admin/nvd-json-data-feeds
1
0
Fork 0
mirror of https://github.com/fkie-cad/nvd-json-data-feeds.git synced 2025-06-21 17:41:05 +00:00
Code Issues Packages Projects Releases Wiki Activity

Auto-Update: 2024-07-16T14:00:19.856501+00:00

Browse Source
This commit is contained in:
cad-safe-bot 2024-07-16 14:03:16 +00:00
parent 7e9baab0b5
commit 8fd9bcb1fb
166 changed files with 4097 additions and 210 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
CVE-2021/CVE-2021-476xx/CVE-2021-47622.json Normal file
View File

@ -0,0 +1,29 @@
{
"id": "CVE-2021-47622",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:02.400",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: Fix a deadlock in the error handler\n\nThe following deadlock has been observed on a test setup:\n\n - All tags allocated\n\n - The SCSI error handler calls ufshcd_eh_host_reset_handler()\n\n - ufshcd_eh_host_reset_handler() queues work that calls\n ufshcd_err_handler()\n\n - ufshcd_err_handler() locks up as follows:\n\nWorkqueue: ufs_eh_wq_0 ufshcd_err_handler.cfi_jt\nCall trace:\n __switch_to+0x298/0x5d8\n __schedule+0x6cc/0xa94\n schedule+0x12c/0x298\n blk_mq_get_tag+0x210/0x480\n __blk_mq_alloc_request+0x1c8/0x284\n blk_get_request+0x74/0x134\n ufshcd_exec_dev_cmd+0x68/0x640\n ufshcd_verify_dev_init+0x68/0x35c\n ufshcd_probe_hba+0x12c/0x1cb8\n ufshcd_host_reset_and_restore+0x88/0x254\n ufshcd_reset_and_restore+0xd0/0x354\n ufshcd_err_handler+0x408/0xc58\n process_one_work+0x24c/0x66c\n worker_thread+0x3e8/0xa4c\n kthread+0x150/0x1b4\n ret_from_fork+0x10/0x30\n\nFix this lockup by making ufshcd_exec_dev_cmd() allocate a reserved\nrequest."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/493c9e850677df8b4eda150c2364b1c1a72ed724",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/945c3cca05d78351bba29fa65d93834cb7934c7b",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/d69d98d8edf90e25e4e09930dd36dd6d09dd6768",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

33
CVE-2021/CVE-2021-476xx/CVE-2021-47623.json Normal file
View File

@ -0,0 +1,33 @@
{
"id": "CVE-2021-47623",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:02.483",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/fixmap: Fix VM debug warning on unmap\n\nUnmapping a fixmap entry is done by calling __set_fixmap()\nwith FIXMAP_PAGE_CLEAR as flags.\n\nToday, powerpc __set_fixmap() calls map_kernel_page().\n\nmap_kernel_page() is not happy when called a second time\nfor the same page.\n\n\tWARNING: CPU: 0 PID: 1 at arch/powerpc/mm/pgtable.c:194 set_pte_at+0xc/0x1e8\n\tCPU: 0 PID: 1 Comm: swapper Not tainted 5.16.0-rc3-s3k-dev-01993-g350ff07feb7d-dirty #682\n\tNIP: c0017cd4 LR: c00187f0 CTR: 00000010\n\tREGS: e1011d50 TRAP: 0700 Not tainted (5.16.0-rc3-s3k-dev-01993-g350ff07feb7d-dirty)\n\tMSR: 00029032 <EE,ME,IR,DR,RI> CR: 42000208 XER: 00000000\n\n\tGPR00: c0165fec e1011e10 c14c0000 c0ee2550 ff800000 c0f3d000 00000000 c001686c\n\tGPR08: 00001000 b00045a9 00000001 c0f58460 c0f50000 00000000 c0007e10 00000000\n\tGPR16: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\n\tGPR24: 00000000 00000000 c0ee2550 00000000 c0f57000 00000ff8 00000000 ff800000\n\tNIP [c0017cd4] set_pte_at+0xc/0x1e8\n\tLR [c00187f0] map_kernel_page+0x9c/0x100\n\tCall Trace:\n\t[e1011e10] [c0736c68] vsnprintf+0x358/0x6c8 (unreliable)\n\t[e1011e30] [c0165fec] __set_fixmap+0x30/0x44\n\t[e1011e40] [c0c13bdc] early_iounmap+0x11c/0x170\n\t[e1011e70] [c0c06cb0] ioremap_legacy_serial_console+0x88/0xc0\n\t[e1011e90] [c0c03634] do_one_initcall+0x80/0x178\n\t[e1011ef0] [c0c0385c] kernel_init_freeable+0xb4/0x250\n\t[e1011f20] [c0007e34] kernel_init+0x24/0x140\n\t[e1011f30] [c0016268] ret_from_kernel_thread+0x5c/0x64\n\tInstruction dump:\n\t7fe3fb78 48019689 80010014 7c630034 83e1000c 5463d97e 7c0803a6 38210010\n\t4e800020 81250000 712a0001 41820008 <0fe00000> 9421ffe0 93e1001c 48000030\n\nImplement unmap_kernel_page() which clears an existing pte."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/033fd42c18d9b2121595b6f1e8419a115f9ac5b7",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/43ae0ccc4d2722b833fb59b905af129428e06d03",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/67baac10dd5ad1e9f50e8f2659984b3b0728d54e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/aec982603aa8cc0a21143681feb5f60ecc69d718",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

29
CVE-2021/CVE-2021-476xx/CVE-2021-47624.json Normal file
View File

@ -0,0 +1,29 @@
{
"id": "CVE-2021-47624",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:02.553",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sunrpc: fix reference count leaks in rpc_sysfs_xprt_state_change\n\nThe refcount leak issues take place in an error handling path. When the\n3rd argument buf doesn't match with \"offline\", \"online\" or \"remove\", the\nfunction simply returns -EINVAL and forgets to decrease the reference\ncount of a rpc_xprt object and a rpc_xprt_switch object increased by\nrpc_sysfs_xprt_kobj_get_xprt() and\nrpc_sysfs_xprt_kobj_get_xprt_switch(), causing reference count leaks of\nboth unused objects.\n\nFix this issue by jumping to the error handling path labelled with\nout_put when buf matches none of \"offline\", \"online\" or \"remove\"."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/4b22aa42bd4d2d630ef1854c139275c3532937cb",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/5f6024c05a2c0fdd180b29395aaf686d25af3a0f",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/776d794f28c95051bc70405a7b1fa40115658a18",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

33
CVE-2022/CVE-2022-487xx/CVE-2022-48773.json Normal file
View File

@ -0,0 +1,33 @@
{
"id": "CVE-2022-48773",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:02.640",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxprtrdma: fix pointer derefs in error cases of rpcrdma_ep_create\n\nIf there are failures then we must not leave the non-NULL pointers with\nthe error value, otherwise `rpcrdma_ep_destroy` gets confused and tries\nfree them, resulting in an Oops."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/1e7433fb95ccc01629a5edaa4ced0cd8c98d0ae0",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/2526d4d8b209dc5ac1fbeb468149774888b2a141",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/9921c866dc369577c3ebb9adf2383b01b58c18de",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a9c10b5b3b67b3750a10c8b089b2e05f5e176e33",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

29
CVE-2022/CVE-2022-487xx/CVE-2022-48774.json Normal file
View File

@ -0,0 +1,29 @@
{
"id": "CVE-2022-48774",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:02.717",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: ptdma: Fix the error handling path in pt_core_init()\n\nIn order to free resources correctly in the error handling path of\npt_core_init(), 2 goto's have to be switched. Otherwise, some resources\nwill leak and we will try to release things that have not been allocated\nyet.\n\nAlso move a dev_err() to a place where it is more meaningful."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/3c62fd3406e0b2277c76a6984d3979c7f3f1d129",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/3e41445287afa3cf6d572778e5aab31d25e60a8d",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/d7de1e4820c5a42441ff7276174c8c0e63575c1b",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

41
CVE-2022/CVE-2022-487xx/CVE-2022-48775.json Normal file
View File

@ -0,0 +1,41 @@
{
"id": "CVE-2022-48775",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:02.793",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nDrivers: hv: vmbus: Fix memory leak in vmbus_add_channel_kobj\n\nkobject_init_and_add() takes reference even when it fails.\nAccording to the doc of kobject_init_and_add()?\n\n If this function returns an error, kobject_put() must be called to\n properly clean up the memory associated with the object.\n\nFix memory leak by calling kobject_put()."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/417947891bd5ae327f15efed1a0da2b12ef24962",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/8bc69f86328e87a0ffa79438430cc82f3aa6a194",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/91d8866ca55232d21995a3d54fac96de33c9e20c",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/92e25b637cd4e010f776c86e4810300e773eac5c",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/c377e2ba78d3fe9a1f0b4ec424e75f81da7e81e9",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/fe595759c2a4a5bb41c438474f15947d8ae32f5c",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

29
CVE-2022/CVE-2022-487xx/CVE-2022-48776.json Normal file
View File

@ -0,0 +1,29 @@
{
"id": "CVE-2022-48776",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:02.867",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: parsers: qcom: Fix missing free for pparts in cleanup\n\nMtdpart doesn't free pparts when a cleanup function is declared.\nAdd missing free for pparts in cleanup function for smem to fix the\nleak."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/1b37889f9a151d26a3fb0d3870f6e1046dee2e24",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/3dd8ba961b9356c4113b96541c752c73d98fef70",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/3eb5185896a68373714dc7d0009111744adc3345",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

29
CVE-2022/CVE-2022-487xx/CVE-2022-48777.json Normal file
View File

@ -0,0 +1,29 @@
{
"id": "CVE-2022-48777",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:02.940",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: parsers: qcom: Fix kernel panic on skipped partition\n\nIn the event of a skipped partition (case when the entry name is empty)\nthe kernel panics in the cleanup function as the name entry is NULL.\nRework the parser logic by first checking the real partition number and\nthen allocate the space and set the data for the valid partitions.\n\nThe logic was also fundamentally wrong as with a skipped partition, the\nparts number returned was incorrect by not decreasing it for the skipped\npartitions."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/65d003cca335cabc0160d3cd7daa689eaa9dd3cd",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a2995fe23095ceda2dc382fbe057f5e164595548",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/eb03cb6e03ffd9173e18e5fe87e4e3ce83820453",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

37
CVE-2022/CVE-2022-487xx/CVE-2022-48778.json Normal file
View File

@ -0,0 +1,37 @@
{
"id": "CVE-2022-48778",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:03.010",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: rawnand: gpmi: don't leak PM reference in error path\n\nIf gpmi_nfc_apply_timings() fails, the PM runtime usage counter must be\ndropped."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/4a7ec50298b1127c5024a750c969ea0794899545",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/4cd3281a910a5adf73b2a0a82241dd67844d0b25",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/58d3111eafce9e4398654b07f0b1dac27f26ee5b",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/9161f365c91614e5a3f5c6dcc44c3b1b33bc59c0",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a4eeeaca50199e3f19eb13ac3b7e0bbb93e22de4",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

25
CVE-2022/CVE-2022-487xx/CVE-2022-48779.json Normal file
View File

@ -0,0 +1,25 @@
{
"id": "CVE-2022-48779",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:03.077",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mscc: ocelot: fix use-after-free in ocelot_vlan_del()\n\nocelot_vlan_member_del() will free the struct ocelot_bridge_vlan, so if\nthis is the same as the port's pvid_vlan which we access afterwards,\nwhat we're accessing is freed memory.\n\nFix the bug by determining whether to clear ocelot_port->pvid_vlan prior\nto calling ocelot_vlan_member_del()."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/c98bed60cdd7f22237ae256cc9c1c3087206b8a2",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/ef57640575406f57f5b3393cf57f457b0ace837e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

29
CVE-2022/CVE-2022-487xx/CVE-2022-48780.json Normal file
View File

@ -0,0 +1,29 @@
{
"id": "CVE-2022-48780",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:03.143",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: Avoid overwriting the copies of clcsock callback functions\n\nThe callback functions of clcsock will be saved and replaced during\nthe fallback. But if the fallback happens more than once, then the\ncopies of these callback functions will be overwritten incorrectly,\nresulting in a loop call issue:\n\nclcsk->sk_error_report\n |- smc_fback_error_report() <------------------------------|\n |- smc_fback_forward_wakeup() | (loop)\n |- clcsock_callback() (incorrectly overwritten) |\n |- smc->clcsk_error_report() ------------------|\n\nSo this patch fixes the issue by saving these function pointers only\nonce in the fallback and avoiding overwriting."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/1de9770d121ee9294794cca0e0be8fbfa0134ee8",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/7de7ba7a8bd4fde0141de8674c13514d0072f0e6",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/f00b6c976ae0dfbd9b891175f713f59095d23842",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

25
CVE-2022/CVE-2022-487xx/CVE-2022-48781.json Normal file
View File

@ -0,0 +1,25 @@
{
"id": "CVE-2022-48781",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:03.217",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: af_alg - get rid of alg_memory_allocated\n\nalg_memory_allocated does not seem to be really used.\n\nalg_proto does have a .memory_allocated field, but no\ncorresponding .sysctl_mem.\n\nThis means sk_has_account() returns true, but all sk_prot_mem_limits()\nusers will trigger a NULL dereference [1].\n\nTHis was not a problem until SO_RESERVE_MEM addition.\n\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\nCPU: 1 PID: 3591 Comm: syz-executor153 Not tainted 5.17.0-rc3-syzkaller-00316-gb81b1829e7e3 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nRIP: 0010:sk_prot_mem_limits include/net/sock.h:1523 [inline]\nRIP: 0010:sock_reserve_memory+0x1d7/0x330 net/core/sock.c:1000\nCode: 08 00 74 08 48 89 ef e8 27 20 bb f9 4c 03 7c 24 10 48 8b 6d 00 48 83 c5 08 48 89 e8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 48 89 ef e8 fb 1f bb f9 48 8b 6d 00 4c 89 ff 48\nRSP: 0018:ffffc90001f1fb68 EFLAGS: 00010202\nRAX: 0000000000000001 RBX: ffff88814aabc000 RCX: dffffc0000000000\nRDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffff90e18120\nRBP: 0000000000000008 R08: dffffc0000000000 R09: fffffbfff21c3025\nR10: fffffbfff21c3025 R11: 0000000000000000 R12: ffffffff8d109840\nR13: 0000000000001002 R14: 0000000000000001 R15: 0000000000000001\nFS: 0000555556e08300(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fc74416f130 CR3: 0000000073d9e000 CR4: 00000000003506e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n sock_setsockopt+0x14a9/0x3a30 net/core/sock.c:1446\n __sys_setsockopt+0x5af/0x980 net/socket.c:2176\n __do_sys_setsockopt net/socket.c:2191 [inline]\n __se_sys_setsockopt net/socket.c:2188 [inline]\n __x64_sys_setsockopt+0xb1/0xc0 net/socket.c:2188\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7fc7440fddc9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffe98f07968 EFLAGS: 00000246 ORIG_RAX: 0000000000000036\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fc7440fddc9\nRDX: 0000000000000049 RSI: 0000000000000001 RDI: 0000000000000004\nRBP: 0000000000000000 R08: 0000000000000004 R09: 00007ffe98f07990\nR10: 0000000020000000 R11: 0000000000000246 R12: 00007ffe98f0798c\nR13: 00007ffe98f079a0 R14: 00007ffe98f079e0 R15: 0000000000000000\n </TASK>\nModules linked in:\n---[ end trace 0000000000000000 ]---\nRIP: 0010:sk_prot_mem_limits include/net/sock.h:1523 [inline]\nRIP: 0010:sock_reserve_memory+0x1d7/0x330 net/core/sock.c:1000\nCode: 08 00 74 08 48 89 ef e8 27 20 bb f9 4c 03 7c 24 10 48 8b 6d 00 48 83 c5 08 48 89 e8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 48 89 ef e8 fb 1f bb f9 48 8b 6d 00 4c 89 ff 48\nRSP: 0018:ffffc90001f1fb68 EFLAGS: 00010202\nRAX: 0000000000000001 RBX: ffff88814aabc000 RCX: dffffc0000000000\nRDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffff90e18120\nRBP: 0000000000000008 R08: dffffc0000000000 R09: fffffbfff21c3025\nR10: fffffbfff21c3025 R11: 0000000000000000 R12: ffffffff8d109840\nR13: 0000000000001002 R14: 0000000000000001 R15: 0000000000000001\nFS: 0000555556e08300(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fc74416f130 CR3: 0000000073d9e000 CR4: 00000000003506e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/25206111512de994dfc914f5b2972a22aa904ef3",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/9d06f489b9e901580159e21fdc29f73df7ed08dc",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

25
CVE-2022/CVE-2022-487xx/CVE-2022-48782.json Normal file
View File

@ -0,0 +1,25 @@
{
"id": "CVE-2022-48782",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:03.290",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmctp: fix use after free\n\nClang static analysis reports this problem\nroute.c:425:4: warning: Use of memory after it is freed\n trace_mctp_key_acquire(key);\n ^~~~~~~~~~~~~~~~~~~~~~~~~~~\nWhen mctp_key_add() fails, key is freed but then is later\nused in trace_mctp_key_acquire(). Add an else statement\nto use the key only when mctp_key_add() is successful."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/1dd3ecbec5f606b2a526c47925c8634b1a6bb81e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/7e5b6a5c8c44310784c88c1c198dde79f6402f7b",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

33
CVE-2022/CVE-2022-487xx/CVE-2022-48783.json Normal file
View File

@ -0,0 +1,33 @@
{
"id": "CVE-2022-48783",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:03.350",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: lantiq_gswip: fix use after free in gswip_remove()\n\nof_node_put(priv->ds->slave_mii_bus->dev.of_node) should be\ndone before mdiobus_free(priv->ds->slave_mii_bus)."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/8c6ae46150a453f8ae9a6cd49b45f354f478587d",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/c61f599b8d33adfa256126a6695c734c0de331cb",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/df2495f329b08ac0d0d3e6334a01955ae839005e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/f48bd34137718042872d06f2c7332b3267a29165",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

29
CVE-2022/CVE-2022-487xx/CVE-2022-48784.json Normal file
View File

@ -0,0 +1,29 @@
{
"id": "CVE-2022-48784",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:03.427",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncfg80211: fix race in netlink owner interface destruction\n\nMy previous fix here to fix the deadlock left a race where\nthe exact same deadlock (see the original commit referenced\nbelow) can still happen if cfg80211_destroy_ifaces() already\nruns while nl80211_netlink_notify() is still marking some\ninterfaces as nl_owner_dead.\n\nThe race happens because we have two loops here - first we\ndev_close() all the netdevs, and then we destroy them. If we\nalso have two netdevs (first one need only be a wdev though)\nthen we can find one during the first iteration, close it,\nand go to the second iteration -- but then find two, and try\nto destroy also the one we didn't close yet.\n\nFix this by only iterating once."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/241e633cb379c4f332fc1baf2abec95ec840cbeb",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/c979f792a2baf6d0f3419587668a1a6eba46a3d2",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/f0a6fd1527067da537e9c48390237488719948ed",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

29
CVE-2022/CVE-2022-487xx/CVE-2022-48785.json Normal file
View File

@ -0,0 +1,29 @@
{
"id": "CVE-2022-48785",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:03.493",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: mcast: use rcu-safe version of ipv6_get_lladdr()\n\nSome time ago 8965779d2c0e (\"ipv6,mcast: always hold idev->lock before mca_lock\")\nswitched ipv6_get_lladdr() to __ipv6_get_lladdr(), which is rcu-unsafe\nversion. That was OK, because idev->lock was held for these codepaths.\n\nIn 88e2ca308094 (\"mld: convert ifmcaddr6 to RCU\") these external locks were\nremoved, so we probably need to restore the original rcu-safe call.\n\nOtherwise, we occasionally get a machine crashed/stalled with the following\nin dmesg:\n\n[ 3405.966610][T230589] general protection fault, probably for non-canonical address 0xdead00000000008c: 0000 [#1] SMP NOPTI\n[ 3405.982083][T230589] CPU: 44 PID: 230589 Comm: kworker/44:3 Tainted: G O 5.15.19-cloudflare-2022.2.1 #1\n[ 3405.998061][T230589] Hardware name: SUPA-COOL-SERV\n[ 3406.009552][T230589] Workqueue: mld mld_ifc_work\n[ 3406.017224][T230589] RIP: 0010:__ipv6_get_lladdr+0x34/0x60\n[ 3406.025780][T230589] Code: 57 10 48 83 c7 08 48 89 e5 48 39 d7 74 3e 48 8d 82 38 ff ff ff eb 13 48 8b 90 d0 00 00 00 48 8d 82 38 ff ff ff 48 39 d7 74 22 <66> 83 78 32 20 77 1b 75 e4 89 ca 23 50 2c 75 dd 48 8b 50 08 48 8b\n[ 3406.055748][T230589] RSP: 0018:ffff94e4b3fc3d10 EFLAGS: 00010202\n[ 3406.065617][T230589] RAX: dead00000000005a RBX: ffff94e4b3fc3d30 RCX: 0000000000000040\n[ 3406.077477][T230589] RDX: dead000000000122 RSI: ffff94e4b3fc3d30 RDI: ffff8c3a31431008\n[ 3406.089389][T230589] RBP: ffff94e4b3fc3d10 R08: 0000000000000000 R09: 0000000000000000\n[ 3406.101445][T230589] R10: ffff8c3a31430000 R11: 000000000000000b R12: ffff8c2c37887100\n[ 3406.113553][T230589] R13: ffff8c3a39537000 R14: 00000000000005dc R15: ffff8c3a31431000\n[ 3406.125730][T230589] FS: 0000000000000000(0000) GS:ffff8c3b9fc80000(0000) knlGS:0000000000000000\n[ 3406.138992][T230589] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 3406.149895][T230589] CR2: 00007f0dfea1db60 CR3: 000000387b5f2000 CR4: 0000000000350ee0\n[ 3406.162421][T230589] Call Trace:\n[ 3406.170235][T230589] <TASK>\n[ 3406.177736][T230589] mld_newpack+0xfe/0x1a0\n[ 3406.186686][T230589] add_grhead+0x87/0xa0\n[ 3406.195498][T230589] add_grec+0x485/0x4e0\n[ 3406.204310][T230589] ? newidle_balance+0x126/0x3f0\n[ 3406.214024][T230589] mld_ifc_work+0x15d/0x450\n[ 3406.223279][T230589] process_one_work+0x1e6/0x380\n[ 3406.232982][T230589] worker_thread+0x50/0x3a0\n[ 3406.242371][T230589] ? rescuer_thread+0x360/0x360\n[ 3406.252175][T230589] kthread+0x127/0x150\n[ 3406.261197][T230589] ? set_kthread_struct+0x40/0x40\n[ 3406.271287][T230589] ret_from_fork+0x22/0x30\n[ 3406.280812][T230589] </TASK>\n[ 3406.288937][T230589] Modules linked in: ... [last unloaded: kheaders]\n[ 3406.476714][T230589] ---[ end trace 3525a7655f2f3b9e ]---"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/26394fc118d6115390bd5b3a0fb17096271da227",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/27f567c84f446048670376827e356f9c92033bf9",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/3e11ef1903cf6c2fba35594b193a3570854d9e9e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

49
CVE-2022/CVE-2022-487xx/CVE-2022-48786.json Normal file
View File

@ -0,0 +1,49 @@
{
"id": "CVE-2022-48786",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:03.560",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock: remove vsock from connected table when connect is interrupted by a signal\n\nvsock_connect() expects that the socket could already be in the\nTCP_ESTABLISHED state when the connecting task wakes up with a signal\npending. If this happens the socket will be in the connected table, and\nit is not removed when the socket state is reset. In this situation it's\ncommon for the process to retry connect(), and if the connection is\nsuccessful the socket will be added to the connected table a second\ntime, corrupting the list.\n\nPrevent this by calling vsock_remove_connected() if a signal is received\nwhile waiting for a connection. This is harmless if the socket is not in\nthe connected table, and if it is in the table then removing it will\nprevent list corruption from a double add.\n\nNote for backporting: this patch requires d5afa82c977e (\"vsock: correct\nremoval of socket from the list\"), which is in all current stable trees\nexcept 4.9.y."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/0bb88f3f7e8d506f3efe46d694964117e20efbfc",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/2910bcb9f67551a45397735e47b6d456eb8cd549",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/5f326fe2aef411a6575628f92bd861463ea91df7",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/787468ee7a435777521d33399d012fd591ae2f94",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/87cd1bbd6677411e17369cd4b7389ab1e1fdba44",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/addd62a8cb6fa90aa322365c62487da61f6baab8",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/b9208492fcaecff8f43915529ae34b3bcb03877c",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/e3b3939fd137aab6d00d54bee0ee9244b286a608",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

45
CVE-2022/CVE-2022-487xx/CVE-2022-48787.json Normal file
View File

@ -0,0 +1,45 @@
{
"id": "CVE-2022-48787",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:03.633",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niwlwifi: fix use-after-free\n\nIf no firmware was present at all (or, presumably, all of the\nfirmware files failed to parse), we end up unbinding by calling\ndevice_release_driver(), which calls remove(), which then in\niwlwifi calls iwl_drv_stop(), freeing the 'drv' struct. However\nthe new code I added will still erroneously access it after it\nwas freed.\n\nSet 'failure=false' in this case to avoid the access, all data\nwas already freed anyway."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/008508c16af0087cda0394e1ac6f0493b01b6063",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/494de920d98f125b099f27a2d274850750aff957",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/7d6475179b85a83186ccce59cdc359d4f07d0bcb",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/9958b9cbb22145295ee1ffaea0904c383da2c05d",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/bea2662e7818e15d7607d17d57912ac984275d94",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/d3b98fe36f8a06ce654049540773256ab59cb53d",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/ddd46059f7d99119b62d44c519df7a79f2e6a515",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

41
CVE-2022/CVE-2022-487xx/CVE-2022-48788.json Normal file
View File

@ -0,0 +1,41 @@
{
"id": "CVE-2022-48788",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:03.703",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-rdma: fix possible use-after-free in transport error_recovery work\n\nWhile nvme_rdma_submit_async_event_work is checking the ctrl and queue\nstate before preparing the AER command and scheduling io_work, in order\nto fully prevent a race where this check is not reliable the error\nrecovery work must flush async_event_work before continuing to destroy\nthe admin queue after setting the ctrl state to RESETTING such that\nthere is no race .submit_async_event and the error recovery handler\nitself changing the ctrl state."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/324f5bdc52ecb6a6dadb31a62823ef8c709d1439",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/5593f72d1922403c11749532e3a0aa4cf61414e9",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/646952b2210f19e584d2bf9eb5d092abdca2fcc1",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/b6bb1722f34bbdbabed27acdceaf585d300c5fd2",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/d411b2a5da68b8a130c23097014434ac140a2ace",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/ea86027ac467a055849c4945906f799e7f65ab99",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

37
CVE-2022/CVE-2022-487xx/CVE-2022-48789.json Normal file
View File

@ -0,0 +1,37 @@
{
"id": "CVE-2022-48789",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:03.773",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-tcp: fix possible use-after-free in transport error_recovery work\n\nWhile nvme_tcp_submit_async_event_work is checking the ctrl and queue\nstate before preparing the AER command and scheduling io_work, in order\nto fully prevent a race where this check is not reliable the error\nrecovery work must flush async_event_work before continuing to destroy\nthe admin queue after setting the ctrl state to RESETTING such that\nthere is no race .submit_async_event and the error recovery handler\nitself changing the ctrl state."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/5e42fca37ccc76f39f73732661bd47254cad5982",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/61a26ffd5ad3ece456d74c4c79f7b5e3f440a141",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/bb0d8fb35c4ff00a503c2c4dca4cce8d102a21c4",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/e192184cf8bce8dd55d619f5611a2eaba996fa05",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/ff9fc7ebf5c06de1ef72a69f9b1ab40af8b07f9e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

41
CVE-2022/CVE-2022-487xx/CVE-2022-48790.json Normal file
View File

@ -0,0 +1,41 @@
{
"id": "CVE-2022-48790",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:03.843",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme: fix a possible use-after-free in controller reset during load\n\nUnlike .queue_rq, in .submit_async_event drivers may not check the ctrl\nreadiness for AER submission. This may lead to a use-after-free\ncondition that was observed with nvme-tcp.\n\nThe race condition may happen in the following scenario:\n1. driver executes its reset_ctrl_work\n2. -> nvme_stop_ctrl - flushes ctrl async_event_work\n3. ctrl sends AEN which is received by the host, which in turn\n schedules AEN handling\n4. teardown admin queue (which releases the queue socket)\n5. AEN processed, submits another AER, calling the driver to submit\n6. driver attempts to send the cmd\n==> use-after-free\n\nIn order to fix that, add ctrl state check to validate the ctrl\nis actually able to accept the AER submission.\n\nThis addresses the above race in controller resets because the driver\nduring teardown should:\n1. change ctrl state to RESETTING\n2. flush async_event_work (as well as other async work elements)\n\nSo after 1,2, any other AER command will find the\nctrl state to be RESETTING and bail out without submitting the AER."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/0ead57ceb21bbf15963b4874c2ac67143455382f",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/0fa0f99fc84e41057cbdd2efbfe91c6b2f47dd9d",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/70356b756a58704e5c8818cb09da5854af87e765",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/9e956a2596ae276124ef0d96829c013dd0faf861",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a25e460fbb0340488d119fb2e28fe3f829b7417e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/e043fb5a0336ee74614e26f0d9f36f1f5bb6d606",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

33
CVE-2022/CVE-2022-487xx/CVE-2022-48791.json Normal file
View File

@ -0,0 +1,33 @@
{
"id": "CVE-2022-48791",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:03.910",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: pm8001: Fix use-after-free for aborted TMF sas_task\n\nCurrently a use-after-free may occur if a TMF sas_task is aborted before we\nhandle the IO completion in mpi_ssp_completion(). The abort occurs due to\ntimeout.\n\nWhen the timeout occurs, the SAS_TASK_STATE_ABORTED flag is set and the\nsas_task is freed in pm8001_exec_internal_tmf_task().\n\nHowever, if the I/O completion occurs later, the I/O completion still\nthinks that the sas_task is available. Fix this by clearing the ccb->task\nif the TMF times out - the I/O completion handler does nothing if this\npointer is cleared."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/3c334cdfd94945b8edb94022a0371a8665b17366",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/510b21442c3a2e3ecc071ba3e666b320e7acdd61",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/61f162aa4381845acbdc7f2be4dfb694d027c018",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/d872e7b5fe38f325f5206b6872746fa02c2b4819",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

33
CVE-2022/CVE-2022-487xx/CVE-2022-48792.json Normal file
View File

@ -0,0 +1,33 @@
{
"id": "CVE-2022-48792",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:03.983",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: pm8001: Fix use-after-free for aborted SSP/STP sas_task\n\nCurrently a use-after-free may occur if a sas_task is aborted by the upper\nlayer before we handle the I/O completion in mpi_ssp_completion() or\nmpi_sata_completion().\n\nIn this case, the following are the two steps in handling those I/O\ncompletions:\n\n - Call complete() to inform the upper layer handler of completion of\n the I/O.\n\n - Release driver resources associated with the sas_task in\n pm8001_ccb_task_free() call.\n\nWhen complete() is called, the upper layer may free the sas_task. As such,\nwe should not touch the associated sas_task afterwards, but we do so in the\npm8001_ccb_task_free() call.\n\nFix by swapping the complete() and pm8001_ccb_task_free() calls ordering."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/d9d93f32534a0a80a1c26bdb0746d90a7b19c2c2",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/df7abcaa1246e2537ab4016077b5443bb3c09378",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/f61f9fccb2cb4bb275674a79d638704db6bc2171",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/fe9ac3eaa2e387a5742b380b73a5a6bc237bf184",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

29
CVE-2022/CVE-2022-487xx/CVE-2022-48793.json Normal file
View File

@ -0,0 +1,29 @@
{
"id": "CVE-2022-48793",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:04.067",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: nSVM: fix potential NULL derefernce on nested migration\n\nTurns out that due to review feedback and/or rebases\nI accidentally moved the call to nested_svm_load_cr3 to be too early,\nbefore the NPT is enabled, which is very wrong to do.\n\nKVM can't even access guest memory at that point as nested NPT\nis needed for that, and of course it won't initialize the walk_mmu,\nwhich is main issue the patch was addressing.\n\nFix this for real."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/352193edda48e08e8824a7ece09aec830a603cfe",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/74b426bea4f7e3b081add2b88d4fba16d3af7ab6",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/e1779c2714c3023e4629825762bcbc43a3b943df",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

49
CVE-2022/CVE-2022-487xx/CVE-2022-48794.json Normal file
View File

@ -0,0 +1,49 @@
{
"id": "CVE-2022-48794",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:04.147",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ieee802154: at86rf230: Stop leaking skb's\n\nUpon error the ieee802154_xmit_complete() helper is not called. Only\nieee802154_wake_queue() is called manually. In the Tx case we then leak\nthe skb structure.\n\nFree the skb structure upon error before returning when appropriate.\n\nAs the 'is_tx = 0' cannot be moved in the complete handler because of a\npossible race between the delay in switching to STATE_RX_AACK_ON and a\nnew interrupt, we introduce an intermediate 'was_tx' boolean just for\nthis purpose.\n\nThere is no Fixes tag applying here, many changes have been made on this\narea and the issue kind of always existed."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/0fd484644c68897c490a3307bfcc8bf767df5a43",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/1c72f04d52b7200bb83426a9bed378668271ea4a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/23b2a25382400168427ea278f3d8bf4ecfd333bf",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/455ef08d6e5473526fa6763f75a93f7198206966",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/6312f6a53fd3ea38125dcaca5e3c9aa7d8a60cf7",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/af649e5c95f56df64363bc46f6746b87819f9c0d",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/d2a1eaf51b7d4412319adb6acef114ba472d1692",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/e5ce576d45bf72fd0e3dc37eff897bfcc488f6a9",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

49
CVE-2022/CVE-2022-487xx/CVE-2022-48795.json Normal file
View File

@ -0,0 +1,49 @@
{
"id": "CVE-2022-48795",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:04.220",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nparisc: Fix data TLB miss in sba_unmap_sg\n\nRolf Eike Beer reported the following bug:\n\n[1274934.746891] Bad Address (null pointer deref?): Code=15 (Data TLB miss fault) at addr 0000004140000018\n[1274934.746891] CPU: 3 PID: 5549 Comm: cmake Not tainted 5.15.4-gentoo-parisc64 #4\n[1274934.746891] Hardware name: 9000/785/C8000\n[1274934.746891]\n[1274934.746891] YZrvWESTHLNXBCVMcbcbcbcbOGFRQPDI\n[1274934.746891] PSW: 00001000000001001111111000001110 Not tainted\n[1274934.746891] r00-03 000000ff0804fe0e 0000000040bc9bc0 00000000406760e4 0000004140000000\n[1274934.746891] r04-07 0000000040b693c0 0000004140000000 000000004a2b08b0 0000000000000001\n[1274934.746891] r08-11 0000000041f98810 0000000000000000 000000004a0a7000 0000000000000001\n[1274934.746891] r12-15 0000000040bddbc0 0000000040c0cbc0 0000000040bddbc0 0000000040bddbc0\n[1274934.746891] r16-19 0000000040bde3c0 0000000040bddbc0 0000000040bde3c0 0000000000000007\n[1274934.746891] r20-23 0000000000000006 000000004a368950 0000000000000000 0000000000000001\n[1274934.746891] r24-27 0000000000001fff 000000000800000e 000000004a1710f0 0000000040b693c0\n[1274934.746891] r28-31 0000000000000001 0000000041f988b0 0000000041f98840 000000004a171118\n[1274934.746891] sr00-03 00000000066e5800 0000000000000000 0000000000000000 00000000066e5800\n[1274934.746891] sr04-07 0000000000000000 0000000000000000 0000000000000000 0000000000000000\n[1274934.746891]\n[1274934.746891] IASQ: 0000000000000000 0000000000000000 IAOQ: 00000000406760e8 00000000406760ec\n[1274934.746891] IIR: 48780030 ISR: 0000000000000000 IOR: 0000004140000018\n[1274934.746891] CPU: 3 CR30: 00000040e3a9c000 CR31: ffffffffffffffff\n[1274934.746891] ORIG_R28: 0000000040acdd58\n[1274934.746891] IAOQ[0]: sba_unmap_sg+0xb0/0x118\n[1274934.746891] IAOQ[1]: sba_unmap_sg+0xb4/0x118\n[1274934.746891] RP(r2): sba_unmap_sg+0xac/0x118\n[1274934.746891] Backtrace:\n[1274934.746891] [<00000000402740cc>] dma_unmap_sg_attrs+0x6c/0x70\n[1274934.746891] [<000000004074d6bc>] scsi_dma_unmap+0x54/0x60\n[1274934.746891] [<00000000407a3488>] mptscsih_io_done+0x150/0xd70\n[1274934.746891] [<0000000040798600>] mpt_interrupt+0x168/0xa68\n[1274934.746891] [<0000000040255a48>] __handle_irq_event_percpu+0xc8/0x278\n[1274934.746891] [<0000000040255c34>] handle_irq_event_percpu+0x3c/0xd8\n[1274934.746891] [<000000004025ecb4>] handle_percpu_irq+0xb4/0xf0\n[1274934.746891] [<00000000402548e0>] generic_handle_irq+0x50/0x70\n[1274934.746891] [<000000004019a254>] call_on_stack+0x18/0x24\n[1274934.746891]\n[1274934.746891] Kernel panic - not syncing: Bad Address (null pointer deref?)\n\nThe bug is caused by overrunning the sglist and incorrectly testing\nsg_dma_len(sglist) before nents. Normally this doesn't cause a crash,\nbut in this case sglist crossed a page boundary. This occurs in the\nfollowing code:\n\n\twhile (sg_dma_len(sglist) && nents--) {\n\nThe fix is simply to test nents first and move the decrement of nents\ninto the loop."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/867e50231c7605547d9334904d70a181f39f2d9e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/8c8e949ae81e7f5ab58f9f9f8e9b573b93173dd2",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/b7d6f44a0fa716a82969725516dc0b16bc7cd514",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/de75676ee99bf9f25b1124ff301b3f7b8ba597d4",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/e40ae3133ed87d6d526f3c8fc6a5f9a2d72dcdbf",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/efccc9b0c7e28d0eb7918a236e59f60dc23db4c3",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/f23f0444ead4d941165aa82ce2fcbb997dc00e97",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/f8f519d7df66c334b5e08f896ac70ee3b53add3b",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

33
CVE-2022/CVE-2022-487xx/CVE-2022-48796.json Normal file
View File

@ -0,0 +1,33 @@
{
"id": "CVE-2022-48796",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:04.293",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu: Fix potential use-after-free during probe\n\nKasan has reported the following use after free on dev->iommu.\nwhen a device probe fails and it is in process of freeing dev->iommu\nin dev_iommu_free function, a deferred_probe_work_func runs in parallel\nand tries to access dev->iommu->fwspec in of_iommu_configure path thus\ncausing use after free.\n\nBUG: KASAN: use-after-free in of_iommu_configure+0xb4/0x4a4\nRead of size 8 at addr ffffff87a2f1acb8 by task kworker/u16:2/153\n\nWorkqueue: events_unbound deferred_probe_work_func\nCall trace:\n dump_backtrace+0x0/0x33c\n show_stack+0x18/0x24\n dump_stack_lvl+0x16c/0x1e0\n print_address_description+0x84/0x39c\n __kasan_report+0x184/0x308\n kasan_report+0x50/0x78\n __asan_load8+0xc0/0xc4\n of_iommu_configure+0xb4/0x4a4\n of_dma_configure_id+0x2fc/0x4d4\n platform_dma_configure+0x40/0x5c\n really_probe+0x1b4/0xb74\n driver_probe_device+0x11c/0x228\n __device_attach_driver+0x14c/0x304\n bus_for_each_drv+0x124/0x1b0\n __device_attach+0x25c/0x334\n device_initial_probe+0x24/0x34\n bus_probe_device+0x78/0x134\n deferred_probe_work_func+0x130/0x1a8\n process_one_work+0x4c8/0x970\n worker_thread+0x5c8/0xaec\n kthread+0x1f8/0x220\n ret_from_fork+0x10/0x18\n\nAllocated by task 1:\n ____kasan_kmalloc+0xd4/0x114\n __kasan_kmalloc+0x10/0x1c\n kmem_cache_alloc_trace+0xe4/0x3d4\n __iommu_probe_device+0x90/0x394\n probe_iommu_group+0x70/0x9c\n bus_for_each_dev+0x11c/0x19c\n bus_iommu_probe+0xb8/0x7d4\n bus_set_iommu+0xcc/0x13c\n arm_smmu_bus_init+0x44/0x130 [arm_smmu]\n arm_smmu_device_probe+0xb88/0xc54 [arm_smmu]\n platform_drv_probe+0xe4/0x13c\n really_probe+0x2c8/0xb74\n driver_probe_device+0x11c/0x228\n device_driver_attach+0xf0/0x16c\n __driver_attach+0x80/0x320\n bus_for_each_dev+0x11c/0x19c\n driver_attach+0x38/0x48\n bus_add_driver+0x1dc/0x3a4\n driver_register+0x18c/0x244\n __platform_driver_register+0x88/0x9c\n init_module+0x64/0xff4 [arm_smmu]\n do_one_initcall+0x17c/0x2f0\n do_init_module+0xe8/0x378\n load_module+0x3f80/0x4a40\n __se_sys_finit_module+0x1a0/0x1e4\n __arm64_sys_finit_module+0x44/0x58\n el0_svc_common+0x100/0x264\n do_el0_svc+0x38/0xa4\n el0_svc+0x20/0x30\n el0_sync_handler+0x68/0xac\n el0_sync+0x160/0x180\n\nFreed by task 1:\n kasan_set_track+0x4c/0x84\n kasan_set_free_info+0x28/0x4c\n ____kasan_slab_free+0x120/0x15c\n __kasan_slab_free+0x18/0x28\n slab_free_freelist_hook+0x204/0x2fc\n kfree+0xfc/0x3a4\n __iommu_probe_device+0x284/0x394\n probe_iommu_group+0x70/0x9c\n bus_for_each_dev+0x11c/0x19c\n bus_iommu_probe+0xb8/0x7d4\n bus_set_iommu+0xcc/0x13c\n arm_smmu_bus_init+0x44/0x130 [arm_smmu]\n arm_smmu_device_probe+0xb88/0xc54 [arm_smmu]\n platform_drv_probe+0xe4/0x13c\n really_probe+0x2c8/0xb74\n driver_probe_device+0x11c/0x228\n device_driver_attach+0xf0/0x16c\n __driver_attach+0x80/0x320\n bus_for_each_dev+0x11c/0x19c\n driver_attach+0x38/0x48\n bus_add_driver+0x1dc/0x3a4\n driver_register+0x18c/0x244\n __platform_driver_register+0x88/0x9c\n init_module+0x64/0xff4 [arm_smmu]\n do_one_initcall+0x17c/0x2f0\n do_init_module+0xe8/0x378\n load_module+0x3f80/0x4a40\n __se_sys_finit_module+0x1a0/0x1e4\n __arm64_sys_finit_module+0x44/0x58\n el0_svc_common+0x100/0x264\n do_el0_svc+0x38/0xa4\n el0_svc+0x20/0x30\n el0_sync_handler+0x68/0xac\n el0_sync+0x160/0x180\n\nFix this by setting dev->iommu to NULL first and\nthen freeing dev_iommu structure in dev_iommu_free\nfunction."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/65ab30f6a6952fa9ee13009862736cf8d110e6e5",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/b54240ad494300ff0994c4539a531727874381f4",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/cb86e511e78e796de6947b8f3acca1b7c76fb2ff",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/f74fc4b5bd533ea3d30ce47cccb8ef8d21fda85a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

33
CVE-2022/CVE-2022-487xx/CVE-2022-48797.json Normal file
View File

@ -0,0 +1,33 @@
{
"id": "CVE-2022-48797",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:04.360",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: don't try to NUMA-migrate COW pages that have other uses\n\nOded Gabbay reports that enabling NUMA balancing causes corruption with\nhis Gaudi accelerator test load:\n\n \"All the details are in the bug, but the bottom line is that somehow,\n this patch causes corruption when the numa balancing feature is\n enabled AND we don't use process affinity AND we use GUP to pin pages\n so our accelerator can DMA to/from system memory.\n\n Either disabling numa balancing, using process affinity to bind to\n specific numa-node or reverting this patch causes the bug to\n disappear\"\n\nand Oded bisected the issue to commit 09854ba94c6a (\"mm: do_wp_page()\nsimplification\").\n\nNow, the NUMA balancing shouldn't actually be changing the writability\nof a page, and as such shouldn't matter for COW. But it appears it\ndoes. Suspicious.\n\nHowever, regardless of that, the condition for enabling NUMA faults in\nchange_pte_range() is nonsensical. It uses \"page_mapcount(page)\" to\ndecide if a COW page should be NUMA-protected or not, and that makes\nabsolutely no sense.\n\nThe number of mappings a page has is irrelevant: not only does GUP get a\nreference to a page as in Oded's case, but the other mappings migth be\npaged out and the only reference to them would be in the page count.\n\nSince we should never try to NUMA-balance a page that we can't move\nanyway due to other references, just fix the code to use 'page_count()'.\nOded confirms that that fixes his issue.\n\nNow, this does imply that something in NUMA balancing ends up changing\npage protections (other than the obvious one of making the page\ninaccessible to get the NUMA faulting information). Otherwise the COW\nsimplification wouldn't matter - since doing the GUP on the page would\nmake sure it's writable.\n\nThe cause of that permission change would be good to figure out too,\nsince it clearly results in spurious COW events - but fixing the\nnonsensical test that just happened to work before is obviously the\nCorrectThing(tm) to do regardless."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/254090925e16abd914c87b4ad1b489440d89c4c3",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/80d47f5de5e311cbc0d01ebb6ee684e8f4c196c6",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/b3dc4b9d3ca68b370c4aeab5355007eedf948849",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/d187eeb02d18446e5e54ed6bcbf8b47e6551daea",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

29
CVE-2022/CVE-2022-487xx/CVE-2022-48798.json Normal file
View File

@ -0,0 +1,29 @@
{
"id": "CVE-2022-48798",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:04.430",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/cio: verify the driver availability for path_event call\n\nIf no driver is attached to a device or the driver does not provide the\npath_event function, an FCES path-event on this device could end up in a\nkernel-panic. Verify the driver availability before the path_event\nfunction call."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/a0619027f11590b2070624297530c34dc7f91bcd",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/dd9cb842fa9d90653a9b48aba52f89c069f3bc50",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/fe990b7bf6ac93f1d850d076b8f0e758268aa4ab",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

45
CVE-2022/CVE-2022-487xx/CVE-2022-48799.json Normal file
View File

@ -0,0 +1,45 @@
{
"id": "CVE-2022-48799",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:04.490",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Fix list corruption in perf_cgroup_switch()\n\nThere's list corruption on cgrp_cpuctx_list. This happens on the\nfollowing path:\n\n perf_cgroup_switch: list_for_each_entry(cgrp_cpuctx_list)\n cpu_ctx_sched_in\n ctx_sched_in\n ctx_pinned_sched_in\n merge_sched_in\n perf_cgroup_event_disable: remove the event from the list\n\nUse list_for_each_entry_safe() to allow removing an entry during\niteration."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/2142bc1469a316fddd10012d76428f7265258f81",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/30d9f3cbe47e1018ddc8069ac5b5c9e66fbdf727",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/5d76ed4223403f90421782adb2f20a9ecbc93186",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/5f4e5ce638e6a490b976ade4a40017b40abb2da0",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/7969fe91c9830e045901970e9d755b7505881d4a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a2ed7b29d0673ba361546e2d87dbbed149456c45",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/f6b5d51976fcefef5732da3e3feb3ccff680f7c8",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

25
CVE-2022/CVE-2022-488xx/CVE-2022-48800.json Normal file
View File

@ -0,0 +1,25 @@
{
"id": "CVE-2022-48800",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:04.563",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: vmscan: remove deadlock due to throttling failing to make progress\n\nA soft lockup bug in kcompactd was reported in a private bugzilla with\nthe following visible in dmesg;\n\n watchdog: BUG: soft lockup - CPU#33 stuck for 26s! [kcompactd0:479]\n watchdog: BUG: soft lockup - CPU#33 stuck for 52s! [kcompactd0:479]\n watchdog: BUG: soft lockup - CPU#33 stuck for 78s! [kcompactd0:479]\n watchdog: BUG: soft lockup - CPU#33 stuck for 104s! [kcompactd0:479]\n\nThe machine had 256G of RAM with no swap and an earlier failed\nallocation indicated that node 0 where kcompactd was run was potentially\nunreclaimable;\n\n Node 0 active_anon:29355112kB inactive_anon:2913528kB active_file:0kB\n inactive_file:0kB unevictable:64kB isolated(anon):0kB isolated(file):0kB\n mapped:8kB dirty:0kB writeback:0kB shmem:26780kB shmem_thp:\n 0kB shmem_pmdmapped: 0kB anon_thp: 23480320kB writeback_tmp:0kB\n kernel_stack:2272kB pagetables:24500kB all_unreclaimable? yes\n\nVlastimil Babka investigated a crash dump and found that a task\nmigrating pages was trying to drain PCP lists;\n\n PID: 52922 TASK: ffff969f820e5000 CPU: 19 COMMAND: \"kworker/u128:3\"\n Call Trace:\n __schedule\n schedule\n schedule_timeout\n wait_for_completion\n __flush_work\n __drain_all_pages\n __alloc_pages_slowpath.constprop.114\n __alloc_pages\n alloc_migration_target\n migrate_pages\n migrate_to_node\n do_migrate_pages\n cpuset_migrate_mm_workfn\n process_one_work\n worker_thread\n kthread\n ret_from_fork\n\nThis failure is specific to CONFIG_PREEMPT=n builds. The root of the\nproblem is that kcompact0 is not rescheduling on a CPU while a task that\nhas isolated a large number of the pages from the LRU is waiting on\nkcompact0 to reschedule so the pages can be released. While\nshrink_inactive_list() only loops once around too_many_isolated, reclaim\ncan continue without rescheduling if sc->skipped_deactivate == 1 which\ncould happen if there was no file LRU and the inactive anon list was not\nlow."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/3980cff6349687f73d5109f156f23cb261c24164",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/b485c6f1f9f54b81443efda5f3d8a5036ba2cd91",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

29
CVE-2022/CVE-2022-488xx/CVE-2022-48801.json Normal file
View File

@ -0,0 +1,29 @@
{
"id": "CVE-2022-48801",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:04.630",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: buffer: Fix file related error handling in IIO_BUFFER_GET_FD_IOCTL\n\nIf we fail to copy the just created file descriptor to userland, we\ntry to clean up by putting back 'fd' and freeing 'ib'. The code uses\nput_unused_fd() for the former which is wrong, as the file descriptor\nwas already published by fd_install() which gets called internally by\nanon_inode_getfd().\n\nThis makes the error handling code leaving a half cleaned up file\ndescriptor table around and a partially destructed 'file' object,\nallowing userland to play use-after-free tricks on us, by abusing\nthe still usable fd and making the code operate on a dangling\n'file->private_data' pointer.\n\nInstead of leaving the kernel in a partially corrupted state, don't\nattempt to explicitly clean up and leave this to the process exit\npath that'll release any still valid fds, including the one created\nby the previous call to anon_inode_getfd(). Simply return -EFAULT to\nindicate the error."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/202071d2518537866d291aa7cf26af54e674f4d4",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/b7f54894aa7517d2b6c797a499b9f491e9db9083",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/c72ea20503610a4a7ba26c769357d31602769c01",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

33
CVE-2022/CVE-2022-488xx/CVE-2022-48802.json Normal file
View File

@ -0,0 +1,33 @@
{
"id": "CVE-2022-48802",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:04.690",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/proc: task_mmu.c: don't read mapcount for migration entry\n\nThe syzbot reported the below BUG:\n\n kernel BUG at include/linux/page-flags.h:785!\n invalid opcode: 0000 [#1] PREEMPT SMP KASAN\n CPU: 1 PID: 4392 Comm: syz-executor560 Not tainted 5.16.0-rc6-syzkaller #0\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\n RIP: 0010:PageDoubleMap include/linux/page-flags.h:785 [inline]\n RIP: 0010:__page_mapcount+0x2d2/0x350 mm/util.c:744\n Call Trace:\n page_mapcount include/linux/mm.h:837 [inline]\n smaps_account+0x470/0xb10 fs/proc/task_mmu.c:466\n smaps_pte_entry fs/proc/task_mmu.c:538 [inline]\n smaps_pte_range+0x611/0x1250 fs/proc/task_mmu.c:601\n walk_pmd_range mm/pagewalk.c:128 [inline]\n walk_pud_range mm/pagewalk.c:205 [inline]\n walk_p4d_range mm/pagewalk.c:240 [inline]\n walk_pgd_range mm/pagewalk.c:277 [inline]\n __walk_page_range+0xe23/0x1ea0 mm/pagewalk.c:379\n walk_page_vma+0x277/0x350 mm/pagewalk.c:530\n smap_gather_stats.part.0+0x148/0x260 fs/proc/task_mmu.c:768\n smap_gather_stats fs/proc/task_mmu.c:741 [inline]\n show_smap+0xc6/0x440 fs/proc/task_mmu.c:822\n seq_read_iter+0xbb0/0x1240 fs/seq_file.c:272\n seq_read+0x3e0/0x5b0 fs/seq_file.c:162\n vfs_read+0x1b5/0x600 fs/read_write.c:479\n ksys_read+0x12d/0x250 fs/read_write.c:619\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nThe reproducer was trying to read /proc/$PID/smaps when calling\nMADV_FREE at the mean time. MADV_FREE may split THPs if it is called\nfor partial THP. It may trigger the below race:\n\n CPU A CPU B\n ----- -----\n smaps walk: MADV_FREE:\n page_mapcount()\n PageCompound()\n split_huge_page()\n page = compound_head(page)\n PageDoubleMap(page)\n\nWhen calling PageDoubleMap() this page is not a tail page of THP anymore\nso the BUG is triggered.\n\nThis could be fixed by elevated refcount of the page before calling\nmapcount, but that would prevent it from counting migration entries, and\nit seems overkilling because the race just could happen when PMD is\nsplit so all PTE entries of tail pages are actually migration entries,\nand smaps_account() does treat migration entries as mapcount == 1 as\nKirill pointed out.\n\nAdd a new parameter for smaps_account() to tell this entry is migration\nentry then skip calling page_mapcount(). Don't skip getting mapcount\nfor device private entries since they do track references with mapcount.\n\nPagemap also has the similar issue although it was not reported. Fixed\nit as well.\n\n[shy828301@gmail.com: v4]\n Link: https://lkml.kernel.org/r/20220203182641.824731-1-shy828301@gmail.com\n[nathan@kernel.org: avoid unused variable warning in pagemap_pmd_range()]\n Link: https://lkml.kernel.org/r/20220207171049.1102239-1-nathan@kernel.org"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/05d3f8045efa59457b323caf00bdb9273b7962fa",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/24d7275ce2791829953ed4e72f68277ceb2571c6",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a8dd0cfa37792863b6c4bf9542975212a6715d49",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/db3f3636e4aed2cba3e4e7897a053323f7a62249",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

33
CVE-2022/CVE-2022-488xx/CVE-2022-48803.json Normal file
View File

@ -0,0 +1,33 @@
{
"id": "CVE-2022-48803",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:04.760",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: ti: Fix missing sentinel for clk_div_table\n\n_get_table_maxdiv() tries to access \"clk_div_table\" array out of bound\ndefined in phy-j721e-wiz.c. Add a sentinel entry to prevent\nthe following global-out-of-bounds error reported by enabling KASAN.\n\n[ 9.552392] BUG: KASAN: global-out-of-bounds in _get_maxdiv+0xc0/0x148\n[ 9.558948] Read of size 4 at addr ffff8000095b25a4 by task kworker/u4:1/38\n[ 9.565926]\n[ 9.567441] CPU: 1 PID: 38 Comm: kworker/u4:1 Not tainted 5.16.0-116492-gdaadb3bd0e8d-dirty #360\n[ 9.576242] Hardware name: Texas Instruments J721e EVM (DT)\n[ 9.581832] Workqueue: events_unbound deferred_probe_work_func\n[ 9.587708] Call trace:\n[ 9.590174] dump_backtrace+0x20c/0x218\n[ 9.594038] show_stack+0x18/0x68\n[ 9.597375] dump_stack_lvl+0x9c/0xd8\n[ 9.601062] print_address_description.constprop.0+0x78/0x334\n[ 9.606830] kasan_report+0x1f0/0x260\n[ 9.610517] __asan_load4+0x9c/0xd8\n[ 9.614030] _get_maxdiv+0xc0/0x148\n[ 9.617540] divider_determine_rate+0x88/0x488\n[ 9.622005] divider_round_rate_parent+0xc8/0x124\n[ 9.626729] wiz_clk_div_round_rate+0x54/0x68\n[ 9.631113] clk_core_determine_round_nolock+0x124/0x158\n[ 9.636448] clk_core_round_rate_nolock+0x68/0x138\n[ 9.641260] clk_core_set_rate_nolock+0x268/0x3a8\n[ 9.645987] clk_set_rate+0x50/0xa8\n[ 9.649499] cdns_sierra_phy_init+0x88/0x248\n[ 9.653794] phy_init+0x98/0x108\n[ 9.657046] cdns_pcie_enable_phy+0xa0/0x170\n[ 9.661340] cdns_pcie_init_phy+0x250/0x2b0\n[ 9.665546] j721e_pcie_probe+0x4b8/0x798\n[ 9.669579] platform_probe+0x8c/0x108\n[ 9.673350] really_probe+0x114/0x630\n[ 9.677037] __driver_probe_device+0x18c/0x220\n[ 9.681505] driver_probe_device+0xac/0x150\n[ 9.685712] __device_attach_driver+0xec/0x170\n[ 9.690178] bus_for_each_drv+0xf0/0x158\n[ 9.694124] __device_attach+0x184/0x210\n[ 9.698070] device_initial_probe+0x14/0x20\n[ 9.702277] bus_probe_device+0xec/0x100\n[ 9.706223] deferred_probe_work_func+0x124/0x180\n[ 9.710951] process_one_work+0x4b0/0xbc0\n[ 9.714983] worker_thread+0x74/0x5d0\n[ 9.718668] kthread+0x214/0x230\n[ 9.721919] ret_from_fork+0x10/0x20\n[ 9.725520]\n[ 9.727032] The buggy address belongs to the variable:\n[ 9.732183] clk_div_table+0x24/0x440"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/3c75d1017cb362b6a4e0935746ef5da28250919f",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/5b0c9569135a37348c1267c81e8b0274b21a86ed",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/6d1e6bcb31663ee83aaea1f171f3dbfe95dd4a69",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/7a360e546ad9e7c3fd53d6bb60348c660cd28f54",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

49
CVE-2022/CVE-2022-488xx/CVE-2022-48804.json Normal file
View File

@ -0,0 +1,49 @@
{
"id": "CVE-2022-48804",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:04.830",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvt_ioctl: fix array_index_nospec in vt_setactivate\n\narray_index_nospec ensures that an out-of-bounds value is set to zero\non the transient path. Decreasing the value by one afterwards causes\na transient integer underflow. vsa.console should be decreased first\nand then sanitized with array_index_nospec.\n\nKasper Acknowledgements: Jakob Koschel, Brian Johannesmeyer, Kaveh\nRazavi, Herbert Bos, Cristiano Giuffrida from the VUSec group at VU\nAmsterdam."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/170325aba4608bde3e7d21c9c19b7bc266ac0885",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/2a45a6bd1e6d651770aafff57ab3e1d3bb0b42e0",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/61cc70d9e8ef5b042d4ed87994d20100ec8896d9",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/6550bdf52846f85a2a3726a5aa0c7c4399f2fc02",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/778302ca09498b448620edd372dc908bebf80bdf",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/830c5aa302ec16b4ee641aec769462c37f802c90",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/ae3d57411562260ee3f4fd5e875f410002341104",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/ffe54289b02e9c732d6f04c8ebbe3b2d90d32118",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

49
CVE-2022/CVE-2022-488xx/CVE-2022-48805.json Normal file
View File

@ -0,0 +1,49 @@
{
"id": "CVE-2022-48805",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:04.907",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup\n\nax88179_rx_fixup() contains several out-of-bounds accesses that can be\ntriggered by a malicious (or defective) USB device, in particular:\n\n - The metadata array (hdr_off..hdr_off+2*pkt_cnt) can be out of bounds,\n causing OOB reads and (on big-endian systems) OOB endianness flips.\n - A packet can overlap the metadata array, causing a later OOB\n endianness flip to corrupt data used by a cloned SKB that has already\n been handed off into the network stack.\n - A packet SKB can be constructed whose tail is far beyond its end,\n causing out-of-bounds heap data to be considered part of the SKB's\n data.\n\nI have tested that this can be used by a malicious USB device to send a\nbogus ICMPv6 Echo Request and receive an ICMPv6 Echo Reply in response\nthat contains random kernel heap data.\nIt's probably also possible to get OOB writes from this on a\nlittle-endian system somehow - maybe by triggering skb_cow() via IP\noptions processing -, but I haven't tested that."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/1668781ed24da43498799aa4f65714a7de201930",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/57bc3d3ae8c14df3ceb4e17d26ddf9eeab304581",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/63f0cfb36c1f1964a59ce544156677601e2d8740",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/711b6bf3fb052f0a6b5b3205d50e30c0c2980382",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/758290defe93a865a2880d10c5d5abd288b64b5d",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/9681823f96a811268265f35307072ad80713c274",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a0fd5492ee769029a636f1fb521716b022b1423d",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/ffd0393adcdcefab7e131488e10dcfde5e02d6eb",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

37
CVE-2022/CVE-2022-488xx/CVE-2022-48806.json Normal file
View File

@ -0,0 +1,37 @@
{
"id": "CVE-2022-48806",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:04.980",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\neeprom: ee1004: limit i2c reads to I2C_SMBUS_BLOCK_MAX\n\nCommit effa453168a7 (\"i2c: i801: Don't silently correct invalid transfer\nsize\") revealed that ee1004_eeprom_read() did not properly limit how\nmany bytes to read at once.\n\nIn particular, i2c_smbus_read_i2c_block_data_or_emulated() takes the\nlength to read as an u8. If count == 256 after taking into account the\noffset and page boundary, the cast to u8 overflows. And this is common\nwhen user space tries to read the entire EEPROM at once.\n\nTo fix it, limit each read to I2C_SMBUS_BLOCK_MAX (32) bytes, already\nthe maximum length i2c_smbus_read_i2c_block_data_or_emulated() allows."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/3937c35493ee2847aaefcfa5460e94b7443eef49",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/9443ddeb3754e9e382a396b50adc1961301713ce",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/9a5f471ae380f9fcb9756d453c12ca1f8595a93c",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a37960df7eac3cc8094bd1ab84864e9e32c91345",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/c0689e46be23160d925dca95dfc411f1a0462708",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

29
CVE-2022/CVE-2022-488xx/CVE-2022-48807.json Normal file
View File

@ -0,0 +1,29 @@
{
"id": "CVE-2022-48807",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:05.050",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Fix KASAN error in LAG NETDEV_UNREGISTER handler\n\nCurrently, the same handler is called for both a NETDEV_BONDING_INFO\nLAG unlink notification as for a NETDEV_UNREGISTER call. This is\ncausing a problem though, since the netdev_notifier_info passed has\na different structure depending on which event is passed. The problem\nmanifests as a call trace from a BUG: KASAN stack-out-of-bounds error.\n\nFix this by creating a handler specific to NETDEV_UNREGISTER that only\nis passed valid elements in the netdev_notifier_info struct for the\nNETDEV_UNREGISTER event.\n\nAlso included is the removal of an unbalanced dev_put on the peer_netdev\nand related braces."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/bea1898f65b9b7096cb4e73e97c83b94718f1fa1",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/f9daedc3ab8f673e3a9374b91a89fbf1174df469",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/faa9bcf700ca1a0d09f92502a6b65d3ce313fb46",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

29
CVE-2022/CVE-2022-488xx/CVE-2022-48808.json Normal file
View File

@ -0,0 +1,29 @@
{
"id": "CVE-2022-48808",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:05.120",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: fix panic when DSA master device unbinds on shutdown\n\nRafael reports that on a system with LX2160A and Marvell DSA switches,\nif a reboot occurs while the DSA master (dpaa2-eth) is up, the following\npanic can be seen:\n\nsystemd-shutdown[1]: Rebooting.\nUnable to handle kernel paging request at virtual address 00a0000800000041\n[00a0000800000041] address between user and kernel address ranges\nInternal error: Oops: 96000004 [#1] PREEMPT SMP\nCPU: 6 PID: 1 Comm: systemd-shutdow Not tainted 5.16.5-00042-g8f5585009b24 #32\npc : dsa_slave_netdevice_event+0x130/0x3e4\nlr : raw_notifier_call_chain+0x50/0x6c\nCall trace:\n dsa_slave_netdevice_event+0x130/0x3e4\n raw_notifier_call_chain+0x50/0x6c\n call_netdevice_notifiers_info+0x54/0xa0\n __dev_close_many+0x50/0x130\n dev_close_many+0x84/0x120\n unregister_netdevice_many+0x130/0x710\n unregister_netdevice_queue+0x8c/0xd0\n unregister_netdev+0x20/0x30\n dpaa2_eth_remove+0x68/0x190\n fsl_mc_driver_remove+0x20/0x5c\n __device_release_driver+0x21c/0x220\n device_release_driver_internal+0xac/0xb0\n device_links_unbind_consumers+0xd4/0x100\n __device_release_driver+0x94/0x220\n device_release_driver+0x28/0x40\n bus_remove_device+0x118/0x124\n device_del+0x174/0x420\n fsl_mc_device_remove+0x24/0x40\n __fsl_mc_device_remove+0xc/0x20\n device_for_each_child+0x58/0xa0\n dprc_remove+0x90/0xb0\n fsl_mc_driver_remove+0x20/0x5c\n __device_release_driver+0x21c/0x220\n device_release_driver+0x28/0x40\n bus_remove_device+0x118/0x124\n device_del+0x174/0x420\n fsl_mc_bus_remove+0x80/0x100\n fsl_mc_bus_shutdown+0xc/0x1c\n platform_shutdown+0x20/0x30\n device_shutdown+0x154/0x330\n __do_sys_reboot+0x1cc/0x250\n __arm64_sys_reboot+0x20/0x30\n invoke_syscall.constprop.0+0x4c/0xe0\n do_el0_svc+0x4c/0x150\n el0_svc+0x24/0xb0\n el0t_64_sync_handler+0xa8/0xb0\n el0t_64_sync+0x178/0x17c\n\nIt can be seen from the stack trace that the problem is that the\nderegistration of the master causes a dev_close(), which gets notified\nas NETDEV_GOING_DOWN to dsa_slave_netdevice_event().\nBut dsa_switch_shutdown() has already run, and this has unregistered the\nDSA slave interfaces, and yet, the NETDEV_GOING_DOWN handler attempts to\ncall dev_close_many() on those slave interfaces, leading to the problem.\n\nThe previous attempt to avoid the NETDEV_GOING_DOWN on the master after\ndsa_switch_shutdown() was called seems improper. Unregistering the slave\ninterfaces is unnecessary and unhelpful. Instead, after the slaves have\nstopped being uppers of the DSA master, we can now reset to NULL the\nmaster->dsa_ptr pointer, which will make DSA start ignoring all future\nnotifier events on the master."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/89b60402d43cdab4387dbbf24afebda5cf092ae7",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/ee534378f00561207656663d93907583958339ae",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/ff45899e732e57088985e3a497b1d9100571c0f5",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

49
CVE-2022/CVE-2022-488xx/CVE-2022-48809.json Normal file
View File

@ -0,0 +1,49 @@
{
"id": "CVE-2022-48809",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:05.190",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix a memleak when uncloning an skb dst and its metadata\n\nWhen uncloning an skb dst and its associated metadata, a new\ndst+metadata is allocated and later replaces the old one in the skb.\nThis is helpful to have a non-shared dst+metadata attached to a specific\nskb.\n\nThe issue is the uncloned dst+metadata is initialized with a refcount of\n1, which is increased to 2 before attaching it to the skb. When\ntun_dst_unclone returns, the dst+metadata is only referenced from a\nsingle place (the skb) while its refcount is 2. Its refcount will never\ndrop to 0 (when the skb is consumed), leading to a memory leak.\n\nFix this by removing the call to dst_hold in tun_dst_unclone, as the\ndst+metadata refcount is already 1."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/00e6d6c3bc14dfe32824e2c515f0e0f2d6ecf2f1",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/0be943916d781df2b652793bb2d3ae4f9624c10a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/4ac84498fbe84a00e7aef185e2bb3e40ce71eca4",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/8b1087b998e273f07be13dcb5f3ca4c309c7f108",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/9eeabdf17fa0ab75381045c867c370f4cc75a613",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a80817adc2a4c1ba26a7aa5f3ed886e4a18dff88",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/c1ff27d100e2670b03cbfddb9117e5f9fc672540",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/fdcb263fa5cda15b8cb24a641fa2718c47605314",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

49
CVE-2022/CVE-2022-488xx/CVE-2022-48810.json Normal file
View File

@ -0,0 +1,49 @@
{
"id": "CVE-2022-48810",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:05.280",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipmr,ip6mr: acquire RTNL before calling ip[6]mr_free_table() on failure path\n\nip[6]mr_free_table() can only be called under RTNL lock.\n\nRTNL: assertion failed at net/core/dev.c (10367)\nWARNING: CPU: 1 PID: 5890 at net/core/dev.c:10367 unregister_netdevice_many+0x1246/0x1850 net/core/dev.c:10367\nModules linked in:\nCPU: 1 PID: 5890 Comm: syz-executor.2 Not tainted 5.16.0-syzkaller-11627-g422ee58dc0ef #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nRIP: 0010:unregister_netdevice_many+0x1246/0x1850 net/core/dev.c:10367\nCode: 0f 85 9b ee ff ff e8 69 07 4b fa ba 7f 28 00 00 48 c7 c6 00 90 ae 8a 48 c7 c7 40 90 ae 8a c6 05 6d b1 51 06 01 e8 8c 90 d8 01 <0f> 0b e9 70 ee ff ff e8 3e 07 4b fa 4c 89 e7 e8 86 2a 59 fa e9 ee\nRSP: 0018:ffffc900046ff6e0 EFLAGS: 00010286\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000\nRDX: ffff888050f51d00 RSI: ffffffff815fa008 RDI: fffff520008dfece\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: ffffffff815f3d6e R11: 0000000000000000 R12: 00000000fffffff4\nR13: dffffc0000000000 R14: ffffc900046ff750 R15: ffff88807b7dc000\nFS: 00007f4ab736e700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fee0b4f8990 CR3: 000000001e7d2000 CR4: 00000000003506e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n mroute_clean_tables+0x244/0xb40 net/ipv6/ip6mr.c:1509\n ip6mr_free_table net/ipv6/ip6mr.c:389 [inline]\n ip6mr_rules_init net/ipv6/ip6mr.c:246 [inline]\n ip6mr_net_init net/ipv6/ip6mr.c:1306 [inline]\n ip6mr_net_init+0x3f0/0x4e0 net/ipv6/ip6mr.c:1298\n ops_init+0xaf/0x470 net/core/net_namespace.c:140\n setup_net+0x54f/0xbb0 net/core/net_namespace.c:331\n copy_net_ns+0x318/0x760 net/core/net_namespace.c:475\n create_new_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110\n copy_namespaces+0x391/0x450 kernel/nsproxy.c:178\n copy_process+0x2e0c/0x7300 kernel/fork.c:2167\n kernel_clone+0xe7/0xab0 kernel/fork.c:2555\n __do_sys_clone+0xc8/0x110 kernel/fork.c:2672\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7f4ab89f9059\nCode: Unable to access opcode bytes at RIP 0x7f4ab89f902f.\nRSP: 002b:00007f4ab736e118 EFLAGS: 00000206 ORIG_RAX: 0000000000000038\nRAX: ffffffffffffffda RBX: 00007f4ab8b0bf60 RCX: 00007f4ab89f9059\nRDX: 0000000020000280 RSI: 0000000020000270 RDI: 0000000040200000\nRBP: 00007f4ab8a5308d R08: 0000000020000300 R09: 0000000020000300\nR10: 00000000200002c0 R11: 0000000000000206 R12: 0000000000000000\nR13: 00007ffc3977cc1f R14: 00007f4ab736e300 R15: 0000000000022000\n </TASK>"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/09ac0fcb0a82d647f2c61d3d488d367b7ee5bd51",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/12b6703e9546902c56b4b9048b893ad49d62bdd4",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/16dcfde98a25340ff0f7879a16bea141d824a196",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/3cab045c99dbb9a94eb2d1d405f399916eec698a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/5611a00697c8ecc5aad04392bea629e9d6a20463",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/80c529322600dfb1f985b5e3f14c3c6f522ce154",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/b541845dfc4e7df551955e70deec0921d6b297c3",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/feb9597e22755dce782aae26ac0590c06737e049",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

29
CVE-2022/CVE-2022-488xx/CVE-2022-48811.json Normal file
View File

@ -0,0 +1,29 @@
{
"id": "CVE-2022-48811",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:05.367",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nibmvnic: don't release napi in __ibmvnic_open()\n\nIf __ibmvnic_open() encounters an error such as when setting link state,\nit calls release_resources() which frees the napi structures needlessly.\nInstead, have __ibmvnic_open() only clean up the work it did so far (i.e.\ndisable napi and irqs) and leave the rest to the callers.\n\nIf caller of __ibmvnic_open() is ibmvnic_open(), it should release the\nresources immediately. If the caller is do_reset() or do_hard_reset(),\nthey will release the resources on the next reset.\n\nThis fixes following crash that occurred when running the drmgr command\nseveral times to add/remove a vnic interface:\n\n\t[102056] ibmvnic 30000003 env3: Disabling rx_scrq[6] irq\n\t[102056] ibmvnic 30000003 env3: Disabling rx_scrq[7] irq\n\t[102056] ibmvnic 30000003 env3: Replenished 8 pools\n\tKernel attempted to read user page (10) - exploit attempt? (uid: 0)\n\tBUG: Kernel NULL pointer dereference on read at 0x00000010\n\tFaulting instruction address: 0xc000000000a3c840\n\tOops: Kernel access of bad area, sig: 11 [#1]\n\tLE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries\n\t...\n\tCPU: 9 PID: 102056 Comm: kworker/9:2 Kdump: loaded Not tainted 5.16.0-rc5-autotest-g6441998e2e37 #1\n\tWorkqueue: events_long __ibmvnic_reset [ibmvnic]\n\tNIP: c000000000a3c840 LR: c0080000029b5378 CTR: c000000000a3c820\n\tREGS: c0000000548e37e0 TRAP: 0300 Not tainted (5.16.0-rc5-autotest-g6441998e2e37)\n\tMSR: 8000000000009033 <SF,EE,ME,IR,DR,RI,LE> CR: 28248484 XER: 00000004\n\tCFAR: c0080000029bdd24 DAR: 0000000000000010 DSISR: 40000000 IRQMASK: 0\n\tGPR00: c0080000029b55d0 c0000000548e3a80 c0000000028f0200 0000000000000000\n\t...\n\tNIP [c000000000a3c840] napi_enable+0x20/0xc0\n\tLR [c0080000029b5378] __ibmvnic_open+0xf0/0x430 [ibmvnic]\n\tCall Trace:\n\t[c0000000548e3a80] [0000000000000006] 0x6 (unreliable)\n\t[c0000000548e3ab0] [c0080000029b55d0] __ibmvnic_open+0x348/0x430 [ibmvnic]\n\t[c0000000548e3b40] [c0080000029bcc28] __ibmvnic_reset+0x500/0xdf0 [ibmvnic]\n\t[c0000000548e3c60] [c000000000176228] process_one_work+0x288/0x570\n\t[c0000000548e3d00] [c000000000176588] worker_thread+0x78/0x660\n\t[c0000000548e3da0] [c0000000001822f0] kthread+0x1c0/0x1d0\n\t[c0000000548e3e10] [c00000000000cf64] ret_from_kernel_thread+0x5c/0x64\n\tInstruction dump:\n\t7d2948f8 792307e0 4e800020 60000000 3c4c01eb 384239e0 f821ffd1 39430010\n\t38a0fff6 e92d1100 f9210028 39200000 <e9030010> f9010020 60420000 e9210020\n\t---[ end trace 5f8033b08fd27706 ]---"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/61772b0908c640d0309c40f7d41d062ca4e979fa",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/960dfaf3b578dd23af012590e809ae2d58ba1827",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/e08cb9056fb2564d1f6bad789bdf79ab09bf2f81",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

33
CVE-2022/CVE-2022-488xx/CVE-2022-48812.json Normal file
View File

@ -0,0 +1,33 @@
{
"id": "CVE-2022-48812",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:05.430",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: lantiq_gswip: don't use devres for mdiobus\n\nAs explained in commits:\n74b6d7d13307 (\"net: dsa: realtek: register the MDIO bus under devres\")\n5135e96a3dd2 (\"net: dsa: don't allocate the slave_mii_bus using devres\")\n\nmdiobus_free() will panic when called from devm_mdiobus_free() <-\ndevres_release_all() <- __device_release_driver(), and that mdiobus was\nnot previously unregistered.\n\nThe GSWIP switch is a platform device, so the initial set of constraints\nthat I thought would cause this (I2C or SPI buses which call ->remove on\n->shutdown) do not apply. But there is one more which applies here.\n\nIf the DSA master itself is on a bus that calls ->remove from ->shutdown\n(like dpaa2-eth, which is on the fsl-mc bus), there is a device link\nbetween the switch and the DSA master, and device_links_unbind_consumers()\nwill unbind the GSWIP switch driver on shutdown.\n\nSo the same treatment must be applied to all DSA switch drivers, which\nis: either use devres for both the mdiobus allocation and registration,\nor don't use devres at all.\n\nThe gswip driver has the code structure in place for orderly mdiobus\nremoval, so just replace devm_mdiobus_alloc() with the non-devres\nvariant, and add manual free where necessary, to ensure that we don't\nlet devres free a still-registered bus."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/0d120dfb5d67edc5bcd1804e167dba2b30809afd",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/2443ba2fe396bdde187a2fdfa6a57375643ae93c",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/b5652bc50dde7b84e93dfb25479b64b817e377c1",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/e177d2e85ebcd3008c4b2abc293f4118e04eedef",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

33
CVE-2022/CVE-2022-488xx/CVE-2022-48813.json Normal file
View File

@ -0,0 +1,33 @@
{
"id": "CVE-2022-48813",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:05.493",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: felix: don't use devres for mdiobus\n\nAs explained in commits:\n74b6d7d13307 (\"net: dsa: realtek: register the MDIO bus under devres\")\n5135e96a3dd2 (\"net: dsa: don't allocate the slave_mii_bus using devres\")\n\nmdiobus_free() will panic when called from devm_mdiobus_free() <-\ndevres_release_all() <- __device_release_driver(), and that mdiobus was\nnot previously unregistered.\n\nThe Felix VSC9959 switch is a PCI device, so the initial set of\nconstraints that I thought would cause this (I2C or SPI buses which call\n->remove on ->shutdown) do not apply. But there is one more which\napplies here.\n\nIf the DSA master itself is on a bus that calls ->remove from ->shutdown\n(like dpaa2-eth, which is on the fsl-mc bus), there is a device link\nbetween the switch and the DSA master, and device_links_unbind_consumers()\nwill unbind the felix switch driver on shutdown.\n\nSo the same treatment must be applied to all DSA switch drivers, which\nis: either use devres for both the mdiobus allocation and registration,\nor don't use devres at all.\n\nThe felix driver has the code structure in place for orderly mdiobus\nremoval, so just replace devm_mdiobus_alloc_size() with the non-devres\nvariant, and add manual free where necessary, to ensure that we don't\nlet devres free a still-registered bus."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/209bdb7ec6a28c7cdf580a0a98afbc9fc3b98932",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/8cda7577a0b4018572f31e0caadfabd305ea2786",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/95e5402f9430b3c7d885dd3ec4c8c02c17936923",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/9db6f056efd089e80d81c774c01b639adf30c097",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

29
CVE-2022/CVE-2022-488xx/CVE-2022-48814.json Normal file
View File

@ -0,0 +1,29 @@
{
"id": "CVE-2022-48814",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:05.563",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: seville: register the mdiobus under devres\n\nAs explained in commits:\n74b6d7d13307 (\"net: dsa: realtek: register the MDIO bus under devres\")\n5135e96a3dd2 (\"net: dsa: don't allocate the slave_mii_bus using devres\")\n\nmdiobus_free() will panic when called from devm_mdiobus_free() <-\ndevres_release_all() <- __device_release_driver(), and that mdiobus was\nnot previously unregistered.\n\nThe Seville VSC9959 switch is a platform device, so the initial set of\nconstraints that I thought would cause this (I2C or SPI buses which call\n->remove on ->shutdown) do not apply. But there is one more which\napplies here.\n\nIf the DSA master itself is on a bus that calls ->remove from ->shutdown\n(like dpaa2-eth, which is on the fsl-mc bus), there is a device link\nbetween the switch and the DSA master, and device_links_unbind_consumers()\nwill unbind the seville switch driver on shutdown.\n\nSo the same treatment must be applied to all DSA switch drivers, which\nis: either use devres for both the mdiobus allocation and registration,\nor don't use devres at all.\n\nThe seville driver has a code structure that could accommodate both the\nmdiobus_unregister and mdiobus_free calls, but it has an external\ndependency upon mscc_miim_setup() from mdio-mscc-miim.c, which calls\ndevm_mdiobus_alloc_size() on its behalf. So rather than restructuring\nthat, and exporting yet one more symbol mscc_miim_teardown(), let's work\nwith devres and replace of_mdiobus_register with the devres variant.\nWhen we use all-devres, we can ensure that devres doesn't free a\nstill-registered bus (it either runs both callbacks, or none)."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/0e816362d823cd46c666e64d8bffe329ee22f4cc",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/1d13e7221035947c62800c9d3d99b4ed570e27e7",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/bd488afc3b39e045ba71aab472233f2a78726e7b",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

33
CVE-2022/CVE-2022-488xx/CVE-2022-48815.json Normal file
View File

@ -0,0 +1,33 @@
{
"id": "CVE-2022-48815",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:05.623",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: bcm_sf2: don't use devres for mdiobus\n\nAs explained in commits:\n74b6d7d13307 (\"net: dsa: realtek: register the MDIO bus under devres\")\n5135e96a3dd2 (\"net: dsa: don't allocate the slave_mii_bus using devres\")\n\nmdiobus_free() will panic when called from devm_mdiobus_free() <-\ndevres_release_all() <- __device_release_driver(), and that mdiobus was\nnot previously unregistered.\n\nThe Starfighter 2 is a platform device, so the initial set of\nconstraints that I thought would cause this (I2C or SPI buses which call\n->remove on ->shutdown) do not apply. But there is one more which\napplies here.\n\nIf the DSA master itself is on a bus that calls ->remove from ->shutdown\n(like dpaa2-eth, which is on the fsl-mc bus), there is a device link\nbetween the switch and the DSA master, and device_links_unbind_consumers()\nwill unbind the bcm_sf2 switch driver on shutdown.\n\nSo the same treatment must be applied to all DSA switch drivers, which\nis: either use devres for both the mdiobus allocation and registration,\nor don't use devres at all.\n\nThe bcm_sf2 driver has the code structure in place for orderly mdiobus\nremoval, so just replace devm_mdiobus_alloc() with the non-devres\nvariant, and add manual free where necessary, to ensure that we don't\nlet devres free a still-registered bus."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/08e1a3554e99a1a5bd2835907381e2383ee85cae",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/08f1a20822349004bb9cc1b153ecb516e9f2889d",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/2770b795294ed312375c11ef1d0b810499c66b83",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/caabb5f64f5c32fceed93356bb688ef1ec6c5783",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

25
CVE-2022/CVE-2022-488xx/CVE-2022-48816.json Normal file
View File

@ -0,0 +1,25 @@
{
"id": "CVE-2022-48816",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:05.687",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: lock against ->sock changing during sysfs read\n\n->sock can be set to NULL asynchronously unless ->recv_mutex is held.\nSo it is important to hold that mutex. Otherwise a sysfs read can\ntrigger an oops.\nCommit 17f09d3f619a (\"SUNRPC: Check if the xprt is connected before\nhandling sysfs reads\") appears to attempt to fix this problem, but it\nonly narrows the race window."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/9482ab4540f5bcc869b44c067ae99b5fca16bd07",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/b49ea673e119f59c71645e2f65b3ccad857c90ee",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

33
CVE-2022/CVE-2022-488xx/CVE-2022-48817.json Normal file
View File

@ -0,0 +1,33 @@
{
"id": "CVE-2022-48817",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:05.747",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: ar9331: register the mdiobus under devres\n\nAs explained in commits:\n74b6d7d13307 (\"net: dsa: realtek: register the MDIO bus under devres\")\n5135e96a3dd2 (\"net: dsa: don't allocate the slave_mii_bus using devres\")\n\nmdiobus_free() will panic when called from devm_mdiobus_free() <-\ndevres_release_all() <- __device_release_driver(), and that mdiobus was\nnot previously unregistered.\n\nThe ar9331 is an MDIO device, so the initial set of constraints that I\nthought would cause this (I2C or SPI buses which call ->remove on\n->shutdown) do not apply. But there is one more which applies here.\n\nIf the DSA master itself is on a bus that calls ->remove from ->shutdown\n(like dpaa2-eth, which is on the fsl-mc bus), there is a device link\nbetween the switch and the DSA master, and device_links_unbind_consumers()\nwill unbind the ar9331 switch driver on shutdown.\n\nSo the same treatment must be applied to all DSA switch drivers, which\nis: either use devres for both the mdiobus allocation and registration,\nor don't use devres at all.\n\nThe ar9331 driver doesn't have a complex code structure for mdiobus\nremoval, so just replace of_mdiobus_register with the devres variant in\norder to be all-devres and ensure that we don't free a still-registered\nbus."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/475ce5dcf2d88fd4f3c213a0ac944e3e40702970",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/50facd86e9fbc4b93fe02e5fe05776047f45dbfb",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/aae1c6a1d3d696fc33b609fb12fe744a556d1dc5",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/f1842a8cb71de4d7eb75a86f76e88c7ee739218c",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

33
CVE-2022/CVE-2022-488xx/CVE-2022-48818.json Normal file
View File

@ -0,0 +1,33 @@
{
"id": "CVE-2022-48818",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:05.813",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: mv88e6xxx: don't use devres for mdiobus\n\nAs explained in commits:\n74b6d7d13307 (\"net: dsa: realtek: register the MDIO bus under devres\")\n5135e96a3dd2 (\"net: dsa: don't allocate the slave_mii_bus using devres\")\n\nmdiobus_free() will panic when called from devm_mdiobus_free() <-\ndevres_release_all() <- __device_release_driver(), and that mdiobus was\nnot previously unregistered.\n\nThe mv88e6xxx is an MDIO device, so the initial set of constraints that\nI thought would cause this (I2C or SPI buses which call ->remove on\n->shutdown) do not apply. But there is one more which applies here.\n\nIf the DSA master itself is on a bus that calls ->remove from ->shutdown\n(like dpaa2-eth, which is on the fsl-mc bus), there is a device link\nbetween the switch and the DSA master, and device_links_unbind_consumers()\nwill unbind the Marvell switch driver on shutdown.\n\nsystemd-shutdown[1]: Powering off.\nmv88e6085 0x0000000008b96000:00 sw_gl0: Link is Down\nfsl-mc dpbp.9: Removing from iommu group 7\nfsl-mc dpbp.8: Removing from iommu group 7\n------------[ cut here ]------------\nkernel BUG at drivers/net/phy/mdio_bus.c:677!\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\nModules linked in:\nCPU: 0 PID: 1 Comm: systemd-shutdow Not tainted 5.16.5-00040-gdc05f73788e5 #15\npc : mdiobus_free+0x44/0x50\nlr : devm_mdiobus_free+0x10/0x20\nCall trace:\n mdiobus_free+0x44/0x50\n devm_mdiobus_free+0x10/0x20\n devres_release_all+0xa0/0x100\n __device_release_driver+0x190/0x220\n device_release_driver_internal+0xac/0xb0\n device_links_unbind_consumers+0xd4/0x100\n __device_release_driver+0x4c/0x220\n device_release_driver_internal+0xac/0xb0\n device_links_unbind_consumers+0xd4/0x100\n __device_release_driver+0x94/0x220\n device_release_driver+0x28/0x40\n bus_remove_device+0x118/0x124\n device_del+0x174/0x420\n fsl_mc_device_remove+0x24/0x40\n __fsl_mc_device_remove+0xc/0x20\n device_for_each_child+0x58/0xa0\n dprc_remove+0x90/0xb0\n fsl_mc_driver_remove+0x20/0x5c\n __device_release_driver+0x21c/0x220\n device_release_driver+0x28/0x40\n bus_remove_device+0x118/0x124\n device_del+0x174/0x420\n fsl_mc_bus_remove+0x80/0x100\n fsl_mc_bus_shutdown+0xc/0x1c\n platform_shutdown+0x20/0x30\n device_shutdown+0x154/0x330\n kernel_power_off+0x34/0x6c\n __do_sys_reboot+0x15c/0x250\n __arm64_sys_reboot+0x20/0x30\n invoke_syscall.constprop.0+0x4c/0xe0\n do_el0_svc+0x4c/0x150\n el0_svc+0x24/0xb0\n el0t_64_sync_handler+0xa8/0xb0\n el0t_64_sync+0x178/0x17c\n\nSo the same treatment must be applied to all DSA switch drivers, which\nis: either use devres for both the mdiobus allocation and registration,\nor don't use devres at all.\n\nThe Marvell driver already has a good structure for mdiobus removal, so\njust plug in mdiobus_free and get rid of devres."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/1b451c3994a2d322f8e55032c62c8b47b7d95900",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/8b626d45127d6f5ada7d815b83cfdc09e8cb1394",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/8ccebe77df6e0d88c72ba5e69cf1835927e53b6c",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/f53a2ce893b2c7884ef94471f170839170a4eba0",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

25
CVE-2022/CVE-2022-488xx/CVE-2022-48819.json Normal file
View File

@ -0,0 +1,25 @@
{
"id": "CVE-2022-48819",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:05.883",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: take care of mixed splice()/sendmsg(MSG_ZEROCOPY) case\n\nsyzbot found that mixing sendpage() and sendmsg(MSG_ZEROCOPY)\ncalls over the same TCP socket would again trigger the\ninfamous warning in inet_sock_destruct()\n\n\tWARN_ON(sk_forward_alloc_get(sk));\n\nWhile Talal took into account a mix of regular copied data\nand MSG_ZEROCOPY one in the same skb, the sendpage() path\nhas been forgotten.\n\nWe want the charging to happen for sendpage(), because\npages could be coming from a pipe. What is missing is the\ndowngrading of pure zerocopy status to make sure\nsk_forward_alloc will stay synced.\n\nAdd tcp_downgrade_zcopy_pure() helper so that we can\nuse it from the two callers."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/47f3860c4931175f112f28dcac66eacca9b1040f",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/f8d9d938514f46c4892aff6bfe32f425e84d81cc",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

29
CVE-2022/CVE-2022-488xx/CVE-2022-48820.json Normal file
View File

@ -0,0 +1,29 @@
{
"id": "CVE-2022-48820",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:05.943",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: stm32: fix a refcount leak in stm32_usbphyc_pll_enable()\n\nThis error path needs to decrement \"usbphyc->n_pll_cons.counter\" before\nreturning."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/0ad1a88fa3eb0ded7798f52b79bc33f75fc9a6d2",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/94b16ca86ab688ed6fad4548f70137f93cf1f0a9",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/cfc826c88a79e22ba5d8001556eb2c7efd8a01b6",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

37
CVE-2022/CVE-2022-488xx/CVE-2022-48821.json Normal file
View File

@ -0,0 +1,37 @@
{
"id": "CVE-2022-48821",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:06.010",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: fastrpc: avoid double fput() on failed usercopy\n\nIf the copy back to userland fails for the FASTRPC_IOCTL_ALLOC_DMA_BUFF\nioctl(), we shouldn't assume that 'buf->dmabuf' is still valid. In fact,\ndma_buf_fd() called fd_install() before, i.e. \"consumed\" one reference,\nleaving us with none.\n\nCalling dma_buf_put() will therefore put a reference we no longer own,\nleading to a valid file descritor table entry for an already released\n'file' object which is a straight use-after-free.\n\nSimply avoid calling dma_buf_put() and rely on the process exit code to\ndo the necessary cleanup, if needed, i.e. if the file descriptor is\nstill valid."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/46963e2e0629cb31c96b1d47ddd89dc3d8990b34",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/4e6fd2b5fcf8e7119305a6042bd92e7f2b9ed215",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/76f85c307ef9f10aa2cef1b1d5ee654c1f3345fc",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a5ce7ee5fcc07583159f54ab4af5164de00148f5",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/e4382d0a39f9a1e260d62fdc079ddae5293c037d",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

45
CVE-2022/CVE-2022-488xx/CVE-2022-48822.json Normal file
View File

@ -0,0 +1,45 @@
{
"id": "CVE-2022-48822",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:06.073",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: f_fs: Fix use-after-free for epfile\n\nConsider a case where ffs_func_eps_disable is called from\nffs_func_disable as part of composition switch and at the\nsame time ffs_epfile_release get called from userspace.\nffs_epfile_release will free up the read buffer and call\nffs_data_closed which in turn destroys ffs->epfiles and\nmark it as NULL. While this was happening the driver has\nalready initialized the local epfile in ffs_func_eps_disable\nwhich is now freed and waiting to acquire the spinlock. Once\nspinlock is acquired the driver proceeds with the stale value\nof epfile and tries to free the already freed read buffer\ncausing use-after-free.\n\nFollowing is the illustration of the race:\n\n CPU1 CPU2\n\n ffs_func_eps_disable\n epfiles (local copy)\n\t\t\t\t\tffs_epfile_release\n\t\t\t\t\tffs_data_closed\n\t\t\t\t\tif (last file closed)\n\t\t\t\t\tffs_data_reset\n\t\t\t\t\tffs_data_clear\n\t\t\t\t\tffs_epfiles_destroy\nspin_lock\ndereference epfiles\n\nFix this races by taking epfiles local copy & assigning it under\nspinlock and if epfiles(local) is null then update it in ffs->epfiles\nthen finally destroy it.\nExtending the scope further from the race, protecting the ep related\nstructures, and concurrent accesses."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/0042178a69eb77a979e36a50dcce9794a3140ef8",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/32048f4be071f9a6966744243f1786f45bb22dc2",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/3e078b18753669615301d946297bafd69294ad2c",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/72a8aee863af099d4434314c4536d6c9a61dcf3c",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/c9fc422c9a43e3d58d246334a71f3390401781dc",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/cfe5f6fd335d882bcc829a1c8a7d462a455c626e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/ebe2b1add1055b903e2acd86b290a85297edc0b3",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

37
CVE-2022/CVE-2022-488xx/CVE-2022-48823.json Normal file
View File

@ -0,0 +1,37 @@
{
"id": "CVE-2022-48823",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:06.147",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qedf: Fix refcount issue when LOGO is received during TMF\n\nHung task call trace was seen during LOGO processing.\n\n[ 974.309060] [0000:00:00.0]:[qedf_eh_device_reset:868]: 1:0:2:0: LUN RESET Issued...\n[ 974.309065] [0000:00:00.0]:[qedf_initiate_tmf:2422]: tm_flags 0x10 sc_cmd 00000000c16b930f op = 0x2a target_id = 0x2 lun=0\n[ 974.309178] [0000:00:00.0]:[qedf_initiate_tmf:2431]: portid=016900 tm_flags =LUN RESET\n[ 974.309222] [0000:00:00.0]:[qedf_initiate_tmf:2438]: orig io_req = 00000000ec78df8f xid = 0x180 ref_cnt = 1.\n[ 974.309625] host1: rport 016900: Received LOGO request while in state Ready\n[ 974.309627] host1: rport 016900: Delete port\n[ 974.309642] host1: rport 016900: work event 3\n[ 974.309644] host1: rport 016900: lld callback ev 3\n[ 974.313243] [0000:61:00.2]:[qedf_execute_tmf:2383]:1: fcport is uploading, not executing flush.\n[ 974.313295] [0000:61:00.2]:[qedf_execute_tmf:2400]:1: task mgmt command success...\n[ 984.031088] INFO: task jbd2/dm-15-8:7645 blocked for more than 120 seconds.\n[ 984.031136] Not tainted 4.18.0-305.el8.x86_64 #1\n\n[ 984.031166] \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n[ 984.031209] jbd2/dm-15-8 D 0 7645 2 0x80004080\n[ 984.031212] Call Trace:\n[ 984.031222] __schedule+0x2c4/0x700\n[ 984.031230] ? unfreeze_partials.isra.83+0x16e/0x1a0\n[ 984.031233] ? bit_wait_timeout+0x90/0x90\n[ 984.031235] schedule+0x38/0xa0\n[ 984.031238] io_schedule+0x12/0x40\n[ 984.031240] bit_wait_io+0xd/0x50\n[ 984.031243] __wait_on_bit+0x6c/0x80\n[ 984.031248] ? free_buffer_head+0x21/0x50\n[ 984.031251] out_of_line_wait_on_bit+0x91/0xb0\n[ 984.031257] ? init_wait_var_entry+0x50/0x50\n[ 984.031268] jbd2_journal_commit_transaction+0x112e/0x19f0 [jbd2]\n[ 984.031280] kjournald2+0xbd/0x270 [jbd2]\n[ 984.031284] ? finish_wait+0x80/0x80\n[ 984.031291] ? commit_timeout+0x10/0x10 [jbd2]\n[ 984.031294] kthread+0x116/0x130\n[ 984.031300] ? kthread_flush_work_fn+0x10/0x10\n[ 984.031305] ret_from_fork+0x1f/0x40\n\nThere was a ref count issue when LOGO is received during TMF. This leads to\none of the I/Os hanging with the driver. Fix the ref count."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/5239ab63f17cee643bd4bf6addfedebaa7d4f41e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/6be8eaad75ca73131e2a697f0270dc8ee73814a8",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/7cc32ff0cd6c44a3c26de5faecfe8b5546198fad",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/7fcbed38503bb34c6e6538b6a9482d1c6bead1e8",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/87f187e5265bc8e3b38faef8b9db864cdd61dde7",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

37
CVE-2022/CVE-2022-488xx/CVE-2022-48824.json Normal file
View File

@ -0,0 +1,37 @@
{
"id": "CVE-2022-48824",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:06.210",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: myrs: Fix crash in error case\n\nIn myrs_detect(), cs->disable_intr is NULL when privdata->hw_init() fails\nwith non-zero. In this case, myrs_cleanup(cs) will call a NULL ptr and\ncrash the kernel.\n\n[ 1.105606] myrs 0000:00:03.0: Unknown Initialization Error 5A\n[ 1.105872] myrs 0000:00:03.0: Failed to initialize Controller\n[ 1.106082] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[ 1.110774] Call Trace:\n[ 1.110950] myrs_cleanup+0xe4/0x150 [myrs]\n[ 1.111135] myrs_probe.cold+0x91/0x56a [myrs]\n[ 1.111302] ? DAC960_GEM_intr_handler+0x1f0/0x1f0 [myrs]\n[ 1.111500] local_pci_probe+0x48/0x90"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/0e42c4a3d732517edc3766dd45a14e60d29dd929",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/1d6cd26605b4d662063a83c15c776b5299a1cb23",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/4db09593af0b0b4d7d4805ebb3273df51d7cc30d",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/5c5ceea00c8c9df150708e66cb9f2891192c1162",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/6207f35c213f6cb2fc3f13b5e77f08c710e1de19",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

33
CVE-2022/CVE-2022-488xx/CVE-2022-48825.json Normal file
View File

@ -0,0 +1,33 @@
{
"id": "CVE-2022-48825",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:06.270",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qedf: Add stag_work to all the vports\n\nCall trace seen when creating NPIV ports, only 32 out of 64 show online.\nstag work was not initialized for vport, hence initialize the stag work.\n\nWARNING: CPU: 8 PID: 645 at kernel/workqueue.c:1635 __queue_delayed_work+0x68/0x80\nCPU: 8 PID: 645 Comm: kworker/8:1 Kdump: loaded Tainted: G IOE --------- --\n 4.18.0-348.el8.x86_64 #1\nHardware name: Dell Inc. PowerEdge MX740c/0177V9, BIOS 2.12.2 07/09/2021\nWorkqueue: events fc_lport_timeout [libfc]\nRIP: 0010:__queue_delayed_work+0x68/0x80\nCode: 89 b2 88 00 00 00 44 89 82 90 00 00 00 48 01 c8 48 89 42 50 41 81\nf8 00 20 00 00 75 1d e9 60 24 07 00 44 89 c7 e9 98 f6 ff ff <0f> 0b eb\nc5 0f 0b eb a1 0f 0b eb a7 0f 0b eb ac 44 89 c6 e9 40 23\nRSP: 0018:ffffae514bc3be40 EFLAGS: 00010006\nRAX: ffff8d25d6143750 RBX: 0000000000000202 RCX: 0000000000000002\nRDX: ffff8d2e31383748 RSI: ffff8d25c000d600 RDI: ffff8d2e31383788\nRBP: ffff8d2e31380de0 R08: 0000000000002000 R09: ffff8d2e31383750\nR10: ffffffffc0c957e0 R11: ffff8d2624800000 R12: ffff8d2e31380a58\nR13: ffff8d2d915eb000 R14: ffff8d25c499b5c0 R15: ffff8d2e31380e18\nFS: 0000000000000000(0000) GS:ffff8d2d1fb00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000055fd0484b8b8 CR3: 00000008ffc10006 CR4: 00000000007706e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n queue_delayed_work_on+0x36/0x40\n qedf_elsct_send+0x57/0x60 [qedf]\n fc_lport_enter_flogi+0x90/0xc0 [libfc]\n fc_lport_timeout+0xb7/0x140 [libfc]\n process_one_work+0x1a7/0x360\n ? create_worker+0x1a0/0x1a0\n worker_thread+0x30/0x390\n ? create_worker+0x1a0/0x1a0\n kthread+0x116/0x130\n ? kthread_flush_work_fn+0x10/0x10\n ret_from_fork+0x35/0x40\n ---[ end trace 008f00f722f2c2ff ]--\n\nInitialize stag work for all the vports."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/0be556512cd0dfcf5ec1a140d9f42d88221a5d4e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/1f53bbf27a876f7e61262bd74c18680ac11d4c31",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/aa7352aa155e19815b41f09f114fe9f110fde4d8",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/b70a99fd13282d7885f69bf1372e28b7506a1613",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

29
CVE-2022/CVE-2022-488xx/CVE-2022-48826.json Normal file
View File

@ -0,0 +1,29 @@
{
"id": "CVE-2022-48826",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:06.347",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vc4: Fix deadlock on DSI device attach error\n\nDSI device attach to DSI host will be done with host device's lock\nheld.\n\nUn-registering host in \"device attach\" error path (ex: probe retry)\nwill result in deadlock with below call trace and non operational\nDSI display.\n\nStartup Call trace:\n[ 35.043036] rt_mutex_slowlock.constprop.21+0x184/0x1b8\n[ 35.043048] mutex_lock_nested+0x7c/0xc8\n[ 35.043060] device_del+0x4c/0x3e8\n[ 35.043075] device_unregister+0x20/0x40\n[ 35.043082] mipi_dsi_remove_device_fn+0x18/0x28\n[ 35.043093] device_for_each_child+0x68/0xb0\n[ 35.043105] mipi_dsi_host_unregister+0x40/0x90\n[ 35.043115] vc4_dsi_host_attach+0xf0/0x120 [vc4]\n[ 35.043199] mipi_dsi_attach+0x30/0x48\n[ 35.043209] tc358762_probe+0x128/0x164 [tc358762]\n[ 35.043225] mipi_dsi_drv_probe+0x28/0x38\n[ 35.043234] really_probe+0xc0/0x318\n[ 35.043244] __driver_probe_device+0x80/0xe8\n[ 35.043254] driver_probe_device+0xb8/0x118\n[ 35.043263] __device_attach_driver+0x98/0xe8\n[ 35.043273] bus_for_each_drv+0x84/0xd8\n[ 35.043281] __device_attach+0xf0/0x150\n[ 35.043290] device_initial_probe+0x1c/0x28\n[ 35.043300] bus_probe_device+0xa4/0xb0\n[ 35.043308] deferred_probe_work_func+0xa0/0xe0\n[ 35.043318] process_one_work+0x254/0x700\n[ 35.043330] worker_thread+0x4c/0x448\n[ 35.043339] kthread+0x19c/0x1a8\n[ 35.043348] ret_from_fork+0x10/0x20\n\nShutdown Call trace:\n[ 365.565417] Call trace:\n[ 365.565423] __switch_to+0x148/0x200\n[ 365.565452] __schedule+0x340/0x9c8\n[ 365.565467] schedule+0x48/0x110\n[ 365.565479] schedule_timeout+0x3b0/0x448\n[ 365.565496] wait_for_completion+0xac/0x138\n[ 365.565509] __flush_work+0x218/0x4e0\n[ 365.565523] flush_work+0x1c/0x28\n[ 365.565536] wait_for_device_probe+0x68/0x158\n[ 365.565550] device_shutdown+0x24/0x348\n[ 365.565561] kernel_restart_prepare+0x40/0x50\n[ 365.565578] kernel_restart+0x20/0x70\n[ 365.565591] __do_sys_reboot+0x10c/0x220\n[ 365.565605] __arm64_sys_reboot+0x2c/0x38\n[ 365.565619] invoke_syscall+0x4c/0x110\n[ 365.565634] el0_svc_common.constprop.3+0xfc/0x120\n[ 365.565648] do_el0_svc+0x2c/0x90\n[ 365.565661] el0_svc+0x4c/0xf0\n[ 365.565671] el0t_64_sync_handler+0x90/0xb8\n[ 365.565682] el0t_64_sync+0x180/0x184"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/0a3d12ab5097b1d045e693412e6b366b7e82031b",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/770d1ba9a8201ce9bee0946eb03746449b6f3b80",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/dddd832f35096fbc5004e3a7e58fb4d2cefb8deb",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

33
CVE-2022/CVE-2022-488xx/CVE-2022-48827.json Normal file
View File

@ -0,0 +1,33 @@
{
"id": "CVE-2022-48827",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:06.420",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Fix the behavior of READ near OFFSET_MAX\n\nDan Aloni reports:\n> Due to commit 8cfb9015280d (\"NFS: Always provide aligned buffers to\n> the RPC read layers\") on the client, a read of 0xfff is aligned up\n> to server rsize of 0x1000.\n>\n> As a result, in a test where the server has a file of size\n> 0x7fffffffffffffff, and the client tries to read from the offset\n> 0x7ffffffffffff000, the read causes loff_t overflow in the server\n> and it returns an NFS code of EINVAL to the client. The client as\n> a result indefinitely retries the request.\n\nThe Linux NFS client does not handle NFS?ERR_INVAL, even though all\nNFS specifications permit servers to return that status code for a\nREAD.\n\nInstead of NFS?ERR_INVAL, have out-of-range READ requests succeed\nand return a short result. Set the EOF flag in the result to prevent\nthe client from retrying the READ request. This behavior appears to\nbe consistent with Solaris NFS servers.\n\nNote that NFSv3 and NFSv4 use u64 offset values on the wire. These\nmust be converted to loff_t internally before use -- an implicit\ntype cast is not adequate for this purpose. Otherwise VFS checks\nagainst sb->s_maxbytes do not work properly."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/0cb4d23ae08c48f6bf3c29a8e5c4a74b8388b960",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/1726a39b0879acfb490b22dca643f26f4f907da9",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/44502aca8e02ab32d6b0eb52e006a5ec9402719b",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/c6eff5c4277146a78b4fb8c9b668dd64542c41b0",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

33
CVE-2022/CVE-2022-488xx/CVE-2022-48828.json Normal file
View File

@ -0,0 +1,33 @@
{
"id": "CVE-2022-48828",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:06.477",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Fix ia_size underflow\n\niattr::ia_size is a loff_t, which is a signed 64-bit type. NFSv3 and\nNFSv4 both define file size as an unsigned 64-bit type. Thus there\nis a range of valid file size values an NFS client can send that is\nalready larger than Linux can handle.\n\nCurrently decode_fattr4() dumps a full u64 value into ia_size. If\nthat value happens to be larger than S64_MAX, then ia_size\nunderflows. I'm about to fix up the NFSv3 behavior as well, so let's\ncatch the underflow in the common code path: nfsd_setattr()."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/38d02ba22e43b6fc7d291cf724bc6e3b7be6626b",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/8e0ecaf7a7e57b30284d6b3289cc436100fadc48",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/da22ca1ad548429d7822011c54cfe210718e0aa7",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/e6faac3f58c7c4176b66f63def17a34232a17b0e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

33
CVE-2022/CVE-2022-488xx/CVE-2022-48829.json Normal file
View File

@ -0,0 +1,33 @@
{
"id": "CVE-2022-48829",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:06.550",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Fix NFSv3 SETATTR/CREATE's handling of large file sizes\n\niattr::ia_size is a loff_t, so these NFSv3 procedures must be\ncareful to deal with incoming client size values that are larger\nthan s64_max without corrupting the value.\n\nSilently capping the value results in storing a different value\nthan the client passed in which is unexpected behavior, so remove\nthe min_t() check in decode_sattr3().\n\nNote that RFC 1813 permits only the WRITE procedure to return\nNFS3ERR_FBIG. We believe that NFSv3 reference implementations\nalso return NFS3ERR_FBIG when ia_size is too large."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/37f2d2cd8eadddbbd9c7bda327a9393399b2f89b",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a231ae6bb50e7c0a9e9efd7b0d10687f1d71b3a3",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a648fdeb7c0e17177a2280344d015dba3fbe3314",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/aa9051ddb4b378bd22e72a67bc77b9fc1482c5f0",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

33
CVE-2022/CVE-2022-488xx/CVE-2022-48830.json Normal file
View File

@ -0,0 +1,33 @@
{
"id": "CVE-2022-48830",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:06.613",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: isotp: fix potential CAN frame reception race in isotp_rcv()\n\nWhen receiving a CAN frame the current code logic does not consider\nconcurrently receiving processes which do not show up in real world\nusage.\n\nZiyang Xuan writes:\n\nThe following syz problem is one of the scenarios. so->rx.len is\nchanged by isotp_rcv_ff() during isotp_rcv_cf(), so->rx.len equals\n0 before alloc_skb() and equals 4096 after alloc_skb(). That will\ntrigger skb_over_panic() in skb_put().\n\n=======================================================\nCPU: 1 PID: 19 Comm: ksoftirqd/1 Not tainted 5.16.0-rc8-syzkaller #0\nRIP: 0010:skb_panic+0x16c/0x16e net/core/skbuff.c:113\nCall Trace:\n <TASK>\n skb_over_panic net/core/skbuff.c:118 [inline]\n skb_put.cold+0x24/0x24 net/core/skbuff.c:1990\n isotp_rcv_cf net/can/isotp.c:570 [inline]\n isotp_rcv+0xa38/0x1e30 net/can/isotp.c:668\n deliver net/can/af_can.c:574 [inline]\n can_rcv_filter+0x445/0x8d0 net/can/af_can.c:635\n can_receive+0x31d/0x580 net/can/af_can.c:665\n can_rcv+0x120/0x1c0 net/can/af_can.c:696\n __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5465\n __netif_receive_skb+0x24/0x1b0 net/core/dev.c:5579\n\nTherefore we make sure the state changes and data structures stay\nconsistent at CAN frame reception time by adding a spin_lock in\nisotp_rcv(). This fixes the issue reported by syzkaller but does not\naffect real world operation."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/5b068f33bc8acfcfd5ea7992a2dafb30d89bad30",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/7b53d2204ce79b27a878074a77d64f40ec21dbca",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/7c759040c1dd03954f650f147ae7175476d51314",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/f90cc68f9f4b5d8585ad5d0a206a9d37ac299ef3",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

29
CVE-2022/CVE-2022-488xx/CVE-2022-48831.json Normal file
View File

@ -0,0 +1,29 @@
{
"id": "CVE-2022-48831",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:06.683",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nima: fix reference leak in asymmetric_verify()\n\nDon't leak a reference to the key if its algorithm is unknown."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/0838d6d68182f0b28a5434bc6d50727c4757e35b",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/89f586d3398f4cc0432ed870949dffb702940754",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/926fd9f23b27ca6587492c3f58f4c7f4cd01dad5",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

25
CVE-2022/CVE-2022-488xx/CVE-2022-48832.json Normal file
View File

@ -0,0 +1,25 @@
{
"id": "CVE-2022-48832",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T12:15:06.750",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\naudit: don't deref the syscall args when checking the openat2 open_how::flags\n\nAs reported by Jeff, dereferencing the openat2 syscall argument in\naudit_match_perm() to obtain the open_how::flags can result in an\noops/page-fault. This patch fixes this by using the open_how struct\nthat we store in the audit_context with audit_openat2_how().\n\nIndependent of this patch, Richard Guy Briggs posted a similar patch\nto the audit mailing list roughly 40 minutes after this patch was\nposted."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/310c9ddfdf1f8d3c9834f02175eae79c8b254b6c",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/7a82f89de92aac5a244d3735b2bd162c1147620c",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

29
CVE-2022/CVE-2022-488xx/CVE-2022-48833.json Normal file
View File

@ -0,0 +1,29 @@
{
"id": "CVE-2022-48833",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T13:15:10.897",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: skip reserved bytes warning on unmount after log cleanup failure\n\nAfter the recent changes made by commit c2e39305299f01 (\"btrfs: clear\nextent buffer uptodate when we fail to write it\") and its followup fix,\ncommit 651740a5024117 (\"btrfs: check WRITE_ERR when trying to read an\nextent buffer\"), we can now end up not cleaning up space reservations of\nlog tree extent buffers after a transaction abort happens, as well as not\ncleaning up still dirty extent buffers.\n\nThis happens because if writeback for a log tree extent buffer failed,\nthen we have cleared the bit EXTENT_BUFFER_UPTODATE from the extent buffer\nand we have also set the bit EXTENT_BUFFER_WRITE_ERR on it. Later on,\nwhen trying to free the log tree with free_log_tree(), which iterates\nover the tree, we can end up getting an -EIO error when trying to read\na node or a leaf, since read_extent_buffer_pages() returns -EIO if an\nextent buffer does not have EXTENT_BUFFER_UPTODATE set and has the\nEXTENT_BUFFER_WRITE_ERR bit set. Getting that -EIO means that we return\nimmediately as we can not iterate over the entire tree.\n\nIn that case we never update the reserved space for an extent buffer in\nthe respective block group and space_info object.\n\nWhen this happens we get the following traces when unmounting the fs:\n\n[174957.284509] BTRFS: error (device dm-0) in cleanup_transaction:1913: errno=-5 IO failure\n[174957.286497] BTRFS: error (device dm-0) in free_log_tree:3420: errno=-5 IO failure\n[174957.399379] ------------[ cut here ]------------\n[174957.402497] WARNING: CPU: 2 PID: 3206883 at fs/btrfs/block-group.c:127 btrfs_put_block_group+0x77/0xb0 [btrfs]\n[174957.407523] Modules linked in: btrfs overlay dm_zero (...)\n[174957.424917] CPU: 2 PID: 3206883 Comm: umount Tainted: G W 5.16.0-rc5-btrfs-next-109 #1\n[174957.426689] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n[174957.428716] RIP: 0010:btrfs_put_block_group+0x77/0xb0 [btrfs]\n[174957.429717] Code: 21 48 8b bd (...)\n[174957.432867] RSP: 0018:ffffb70d41cffdd0 EFLAGS: 00010206\n[174957.433632] RAX: 0000000000000001 RBX: ffff8b09c3848000 RCX: ffff8b0758edd1c8\n[174957.434689] RDX: 0000000000000001 RSI: ffffffffc0b467e7 RDI: ffff8b0758edd000\n[174957.436068] RBP: ffff8b0758edd000 R08: 0000000000000000 R09: 0000000000000000\n[174957.437114] R10: 0000000000000246 R11: 0000000000000000 R12: ffff8b09c3848148\n[174957.438140] R13: ffff8b09c3848198 R14: ffff8b0758edd188 R15: dead000000000100\n[174957.439317] FS: 00007f328fb82800(0000) GS:ffff8b0a2d200000(0000) knlGS:0000000000000000\n[174957.440402] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[174957.441164] CR2: 00007fff13563e98 CR3: 0000000404f4e005 CR4: 0000000000370ee0\n[174957.442117] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[174957.443076] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[174957.443948] Call Trace:\n[174957.444264] <TASK>\n[174957.444538] btrfs_free_block_groups+0x255/0x3c0 [btrfs]\n[174957.445238] close_ctree+0x301/0x357 [btrfs]\n[174957.445803] ? call_rcu+0x16c/0x290\n[174957.446250] generic_shutdown_super+0x74/0x120\n[174957.446832] kill_anon_super+0x14/0x30\n[174957.447305] btrfs_kill_super+0x12/0x20 [btrfs]\n[174957.447890] deactivate_locked_super+0x31/0xa0\n[174957.448440] cleanup_mnt+0x147/0x1c0\n[174957.448888] task_work_run+0x5c/0xa0\n[174957.449336] exit_to_user_mode_prepare+0x1e5/0x1f0\n[174957.449934] syscall_exit_to_user_mode+0x16/0x40\n[174957.450512] do_syscall_64+0x48/0xc0\n[174957.450980] entry_SYSCALL_64_after_hwframe+0x44/0xae\n[174957.451605] RIP: 0033:0x7f328fdc4a97\n[174957.452059] Code: 03 0c 00 f7 (...)\n[174957.454320] RSP: 002b:00007fff13564ec8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6\n[174957.455262] RAX: 0000000000000000 RBX: 00007f328feea264 RCX: 00007f328fdc4a97\n[174957.456131] RDX: 0000000000000000 RSI: 00000000000000\n---truncated---"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/40cdc509877bacb438213b83c7541c5e24a1d9ec",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/44557a8f539a822c91238c1f95a95f98a5093d82",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/4c5d94990fa2fd609360ecd0f7e183212a7d115c",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

37
CVE-2022/CVE-2022-488xx/CVE-2022-48834.json Normal file
View File

@ -0,0 +1,37 @@
{
"id": "CVE-2022-48834",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T13:15:10.983",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: usbtmc: Fix bug in pipe direction for control transfers\n\nThe syzbot fuzzer reported a minor bug in the usbtmc driver:\n\nusb 5-1: BOGUS control dir, pipe 80001e80 doesn't match bRequestType 0\nWARNING: CPU: 0 PID: 3813 at drivers/usb/core/urb.c:412\nusb_submit_urb+0x13a5/0x1970 drivers/usb/core/urb.c:410\nModules linked in:\nCPU: 0 PID: 3813 Comm: syz-executor122 Not tainted\n5.17.0-rc5-syzkaller-00306-g2293be58d6a1 #0\n...\nCall Trace:\n <TASK>\n usb_start_wait_urb+0x113/0x530 drivers/usb/core/message.c:58\n usb_internal_control_msg drivers/usb/core/message.c:102 [inline]\n usb_control_msg+0x2a5/0x4b0 drivers/usb/core/message.c:153\n usbtmc_ioctl_request drivers/usb/class/usbtmc.c:1947 [inline]\n\nThe problem is that usbtmc_ioctl_request() uses usb_rcvctrlpipe() for\nall of its transfers, whether they are in or out. It's easy to fix."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/10a805334a11acd547602d6c4cf540a0f6ab5c6e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/5f6a2d63c68c12cf61259df7c3527a0e05dce952",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/700a0715854c1e79a73341724ce4f5bb01abc016",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/c69aef9db878ab277068a8cc1b4bf0cf309dc2b7",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/e9b667a82cdcfe21d590344447d65daed52b353b",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

33
CVE-2022/CVE-2022-488xx/CVE-2022-48835.json Normal file
View File

@ -0,0 +1,33 @@
{
"id": "CVE-2022-48835",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T13:15:11.053",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpt3sas: Page fault in reply q processing\n\nA page fault was encountered in mpt3sas on a LUN reset error path:\n\n[ 145.763216] mpt3sas_cm1: Task abort tm failed: handle(0x0002),timeout(30) tr_method(0x0) smid(3) msix_index(0)\n[ 145.778932] scsi 1:0:0:0: task abort: FAILED scmd(0x0000000024ba29a2)\n[ 145.817307] scsi 1:0:0:0: attempting device reset! scmd(0x0000000024ba29a2)\n[ 145.827253] scsi 1:0:0:0: [sg1] tag#2 CDB: Receive Diagnostic 1c 01 01 ff fc 00\n[ 145.837617] scsi target1:0:0: handle(0x0002), sas_address(0x500605b0000272b9), phy(0)\n[ 145.848598] scsi target1:0:0: enclosure logical id(0x500605b0000272b8), slot(0)\n[ 149.858378] mpt3sas_cm1: Poll ReplyDescriptor queues for completion of smid(0), task_type(0x05), handle(0x0002)\n[ 149.875202] BUG: unable to handle page fault for address: 00000007fffc445d\n[ 149.885617] #PF: supervisor read access in kernel mode\n[ 149.894346] #PF: error_code(0x0000) - not-present page\n[ 149.903123] PGD 0 P4D 0\n[ 149.909387] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[ 149.917417] CPU: 24 PID: 3512 Comm: scsi_eh_1 Kdump: loaded Tainted: G S O 5.10.89-altav-1 #1\n[ 149.934327] Hardware name: DDN 200NVX2 /200NVX2-MB , BIOS ATHG2.2.02.01 09/10/2021\n[ 149.951871] RIP: 0010:_base_process_reply_queue+0x4b/0x900 [mpt3sas]\n[ 149.961889] Code: 0f 84 22 02 00 00 8d 48 01 49 89 fd 48 8d 57 38 f0 0f b1 4f 38 0f 85 d8 01 00 00 49 8b 45 10 45 31 e4 41 8b 55 0c 48 8d 1c d0 <0f> b6 03 83 e0 0f 3c 0f 0f 85 a2 00 00 00 e9 e6 01 00 00 0f b7 ee\n[ 149.991952] RSP: 0018:ffffc9000f1ebcb8 EFLAGS: 00010246\n[ 150.000937] RAX: 0000000000000055 RBX: 00000007fffc445d RCX: 000000002548f071\n[ 150.011841] RDX: 00000000ffff8881 RSI: 0000000000000001 RDI: ffff888125ed50d8\n[ 150.022670] RBP: 0000000000000000 R08: 0000000000000000 R09: c0000000ffff7fff\n[ 150.033445] R10: ffffc9000f1ebb68 R11: ffffc9000f1ebb60 R12: 0000000000000000\n[ 150.044204] R13: ffff888125ed50d8 R14: 0000000000000080 R15: 34cdc00034cdea80\n[ 150.054963] FS: 0000000000000000(0000) GS:ffff88dfaf200000(0000) knlGS:0000000000000000\n[ 150.066715] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 150.076078] CR2: 00000007fffc445d CR3: 000000012448a006 CR4: 0000000000770ee0\n[ 150.086887] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 150.097670] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 150.108323] PKRU: 55555554\n[ 150.114690] Call Trace:\n[ 150.120497] ? printk+0x48/0x4a\n[ 150.127049] mpt3sas_scsih_issue_tm.cold.114+0x2e/0x2b3 [mpt3sas]\n[ 150.136453] mpt3sas_scsih_issue_locked_tm+0x86/0xb0 [mpt3sas]\n[ 150.145759] scsih_dev_reset+0xea/0x300 [mpt3sas]\n[ 150.153891] scsi_eh_ready_devs+0x541/0x9e0 [scsi_mod]\n[ 150.162206] ? __scsi_host_match+0x20/0x20 [scsi_mod]\n[ 150.170406] ? scsi_try_target_reset+0x90/0x90 [scsi_mod]\n[ 150.178925] ? blk_mq_tagset_busy_iter+0x45/0x60\n[ 150.186638] ? scsi_try_target_reset+0x90/0x90 [scsi_mod]\n[ 150.195087] scsi_error_handler+0x3a5/0x4a0 [scsi_mod]\n[ 150.203206] ? __schedule+0x1e9/0x610\n[ 150.209783] ? scsi_eh_get_sense+0x210/0x210 [scsi_mod]\n[ 150.217924] kthread+0x12e/0x150\n[ 150.224041] ? kthread_worker_fn+0x130/0x130\n[ 150.231206] ret_from_fork+0x1f/0x30\n\nThis is caused by mpt3sas_base_sync_reply_irqs() using an invalid reply_q\npointer outside of the list_for_each_entry() loop. At the end of the full\nlist traversal the pointer is invalid.\n\nMove the _base_process_reply_queue() call inside of the loop."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/0cd2dd4bcf4abc812148c4943f966a3c8dccb00f",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/3916e33b917581e2b2086e856c291cb86ea98a05",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/69ad4ef868c1fc7609daa235dfa46d28ba7a3ba3",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/98e7a654a5bebaf1a28e987af5e44c002544a413",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

49
CVE-2022/CVE-2022-488xx/CVE-2022-48836.json Normal file
View File

@ -0,0 +1,49 @@
{
"id": "CVE-2022-48836",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T13:15:11.133",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: aiptek - properly check endpoint type\n\nSyzbot reported warning in usb_submit_urb() which is caused by wrong\nendpoint type. There was a check for the number of endpoints, but not\nfor the type of endpoint.\n\nFix it by replacing old desc.bNumEndpoints check with\nusb_find_common_endpoints() helper for finding endpoints\n\nFail log:\n\nusb 5-1: BOGUS urb xfer, pipe 1 != type 3\nWARNING: CPU: 2 PID: 48 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502\nModules linked in:\nCPU: 2 PID: 48 Comm: kworker/2:2 Not tainted 5.17.0-rc6-syzkaller-00226-g07ebd38a0da2 #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014\nWorkqueue: usb_hub_wq hub_event\n...\nCall Trace:\n <TASK>\n aiptek_open+0xd5/0x130 drivers/input/tablet/aiptek.c:830\n input_open_device+0x1bb/0x320 drivers/input/input.c:629\n kbd_connect+0xfe/0x160 drivers/tty/vt/keyboard.c:1593"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/35069e654bcab567ff8b9f0e68e1caf82c15dcd7",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/5600f6986628dde8881734090588474f54a540a8",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/57277a8b5d881e02051ba9d7f6cb3f915c229821",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/6de20111cd0bb7da9b2294073ba00c7d2a6c1c4f",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/e732b0412f8c603d1e998f3bff41b5e7d5c3914c",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/e762f57ff255af28236cd02ca9fc5c7e5a089d31",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/f0d43d22d24182b94d7eb78a2bf6ae7e2b33204a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/fc8033a55e2796d21e370260a784ac9fbb8305a6",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

49
CVE-2022/CVE-2022-488xx/CVE-2022-48837.json Normal file
View File

@ -0,0 +1,49 @@
{
"id": "CVE-2022-48837",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T13:15:11.203",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: rndis: prevent integer overflow in rndis_set_response()\n\nIf \"BufOffset\" is very large the \"BufOffset + 8\" operation can have an\ninteger overflow."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/138d4f739b35dfb40438a0d5d7054965763bfbe7",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/21829376268397f9fd2c35cfa9135937b6aa3a1e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/28bc0267399f42f987916a7174e2e32f0833cc65",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/56b38e3ca4064041d93c1ca18828c8cedad2e16c",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/65f3324f4b6fed78b8761c3b74615ecf0ffa81fa",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/8b3e4d26bc9cd0f6373d0095b9ffd99e7da8006b",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/c7953cf03a26876d676145ce5d2ae6d8c9630b90",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/df7e088d51cdf78b1a0bf1f3d405c2593295c7b0",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

49
CVE-2022/CVE-2022-488xx/CVE-2022-48838.json Normal file
View File

@ -0,0 +1,49 @@
{
"id": "CVE-2022-48838",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T13:15:11.280",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: Fix use-after-free bug by not setting udc->dev.driver\n\nThe syzbot fuzzer found a use-after-free bug:\n\nBUG: KASAN: use-after-free in dev_uevent+0x712/0x780 drivers/base/core.c:2320\nRead of size 8 at addr ffff88802b934098 by task udevd/3689\n\nCPU: 2 PID: 3689 Comm: udevd Not tainted 5.17.0-rc4-syzkaller-00229-g4f12b742eb2b #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\n print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255\n __kasan_report mm/kasan/report.c:442 [inline]\n kasan_report.cold+0x83/0xdf mm/kasan/report.c:459\n dev_uevent+0x712/0x780 drivers/base/core.c:2320\n uevent_show+0x1b8/0x380 drivers/base/core.c:2391\n dev_attr_show+0x4b/0x90 drivers/base/core.c:2094\n\nAlthough the bug manifested in the driver core, the real cause was a\nrace with the gadget core. dev_uevent() does:\n\n\tif (dev->driver)\n\t\tadd_uevent_var(env, \"DRIVER=%s\", dev->driver->name);\n\nand between the test and the dereference of dev->driver, the gadget\ncore sets dev->driver to NULL.\n\nThe race wouldn't occur if the gadget core registered its devices on\na real bus, using the standard synchronization techniques of the\ndriver core. However, it's not necessary to make such a large change\nin order to fix this bug; all we need to do is make sure that\nudc->dev.driver is always NULL.\n\nIn fact, there is no reason for udc->dev.driver ever to be set to\nanything, let alone to the value it currently gets: the address of the\ngadget's driver. After all, a gadget driver only knows how to manage\na gadget, not how to manage a UDC.\n\nThis patch simply removes the statements in the gadget core that touch\nudc->dev.driver."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/00bdd9bf1ac6d401ad926d3d8df41b9f1399f646",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/16b1941eac2bd499f065a6739a40ce0011a3d740",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/2015c23610cd0efadaeca4d3a8d1dae9a45aa35a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/2282a6eb6d4e118e294e43dcc421e0e0fe4040b5",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/27d64436984fb8835a8b7e95993193cc478b162e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/4325124dde6726267813c736fee61226f1d38f0b",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/609a7119bffe3ddd7c93f2fa65be8917e02a0b7e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/e2d3a7009e505e120805f449c832942660f3f7f3",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

49
CVE-2022/CVE-2022-488xx/CVE-2022-48839.json Normal file
View File

@ -0,0 +1,49 @@
{
"id": "CVE-2022-48839",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T13:15:11.353",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/packet: fix slab-out-of-bounds access in packet_recvmsg()\n\nsyzbot found that when an AF_PACKET socket is using PACKET_COPY_THRESH\nand mmap operations, tpacket_rcv() is queueing skbs with\ngarbage in skb->cb[], triggering a too big copy [1]\n\nPresumably, users of af_packet using mmap() already gets correct\nmetadata from the mapped buffer, we can simply make sure\nto clear 12 bytes that might be copied to user space later.\n\nBUG: KASAN: stack-out-of-bounds in memcpy include/linux/fortify-string.h:225 [inline]\nBUG: KASAN: stack-out-of-bounds in packet_recvmsg+0x56c/0x1150 net/packet/af_packet.c:3489\nWrite of size 165 at addr ffffc9000385fb78 by task syz-executor233/3631\n\nCPU: 0 PID: 3631 Comm: syz-executor233 Not tainted 5.17.0-rc7-syzkaller-02396-g0b3660695e80 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\n print_address_description.constprop.0.cold+0xf/0x336 mm/kasan/report.c:255\n __kasan_report mm/kasan/report.c:442 [inline]\n kasan_report.cold+0x83/0xdf mm/kasan/report.c:459\n check_region_inline mm/kasan/generic.c:183 [inline]\n kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189\n memcpy+0x39/0x60 mm/kasan/shadow.c:66\n memcpy include/linux/fortify-string.h:225 [inline]\n packet_recvmsg+0x56c/0x1150 net/packet/af_packet.c:3489\n sock_recvmsg_nosec net/socket.c:948 [inline]\n sock_recvmsg net/socket.c:966 [inline]\n sock_recvmsg net/socket.c:962 [inline]\n ____sys_recvmsg+0x2c4/0x600 net/socket.c:2632\n ___sys_recvmsg+0x127/0x200 net/socket.c:2674\n __sys_recvmsg+0xe2/0x1a0 net/socket.c:2704\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7fdfd5954c29\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffcf8e71e48 EFLAGS: 00000246 ORIG_RAX: 000000000000002f\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fdfd5954c29\nRDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000005\nRBP: 0000000000000000 R08: 000000000000000d R09: 000000000000000d\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007ffcf8e71e60\nR13: 00000000000f4240 R14: 000000000000c1ff R15: 00007ffcf8e71e54\n </TASK>\n\naddr ffffc9000385fb78 is located in stack of task syz-executor233/3631 at offset 32 in frame:\n ____sys_recvmsg+0x0/0x600 include/linux/uio.h:246\n\nthis frame has 1 object:\n [32, 160) 'addr'\n\nMemory state around the buggy address:\n ffffc9000385fa80: 00 04 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00\n ffffc9000385fb00: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00\n>ffffc9000385fb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f3\n ^\n ffffc9000385fc00: f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 f1\n ffffc9000385fc80: f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2 00 00 00 00 00\n=================================================================="
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/268dcf1f7b3193bc446ec3d14e08a240e9561e4d",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/70b7b3c055fd4a464da8da55ff4c1f84269f9b02",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a055f5f2841f7522b44a2b1eccb1951b4b03d51a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a33dd1e6693f80d805155b3f69c18c2f642915da",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/b1e27cda1e3c12b705875bb7e247a97168580e33",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/b9d5772d60f8e7ef34e290f72fc20e3a4883e7d0",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/c700525fcc06b05adfea78039de02628af79e07a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/ef591b35176029fdefea38e8388ffa371e18f4b2",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

29
CVE-2022/CVE-2022-488xx/CVE-2022-48840.json Normal file
View File

@ -0,0 +1,29 @@
{
"id": "CVE-2022-48840",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T13:15:11.440",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niavf: Fix hang during reboot/shutdown\n\nRecent commit 974578017fc1 (\"iavf: Add waiting so the port is\ninitialized in remove\") adds a wait-loop at the beginning of\niavf_remove() to ensure that port initialization is finished\nprior unregistering net device. This causes a regression\nin reboot/shutdown scenario because in this case callback\niavf_shutdown() is called and this callback detaches the device,\nmakes it down if it is running and sets its state to __IAVF_REMOVE.\nLater shutdown callback of associated PF driver (e.g. ice_shutdown)\nis called. That callback calls among other things sriov_disable()\nthat calls indirectly iavf_remove() (see stack trace below).\nAs the adapter state is already __IAVF_REMOVE then the mentioned\nloop is end-less and shutdown process hangs.\n\nThe patch fixes this by checking adapter's state at the beginning\nof iavf_remove() and skips the rest of the function if the adapter\nis already in remove state (shutdown is in progress).\n\nReproducer:\n1. Create VF on PF driven by ice or i40e driver\n2. Ensure that the VF is bound to iavf driver\n3. Reboot\n\n[52625.981294] sysrq: SysRq : Show Blocked State\n[52625.988377] task:reboot state:D stack: 0 pid:17359 ppid: 1 f2\n[52625.996732] Call Trace:\n[52625.999187] __schedule+0x2d1/0x830\n[52626.007400] schedule+0x35/0xa0\n[52626.010545] schedule_hrtimeout_range_clock+0x83/0x100\n[52626.020046] usleep_range+0x5b/0x80\n[52626.023540] iavf_remove+0x63/0x5b0 [iavf]\n[52626.027645] pci_device_remove+0x3b/0xc0\n[52626.031572] device_release_driver_internal+0x103/0x1f0\n[52626.036805] pci_stop_bus_device+0x72/0xa0\n[52626.040904] pci_stop_and_remove_bus_device+0xe/0x20\n[52626.045870] pci_iov_remove_virtfn+0xba/0x120\n[52626.050232] sriov_disable+0x2f/0xe0\n[52626.053813] ice_free_vfs+0x7c/0x340 [ice]\n[52626.057946] ice_remove+0x220/0x240 [ice]\n[52626.061967] ice_shutdown+0x16/0x50 [ice]\n[52626.065987] pci_device_shutdown+0x34/0x60\n[52626.070086] device_shutdown+0x165/0x1c5\n[52626.074011] kernel_restart+0xe/0x30\n[52626.077593] __do_sys_reboot+0x1d2/0x210\n[52626.093815] do_syscall_64+0x5b/0x1a0\n[52626.097483] entry_SYSCALL_64_after_hwframe+0x65/0xca"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/4477b9a4193b35eb3a8afd2adf2d42add2f88d57",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/80974bb730270199c6fcb189af04d5945b87e813",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/b04683ff8f0823b869c219c78ba0d974bddea0b5",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

25
CVE-2022/CVE-2022-488xx/CVE-2022-48841.json Normal file
View File

@ -0,0 +1,25 @@
{
"id": "CVE-2022-48841",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T13:15:11.513",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix NULL pointer dereference in ice_update_vsi_tx_ring_stats()\n\nIt is possible to do NULL pointer dereference in routine that updates\nTx ring stats. Currently only stats and bytes are updated when ring\npointer is valid, but later on ring is accessed to propagate gathered Tx\nstats onto VSI stats.\n\nChange the existing logic to move to next ring when ring is NULL."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/2397270ec97c5e3009a58ac110a25e1869e9d6ff",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/f153546913bada41a811722f2c6d17c3243a0333",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

29
CVE-2022/CVE-2022-488xx/CVE-2022-48842.json Normal file
View File

@ -0,0 +1,29 @@
{
"id": "CVE-2022-48842",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T13:15:11.577",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Fix race condition during interface enslave\n\nCommit 5dbbbd01cbba83 (\"ice: Avoid RTNL lock when re-creating\nauxiliary device\") changes a process of re-creation of aux device\nso ice_plug_aux_dev() is called from ice_service_task() context.\nThis unfortunately opens a race window that can result in dead-lock\nwhen interface has left LAG and immediately enters LAG again.\n\nReproducer:\n```\n#!/bin/sh\n\nip link add lag0 type bond mode 1 miimon 100\nip link set lag0\n\nfor n in {1..10}; do\n echo Cycle: $n\n ip link set ens7f0 master lag0\n sleep 1\n ip link set ens7f0 nomaster\ndone\n```\n\nThis results in:\n[20976.208697] Workqueue: ice ice_service_task [ice]\n[20976.213422] Call Trace:\n[20976.215871] __schedule+0x2d1/0x830\n[20976.219364] schedule+0x35/0xa0\n[20976.222510] schedule_preempt_disabled+0xa/0x10\n[20976.227043] __mutex_lock.isra.7+0x310/0x420\n[20976.235071] enum_all_gids_of_dev_cb+0x1c/0x100 [ib_core]\n[20976.251215] ib_enum_roce_netdev+0xa4/0xe0 [ib_core]\n[20976.256192] ib_cache_setup_one+0x33/0xa0 [ib_core]\n[20976.261079] ib_register_device+0x40d/0x580 [ib_core]\n[20976.266139] irdma_ib_register_device+0x129/0x250 [irdma]\n[20976.281409] irdma_probe+0x2c1/0x360 [irdma]\n[20976.285691] auxiliary_bus_probe+0x45/0x70\n[20976.289790] really_probe+0x1f2/0x480\n[20976.298509] driver_probe_device+0x49/0xc0\n[20976.302609] bus_for_each_drv+0x79/0xc0\n[20976.306448] __device_attach+0xdc/0x160\n[20976.310286] bus_probe_device+0x9d/0xb0\n[20976.314128] device_add+0x43c/0x890\n[20976.321287] __auxiliary_device_add+0x43/0x60\n[20976.325644] ice_plug_aux_dev+0xb2/0x100 [ice]\n[20976.330109] ice_service_task+0xd0c/0xed0 [ice]\n[20976.342591] process_one_work+0x1a7/0x360\n[20976.350536] worker_thread+0x30/0x390\n[20976.358128] kthread+0x10a/0x120\n[20976.365547] ret_from_fork+0x1f/0x40\n...\n[20976.438030] task:ip state:D stack: 0 pid:213658 ppid:213627 flags:0x00004084\n[20976.446469] Call Trace:\n[20976.448921] __schedule+0x2d1/0x830\n[20976.452414] schedule+0x35/0xa0\n[20976.455559] schedule_preempt_disabled+0xa/0x10\n[20976.460090] __mutex_lock.isra.7+0x310/0x420\n[20976.464364] device_del+0x36/0x3c0\n[20976.467772] ice_unplug_aux_dev+0x1a/0x40 [ice]\n[20976.472313] ice_lag_event_handler+0x2a2/0x520 [ice]\n[20976.477288] notifier_call_chain+0x47/0x70\n[20976.481386] __netdev_upper_dev_link+0x18b/0x280\n[20976.489845] bond_enslave+0xe05/0x1790 [bonding]\n[20976.494475] do_setlink+0x336/0xf50\n[20976.502517] __rtnl_newlink+0x529/0x8b0\n[20976.543441] rtnl_newlink+0x43/0x60\n[20976.546934] rtnetlink_rcv_msg+0x2b1/0x360\n[20976.559238] netlink_rcv_skb+0x4c/0x120\n[20976.563079] netlink_unicast+0x196/0x230\n[20976.567005] netlink_sendmsg+0x204/0x3d0\n[20976.570930] sock_sendmsg+0x4c/0x50\n[20976.574423] ____sys_sendmsg+0x1eb/0x250\n[20976.586807] ___sys_sendmsg+0x7c/0xc0\n[20976.606353] __sys_sendmsg+0x57/0xa0\n[20976.609930] do_syscall_64+0x5b/0x1a0\n[20976.613598] entry_SYSCALL_64_after_hwframe+0x65/0xca\n\n1. Command 'ip link ... set nomaster' causes that ice_plug_aux_dev()\n is called from ice_service_task() context, aux device is created\n and associated device->lock is taken.\n2. Command 'ip link ... set master...' calls ice's notifier under\n RTNL lock and that notifier calls ice_unplug_aux_dev(). That\n function tries to take aux device->lock but this is already taken\n by ice_plug_aux_dev() in step 1\n3. Later ice_plug_aux_dev() tries to take RTNL lock but this is already\n taken in step 2\n4. Dead-lock\n\nThe patch fixes this issue by following changes:\n- Bit ICE_FLAG_PLUG_AUX_DEV is kept to be set during ice_plug_aux_dev()\n call in ice_service_task()\n- The bit is checked in ice_clear_rdma_cap() and only if it is not set\n then ice_unplug_aux_dev() is called. If it is set (in other words\n plugging of aux device was requested and ice_plug_aux_dev() is\n potentially running) then the function only clears the\n---truncated---"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/5cb1ebdbc4342b1c2ce89516e19808d64417bdbc",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a9bbacc53d1f5ed8febbfdf31401d20e005f49ef",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/e1014fc5572375658fa421531cedb6e084f477dc",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

37
CVE-2022/CVE-2022-488xx/CVE-2022-48843.json Normal file
View File

@ -0,0 +1,37 @@
{
"id": "CVE-2022-48843",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T13:15:11.650",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vrr: Set VRR capable prop only if it is attached to connector\n\nVRR capable property is not attached by default to the connector\nIt is attached only if VRR is supported.\nSo if the driver tries to call drm core set prop function without\nit being attached that causes NULL dereference."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/0ba557d330946c23559aaea2d51ea649fdeca98a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/3534c5c005ef99a1804ed50b8a72cdae254cabb5",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/62929726ef0ec72cbbe9440c5d125d4278b99894",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/85271e92ae4f13aa679acaa6cf76b3c36bcb7bab",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/941e8bcd2b2ba95490738e33dfeca27168452779",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

29
CVE-2022/CVE-2022-488xx/CVE-2022-48844.json Normal file
View File

@ -0,0 +1,29 @@
{
"id": "CVE-2022-48844",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T13:15:11.733",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_core: Fix leaking sent_cmd skb\n\nsent_cmd memory is not freed before freeing hci_dev causing it to leak\nit contents."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/3679ccc09d8806686d579095ed504e045af7f7d6",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/9473d06bd1c8da49eafb685aa95a290290c672dd",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/dd3b1dc3dd050f1f47cd13e300732852414270f8",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

49
CVE-2022/CVE-2022-488xx/CVE-2022-48845.json Normal file
View File

@ -0,0 +1,49 @@
{
"id": "CVE-2022-48845",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T13:15:11.803",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nMIPS: smp: fill in sibling and core maps earlier\n\nAfter enabling CONFIG_SCHED_CORE (landed during 5.14 cycle),\n2-core 2-thread-per-core interAptiv (CPS-driven) started emitting\nthe following:\n\n[ 0.025698] CPU1 revision is: 0001a120 (MIPS interAptiv (multi))\n[ 0.048183] ------------[ cut here ]------------\n[ 0.048187] WARNING: CPU: 1 PID: 0 at kernel/sched/core.c:6025 sched_core_cpu_starting+0x198/0x240\n[ 0.048220] Modules linked in:\n[ 0.048233] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.17.0-rc3+ #35 b7b319f24073fd9a3c2aa7ad15fb7993eec0b26f\n[ 0.048247] Stack : 817f0000 00000004 327804c8 810eb050 00000000 00000004 00000000 c314fdd1\n[ 0.048278] 830cbd64 819c0000 81800000 817f0000 83070bf4 00000001 830cbd08 00000000\n[ 0.048307] 00000000 00000000 815fcbc4 00000000 00000000 00000000 00000000 00000000\n[ 0.048334] 00000000 00000000 00000000 00000000 817f0000 00000000 00000000 817f6f34\n[ 0.048361] 817f0000 818a3c00 817f0000 00000004 00000000 00000000 4dc33260 0018c933\n[ 0.048389] ...\n[ 0.048396] Call Trace:\n[ 0.048399] [<8105a7bc>] show_stack+0x3c/0x140\n[ 0.048424] [<8131c2a0>] dump_stack_lvl+0x60/0x80\n[ 0.048440] [<8108b5c0>] __warn+0xc0/0xf4\n[ 0.048454] [<8108b658>] warn_slowpath_fmt+0x64/0x10c\n[ 0.048467] [<810bd418>] sched_core_cpu_starting+0x198/0x240\n[ 0.048483] [<810c6514>] sched_cpu_starting+0x14/0x80\n[ 0.048497] [<8108c0f8>] cpuhp_invoke_callback_range+0x78/0x140\n[ 0.048510] [<8108d914>] notify_cpu_starting+0x94/0x140\n[ 0.048523] [<8106593c>] start_secondary+0xbc/0x280\n[ 0.048539]\n[ 0.048543] ---[ end trace 0000000000000000 ]---\n[ 0.048636] Synchronize counters for CPU 1: done.\n\n...for each but CPU 0/boot.\nBasic debug printks right before the mentioned line say:\n\n[ 0.048170] CPU: 1, smt_mask:\n\nSo smt_mask, which is sibling mask obviously, is empty when entering\nthe function.\nThis is critical, as sched_core_cpu_starting() calculates\ncore-scheduling parameters only once per CPU start, and it's crucial\nto have all the parameters filled in at that moment (at least it\nuses cpu_smt_mask() which in fact is `&cpu_sibling_map[cpu]` on\nMIPS).\n\nA bit of debugging led me to that set_cpu_sibling_map() performing\nthe actual map calculation, was being invocated after\nnotify_cpu_start(), and exactly the latter function starts CPU HP\ncallback round (sched_core_cpu_starting() is basically a CPU HP\ncallback).\nWhile the flow is same on ARM64 (maps after the notifier, although\nbefore calling set_cpu_online()), x86 started calculating sibling\nmaps earlier than starting the CPU HP callbacks in Linux 4.14 (see\n[0] for the reference). Neither me nor my brief tests couldn't find\nany potential caveats in calculating the maps right after performing\ndelay calibration, but the WARN splat is now gone.\nThe very same debug prints now yield exactly what I expected from\nthem:\n\n[ 0.048433] CPU: 1, smt_mask: 0-1\n\n[0] https://git.kernel.org/pub/scm/linux/kernel/git/mips/linux.git/commit/?id=76ce7cfe35ef"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/32813321f18d5432cec1b1a6ecc964f9ea26d565",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/56eaacb8137ba2071ce48d4e3d91979270e139a7",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/7315f8538db009605ffba00370678142ef00ac98",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/94647aec80d03d6914aa664b7b8e103cd9d63239",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/be538b764a46be1d0700fd3b6e82fb76bd17f13a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/c2420bc3333111184cdcb112282d13afe1338dd7",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/e8ad9ecc406974deb5e7c070f51cc1d09d21dc4b",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/f2703def339c793674010cc9f01bfe4980231808",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

29
CVE-2022/CVE-2022-488xx/CVE-2022-48846.json Normal file
View File

@ -0,0 +1,29 @@
{
"id": "CVE-2022-48846",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T13:15:11.883",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: release rq qos structures for queue without disk\n\nblkcg_init_queue() may add rq qos structures to request queue, previously\nblk_cleanup_queue() calls rq_qos_exit() to release them, but commit\n8e141f9eb803 (\"block: drain file system I/O on del_gendisk\")\nmoves rq_qos_exit() into del_gendisk(), so memory leak is caused\nbecause queues may not have disk, such as un-present scsi luns, nvme\nadmin queue, ...\n\nFixes the issue by adding rq_qos_exit() to blk_cleanup_queue() back.\n\nBTW, v5.18 won't need this patch any more since we move\nblkcg_init_queue()/blkcg_exit_queue() into disk allocation/release\nhandler, and patches have been in for-5.18/block."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/60c2c8e2ef3a3ec79de8cbc80a06ca0c21df8c29",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/d4ad8736ac982111bb0be8306bf19c8207f6600e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/daaca3522a8e67c46e39ef09c1d542e866f85f3b",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

33
CVE-2022/CVE-2022-488xx/CVE-2022-48847.json Normal file
View File

@ -0,0 +1,33 @@
{
"id": "CVE-2022-48847",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T13:15:11.950",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwatch_queue: Fix filter limit check\n\nIn watch_queue_set_filter(), there are a couple of places where we check\nthat the filter type value does not exceed what the type_filter bitmap\ncan hold. One place calculates the number of bits by:\n\n if (tf[i].type >= sizeof(wfilter->type_filter) * 8)\n\nwhich is fine, but the second does:\n\n if (tf[i].type >= sizeof(wfilter->type_filter) * BITS_PER_LONG)\n\nwhich is not. This can lead to a couple of out-of-bounds writes due to\na too-large type:\n\n (1) __set_bit() on wfilter->type_filter\n (2) Writing more elements in wfilter->filters[] than we allocated.\n\nFix this by just using the proper WATCH_TYPE__NR instead, which is the\nnumber of types we actually know about.\n\nThe bug may cause an oops looking something like:\n\n BUG: KASAN: slab-out-of-bounds in watch_queue_set_filter+0x659/0x740\n Write of size 4 at addr ffff88800d2c66bc by task watch_queue_oob/611\n ...\n Call Trace:\n <TASK>\n dump_stack_lvl+0x45/0x59\n print_address_description.constprop.0+0x1f/0x150\n ...\n kasan_report.cold+0x7f/0x11b\n ...\n watch_queue_set_filter+0x659/0x740\n ...\n __x64_sys_ioctl+0x127/0x190\n do_syscall_64+0x43/0x90\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n Allocated by task 611:\n kasan_save_stack+0x1e/0x40\n __kasan_kmalloc+0x81/0xa0\n watch_queue_set_filter+0x23a/0x740\n __x64_sys_ioctl+0x127/0x190\n do_syscall_64+0x43/0x90\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n The buggy address belongs to the object at ffff88800d2c66a0\n which belongs to the cache kmalloc-32 of size 32\n The buggy address is located 28 bytes inside of\n 32-byte region [ffff88800d2c66a0, ffff88800d2c66c0)"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/1b09f28f70a5046acd64138075ae3f095238b045",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/648895da69ced90ca770fd941c3d9479a9d72c16",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/b36588ebbcef74583824c08352e75838d6fb4ff2",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/c993ee0f9f81caf5767a50d1faeba39a0dc82af2",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

25
CVE-2022/CVE-2022-488xx/CVE-2022-48848.json Normal file
View File

@ -0,0 +1,25 @@
{
"id": "CVE-2022-48848",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T13:15:12.023",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/osnoise: Do not unregister events twice\n\nNicolas reported that using:\n\n # trace-cmd record -e all -M 10 -p osnoise --poll\n\nResulted in the following kernel warning:\n\n ------------[ cut here ]------------\n WARNING: CPU: 0 PID: 1217 at kernel/tracepoint.c:404 tracepoint_probe_unregister+0x280/0x370\n [...]\n CPU: 0 PID: 1217 Comm: trace-cmd Not tainted 5.17.0-rc6-next-20220307-nico+ #19\n RIP: 0010:tracepoint_probe_unregister+0x280/0x370\n [...]\n CR2: 00007ff919b29497 CR3: 0000000109da4005 CR4: 0000000000170ef0\n Call Trace:\n <TASK>\n osnoise_workload_stop+0x36/0x90\n tracing_set_tracer+0x108/0x260\n tracing_set_trace_write+0x94/0xd0\n ? __check_object_size.part.0+0x10a/0x150\n ? selinux_file_permission+0x104/0x150\n vfs_write+0xb5/0x290\n ksys_write+0x5f/0xe0\n do_syscall_64+0x3b/0x90\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n RIP: 0033:0x7ff919a18127\n [...]\n ---[ end trace 0000000000000000 ]---\n\nThe warning complains about an attempt to unregister an\nunregistered tracepoint.\n\nThis happens on trace-cmd because it first stops tracing, and\nthen switches the tracer to nop. Which is equivalent to:\n\n # cd /sys/kernel/tracing/\n # echo osnoise > current_tracer\n # echo 0 > tracing_on\n # echo nop > current_tracer\n\nThe osnoise tracer stops the workload when no trace instance\nis actually collecting data. This can be caused both by\ndisabling tracing or disabling the tracer itself.\n\nTo avoid unregistering events twice, use the existing\ntrace_osnoise_callback_enabled variable to check if the events\n(and the workload) are actually active before trying to\ndeactivate them."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/4e10787d18379d9b296290c2288097feddef16d4",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/f0cfe17bcc1dd2f0872966b554a148e888833ee9",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

29
CVE-2022/CVE-2022-488xx/CVE-2022-48849.json Normal file
View File

@ -0,0 +1,29 @@
{
"id": "CVE-2022-48849",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T13:15:12.103",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: bypass tiling flag check in virtual display case (v2)\n\nvkms leverages common amdgpu framebuffer creation, and\nalso as it does not support FB modifier, there is no need\nto check tiling flags when initing framebuffer when virtual\ndisplay is enabled.\n\nThis can fix below calltrace:\n\namdgpu 0000:00:08.0: GFX9+ requires FB check based on format modifier\nWARNING: CPU: 0 PID: 1023 at drivers/gpu/drm/amd/amdgpu/amdgpu_display.c:1150 amdgpu_display_framebuffer_init+0x8e7/0xb40 [amdgpu]\n\nv2: check adev->enable_virtual_display instead as vkms can be\n\tenabled in bare metal as well."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/cb29021be49858059138f75d6311a7c35a9379b2",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/e2b993302f40c4eb714ecf896dd9e1c5be7d4cd7",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/fcd1d79aa943fff4fbaa0cce1d576995a7960699",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

49
CVE-2022/CVE-2022-488xx/CVE-2022-48850.json Normal file
View File

@ -0,0 +1,49 @@
{
"id": "CVE-2022-48850",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T13:15:12.170",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet-sysfs: add check for netdevice being present to speed_show\n\nWhen bringing down the netdevice or system shutdown, a panic can be\ntriggered while accessing the sysfs path because the device is already\nremoved.\n\n [ 755.549084] mlx5_core 0000:12:00.1: Shutdown was called\n [ 756.404455] mlx5_core 0000:12:00.0: Shutdown was called\n ...\n [ 757.937260] BUG: unable to handle kernel NULL pointer dereference at (null)\n [ 758.031397] IP: [<ffffffff8ee11acb>] dma_pool_alloc+0x1ab/0x280\n\n crash> bt\n ...\n PID: 12649 TASK: ffff8924108f2100 CPU: 1 COMMAND: \"amsd\"\n ...\n #9 [ffff89240e1a38b0] page_fault at ffffffff8f38c778\n [exception RIP: dma_pool_alloc+0x1ab]\n RIP: ffffffff8ee11acb RSP: ffff89240e1a3968 RFLAGS: 00010046\n RAX: 0000000000000246 RBX: ffff89243d874100 RCX: 0000000000001000\n RDX: 0000000000000000 RSI: 0000000000000246 RDI: ffff89243d874090\n RBP: ffff89240e1a39c0 R8: 000000000001f080 R9: ffff8905ffc03c00\n R10: ffffffffc04680d4 R11: ffffffff8edde9fd R12: 00000000000080d0\n R13: ffff89243d874090 R14: ffff89243d874080 R15: 0000000000000000\n ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018\n #10 [ffff89240e1a39c8] mlx5_alloc_cmd_msg at ffffffffc04680f3 [mlx5_core]\n #11 [ffff89240e1a3a18] cmd_exec at ffffffffc046ad62 [mlx5_core]\n #12 [ffff89240e1a3ab8] mlx5_cmd_exec at ffffffffc046b4fb [mlx5_core]\n #13 [ffff89240e1a3ae8] mlx5_core_access_reg at ffffffffc0475434 [mlx5_core]\n #14 [ffff89240e1a3b40] mlx5e_get_fec_caps at ffffffffc04a7348 [mlx5_core]\n #15 [ffff89240e1a3bb0] get_fec_supported_advertised at ffffffffc04992bf [mlx5_core]\n #16 [ffff89240e1a3c08] mlx5e_get_link_ksettings at ffffffffc049ab36 [mlx5_core]\n #17 [ffff89240e1a3ce8] __ethtool_get_link_ksettings at ffffffff8f25db46\n #18 [ffff89240e1a3d48] speed_show at ffffffff8f277208\n #19 [ffff89240e1a3dd8] dev_attr_show at ffffffff8f0b70e3\n #20 [ffff89240e1a3df8] sysfs_kf_seq_show at ffffffff8eedbedf\n #21 [ffff89240e1a3e18] kernfs_seq_show at ffffffff8eeda596\n #22 [ffff89240e1a3e28] seq_read at ffffffff8ee76d10\n #23 [ffff89240e1a3e98] kernfs_fop_read at ffffffff8eedaef5\n #24 [ffff89240e1a3ed8] vfs_read at ffffffff8ee4e3ff\n #25 [ffff89240e1a3f08] sys_read at ffffffff8ee4f27f\n #26 [ffff89240e1a3f50] system_call_fastpath at ffffffff8f395f92\n\n crash> net_device.state ffff89443b0c0000\n state = 0x5 (__LINK_STATE_START| __LINK_STATE_NOCARRIER)\n\nTo prevent this scenario, we also make sure that the netdevice is present."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/081369ad088a76429984483b8a5f7e967a125aad",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/3a79f380b3e10edf6caa9aac90163a5d7a282204",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/4224cfd7fb6523f7a9d1c8bb91bb5df1e38eb624",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/75fc8363227a999e8f3d17e2eb28dce5600dcd3f",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/8879b5313e9fa5e0c6d6812a0d25d83aed0110e2",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/8d5e69d8fbf3a35ab4fbe56b8f092802b43f3ef6",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a7b9ab04c5932dee7ec95e0abc58b0df350c0dd2",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/d15c9f6e3335002fea1c33bc8f71a705fa96976c",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

49
CVE-2022/CVE-2022-488xx/CVE-2022-48851.json Normal file
View File

@ -0,0 +1,49 @@
{
"id": "CVE-2022-48851",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T13:15:12.247",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: gdm724x: fix use after free in gdm_lte_rx()\n\nThe netif_rx_ni() function frees the skb so we can't dereference it to\nsave the skb->len."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/1fb9dd3787495b4deb0efe66c58306b65691a48f",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/403e3afe241b62401de1f8629c9c6b9b3d69dbff",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/48ecdf3e29a6e514e8196691589c7dfc6c4ac169",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/6d9700b445098dbbce0caff4b8cfca214cf1e757",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/6dc7b87c62423bfa68139fe95e85028aab584c9a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/83a9c886c2b5a0d28c0b37e1736b47f38d61332a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/d39dc79513e99147b4c158a8a9e46743e23944f5",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/fc7f750dc9d102c1ed7bbe4591f991e770c99033",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

29
CVE-2022/CVE-2022-488xx/CVE-2022-48852.json Normal file
View File

@ -0,0 +1,29 @@
{
"id": "CVE-2022-48852",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T13:15:12.320",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vc4: hdmi: Unregister codec device on unbind\n\nOn bind we will register the HDMI codec device but we don't unregister\nit on unbind, leading to a device leakage. Unregister our device at\nunbind."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/1ed68d776246f167aee9cd79f63f089c40a5e2a3",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/e40945ab7c7f966d0c37b7bd7b0596497dfe228d",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/ee22082c3e2f230028afa0e22aa8773b1de3c919",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

49
CVE-2022/CVE-2022-488xx/CVE-2022-48853.json Normal file
View File

@ -0,0 +1,49 @@
{
"id": "CVE-2022-48853",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T13:15:12.380",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nswiotlb: fix info leak with DMA_FROM_DEVICE\n\nThe problem I'm addressing was discovered by the LTP test covering\ncve-2018-1000204.\n\nA short description of what happens follows:\n1) The test case issues a command code 00 (TEST UNIT READY) via the SG_IO\n interface with: dxfer_len == 524288, dxdfer_dir == SG_DXFER_FROM_DEV\n and a corresponding dxferp. The peculiar thing about this is that TUR\n is not reading from the device.\n2) In sg_start_req() the invocation of blk_rq_map_user() effectively\n bounces the user-space buffer. As if the device was to transfer into\n it. Since commit a45b599ad808 (\"scsi: sg: allocate with __GFP_ZERO in\n sg_build_indirect()\") we make sure this first bounce buffer is\n allocated with GFP_ZERO.\n3) For the rest of the story we keep ignoring that we have a TUR, so the\n device won't touch the buffer we prepare as if the we had a\n DMA_FROM_DEVICE type of situation. My setup uses a virtio-scsi device\n and the buffer allocated by SG is mapped by the function\n virtqueue_add_split() which uses DMA_FROM_DEVICE for the \"in\" sgs (here\n scatter-gather and not scsi generics). This mapping involves bouncing\n via the swiotlb (we need swiotlb to do virtio in protected guest like\n s390 Secure Execution, or AMD SEV).\n4) When the SCSI TUR is done, we first copy back the content of the second\n (that is swiotlb) bounce buffer (which most likely contains some\n previous IO data), to the first bounce buffer, which contains all\n zeros. Then we copy back the content of the first bounce buffer to\n the user-space buffer.\n5) The test case detects that the buffer, which it zero-initialized,\n ain't all zeros and fails.\n\nOne can argue that this is an swiotlb problem, because without swiotlb\nwe leak all zeros, and the swiotlb should be transparent in a sense that\nit does not affect the outcome (if all other participants are well\nbehaved).\n\nCopying the content of the original buffer into the swiotlb buffer is\nthe only way I can think of to make swiotlb transparent in such\nscenarios. So let's do just that if in doubt, but allow the driver\nto tell us that the whole mapped buffer is going to be overwritten,\nin which case we can preserve the old behavior and avoid the performance\nimpact of the extra bounce."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/270475d6d2410ec66e971bf181afe1958dad565e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/6bfc5377a210dbda2a237f16d94d1bd4f1335026",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/7403f4118ab94be837ab9d770507537a8057bc63",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/8d9ac1b6665c73f23e963775f85d99679fd8e192",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/971e5dadffd02beba1063e7dd9c3a82de17cf534",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/c132f2ba716b5ee6b35f82226a6e5417d013d753",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/d4d975e7921079f877f828099bb8260af335508f",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/ddbd89deb7d32b1fbb879f48d68fda1a8ac58e8e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

25
CVE-2022/CVE-2022-488xx/CVE-2022-48854.json Normal file
View File

@ -0,0 +1,25 @@
{
"id": "CVE-2022-48854",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T13:15:12.457",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: arc_emac: Fix use after free in arc_mdio_probe()\n\nIf bus->state is equal to MDIOBUS_ALLOCATED, mdiobus_free(bus) will free\nthe \"bus\". But bus->name is still used in the next line, which will lead\nto a use after free.\n\nWe can fix it by putting the name in a local variable and make the\nbus->name point to the rodata section \"name\",then use the name in the\nerror message without referring to bus to avoid the uaf."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/84c831803785c2c3bec5c28c0e8a0b72f6b41d4d",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/bc0e610a6eb0d46e4123fafdbe5e6141d9fff3be",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

49
CVE-2022/CVE-2022-488xx/CVE-2022-48855.json Normal file
View File

@ -0,0 +1,49 @@
{
"id": "CVE-2022-48855",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T13:15:12.550",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: fix kernel-infoleak for SCTP sockets\n\nsyzbot reported a kernel infoleak [1] of 4 bytes.\n\nAfter analysis, it turned out r->idiag_expires is not initialized\nif inet_sctp_diag_fill() calls inet_diag_msg_common_fill()\n\nMake sure to clear idiag_timer/idiag_retrans/idiag_expires\nand let inet_diag_msg_sctpasoc_fill() fill them again if needed.\n\n[1]\n\nBUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:121 [inline]\nBUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:154 [inline]\nBUG: KMSAN: kernel-infoleak in _copy_to_iter+0x6ef/0x25a0 lib/iov_iter.c:668\n instrument_copy_to_user include/linux/instrumented.h:121 [inline]\n copyout lib/iov_iter.c:154 [inline]\n _copy_to_iter+0x6ef/0x25a0 lib/iov_iter.c:668\n copy_to_iter include/linux/uio.h:162 [inline]\n simple_copy_to_iter+0xf3/0x140 net/core/datagram.c:519\n __skb_datagram_iter+0x2d5/0x11b0 net/core/datagram.c:425\n skb_copy_datagram_iter+0xdc/0x270 net/core/datagram.c:533\n skb_copy_datagram_msg include/linux/skbuff.h:3696 [inline]\n netlink_recvmsg+0x669/0x1c80 net/netlink/af_netlink.c:1977\n sock_recvmsg_nosec net/socket.c:948 [inline]\n sock_recvmsg net/socket.c:966 [inline]\n __sys_recvfrom+0x795/0xa10 net/socket.c:2097\n __do_sys_recvfrom net/socket.c:2115 [inline]\n __se_sys_recvfrom net/socket.c:2111 [inline]\n __x64_sys_recvfrom+0x19d/0x210 net/socket.c:2111\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nUninit was created at:\n slab_post_alloc_hook mm/slab.h:737 [inline]\n slab_alloc_node mm/slub.c:3247 [inline]\n __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4975\n kmalloc_reserve net/core/skbuff.c:354 [inline]\n __alloc_skb+0x545/0xf90 net/core/skbuff.c:426\n alloc_skb include/linux/skbuff.h:1158 [inline]\n netlink_dump+0x3e5/0x16c0 net/netlink/af_netlink.c:2248\n __netlink_dump_start+0xcf8/0xe90 net/netlink/af_netlink.c:2373\n netlink_dump_start include/linux/netlink.h:254 [inline]\n inet_diag_handler_cmd+0x2e7/0x400 net/ipv4/inet_diag.c:1341\n sock_diag_rcv_msg+0x24a/0x620\n netlink_rcv_skb+0x40c/0x7e0 net/netlink/af_netlink.c:2494\n sock_diag_rcv+0x63/0x80 net/core/sock_diag.c:277\n netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]\n netlink_unicast+0x1093/0x1360 net/netlink/af_netlink.c:1343\n netlink_sendmsg+0x14d9/0x1720 net/netlink/af_netlink.c:1919\n sock_sendmsg_nosec net/socket.c:705 [inline]\n sock_sendmsg net/socket.c:725 [inline]\n sock_write_iter+0x594/0x690 net/socket.c:1061\n do_iter_readv_writev+0xa7f/0xc70\n do_iter_write+0x52c/0x1500 fs/read_write.c:851\n vfs_writev fs/read_write.c:924 [inline]\n do_writev+0x645/0xe00 fs/read_write.c:967\n __do_sys_writev fs/read_write.c:1040 [inline]\n __se_sys_writev fs/read_write.c:1037 [inline]\n __x64_sys_writev+0xe5/0x120 fs/read_write.c:1037\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nBytes 68-71 of 2508 are uninitialized\nMemory access of size 2508 starts at ffff888114f9b000\nData copied to user address 00007f7fe09ff2e0\n\nCPU: 1 PID: 3478 Comm: syz-executor306 Not tainted 5.17.0-rc4-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/1502f15b9f29c41883a6139f2923523873282a83",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/2d8fa3fdf4542a2174a72d92018f488d65d848c5",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/3fc0fd724d199e061432b66a8d85b7d48fe485f7",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/41a2864cf719c17294f417726edd411643462ab8",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/633593a808980f82d251d0ca89730d8bb8b0220c",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/b7e4d9ba2ddb78801488b4c623875b81fb46b545",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/bbf59d7ae558940cfa2b36a287fd1e88d83f89f8",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/d828b0fe6631f3ae8709ac9a10c77c5836c76a08",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

41
CVE-2022/CVE-2022-488xx/CVE-2022-48856.json Normal file
View File

@ -0,0 +1,41 @@
{
"id": "CVE-2022-48856",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T13:15:12.647",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngianfar: ethtool: Fix refcount leak in gfar_get_ts_info\n\nThe of_find_compatible_node() function returns a node pointer with\nrefcount incremented, We should use of_node_put() on it when done\nAdd the missing of_node_put() to release the refcount."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/0e1b9a2078e07fb1e6e91bf8badfd89ecab1e848",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/21044e679ed535345042d2023f7df0ca8e897e2a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/2ac5b58e645c66932438bb021cb5b52097ce70b0",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/6263f2eb93a85ad7df504daf0c341a7fb6bbe8a6",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/f49f646f9ec296fc0afe7ae92c2bb47f23e3846c",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/f7b3b520349193f8a82cca74daf366199e06add9",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

49
CVE-2022/CVE-2022-488xx/CVE-2022-48857.json Normal file
View File

@ -0,0 +1,49 @@
{
"id": "CVE-2022-48857",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T13:15:12.733",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFC: port100: fix use-after-free in port100_send_complete\n\nSyzbot reported UAF in port100_send_complete(). The root case is in\nmissing usb_kill_urb() calls on error handling path of ->probe function.\n\nport100_send_complete() accesses devm allocated memory which will be\nfreed on probe failure. We should kill this urbs before returning an\nerror from probe function to prevent reported use-after-free\n\nFail log:\n\nBUG: KASAN: use-after-free in port100_send_complete+0x16e/0x1a0 drivers/nfc/port100.c:935\nRead of size 1 at addr ffff88801bb59540 by task ksoftirqd/2/26\n...\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\n print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255\n __kasan_report mm/kasan/report.c:442 [inline]\n kasan_report.cold+0x83/0xdf mm/kasan/report.c:459\n port100_send_complete+0x16e/0x1a0 drivers/nfc/port100.c:935\n __usb_hcd_giveback_urb+0x2b0/0x5c0 drivers/usb/core/hcd.c:1670\n\n...\n\nAllocated by task 1255:\n kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38\n kasan_set_track mm/kasan/common.c:45 [inline]\n set_alloc_info mm/kasan/common.c:436 [inline]\n ____kasan_kmalloc mm/kasan/common.c:515 [inline]\n ____kasan_kmalloc mm/kasan/common.c:474 [inline]\n __kasan_kmalloc+0xa6/0xd0 mm/kasan/common.c:524\n alloc_dr drivers/base/devres.c:116 [inline]\n devm_kmalloc+0x96/0x1d0 drivers/base/devres.c:823\n devm_kzalloc include/linux/device.h:209 [inline]\n port100_probe+0x8a/0x1320 drivers/nfc/port100.c:1502\n\nFreed by task 1255:\n kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38\n kasan_set_track+0x21/0x30 mm/kasan/common.c:45\n kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370\n ____kasan_slab_free mm/kasan/common.c:366 [inline]\n ____kasan_slab_free+0xff/0x140 mm/kasan/common.c:328\n kasan_slab_free include/linux/kasan.h:236 [inline]\n __cache_free mm/slab.c:3437 [inline]\n kfree+0xf8/0x2b0 mm/slab.c:3794\n release_nodes+0x112/0x1a0 drivers/base/devres.c:501\n devres_release_all+0x114/0x190 drivers/base/devres.c:530\n really_probe+0x626/0xcc0 drivers/base/dd.c:670"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/0e721b8f2ee5e11376dd55363f9ccb539d754b8a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/205c4ec78e71cbf561794e6043da80e7bae6790f",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/2b1c85f56512d49e43bc53741fce2f508cd90029",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/32e866ae5a7af590597ef4bcff8451bf96d5f980",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/7194737e1be8fdc89d2a9382bd2f371f7ee2eda8",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/b1db33d4e54bc35d8db96ce143ea0ef92e23d58e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/cd2a5c0da0d1ddf11d1f84e9c9b1949f50f6e161",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/f80cfe2f26581f188429c12bd937eb905ad3ac7b",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

37
CVE-2022/CVE-2022-488xx/CVE-2022-48858.json Normal file
View File

@ -0,0 +1,37 @@
{
"id": "CVE-2022-48858",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T13:15:12.803",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Fix a race on command flush flow\n\nFix a refcount use after free warning due to a race on command entry.\nSuch race occurs when one of the commands releases its last refcount and\nfrees its index and entry while another process running command flush\nflow takes refcount to this command entry. The process which handles\ncommands flush may see this command as needed to be flushed if the other\nprocess released its refcount but didn't release the index yet. Fix it\nby adding the needed spin lock.\n\nIt fixes the following warning trace:\n\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 11 PID: 540311 at lib/refcount.c:25 refcount_warn_saturate+0x80/0xe0\n...\nRIP: 0010:refcount_warn_saturate+0x80/0xe0\n...\nCall Trace:\n <TASK>\n mlx5_cmd_trigger_completions+0x293/0x340 [mlx5_core]\n mlx5_cmd_flush+0x3a/0xf0 [mlx5_core]\n enter_error_state+0x44/0x80 [mlx5_core]\n mlx5_fw_fatal_reporter_err_work+0x37/0xe0 [mlx5_core]\n process_one_work+0x1be/0x390\n worker_thread+0x4d/0x3d0\n ? rescuer_thread+0x350/0x350\n kthread+0x141/0x160\n ? set_kthread_struct+0x40/0x40\n ret_from_fork+0x1f/0x30\n </TASK>"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/0401bfb27a91d7bdd74b1635c1aae57cbb128da6",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/063bd355595428750803d8736a9bb7c8db67d42d",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/1a4017926eeea56c7540cc41b42106746ee8a0ee",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/7c519f769f555ff7d9d4ccba3497bbb589df360a",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/f3331bc17449f15832c31823f27573f4c0e13e5f",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

29
CVE-2022/CVE-2022-488xx/CVE-2022-48859.json Normal file
View File

@ -0,0 +1,29 @@
{
"id": "CVE-2022-48859",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T13:15:12.873",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: marvell: prestera: Add missing of_node_put() in prestera_switch_set_base_mac_addr\n\nThis node pointer is returned by of_find_compatible_node() with\nrefcount incremented. Calling of_node_put() to aovid the refcount leak."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/4cc66bf17220ff9631f9fa99b02a872e0ad5a08b",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/b7c2fd1d126329340639adfb8dd2938fe4b65df7",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/c9ffa3e2bc451816ce0295e40063514fabf2bd36",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

49
CVE-2022/CVE-2022-488xx/CVE-2022-48860.json Normal file
View File

@ -0,0 +1,49 @@
{
"id": "CVE-2022-48860",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T13:15:12.940",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nethernet: Fix error handling in xemaclite_of_probe\n\nThis node pointer is returned by of_parse_phandle() with refcount\nincremented in this function. Calling of_node_put() to avoid the\nrefcount leak. As the remove function do."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/1852854ee349881efb78ccdbbb237838975902e4",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/5e7c402892e189a7bc152b125e72261154aa585d",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/669172ce976608b25a2f76f3c65d47f042d125c9",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/8609e29611befc4bfbe7a91bb50fc65ae72ff549",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/8ee065a7a9b6a3976c16340503677efc4d8351f6",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/979b418b96e35f07136f77962ccfaa54cf3e30e1",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/b19ab4b38b06aae12442b2de95ccf58b5dc53584",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/b7220f8e9d6c6b9594ddfb3125dad938cd478b1f",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

29
CVE-2022/CVE-2022-488xx/CVE-2022-48861.json Normal file
View File

@ -0,0 +1,29 @@
{
"id": "CVE-2022-48861",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T13:15:13.030",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvdpa: fix use-after-free on vp_vdpa_remove\n\nWhen vp_vdpa driver is unbind, vp_vdpa is freed in vdpa_unregister_device\nand then vp_vdpa->mdev.pci_dev is dereferenced in vp_modern_remove,\ntriggering use-after-free.\n\nCall Trace of unbinding driver free vp_vdpa :\ndo_syscall_64\n vfs_write\n kernfs_fop_write_iter\n device_release_driver_internal\n pci_device_remove\n vp_vdpa_remove\n vdpa_unregister_device\n kobject_release\n device_release\n kfree\n\nCall Trace of dereference vp_vdpa->mdev.pci_dev:\nvp_modern_remove\n pci_release_selected_regions\n pci_release_region\n pci_resource_len\n pci_resource_end\n (dev)->resource[(bar)].end"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/4b1743bc715a3691a63ac21b349079b07bf1b19e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/dc54ba9932aeaaa1a21fe214af1f446593a78274",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/eb057b44dbe35ae14527830236a92f51de8f9184",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

29
CVE-2022/CVE-2022-488xx/CVE-2022-48862.json Normal file
View File

@ -0,0 +1,29 @@
{
"id": "CVE-2022-48862",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T13:15:13.100",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvhost: fix hung thread due to erroneous iotlb entries\n\nIn vhost_iotlb_add_range_ctx(), range size can overflow to 0 when\nstart is 0 and last is ULONG_MAX. One instance where it can happen\nis when userspace sends an IOTLB message with iova=size=uaddr=0\n(vhost_process_iotlb_msg). So, an entry with size = 0, start = 0,\nlast = ULONG_MAX ends up in the iotlb. Next time a packet is sent,\niotlb_access_ok() loops indefinitely due to that erroneous entry.\n\n\tCall Trace:\n\t <TASK>\n\t iotlb_access_ok+0x21b/0x3e0 drivers/vhost/vhost.c:1340\n\t vq_meta_prefetch+0xbc/0x280 drivers/vhost/vhost.c:1366\n\t vhost_transport_do_send_pkt+0xe0/0xfd0 drivers/vhost/vsock.c:104\n\t vhost_worker+0x23d/0x3d0 drivers/vhost/vhost.c:372\n\t kthread+0x2e9/0x3a0 kernel/kthread.c:377\n\t ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295\n\t </TASK>\n\nReported by syzbot at:\n\thttps://syzkaller.appspot.com/bug?extid=0abd373e2e50d704db87\n\nTo fix this, do two things:\n\n1. Return -EINVAL in vhost_chr_write_iter() when userspace asks to map\n a range with size 0.\n2. Fix vhost_iotlb_add_range_ctx() to handle the range [0, ULONG_MAX]\n by splitting it into two entries."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/d9a747e6b6561280bf1791bb24c5e9e082193dad",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/e2ae38cf3d91837a493cb2093c87700ff3cbe667",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/f8d88e86e90ea1002226d7ac2430152bfea003d1",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

33
CVE-2022/CVE-2022-488xx/CVE-2022-48863.json Normal file
View File

@ -0,0 +1,33 @@
{
"id": "CVE-2022-48863",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T13:15:13.163",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmISDN: Fix memory leak in dsp_pipeline_build()\n\ndsp_pipeline_build() allocates dup pointer by kstrdup(cfg),\nbut then it updates dup variable by strsep(&dup, \"|\").\nAs a result when it calls kfree(dup), the dup variable contains NULL.\n\nFound by Linux Driver Verification project (linuxtesting.org) with SVACE."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/640445d6fc059d4514ffea79eb4196299e0e2d0f",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/7777b1f795af1bb43867375d8a776080111aae1b",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/a3d5fcc6cf2ecbba5a269631092570aa285a24cb",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/c6a502c2299941c8326d029cfc8a3bc8a4607ad5",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

29
CVE-2022/CVE-2022-488xx/CVE-2022-48864.json Normal file
View File

@ -0,0 +1,29 @@
{
"id": "CVE-2022-48864",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T13:15:13.233",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvdpa/mlx5: add validation for VIRTIO_NET_CTRL_MQ_VQ_PAIRS_SET command\n\nWhen control vq receives a VIRTIO_NET_CTRL_MQ_VQ_PAIRS_SET command\nrequest from the driver, presently there is no validation against the\nnumber of queue pairs to configure, or even if multiqueue had been\nnegotiated or not is unverified. This may lead to kernel panic due to\nuninitialized resource for the queues were there any bogus request\nsent down by untrusted driver. Tie up the loose ends there."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/9f6effca75626c7a7c7620dabcb1a254ca530230",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/e7e118416465f2ba8b55007e5b789823e101421e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/ed0f849fc3a63ed2ddf5e72cdb1de3bdbbb0f8eb",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

33
CVE-2022/CVE-2022-488xx/CVE-2022-48865.json Normal file
View File

@ -0,0 +1,33 @@
{
"id": "CVE-2022-48865",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T13:15:13.300",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix kernel panic when enabling bearer\n\nWhen enabling a bearer on a node, a kernel panic is observed:\n\n[ 4.498085] RIP: 0010:tipc_mon_prep+0x4e/0x130 [tipc]\n...\n[ 4.520030] Call Trace:\n[ 4.520689] <IRQ>\n[ 4.521236] tipc_link_build_proto_msg+0x375/0x750 [tipc]\n[ 4.522654] tipc_link_build_state_msg+0x48/0xc0 [tipc]\n[ 4.524034] __tipc_node_link_up+0xd7/0x290 [tipc]\n[ 4.525292] tipc_rcv+0x5da/0x730 [tipc]\n[ 4.526346] ? __netif_receive_skb_core+0xb7/0xfc0\n[ 4.527601] tipc_l2_rcv_msg+0x5e/0x90 [tipc]\n[ 4.528737] __netif_receive_skb_list_core+0x20b/0x260\n[ 4.530068] netif_receive_skb_list_internal+0x1bf/0x2e0\n[ 4.531450] ? dev_gro_receive+0x4c2/0x680\n[ 4.532512] napi_complete_done+0x6f/0x180\n[ 4.533570] virtnet_poll+0x29c/0x42e [virtio_net]\n...\n\nThe node in question is receiving activate messages in another\nthread after changing bearer status to allow message sending/\nreceiving in current thread:\n\n thread 1 | thread 2\n -------- | --------\n |\ntipc_enable_bearer() |\n test_and_set_bit_lock() |\n tipc_bearer_xmit_skb() |\n | tipc_l2_rcv_msg()\n | tipc_rcv()\n | __tipc_node_link_up()\n | tipc_link_build_state_msg()\n | tipc_link_build_proto_msg()\n | tipc_mon_prep()\n | {\n | ...\n | // null-pointer dereference\n | u16 gen = mon->dom_gen;\n | ...\n | }\n // Not being executed yet |\n tipc_mon_create() |\n { |\n ... |\n // allocate |\n mon = kzalloc(); |\n ... |\n } |\n\nMonitoring pointer in thread 2 is dereferenced before monitoring data\nis allocated in thread 1. This causes kernel panic.\n\nThis commit fixes it by allocating the monitoring data before enabling\nthe bearer to receive messages."
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/2de76d37d4a6dca9b96ea51da24d4290e6cfa1a5",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/be4977b847f5d5cedb64d50eaaf2218c3a55a3a3",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/f4f59fdbc748805b08c13dae14c01f0518c77c94",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/f96dc3adb9a97b8f3dfdb88796483491a3006b71",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

29
CVE-2022/CVE-2022-488xx/CVE-2022-48866.json Normal file
View File

@ -0,0 +1,29 @@
{
"id": "CVE-2022-48866",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T13:15:13.377",
"lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: hid-thrustmaster: fix OOB read in thrustmaster_interrupts\n\nSyzbot reported an slab-out-of-bounds Read in thrustmaster_probe() bug.\nThe root case is in missing validation check of actual number of endpoints.\n\nCode should not blindly access usb_host_interface::endpoint array, since\nit may contain less endpoints than code expects.\n\nFix it by adding missing validaion check and print an error if\nnumber of endpoints do not match expected number"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/3ffbe85cda7f523dad896bae08cecd8db8b555ab",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/56185434e1e50acecee56d8f5850135009b87947",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/fc3ef2e3297b3c0e2006b5d7b3d66965e3392036",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}

4
CVE-2023/CVE-2023-522xx/CVE-2023-52290.json
View File

@ -2,8 +2,8 @@
"id": "CVE-2023-52290", "id": "CVE-2023-52290",
"sourceIdentifier": "security@apache.org", "sourceIdentifier": "security@apache.org",
"published": "2024-07-16T08:15:02.050", "published": "2024-07-16T08:15:02.050",
"lastModified": "2024-07-16T08:15:02.050", "lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Received", "vulnStatus": "Awaiting Analysis",
"cveTags": [], "cveTags": [],
"descriptions": [ "descriptions": [
{ {

4
CVE-2023/CVE-2023-528xx/CVE-2023-52886.json
View File

@ -2,8 +2,8 @@
"id": "CVE-2023-52886", "id": "CVE-2023-52886",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2024-07-16T10:15:02.493", "published": "2024-07-16T10:15:02.493",
"lastModified": "2024-07-16T10:15:02.493", "lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Received", "vulnStatus": "Awaiting Analysis",
"cveTags": [], "cveTags": [],
"descriptions": [ "descriptions": [
{ {

4
CVE-2024/CVE-2024-19xx/CVE-2024-1937.json
View File

@ -2,8 +2,8 @@
"id": "CVE-2024-1937", "id": "CVE-2024-1937",
"sourceIdentifier": "security@wordfence.com", "sourceIdentifier": "security@wordfence.com",
"published": "2024-07-16T09:15:02.257", "published": "2024-07-16T09:15:02.257",
"lastModified": "2024-07-16T09:15:02.257", "lastModified": "2024-07-16T13:43:58.773",
"vulnStatus": "Received", "vulnStatus": "Awaiting Analysis",
"cveTags": [], "cveTags": [],
"descriptions": [ "descriptions": [
{ {

Some files were not shown because too many files have changed in this diff Show More