+0x6a/0x80\n [ 101.525401] irq_thread+0xe8/0x180\n [ 101.525403] ? wake_threads_waitq+0x30/0x30\n [ 101.525406] ? irq_thread_check_affinity+0xd0/0xd0\n [ 101.525408] kthread+0x183/0x1a0\n [ 101.525412] ? kthread_park+0x80/0x80\n [ 101.525415] ret_from_fork+0x22/0x30"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/56ea7ed103b46970e171eb1c95916f393d64eeff",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a9508e0edfe369ac95d0825bcdca976436ce780f",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/e15f629036bac005fc758b4ad17896cf2312add4",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/ea5e36b7367ea0a36ef73a163768f16d2977bd83",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

28
CVE-2021/CVE-2021-473xx/CVE-2021-47303.json Normal file
View File

@ -0,0 +1,28 @@
{
"id": "CVE-2021-47303",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:18.037",
"lastModified": "2024-05-21T15:15:18.037",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Track subprog poke descriptors correctly and fix use-after-free\n\nSubprograms are calling map_poke_track(), but on program release there is no\nhook to call map_poke_untrack(). However, on program release, the aux memory\n(and poke descriptor table) is freed even though we still have a reference to\nit in the element list of the map aux data. When we run map_poke_run(), we then\nend up accessing free'd memory, triggering KASAN in prog_array_map_poke_run():\n\n [...]\n [ 402.824689] BUG: KASAN: use-after-free in prog_array_map_poke_run+0xc2/0x34e\n [ 402.824698] Read of size 4 at addr ffff8881905a7940 by task hubble-fgs/4337\n [ 402.824705] CPU: 1 PID: 4337 Comm: hubble-fgs Tainted: G I 5.12.0+ #399\n [ 402.824715] Call Trace:\n [ 402.824719] dump_stack+0x93/0xc2\n [ 402.824727] print_address_description.constprop.0+0x1a/0x140\n [ 402.824736] ? prog_array_map_poke_run+0xc2/0x34e\n [ 402.824740] ? prog_array_map_poke_run+0xc2/0x34e\n [ 402.824744] kasan_report.cold+0x7c/0xd8\n [ 402.824752] ? prog_array_map_poke_run+0xc2/0x34e\n [ 402.824757] prog_array_map_poke_run+0xc2/0x34e\n [ 402.824765] bpf_fd_array_map_update_elem+0x124/0x1a0\n [...]\n\nThe elements concerned are walked as follows:\n\n for (i = 0; i < elem->aux->size_poke_tab; i++) {\n poke = &elem->aux->poke_tab[i];\n [...]\n\nThe access to size_poke_tab is a 4 byte read, verified by checking offsets\nin the KASAN dump:\n\n [ 402.825004] The buggy address belongs to the object at ffff8881905a7800\n which belongs to the cache kmalloc-1k of size 1024\n [ 402.825008] The buggy address is located 320 bytes inside of\n 1024-byte region [ffff8881905a7800, ffff8881905a7c00)\n\nThe pahole output of bpf_prog_aux:\n\n struct bpf_prog_aux {\n [...]\n /* --- cacheline 5 boundary (320 bytes) --- */\n u32 size_poke_tab; /* 320 4 */\n [...]\n\nIn general, subprograms do not necessarily manage their own data structures.\nFor example, BTF func_info and linfo are just pointers to the main program\nstructure. This allows reference counting and cleanup to be done on the latter\nwhich simplifies their management a bit. The aux->poke_tab struct, however,\ndid not follow this logic. The initial proposed fix for this use-after-free\nbug further embedded poke data tracking into the subprogram with proper\nreference counting. However, Daniel and Alexei questioned why we were treating\nthese objects special; I agree, its unnecessary. The fix here removes the per\nsubprogram poke table allocation and map tracking and instead simply points\nthe aux->poke_tab pointer at the main programs poke table. This way, map\ntracking is simplified to the main program and we do not need to manage them\nper subprogram.\n\nThis also means, bpf_prog_free_deferred(), which unwinds the program reference\ncounting and kfrees objects, needs to ensure that we don't try to double free\nthe poke_tab when free'ing the subprog structures. This is easily solved by\nNULL'ing the poke_tab pointer. The second detail is to ensure that per\nsubprogram JIT logic only does fixups on poke_tab[] entries it owns. To do\nthis, we add a pointer in the poke structure to point at the subprogram value\nso JITs can easily check while walking the poke_tab structure if the current\nentry belongs to the current program. The aux pointer is stable and therefore\nsuitable for such comparison. On the jit_subprogs() error path, we omit\ncleaning up the poke->aux field because these are only ever referenced from\nthe JIT side, but on error we will never make it to the JIT, so its fine to\nleave them dangling. Removing these pointers would complicate the error path\nfor no reason. However, we do need to untrack all poke descriptors from the\nmain program as otherwise they could race with the freeing of JIT memory from\nthe subprograms. Lastly, a748c6975dea3 (\"bpf: propagate poke des\n---truncated---"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/599148d40366bd5d1d504a3a8fcd65e21107e500",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a9f36bf3613c65cb587c70fac655c775d911409b",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/f263a81451c12da5a342d90572e317e611846f2c",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

28
CVE-2021/CVE-2021-473xx/CVE-2021-47304.json Normal file
View File

@ -0,0 +1,28 @@
{
"id": "CVE-2021-47304",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:18.110",
"lastModified": "2024-05-21T15:15:18.110",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: fix tcp_init_transfer() to not reset icsk_ca_initialized\n\nThis commit fixes a bug (found by syzkaller) that could cause spurious\ndouble-initializations for congestion control modules, which could cause\nmemory leaks or other problems for congestion control modules (like CDG)\nthat allocate memory in their init functions.\n\nThe buggy scenario constructed by syzkaller was something like:\n\n(1) create a TCP socket\n(2) initiate a TFO connect via sendto()\n(3) while socket is in TCP_SYN_SENT, call setsockopt(TCP_CONGESTION),\n which calls:\n tcp_set_congestion_control() ->\n tcp_reinit_congestion_control() ->\n tcp_init_congestion_control()\n(4) receive ACK, connection is established, call tcp_init_transfer(),\n set icsk_ca_initialized=0 (without first calling cc->release()),\n call tcp_init_congestion_control() again.\n\nNote that in this sequence tcp_init_congestion_control() is called\ntwice without a cc->release() call in between. Thus, for CC modules\nthat allocate memory in their init() function, e.g, CDG, a memory leak\nmay occur. The syzkaller tool managed to find a reproducer that\ntriggered such a leak in CDG.\n\nThe bug was introduced when that commit 8919a9b31eb4 (\"tcp: Only init\ncongestion control if not initialized already\")\nintroduced icsk_ca_initialized and set icsk_ca_initialized to 0 in\ntcp_init_transfer(), missing the possibility for a sequence like the\none above, where a process could call setsockopt(TCP_CONGESTION) in\nstate TCP_SYN_SENT (i.e. after the connect() or TFO open sendmsg()),\nwhich would call tcp_init_congestion_control(). It did not intend to\nreset any initialization that the user had already explicitly made;\nit just missed the possibility of that particular sequence (which\nsyzkaller managed to find)."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/ad4ba3404931745a5977ad12db4f0c34080e52f7",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/be5d1b61a2ad28c7e57fe8bfa277373e8ecffcdc",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/fe77b85828ca9ddc42977b79de9e40d18545b4fe",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

40
CVE-2021/CVE-2021-473xx/CVE-2021-47305.json Normal file
View File

@ -0,0 +1,40 @@
{
"id": "CVE-2021-47305",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:18.177",
"lastModified": "2024-05-21T15:15:18.177",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma-buf/sync_file: Don't leak fences on merge failure\n\nEach add_fence() call does a dma_fence_get() on the relevant fence. In\nthe error path, we weren't calling dma_fence_put() so all those fences\ngot leaked. Also, in the krealloc_array failure case, we weren't\nfreeing the fences array. Instead, ensure that i and fences are always\nzero-initialized and dma_fence_put() all the fences and kfree(fences) on\nevery error path."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/0d514185ae792d3a1903c8e1a83899aa996705ce",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/19edcd97727aae9362444a859a24d99a8730cb27",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/19f51c2529339280d2c8c6427cd3e21ddf1ac3f8",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/41f45e91c92c8480242ea448d54e28c753b13902",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/e0355a0ad31a1d677b2a4514206de4902bd550e8",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/ffe000217c5068c5da07ccb1c0f8cce7ad767435",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

32
CVE-2021/CVE-2021-473xx/CVE-2021-47306.json Normal file
View File

@ -0,0 +1,32 @@
{
"id": "CVE-2021-47306",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:18.250",
"lastModified": "2024-05-21T15:15:18.250",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fddi: fix UAF in fza_probe\n\nfp is netdev private data and it cannot be\nused after free_netdev() call. Using fp after free_netdev()\ncan cause UAF bug. Fix it by moving free_netdev() after error message.\n\nTURBOchannel adapter\")"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/04b06716838bfc26742dbed3ae1d3697fe5317ee",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/bdfbb51f7a437ae8ea91317a5c133ec13adf3c47",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/deb7178eb940e2c5caca1b1db084a69b2e59b4c9",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/f33605908a9b6063525e9f68e62d739948c5fccf",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

32
CVE-2021/CVE-2021-473xx/CVE-2021-47307.json Normal file
View File

@ -0,0 +1,32 @@
{
"id": "CVE-2021-47307",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:18.320",
"lastModified": "2024-05-21T15:15:18.320",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: prevent NULL deref in cifs_compose_mount_options()\n\nThe optional @ref parameter might contain an NULL node_name, so\nprevent dereferencing it in cifs_compose_mount_options().\n\nAddresses-Coverity: 1476408 (\"Explicit null dereferenced\")"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/03313d1c3a2f086bb60920607ab79ac8f8578306",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/ae3d181f4e912f51af7776ea165f199b16fc165d",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/e58c162789becede894d3e94c0ce6695a2ef5796",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/f7d1fa65e74263d11f90ddd33b4d4cd905a93759",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

40
CVE-2021/CVE-2021-473xx/CVE-2021-47308.json Normal file
View File

@ -0,0 +1,40 @@
{
"id": "CVE-2021-47308",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:18.383",
"lastModified": "2024-05-21T15:15:18.383",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: libfc: Fix array index out of bound exception\n\nFix array index out of bound exception in fc_rport_prli_resp()."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/0fe70c15f9435bb3c50954778245d62ee38b0e03",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/44651522941c623e20882b3b443f23f77de1ea8b",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/4921b1618045ffab71b1050bf0014df3313a2289",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/8511293e643a18b248510ae5734e4f360754348c",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a4a54c54af2516caa9c145015844543cfc84316a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/b27c4577557045f1ab3cdfeabfc7f3cd24aca1fe",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

48
CVE-2021/CVE-2021-473xx/CVE-2021-47309.json Normal file
View File

@ -0,0 +1,48 @@
{
"id": "CVE-2021-47309",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:18.453",
"lastModified": "2024-05-21T15:15:18.453",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: validate lwtstate->data before returning from skb_tunnel_info()\n\nskb_tunnel_info() returns pointer of lwtstate->data as ip_tunnel_info\ntype without validation. lwtstate->data can have various types such as\nmpls_iptunnel_encap, etc and these are not compatible.\nSo skb_tunnel_info() should validate before returning that pointer.\n\nSplat looks like:\nBUG: KASAN: slab-out-of-bounds in vxlan_get_route+0x418/0x4b0 [vxlan]\nRead of size 2 at addr ffff888106ec2698 by task ping/811\n\nCPU: 1 PID: 811 Comm: ping Not tainted 5.13.0+ #1195\nCall Trace:\n dump_stack_lvl+0x56/0x7b\n print_address_description.constprop.8.cold.13+0x13/0x2ee\n ? vxlan_get_route+0x418/0x4b0 [vxlan]\n ? vxlan_get_route+0x418/0x4b0 [vxlan]\n kasan_report.cold.14+0x83/0xdf\n ? vxlan_get_route+0x418/0x4b0 [vxlan]\n vxlan_get_route+0x418/0x4b0 [vxlan]\n [ ... ]\n vxlan_xmit_one+0x148b/0x32b0 [vxlan]\n [ ... ]\n vxlan_xmit+0x25c5/0x4780 [vxlan]\n [ ... ]\n dev_hard_start_xmit+0x1ae/0x6e0\n __dev_queue_xmit+0x1f39/0x31a0\n [ ... ]\n neigh_xmit+0x2f9/0x940\n mpls_xmit+0x911/0x1600 [mpls_iptunnel]\n lwtunnel_xmit+0x18f/0x450\n ip_finish_output2+0x867/0x2040\n [ ... ]"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/2179d96ec702cc33ead02a9ce40ece599b8538c5",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/67a9c94317402b826fc3db32afc8f39336803d97",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/83bdcfbd968bcc91a0632b7b625e4a9b0cba5e0d",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/8aa13a86964cdec4fd969ef677c6614ff068641a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/8bb1589c89e61e3b182dd546f1021928ebb5c2a6",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a915379594f1e045421635c6316d8f3ffa018c58",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/b61d327cd3cc5ea591f3bf751dd11e034f388bb5",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/e7f3c9df40515a6c6b46f36c4c94cf48a043f887",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

48
CVE-2021/CVE-2021-473xx/CVE-2021-47310.json Normal file
View File

@ -0,0 +1,48 @@
{
"id": "CVE-2021-47310",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:18.520",
"lastModified": "2024-05-21T15:15:18.520",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ti: fix UAF in tlan_remove_one\n\npriv is netdev private data and it cannot be\nused after free_netdev() call. Using priv after free_netdev()\ncan cause UAF bug. Fix it by moving free_netdev() at the end of the\nfunction."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/0336f8ffece62f882ab3012820965a786a983f70",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/0538b0ab7d2c396e385694228c7cdcd2d2c514e9",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/93efab0ef2a607fff9166d447c4035f98b5db342",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a0a817b2d308fac090a05cbbe80988e073ac5193",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a18a8d9cfbb112ad72e625372849adc3986fd6bf",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/b7e5563f2a7862a9e4796abb9908b092f677e3c1",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/c263ae8c7e4c482387de5e6c89e213f8173fe8b6",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/f2a062fcfe1d6f1b0a86fa76ae21c277d65f4405",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

44
CVE-2021/CVE-2021-473xx/CVE-2021-47311.json Normal file
View File

@ -0,0 +1,44 @@
{
"id": "CVE-2021-47311",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:18.590",
"lastModified": "2024-05-21T15:15:18.590",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: qcom/emac: fix UAF in emac_remove\n\nadpt is netdev private data and it cannot be\nused after free_netdev() call. Using adpt after free_netdev()\ncan cause UAF bug. Fix it by moving free_netdev() at the end of the\nfunction."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/11e9d163d631198bb3eb41a677a61b499516c0f7",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/2b70ca92847c619d6264c7372ef74fcbfd1e048c",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/4d04a42b926e682140776e54188f4a44f1f01a81",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/8a225a6e07a57a1538d53637cb3d82bd3e477839",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/ad297cd2db8953e2202970e9504cab247b6c7cb4",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/b1e091331920f8fbfc747dcbd16263fcd71abb2d",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/b560521eca03d0a2db6093a5a632cbdd0a0cf833",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

24
CVE-2021/CVE-2021-473xx/CVE-2021-47312.json Normal file
View File

@ -0,0 +1,24 @@
{
"id": "CVE-2021-47312",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:18.660",
"lastModified": "2024-05-21T15:15:18.660",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: Fix dereference of null pointer flow\n\nIn the case where chain->flags & NFT_CHAIN_HW_OFFLOAD is false then\nnft_flow_rule_create is not called and flow is NULL. The subsequent\nerror handling execution via label err_destroy_flow_rule will lead\nto a null pointer dereference on flow when calling nft_flow_rule_destroy.\nSince the error path to err_destroy_flow_rule has to cater for null\nand non-null flows, only call nft_flow_rule_destroy if flow is non-null\nto fix this issue.\n\nAddresses-Coverity: (\"Explicity null dereference\")"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/4ca041f919f13783b0b03894783deee00dbca19a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/70a5a1950cca02c5cd161bb3846b4d983eed97d3",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

28
CVE-2021/CVE-2021-473xx/CVE-2021-47313.json Normal file
View File

@ -0,0 +1,28 @@
{
"id": "CVE-2021-47313",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:18.727",
"lastModified": "2024-05-21T15:15:18.727",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: CPPC: Fix potential memleak in cppc_cpufreq_cpu_init\n\nIt's a classic example of memleak, we allocate something, we fail and\nnever free the resources.\n\nMake sure we free all resources on policy ->init() failures."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/b775383355755885b19d2acef977f1ca132e80a3",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/e1b2b2b61d30d7ce057ec17237c217d152ed97f2",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/fe2535a44904a77615a3af8e8fd7dafb98fb0e1b",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

52
CVE-2021/CVE-2021-473xx/CVE-2021-47314.json Normal file
View File

@ -0,0 +1,52 @@
{
"id": "CVE-2021-47314",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-05-21T15:15:18.790",
"lastModified": "2024-05-21T15:15:18.790",
"vulnStatus": "Received",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmemory: fsl_ifc: fix leak of private memory on probe failure\n\nOn probe error the driver should free the memory allocated for private\nstructure. Fix this by using resource-managed allocation."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/3b45b8a7d549bd92ec94b5357c2c2c1a7ed107e4",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/443f6ca6fd186b4fa4e6f377b6e19a91feb1a0d5",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/48ee69825f7480622ed447b0249123236d3b3ad0",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/7626ffbea708e5aba6912295c012d2b409a1769f",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/8018476756066e97ecb886c3dc024aeb7d5792ad",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/8e0d09b1232d0538066c40ed4c13086faccbdff6",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a6b45b4932f7b0c36b41fb56a35ad679ece939a0",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/b5789e23773f4a852fbfe244b63f675e265d3a7f",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/ee1aa737ba0b75ab8af3444c4ae5bdba36aed6e6",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

Some files were not shown because too many files have changed in this diff Show More