admin/nvd-json-data-feeds
1
0
Fork 0
mirror of https://github.com/fkie-cad/nvd-json-data-feeds.git synced 2025-05-07 11:07:05 +00:00
Code Issues Packages Projects Releases Wiki Activity

Auto-Update: 2024-07-29T16:00:18.237348+00:00

Browse Source
This commit is contained in:
cad-safe-bot 2024-07-29 16:03:14 +00:00
parent 9b5680b0fe
commit 4d727f9004
232 changed files with 3896 additions and 499 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
CVE-2023/CVE-2023-507xx/CVE-2023-50700.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2023-50700",
"sourceIdentifier": "cve@mitre.org",
"published": "2024-07-26T17:15:10.803",
"lastModified": "2024-07-26T17:15:10.803",
"vulnStatus": "Received",
"lastModified": "2024-07-29T14:12:08.783",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Insecure Permissions vulnerability in Deepin dde-file-manager 6.0.54 and earlier allows privileged operations to be called by unprivileged users via the D-Bus method."
},
{
"lang": "es",
"value": " La vulnerabilidad de permisos inseguros en Deepin dde-file-manager 6.0.54 y versiones anteriores permite que usuarios sin privilegios llamen a operaciones privilegiadas a trav\u00e9s del m\u00e9todo D-Bus."
}
],
"metrics": {},

8
CVE-2024/CVE-2024-17xx/CVE-2024-1798.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2024-1798",
"sourceIdentifier": "security@wordfence.com",
"published": "2024-07-27T02:15:09.800",
"lastModified": "2024-07-27T02:15:09.800",
"vulnStatus": "Received",
"lastModified": "2024-07-29T14:12:08.783",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Tutor LMS \u2013 Migration Tool plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the tutor_lp_export_xml function in all versions up to, and including, 2.2.0. This makes it possible for unauthenticated attackers to export courses, including private and password protected courses."
},
{
"lang": "es",
"value": "El complemento Tutor LMS \u2013 Migration Tool para WordPress es vulnerable al acceso no autorizado a los datos debido a una falta de verificaci\u00f3n de capacidad en la funci\u00f3n tutor_lp_export_xml en todas las versiones hasta la 2.2.0 incluida. Esto hace posible que atacantes no autenticados exporten cursos, incluidos cursos privados y protegidos con contrase\u00f1a."
}
],
"metrics": {

8
CVE-2024/CVE-2024-18xx/CVE-2024-1804.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2024-1804",
"sourceIdentifier": "security@wordfence.com",
"published": "2024-07-27T02:15:10.060",
"lastModified": "2024-07-27T02:15:10.060",
"vulnStatus": "Received",
"lastModified": "2024-07-29T14:12:08.783",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Tutor LMS \u2013 Migration Tool plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tutor_import_from_xml function in all versions up to, and including, 2.2.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to import courses."
},
{
"lang": "es",
"value": " El complemento Tutor LMS \u2013 Migration Tool para WordPress es vulnerable a modificaciones no autorizadas de datos debido a una falta de verificaci\u00f3n de capacidad en la funci\u00f3n tutor_import_from_xml en todas las versiones hasta la 2.2.0 incluida. Esto hace posible que atacantes autenticados, con acceso de nivel de suscriptor y superior, importen cursos."
}
],
"metrics": {

8
CVE-2024/CVE-2024-242xx/CVE-2024-24257.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2024-24257",
"sourceIdentifier": "cve@mitre.org",
"published": "2024-07-26T17:15:11.173",
"lastModified": "2024-07-26T17:15:11.173",
"vulnStatus": "Received",
"lastModified": "2024-07-29T14:12:08.783",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue in skteco.com Central Control Attendance Machine web management platform v.3.0 allows an attacker to obtain sensitive information via a crafted script to the csl/user component."
},
{
"lang": "es",
"value": "Un problema en Central Control Attendance Machine web management platform v.3.0 de skteco.com permite a un atacante obtener informaci\u00f3n confidencial a trav\u00e9s de un script manipulado para el componente csl/user."
}
],
"metrics": {},

8
CVE-2024/CVE-2024-265xx/CVE-2024-26520.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2024-26520",
"sourceIdentifier": "cve@mitre.org",
"published": "2024-07-26T17:15:11.507",
"lastModified": "2024-07-26T17:15:11.507",
"vulnStatus": "Received",
"lastModified": "2024-07-29T14:12:08.783",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue in Hangzhou Xiongwei Technology Development Co., Ltd. Restaurant Digital Comprehensive Management platform v1 allows an attacker to bypass authentication and perform arbitrary password resets."
},
{
"lang": "es",
"value": " Un problema en Hangzhou Xiongwei Technology Development Co., Ltd. Restaurant Digital Comprehensive Management platform v1 permite a un atacante omitir la autenticaci\u00f3n y realizar restablecimientos de contrase\u00f1a arbitrarios."
}
],
"metrics": {},

8
CVE-2024/CVE-2024-273xx/CVE-2024-27357.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2024-27357",
"sourceIdentifier": "cve@mitre.org",
"published": "2024-07-26T17:15:11.580",
"lastModified": "2024-07-26T17:15:11.580",
"vulnStatus": "Received",
"lastModified": "2024-07-29T14:12:08.783",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in WithSecure Elements Agent through 23.x for macOS, WithSecure Elements Client Security through 23.x for macOS, and WithSecure MDR through 23.x for macOS. Local Privilege Escalation can occur during installations or updates by admins."
},
{
"lang": "es",
"value": " Se descubri\u00f3 un problema en WithSecure Elements Agent hasta 23.x para macOS, WithSecure Elements Client Security hasta 23.x para macOS y WithSecure MDR hasta 23.x para macOS. La escalada de privilegios locales puede ocurrir durante las instalaciones o actualizaciones por parte de los administradores."
}
],
"metrics": {},

8
CVE-2024/CVE-2024-273xx/CVE-2024-27358.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2024-27358",
"sourceIdentifier": "cve@mitre.org",
"published": "2024-07-26T17:15:11.650",
"lastModified": "2024-07-26T17:15:11.650",
"vulnStatus": "Received",
"lastModified": "2024-07-29T14:12:08.783",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in WithSecure Elements Agent through 23.x for macOS and WithSecure Elements Client Security through 23.x for macOS. Local users can block an admin from completing an installation, aka a Denial-of-Service (DoS)."
},
{
"lang": "es",
"value": " Se descubri\u00f3 un problema en WithSecure Elements Agent hasta 23.x para macOS y WithSecure Elements Client Security hasta 23.x para macOS. Los usuarios locales pueden impedir que un administrador complete una instalaci\u00f3n, tambi\u00e9n conocido como Denegaci\u00f3n de servicio (DoS)."
}
],
"metrics": {},

8
CVE-2024/CVE-2024-326xx/CVE-2024-32671.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2024-32671",
"sourceIdentifier": "PSIRT@samsung.com",
"published": "2024-07-29T03:15:02.017",
"lastModified": "2024-07-29T03:15:02.017",
"vulnStatus": "Received",
"lastModified": "2024-07-29T14:12:08.783",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Heap-based Buffer Overflow vulnerability in Samsung Open Source Escargot JavaScript engine allows Overflow Buffers.This issue affects Escargot: 4.0.0."
},
{
"lang": "es",
"value": " La vulnerabilidad de desbordamiento de b\u00fafer de almacenamiento din\u00e1mico en el motor JavaScript Escargot de c\u00f3digo abierto de Samsung permite desbordamiento de b\u00fafer. Este problema afecta a Escargot: 4.0.0."
}
],
"metrics": {

2
CVE-2024/CVE-2024-339xx/CVE-2024-33901.json
View File

@ -2,7 +2,7 @@
"id": "CVE-2024-33901",
"sourceIdentifier": "cve@mitre.org",
"published": "2024-05-20T21:15:09.243",
"lastModified": "2024-05-21T17:15:09.143",
"lastModified": "2024-07-29T15:15:10.533",
"vulnStatus": "Awaiting Analysis",
"cveTags": [
{

8
CVE-2024/CVE-2024-370xx/CVE-2024-37034.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2024-37034",
"sourceIdentifier": "cve@mitre.org",
"published": "2024-07-26T22:15:03.853",
"lastModified": "2024-07-26T22:15:03.853",
"vulnStatus": "Received",
"lastModified": "2024-07-29T14:12:08.783",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Couchbase Server before 7.2.5 and 7.6.0 before 7.6.1. It does not ensure that credentials are negotiated with the Key-Value (KV) service using SCRAM-SHA when remote link encryption is configured for Half-Secure."
},
{
"lang": "es",
"value": " Se descubri\u00f3 un problema en Couchbase Server anterior a 7.2.5 y 7.6.0 anterior a 7.6.1. No garantiza que las credenciales se negocien con el servicio Key-Value (KV) mediante SCRAM-SHA cuando el cifrado de enlace remoto est\u00e1 configurado para Half-Secure."
}
],
"metrics": {},

8
CVE-2024/CVE-2024-373xx/CVE-2024-37381.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2024-37381",
"sourceIdentifier": "support@hackerone.com",
"published": "2024-07-29T06:15:01.827",
"lastModified": "2024-07-29T06:15:01.827",
"vulnStatus": "Received",
"lastModified": "2024-07-29T14:12:08.783",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2024 flat allows an authenticated attacker within the same network to execute arbitrary code."
},
{
"lang": "es",
"value": " Una vulnerabilidad de inyecci\u00f3n SQL no especificada en el servidor central de Ivanti EPM 2024 permite que un atacante autenticado dentro de la misma red ejecute c\u00f3digo arbitrario."
}
],
"metrics": {

60
CVE-2024/CVE-2024-379xx/CVE-2024-37906.json Normal file
View File

@ -0,0 +1,60 @@
{
"id": "CVE-2024-37906",
"sourceIdentifier": "security-advisories@github.com",
"published": "2024-07-29T15:15:10.747",
"lastModified": "2024-07-29T15:15:10.747",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Admidio is a free, open source user management system for websites of organizations and groups. In Admidio before version 4.3.9, there is an SQL Injection in the `/adm_program/modules/ecards/ecard_send.php` source file of the Admidio Application. The SQL Injection results in a compromise of the application's database. The value of `ecard_recipients `POST parameter is being directly concatenated with the SQL query in the source code causing the SQL Injection. The SQL Injection can be exploited by a member user, using blind condition-based, time-based, and Out of band interaction SQL Injection payloads. This vulnerability is fixed in 4.3.9."
}
],
"metrics": {
"cvssMetricV31": [
{
"source": "security-advisories@github.com",
"type": "Secondary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "LOW",
"userInteraction": "NONE",
"scope": "CHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL"
},
"exploitabilityScore": 3.1,
"impactScore": 6.0
}
]
},
"weaknesses": [
{
"source": "security-advisories@github.com",
"type": "Secondary",
"description": [
{
"lang": "en",
"value": "CWE-89"
}
]
}
],
"references": [
{
"url": "https://github.com/Admidio/admidio/commit/3ff02b0c64a6911ab3e81cd61077f392c0b25248",
"source": "security-advisories@github.com"
},
{
"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-69wx-xc6j-28v3",
"source": "security-advisories@github.com"
}
]
}

8
CVE-2024/CVE-2024-385xx/CVE-2024-38508.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2024-38508",
"sourceIdentifier": "psirt@lenovo.com",
"published": "2024-07-26T20:15:03.597",
"lastModified": "2024-07-26T20:15:03.597",
"vulnStatus": "Received",
"lastModified": "2024-07-29T14:12:08.783",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A privilege escalation vulnerability was discovered in the web interface or SSH captive command shell interface of XCC that could allow an authenticated XCC user with elevated privileges to perform command injection via a specially crafted request."
},
{
"lang": "es",
"value": " Se descubri\u00f3 una vulnerabilidad de escalada de privilegios en la interfaz web o en la interfaz de shell de comandos cautivos SSH de XCC que podr\u00eda permitir a un usuario de XCC autenticado con privilegios elevados realizar la inyecci\u00f3n de comandos a trav\u00e9s de una solicitud especialmente manipulada."
}
],
"metrics": {

8
CVE-2024/CVE-2024-385xx/CVE-2024-38509.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2024-38509",
"sourceIdentifier": "psirt@lenovo.com",
"published": "2024-07-26T20:15:03.830",
"lastModified": "2024-07-26T20:15:03.830",
"vulnStatus": "Received",
"lastModified": "2024-07-29T14:12:08.783",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A privilege escalation vulnerability was discovered in XCC that could allow an authenticated XCC user with elevated privileges to execute arbitrary code via a specially crafted IPMI command."
},
{
"lang": "es",
"value": "Se descubri\u00f3 una vulnerabilidad de escalada de privilegios en XCC que podr\u00eda permitir a un usuario de XCC autenticado con privilegios elevados ejecutar c\u00f3digo arbitrario a trav\u00e9s de un comando IPMI especialmente manipulado."
}
],
"metrics": {

8
CVE-2024/CVE-2024-385xx/CVE-2024-38510.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2024-38510",
"sourceIdentifier": "psirt@lenovo.com",
"published": "2024-07-26T20:15:04.053",
"lastModified": "2024-07-26T20:15:04.053",
"vulnStatus": "Received",
"lastModified": "2024-07-29T14:12:08.783",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A privilege escalation vulnerability was discovered in the SSH captive command shell interface that could allow an authenticated XCC user with elevated privileges to perform command injection via specially crafted file uploads."
},
{
"lang": "es",
"value": " Se descubri\u00f3 una vulnerabilidad de escalada de privilegios en la interfaz del shell de comandos cautivos SSH que podr\u00eda permitir a un usuario XCC autenticado con privilegios elevados realizar la inyecci\u00f3n de comandos mediante cargas de archivos especialmente manipuladas."
}
],
"metrics": {

8
CVE-2024/CVE-2024-385xx/CVE-2024-38511.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2024-38511",
"sourceIdentifier": "psirt@lenovo.com",
"published": "2024-07-26T20:15:04.263",
"lastModified": "2024-07-26T20:15:04.263",
"vulnStatus": "Received",
"lastModified": "2024-07-29T14:12:08.783",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A privilege escalation vulnerability was discovered in an upload processing functionality of XCC that could allow an authenticated XCC user with elevated privileges to perform command injection via specially crafted file uploads."
},
{
"lang": "es",
"value": " Se descubri\u00f3 una vulnerabilidad de escalada de privilegios en una funcionalidad de procesamiento de carga de XCC que podr\u00eda permitir a un usuario de XCC autenticado con privilegios elevados realizar inyecci\u00f3n de comandos mediante cargas de archivos especialmente manipuladas."
}
],
"metrics": {

8
CVE-2024/CVE-2024-385xx/CVE-2024-38512.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2024-38512",
"sourceIdentifier": "psirt@lenovo.com",
"published": "2024-07-26T20:15:04.470",
"lastModified": "2024-07-26T20:15:04.470",
"vulnStatus": "Received",
"lastModified": "2024-07-29T14:12:08.783",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A privilege escalation vulnerability was discovered in XCC that could allow an authenticated XCC user with elevated privileges to perform command injection via specially crafted IPMI commands."
},
{
"lang": "es",
"value": " Se descubri\u00f3 una vulnerabilidad de escalada de privilegios en XCC que podr\u00eda permitir a un usuario de XCC autenticado con privilegios elevados realizar inyecci\u00f3n de comandos a trav\u00e9s de comandos IPMI especialmente manipulados."
}
],
"metrics": {

60
CVE-2024/CVE-2024-385xx/CVE-2024-38529.json Normal file
View File

@ -0,0 +1,60 @@
{
"id": "CVE-2024-38529",
"sourceIdentifier": "security-advisories@github.com",
"published": "2024-07-29T15:15:10.990",
"lastModified": "2024-07-29T15:15:10.990",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Admidio is a free, open source user management system for websites of organizations and groups. In Admidio before version 4.3.10, there is a Remote Code Execution Vulnerability in the Message module of the Admidio Application, where it is possible to upload a PHP file in the attachment. The uploaded file can be accessed publicly through the URL `{admidio_base_url}/adm_my_files/messages_attachments/{file_name}`. The vulnerability is caused due to the lack of file extension verification, allowing malicious files to be uploaded to the server and public availability of the uploaded file. This vulnerability is fixed in 4.3.10."
}
],
"metrics": {
"cvssMetricV31": [
{
"source": "security-advisories@github.com",
"type": "Secondary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "LOW",
"userInteraction": "REQUIRED",
"scope": "CHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH",
"baseScore": 9.0,
"baseSeverity": "CRITICAL"
},
"exploitabilityScore": 2.3,
"impactScore": 6.0
}
]
},
"weaknesses": [
{
"source": "security-advisories@github.com",
"type": "Secondary",
"description": [
{
"lang": "en",
"value": "CWE-434"
}
]
}
],
"references": [
{
"url": "https://github.com/Admidio/admidio/commit/3b1cc1cda05747edebe15f2825b79bc5a673d94c",
"source": "security-advisories@github.com"
},
{
"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-g872-jwwr-vggm",
"source": "security-advisories@github.com"
}
]
}

8
CVE-2024/CVE-2024-388xx/CVE-2024-38871.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2024-38871",
"sourceIdentifier": "0fc0942c-577d-436f-ae8e-945763c79b02",
"published": "2024-07-26T18:15:03.137",
"lastModified": "2024-07-26T18:15:03.137",
"vulnStatus": "Received",
"lastModified": "2024-07-29T14:12:08.783",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Zohocorp ManageEngine Exchange Reporter Plus versions 5717 and below are vulnerable to the authenticated SQL injection in the reports module."
},
{
"lang": "es",
"value": " Zohocorp ManageEngine Exchange Reporter Plus versiones 5717 e inferiores son vulnerables a la inyecci\u00f3n de SQL autenticado en el m\u00f3dulo reports."
}
],
"metrics": {

8
CVE-2024/CVE-2024-388xx/CVE-2024-38872.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2024-38872",
"sourceIdentifier": "0fc0942c-577d-436f-ae8e-945763c79b02",
"published": "2024-07-26T18:15:03.350",
"lastModified": "2024-07-26T18:15:03.350",
"vulnStatus": "Received",
"lastModified": "2024-07-29T14:12:08.783",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Zohocorp ManageEngine Exchange Reporter Plus versions 5717 and below are vulnerable to the authenticated SQL injection in the monitoring module."
},
{
"lang": "es",
"value": " Zohocorp ManageEngine Exchange Reporter Plus versiones 5717 e inferiores son vulnerables a la inyecci\u00f3n de SQL autenticado en el m\u00f3dulo de monitoreo."
}
],
"metrics": {

8
CVE-2024/CVE-2024-393xx/CVE-2024-39304.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2024-39304",
"sourceIdentifier": "security-advisories@github.com",
"published": "2024-07-26T18:15:03.557",
"lastModified": "2024-07-26T18:15:03.557",
"vulnStatus": "Received",
"lastModified": "2024-07-29T14:12:08.783",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "ChurchCRM is an open-source church management system. Versions of the application prior to 5.9.2 are vulnerable to an authenticated SQL injection due to an improper sanitization of user input. Authentication is required, but no elevated privileges are necessary. This allows attackers to inject SQL statements directly into the database query due to inadequate sanitization of the EID parameter in in a GET request to `/GetText.php`. Version 5.9.2 patches the issue."
},
{
"lang": "es",
"value": "ChurchCRM es un sistema de gesti\u00f3n de iglesias de c\u00f3digo abierto. Las versiones de la aplicaci\u00f3n anteriores a la 5.9.2 son vulnerables a una inyecci\u00f3n SQL autenticada debido a una sanitizaci\u00f3n inadecuada de la entrada del usuario. Se requiere autenticaci\u00f3n, pero no se necesitan privilegios elevados. Esto permite a los atacantes inyectar declaraciones SQL directamente en la consulta de la base de datos debido a una sanitizaci\u00f3n inadecuada del par\u00e1metro EID en una solicitud GET a `/GetText.php`. La versi\u00f3n 5.9.2 soluciona el problema."
}
],
"metrics": {

8
CVE-2024/CVE-2024-401xx/CVE-2024-40116.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2024-40116",
"sourceIdentifier": "cve@mitre.org",
"published": "2024-07-26T20:15:04.980",
"lastModified": "2024-07-26T20:15:04.980",
"vulnStatus": "Received",
"lastModified": "2024-07-29T14:12:08.783",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue in Solar-Log 1000 before v2.8.2 and build 52-23.04.2013 was discovered to store plaintext passwords in the export.html, email.html, and sms.html files."
},
{
"lang": "es",
"value": "Se descubri\u00f3 un problema en Solar-Log 1000 anterior a v2.8.2 y compilaci\u00f3n 52-23.04.2013 al almacenar contrase\u00f1as en texto plano en los archivos export.html, email.html y sms.html."
}
],
"metrics": {},

8
CVE-2024/CVE-2024-401xx/CVE-2024-40117.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2024-40117",
"sourceIdentifier": "cve@mitre.org",
"published": "2024-07-26T20:15:05.033",
"lastModified": "2024-07-26T20:15:05.033",
"vulnStatus": "Received",
"lastModified": "2024-07-29T14:12:08.783",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Incorrect access control in Solar-Log 1000 before v2.8.2 and build 52- 23.04.2013 allows attackers to obtain Administrative privileges via connecting to the web administration server."
},
{
"lang": "es",
"value": " El control de acceso incorrecto en Solar-Log 1000 anterior a v2.8.2 y compilaci\u00f3n 52-23.04.2013 permite a los atacantes obtener privilegios administrativos mediante la conexi\u00f3n al servidor de administraci\u00f3n web."
}
],
"metrics": {},

8
CVE-2024/CVE-2024-404xx/CVE-2024-40433.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2024-40433",
"sourceIdentifier": "cve@mitre.org",
"published": "2024-07-26T22:15:03.943",
"lastModified": "2024-07-26T22:15:03.943",
"vulnStatus": "Received",
"lastModified": "2024-07-29T14:12:08.783",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Insecure Permissions vulnerability in Tencent wechat v.8.0.37 allows an attacker to escalate privileges via the web-view component."
},
{
"lang": "es",
"value": " La vulnerabilidad de permisos inseguros en Tencent wechat v.8.0.37 permite a un atacante escalar privilegios a trav\u00e9s del componente de vista web."
}
],
"metrics": {},

25
CVE-2024/CVE-2024-405xx/CVE-2024-40576.json Normal file
View File

@ -0,0 +1,25 @@
{
"id": "CVE-2024-40576",
"sourceIdentifier": "cve@mitre.org",
"published": "2024-07-29T14:15:03.677",
"lastModified": "2024-07-29T14:15:03.677",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross Site Scripting vulnerability in Best House Rental Management System 1.0 allows a remote attacker to execute arbitrary code via the \"House No\" and \"Description\" parameters in the houses page at the index.php component."
}
],
"metrics": {},
"references": [
{
"url": "https://github.com/jubilianite/CVEs/blob/main/CVE-2024-40576.md",
"source": "cve@mitre.org"
},
{
"url": "https://www.sourcecodester.com/php/17375/best-courier-management-system-project-php.html",
"source": "cve@mitre.org"
}
]
}

8
CVE-2024/CVE-2024-406xx/CVE-2024-40689.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2024-40689",
"sourceIdentifier": "psirt@us.ibm.com",
"published": "2024-07-26T14:15:02.863",
"lastModified": "2024-07-26T14:15:02.863",
"vulnStatus": "Received",
"lastModified": "2024-07-29T14:12:08.783",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "IBM InfoSphere Information Server 11.7 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or delete information in the back-end database. IBM X-Force ID: 297719."
},
{
"lang": "es",
"value": "IBM InfoSphere Information Server 11.7 es vulnerable a la inyecci\u00f3n SQL. Un atacante remoto podr\u00eda enviar declaraciones SQL especialmente manipuladas, que podr\u00edan permitirle ver, agregar, modificar o eliminar informaci\u00f3n en la base de datos back-end. ID de IBM X-Force: 297719."
}
],
"metrics": {

8
CVE-2024/CVE-2024-410xx/CVE-2024-41013.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2024-41013",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T07:15:05.430",
"lastModified": "2024-07-29T07:15:05.430",
"vulnStatus": "Received",
"lastModified": "2024-07-29T14:12:08.783",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: don't walk off the end of a directory data block\n\nThis adds sanity checks for xfs_dir2_data_unused and xfs_dir2_data_entry\nto make sure don't stray beyond valid memory region. Before patching, the\nloop simply checks that the start offset of the dup and dep is within the\nrange. So in a crafted image, if last entry is xfs_dir2_data_unused, we\ncan change dup->length to dup->length-1 and leave 1 byte of space. In the\nnext traversal, this space will be considered as dup or dep. We may\nencounter an out of bound read when accessing the fixed members.\n\nIn the patch, we make sure that the remaining bytes large enough to hold\nan unused entry before accessing xfs_dir2_data_unused and\nxfs_dir2_data_unused is XFS_DIR2_DATA_ALIGN byte aligned. We also make\nsure that the remaining bytes large enough to hold a dirent with a\nsingle-byte name before accessing xfs_dir2_data_entry."
},
{
"lang": "es",
"value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: xfs: no salga del final de un bloque de datos de directorio. Esto agrega controles de sanitizaci\u00f3n para xfs_dir2_data_unused y xfs_dir2_data_entry para asegurarse de que no se desv\u00eden m\u00e1s all\u00e1 de la regi\u00f3n de memoria v\u00e1lida. Antes de parchear, el bucle simplemente verifica que el desplazamiento inicial de dup y dep est\u00e9 dentro del rango. Entonces, en una imagen manipulada, si la \u00faltima entrada es xfs_dir2_data_unused, podemos cambiar dup->length a dup->length-1 y dejar 1 byte de espacio. En el pr\u00f3ximo recorrido, este espacio se considerar\u00e1 dup o dep. Es posible que nos encontremos con una lectura fuera de los l\u00edmites al acceder a los miembros fijos. En el parche, nos aseguramos de que los bytes restantes sean lo suficientemente grandes como para contener una entrada no utilizada antes de acceder a xfs_dir2_data_unused y xfs_dir2_data_unused est\u00e9n alineados con los bytes XFS_DIR2_DATA_ALIGN. Tambi\u00e9n nos aseguramos de que los bytes restantes sean lo suficientemente grandes como para contener un directorio con un nombre de un solo byte antes de acceder a xfs_dir2_data_entry."
}
],
"metrics": {},

8
CVE-2024/CVE-2024-410xx/CVE-2024-41014.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2024-41014",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T07:15:05.810",
"lastModified": "2024-07-29T07:15:05.810",
"vulnStatus": "Received",
"lastModified": "2024-07-29T14:12:08.783",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: add bounds checking to xlog_recover_process_data\n\nThere is a lack of verification of the space occupied by fixed members\nof xlog_op_header in the xlog_recover_process_data.\n\nWe can create a crafted image to trigger an out of bounds read by\nfollowing these steps:\n 1) Mount an image of xfs, and do some file operations to leave records\n 2) Before umounting, copy the image for subsequent steps to simulate\n abnormal exit. Because umount will ensure that tail_blk and\n head_blk are the same, which will result in the inability to enter\n xlog_recover_process_data\n 3) Write a tool to parse and modify the copied image in step 2\n 4) Make the end of the xlog_op_header entries only 1 byte away from\n xlog_rec_header->h_size\n 5) xlog_rec_header->h_num_logops++\n 6) Modify xlog_rec_header->h_crc\n\nFix:\nAdd a check to make sure there is sufficient space to access fixed members\nof xlog_op_header."
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: xfs: agregar verificaci\u00f3n de l\u00edmites a xlog_recover_process_data Falta verificaci\u00f3n del espacio ocupado por los miembros fijos de xlog_op_header en xlog_recover_process_data. Podemos crear una imagen manipulada para activar una lectura fuera de los l\u00edmites siguiendo estos pasos: 1) Montar una imagen de xfs y realizar algunas operaciones de archivo para dejar registros 2) Antes de desmontar, copie la imagen para los pasos posteriores para simular una salida anormal. Porque umount garantizar\u00e1 que tail_blk y head_blk sean iguales, lo que resultar\u00e1 en la imposibilidad de ingresar xlog_recover_process_data 3) Escriba una herramienta para analizar y modificar la imagen copiada en el paso 2 4) Haga que el final de las entradas xlog_op_header est\u00e9 a solo 1 byte de distancia xlog_rec_header->h_size 5) xlog_rec_header->h_num_logops++ 6) Modificar xlog_rec_header->h_crc Soluci\u00f3n: agregue una marca para asegurarse de que haya suficiente espacio para acceder a los miembros fijos de xlog_op_header."
}
],
"metrics": {},

8
CVE-2024/CVE-2024-410xx/CVE-2024-41015.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2024-41015",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T07:15:06.033",
"lastModified": "2024-07-29T07:15:06.033",
"vulnStatus": "Received",
"lastModified": "2024-07-29T14:12:08.783",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: add bounds checking to ocfs2_check_dir_entry()\n\nThis adds sanity checks for ocfs2_dir_entry to make sure all members of\nocfs2_dir_entry don't stray beyond valid memory region."
},
{
"lang": "es",
"value": " En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: ocfs2: agregue verificaci\u00f3n de l\u00edmites a ocfs2_check_dir_entry() Esto agrega comprobaciones de sanitizaci\u00f3n para ocfs2_dir_entry para garantizar que todos los miembros de ocfs2_dir_entry no se desv\u00eden m\u00e1s all\u00e1 de la regi\u00f3n de memoria v\u00e1lida."
}
],
"metrics": {},

8
CVE-2024/CVE-2024-410xx/CVE-2024-41016.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2024-41016",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T07:15:06.293",
"lastModified": "2024-07-29T07:15:06.293",
"vulnStatus": "Received",
"lastModified": "2024-07-29T14:12:08.783",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry()\n\nxattr in ocfs2 maybe 'non-indexed', which saved with additional space\nrequested. It's better to check if the memory is out of bound before\nmemcmp, although this possibility mainly comes from crafted poisonous\nimages."
},
{
"lang": "es",
"value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: ocfs2: verificaci\u00f3n de l\u00edmite estricto antes de memcmp en ocfs2_xattr_find_entry() xattr en ocfs2 puede ser 'non-indexed', lo que se guard\u00f3 con espacio adicional solicitado. Es mejor comprobar si la memoria est\u00e1 fuera de los l\u00edmites antes de memcmp, aunque esta posibilidad proviene principalmente de im\u00e1genes venenosas creadas."
}
],
"metrics": {},

8
CVE-2024/CVE-2024-410xx/CVE-2024-41017.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2024-41017",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T07:15:06.523",
"lastModified": "2024-07-29T07:15:06.523",
"vulnStatus": "Received",
"lastModified": "2024-07-29T14:12:08.783",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: don't walk off the end of ealist\n\nAdd a check before visiting the members of ea to\nmake sure each ea stays within the ealist."
},
{
"lang": "es",
"value": " En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: jfs: no salga del final de ealist. Agregue una verificaci\u00f3n antes de visitar a los miembros de ea para asegurarse de que cada ea permanezca dentro de ealist."
}
],
"metrics": {},

8
CVE-2024/CVE-2024-410xx/CVE-2024-41018.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2024-41018",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T07:15:06.790",
"lastModified": "2024-07-29T07:15:06.790",
"vulnStatus": "Received",
"lastModified": "2024-07-29T14:12:08.783",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Add a check for attr_names and oatbl\n\nAdded out-of-bound checking for *ane (ATTR_NAME_ENTRY)."
},
{
"lang": "es",
"value": " En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: fs/ntfs3: agregue una verificaci\u00f3n para attr_names y oatbl. Se agreg\u00f3 una verificaci\u00f3n fuera de los l\u00edmites para *ane (ATTR_NAME_ENTRY)."
}
],
"metrics": {},

8
CVE-2024/CVE-2024-410xx/CVE-2024-41019.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2024-41019",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T07:15:07.023",
"lastModified": "2024-07-29T07:15:07.023",
"vulnStatus": "Received",
"lastModified": "2024-07-29T14:12:08.783",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Validate ff offset\n\nThis adds sanity checks for ff offset. There is a check\non rt->first_free at first, but walking through by ff\nwithout any check. If the second ff is a large offset.\nWe may encounter an out-of-bound read."
},
{
"lang": "es",
"value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: fs/ntfs3: Validar ff offset Esto agrega comprobaciones de sanitizaci\u00f3n para ff offset. Al principio hay una verificaci\u00f3n en rt->first_free, pero pasa por ff sin ninguna verificaci\u00f3n. Si el segundo ff es un desplazamiento grande. Es posible que nos encontremos con una lectura fuera de los l\u00edmites."
}
],
"metrics": {},

53
CVE-2024/CVE-2024-410xx/CVE-2024-41020.json Normal file
View File

@ -0,0 +1,53 @@
{
"id": "CVE-2024-41020",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T14:15:03.773",
"lastModified": "2024-07-29T14:15:03.773",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfilelock: Fix fcntl/close race recovery compat path\n\nWhen I wrote commit 3cad1bc01041 (\"filelock: Remove locks reliably when\nfcntl/close race is detected\"), I missed that there are two copies of the\ncode I was patching: The normal version, and the version for 64-bit offsets\non 32-bit kernels.\nThanks to Greg KH for stumbling over this while doing the stable\nbackport...\n\nApply exactly the same fix to the compat path for 32-bit kernels."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/4c43ad4ab41602201d34c66ac62130fe339d686f",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/53e21cfa68a7d12de378b7116c75571f73e0dfa2",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/5b0af8e4c70e4b884bb94ff5f0cd49ecf1273c02",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/73ae349534ebc377328e7d21891e589626c6e82c",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/911cc83e56a2de5a40758766c6a70d6998248860",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a561145f3ae973ebf3e0aee41624e92a6c5cb38d",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/ed898f9ca3fa32c56c858b463ceb9d9936cc69c4",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/f4d0775c6e2f1340ca0725f0337de149aaa989ca",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/f8138f2ad2f745b9a1c696a05b749eabe44337ea",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

29
CVE-2024/CVE-2024-410xx/CVE-2024-41021.json Normal file
View File

@ -0,0 +1,29 @@
{
"id": "CVE-2024-41021",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T14:15:03.870",
"lastModified": "2024-07-29T14:15:03.870",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/mm: Fix VM_FAULT_HWPOISON handling in do_exception()\n\nThere is no support for HWPOISON, MEMORY_FAILURE, or ARCH_HAS_COPY_MC on\ns390. Therefore we do not expect to see VM_FAULT_HWPOISON in\ndo_exception().\n\nHowever, since commit af19487f00f3 (\"mm: make PTE_MARKER_SWAPIN_ERROR more\ngeneral\"), it is possible to see VM_FAULT_HWPOISON in combination with\nPTE_MARKER_POISONED, even on architectures that do not support HWPOISON\notherwise. In this case, we will end up on the BUG() in do_exception().\n\nFix this by treating VM_FAULT_HWPOISON the same as VM_FAULT_SIGBUS, similar\nto x86 when MEMORY_FAILURE is not configured. Also print unexpected fault\nflags, for easier debugging.\n\nNote that VM_FAULT_HWPOISON_LARGE is not expected, because s390 cannot\nsupport swap entries on other levels than PTE level."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/9e13767ccefdc4f8aa92514b592b60f6b54882ff",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a3aefb871222a9880602d1a44a558177b4143e3b",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/df39038cd89525d465c2c8827eb64116873f141a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

49
CVE-2024/CVE-2024-410xx/CVE-2024-41022.json Normal file
View File

@ -0,0 +1,49 @@
{
"id": "CVE-2024-41022",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T14:15:03.943",
"lastModified": "2024-07-29T14:15:03.943",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq()\n\nThe \"instance\" variable needs to be signed for the error handling to work."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/298e2ce222e712ffafa47288c5b2fcf33d72fda3",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/3dd9734878a9042f0358301d19a2b006a0fc4d06",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/4edb0a84e6b32e75dc9bd6dd085b2c2ff19ec287",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/544fa213f15d27f0370795845d55eeb3e00080d2",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/6769a23697f17f9bf9365ca8ed62fe37e361a05a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a5224e2123ce21102f346f518db80f004d5053a7",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/d347c9a398bf7eab9408d207c0a50fb720f9de7d",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/e8dfbf83a82bbfb9680921719fbe65e535af59ea",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

25
CVE-2024/CVE-2024-410xx/CVE-2024-41023.json Normal file
View File

@ -0,0 +1,25 @@
{
"id": "CVE-2024-41023",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:11.200",
"lastModified": "2024-07-29T15:15:11.200",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/deadline: Fix task_struct reference leak\n\nDuring the execution of the following stress test with linux-rt:\n\nstress-ng --cyclic 30 --timeout 30 --minimize --quiet\n\nkmemleak frequently reported a memory leak concerning the task_struct:\n\nunreferenced object 0xffff8881305b8000 (size 16136):\n comm \"stress-ng\", pid 614, jiffies 4294883961 (age 286.412s)\n object hex dump (first 32 bytes):\n 02 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 .@..............\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n debug hex dump (first 16 bytes):\n 53 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 S...............\n backtrace:\n [<00000000046b6790>] dup_task_struct+0x30/0x540\n [<00000000c5ca0f0b>] copy_process+0x3d9/0x50e0\n [<00000000ced59777>] kernel_clone+0xb0/0x770\n [<00000000a50befdc>] __do_sys_clone+0xb6/0xf0\n [<000000001dbf2008>] do_syscall_64+0x5d/0xf0\n [<00000000552900ff>] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nThe issue occurs in start_dl_timer(), which increments the task_struct\nreference count and sets a timer. The timer callback, dl_task_timer,\nis supposed to decrement the reference count upon expiration. However,\nif enqueue_task_dl() is called before the timer expires and cancels it,\nthe reference count is not decremented, leading to the leak.\n\nThis patch fixes the reference leak by ensuring the task_struct\nreference count is properly decremented when the timer is canceled."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/7a54d31face626f62de415ebe77b43f76c3ffaf4",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/b58652db66c910c2245f5bee7deca41c12d707b9",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

29
CVE-2024/CVE-2024-410xx/CVE-2024-41024.json Normal file
View File

@ -0,0 +1,29 @@
{
"id": "CVE-2024-41024",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:11.270",
"lastModified": "2024-07-29T15:15:11.270",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: fastrpc: Restrict untrusted app to attach to privileged PD\n\nUntrusted application with access to only non-secure fastrpc device\nnode can attach to root_pd or static PDs if it can make the respective\ninit request. This can cause problems as the untrusted application\ncan send bad requests to root_pd or static PDs. Add changes to reject\nattach to privileged PDs if the request is being made using non-secure\nfastrpc device node."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/5e305b5986dc52122a9368a1461f0c13e1de3fd6",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/bab2f5e8fd5d2f759db26b78d9db57412888f187",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/c69fd8afacebfdf2f8a1ee1ea7e0723786529874",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

29
CVE-2024/CVE-2024-410xx/CVE-2024-41025.json Normal file
View File

@ -0,0 +1,29 @@
{
"id": "CVE-2024-41025",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:11.343",
"lastModified": "2024-07-29T15:15:11.343",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: fastrpc: Fix memory leak in audio daemon attach operation\n\nAudio PD daemon send the name as part of the init IOCTL call. This\nname needs to be copied to kernel for which memory is allocated.\nThis memory is never freed which might result in memory leak. Free\nthe memory when it is not needed."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/8b8b82dcf393ceaca8c88939338fd4c30b5b11b2",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/ad0bd973a033003ca578c42a760d1dc77aeea15e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/dbf4c31c9b039fd9734da156036492a2a7f78f64",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

25
CVE-2024/CVE-2024-410xx/CVE-2024-41026.json Normal file
View File

@ -0,0 +1,25 @@
{
"id": "CVE-2024-41026",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:11.413",
"lastModified": "2024-07-29T15:15:11.413",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: davinci_mmc: Prevent transmitted data size from exceeding sgm's length\n\nNo check is done on the size of the data to be transmiited. This causes\na kernel panic when this size exceeds the sg_miter's length.\n\nLimit the number of transmitted bytes to sgm->length."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/16198eef11c1929374381d7f6271b4bf6aa44615",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/c561c4ecce712f94b442db5960e281f13b28df2e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

37
CVE-2024/CVE-2024-410xx/CVE-2024-41027.json Normal file
View File

@ -0,0 +1,37 @@
{
"id": "CVE-2024-41027",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:11.483",
"lastModified": "2024-07-29T15:15:11.483",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nFix userfaultfd_api to return EINVAL as expected\n\nCurrently if we request a feature that is not set in the Kernel config we\nfail silently and return all the available features. However, the man\npage indicates we should return an EINVAL.\n\nWe need to fix this issue since we can end up with a Kernel warning should\na program request the feature UFFD_FEATURE_WP_UNPOPULATED on a kernel with\nthe config not set with this feature.\n\n [ 200.812896] WARNING: CPU: 91 PID: 13634 at mm/memory.c:1660 zap_pte_range+0x43d/0x660\n [ 200.820738] Modules linked in:\n [ 200.869387] CPU: 91 PID: 13634 Comm: userfaultfd Kdump: loaded Not tainted 6.9.0-rc5+ #8\n [ 200.877477] Hardware name: Dell Inc. PowerEdge R6525/0N7YGH, BIOS 2.7.3 03/30/2022\n [ 200.885052] RIP: 0010:zap_pte_range+0x43d/0x660"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/14875fd5f9bcf60ac5518c63bfb676ade44aa7c6",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/1723f04caacb32cadc4e063725d836a0c4450694",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/519547760f16eae7803d2658d9524bc5ba7a20a7",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/8111f902b7c95d75fc80c7e577f5045886c6b384",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/cd94cac4069a763ab5206be2c64c9a8beae590ba",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

33
CVE-2024/CVE-2024-410xx/CVE-2024-41028.json Normal file
View File

@ -0,0 +1,33 @@
{
"id": "CVE-2024-41028",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:11.553",
"lastModified": "2024-07-29T15:15:11.553",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: toshiba_acpi: Fix array out-of-bounds access\n\nIn order to use toshiba_dmi_quirks[] together with the standard DMI\nmatching functions, it must be terminated by a empty entry.\n\nSince this entry is missing, an array out-of-bounds access occurs\nevery time the quirk list is processed.\n\nFix this by adding the terminating empty entry."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/0d71da43d6b7916d36cf1953d793da80433c50bf",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/639868f1cb87b683cf830353bbee0c4078202313",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/b6e02c6b0377d4339986e07aeb696c632cd392aa",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/e030aa6c972641cb069086a8c7a0f747653e472a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

25
CVE-2024/CVE-2024-410xx/CVE-2024-41029.json Normal file
View File

@ -0,0 +1,25 @@
{
"id": "CVE-2024-41029",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:11.627",
"lastModified": "2024-07-29T15:15:11.627",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmem: core: limit cell sysfs permissions to main attribute ones\n\nThe cell sysfs attribute should not provide more access to the nvmem\ndata than the main attribute itself.\nFor example if nvme_config::root_only was set, the cell attribute\nwould still provide read access to everybody.\n\nMask out permissions not available on the main attribute."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/6bef98bafd82903a8d461463f9594f19f1fd6a85",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/aa066afaaac32caf2160d58d4e3010ee04421c62",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

33
CVE-2024/CVE-2024-410xx/CVE-2024-41030.json Normal file
View File

@ -0,0 +1,33 @@
{
"id": "CVE-2024-41030",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:11.697",
"lastModified": "2024-07-29T15:15:11.697",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: discard write access to the directory open\n\nmay_open() does not allow a directory to be opened with the write access.\nHowever, some writing flags set by client result in adding write access\non server, making ksmbd incompatible with FUSE file system. Simply, let's\ndiscard the write access when opening a directory.\n\nlist_add corruption. next is NULL.\n------------[ cut here ]------------\nkernel BUG at lib/list_debug.c:26!\npc : __list_add_valid+0x88/0xbc\nlr : __list_add_valid+0x88/0xbc\nCall trace:\n__list_add_valid+0x88/0xbc\nfuse_finish_open+0x11c/0x170\nfuse_open_common+0x284/0x5e8\nfuse_dir_open+0x14/0x24\ndo_dentry_open+0x2a4/0x4e0\ndentry_open+0x50/0x80\nsmb2_open+0xbe4/0x15a4\nhandle_ksmbd_work+0x478/0x5ec\nprocess_one_work+0x1b4/0x448\nworker_thread+0x25c/0x430\nkthread+0x104/0x1d4\nret_from_fork+0x10/0x20"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/198498b2049c0f11f7670be6974570e02b0cc035",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/66cf853e1c7a2407f15d9f7aaa3e47d61745e361",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/9e84b1ba5c98fb5c9f869c85db1d870354613baa",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/e2e33caa5dc2eae7bddf88b22ce11ec3d760e5cd",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

29
CVE-2024/CVE-2024-410xx/CVE-2024-41031.json Normal file
View File

@ -0,0 +1,29 @@
{
"id": "CVE-2024-41031",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:11.770",
"lastModified": "2024-07-29T15:15:11.770",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/filemap: skip to create PMD-sized page cache if needed\n\nOn ARM64, HPAGE_PMD_ORDER is 13 when the base page size is 64KB. The\nPMD-sized page cache can't be supported by xarray as the following error\nmessages indicate.\n\n------------[ cut here ]------------\nWARNING: CPU: 35 PID: 7484 at lib/xarray.c:1025 xas_split_alloc+0xf8/0x128\nModules linked in: nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib \\\nnft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct \\\nnft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 \\\nip_set rfkill nf_tables nfnetlink vfat fat virtio_balloon drm \\\nfuse xfs libcrc32c crct10dif_ce ghash_ce sha2_ce sha256_arm64 \\\nsha1_ce virtio_net net_failover virtio_console virtio_blk failover \\\ndimlib virtio_mmio\nCPU: 35 PID: 7484 Comm: test Kdump: loaded Tainted: G W 6.10.0-rc5-gavin+ #9\nHardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-1.el9 05/24/2024\npstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)\npc : xas_split_alloc+0xf8/0x128\nlr : split_huge_page_to_list_to_order+0x1c4/0x720\nsp : ffff800087a4f6c0\nx29: ffff800087a4f6c0 x28: ffff800087a4f720 x27: 000000001fffffff\nx26: 0000000000000c40 x25: 000000000000000d x24: ffff00010625b858\nx23: ffff800087a4f720 x22: ffffffdfc0780000 x21: 0000000000000000\nx20: 0000000000000000 x19: ffffffdfc0780000 x18: 000000001ff40000\nx17: 00000000ffffffff x16: 0000018000000000 x15: 51ec004000000000\nx14: 0000e00000000000 x13: 0000000000002000 x12: 0000000000000020\nx11: 51ec000000000000 x10: 51ece1c0ffff8000 x9 : ffffbeb961a44d28\nx8 : 0000000000000003 x7 : ffffffdfc0456420 x6 : ffff0000e1aa6eb8\nx5 : 20bf08b4fe778fca x4 : ffffffdfc0456420 x3 : 0000000000000c40\nx2 : 000000000000000d x1 : 000000000000000c x0 : 0000000000000000\nCall trace:\n xas_split_alloc+0xf8/0x128\n split_huge_page_to_list_to_order+0x1c4/0x720\n truncate_inode_partial_folio+0xdc/0x160\n truncate_inode_pages_range+0x1b4/0x4a8\n truncate_pagecache_range+0x84/0xa0\n xfs_flush_unmap_range+0x70/0x90 [xfs]\n xfs_file_fallocate+0xfc/0x4d8 [xfs]\n vfs_fallocate+0x124/0x2e8\n ksys_fallocate+0x4c/0xa0\n __arm64_sys_fallocate+0x24/0x38\n invoke_syscall.constprop.0+0x7c/0xd8\n do_el0_svc+0xb4/0xd0\n el0_svc+0x44/0x1d8\n el0t_64_sync_handler+0x134/0x150\n el0t_64_sync+0x17c/0x180\n\nFix it by skipping to allocate PMD-sized page cache when its size is\nlarger than MAX_PAGECACHE_ORDER. For this specific case, we will fall to\nregular path where the readahead window is determined by BDI's sysfs file\n(read_ahead_kb)."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/06b5a69c27ec405a3c3f2da8520ff1ee70b94a21",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/1ef650d3b1b2a16473981b447f38705fe9b93972",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/3390916aca7af1893ed2ebcdfee1d6fdb65bb058",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

29
CVE-2024/CVE-2024-410xx/CVE-2024-41032.json Normal file
View File

@ -0,0 +1,29 @@
{
"id": "CVE-2024-41032",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:11.850",
"lastModified": "2024-07-29T15:15:11.850",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: vmalloc: check if a hash-index is in cpu_possible_mask\n\nThe problem is that there are systems where cpu_possible_mask has gaps\nbetween set CPUs, for example SPARC. In this scenario addr_to_vb_xa()\nhash function can return an index which accesses to not-possible and not\nsetup CPU area using per_cpu() macro. This results in an oops on SPARC.\n\nA per-cpu vmap_block_queue is also used as hash table, incorrectly\nassuming the cpu_possible_mask has no gaps. Fix it by adjusting an index\nto a next possible CPU."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/28acd531c9a365dac01b32e6bc54aed8c1429bcb",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/47f9b6e49b422392fb0e348a65eb925103ba1882",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a34acf30b19bc4ee3ba2f1082756ea2604c19138",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

25
CVE-2024/CVE-2024-410xx/CVE-2024-41033.json Normal file
View File

@ -0,0 +1,25 @@
{
"id": "CVE-2024-41033",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:11.920",
"lastModified": "2024-07-29T15:15:11.920",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachestat: do not flush stats in recency check\n\nsyzbot detects that cachestat() is flushing stats, which can sleep, in its\nRCU read section (see [1]). This is done in the workingset_test_recent()\nstep (which checks if the folio's eviction is recent).\n\nMove the stat flushing step to before the RCU read section of cachestat,\nand skip stat flushing during the recency check.\n\n[1]: https://lore.kernel.org/cgroups/000000000000f71227061bdf97e0@google.com/"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/1d1ba14e00d290b1ed616ed78c8c49bf897ce390",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/5a4d8944d6b1e1aaaa83ea42c116b520b4ed0394",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

49
CVE-2024/CVE-2024-410xx/CVE-2024-41034.json Normal file
View File

@ -0,0 +1,49 @@
{
"id": "CVE-2024-41034",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:11.990",
"lastModified": "2024-07-29T15:15:11.990",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix kernel bug on rename operation of broken directory\n\nSyzbot reported that in rename directory operation on broken directory on\nnilfs2, __block_write_begin_int() called to prepare block write may fail\nBUG_ON check for access exceeding the folio/page size.\n\nThis is because nilfs_dotdot(), which gets parent directory reference\nentry (\"..\") of the directory to be moved or renamed, does not check\nconsistency enough, and may return location exceeding folio/page size for\nbroken directories.\n\nFix this issue by checking required directory entries (\".\" and \"..\") in\nthe first chunk of the directory in nilfs_dotdot()."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/1a8879c0771a68d70ee2e5e66eea34207e8c6231",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/24c1c8566a9b6be51f5347be2ea76e25fc82b11e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/298cd810d7fb687c90a14d8f9fd1b8719a7cb8a5",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/60f61514374e4a0c3b65b08c6024dd7e26150bfd",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/7000b438dda9d0f41a956fc9bffed92d2eb6be0d",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a9a466a69b85059b341239766a10efdd3ee68a4b",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a9e1ddc09ca55746079cc479aa3eb6411f0d99d4",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/ff9767ba2cb949701e45e6e4287f8af82986b703",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

49
CVE-2024/CVE-2024-410xx/CVE-2024-41035.json Normal file
View File

@ -0,0 +1,49 @@
{
"id": "CVE-2024-41035",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:12.077",
"lastModified": "2024-07-29T15:15:12.077",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: core: Fix duplicate endpoint bug by clearing reserved bits in the descriptor\n\nSyzbot has identified a bug in usbcore (see the Closes: tag below)\ncaused by our assumption that the reserved bits in an endpoint\ndescriptor's bEndpointAddress field will always be 0. As a result of\nthe bug, the endpoint_is_duplicate() routine in config.c (and possibly\nother routines as well) may believe that two descriptors are for\ndistinct endpoints, even though they have the same direction and\nendpoint number. This can lead to confusion, including the bug\nidentified by syzbot (two descriptors with matching endpoint numbers\nand directions, where one was interrupt and the other was bulk).\n\nTo fix the bug, we will clear the reserved bits in bEndpointAddress\nwhen we parse the descriptor. (Note that both the USB-2.0 and USB-3.1\nspecs say these bits are \"Reserved, reset to zero\".) This requires us\nto make a copy of the descriptor earlier in usb_parse_endpoint() and\nuse the copy instead of the original when checking for duplicates."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/2bd8534a1b83c65702aec3cab164170f8e584188",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/37514a5c1251a8c5c95c323f55050736e7069ac7",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/60abea505b726b38232a0ef410d2bd1994a77f78",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/647d61aef106dbed9c70447bcddbd4968e67ca64",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/9edcf317620d7c6a8354911b69b874cf89716646",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a368ecde8a5055b627749b09c6218ef793043e47",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/d09dd21bb5215d583ca9a1cb1464dbc77a7e88cf",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/d8418fd083d1b90a6c007cf8dcf81aeae274727b",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

33
CVE-2024/CVE-2024-410xx/CVE-2024-41036.json Normal file
View File

@ -0,0 +1,33 @@
{
"id": "CVE-2024-41036",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:12.170",
"lastModified": "2024-07-29T15:15:12.170",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ks8851: Fix deadlock with the SPI chip variant\n\nWhen SMP is enabled and spinlocks are actually functional then there is\na deadlock with the 'statelock' spinlock between ks8851_start_xmit_spi\nand ks8851_irq:\n\n watchdog: BUG: soft lockup - CPU#0 stuck for 27s!\n call trace:\n queued_spin_lock_slowpath+0x100/0x284\n do_raw_spin_lock+0x34/0x44\n ks8851_start_xmit_spi+0x30/0xb8\n ks8851_start_xmit+0x14/0x20\n netdev_start_xmit+0x40/0x6c\n dev_hard_start_xmit+0x6c/0xbc\n sch_direct_xmit+0xa4/0x22c\n __qdisc_run+0x138/0x3fc\n qdisc_run+0x24/0x3c\n net_tx_action+0xf8/0x130\n handle_softirqs+0x1ac/0x1f0\n __do_softirq+0x14/0x20\n ____do_softirq+0x10/0x1c\n call_on_irq_stack+0x3c/0x58\n do_softirq_own_stack+0x1c/0x28\n __irq_exit_rcu+0x54/0x9c\n irq_exit_rcu+0x10/0x1c\n el1_interrupt+0x38/0x50\n el1h_64_irq_handler+0x18/0x24\n el1h_64_irq+0x64/0x68\n __netif_schedule+0x6c/0x80\n netif_tx_wake_queue+0x38/0x48\n ks8851_irq+0xb8/0x2c8\n irq_thread_fn+0x2c/0x74\n irq_thread+0x10c/0x1b0\n kthread+0xc8/0xd8\n ret_from_fork+0x10/0x20\n\nThis issue has not been identified earlier because tests were done on\na device with SMP disabled and so spinlocks were actually NOPs.\n\nNow use spin_(un)lock_bh for TX queue related locking to avoid execution\nof softirq work synchronously that would lead to a deadlock."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/0913ec336a6c0c4a2b296bd9f74f8e41c4c83c8c",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/10fec0cd0e8f56ff06c46bb24254c7d8f8f2bbf0",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/80ece00137300d74642f2038c8fe5440deaf9f05",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a0c69c492f4a8fad52f0a97565241c926160c9a4",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

29
CVE-2024/CVE-2024-410xx/CVE-2024-41037.json Normal file
View File

@ -0,0 +1,29 @@
{
"id": "CVE-2024-41037",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:12.240",
"lastModified": "2024-07-29T15:15:12.240",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: Intel: hda: fix null deref on system suspend entry\n\nWhen system enters suspend with an active stream, SOF core\ncalls hw_params_upon_resume(). On Intel platforms with HDA DMA used\nto manage the link DMA, this leads to call chain of\n\n hda_dsp_set_hw_params_upon_resume()\n -> hda_dsp_dais_suspend()\n -> hda_dai_suspend()\n -> hda_ipc4_post_trigger()\n\nA bug is hit in hda_dai_suspend() as hda_link_dma_cleanup() is run first,\nwhich clears hext_stream->link_substream, and then hda_ipc4_post_trigger()\nis called with a NULL snd_pcm_substream pointer."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/8246bbf818ed7b8d5afc92b951e6d562b45c2450",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/9065693dcc13f287b9e4991f43aee70cf5538fdd",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/993af0f2d9f24e3c18a445ae22b34190d1fcad61",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

33
CVE-2024/CVE-2024-410xx/CVE-2024-41038.json Normal file
View File

@ -0,0 +1,33 @@
{
"id": "CVE-2024-41038",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:12.320",
"lastModified": "2024-07-29T15:15:12.320",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: cs_dsp: Prevent buffer overrun when processing V2 alg headers\n\nCheck that all fields of a V2 algorithm header fit into the available\nfirmware data buffer.\n\nThe wmfw V2 format introduced variable-length strings in the algorithm\nblock header. This means the overall header length is variable, and the\nposition of most fields varies depending on the length of the string\nfields. Each field must be checked to ensure that it does not overflow\nthe firmware data buffer.\n\nAs this ia bugfix patch, the fixes avoid making any significant change to\nthe existing code. This makes it easier to review and less likely to\nintroduce new bugs."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/014239b9971d79421a0ba652579e1ca1b7b57b6d",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/2163aff6bebbb752edf73f79700f5e2095f3559e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/6619aa48a011364e9f29083cc76368e6acfe5b11",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/76ea8e13aaefdfda6e5601323d6ea5340359dcfa",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

33
CVE-2024/CVE-2024-410xx/CVE-2024-41039.json Normal file
View File

@ -0,0 +1,33 @@
{
"id": "CVE-2024-41039",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:12.393",
"lastModified": "2024-07-29T15:15:12.393",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: cs_dsp: Fix overflow checking of wmfw header\n\nFix the checking that firmware file buffer is large enough for the\nwmfw header, to prevent overrunning the buffer.\n\nThe original code tested that the firmware data buffer contained\nenough bytes for the sums of the size of the structs\n\n\twmfw_header + wmfw_adsp1_sizes + wmfw_footer\n\nBut wmfw_adsp1_sizes is only used on ADSP1 firmware. For ADSP2 and\nHalo Core the equivalent struct is wmfw_adsp2_sizes, which is\n4 bytes longer. So the length check didn't guarantee that there\nare enough bytes in the firmware buffer for a header with\nwmfw_adsp2_sizes.\n\nThis patch splits the length check into three separate parts. Each\nof the wmfw_header, wmfw_adsp?_sizes and wmfw_footer are checked\nseparately before they are used."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/3019b86bce16fbb5bc1964f3544d0ce7d0137278",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/49a79f344d0a17c6a5eef53716cc76fcdbfca9ba",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/9c9877a96e033bf6c6470b3b4f06106d91ace11e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/fd035f0810b33c2a8792effdb82bf35920221565",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

41
CVE-2024/CVE-2024-410xx/CVE-2024-41040.json Normal file
View File

@ -0,0 +1,41 @@
{
"id": "CVE-2024-41040",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:12.473",
"lastModified": "2024-07-29T15:15:12.473",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Fix UAF when resolving a clash\n\nKASAN reports the following UAF:\n\n BUG: KASAN: slab-use-after-free in tcf_ct_flow_table_process_conn+0x12b/0x380 [act_ct]\n Read of size 1 at addr ffff888c07603600 by task handler130/6469\n\n Call Trace:\n <IRQ>\n dump_stack_lvl+0x48/0x70\n print_address_description.constprop.0+0x33/0x3d0\n print_report+0xc0/0x2b0\n kasan_report+0xd0/0x120\n __asan_load1+0x6c/0x80\n tcf_ct_flow_table_process_conn+0x12b/0x380 [act_ct]\n tcf_ct_act+0x886/0x1350 [act_ct]\n tcf_action_exec+0xf8/0x1f0\n fl_classify+0x355/0x360 [cls_flower]\n __tcf_classify+0x1fd/0x330\n tcf_classify+0x21c/0x3c0\n sch_handle_ingress.constprop.0+0x2c5/0x500\n __netif_receive_skb_core.constprop.0+0xb25/0x1510\n __netif_receive_skb_list_core+0x220/0x4c0\n netif_receive_skb_list_internal+0x446/0x620\n napi_complete_done+0x157/0x3d0\n gro_cell_poll+0xcf/0x100\n __napi_poll+0x65/0x310\n net_rx_action+0x30c/0x5c0\n __do_softirq+0x14f/0x491\n __irq_exit_rcu+0x82/0xc0\n irq_exit_rcu+0xe/0x20\n common_interrupt+0xa1/0xb0\n </IRQ>\n <TASK>\n asm_common_interrupt+0x27/0x40\n\n Allocated by task 6469:\n kasan_save_stack+0x38/0x70\n kasan_set_track+0x25/0x40\n kasan_save_alloc_info+0x1e/0x40\n __kasan_krealloc+0x133/0x190\n krealloc+0xaa/0x130\n nf_ct_ext_add+0xed/0x230 [nf_conntrack]\n tcf_ct_act+0x1095/0x1350 [act_ct]\n tcf_action_exec+0xf8/0x1f0\n fl_classify+0x355/0x360 [cls_flower]\n __tcf_classify+0x1fd/0x330\n tcf_classify+0x21c/0x3c0\n sch_handle_ingress.constprop.0+0x2c5/0x500\n __netif_receive_skb_core.constprop.0+0xb25/0x1510\n __netif_receive_skb_list_core+0x220/0x4c0\n netif_receive_skb_list_internal+0x446/0x620\n napi_complete_done+0x157/0x3d0\n gro_cell_poll+0xcf/0x100\n __napi_poll+0x65/0x310\n net_rx_action+0x30c/0x5c0\n __do_softirq+0x14f/0x491\n\n Freed by task 6469:\n kasan_save_stack+0x38/0x70\n kasan_set_track+0x25/0x40\n kasan_save_free_info+0x2b/0x60\n ____kasan_slab_free+0x180/0x1f0\n __kasan_slab_free+0x12/0x30\n slab_free_freelist_hook+0xd2/0x1a0\n __kmem_cache_free+0x1a2/0x2f0\n kfree+0x78/0x120\n nf_conntrack_free+0x74/0x130 [nf_conntrack]\n nf_ct_destroy+0xb2/0x140 [nf_conntrack]\n __nf_ct_resolve_clash+0x529/0x5d0 [nf_conntrack]\n nf_ct_resolve_clash+0xf6/0x490 [nf_conntrack]\n __nf_conntrack_confirm+0x2c6/0x770 [nf_conntrack]\n tcf_ct_act+0x12ad/0x1350 [act_ct]\n tcf_action_exec+0xf8/0x1f0\n fl_classify+0x355/0x360 [cls_flower]\n __tcf_classify+0x1fd/0x330\n tcf_classify+0x21c/0x3c0\n sch_handle_ingress.constprop.0+0x2c5/0x500\n __netif_receive_skb_core.constprop.0+0xb25/0x1510\n __netif_receive_skb_list_core+0x220/0x4c0\n netif_receive_skb_list_internal+0x446/0x620\n napi_complete_done+0x157/0x3d0\n gro_cell_poll+0xcf/0x100\n __napi_poll+0x65/0x310\n net_rx_action+0x30c/0x5c0\n __do_softirq+0x14f/0x491\n\nThe ct may be dropped if a clash has been resolved but is still passed to\nthe tcf_ct_flow_table_process_conn function for further usage. This issue\ncan be fixed by retrieving ct from skb again after confirming conntrack."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/26488172b0292bed837b95a006a3f3431d1898c3",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/2b4d68df3f57ea746c430941ba9c03d7d8b5a23f",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/4e71b10a100861fb27d9c5755dfd68f615629fae",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/799a34901b634008db4a7ece3900e2b971d4c932",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/b81a523d54ea689414f67c9fb81a5b917a41ed55",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/ef472cc6693b16b202a916482df72f35d94bd69e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

45
CVE-2024/CVE-2024-410xx/CVE-2024-41041.json Normal file
View File

@ -0,0 +1,45 @@
{
"id": "CVE-2024-41041",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:12.563",
"lastModified": "2024-07-29T15:15:12.563",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nudp: Set SOCK_RCU_FREE earlier in udp_lib_get_port().\n\nsyzkaller triggered the warning [0] in udp_v4_early_demux().\n\nIn udp_v[46]_early_demux() and sk_lookup(), we do not touch the refcount\nof the looked-up sk and use sock_pfree() as skb->destructor, so we check\nSOCK_RCU_FREE to ensure that the sk is safe to access during the RCU grace\nperiod.\n\nCurrently, SOCK_RCU_FREE is flagged for a bound socket after being put\ninto the hash table. Moreover, the SOCK_RCU_FREE check is done too early\nin udp_v[46]_early_demux() and sk_lookup(), so there could be a small race\nwindow:\n\n CPU1 CPU2\n ---- ----\n udp_v4_early_demux() udp_lib_get_port()\n | |- hlist_add_head_rcu()\n |- sk = __udp4_lib_demux_lookup() |\n |- DEBUG_NET_WARN_ON_ONCE(sk_is_refcounted(sk));\n `- sock_set_flag(sk, SOCK_RCU_FREE)\n\nWe had the same bug in TCP and fixed it in commit 871019b22d1b (\"net:\nset SOCK_RCU_FREE before inserting socket into hashtable\").\n\nLet's apply the same fix for UDP.\n\n[0]:\nWARNING: CPU: 0 PID: 11198 at net/ipv4/udp.c:2599 udp_v4_early_demux+0x481/0xb70 net/ipv4/udp.c:2599\nModules linked in:\nCPU: 0 PID: 11198 Comm: syz-executor.1 Not tainted 6.9.0-g93bda33046e7 #13\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nRIP: 0010:udp_v4_early_demux+0x481/0xb70 net/ipv4/udp.c:2599\nCode: c5 7a 15 fe bb 01 00 00 00 44 89 e9 31 ff d3 e3 81 e3 bf ef ff ff 89 de e8 2c 74 15 fe 85 db 0f 85 02 06 00 00 e8 9f 7a 15 fe <0f> 0b e8 98 7a 15 fe 49 8d 7e 60 e8 4f 39 2f fe 49 c7 46 60 20 52\nRSP: 0018:ffffc9000ce3fa58 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8318c92c\nRDX: ffff888036ccde00 RSI: ffffffff8318c2f1 RDI: 0000000000000001\nRBP: ffff88805a2dd6e0 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000000 R11: 0001ffffffffffff R12: ffff88805a2dd680\nR13: 0000000000000007 R14: ffff88800923f900 R15: ffff88805456004e\nFS: 00007fc449127640(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fc449126e38 CR3: 000000003de4b002 CR4: 0000000000770ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600\nPKRU: 55555554\nCall Trace:\n <TASK>\n ip_rcv_finish_core.constprop.0+0xbdd/0xd20 net/ipv4/ip_input.c:349\n ip_rcv_finish+0xda/0x150 net/ipv4/ip_input.c:447\n NF_HOOK include/linux/netfilter.h:314 [inline]\n NF_HOOK include/linux/netfilter.h:308 [inline]\n ip_rcv+0x16c/0x180 net/ipv4/ip_input.c:569\n __netif_receive_skb_one_core+0xb3/0xe0 net/core/dev.c:5624\n __netif_receive_skb+0x21/0xd0 net/core/dev.c:5738\n netif_receive_skb_internal net/core/dev.c:5824 [inline]\n netif_receive_skb+0x271/0x300 net/core/dev.c:5884\n tun_rx_batched drivers/net/tun.c:1549 [inline]\n tun_get_user+0x24db/0x2c50 drivers/net/tun.c:2002\n tun_chr_write_iter+0x107/0x1a0 drivers/net/tun.c:2048\n new_sync_write fs/read_write.c:497 [inline]\n vfs_write+0x76f/0x8d0 fs/read_write.c:590\n ksys_write+0xbf/0x190 fs/read_write.c:643\n __do_sys_write fs/read_write.c:655 [inline]\n __se_sys_write fs/read_write.c:652 [inline]\n __x64_sys_write+0x41/0x50 fs/read_write.c:652\n x64_sys_call+0xe66/0x1990 arch/x86/include/generated/asm/syscalls_64.h:2\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x4b/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\nRIP: 0033:0x7fc44a68bc1f\nCode: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 e9 cf f5 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 3c d0 f5 ff 48\nRSP: 002b:00007fc449126c90 EFLAGS: 00000293 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 00000000004bc050 RCX: 00007fc44a68bc1f\nR\n---truncated---"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/20ceae10623c3b29fdf7609690849475bcdebdb0",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/5c0b485a8c6116516f33925b9ce5b6104a6eadfd",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/7a67c4e47626e6daccda62888f8b096abb5d3940",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/9f965684c57c3117cfd2f754dd3270383c529fba",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a6db0d3ea6536e7120871e5448b3032570152ec6",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/c5fd77ca13d657c6e99bf04f0917445e6a80231e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/ddf516e50bf8a7bc9b3bd8a9831f9c7a8131a32a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

25
CVE-2024/CVE-2024-410xx/CVE-2024-41042.json Normal file
View File

@ -0,0 +1,25 @@
{
"id": "CVE-2024-41042",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:12.647",
"lastModified": "2024-07-29T15:15:12.647",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: prefer nft_chain_validate\n\nnft_chain_validate already performs loop detection because a cycle will\nresult in a call stack overflow (ctx->level >= NFT_JUMP_STACK_SIZE).\n\nIt also follows maps via ->validate callback in nft_lookup, so there\nappears no reason to iterate the maps again.\n\nnf_tables_check_loops() and all its helper functions can be removed.\nThis improves ruleset load time significantly, from 23s down to 12s.\n\nThis also fixes a crash bug. Old loop detection code can result in\nunbounded recursion:\n\nBUG: TASK stack guard page was hit at ....\nOops: stack guard page: 0000 [#1] PREEMPT SMP KASAN\nCPU: 4 PID: 1539 Comm: nft Not tainted 6.10.0-rc5+ #1\n[..]\n\nwith a suitable ruleset during validation of register stores.\n\nI can't see any actual reason to attempt to check for this from\nnft_validate_register_store(), at this point the transaction is still in\nprogress, so we don't have a full picture of the rule graph.\n\nFor nf-next it might make sense to either remove it or make this depend\non table->validate_state in case we could catch an error earlier\n(for improved error reporting to userspace)."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/9df785aeb7dcc8efd1d4110bb27d26005298ebae",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/cff3bd012a9512ac5ed858d38e6ed65f6391008c",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

25
CVE-2024/CVE-2024-410xx/CVE-2024-41043.json Normal file
View File

@ -0,0 +1,25 @@
{
"id": "CVE-2024-41043",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:12.710",
"lastModified": "2024-07-29T15:15:12.710",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nfnetlink_queue: drop bogus WARN_ON\n\nHappens when rules get flushed/deleted while packet is out, so remove\nthis WARN_ON.\n\nThis WARN exists in one form or another since v4.14, no need to backport\nthis to older releases, hence use a more recent fixes tag."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/631a4b3ddc7831b20442c59c28b0476d0704c9af",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/86858da8335db48bde9be02abd7156a69d622e86",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

49
CVE-2024/CVE-2024-410xx/CVE-2024-41044.json Normal file
View File

@ -0,0 +1,49 @@
{
"id": "CVE-2024-41044",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:12.783",
"lastModified": "2024-07-29T15:15:12.783",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nppp: reject claimed-as-LCP but actually malformed packets\n\nSince 'ppp_async_encode()' assumes valid LCP packets (with code\nfrom 1 to 7 inclusive), add 'ppp_check_packet()' to ensure that\nLCP packet has an actual body beyond PPP_LCP header bytes, and\nreject claimed-as-LCP but actually malformed data otherwise."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/099502ca410922b56353ccef2749bc0de669da78",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/3134bdf7356ed952dcecb480861d2afcc1e40492",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/3ba12c2afd933fc1bf800f6d3f6c7ec8f602ce56",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/6e8f1c21174f9482033bbb59f13ce1a8cbe843c3",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/97d1efd8be26615ff680cdde86937d5943138f37",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/d683e7f3fc48f59576af34631b4fb07fd931343e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/ebc5c630457783d17d0c438b0ad70b232a64a82f",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/f2aeb7306a898e1cbd03963d376f4b6656ca2b55",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

25
CVE-2024/CVE-2024-410xx/CVE-2024-41045.json Normal file
View File

@ -0,0 +1,25 @@
{
"id": "CVE-2024-41045",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:12.873",
"lastModified": "2024-07-29T15:15:12.873",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Defer work in bpf_timer_cancel_and_free\n\nCurrently, the same case as previous patch (two timer callbacks trying\nto cancel each other) can be invoked through bpf_map_update_elem as\nwell, or more precisely, freeing map elements containing timers. Since\nthis relies on hrtimer_cancel as well, it is prone to the same deadlock\nsituation as the previous patch.\n\nIt would be sufficient to use hrtimer_try_to_cancel to fix this problem,\nas the timer cannot be enqueued after async_cancel_and_free. Once\nasync_cancel_and_free has been done, the timer must be reinitialized\nbefore it can be armed again. The callback running in parallel trying to\narm the timer will fail, and freeing bpf_hrtimer without waiting is\nsufficient (given kfree_rcu), and bpf_timer_cb will return\nHRTIMER_NORESTART, preventing the timer from being rearmed again.\n\nHowever, there exists a UAF scenario where the callback arms the timer\nbefore entering this function, such that if cancellation fails (due to\ntimer callback invoking this routine, or the target timer callback\nrunning concurrently). In such a case, if the timer expiration is\nsignificantly far in the future, the RCU grace period expiration\nhappening before it will free the bpf_hrtimer state and along with it\nthe struct hrtimer, that is enqueued.\n\nHence, it is clear cancellation needs to occur after\nasync_cancel_and_free, and yet it cannot be done inline due to deadlock\nissues. We thus modify bpf_timer_cancel_and_free to defer work to the\nglobal workqueue, adding a work_struct alongside rcu_head (both used at\n_different_ points of time, so can share space).\n\nUpdate existing code comments to reflect the new state of affairs."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/7aa5a19279c3639ae8b758b63f05d0c616a39fa1",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a6fcd19d7eac1335eb76bc16b6a66b7f574d1d69",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

49
CVE-2024/CVE-2024-410xx/CVE-2024-41046.json Normal file
View File

@ -0,0 +1,49 @@
{
"id": "CVE-2024-41046",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:12.943",
"lastModified": "2024-07-29T15:15:12.943",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: lantiq_etop: fix double free in detach\n\nThe number of the currently released descriptor is never incremented\nwhich results in the same skb being released multiple times."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/1a2db00a554cfda57c397cce79b2804bf9633fec",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/22b16618a80858b3a9d607708444426948cc4ae1",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/69ad5fa0ce7c548262e0770fc2b726fe7ab4f156",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/84aaaa796a19195fc59290154fef9aeb1fba964f",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/907443174e76b854d28024bd079f0e53b94dc9a1",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/9d23909ae041761cb2aa0c3cb1748598d8b6bc54",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/c2b66e2b3939af63699e4a4bd25a8ac4a9b1d1b3",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/e1533b6319ab9c3a97dad314dd88b3783bc41b69",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

37
CVE-2024/CVE-2024-410xx/CVE-2024-41047.json Normal file
View File

@ -0,0 +1,37 @@
{
"id": "CVE-2024-41047",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:13.027",
"lastModified": "2024-07-29T15:15:13.027",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Fix XDP program unloading while removing the driver\n\nThe commit 6533e558c650 (\"i40e: Fix reset path while removing\nthe driver\") introduced a new PF state \"__I40E_IN_REMOVE\" to block\nmodifying the XDP program while the driver is being removed.\nUnfortunately, such a change is useful only if the \".ndo_bpf()\"\ncallback was called out of the rmmod context because unloading the\nexisting XDP program is also a part of driver removing procedure.\nIn other words, from the rmmod context the driver is expected to\nunload the XDP program without reporting any errors. Otherwise,\nthe kernel warning with callstack is printed out to dmesg.\n\nExample failing scenario:\n 1. Load the i40e driver.\n 2. Load the XDP program.\n 3. Unload the i40e driver (using \"rmmod\" command).\n\nThe example kernel warning log:\n\n[ +0.004646] WARNING: CPU: 94 PID: 10395 at net/core/dev.c:9290 unregister_netdevice_many_notify+0x7a9/0x870\n[...]\n[ +0.010959] RIP: 0010:unregister_netdevice_many_notify+0x7a9/0x870\n[...]\n[ +0.002726] Call Trace:\n[ +0.002457] <TASK>\n[ +0.002119] ? __warn+0x80/0x120\n[ +0.003245] ? unregister_netdevice_many_notify+0x7a9/0x870\n[ +0.005586] ? report_bug+0x164/0x190\n[ +0.003678] ? handle_bug+0x3c/0x80\n[ +0.003503] ? exc_invalid_op+0x17/0x70\n[ +0.003846] ? asm_exc_invalid_op+0x1a/0x20\n[ +0.004200] ? unregister_netdevice_many_notify+0x7a9/0x870\n[ +0.005579] ? unregister_netdevice_many_notify+0x3cc/0x870\n[ +0.005586] unregister_netdevice_queue+0xf7/0x140\n[ +0.004806] unregister_netdev+0x1c/0x30\n[ +0.003933] i40e_vsi_release+0x87/0x2f0 [i40e]\n[ +0.004604] i40e_remove+0x1a1/0x420 [i40e]\n[ +0.004220] pci_device_remove+0x3f/0xb0\n[ +0.003943] device_release_driver_internal+0x19f/0x200\n[ +0.005243] driver_detach+0x48/0x90\n[ +0.003586] bus_remove_driver+0x6d/0xf0\n[ +0.003939] pci_unregister_driver+0x2e/0xb0\n[ +0.004278] i40e_exit_module+0x10/0x5f0 [i40e]\n[ +0.004570] __do_sys_delete_module.isra.0+0x197/0x310\n[ +0.005153] do_syscall_64+0x85/0x170\n[ +0.003684] ? syscall_exit_to_user_mode+0x69/0x220\n[ +0.004886] ? do_syscall_64+0x95/0x170\n[ +0.003851] ? exc_page_fault+0x7e/0x180\n[ +0.003932] entry_SYSCALL_64_after_hwframe+0x71/0x79\n[ +0.005064] RIP: 0033:0x7f59dc9347cb\n[ +0.003648] Code: 73 01 c3 48 8b 0d 65 16 0c 00 f7 d8 64 89 01 48 83\nc8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f\n05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 35 16 0c 00 f7 d8 64 89 01 48\n[ +0.018753] RSP: 002b:00007ffffac99048 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0\n[ +0.007577] RAX: ffffffffffffffda RBX: 0000559b9bb2f6e0 RCX: 00007f59dc9347cb\n[ +0.007140] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 0000559b9bb2f748\n[ +0.007146] RBP: 00007ffffac99070 R08: 1999999999999999 R09: 0000000000000000\n[ +0.007133] R10: 00007f59dc9a5ac0 R11: 0000000000000206 R12: 0000000000000000\n[ +0.007141] R13: 00007ffffac992d8 R14: 0000559b9bb2f6e0 R15: 0000000000000000\n[ +0.007151] </TASK>\n[ +0.002204] ---[ end trace 0000000000000000 ]---\n\nFix this by checking if the XDP program is being loaded or unloaded.\nThen, block only loading a new program while \"__I40E_IN_REMOVE\" is set.\nAlso, move testing \"__I40E_IN_REMOVE\" flag to the beginning of XDP_SETUP\ncallback to avoid unnecessary operations and checks."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/0075b8c94d76830c7b6f018f6e4eeb0bf6465fdc",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/01fc5142ae6b06b61ed51a624f2732d6525d8ea3",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/4bc336b2345f1485438c0eb7246d9c8a8d09f8ff",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/5266302cb2c74d8ab0e9a69d5752fffaea70496e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/b399a68054dfb36eed121846ef5fcddba40b7740",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

37
CVE-2024/CVE-2024-410xx/CVE-2024-41048.json Normal file
View File

@ -0,0 +1,37 @@
{
"id": "CVE-2024-41048",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:13.103",
"lastModified": "2024-07-29T15:15:13.103",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nskmsg: Skip zero length skb in sk_msg_recvmsg\n\nWhen running BPF selftests (./test_progs -t sockmap_basic) on a Loongarch\nplatform, the following kernel panic occurs:\n\n [...]\n Oops[#1]:\n CPU: 22 PID: 2824 Comm: test_progs Tainted: G OE 6.10.0-rc2+ #18\n Hardware name: LOONGSON Dabieshan/Loongson-TC542F0, BIOS Loongson-UDK2018\n ... ...\n ra: 90000000048bf6c0 sk_msg_recvmsg+0x120/0x560\n ERA: 9000000004162774 copy_page_to_iter+0x74/0x1c0\n CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)\n PRMD: 0000000c (PPLV0 +PIE +PWE)\n EUEN: 00000007 (+FPE +SXE +ASXE -BTE)\n ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7)\n ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0)\n BADV: 0000000000000040\n PRID: 0014c011 (Loongson-64bit, Loongson-3C5000)\n Modules linked in: bpf_testmod(OE) xt_CHECKSUM xt_MASQUERADE xt_conntrack\n Process test_progs (pid: 2824, threadinfo=0000000000863a31, task=...)\n Stack : ...\n Call Trace:\n [<9000000004162774>] copy_page_to_iter+0x74/0x1c0\n [<90000000048bf6c0>] sk_msg_recvmsg+0x120/0x560\n [<90000000049f2b90>] tcp_bpf_recvmsg_parser+0x170/0x4e0\n [<90000000049aae34>] inet_recvmsg+0x54/0x100\n [<900000000481ad5c>] sock_recvmsg+0x7c/0xe0\n [<900000000481e1a8>] __sys_recvfrom+0x108/0x1c0\n [<900000000481e27c>] sys_recvfrom+0x1c/0x40\n [<9000000004c076ec>] do_syscall+0x8c/0xc0\n [<9000000003731da4>] handle_syscall+0xc4/0x160\n Code: ...\n ---[ end trace 0000000000000000 ]---\n Kernel panic - not syncing: Fatal exception\n Kernel relocated by 0x3510000\n .text @ 0x9000000003710000\n .data @ 0x9000000004d70000\n .bss @ 0x9000000006469400\n ---[ end Kernel panic - not syncing: Fatal exception ]---\n [...]\n\nThis crash happens every time when running sockmap_skb_verdict_shutdown\nsubtest in sockmap_basic.\n\nThis crash is because a NULL pointer is passed to page_address() in the\nsk_msg_recvmsg(). Due to the different implementations depending on the\narchitecture, page_address(NULL) will trigger a panic on Loongarch\nplatform but not on x86 platform. So this bug was hidden on x86 platform\nfor a while, but now it is exposed on Loongarch platform. The root cause\nis that a zero length skb (skb->len == 0) was put on the queue.\n\nThis zero length skb is a TCP FIN packet, which was sent by shutdown(),\ninvoked in test_sockmap_skb_verdict_shutdown():\n\n\tshutdown(p1, SHUT_WR);\n\nIn this case, in sk_psock_skb_ingress_enqueue(), num_sge is zero, and no\npage is put to this sge (see sg_set_page in sg_set_page), but this empty\nsge is queued into ingress_msg list.\n\nAnd in sk_msg_recvmsg(), this empty sge is used, and a NULL page is got by\nsg_page(sge). Pass this NULL page to copy_page_to_iter(), which passes it\nto kmap_local_page() and to page_address(), then kernel panics.\n\nTo solve this, we should skip this zero length skb. So in sk_msg_recvmsg(),\nif copy is zero, that means it's a zero length skb, skip invoking\ncopy_page_to_iter(). We are using the EFAULT return triggered by\ncopy_page_to_iter to check for is_fin in tcp_bpf.c."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/195b7bcdfc5adc5b2468f279dd9eb7eebd2e7632",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/b180739b45a38b4caa88fe16bb5273072e6613dc",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/f0c18025693707ec344a70b6887f7450bf4c826b",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/f8bd689f37f4198a4c61c4684f591ba639595b97",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/fb61d7b9fb6ef0032de469499a54dab4c7260d0d",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

45
CVE-2024/CVE-2024-410xx/CVE-2024-41049.json Normal file
View File

@ -0,0 +1,45 @@
{
"id": "CVE-2024-41049",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:13.177",
"lastModified": "2024-07-29T15:15:13.177",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfilelock: fix potential use-after-free in posix_lock_inode\n\nLight Hsieh reported a KASAN UAF warning in trace_posix_lock_inode().\nThe request pointer had been changed earlier to point to a lock entry\nthat was added to the inode's list. However, before the tracepoint could\nfire, another task raced in and freed that lock.\n\nFix this by moving the tracepoint inside the spinlock, which should\nensure that this doesn't happen."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/02a8964260756c70b20393ad4006948510ac9967",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/116599f6a26906cf33f67975c59f0692ecf7e9b2",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/1b3ec4f7c03d4b07bad70697d7e2f4088d2cfe92",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/1cbbb3d9475c403ebedc327490c7c2b991398197",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/432b06b69d1d354a171f7499141116536579eb6a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/5cb36e35bc10ea334810937990c2b9023dacb1b0",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/7d4c14f4b511fd4c0dc788084ae59b4656ace58b",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

33
CVE-2024/CVE-2024-410xx/CVE-2024-41050.json Normal file
View File

@ -0,0 +1,33 @@
{
"id": "CVE-2024-41050",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:13.260",
"lastModified": "2024-07-29T15:15:13.260",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: cyclic allocation of msg_id to avoid reuse\n\nReusing the msg_id after a maliciously completed reopen request may cause\na read request to remain unprocessed and result in a hung, as shown below:\n\n t1 | t2 | t3\n-------------------------------------------------\ncachefiles_ondemand_select_req\n cachefiles_ondemand_object_is_close(A)\n cachefiles_ondemand_set_object_reopening(A)\n queue_work(fscache_object_wq, &info->work)\n ondemand_object_worker\n cachefiles_ondemand_init_object(A)\n cachefiles_ondemand_send_req(OPEN)\n // get msg_id 6\n wait_for_completion(&req_A->done)\ncachefiles_ondemand_daemon_read\n // read msg_id 6 req_A\n cachefiles_ondemand_get_fd\n copy_to_user\n // Malicious completion msg_id 6\n copen 6,-1\n cachefiles_ondemand_copen\n complete(&req_A->done)\n // will not set the object to close\n // because ondemand_id && fd is valid.\n\n // ondemand_object_worker() is done\n // but the object is still reopening.\n\n // new open req_B\n cachefiles_ondemand_init_object(B)\n cachefiles_ondemand_send_req(OPEN)\n // reuse msg_id 6\nprocess_open_req\n copen 6,A.size\n // The expected failed copen was executed successfully\n\nExpect copen to fail, and when it does, it closes fd, which sets the\nobject to close, and then close triggers reopen again. However, due to\nmsg_id reuse resulting in a successful copen, the anonymous fd is not\nclosed until the daemon exits. Therefore read requests waiting for reopen\nto complete may trigger hung task.\n\nTo avoid this issue, allocate the msg_id cyclically to avoid reusing the\nmsg_id for a very short duration of time."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/19f4f399091478c95947f6bd7ad61622300c30d9",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/35710c6c4a1c64478ec1b5e0e81d386c0844dec6",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/9d3bf4e9aa23f0d9e99ebe7a94f232ddba54ee17",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/de045a82e1a4e04be62718d3c2981a55150765a0",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

33
CVE-2024/CVE-2024-410xx/CVE-2024-41051.json Normal file
View File

@ -0,0 +1,33 @@
{
"id": "CVE-2024-41051",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:13.327",
"lastModified": "2024-07-29T15:15:13.327",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: wait for ondemand_object_worker to finish when dropping object\n\nWhen queuing ondemand_object_worker() to re-open the object,\ncachefiles_object is not pinned. The cachefiles_object may be freed when\nthe pending read request is completed intentionally and the related\nerofs is umounted. If ondemand_object_worker() runs after the object is\nfreed, it will incur use-after-free problem as shown below.\n\nprocess A processs B process C process D\n\ncachefiles_ondemand_send_req()\n// send a read req X\n// wait for its completion\n\n // close ondemand fd\n cachefiles_ondemand_fd_release()\n // set object as CLOSE\n\n cachefiles_ondemand_daemon_read()\n // set object as REOPENING\n queue_work(fscache_wq, &info->ondemand_work)\n\n // close /dev/cachefiles\n cachefiles_daemon_release\n cachefiles_flush_reqs\n complete(&req->done)\n\n// read req X is completed\n// umount the erofs fs\ncachefiles_put_object()\n// object will be freed\ncachefiles_ondemand_deinit_obj_info()\nkmem_cache_free(object)\n // both info and object are freed\n ondemand_object_worker()\n\nWhen dropping an object, it is no longer necessary to reopen the object,\nso use cancel_work_sync() to cancel or wait for ondemand_object_worker()\nto finish."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/12e009d60852f7bce0afc373ca0b320f14150418",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/b26525b2183632f16a3a4108fe6a4bfa8afac6ed",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/d3179bae72b1b5e555ba839d6d9f40a350a4d78a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/ec9289369259d982e735a71437e32e6b4035290c",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

29
CVE-2024/CVE-2024-410xx/CVE-2024-41052.json Normal file
View File

@ -0,0 +1,29 @@
{
"id": "CVE-2024-41052",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:13.407",
"lastModified": "2024-07-29T15:15:13.407",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: Init the count variable in collecting hot-reset devices\n\nThe count variable is used without initialization, it results in mistakes\nin the device counting and crashes the userspace if the get hot reset info\npath is triggered."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/5a88a3f67e37e39f933b38ebb4985ba5822e9eca",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/f44136b9652291ac1fc39ca67c053ac624d0d11b",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/f476dffc52ea70745dcabf63288e770e50ac9ab3",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

29
CVE-2024/CVE-2024-410xx/CVE-2024-41053.json Normal file
View File

@ -0,0 +1,29 @@
{
"id": "CVE-2024-41053",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:13.473",
"lastModified": "2024-07-29T15:15:13.473",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: Fix ufshcd_abort_one racing issue\n\nWhen ufshcd_abort_one is racing with the completion ISR, the completed tag\nof the request's mq_hctx pointer will be set to NULL by ISR. Return\nsuccess when request is completed by ISR because ufshcd_abort_one does not\nneed to do anything.\n\nThe racing flow is:\n\nThread A\nufshcd_err_handler\t\t\t\t\tstep 1\n\t...\n\tufshcd_abort_one\n\t\tufshcd_try_to_abort_task\n\t\t\tufshcd_cmd_inflight(true)\tstep 3\n\t\tufshcd_mcq_req_to_hwq\n\t\t\tblk_mq_unique_tag\n\t\t\t\trq->mq_hctx->queue_num\tstep 5\n\nThread B\nufs_mtk_mcq_intr(cq complete ISR)\t\t\tstep 2\n\tscsi_done\n\t\t...\n\t\t__blk_mq_free_request\n\t\t\trq->mq_hctx = NULL;\t\tstep 4\n\nBelow is KE back trace.\n ufshcd_try_to_abort_task: cmd at tag 41 not pending in the device.\n ufshcd_try_to_abort_task: cmd at tag=41 is cleared.\n Aborting tag 41 / CDB 0x28 succeeded\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000194\n pc : [0xffffffddd7a79bf8] blk_mq_unique_tag+0x8/0x14\n lr : [0xffffffddd6155b84] ufshcd_mcq_req_to_hwq+0x1c/0x40 [ufs_mediatek_mod_ise]\n do_mem_abort+0x58/0x118\n el1_abort+0x3c/0x5c\n el1h_64_sync_handler+0x54/0x90\n el1h_64_sync+0x68/0x6c\n blk_mq_unique_tag+0x8/0x14\n ufshcd_err_handler+0xae4/0xfa8 [ufs_mediatek_mod_ise]\n process_one_work+0x208/0x4fc\n worker_thread+0x228/0x438\n kthread+0x104/0x1d4\n ret_from_fork+0x10/0x20"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/74736103fb4123c71bf11fb7a6abe7c884c5269e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/b5a6ac887256762758bfe7f2918cb0233aa544f4",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/c3111b3cf3889bfa7b73ebff83d7397db9b7e5e0",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

29
CVE-2024/CVE-2024-410xx/CVE-2024-41054.json Normal file
View File

@ -0,0 +1,29 @@
{
"id": "CVE-2024-41054",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:13.557",
"lastModified": "2024-07-29T15:15:13.557",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: Fix ufshcd_clear_cmd racing issue\n\nWhen ufshcd_clear_cmd is racing with the completion ISR, the completed tag\nof the request's mq_hctx pointer will be set to NULL by the ISR. And\nufshcd_clear_cmd's call to ufshcd_mcq_req_to_hwq will get NULL pointer KE.\nReturn success when the request is completed by ISR because sq does not\nneed cleanup.\n\nThe racing flow is:\n\nThread A\nufshcd_err_handler\t\t\t\t\tstep 1\n\tufshcd_try_to_abort_task\n\t\tufshcd_cmd_inflight(true)\t\tstep 3\n\t\tufshcd_clear_cmd\n\t\t\t...\n\t\t\tufshcd_mcq_req_to_hwq\n\t\t\tblk_mq_unique_tag\n\t\t\t\trq->mq_hctx->queue_num\tstep 5\n\nThread B\nufs_mtk_mcq_intr(cq complete ISR)\t\t\tstep 2\n\tscsi_done\n\t\t...\n\t\t__blk_mq_free_request\n\t\t\trq->mq_hctx = NULL;\t\tstep 4\n\nBelow is KE back trace:\n\n ufshcd_try_to_abort_task: cmd pending in the device. tag = 6\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000194\n pc : [0xffffffd589679bf8] blk_mq_unique_tag+0x8/0x14\n lr : [0xffffffd5862f95b4] ufshcd_mcq_sq_cleanup+0x6c/0x1cc [ufs_mediatek_mod_ise]\n Workqueue: ufs_eh_wq_0 ufshcd_err_handler [ufs_mediatek_mod_ise]\n Call trace:\n dump_backtrace+0xf8/0x148\n show_stack+0x18/0x24\n dump_stack_lvl+0x60/0x7c\n dump_stack+0x18/0x3c\n mrdump_common_die+0x24c/0x398 [mrdump]\n ipanic_die+0x20/0x34 [mrdump]\n notify_die+0x80/0xd8\n die+0x94/0x2b8\n __do_kernel_fault+0x264/0x298\n do_page_fault+0xa4/0x4b8\n do_translation_fault+0x38/0x54\n do_mem_abort+0x58/0x118\n el1_abort+0x3c/0x5c\n el1h_64_sync_handler+0x54/0x90\n el1h_64_sync+0x68/0x6c\n blk_mq_unique_tag+0x8/0x14\n ufshcd_clear_cmd+0x34/0x118 [ufs_mediatek_mod_ise]\n ufshcd_try_to_abort_task+0x2c8/0x5b4 [ufs_mediatek_mod_ise]\n ufshcd_err_handler+0xa7c/0xfa8 [ufs_mediatek_mod_ise]\n process_one_work+0x208/0x4fc\n worker_thread+0x228/0x438\n kthread+0x104/0x1d4\n ret_from_fork+0x10/0x20"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/11d81233f4ebe6907b12c79ad7d8787aa4db0633",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/9307a998cb9846a2557fdca286997430bee36a2a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/bed0896008334eeee4b4bfd7150491ca098cbf72",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

41
CVE-2024/CVE-2024-410xx/CVE-2024-41055.json Normal file
View File

@ -0,0 +1,41 @@
{
"id": "CVE-2024-41055",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:13.620",
"lastModified": "2024-07-29T15:15:13.620",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: prevent derefencing NULL ptr in pfn_section_valid()\n\nCommit 5ec8e8ea8b77 (\"mm/sparsemem: fix race in accessing\nmemory_section->usage\") changed pfn_section_valid() to add a READ_ONCE()\ncall around \"ms->usage\" to fix a race with section_deactivate() where\nms->usage can be cleared. The READ_ONCE() call, by itself, is not enough\nto prevent NULL pointer dereference. We need to check its value before\ndereferencing it."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/0100aeb8a12d51950418e685f879cc80cb8e5982",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/797323d1cf92d09b7a017cfec576d9babf99cde7",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/82f0b6f041fad768c28b4ad05a683065412c226e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/941e816185661bf2b44b488565d09444ae316509",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/adccdf702b4ea913ded5ff512239e382d7473b63",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/bc17f2377818dca643a74499c3f5333500c90503",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

33
CVE-2024/CVE-2024-410xx/CVE-2024-41056.json Normal file
View File

@ -0,0 +1,33 @@
{
"id": "CVE-2024-41056",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:13.703",
"lastModified": "2024-07-29T15:15:13.703",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: cs_dsp: Use strnlen() on name fields in V1 wmfw files\n\nUse strnlen() instead of strlen() on the algorithm and coefficient name\nstring arrays in V1 wmfw files.\n\nIn V1 wmfw files the name is a NUL-terminated string in a fixed-size\narray. cs_dsp should protect against overrunning the array if the NUL\nterminator is missing."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/16d76857d6b5426f41b587d0bb925de3f25bfb21",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/392cff2f86a25a4286ff3151c7739143c61c1781",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/53a9f8cdbf35a682e9894e1a606f4640e5359185",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/680e126ec0400f6daecf0510c5bb97a55779ff03",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

33
CVE-2024/CVE-2024-410xx/CVE-2024-41057.json Normal file
View File

@ -0,0 +1,33 @@
{
"id": "CVE-2024-41057",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:13.773",
"lastModified": "2024-07-29T15:15:13.773",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: fix slab-use-after-free in cachefiles_withdraw_cookie()\n\nWe got the following issue in our fault injection stress test:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in cachefiles_withdraw_cookie+0x4d9/0x600\nRead of size 8 at addr ffff888118efc000 by task kworker/u78:0/109\n\nCPU: 13 PID: 109 Comm: kworker/u78:0 Not tainted 6.8.0-dirty #566\nCall Trace:\n <TASK>\n kasan_report+0x93/0xc0\n cachefiles_withdraw_cookie+0x4d9/0x600\n fscache_cookie_state_machine+0x5c8/0x1230\n fscache_cookie_worker+0x91/0x1c0\n process_one_work+0x7fa/0x1800\n [...]\n\nAllocated by task 117:\n kmalloc_trace+0x1b3/0x3c0\n cachefiles_acquire_volume+0xf3/0x9c0\n fscache_create_volume_work+0x97/0x150\n process_one_work+0x7fa/0x1800\n [...]\n\nFreed by task 120301:\n kfree+0xf1/0x2c0\n cachefiles_withdraw_cache+0x3fa/0x920\n cachefiles_put_unbind_pincount+0x1f6/0x250\n cachefiles_daemon_release+0x13b/0x290\n __fput+0x204/0xa00\n task_work_run+0x139/0x230\n do_exit+0x87a/0x29b0\n [...]\n==================================================================\n\nFollowing is the process that triggers the issue:\n\n p1 | p2\n------------------------------------------------------------\n fscache_begin_lookup\n fscache_begin_volume_access\n fscache_cache_is_live(fscache_cache)\ncachefiles_daemon_release\n cachefiles_put_unbind_pincount\n cachefiles_daemon_unbind\n cachefiles_withdraw_cache\n fscache_withdraw_cache\n fscache_set_cache_state(cache, FSCACHE_CACHE_IS_WITHDRAWN);\n cachefiles_withdraw_objects(cache)\n fscache_wait_for_objects(fscache)\n atomic_read(&fscache_cache->object_count) == 0\n fscache_perform_lookup\n cachefiles_lookup_cookie\n cachefiles_alloc_object\n refcount_set(&object->ref, 1);\n object->volume = volume\n fscache_count_object(vcookie->cache);\n atomic_inc(&fscache_cache->object_count)\n cachefiles_withdraw_volumes\n cachefiles_withdraw_volume\n fscache_withdraw_volume\n __cachefiles_free_volume\n kfree(cachefiles_volume)\n fscache_cookie_state_machine\n cachefiles_withdraw_cookie\n cache = object->volume->cache;\n // cachefiles_volume UAF !!!\n\nAfter setting FSCACHE_CACHE_IS_WITHDRAWN, wait for all the cookie lookups\nto complete first, and then wait for fscache_cache->object_count == 0 to\navoid the cookie exiting after the volume has been freed and triggering\nthe above issue. Therefore call fscache_withdraw_volume() before calling\ncachefiles_withdraw_objects().\n\nThis way, after setting FSCACHE_CACHE_IS_WITHDRAWN, only the following two\ncases will occur:\n1) fscache_begin_lookup fails in fscache_begin_volume_access().\n2) fscache_withdraw_volume() will ensure that fscache_count_object() has\n been executed before calling fscache_wait_for_objects()."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/5d8f805789072ea7fd39504694b7bd17e5f751c4",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/8de253177112a47c9af157d23ae934779188b4e1",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/9e67589a4a7b7e5660b524d1d5fe61242bcbcc11",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/ef81340401e8a371d6b17f69e76d861920972cfe",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

33
CVE-2024/CVE-2024-410xx/CVE-2024-41058.json Normal file
View File

@ -0,0 +1,33 @@
{
"id": "CVE-2024-41058",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:13.847",
"lastModified": "2024-07-29T15:15:13.847",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: fix slab-use-after-free in fscache_withdraw_volume()\n\nWe got the following issue in our fault injection stress test:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in fscache_withdraw_volume+0x2e1/0x370\nRead of size 4 at addr ffff88810680be08 by task ondemand-04-dae/5798\n\nCPU: 0 PID: 5798 Comm: ondemand-04-dae Not tainted 6.8.0-dirty #565\nCall Trace:\n kasan_check_range+0xf6/0x1b0\n fscache_withdraw_volume+0x2e1/0x370\n cachefiles_withdraw_volume+0x31/0x50\n cachefiles_withdraw_cache+0x3ad/0x900\n cachefiles_put_unbind_pincount+0x1f6/0x250\n cachefiles_daemon_release+0x13b/0x290\n __fput+0x204/0xa00\n task_work_run+0x139/0x230\n\nAllocated by task 5820:\n __kmalloc+0x1df/0x4b0\n fscache_alloc_volume+0x70/0x600\n __fscache_acquire_volume+0x1c/0x610\n erofs_fscache_register_volume+0x96/0x1a0\n erofs_fscache_register_fs+0x49a/0x690\n erofs_fc_fill_super+0x6c0/0xcc0\n vfs_get_super+0xa9/0x140\n vfs_get_tree+0x8e/0x300\n do_new_mount+0x28c/0x580\n [...]\n\nFreed by task 5820:\n kfree+0xf1/0x2c0\n fscache_put_volume.part.0+0x5cb/0x9e0\n erofs_fscache_unregister_fs+0x157/0x1b0\n erofs_kill_sb+0xd9/0x1c0\n deactivate_locked_super+0xa3/0x100\n vfs_get_super+0x105/0x140\n vfs_get_tree+0x8e/0x300\n do_new_mount+0x28c/0x580\n [...]\n==================================================================\n\nFollowing is the process that triggers the issue:\n\n mount failed | daemon exit\n------------------------------------------------------------\n deactivate_locked_super cachefiles_daemon_release\n erofs_kill_sb\n erofs_fscache_unregister_fs\n fscache_relinquish_volume\n __fscache_relinquish_volume\n fscache_put_volume(fscache_volume, fscache_volume_put_relinquish)\n zero = __refcount_dec_and_test(&fscache_volume->ref, &ref);\n cachefiles_put_unbind_pincount\n cachefiles_daemon_unbind\n cachefiles_withdraw_cache\n cachefiles_withdraw_volumes\n list_del_init(&volume->cache_link)\n fscache_free_volume(fscache_volume)\n cache->ops->free_volume\n cachefiles_free_volume\n list_del_init(&cachefiles_volume->cache_link);\n kfree(fscache_volume)\n cachefiles_withdraw_volume\n fscache_withdraw_volume\n fscache_volume->n_accesses\n // fscache_volume UAF !!!\n\nThe fscache_volume in cache->volumes must not have been freed yet, but its\nreference count may be 0. So use the new fscache_try_get_volume() helper\nfunction try to get its reference count.\n\nIf the reference count of fscache_volume is 0, fscache_put_volume() is\nfreeing it, so wait for it to be removed from cache->volumes.\n\nIf its reference count is not 0, call cachefiles_withdraw_volume() with\nreference count protection to avoid the above issue."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/38b88d544216f806d93a273a62ff8ebe82254003",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/522018a0de6b6fcce60c04f86dfc5f0e4b6a1b36",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/90f17e47f1e209c6a3c92a1d038a0a80c95c460e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/9dd7f5663899ea13a6a73216106d9c13c37453e3",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

49
CVE-2024/CVE-2024-410xx/CVE-2024-41059.json Normal file
View File

@ -0,0 +1,49 @@
{
"id": "CVE-2024-41059",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:13.927",
"lastModified": "2024-07-29T15:15:13.927",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: fix uninit-value in copy_name\n\n[syzbot reported]\nBUG: KMSAN: uninit-value in sized_strscpy+0xc4/0x160\n sized_strscpy+0xc4/0x160\n copy_name+0x2af/0x320 fs/hfsplus/xattr.c:411\n hfsplus_listxattr+0x11e9/0x1a50 fs/hfsplus/xattr.c:750\n vfs_listxattr fs/xattr.c:493 [inline]\n listxattr+0x1f3/0x6b0 fs/xattr.c:840\n path_listxattr fs/xattr.c:864 [inline]\n __do_sys_listxattr fs/xattr.c:876 [inline]\n __se_sys_listxattr fs/xattr.c:873 [inline]\n __x64_sys_listxattr+0x16b/0x2f0 fs/xattr.c:873\n x64_sys_call+0x2ba0/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:195\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:3877 [inline]\n slab_alloc_node mm/slub.c:3918 [inline]\n kmalloc_trace+0x57b/0xbe0 mm/slub.c:4065\n kmalloc include/linux/slab.h:628 [inline]\n hfsplus_listxattr+0x4cc/0x1a50 fs/hfsplus/xattr.c:699\n vfs_listxattr fs/xattr.c:493 [inline]\n listxattr+0x1f3/0x6b0 fs/xattr.c:840\n path_listxattr fs/xattr.c:864 [inline]\n __do_sys_listxattr fs/xattr.c:876 [inline]\n __se_sys_listxattr fs/xattr.c:873 [inline]\n __x64_sys_listxattr+0x16b/0x2f0 fs/xattr.c:873\n x64_sys_call+0x2ba0/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:195\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[Fix]\nWhen allocating memory to strbuf, initialize memory to 0."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/0570730c16307a72f8241df12363f76600baf57d",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/22999936b91ba545ce1fbbecae6895127945e91c",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/34f8efd2743f2d961e92e8e994de4c7a2f9e74a0",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/72805debec8f7aa342da194fe0ed7bc8febea335",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/ad57dc2caf1e0a3c0a9904400fae7afbc9f74bb2",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/c733e24a61cbcff10f660041d6d84d32bb7e4cb4",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/d02d8c1dacafb28930c39e16d48e40bb6e4cbc70",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/f08956d8e0f80fd0d4ad84ec917302bb2f3a9c6a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

37
CVE-2024/CVE-2024-410xx/CVE-2024-41060.json Normal file
View File

@ -0,0 +1,37 @@
{
"id": "CVE-2024-41060",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:14.030",
"lastModified": "2024-07-29T15:15:14.030",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: check bo_va->bo is non-NULL before using it\n\nThe call to radeon_vm_clear_freed might clear bo_va->bo, so\nwe have to check it before dereferencing it."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/6fb15dcbcf4f212930350eaee174bb60ed40a536",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/8a500b3a5f0a58c6f99039091fbd715f64f2f8af",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a2b201f83971df03c8e81a480b2f2846ae8ce1a3",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a9100f17428cb733c4f6fbb132d98bed76318342",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/f13c96e0e325a057c03f8a47734adb360e112efe",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

25
CVE-2024/CVE-2024-410xx/CVE-2024-41061.json Normal file
View File

@ -0,0 +1,25 @@
{
"id": "CVE-2024-41061",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:14.103",
"lastModified": "2024-07-29T15:15:14.103",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix array-index-out-of-bounds in dml2/FCLKChangeSupport\n\n[Why]\nPotential out of bounds access in dml2_calculate_rq_and_dlg_params()\nbecause the value of out_lowest_state_idx used as an index for FCLKChangeSupport\narray can be greater than 1.\n\n[How]\nCurrently dml2 core specifies identical values for all FCLKChangeSupport\nelements. Always use index 0 in the condition to avoid out of bounds access."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/0ad4b4a2f6357c45fbe444ead1a929a0b4017d03",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/94166fe12543fbef122ca2d093e794ea41073a85",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

33
CVE-2024/CVE-2024-410xx/CVE-2024-41062.json Normal file
View File

@ -0,0 +1,33 @@
{
"id": "CVE-2024-41062",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:14.173",
"lastModified": "2024-07-29T15:15:14.173",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbluetooth/l2cap: sync sock recv cb and release\n\nThe problem occurs between the system call to close the sock and hci_rx_work,\nwhere the former releases the sock and the latter accesses it without lock protection.\n\n CPU0 CPU1\n ---- ----\n sock_close hci_rx_work\n\t l2cap_sock_release hci_acldata_packet\n\t l2cap_sock_kill l2cap_recv_frame\n\t sk_free l2cap_conless_channel\n\t l2cap_sock_recv_cb\n\nIf hci_rx_work processes the data that needs to be received before the sock is\nclosed, then everything is normal; Otherwise, the work thread may access the\nreleased sock when receiving data.\n\nAdd a chan mutex in the rx callback of the sock to achieve synchronization between\nthe sock release and recv cb.\n\nSock is dead, so set chan data to NULL, avoid others use invalid sock pointer."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/3b732449b78183d17178db40be3a4401cf3cd629",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/605572e64cd9cebb05ed609d96cff05b50d18cdf",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/89e856e124f9ae548572c56b1b70c2255705f8fe",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/b803f30ea23e0968b6c8285c42adf0d862ab2bf6",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

49
CVE-2024/CVE-2024-410xx/CVE-2024-41063.json Normal file
View File

@ -0,0 +1,49 @@
{
"id": "CVE-2024-41063",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:14.243",
"lastModified": "2024-07-29T15:15:14.243",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_core: cancel all works upon hci_unregister_dev()\n\nsyzbot is reporting that calling hci_release_dev() from hci_error_reset()\ndue to hci_dev_put() from hci_error_reset() can cause deadlock at\ndestroy_workqueue(), for hci_error_reset() is called from\nhdev->req_workqueue which destroy_workqueue() needs to flush.\n\nWe need to make sure that hdev->{rx_work,cmd_work,tx_work} which are\nqueued into hdev->workqueue and hdev->{power_on,error_reset} which are\nqueued into hdev->req_workqueue are no longer running by the moment\n\n destroy_workqueue(hdev->workqueue);\n destroy_workqueue(hdev->req_workqueue);\n\nare called from hci_release_dev().\n\nCall cancel_work_sync() on these work items from hci_unregister_dev()\nas soon as hdev->list is removed from hci_dev_list."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/0d151a103775dd9645c78c97f77d6e2a5298d913",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/3f939bd73fed12dddc2a32a76116c19ca47c7678",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/48542881997e17b49dc16b93fe910e0cfcf7a9f9",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/96600c2e5ee8213dbab5df1617293d8e847bb4fa",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/9cfc84b1d464cc024286f42a090718f9067b80ed",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/d2ce562a5aff1dcd0c50d9808ea825ef90da909f",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/d6cbce18370641a21dd889e8613d8153df15eb39",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/ddeda6ca5f218b668b560d90fc31ae469adbfd92",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

45
CVE-2024/CVE-2024-410xx/CVE-2024-41064.json Normal file
View File

@ -0,0 +1,45 @@
{
"id": "CVE-2024-41064",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:14.330",
"lastModified": "2024-07-29T15:15:14.330",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/eeh: avoid possible crash when edev->pdev changes\n\nIf a PCI device is removed during eeh_pe_report_edev(), edev->pdev\nwill change and can cause a crash, hold the PCI rescan/remove lock\nwhile taking a copy of edev->pdev->bus."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/033c51dfdbb6b79ab43fb3587276fa82d0a329e1",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/428d940a8b6b3350b282c14d3f63350bde65c48b",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/4bc246d2d60d071314842fa448faa4ed39082aff",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/4fad7fef847b6028475dd7b4c14fcb82b3e51274",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/8836e1bf5838ac6c08760e0a2dd7cf6410aa7ff3",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a1216e62d039bf63a539bbe718536ec789a853dd",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/f23c3d1ca9c4b2d626242a4e7e1ec1770447f7b5",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

45
CVE-2024/CVE-2024-410xx/CVE-2024-41065.json Normal file
View File

@ -0,0 +1,45 @@
{
"id": "CVE-2024-41065",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:14.410",
"lastModified": "2024-07-29T15:15:14.410",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries: Whitelist dtl slub object for copying to userspace\n\nReading the dispatch trace log from /sys/kernel/debug/powerpc/dtl/cpu-*\nresults in a BUG() when the config CONFIG_HARDENED_USERCOPY is enabled as\nshown below.\n\n kernel BUG at mm/usercopy.c:102!\n Oops: Exception in kernel mode, sig: 5 [#1]\n LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries\n Modules linked in: xfs libcrc32c dm_service_time sd_mod t10_pi sg ibmvfc\n scsi_transport_fc ibmveth pseries_wdt dm_multipath dm_mirror dm_region_hash dm_log dm_mod fuse\n CPU: 27 PID: 1815 Comm: python3 Not tainted 6.10.0-rc3 #85\n Hardware name: IBM,9040-MRX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NM1060_042) hv:phyp pSeries\n NIP: c0000000005d23d4 LR: c0000000005d23d0 CTR: 00000000006ee6f8\n REGS: c000000120c078c0 TRAP: 0700 Not tainted (6.10.0-rc3)\n MSR: 8000000000029033 <SF,EE,ME,IR,DR,RI,LE> CR: 2828220f XER: 0000000e\n CFAR: c0000000001fdc80 IRQMASK: 0\n [ ... GPRs omitted ... ]\n NIP [c0000000005d23d4] usercopy_abort+0x78/0xb0\n LR [c0000000005d23d0] usercopy_abort+0x74/0xb0\n Call Trace:\n usercopy_abort+0x74/0xb0 (unreliable)\n __check_heap_object+0xf8/0x120\n check_heap_object+0x218/0x240\n __check_object_size+0x84/0x1a4\n dtl_file_read+0x17c/0x2c4\n full_proxy_read+0x8c/0x110\n vfs_read+0xdc/0x3a0\n ksys_read+0x84/0x144\n system_call_exception+0x124/0x330\n system_call_vectored_common+0x15c/0x2ec\n --- interrupt: 3000 at 0x7fff81f3ab34\n\nCommit 6d07d1cd300f (\"usercopy: Restrict non-usercopy caches to size 0\")\nrequires that only whitelisted areas in slab/slub objects can be copied to\nuserspace when usercopy hardening is enabled using CONFIG_HARDENED_USERCOPY.\nDtl contains hypervisor dispatch events which are expected to be read by\nprivileged users. Hence mark this safe for user access.\nSpecify useroffset=0 and usersize=DISPATCH_LOG_BYTES to whitelist the\nentire object."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/0f5892212c27be31792ef1daa89c8dac1b3047e4",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/1a14150e1656f7a332a943154fc486504db4d586",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/1ee68686d1e2a5da35d5650be0be1ce06fe2ceb2",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/6b16098148ea58a67430d90e20476be2377c3acd",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a7b952941ce07e1e7a2cafd08c64a98e14f553e6",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/e512a59b472684d8585125101ab03b86c2c1348a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/e59822f9d700349cd17968d22c979db23a2d347f",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

33
CVE-2024/CVE-2024-410xx/CVE-2024-41066.json Normal file
View File

@ -0,0 +1,33 @@
{
"id": "CVE-2024-41066",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:14.480",
"lastModified": "2024-07-29T15:15:14.480",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nibmvnic: Add tx check to prevent skb leak\n\nBelow is a summary of how the driver stores a reference to an skb during\ntransmit:\n tx_buff[free_map[consumer_index]]->skb = new_skb;\n free_map[consumer_index] = IBMVNIC_INVALID_MAP;\n consumer_index ++;\nWhere variable data looks like this:\n free_map == [4, IBMVNIC_INVALID_MAP, IBMVNIC_INVALID_MAP, 0, 3]\n \tconsumer_index^\n tx_buff == [skb=null, skb=<ptr>, skb=<ptr>, skb=null, skb=null]\n\nThe driver has checks to ensure that free_map[consumer_index] pointed to\na valid index but there was no check to ensure that this index pointed\nto an unused/null skb address. So, if, by some chance, our free_map and\ntx_buff lists become out of sync then we were previously risking an\nskb memory leak. This could then cause tcp congestion control to stop\nsending packets, eventually leading to ETIMEDOUT.\n\nTherefore, add a conditional to ensure that the skb address is null. If\nnot then warn the user (because this is still a bug that should be\npatched) and free the old pointer to prevent memleak/tcp problems."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/0983d288caf984de0202c66641577b739caad561",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/16ad1557cae582e79bb82dddd612d9bdfaa11d4c",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/267c61c4afed0ff9a2e83462abad3f41d8ca1f06",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/e7b75def33eae61ddaad6cb616c517dc3882eb2a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

25
CVE-2024/CVE-2024-410xx/CVE-2024-41067.json Normal file
View File

@ -0,0 +1,25 @@
{
"id": "CVE-2024-41067",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:14.560",
"lastModified": "2024-07-29T15:15:14.560",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: scrub: handle RST lookup error correctly\n\n[BUG]\nWhen running btrfs/060 with forced RST feature, it would crash the\nfollowing ASSERT() inside scrub_read_endio():\n\n\tASSERT(sector_nr < stripe->nr_sectors);\n\nBefore that, we would have tree dump from\nbtrfs_get_raid_extent_offset(), as we failed to find the RST entry for\nthe range.\n\n[CAUSE]\nInside scrub_submit_extent_sector_read() every time we allocated a new\nbbio we immediately called btrfs_map_block() to make sure there was some\nRST range covering the scrub target.\n\nBut if btrfs_map_block() fails, we immediately call endio for the bbio,\nwhile the bbio is newly allocated, it's completely empty.\n\nThen inside scrub_read_endio(), we go through the bvecs to find\nthe sector number (as bi_sector is no longer reliable if the bio is\nsubmitted to lower layers).\n\nAnd since the bio is empty, such bvecs iteration would not find any\nsector matching the sector, and return sector_nr == stripe->nr_sectors,\ntriggering the ASSERT().\n\n[FIX]\nInstead of calling btrfs_map_block() after allocating a new bbio, call\nbtrfs_map_block() first.\n\nSince our only objective of calling btrfs_map_block() is only to update\nstripe_len, there is really no need to do that after btrfs_alloc_bio().\n\nThis new timing would avoid the problem of handling empty bbio\ncompletely, and in fact fixes a possible race window for the old code,\nwhere if the submission thread is the only owner of the pending_io, the\nscrub would never finish (since we didn't decrease the pending_io\ncounter).\n\nAlthough the root cause of RST lookup failure still needs to be\naddressed."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/17d1fd302a53d7e456a7412da74be74a0cf63a72",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/2c49908634a2b97b1c3abe0589be2739ac5e7fd5",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

49
CVE-2024/CVE-2024-410xx/CVE-2024-41068.json Normal file
View File

@ -0,0 +1,49 @@
{
"id": "CVE-2024-41068",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:14.630",
"lastModified": "2024-07-29T15:15:14.630",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/sclp: Fix sclp_init() cleanup on failure\n\nIf sclp_init() fails it only partially cleans up: if there are multiple\nfailing calls to sclp_init() sclp_state_change_event will be added several\ntimes to sclp_reg_list, which results in the following warning:\n\n------------[ cut here ]------------\nlist_add double add: new=000003ffe1598c10, prev=000003ffe1598bf0, next=000003ffe1598c10.\nWARNING: CPU: 0 PID: 1 at lib/list_debug.c:35 __list_add_valid_or_report+0xde/0xf8\nCPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.10.0-rc3\nKrnl PSW : 0404c00180000000 000003ffe0d6076a (__list_add_valid_or_report+0xe2/0xf8)\n R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 RI:0 EA:3\n...\nCall Trace:\n [<000003ffe0d6076a>] __list_add_valid_or_report+0xe2/0xf8\n([<000003ffe0d60766>] __list_add_valid_or_report+0xde/0xf8)\n [<000003ffe0a8d37e>] sclp_init+0x40e/0x450\n [<000003ffe00009f2>] do_one_initcall+0x42/0x1e0\n [<000003ffe15b77a6>] do_initcalls+0x126/0x150\n [<000003ffe15b7a0a>] kernel_init_freeable+0x1ba/0x1f8\n [<000003ffe0d6650e>] kernel_init+0x2e/0x180\n [<000003ffe000301c>] __ret_from_fork+0x3c/0x60\n [<000003ffe0d759ca>] ret_from_fork+0xa/0x30\n\nFix this by removing sclp_state_change_event from sclp_reg_list when\nsclp_init() fails."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/0a31b3fdc7e735c4f8c65fe4339945c717ed6808",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/2e51db7ab71b89dc5a17068f5e201c69f13a4c9a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/455a6653d8700a81aa8ed2b6442a3be476007090",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/6434b33faaa063df500af355ee6c3942e0f8d982",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/79b4be70d5a160969b805f638ac5b4efd0aac7a3",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a778987afc36d5dc02a1f82d352a81edcaf7eb83",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/be0259796d0b76bbc7461e12c186814a9e58244c",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/cf521049fcd07071ed42dc9758fce7d5ee120ec6",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

33
CVE-2024/CVE-2024-410xx/CVE-2024-41069.json Normal file
View File

@ -0,0 +1,33 @@
{
"id": "CVE-2024-41069",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:14.713",
"lastModified": "2024-07-29T15:15:14.713",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: topology: Fix references to freed memory\n\nMost users after parsing a topology file, release memory used by it, so\nhaving pointer references directly into topology file contents is wrong.\nUse devm_kmemdup(), to allocate memory as needed."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/97ab304ecd95c0b1703ff8c8c3956dc6e2afe8e1",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/ab5a6208b4d6872b1c6ecea1867940fc668cc76d",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/b188d7f3dfab10e332e3c1066e18857964a520d2",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/ccae5c6a1fab9494c86b7856faf05e296c617702",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

45
CVE-2024/CVE-2024-410xx/CVE-2024-41070.json Normal file
View File

@ -0,0 +1,45 @@
{
"id": "CVE-2024-41070",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:14.787",
"lastModified": "2024-07-29T15:15:14.787",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group()\n\nAl reported a possible use-after-free (UAF) in kvm_spapr_tce_attach_iommu_group().\n\nIt looks up `stt` from tablefd, but then continues to use it after doing\nfdput() on the returned fd. After the fdput() the tablefd is free to be\nclosed by another thread. The close calls kvm_spapr_tce_release() and\nthen release_spapr_tce_table() (via call_rcu()) which frees `stt`.\n\nAlthough there are calls to rcu_read_lock() in\nkvm_spapr_tce_attach_iommu_group() they are not sufficient to prevent\nthe UAF, because `stt` is used outside the locked regions.\n\nWith an artifcial delay after the fdput() and a userspace program which\ntriggers the race, KASAN detects the UAF:\n\n BUG: KASAN: slab-use-after-free in kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm]\n Read of size 4 at addr c000200027552c30 by task kvm-vfio/2505\n CPU: 54 PID: 2505 Comm: kvm-vfio Not tainted 6.10.0-rc3-next-20240612-dirty #1\n Hardware name: 8335-GTH POWER9 0x4e1202 opal:skiboot-v6.5.3-35-g1851b2a06 PowerNV\n Call Trace:\n dump_stack_lvl+0xb4/0x108 (unreliable)\n print_report+0x2b4/0x6ec\n kasan_report+0x118/0x2b0\n __asan_load4+0xb8/0xd0\n kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm]\n kvm_vfio_set_attr+0x524/0xac0 [kvm]\n kvm_device_ioctl+0x144/0x240 [kvm]\n sys_ioctl+0x62c/0x1810\n system_call_exception+0x190/0x440\n system_call_vectored_common+0x15c/0x2ec\n ...\n Freed by task 0:\n ...\n kfree+0xec/0x3e0\n release_spapr_tce_table+0xd4/0x11c [kvm]\n rcu_core+0x568/0x16a0\n handle_softirqs+0x23c/0x920\n do_softirq_own_stack+0x6c/0x90\n do_softirq_own_stack+0x58/0x90\n __irq_exit_rcu+0x218/0x2d0\n irq_exit+0x30/0x80\n arch_local_irq_restore+0x128/0x230\n arch_local_irq_enable+0x1c/0x30\n cpuidle_enter_state+0x134/0x5cc\n cpuidle_enter+0x6c/0xb0\n call_cpuidle+0x7c/0x100\n do_idle+0x394/0x410\n cpu_startup_entry+0x60/0x70\n start_secondary+0x3fc/0x410\n start_secondary_prolog+0x10/0x14\n\nFix it by delaying the fdput() until `stt` is no longer in use, which\nis effectively the entire function. To keep the patch minimal add a call\nto fdput() at each of the existing return paths. Future work can convert\nthe function to goto or __cleanup style cleanup.\n\nWith the fix in place the test case no longer triggers the UAF."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/4cdf6926f443c84f680213c7aafbe6f91a5fcbc0",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/5f856023971f97fff74cfaf21b48ec320147b50a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/82c7a4cf14aa866f8f7f09e662b02eddc49ee0bf",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/9975f93c760a32453d7639cf6fcf3f73b4e71ffe",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a986fa57fd81a1430e00b3c6cf8a325d6f894a63",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/b26c8c85463ef27a522d24fcd05651f0bb039e47",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/be847bb20c809de8ac124431b556f244400b0491",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

25
CVE-2024/CVE-2024-410xx/CVE-2024-41071.json Normal file
View File

@ -0,0 +1,25 @@
{
"id": "CVE-2024-41071",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:14.863",
"lastModified": "2024-07-29T15:15:14.863",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: Avoid address calculations via out of bounds array indexing\n\nreq->n_channels must be set before req->channels[] can be used.\n\nThis patch fixes one of the issues encountered in [1].\n\n[ 83.964255] UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:364:4\n[ 83.964258] index 0 is out of range for type 'struct ieee80211_channel *[]'\n[...]\n[ 83.964264] Call Trace:\n[ 83.964267] <TASK>\n[ 83.964269] dump_stack_lvl+0x3f/0xc0\n[ 83.964274] __ubsan_handle_out_of_bounds+0xec/0x110\n[ 83.964278] ieee80211_prep_hw_scan+0x2db/0x4b0\n[ 83.964281] __ieee80211_start_scan+0x601/0x990\n[ 83.964291] nl80211_trigger_scan+0x874/0x980\n[ 83.964295] genl_family_rcv_msg_doit+0xe8/0x160\n[ 83.964298] genl_rcv_msg+0x240/0x270\n[...]\n\n[1] https://bugzilla.kernel.org/show_bug.cgi?id=218810"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/2663d0462eb32ae7c9b035300ab6b1523886c718",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/4f43a614b1b84f0d1e3c48cc541c3bfdf414a6d0",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

49
CVE-2024/CVE-2024-410xx/CVE-2024-41072.json Normal file
View File

@ -0,0 +1,49 @@
{
"id": "CVE-2024-41072",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:14.937",
"lastModified": "2024-07-29T15:15:14.937",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: wext: add extra SIOCSIWSCAN data check\n\nIn 'cfg80211_wext_siwscan()', add extra check whether number of\nchannels passed via 'ioctl(sock, SIOCSIWSCAN, ...)' doesn't exceed\nIW_MAX_FREQUENCIES and reject invalid request with -EINVAL otherwise."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/001120ff0c9e3557dee9b5ee0d358e0fc189996f",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/35cee10ccaee5bd451a480521bbc25dc9f07fa5b",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/6295bad58f988eaafcf0e6f8b198a580398acb3b",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/6ef09cdc5ba0f93826c09d810c141a8d103a80fc",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a43cc0558530b6c065976b6b9246f512f8d3593b",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/b02ba9a0b55b762bd04743a22f3d9f9645005e79",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/de5fcf757e33596eed32de170ce5a93fa44dd2ac",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/fe9644efd86704afe50e56b64b609de340ab7c95",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

37
CVE-2024/CVE-2024-410xx/CVE-2024-41073.json Normal file
View File

@ -0,0 +1,37 @@
{
"id": "CVE-2024-41073",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:15.020",
"lastModified": "2024-07-29T15:15:15.020",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme: avoid double free special payload\n\nIf a discard request needs to be retried, and that retry may fail before\na new special payload is added, a double free will result. Clear the\nRQF_SPECIAL_LOAD when the request is cleaned."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/1b9fd1265fac85916f90b4648de02adccdb7220b",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/ae84383c96d6662c24697ab6b44aae855ab670aa",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/c5942a14f795de957ae9d66027aac8ff4fe70057",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/e5d574ab37f5f2e7937405613d9b1a724811e5ad",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/f3ab45aacd25d957547fb6d115c1574c20964b3b",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

33
CVE-2024/CVE-2024-410xx/CVE-2024-41074.json Normal file
View File

@ -0,0 +1,33 @@
{
"id": "CVE-2024-41074",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:15.097",
"lastModified": "2024-07-29T15:15:15.097",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: Set object to close if ondemand_id < 0 in copen\n\nIf copen is maliciously called in the user mode, it may delete the request\ncorresponding to the random id. And the request may have not been read yet.\n\nNote that when the object is set to reopen, the open request will be done\nwith the still reopen state in above case. As a result, the request\ncorresponding to this object is always skipped in select_req function, so\nthe read request is never completed and blocks other process.\n\nFix this issue by simply set object to close if its id < 0 in copen."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/0845c553db11c84ff53fccd59da11b6d6ece4a60",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/4f8703fb3482f92edcfd31661857b16fec89c2c0",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/703bea37d13e4ccdafd17ae7c4cb583752ba7663",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/c32ee78fbc670e6f90989a45d340748e34cad333",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

33
CVE-2024/CVE-2024-410xx/CVE-2024-41075.json Normal file
View File

@ -0,0 +1,33 @@
{
"id": "CVE-2024-41075",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:15.163",
"lastModified": "2024-07-29T15:15:15.163",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: add consistency check for copen/cread\n\nThis prevents malicious processes from completing random copen/cread\nrequests and crashing the system. Added checks are listed below:\n\n * Generic, copen can only complete open requests, and cread can only\n complete read requests.\n * For copen, ondemand_id must not be 0, because this indicates that the\n request has not been read by the daemon.\n * For cread, the object corresponding to fd and req should be the same."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/36d845ccd7bf527110a65fe953886a176c209539",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/3b744884c0431b5a62c92900e64bfd0ed61e8e2a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/8aaa6c5dd2940ab934d6cd296175f43dbb32b34a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a26dc49df37e996876f50a0210039b2d211fdd6f",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

33
CVE-2024/CVE-2024-410xx/CVE-2024-41076.json Normal file
View File

@ -0,0 +1,33 @@
{
"id": "CVE-2024-41076",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:15.237",
"lastModified": "2024-07-29T15:15:15.237",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSv4: Fix memory leak in nfs4_set_security_label\n\nWe leak nfs_fattr and nfs4_label every time we set a security xattr."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/899604a7c958771840941caff9ee3dd8193d984c",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/aad11473f8f4be3df86461081ce35ec5b145ba68",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/b98090699319e64f5de1e8db5bb75870f1eb1c6e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/d130220ccc94d74d70da984a199477937e7bf03c",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

41
CVE-2024/CVE-2024-410xx/CVE-2024-41077.json Normal file
View File

@ -0,0 +1,41 @@
{
"id": "CVE-2024-41077",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:15.303",
"lastModified": "2024-07-29T15:15:15.303",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnull_blk: fix validation of block size\n\nBlock size should be between 512 and PAGE_SIZE and be a power of 2. The current\ncheck does not validate this, so update the check.\n\nWithout this patch, null_blk would Oops due to a null pointer deref when\nloaded with bs=1536 [1].\n\n\n[axboe: remove unnecessary braces and != 0 check]"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/08f03186b96e25e3154916a2e70732557c770ea7",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/2772ed2fc075eef7df3789906fc9dae01e4e132e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/9625afe1dd4a158a14bb50f81af9e2dac634c0b1",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/9b873bdaae64bddade9d8c6df23c8a31948d47d0",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/c462ecd659b5fce731f1d592285832fd6ad54053",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/f92409a9da02f27d05d713bff5f865e386cef9b3",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

41
CVE-2024/CVE-2024-410xx/CVE-2024-41078.json Normal file
View File

@ -0,0 +1,41 @@
{
"id": "CVE-2024-41078",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:15.380",
"lastModified": "2024-07-29T15:15:15.380",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: qgroup: fix quota root leak after quota disable failure\n\nIf during the quota disable we fail when cleaning the quota tree or when\ndeleting the root from the root tree, we jump to the 'out' label without\never dropping the reference on the quota root, resulting in a leak of the\nroot since fs_info->quota_root is no longer pointing to the root (we have\nset it to NULL just before those steps).\n\nFix this by always doing a btrfs_put_root() call under the 'out' label.\nThis is a problem that exists since qgroups were first added in 2012 by\ncommit bed92eae26cc (\"Btrfs: qgroup implementation and prototypes\"), but\nback then we missed a kfree on the quota root and free_extent_buffer()\ncalls on its root and commit root nodes, since back then roots were not\nyet reference counted."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/5ef3961682e5310f2221bae99bcf9f5d0f4b0d51",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/7dd6a5b96157a21245566b21fd58276a214357ff",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/8a69529f22590b67bb018de9acbcf94abc8603cf",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/94818bdb00ef34a996a06aa63d11f591074cb757",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a7e4c6a3031c74078dba7fa36239d0f4fe476c53",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/f88aeff5a173e8ba3133314eb4b964236ef3589d",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

33
CVE-2024/CVE-2024-410xx/CVE-2024-41079.json Normal file
View File

@ -0,0 +1,33 @@
{
"id": "CVE-2024-41079",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:15.457",
"lastModified": "2024-07-29T15:15:15.457",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: always initialize cqe.result\n\nThe spec doesn't mandate that the first two double words (aka results)\nfor the command queue entry need to be set to 0 when they are not\nused (not specified). Though, the target implemention returns 0 for TCP\nand FC but not for RDMA.\n\nLet's make RDMA behave the same and thus explicitly initializing the\nresult field. This prevents leaking any data from the stack."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/0990e8a863645496b9e3f91cfcfd63cd95c80319",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/10967873b80742261527a071954be8b54f0f8e4d",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/30d35b24b7957922f81cfdaa66f2e1b1e9b9aed2",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/cd0c1b8e045a8d2785342b385cb2684d9b48e426",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

25
CVE-2024/CVE-2024-410xx/CVE-2024-41080.json Normal file
View File

@ -0,0 +1,25 @@
{
"id": "CVE-2024-41080",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:15.523",
"lastModified": "2024-07-29T15:15:15.523",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: fix possible deadlock in io_register_iowq_max_workers()\n\nThe io_register_iowq_max_workers() function calls io_put_sq_data(),\nwhich acquires the sqd->lock without releasing the uring_lock.\nSimilar to the commit 009ad9f0c6ee (\"io_uring: drop ctx->uring_lock\nbefore acquiring sqd->lock\"), this can lead to a potential deadlock\nsituation.\n\nTo resolve this issue, the uring_lock is released before calling\nio_put_sq_data(), and then it is re-acquired after the function call.\n\nThis change ensures that the locks are acquired in the correct\norder, preventing the possibility of a deadlock."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/73254a297c2dd094abec7c9efee32455ae875bdf",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/b571a367502c7ef94c688ef9c7f7d69a2ce3bcca",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

49
CVE-2024/CVE-2024-410xx/CVE-2024-41081.json Normal file
View File

@ -0,0 +1,49 @@
{
"id": "CVE-2024-41081",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:15.593",
"lastModified": "2024-07-29T15:15:15.593",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nila: block BH in ila_output()\n\nAs explained in commit 1378817486d6 (\"tipc: block BH\nbefore using dst_cache\"), net/core/dst_cache.c\nhelpers need to be called with BH disabled.\n\nila_output() is called from lwtunnel_output()\npossibly from process context, and under rcu_read_lock().\n\nWe might be interrupted by a softirq, re-enter ila_output()\nand corrupt dst_cache data structures.\n\nFix the race by using local_bh_disable()."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/522c3336c2025818fa05e9daf0ac35711e55e316",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/7435bd2f84a25aba607030237261b3795ba782da",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/96103371091c6476eb07f4c66624bdd1b42f758a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/9f9c79d8e527d867e0875868b14fb76e6011e70c",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a0cafb7b0b94d18e4813ee4b712a056f280e7b5a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/b4eb25a3d70df925a9fa4e82d17a958a0a228f5f",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/cf28ff8e4c02e1ffa850755288ac954b6ff0db8c",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/feac2391e26b086f73be30e9b1ab215eada8d830",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

25
CVE-2024/CVE-2024-410xx/CVE-2024-41082.json Normal file
View File

@ -0,0 +1,25 @@
{
"id": "CVE-2024-41082",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T15:15:15.670",
"lastModified": "2024-07-29T15:15:15.670",
"vulnStatus": "Received",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-fabrics: use reserved tag for reg read/write command\n\nIn some scenarios, if too many commands are issued by nvme command in\nthe same time by user tasks, this may exhaust all tags of admin_q. If\na reset (nvme reset or IO timeout) occurs before these commands finish,\nreconnect routine may fail to update nvme regs due to insufficient tags,\nwhich will cause kernel hang forever. In order to workaround this issue,\nmaybe we can let reg_read32()/reg_read64()/reg_write32() use reserved\ntags. This maybe safe for nvmf:\n\n1. For the disable ctrl path, we will not issue connect command\n2. For the enable ctrl / fw activate path, since connect and reg_xx()\n are called serially.\n\nSo the reserved tags may still be enough while reg_xx() use reserved tags."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/165da9c67a26f08c9b956c15d701da7690f45bcb",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/7dc3bfcb4c9cc58970fff6aaa48172cb224d85aa",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

8
CVE-2024/CVE-2024-410xx/CVE-2024-41090.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2024-41090",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T07:15:07.287",
"lastModified": "2024-07-29T07:15:07.287",
"vulnStatus": "Received",
"lastModified": "2024-07-29T14:12:08.783",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntap: add missing verification for short frame\n\nThe cited commit missed to check against the validity of the frame length\nin the tap_get_user_xdp() path, which could cause a corrupted skb to be\nsent downstack. Even before the skb is transmitted, the\ntap_get_user_xdp()-->skb_set_network_header() may assume the size is more\nthan ETH_HLEN. Once transmitted, this could either cause out-of-bound\naccess beyond the actual length, or confuse the underlayer with incorrect\nor inconsistent header length in the skb metadata.\n\nIn the alternative path, tap_get_user() already prohibits short frame which\nhas the length less than Ethernet header size from being transmitted.\n\nThis is to drop any frame shorter than the Ethernet header size just like\nhow tap_get_user() does.\n\nCVE: CVE-2024-41090"
},
{
"lang": "es",
"value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: tap: agregar verificaci\u00f3n faltante para marco corto La confirmaci\u00f3n citada no pudo verificar la validez de la longitud del marco en la ruta tap_get_user_xdp(), lo que podr\u00eda causar que un skb corrupto se env\u00ede hacia abajo. Incluso antes de que se transmita el skb, tap_get_user_xdp()--&gt;skb_set_network_header() puede asumir que el tama\u00f1o es mayor que ETH_HLEN. Una vez transmitido, esto podr\u00eda provocar un acceso fuera de los l\u00edmites m\u00e1s all\u00e1 de la longitud real o confundir la capa subyacente con una longitud de encabezado incorrecta o inconsistente en los metadatos de skb. En la ruta alternativa, tap_get_user() ya proh\u00edbe la transmisi\u00f3n de tramas cortas que tengan una longitud menor que el tama\u00f1o del encabezado Ethernet. Esto es para eliminar cualquier trama m\u00e1s corta que el tama\u00f1o del encabezado de Ethernet tal como lo hace tap_get_user(). CVE: CVE-2024-41090"
}
],
"metrics": {},

8
CVE-2024/CVE-2024-410xx/CVE-2024-41091.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2024-41091",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-29T07:15:07.553",
"lastModified": "2024-07-29T07:15:07.553",
"vulnStatus": "Received",
"lastModified": "2024-07-29T14:12:08.783",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntun: add missing verification for short frame\n\nThe cited commit missed to check against the validity of the frame length\nin the tun_xdp_one() path, which could cause a corrupted skb to be sent\ndownstack. Even before the skb is transmitted, the\ntun_xdp_one-->eth_type_trans() may access the Ethernet header although it\ncan be less than ETH_HLEN. Once transmitted, this could either cause\nout-of-bound access beyond the actual length, or confuse the underlayer\nwith incorrect or inconsistent header length in the skb metadata.\n\nIn the alternative path, tun_get_user() already prohibits short frame which\nhas the length less than Ethernet header size from being transmitted for\nIFF_TAP.\n\nThis is to drop any frame shorter than the Ethernet header size just like\nhow tun_get_user() does.\n\nCVE: CVE-2024-41091"
},
{
"lang": "es",
"value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: tun: agrega verificaci\u00f3n faltante para marcos cortos La confirmaci\u00f3n citada no pudo verificar la validez de la longitud del marco en la ruta tun_xdp_one(), lo que podr\u00eda provocar que un skb da\u00f1ado se env\u00ede hacia abajo. Incluso antes de que se transmita el skb, tun_xdp_one--&gt;eth_type_trans() puede acceder al encabezado de Ethernet aunque puede ser menor que ETH_HLEN. Una vez transmitido, esto podr\u00eda provocar un acceso fuera de los l\u00edmites m\u00e1s all\u00e1 de la longitud real o confundir la capa subyacente con una longitud de encabezado incorrecta o inconsistente en los metadatos de skb. En la ruta alternativa, tun_get_user() ya proh\u00edbe la transmisi\u00f3n de tramas cortas que tengan una longitud menor que el tama\u00f1o del encabezado Ethernet para IFF_TAP. Esto es para eliminar cualquier trama m\u00e1s corta que el tama\u00f1o del encabezado de Ethernet tal como lo hace tun_get_user(). CVE: CVE-2024-41091"
}
],
"metrics": {},

10
CVE-2024/CVE-2024-411xx/CVE-2024-41112.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2024-41112",
"sourceIdentifier": "security-advisories@github.com",
"published": "2024-07-26T20:15:05.237",
"lastModified": "2024-07-26T20:15:05.237",
"vulnStatus": "Received",
"lastModified": "2024-07-29T14:12:08.783",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "streamlit-geospatial is a streamlit multipage app for geospatial applications. Prior to commit c4f81d9616d40c60584e36abb15300853a66e489, the palette variable in `pages/1_\ud83d\udcf7_Timelapse.py` takes user input, which is later used in the `eval()` function on line 380, leading to remote code execution. Commit c4f81d9616d40c60584e36abb15300853a66e489 fixes this issue."
"value": "streamlit-geospatial is a streamlit multipage app for geospatial applications. Prior to commit c4f81d9616d40c60584e36abb15300853a66e489, the palette variable in `pages/1_?_Timelapse.py` takes user input, which is later used in the `eval()` function on line 380, leading to remote code execution. Commit c4f81d9616d40c60584e36abb15300853a66e489 fixes this issue."
},
{
"lang": "es",
"value": " streamlit-geospatial es una aplicaci\u00f3n multip\u00e1gina optimizada para aplicaciones geoespaciales. Antes de la confirmaci\u00f3n c4f81d9616d40c60584e36abb15300853a66e489, la variable palette en `pages/1_?_Timelapse.py` toma la entrada del usuario, que luego se usa en la funci\u00f3n `eval()` en la l\u00ednea 380, lo que lleva a la ejecuci\u00f3n remota de c\u00f3digo. La confirmaci\u00f3n c4f81d9616d40c60584e36abb15300853a66e489 soluciona este problema."
}
],
"metrics": {

10
CVE-2024/CVE-2024-411xx/CVE-2024-41113.json
View File

@ -2,13 +2,17 @@
"id": "CVE-2024-41113",
"sourceIdentifier": "security-advisories@github.com",
"published": "2024-07-26T20:15:05.560",
"lastModified": "2024-07-26T20:15:05.560",
"vulnStatus": "Received",
"lastModified": "2024-07-29T14:12:08.783",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "streamlit-geospatial is a streamlit multipage app for geospatial applications. Prior to commit c4f81d9616d40c60584e36abb15300853a66e489, the `vis_params` variable on line 383 or line 390 in `pages/1_\ud83d\udcf7_Timelapse.py` takes user input, which is later used in the `eval()` function on line 395, leading to remote code execution. Commit c4f81d9616d40c60584e36abb15300853a66e489 fixes this issue."
"value": "streamlit-geospatial is a streamlit multipage app for geospatial applications. Prior to commit c4f81d9616d40c60584e36abb15300853a66e489, the `vis_params` variable on line 383 or line 390 in `pages/1_?_Timelapse.py` takes user input, which is later used in the `eval()` function on line 395, leading to remote code execution. Commit c4f81d9616d40c60584e36abb15300853a66e489 fixes this issue."
},
{
"lang": "es",
"value": "streamlit-geospatial es una aplicaci\u00f3n multip\u00e1gina optimizada para aplicaciones geoespaciales. Antes de la confirmaci\u00f3n c4f81d9616d40c60584e36abb15300853a66e489, la variable `vis_params` en la l\u00ednea 383 o la l\u00ednea 390 en `pages/1_?_Timelapse.py` toma la entrada del usuario, que luego se usa en la funci\u00f3n `eval()` en la l\u00ednea 395, lo que lleva a la ejecuci\u00f3n de c\u00f3digo remoto . La confirmaci\u00f3n c4f81d9616d40c60584e36abb15300853a66e489 soluciona este problema."
}
],
"metrics": {

Some files were not shown because too many files have changed in this diff Show More