diff --git a/mapping.csv b/mapping.csv
index a0c8fd9f4d..2937871480 100644
--- a/mapping.csv
+++ b/mapping.csv
@@ -263684,3 +263684,36 @@ vulnerability,CVE-2025-0193,vulnerability--7103bfbb-6ebb-4816-8663-db8644346b54
 vulnerability,CVE-2024-5198,vulnerability--a59c5c27-7d4d-4c0c-9db9-4be216c97ca2
 vulnerability,CVE-2024-11029,vulnerability--838c4ea9-72d5-4717-9eca-e75f40d9bdf0
 vulnerability,CVE-2024-13215,vulnerability--1c1e129a-43b5-4635-9dd5-9d093e78de95
+vulnerability,CVE-2024-57883,vulnerability--0e5658e2-ec05-4b67-a3d8-2c1fdf64ceed
+vulnerability,CVE-2024-57901,vulnerability--dc429a42-c1f6-4eed-850a-f8b66cb054e2
+vulnerability,CVE-2024-57903,vulnerability--b7c6b147-481c-4257-864f-971750aa48dc
+vulnerability,CVE-2024-57894,vulnerability--d60e9561-b74c-4fed-b11e-2993f070db8c
+vulnerability,CVE-2024-57887,vulnerability--07547116-48c4-49f6-baad-257bf1e144f4
+vulnerability,CVE-2024-57885,vulnerability--1db2ae3b-4414-4a00-b552-95bc92096874
+vulnerability,CVE-2024-57893,vulnerability--96f2cabf-15ad-4666-92bb-0a6b89f39642
+vulnerability,CVE-2024-57899,vulnerability--4c7f5bd9-3c09-494d-8493-6783c7831daa
+vulnerability,CVE-2024-57795,vulnerability--cd9b5cca-91c1-46ff-aa14-34e588c15140
+vulnerability,CVE-2024-57896,vulnerability--dec05a2a-41fd-4f1b-ad86-d04c27efb1e7
+vulnerability,CVE-2024-57891,vulnerability--4afabc82-3769-42bc-900b-2d0b8ac41706
+vulnerability,CVE-2024-57886,vulnerability--13c77d6e-7cdd-49a9-82a0-daff768646a2
+vulnerability,CVE-2024-57888,vulnerability--ac6e4bae-4359-4116-8737-65464b40c802
+vulnerability,CVE-2024-57900,vulnerability--6b9291b6-6967-4f71-acbf-e0cee1cc28ae
+vulnerability,CVE-2024-57898,vulnerability--914b378a-c346-4d51-b5bb-95eafc5f6dcd
+vulnerability,CVE-2024-57890,vulnerability--c8696c40-02e5-4340-8978-a2b01bb28d1f
+vulnerability,CVE-2024-57844,vulnerability--41a93a26-7e1a-4537-a477-dadacc5c9f9f
+vulnerability,CVE-2024-57802,vulnerability--1e16999e-3f14-497d-bf9d-6220103aff39
+vulnerability,CVE-2024-57882,vulnerability--230b497b-f1fe-46e8-9c67-d84bf38b110c
+vulnerability,CVE-2024-57897,vulnerability--28edc1a2-0fb3-4ce4-9c60-82c343e79e16
+vulnerability,CVE-2024-57895,vulnerability--3c82ecaa-5ad5-4074-9f34-c5731619d038
+vulnerability,CVE-2024-57902,vulnerability--e97e44fc-8e24-4c8c-a297-cb4e614c97fd
+vulnerability,CVE-2024-57892,vulnerability--9957be47-47fa-44df-a649-976dde912e82
+vulnerability,CVE-2024-57801,vulnerability--d3ec54b2-ecc1-4f08-ad67-b8ef24d9826c
+vulnerability,CVE-2024-57889,vulnerability--6182343a-f7ff-4d38-88f6-a681e1dff677
+vulnerability,CVE-2024-57884,vulnerability--e6a1dbff-1630-48df-8fbb-194fab4ea077
+vulnerability,CVE-2024-57841,vulnerability--f3cce38d-98e9-4e91-8096-6576ca0513e7
+vulnerability,CVE-2024-53681,vulnerability--a4dd5c85-a6e8-43f3-bdea-a9bd2f5e2593
+vulnerability,CVE-2024-39282,vulnerability--381debc4-2b6f-4550-acdd-70b9fdcd33d5
+vulnerability,CVE-2024-54031,vulnerability--cda82f24-d447-41fb-b67a-9c1f7e5383de
+vulnerability,CVE-2024-36476,vulnerability--abf35f53-1a43-444c-9672-c373fe8a0107
+vulnerability,CVE-2025-21629,vulnerability--759892ba-a89b-4bd3-a8b4-06c05284353c
+vulnerability,CVE-2025-21630,vulnerability--950ec7ff-9ec9-49a2-82f2-721cb7cb2662
diff --git a/objects/vulnerability/vulnerability--07547116-48c4-49f6-baad-257bf1e144f4.json b/objects/vulnerability/vulnerability--07547116-48c4-49f6-baad-257bf1e144f4.json
new file mode 100644
index 0000000000..1506ee7ad1
--- /dev/null
+++ b/objects/vulnerability/vulnerability--07547116-48c4-49f6-baad-257bf1e144f4.json
@@ -0,0 +1,22 @@
+{
+ "type": "bundle",
+ "id": "bundle--97e84cb2-683d-47ab-bf05-1412f73c5064",
+ "objects": [
+ {
+ "type": "vulnerability",
+ "spec_version": "2.1",
+ "id": "vulnerability--07547116-48c4-49f6-baad-257bf1e144f4",
+ "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
+ "created": "2025-01-15T14:18:03.350793Z",
+ "modified": "2025-01-15T14:18:03.350793Z",
+ "name": "CVE-2024-57887",
+ "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: adv7511: Fix use-after-free in adv7533_attach_dsi()\n\nThe host_node pointer was assigned and freed in adv7533_parse_dt(), and\nlater, adv7533_attach_dsi() uses the same. Fix this use-after-free issue\nby dropping of_node_put() in adv7533_parse_dt() and calling of_node_put()\nin error path of probe() and also in the remove().",
+ "external_references": [
+ {
+ "source_name": "cve",
+ "external_id": "CVE-2024-57887"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/objects/vulnerability/vulnerability--0e5658e2-ec05-4b67-a3d8-2c1fdf64ceed.json b/objects/vulnerability/vulnerability--0e5658e2-ec05-4b67-a3d8-2c1fdf64ceed.json
new file mode 100644
index 0000000000..63e2b3fe20
--- /dev/null
+++ b/objects/vulnerability/vulnerability--0e5658e2-ec05-4b67-a3d8-2c1fdf64ceed.json
@@ -0,0 +1,22 @@
+{
+ "type": "bundle",
+ "id": "bundle--7aa9bd4e-0c60-4785-8ac2-c886c973c33b",
+ "objects": [
+ {
+ "type": "vulnerability",
+ "spec_version": "2.1",
+ "id": "vulnerability--0e5658e2-ec05-4b67-a3d8-2c1fdf64ceed",
+ "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
+ "created": "2025-01-15T14:18:03.335368Z",
+ "modified": "2025-01-15T14:18:03.335368Z",
+ "name": "CVE-2024-57883",
+ "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: hugetlb: independent PMD page table shared count\n\nThe folio refcount may be increased unexpectly through try_get_folio() by\ncaller such as split_huge_pages. In huge_pmd_unshare(), we use refcount\nto check whether a pmd page table is shared. The check is incorrect if\nthe refcount is increased by the above caller, and this can cause the page\ntable leaked:\n\n BUG: Bad page state in process sh pfn:109324\n page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x66 pfn:0x109324\n flags: 0x17ffff800000000(node=0|zone=2|lastcpupid=0xfffff)\n page_type: f2(table)\n raw: 017ffff800000000 0000000000000000 0000000000000000 0000000000000000\n raw: 0000000000000066 0000000000000000 00000000f2000000 0000000000000000\n page dumped because: nonzero mapcount\n ...\n CPU: 31 UID: 0 PID: 7515 Comm: sh Kdump: loaded Tainted: G B 6.13.0-rc2master+ #7\n Tainted: [B]=BAD_PAGE\n Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015\n Call trace:\n show_stack+0x20/0x38 (C)\n dump_stack_lvl+0x80/0xf8\n dump_stack+0x18/0x28\n bad_page+0x8c/0x130\n free_page_is_bad_report+0xa4/0xb0\n free_unref_page+0x3cc/0x620\n __folio_put+0xf4/0x158\n split_huge_pages_all+0x1e0/0x3e8\n split_huge_pages_write+0x25c/0x2d8\n full_proxy_write+0x64/0xd8\n vfs_write+0xcc/0x280\n ksys_write+0x70/0x110\n __arm64_sys_write+0x24/0x38\n invoke_syscall+0x50/0x120\n el0_svc_common.constprop.0+0xc8/0xf0\n do_el0_svc+0x24/0x38\n el0_svc+0x34/0x128\n el0t_64_sync_handler+0xc8/0xd0\n el0t_64_sync+0x190/0x198\n\nThe issue may be triggered by damon, offline_page, page_idle, etc, which\nwill increase the refcount of page table.\n\n1. The page table itself will be discarded after reporting the\n \"nonzero mapcount\".\n\n2. The HugeTLB page mapped by the page table miss freeing since we\n treat the page table as shared and a shared page table will not be\n unmapped.\n\nFix it by introducing independent PMD page table shared count. As\ndescribed by comment, pt_index/pt_mm/pt_frag_refcount are used for s390\ngmap, x86 pgds and powerpc, pt_share_count is used for x86/arm64/riscv\npmds, so we can reuse the field as pt_share_count.",
+ "external_references": [
+ {
+ "source_name": "cve",
+ "external_id": "CVE-2024-57883"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/objects/vulnerability/vulnerability--13c77d6e-7cdd-49a9-82a0-daff768646a2.json b/objects/vulnerability/vulnerability--13c77d6e-7cdd-49a9-82a0-daff768646a2.json
new file mode 100644
index 0000000000..973c374a13
--- /dev/null
+++ b/objects/vulnerability/vulnerability--13c77d6e-7cdd-49a9-82a0-daff768646a2.json
@@ -0,0 +1,22 @@
+{
+ "type": "bundle",
+ "id": "bundle--94842ebe-b7bd-41ab-abd2-9c68189cef8b",
+ "objects": [
+ {
+ "type": "vulnerability",
+ "spec_version": "2.1",
+ "id": "vulnerability--13c77d6e-7cdd-49a9-82a0-daff768646a2",
+ "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
+ "created": "2025-01-15T14:18:03.369499Z",
+ "modified": "2025-01-15T14:18:03.369499Z",
+ "name": "CVE-2024-57886",
+ "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/core: fix new damon_target objects leaks on damon_commit_targets()\n\nPatch series \"mm/damon/core: fix memory leaks and ignored inputs from\ndamon_commit_ctx()\".\n\nDue to two bugs in damon_commit_targets() and damon_commit_schemes(),\nwhich are called from damon_commit_ctx(), some user inputs can be ignored,\nand some mmeory objects can be leaked. Fix those.\n\nNote that only DAMON sysfs interface users are affected. Other DAMON core\nAPI user modules that more focused more on simple and dedicated production\nusages, including DAMON_RECLAIM and DAMON_LRU_SORT are not using the buggy\nfunction in the way, so not affected.\n\n\nThis patch (of 2):\n\nWhen new DAMON targets are added via damon_commit_targets(), the newly\ncreated targets are not deallocated when updating the internal data\n(damon_commit_target()) is failed. Worse yet, even if the setup is\nsuccessfully done, the new target is not linked to the context. Hence,\nthe new targets are always leaked regardless of the internal data setup\nfailure. Fix the leaks.",
+ "external_references": [
+ {
+ "source_name": "cve",
+ "external_id": "CVE-2024-57886"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/objects/vulnerability/vulnerability--1db2ae3b-4414-4a00-b552-95bc92096874.json b/objects/vulnerability/vulnerability--1db2ae3b-4414-4a00-b552-95bc92096874.json
new file mode 100644
index 0000000000..cae3c0e9cf
--- /dev/null
+++ b/objects/vulnerability/vulnerability--1db2ae3b-4414-4a00-b552-95bc92096874.json
@@ -0,0 +1,22 @@
+{
+ "type": "bundle",
+ "id": "bundle--3847c6b3-324b-4945-b7a8-4531dd58aaac",
+ "objects": [
+ {
+ "type": "vulnerability",
+ "spec_version": "2.1",
+ "id": "vulnerability--1db2ae3b-4414-4a00-b552-95bc92096874",
+ "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
+ "created": "2025-01-15T14:18:03.351916Z",
+ "modified": "2025-01-15T14:18:03.351916Z",
+ "name": "CVE-2024-57885",
+ "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/kmemleak: fix sleeping function called from invalid context at print message\n\nAddress a bug in the kernel that triggers a \"sleeping function called from\ninvalid context\" warning when /sys/kernel/debug/kmemleak is printed under\nspecific conditions:\n- CONFIG_PREEMPT_RT=y\n- Set SELinux as the LSM for the system\n- Set kptr_restrict to 1\n- kmemleak buffer contains at least one item\n\nBUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48\nin_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 136, name: cat\npreempt_count: 1, expected: 0\nRCU nest depth: 2, expected: 2\n6 locks held by cat/136:\n #0: ffff32e64bcbf950 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xb8/0xe30\n #1: ffffafe6aaa9dea0 (scan_mutex){+.+.}-{3:3}, at: kmemleak_seq_start+0x34/0x128\n #3: ffff32e6546b1cd0 (&object->lock){....}-{2:2}, at: kmemleak_seq_show+0x3c/0x1e0\n #4: ffffafe6aa8d8560 (rcu_read_lock){....}-{1:2}, at: has_ns_capability_noaudit+0x8/0x1b0\n #5: ffffafe6aabbc0f8 (notif_lock){+.+.}-{2:2}, at: avc_compute_av+0xc4/0x3d0\nirq event stamp: 136660\nhardirqs last enabled at (136659): [] _raw_spin_unlock_irqrestore+0xa8/0xd8\nhardirqs last disabled at (136660): [] _raw_spin_lock_irqsave+0x8c/0xb0\nsoftirqs last enabled at (0): [] copy_process+0x11d8/0x3df8\nsoftirqs last disabled at (0): [<0000000000000000>] 0x0\nPreemption disabled at:\n[] kmemleak_seq_show+0x3c/0x1e0\nCPU: 1 UID: 0 PID: 136 Comm: cat Tainted: G E 6.11.0-rt7+ #34\nTainted: [E]=UNSIGNED_MODULE\nHardware name: linux,dummy-virt (DT)\nCall trace:\n dump_backtrace+0xa0/0x128\n show_stack+0x1c/0x30\n dump_stack_lvl+0xe8/0x198\n dump_stack+0x18/0x20\n rt_spin_lock+0x8c/0x1a8\n avc_perm_nonode+0xa0/0x150\n cred_has_capability.isra.0+0x118/0x218\n selinux_capable+0x50/0x80\n security_capable+0x7c/0xd0\n has_ns_capability_noaudit+0x94/0x1b0\n has_capability_noaudit+0x20/0x30\n restricted_pointer+0x21c/0x4b0\n pointer+0x298/0x760\n vsnprintf+0x330/0xf70\n seq_printf+0x178/0x218\n print_unreferenced+0x1a4/0x2d0\n kmemleak_seq_show+0xd0/0x1e0\n seq_read_iter+0x354/0xe30\n seq_read+0x250/0x378\n full_proxy_read+0xd8/0x148\n vfs_read+0x190/0x918\n ksys_read+0xf0/0x1e0\n __arm64_sys_read+0x70/0xa8\n invoke_syscall.constprop.0+0xd4/0x1d8\n el0_svc+0x50/0x158\n el0t_64_sync+0x17c/0x180\n\n%pS and %pK, in the same back trace line, are redundant, and %pS can void\n%pK service in certain contexts.\n\n%pS alone already provides the necessary information, and if it cannot\nresolve the symbol, it falls back to printing the raw address voiding\nthe original intent behind the %pK.\n\nAdditionally, %pK requires a privilege check CAP_SYSLOG enforced through\nthe LSM, which can trigger a \"sleeping function called from invalid\ncontext\" warning under RT_PREEMPT kernels when the check occurs in an\natomic context. This issue may also affect other LSMs.\n\nThis change avoids the unnecessary privilege check and resolves the\nsleeping function warning without any loss of information.",
+ "external_references": [
+ {
+ "source_name": "cve",
+ "external_id": "CVE-2024-57885"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/objects/vulnerability/vulnerability--1e16999e-3f14-497d-bf9d-6220103aff39.json b/objects/vulnerability/vulnerability--1e16999e-3f14-497d-bf9d-6220103aff39.json
new file mode 100644
index 0000000000..d991781b6c
--- /dev/null
+++ b/objects/vulnerability/vulnerability--1e16999e-3f14-497d-bf9d-6220103aff39.json
@@ -0,0 +1,22 @@
+{
+ "type": "bundle",
+ "id": "bundle--ebe3d6e6-3531-4983-b6ba-5f1c9011d4f5",
+ "objects": [
+ {
+ "type": "vulnerability",
+ "spec_version": "2.1",
+ "id": "vulnerability--1e16999e-3f14-497d-bf9d-6220103aff39",
+ "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
+ "created": "2025-01-15T14:18:03.385553Z",
+ "modified": "2025-01-15T14:18:03.385553Z",
+ "name": "CVE-2024-57802",
+ "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: check buffer length before accessing it\n\nSyzkaller reports an uninit value read from ax25cmp when sending raw message\nthrough ieee802154 implementation.\n\n=====================================================\nBUG: KMSAN: uninit-value in ax25cmp+0x3a5/0x460 net/ax25/ax25_addr.c:119\n ax25cmp+0x3a5/0x460 net/ax25/ax25_addr.c:119\n nr_dev_get+0x20e/0x450 net/netrom/nr_route.c:601\n nr_route_frame+0x1a2/0xfc0 net/netrom/nr_route.c:774\n nr_xmit+0x5a/0x1c0 net/netrom/nr_dev.c:144\n __netdev_start_xmit include/linux/netdevice.h:4940 [inline]\n netdev_start_xmit include/linux/netdevice.h:4954 [inline]\n xmit_one net/core/dev.c:3548 [inline]\n dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564\n __dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349\n dev_queue_xmit include/linux/netdevice.h:3134 [inline]\n raw_sendmsg+0x654/0xc10 net/ieee802154/socket.c:299\n ieee802154_sock_sendmsg+0x91/0xc0 net/ieee802154/socket.c:96\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg net/socket.c:745 [inline]\n ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n __sys_sendmsg net/socket.c:2667 [inline]\n __do_sys_sendmsg net/socket.c:2676 [inline]\n __se_sys_sendmsg net/socket.c:2674 [inline]\n __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nUninit was created at:\n slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768\n slab_alloc_node mm/slub.c:3478 [inline]\n kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523\n kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560\n __alloc_skb+0x318/0x740 net/core/skbuff.c:651\n alloc_skb include/linux/skbuff.h:1286 [inline]\n alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334\n sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2780\n sock_alloc_send_skb include/net/sock.h:1884 [inline]\n raw_sendmsg+0x36d/0xc10 net/ieee802154/socket.c:282\n ieee802154_sock_sendmsg+0x91/0xc0 net/ieee802154/socket.c:96\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg net/socket.c:745 [inline]\n ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n __sys_sendmsg net/socket.c:2667 [inline]\n __do_sys_sendmsg net/socket.c:2676 [inline]\n __se_sys_sendmsg net/socket.c:2674 [inline]\n __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nCPU: 0 PID: 5037 Comm: syz-executor166 Not tainted 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023\n=====================================================\n\nThis issue occurs because the skb buffer is too small, and it's actual\nallocation is aligned. This hides an actual issue, which is that nr_route_frame\ndoes not validate the buffer size before using it.\n\nFix this issue by checking skb->len before accessing any fields in skb->data.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.",
+ "external_references": [
+ {
+ "source_name": "cve",
+ "external_id": "CVE-2024-57802"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/objects/vulnerability/vulnerability--230b497b-f1fe-46e8-9c67-d84bf38b110c.json b/objects/vulnerability/vulnerability--230b497b-f1fe-46e8-9c67-d84bf38b110c.json
new file mode 100644
index 0000000000..6ee78f619f
--- /dev/null
+++ b/objects/vulnerability/vulnerability--230b497b-f1fe-46e8-9c67-d84bf38b110c.json
@@ -0,0 +1,22 @@
+{
+ "type": "bundle",
+ "id": "bundle--e82fb632-0cf0-4b8b-b9b0-c4348d887154",
+ "objects": [
+ {
+ "type": "vulnerability",
+ "spec_version": "2.1",
+ "id": "vulnerability--230b497b-f1fe-46e8-9c67-d84bf38b110c",
+ "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
+ "created": "2025-01-15T14:18:03.386758Z",
+ "modified": "2025-01-15T14:18:03.386758Z",
+ "name": "CVE-2024-57882",
+ "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix TCP options overflow.\n\nSyzbot reported the following splat:\n\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\nCPU: 1 UID: 0 PID: 5836 Comm: sshd Not tainted 6.13.0-rc3-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024\nRIP: 0010:_compound_head include/linux/page-flags.h:242 [inline]\nRIP: 0010:put_page+0x23/0x260 include/linux/mm.h:1552\nCode: 90 90 90 90 90 90 90 55 41 57 41 56 53 49 89 fe 48 bd 00 00 00 00 00 fc ff df e8 f8 5e 12 f8 49 8d 5e 08 48 89 d8 48 c1 e8 03 <80> 3c 28 00 74 08 48 89 df e8 8f c7 78 f8 48 8b 1b 48 89 de 48 83\nRSP: 0000:ffffc90003916c90 EFLAGS: 00010202\nRAX: 0000000000000001 RBX: 0000000000000008 RCX: ffff888030458000\nRDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: dffffc0000000000 R08: ffffffff898ca81d R09: 1ffff110054414ac\nR10: dffffc0000000000 R11: ffffed10054414ad R12: 0000000000000007\nR13: ffff88802a20a542 R14: 0000000000000000 R15: 0000000000000000\nFS: 00007f34f496e800(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f9d6ec9ec28 CR3: 000000004d260000 CR4: 00000000003526f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n skb_page_unref include/linux/skbuff_ref.h:43 [inline]\n __skb_frag_unref include/linux/skbuff_ref.h:56 [inline]\n skb_release_data+0x483/0x8a0 net/core/skbuff.c:1119\n skb_release_all net/core/skbuff.c:1190 [inline]\n __kfree_skb+0x55/0x70 net/core/skbuff.c:1204\n tcp_clean_rtx_queue net/ipv4/tcp_input.c:3436 [inline]\n tcp_ack+0x2442/0x6bc0 net/ipv4/tcp_input.c:4032\n tcp_rcv_state_process+0x8eb/0x44e0 net/ipv4/tcp_input.c:6805\n tcp_v4_do_rcv+0x77d/0xc70 net/ipv4/tcp_ipv4.c:1939\n tcp_v4_rcv+0x2dc0/0x37f0 net/ipv4/tcp_ipv4.c:2351\n ip_protocol_deliver_rcu+0x22e/0x440 net/ipv4/ip_input.c:205\n ip_local_deliver_finish+0x341/0x5f0 net/ipv4/ip_input.c:233\n NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314\n NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314\n __netif_receive_skb_one_core net/core/dev.c:5672 [inline]\n __netif_receive_skb+0x2bf/0x650 net/core/dev.c:5785\n process_backlog+0x662/0x15b0 net/core/dev.c:6117\n __napi_poll+0xcb/0x490 net/core/dev.c:6883\n napi_poll net/core/dev.c:6952 [inline]\n net_rx_action+0x89b/0x1240 net/core/dev.c:7074\n handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:561\n __do_softirq kernel/softirq.c:595 [inline]\n invoke_softirq kernel/softirq.c:435 [inline]\n __irq_exit_rcu+0xf7/0x220 kernel/softirq.c:662\n irq_exit_rcu+0x9/0x30 kernel/softirq.c:678\n instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]\n sysvec_apic_timer_interrupt+0x57/0xc0 arch/x86/kernel/apic/apic.c:1049\n asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702\nRIP: 0033:0x7f34f4519ad5\nCode: 85 d2 74 0d 0f 10 02 48 8d 54 24 20 0f 11 44 24 20 64 8b 04 25 18 00 00 00 85 c0 75 27 41 b8 08 00 00 00 b8 0f 01 00 00 0f 05 <48> 3d 00 f0 ff ff 76 75 48 8b 15 24 73 0d 00 f7 d8 64 89 02 48 83\nRSP: 002b:00007ffec5b32ce0 EFLAGS: 00000246\nRAX: 0000000000000001 RBX: 00000000000668a0 RCX: 00007f34f4519ad5\nRDX: 00007ffec5b32d00 RSI: 0000000000000004 RDI: 0000564f4bc6cae0\nRBP: 0000564f4bc6b5a0 R08: 0000000000000008 R09: 0000000000000000\nR10: 00007ffec5b32de8 R11: 0000000000000246 R12: 0000564f48ea8aa4\nR13: 0000000000000001 R14: 0000564f48ea93e8 R15: 00007ffec5b32d68\n \n\nEric noted a probable shinfo->nr_frags corruption, which indeed\noccurs.\n\nThe root cause is a buggy MPTCP option len computation in some\ncircumstances: the ADD_ADDR option should be mutually exclusive\nwith DSS since the blamed commit.\n\nStill, mptcp_established_options_add_addr() tries to set the\nrelevant info in mptcp_out_options, if \n---truncated---",
+ "external_references": [
+ {
+ "source_name": "cve",
+ "external_id": "CVE-2024-57882"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/objects/vulnerability/vulnerability--28edc1a2-0fb3-4ce4-9c60-82c343e79e16.json b/objects/vulnerability/vulnerability--28edc1a2-0fb3-4ce4-9c60-82c343e79e16.json
new file mode 100644
index 0000000000..f1b444150a
--- /dev/null
+++ b/objects/vulnerability/vulnerability--28edc1a2-0fb3-4ce4-9c60-82c343e79e16.json
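Review bot: The `description` value of this object ends with `---truncated---`, which looks like a truncation marker carried over from the upstream source rather than advisory text, so the bundle stores a partial description while its only external reference is the bare CVE id with no `url`. The CVE-2024-57897 object in the next hunk has the same ending. A consumer of this bundle cannot tell that the text was cut, nor where to fetch the rest; either store the full text, or add a `url` entry next to `external_id` pointing at the source record and strip the marker. If the generator cannot recover the full text, stating in the repository documentation that `---truncated---` may terminate a description would at least make the field's contract explicit.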
@@ -0,0 +1,22 @@
+{
+ "type": "bundle",
+ "id": "bundle--15982c89-3469-483e-ae5e-bc7e3c10d905",
+ "objects": [
+ {
+ "type": "vulnerability",
+ "spec_version": "2.1",
+ "id": "vulnerability--28edc1a2-0fb3-4ce4-9c60-82c343e79e16",
+ "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
+ "created": "2025-01-15T14:18:03.38787Z",
+ "modified": "2025-01-15T14:18:03.38787Z",
+ "name": "CVE-2024-57897",
+ "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Correct the migration DMA map direction\n\nThe SVM DMA device map direction should be set the same as\nthe DMA unmap setting, otherwise the DMA core will report\nthe following warning.\n\nBefore finialize this solution, there're some discussion on\nthe DMA mapping type(stream-based or coherent) in this KFD\nmigration case, followed by https://lore.kernel.org/all/04d4ab32\n-45a1-4b88-86ee-fb0f35a0ca40@amd.com/T/.\n\nAs there's no dma_sync_single_for_*() in the DMA buffer accessed\nthat because this migration operation should be sync properly and\nautomatically. Give that there's might not be a performance problem\nin various cache sync policy of DMA sync. Therefore, in order to\nsimplify the DMA direction setting alignment, let's set the DMA map\ndirection as BIDIRECTIONAL.\n\n[ 150.834218] WARNING: CPU: 8 PID: 1812 at kernel/dma/debug.c:1028 check_unmap+0x1cc/0x930\n[ 150.834225] Modules linked in: amdgpu(OE) amdxcp drm_exec(OE) gpu_sched drm_buddy(OE) drm_ttm_helper(OE) ttm(OE) drm_suballoc_helper(OE) drm_display_helper(OE) drm_kms_helper(OE) i2c_algo_bit rpcsec_gss_krb5 auth_rpcgss nfsv4 nfs lockd grace netfs xt_conntrack xt_MASQUERADE nf_conntrack_netlink xfrm_user xfrm_algo iptable_nat xt_addrtype iptable_filter br_netfilter nvme_fabrics overlay nfnetlink_cttimeout nfnetlink openvswitch nsh nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c bridge stp llc sch_fq_codel intel_rapl_msr amd_atl intel_rapl_common snd_hda_codec_realtek snd_hda_codec_generic snd_hda_scodec_component snd_hda_codec_hdmi snd_hda_intel snd_intel_dspcfg edac_mce_amd snd_pci_acp6x snd_hda_codec snd_acp_config snd_hda_core snd_hwdep snd_soc_acpi kvm_amd sunrpc snd_pcm kvm binfmt_misc snd_seq_midi crct10dif_pclmul snd_seq_midi_event ghash_clmulni_intel sha512_ssse3 snd_rawmidi nls_iso8859_1 sha256_ssse3 sha1_ssse3 snd_seq aesni_intel snd_seq_device crypto_simd snd_timer cryptd input_leds\n[ 150.834310] wmi_bmof serio_raw k10temp rapl snd sp5100_tco ipmi_devintf soundcore ccp ipmi_msghandler cm32181 industrialio mac_hid msr parport_pc ppdev lp parport efi_pstore drm(OE) ip_tables x_tables pci_stub crc32_pclmul nvme ahci libahci i2c_piix4 r8169 nvme_core i2c_designware_pci realtek i2c_ccgx_ucsi video wmi hid_generic cdc_ether usbnet usbhid hid r8152 mii\n[ 150.834354] CPU: 8 PID: 1812 Comm: rocrtst64 Tainted: G OE 6.10.0-custom #492\n[ 150.834358] Hardware name: AMD Majolica-RN/Majolica-RN, BIOS RMJ1009A 06/13/2021\n[ 150.834360] RIP: 0010:check_unmap+0x1cc/0x930\n[ 150.834363] Code: c0 4c 89 4d c8 e8 34 bf 86 00 4c 8b 4d c8 4c 8b 45 c0 48 8b 4d b8 48 89 c6 41 57 4c 89 ea 48 c7 c7 80 49 b4 84 e8 b4 81 f3 ff <0f> 0b 48 c7 c7 04 83 ac 84 e8 76 ba fc ff 41 8b 76 4c 49 8d 7e 50\n[ 150.834365] RSP: 0018:ffffaac5023739e0 EFLAGS: 00010086\n[ 150.834368] RAX: 0000000000000000 RBX: ffffffff8566a2e0 RCX: 0000000000000027\n[ 150.834370] RDX: ffff8f6a8f621688 RSI: 0000000000000001 RDI: ffff8f6a8f621680\n[ 150.834372] RBP: ffffaac502373a30 R08: 00000000000000c9 R09: ffffaac502373850\n[ 150.834373] R10: ffffaac502373848 R11: ffffffff84f46328 R12: ffffaac502373a40\n[ 150.834375] R13: ffff8f6741045330 R14: ffff8f6741a77700 R15: ffffffff84ac831b\n[ 150.834377] FS: 00007faf0fc94c00(0000) GS:ffff8f6a8f600000(0000) knlGS:0000000000000000\n[ 150.834379] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 150.834381] CR2: 00007faf0b600020 CR3: 000000010a52e000 CR4: 0000000000350ef0\n[ 150.834383] Call Trace:\n[ 150.834385] \n[ 150.834387] ? show_regs+0x6d/0x80\n[ 150.834393] ? __warn+0x8c/0x140\n[ 150.834397] ? check_unmap+0x1cc/0x930\n[ 150.834400] ? report_bug+0x193/0x1a0\n[ 150.834406] ? handle_bug+0x46/0x80\n[ 150.834410] ? exc_invalid_op+0x1d/0x80\n[ 150.834413] ? asm_exc_invalid_op+0x1f/0x30\n[ 150.834420] ? check_unmap+0x1cc/0x930\n[ 150.834425] debug_dma_unmap_page+0x86/0x90\n[ 150.834431] ? srso_return_thunk+0x5/0x5f\n[ 150.834435] \n---truncated---",
+ "external_references": [
+ {
+ "source_name": "cve",
+ "external_id": "CVE-2024-57897"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/objects/vulnerability/vulnerability--381debc4-2b6f-4550-acdd-70b9fdcd33d5.json b/objects/vulnerability/vulnerability--381debc4-2b6f-4550-acdd-70b9fdcd33d5.json
new file mode 100644
index 0000000000..55317a1c21
--- /dev/null
+++ b/objects/vulnerability/vulnerability--381debc4-2b6f-4550-acdd-70b9fdcd33d5.json
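Review bot: `created` and `modified` in this object are `2025-01-15T14:18:03.38787Z`, five fractional digits, while the other objects in the commit carry six (for example `.350793Z`); the CVE-2024-39282 object in the next hunk shows the same shape with `.69227Z`. Variable sub-second width is still a valid STIX 2.1 timestamp, but the dropped trailing zero suggests the generator renders the instant from a float and strips zeros, so two objects created in the same run do not share one canonical representation. Emitting the timestamp at a fixed six-digit sub-second width would keep the field byte-comparable across objects and across re-runs of the generator.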
@@ -0,0 +1,22 @@
+{
+ "type": "bundle",
+ "id": "bundle--78453392-8070-4884-823d-2daab4b5fe81",
+ "objects": [
+ {
+ "type": "vulnerability",
+ "spec_version": "2.1",
+ "id": "vulnerability--381debc4-2b6f-4550-acdd-70b9fdcd33d5",
+ "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
+ "created": "2025-01-15T14:18:03.69227Z",
+ "modified": "2025-01-15T14:18:03.69227Z",
+ "name": "CVE-2024-39282",
+ "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: wwan: t7xx: Fix FSM command timeout issue\n\nWhen driver processes the internal state change command, it use an\nasynchronous thread to process the command operation. If the main\nthread detects that the task has timed out, the asynchronous thread\nwill panic when executing the completion notification because the\nmain thread completion object has been released.\n\nBUG: unable to handle page fault for address: fffffffffffffff8\nPGD 1f283a067 P4D 1f283a067 PUD 1f283c067 PMD 0\nOops: 0000 [#1] PREEMPT SMP NOPTI\nRIP: 0010:complete_all+0x3e/0xa0\n[...]\nCall Trace:\n \n ? __die_body+0x68/0xb0\n ? page_fault_oops+0x379/0x3e0\n ? exc_page_fault+0x69/0xa0\n ? asm_exc_page_fault+0x22/0x30\n ? complete_all+0x3e/0xa0\n fsm_main_thread+0xa3/0x9c0 [mtk_t7xx (HASH:1400 5)]\n ? __pfx_autoremove_wake_function+0x10/0x10\n kthread+0xd8/0x110\n ? __pfx_fsm_main_thread+0x10/0x10 [mtk_t7xx (HASH:1400 5)]\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x38/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n \n[...]\nCR2: fffffffffffffff8\n---[ end trace 0000000000000000 ]---\n\nUse the reference counter to ensure safe release as Sergey suggests:\nhttps://lore.kernel.org/all/da90f64c-260a-4329-87bf-1f9ff20a5951@gmail.com/",
+ "external_references": [
+ {
+ "source_name": "cve",
+ "external_id": "CVE-2024-39282"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/objects/vulnerability/vulnerability--3c82ecaa-5ad5-4074-9f34-c5731619d038.json b/objects/vulnerability/vulnerability--3c82ecaa-5ad5-4074-9f34-c5731619d038.json
new file mode 100644
index 0000000000..b7d756b4cd
--- /dev/null
+++ b/objects/vulnerability/vulnerability--3c82ecaa-5ad5-4074-9f34-c5731619d038.json
@@ -0,0 +1,22 @@
+{
+ "type": "bundle",
+ "id": "bundle--71ed1dd1-5985-4b56-9a2b-8b204f5d6db5",
+ "objects": [
+ {
+ "type": "vulnerability",
+ "spec_version": "2.1",
+ "id": "vulnerability--3c82ecaa-5ad5-4074-9f34-c5731619d038",
+ "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
+ "created": "2025-01-15T14:18:03.393052Z",
+ "modified": "2025-01-15T14:18:03.393052Z",
+ "name": "CVE-2024-57895",
+ "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: set ATTR_CTIME flags when setting mtime\n\nDavid reported that the new warning from setattr_copy_mgtime is coming\nlike the following.\n\n[ 113.215316] ------------[ cut here ]------------\n[ 113.215974] WARNING: CPU: 1 PID: 31 at fs/attr.c:300 setattr_copy+0x1ee/0x200\n[ 113.219192] CPU: 1 UID: 0 PID: 31 Comm: kworker/1:1 Not tainted 6.13.0-rc1+ #234\n[ 113.220127] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014\n[ 113.221530] Workqueue: ksmbd-io handle_ksmbd_work [ksmbd]\n[ 113.222220] RIP: 0010:setattr_copy+0x1ee/0x200\n[ 113.222833] Code: 24 28 49 8b 44 24 30 48 89 53 58 89 43 6c 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 48 89 df e8 77 d6 ff ff e9 cd fe ff ff <0f> 0b e9 be fe ff ff 66 0\n[ 113.225110] RSP: 0018:ffffaf218010fb68 EFLAGS: 00010202\n[ 113.225765] RAX: 0000000000000120 RBX: ffffa446815f8568 RCX: 0000000000000003\n[ 113.226667] RDX: ffffaf218010fd38 RSI: ffffa446815f8568 RDI: ffffffff94eb03a0\n[ 113.227531] RBP: ffffaf218010fb90 R08: 0000001a251e217d R09: 00000000675259fa\n[ 113.228426] R10: 0000000002ba8a6d R11: ffffa4468196c7a8 R12: ffffaf218010fd38\n[ 113.229304] R13: 0000000000000120 R14: ffffffff94eb03a0 R15: 0000000000000000\n[ 113.230210] FS: 0000000000000000(0000) GS:ffffa44739d00000(0000) knlGS:0000000000000000\n[ 113.231215] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 113.232055] CR2: 00007efe0053d27e CR3: 000000000331a000 CR4: 00000000000006b0\n[ 113.232926] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 113.233812] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 113.234797] Call Trace:\n[ 113.235116] \n[ 113.235393] ? __warn+0x73/0xd0\n[ 113.235802] ? setattr_copy+0x1ee/0x200\n[ 113.236299] ? report_bug+0xf3/0x1e0\n[ 113.236757] ? handle_bug+0x4d/0x90\n[ 113.237202] ? exc_invalid_op+0x13/0x60\n[ 113.237689] ? asm_exc_invalid_op+0x16/0x20\n[ 113.238185] ? setattr_copy+0x1ee/0x200\n[ 113.238692] btrfs_setattr+0x80/0x820 [btrfs]\n[ 113.239285] ? get_stack_info_noinstr+0x12/0xf0\n[ 113.239857] ? __module_address+0x22/0xa0\n[ 113.240368] ? handle_ksmbd_work+0x6e/0x460 [ksmbd]\n[ 113.240993] ? __module_text_address+0x9/0x50\n[ 113.241545] ? __module_address+0x22/0xa0\n[ 113.242033] ? unwind_next_frame+0x10e/0x920\n[ 113.242600] ? __pfx_stack_trace_consume_entry+0x10/0x10\n[ 113.243268] notify_change+0x2c2/0x4e0\n[ 113.243746] ? stack_depot_save_flags+0x27/0x730\n[ 113.244339] ? set_file_basic_info+0x130/0x2b0 [ksmbd]\n[ 113.244993] set_file_basic_info+0x130/0x2b0 [ksmbd]\n[ 113.245613] ? process_scheduled_works+0xbe/0x310\n[ 113.246181] ? worker_thread+0x100/0x240\n[ 113.246696] ? kthread+0xc8/0x100\n[ 113.247126] ? ret_from_fork+0x2b/0x40\n[ 113.247606] ? ret_from_fork_asm+0x1a/0x30\n[ 113.248132] smb2_set_info+0x63f/0xa70 [ksmbd]\n\nksmbd is trying to set the atime and mtime via notify_change without also\nsetting the ctime. so This patch add ATTR_CTIME flags when setting mtime\nto avoid a warning.",
+ "external_references": [
+ {
+ "source_name": "cve",
+ "external_id": "CVE-2024-57895"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/objects/vulnerability/vulnerability--41a93a26-7e1a-4537-a477-dadacc5c9f9f.json b/objects/vulnerability/vulnerability--41a93a26-7e1a-4537-a477-dadacc5c9f9f.json
new file mode 100644
index 0000000000..c3ce88b12e
--- /dev/null
+++ b/objects/vulnerability/vulnerability--41a93a26-7e1a-4537-a477-dadacc5c9f9f.json
@@ -0,0 +1,22 @@
+{
+ "type": "bundle",
+ "id": "bundle--e06c18f4-f614-4883-b32e-df35d7817de9",
+ "objects": [
+ {
+ "type": "vulnerability",
+ "spec_version": "2.1",
+ "id": "vulnerability--41a93a26-7e1a-4537-a477-dadacc5c9f9f",
+ "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
+ "created": "2025-01-15T14:18:03.382283Z",
+ "modified": "2025-01-15T14:18:03.382283Z",
+ "name": "CVE-2024-57844",
+ "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Fix fault on fd close after unbind\n\nIf userspace holds an fd open, unbinds the device and then closes it,\nthe driver shouldn't try to access the hardware. Protect it by using\ndrm_dev_enter()/drm_dev_exit(). This fixes the following page fault:\n\n<6> [IGT] xe_wedged: exiting, ret=98\n<1> BUG: unable to handle page fault for address: ffffc901bc5e508c\n<1> #PF: supervisor read access in kernel mode\n<1> #PF: error_code(0x0000) - not-present page\n...\n<4> xe_lrc_update_timestamp+0x1c/0xd0 [xe]\n<4> xe_exec_queue_update_run_ticks+0x50/0xb0 [xe]\n<4> xe_exec_queue_fini+0x16/0xb0 [xe]\n<4> __guc_exec_queue_fini_async+0xc4/0x190 [xe]\n<4> guc_exec_queue_fini_async+0xa0/0xe0 [xe]\n<4> guc_exec_queue_fini+0x23/0x40 [xe]\n<4> xe_exec_queue_destroy+0xb3/0xf0 [xe]\n<4> xe_file_close+0xd4/0x1a0 [xe]\n<4> drm_file_free+0x210/0x280 [drm]\n<4> drm_close_helper.isra.0+0x6d/0x80 [drm]\n<4> drm_release_noglobal+0x20/0x90 [drm]\n\n(cherry picked from commit 4ca1fd418338d4d135428a0eb1e16e3b3ce17ee8)",
+ "external_references": [
+ {
+ "source_name": "cve",
+ "external_id": "CVE-2024-57844"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/objects/vulnerability/vulnerability--4afabc82-3769-42bc-900b-2d0b8ac41706.json b/objects/vulnerability/vulnerability--4afabc82-3769-42bc-900b-2d0b8ac41706.json
new file mode 100644
index 0000000000..2d32efaa3b
--- /dev/null
+++ b/objects/vulnerability/vulnerability--4afabc82-3769-42bc-900b-2d0b8ac41706.json
@@ -0,0 +1,22 @@
+{
+ "type": "bundle",
+ "id": "bundle--b70a9c63-762c-431e-9265-021d7e10b94e",
+ "objects": [
+ {
+ "type": "vulnerability",
+ "spec_version": "2.1",
+ "id": "vulnerability--4afabc82-3769-42bc-900b-2d0b8ac41706",
+ "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
+ "created": "2025-01-15T14:18:03.366944Z",
+ "modified": "2025-01-15T14:18:03.366944Z",
+ "name": "CVE-2024-57891",
+ "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched_ext: Fix invalid irq restore in scx_ops_bypass()\n\nWhile adding outer irqsave/restore locking, 0e7ffff1b811 (\"scx: Fix raciness\nin scx_ops_bypass()\") forgot to convert an inner rq_unlock_irqrestore() to\nrq_unlock() which could re-enable IRQ prematurely leading to the following\nwarning:\n\n raw_local_irq_restore() called with IRQs enabled\n WARNING: CPU: 1 PID: 96 at kernel/locking/irqflag-debug.c:10 warn_bogus_irq_restore+0x30/0x40\n ...\n Sched_ext: create_dsq (enabling)\n pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : warn_bogus_irq_restore+0x30/0x40\n lr : warn_bogus_irq_restore+0x30/0x40\n ...\n Call trace:\n warn_bogus_irq_restore+0x30/0x40 (P)\n warn_bogus_irq_restore+0x30/0x40 (L)\n scx_ops_bypass+0x224/0x3b8\n scx_ops_enable.isra.0+0x2c8/0xaa8\n bpf_scx_reg+0x18/0x30\n ...\n irq event stamp: 33739\n hardirqs last enabled at (33739): [] scx_ops_bypass+0x174/0x3b8\n hardirqs last disabled at (33738): [] _raw_spin_lock_irqsave+0xb4/0xd8\n\nDrop the stray _irqrestore().",
+ "external_references": [
+ {
+ "source_name": "cve",
+ "external_id": "CVE-2024-57891"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/objects/vulnerability/vulnerability--4c7f5bd9-3c09-494d-8493-6783c7831daa.json b/objects/vulnerability/vulnerability--4c7f5bd9-3c09-494d-8493-6783c7831daa.json
new file mode 100644
index 0000000000..eee0ab4b3f
--- /dev/null
+++ b/objects/vulnerability/vulnerability--4c7f5bd9-3c09-494d-8493-6783c7831daa.json
@@ -0,0 +1,22 @@
+{
+ "type": "bundle",
+ "id": "bundle--7645ac25-a59b-461a-a00e-6a4247cedb0c",
+ "objects": [
+ {
+ "type": "vulnerability",
+ "spec_version": "2.1",
+ "id": "vulnerability--4c7f5bd9-3c09-494d-8493-6783c7831daa",
+ "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
+ "created": "2025-01-15T14:18:03.357769Z",
+ "modified": "2025-01-15T14:18:03.357769Z",
+ "name": "CVE-2024-57899",
+ "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix mbss changed flags corruption on 32 bit systems\n\nOn 32-bit systems, the size of an unsigned long is 4 bytes,\nwhile a u64 is 8 bytes. Therefore, when using\nor_each_set_bit(bit, &bits, sizeof(changed) * BITS_PER_BYTE),\nthe code is incorrectly searching for a bit in a 32-bit\nvariable that is expected to be 64 bits in size,\nleading to incorrect bit finding.\n\nSolution: Ensure that the size of the bits variable is correctly\nadjusted for each architecture.\n\n Call Trace:\n ? show_regs+0x54/0x58\n ? __warn+0x6b/0xd4\n ? ieee80211_link_info_change_notify+0xcc/0xd4 [mac80211]\n ? report_bug+0x113/0x150\n ? exc_overflow+0x30/0x30\n ? handle_bug+0x27/0x44\n ? exc_invalid_op+0x18/0x50\n ? handle_exception+0xf6/0xf6\n ? exc_overflow+0x30/0x30\n ? ieee80211_link_info_change_notify+0xcc/0xd4 [mac80211]\n ? exc_overflow+0x30/0x30\n ? ieee80211_link_info_change_notify+0xcc/0xd4 [mac80211]\n ? ieee80211_mesh_work+0xff/0x260 [mac80211]\n ? cfg80211_wiphy_work+0x72/0x98 [cfg80211]\n ? process_one_work+0xf1/0x1fc\n ? worker_thread+0x2c0/0x3b4\n ? kthread+0xc7/0xf0\n ? mod_delayed_work_on+0x4c/0x4c\n ? kthread_complete_and_exit+0x14/0x14\n ? ret_from_fork+0x24/0x38\n ? kthread_complete_and_exit+0x14/0x14\n ? ret_from_fork_asm+0xf/0x14\n ? entry_INT80_32+0xf0/0xf0\n\n[restore no-op path for no changes]",
+ "external_references": [
+ {
+ "source_name": "cve",
+ "external_id": "CVE-2024-57899"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/objects/vulnerability/vulnerability--6182343a-f7ff-4d38-88f6-a681e1dff677.json b/objects/vulnerability/vulnerability--6182343a-f7ff-4d38-88f6-a681e1dff677.json
new file mode 100644
index 0000000000..bb5f16c597
--- /dev/null
+++ b/objects/vulnerability/vulnerability--6182343a-f7ff-4d38-88f6-a681e1dff677.json
@@ -0,0 +1,22 @@
+{
+ "type": "bundle",
+ "id": "bundle--a3fbf5d4-eda9-4f44-89a4-a962211d7767",
+ "objects": [
+ {
+ "type": "vulnerability",
+ "spec_version": "2.1",
+ "id": "vulnerability--6182343a-f7ff-4d38-88f6-a681e1dff677",
+ "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
+ "created": "2025-01-15T14:18:03.401436Z",
+ "modified": "2025-01-15T14:18:03.401436Z",
+ "name": "CVE-2024-57889",
+ "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking\n\nIf a device uses MCP23xxx IO expander to receive IRQs, the following\nbug can happen:\n\n BUG: sleeping function called from invalid context\n at kernel/locking/mutex.c:283\n in_atomic(): 1, irqs_disabled(): 1, non_block: 0, ...\n preempt_count: 1, expected: 0\n ...\n Call Trace:\n ...\n __might_resched+0x104/0x10e\n __might_sleep+0x3e/0x62\n mutex_lock+0x20/0x4c\n regmap_lock_mutex+0x10/0x18\n regmap_update_bits_base+0x2c/0x66\n mcp23s08_irq_set_type+0x1ae/0x1d6\n __irq_set_trigger+0x56/0x172\n __setup_irq+0x1e6/0x646\n request_threaded_irq+0xb6/0x160\n ...\n\nWe observed the problem while experimenting with a touchscreen driver which\nused MCP23017 IO expander (I2C).\n\nThe regmap in the pinctrl-mcp23s08 driver uses a mutex for protection from\nconcurrent accesses, which is the default for regmaps without .fast_io,\n.disable_locking, etc.\n\nmcp23s08_irq_set_type() calls regmap_update_bits_base(), and the latter\nlocks the mutex.\n\nHowever, __setup_irq() locks desc->lock spinlock before calling these\nfunctions. As a result, the system tries to lock the mutex whole holding\nthe spinlock.\n\nIt seems, the internal regmap locks are not needed in this driver at all.\nmcp->lock seems to protect the regmap from concurrent accesses already,\nexcept, probably, in mcp_pinconf_get/set.\n\nmcp23s08_irq_set_type() and mcp23s08_irq_mask/unmask() are called under\nchip_bus_lock(), which calls mcp23s08_irq_bus_lock(). The latter takes\nmcp->lock and enables regmap caching, so that the potentially slow I2C\naccesses are deferred until chip_bus_unlock().\n\nThe accesses to the regmap from mcp23s08_probe_one() do not need additional\nlocking.\n\nIn all remaining places where the regmap is accessed, except\nmcp_pinconf_get/set(), the driver already takes mcp->lock.\n\nThis patch adds locking in mcp_pinconf_get/set() and disables internal\nlocking in the regmap config. Among other things, it fixes the sleeping\nin atomic context described above.",
+ "external_references": [
+ {
+ "source_name": "cve",
+ "external_id": "CVE-2024-57889"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/objects/vulnerability/vulnerability--6b9291b6-6967-4f71-acbf-e0cee1cc28ae.json b/objects/vulnerability/vulnerability--6b9291b6-6967-4f71-acbf-e0cee1cc28ae.json
new file mode 100644
index 0000000000..9c21dc7891
--- /dev/null
+++ b/objects/vulnerability/vulnerability--6b9291b6-6967-4f71-acbf-e0cee1cc28ae.json
@@ -0,0 +1,22 @@
+{
+ "type": "bundle",
+ "id": "bundle--c1e93b48-bb3e-42ee-a917-395fa2dc8a0d",
+ "objects": [
+ {
+ "type": "vulnerability",
+ "spec_version": "2.1",
+ "id": "vulnerability--6b9291b6-6967-4f71-acbf-e0cee1cc28ae",
+ "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
+ "created": "2025-01-15T14:18:03.373035Z",
+ "modified": "2025-01-15T14:18:03.373035Z",
+ "name": "CVE-2024-57900",
+ "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nila: serialize calls to nf_register_net_hooks()\n\nsyzbot found a race in ila_add_mapping() [1]\n\ncommit 031ae72825ce (\"ila: call nf_unregister_net_hooks() sooner\")\nattempted to fix a similar issue.\n\nLooking at the syzbot repro, we have concurrent ILA_CMD_ADD commands.\n\nAdd a mutex to make sure at most one thread is calling nf_register_net_hooks().\n\n[1]\n BUG: KASAN: slab-use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline]\n BUG: KASAN: slab-use-after-free in __rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604\nRead of size 4 at addr ffff888028f40008 by task dhcpcd/5501\n\nCPU: 1 UID: 0 PID: 5501 Comm: dhcpcd Not tainted 6.13.0-rc4-syzkaller-00054-gd6ef8b40d075 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nCall Trace:\n \n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xc3/0x620 mm/kasan/report.c:489\n kasan_report+0xd9/0x110 mm/kasan/report.c:602\n rht_key_hashfn include/linux/rhashtable.h:159 [inline]\n __rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604\n rhashtable_lookup include/linux/rhashtable.h:646 [inline]\n rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]\n ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:127 [inline]\n ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [inline]\n ila_nf_input+0x1ee/0x620 net/ipv6/ila/ila_xlat.c:185\n nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]\n nf_hook_slow+0xbb/0x200 net/netfilter/core.c:626\n nf_hook.constprop.0+0x42e/0x750 include/linux/netfilter.h:269\n NF_HOOK include/linux/netfilter.h:312 [inline]\n ipv6_rcv+0xa4/0x680 net/ipv6/ip6_input.c:309\n __netif_receive_skb_one_core+0x12e/0x1e0 net/core/dev.c:5672\n __netif_receive_skb+0x1d/0x160 net/core/dev.c:5785\n process_backlog+0x443/0x15f0 net/core/dev.c:6117\n __napi_poll.constprop.0+0xb7/0x550 net/core/dev.c:6883\n napi_poll net/core/dev.c:6952 [inline]\n net_rx_action+0xa94/0x1010 net/core/dev.c:7074\n handle_softirqs+0x213/0x8f0 kernel/softirq.c:561\n __do_softirq kernel/softirq.c:595 [inline]\n invoke_softirq kernel/softirq.c:435 [inline]\n __irq_exit_rcu+0x109/0x170 kernel/softirq.c:662\n irq_exit_rcu+0x9/0x30 kernel/softirq.c:678\n instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]\n sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1049",
+ "external_references": [
+ {
+ "source_name": "cve",
+ "external_id": "CVE-2024-57900"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/objects/vulnerability/vulnerability--759892ba-a89b-4bd3-a8b4-06c05284353c.json b/objects/vulnerability/vulnerability--759892ba-a89b-4bd3-a8b4-06c05284353c.json
new file mode 100644
index 0000000000..16d7236da0
--- /dev/null
+++ b/objects/vulnerability/vulnerability--759892ba-a89b-4bd3-a8b4-06c05284353c.json
@@ -0,0 +1,22 @@
+{
+ "type": "bundle",
+ "id": "bundle--3699b406-b0a4-4f38-bd26-3e046dbf3302",
+ "objects": [
+ {
+ "type": "vulnerability",
+ "spec_version": "2.1",
+ "id": "vulnerability--759892ba-a89b-4bd3-a8b4-06c05284353c",
+ "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
+ "created": "2025-01-15T14:18:08.854602Z",
+ "modified": "2025-01-15T14:18:08.854602Z",
+ "name": "CVE-2025-21629",
+ "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: reenable NETIF_F_IPV6_CSUM offload for BIG TCP packets\n\nThe blamed commit disabled hardware offoad of IPv6 packets with\nextension headers on devices that advertise NETIF_F_IPV6_CSUM,\nbased on the definition of that feature in skbuff.h:\n\n * * - %NETIF_F_IPV6_CSUM\n * - Driver (device) is only able to checksum plain\n * TCP or UDP packets over IPv6. These are specifically\n * unencapsulated packets of the form IPv6|TCP or\n * IPv6|UDP where the Next Header field in the IPv6\n * header is either TCP or UDP. IPv6 extension headers\n * are not supported with this feature. This feature\n * cannot be set in features for a device with\n * NETIF_F_HW_CSUM also set. This feature is being\n * DEPRECATED (see below).\n\nThe change causes skb_warn_bad_offload to fire for BIG TCP\npackets.\n\n[ 496.310233] WARNING: CPU: 13 PID: 23472 at net/core/dev.c:3129 skb_warn_bad_offload+0xc4/0xe0\n\n[ 496.310297] ? skb_warn_bad_offload+0xc4/0xe0\n[ 496.310300] skb_checksum_help+0x129/0x1f0\n[ 496.310303] skb_csum_hwoffload_help+0x150/0x1b0\n[ 496.310306] validate_xmit_skb+0x159/0x270\n[ 496.310309] validate_xmit_skb_list+0x41/0x70\n[ 496.310312] sch_direct_xmit+0x5c/0x250\n[ 496.310317] __qdisc_run+0x388/0x620\n\nBIG TCP introduced an IPV6_TLV_JUMBO IPv6 extension header to\ncommunicate packet length, as this is an IPv6 jumbogram. But, the\nfeature is only enabled on devices that support BIG TCP TSO. The\nheader is only present for PF_PACKET taps like tcpdump, and not\ntransmitted by physical devices.\n\nFor this specific case of extension headers that are not\ntransmitted, return to the situation before the blamed commit\nand support hardware offload.\n\nipv6_has_hopopt_jumbo() tests not only whether this header is present,\nbut also that it is the only extension header before a terminal (L4)\nheader.",
+ "external_references": [
+ {
+ "source_name": "cve",
+ "external_id": "CVE-2025-21629"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/objects/vulnerability/vulnerability--914b378a-c346-4d51-b5bb-95eafc5f6dcd.json b/objects/vulnerability/vulnerability--914b378a-c346-4d51-b5bb-95eafc5f6dcd.json
new file mode 100644
index 0000000000..79568fa7a0
--- /dev/null
+++ b/objects/vulnerability/vulnerability--914b378a-c346-4d51-b5bb-95eafc5f6dcd.json
@@ -0,0 +1,22 @@
+{
+ "type": "bundle",
+ "id": "bundle--c471c4a9-a348-495c-924b-94cab61e02bf",
+ "objects": [
+ {
+ "type": "vulnerability",
+ "spec_version": "2.1",
+ "id": "vulnerability--914b378a-c346-4d51-b5bb-95eafc5f6dcd",
+ "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
+ "created": "2025-01-15T14:18:03.375464Z",
+ "modified": "2025-01-15T14:18:03.375464Z",
+ "name": "CVE-2024-57898",
+ "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: clear link ID from bitmap during link delete after clean up\n\nCurrently, during link deletion, the link ID is first removed from the\nvalid_links bitmap before performing any clean-up operations. However, some\nfunctions require the link ID to remain in the valid_links bitmap. One\nsuch example is cfg80211_cac_event(). The flow is -\n\nnl80211_remove_link()\n cfg80211_remove_link()\n ieee80211_del_intf_link()\n ieee80211_vif_set_links()\n ieee80211_vif_update_links()\n ieee80211_link_stop()\n cfg80211_cac_event()\n\ncfg80211_cac_event() requires link ID to be present but it is cleared\nalready in cfg80211_remove_link(). Ultimately, WARN_ON() is hit.\n\nTherefore, clear the link ID from the bitmap only after completing the link\nclean-up.",
+ "external_references": [
+ {
+ "source_name": "cve",
+ "external_id": "CVE-2024-57898"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/objects/vulnerability/vulnerability--950ec7ff-9ec9-49a2-82f2-721cb7cb2662.json b/objects/vulnerability/vulnerability--950ec7ff-9ec9-49a2-82f2-721cb7cb2662.json
new file mode 100644
index 0000000000..3fc8c82662
--- /dev/null
+++ b/objects/vulnerability/vulnerability--950ec7ff-9ec9-49a2-82f2-721cb7cb2662.json
@@ -0,0 +1,22 @@
+{
+ "type": "bundle",
+ "id": "bundle--96da5039-cdb8-4d98-939a-acc8b67065c6",
+ "objects": [
+ {
+ "type": "vulnerability",
+ "spec_version": "2.1",
+ "id": "vulnerability--950ec7ff-9ec9-49a2-82f2-721cb7cb2662",
+ "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
+ "created": "2025-01-15T14:18:08.872145Z",
+ "modified": "2025-01-15T14:18:08.872145Z",
+ "name": "CVE-2025-21630",
+ "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/net: always initialize kmsg->msg.msg_inq upfront\n\nsyzbot reports that ->msg_inq may get used uinitialized from the\nfollowing path:\n\nBUG: KMSAN: uninit-value in io_recv_buf_select io_uring/net.c:1094 [inline]\nBUG: KMSAN: uninit-value in io_recv+0x930/0x1f90 io_uring/net.c:1158\n io_recv_buf_select io_uring/net.c:1094 [inline]\n io_recv+0x930/0x1f90 io_uring/net.c:1158\n io_issue_sqe+0x420/0x2130 io_uring/io_uring.c:1740\n io_queue_sqe io_uring/io_uring.c:1950 [inline]\n io_req_task_submit+0xfa/0x1d0 io_uring/io_uring.c:1374\n io_handle_tw_list+0x55f/0x5c0 io_uring/io_uring.c:1057\n tctx_task_work_run+0x109/0x3e0 io_uring/io_uring.c:1121\n tctx_task_work+0x6d/0xc0 io_uring/io_uring.c:1139\n task_work_run+0x268/0x310 kernel/task_work.c:239\n io_run_task_work+0x43a/0x4a0 io_uring/io_uring.h:343\n io_cqring_wait io_uring/io_uring.c:2527 [inline]\n __do_sys_io_uring_enter io_uring/io_uring.c:3439 [inline]\n __se_sys_io_uring_enter+0x204f/0x4ce0 io_uring/io_uring.c:3330\n __x64_sys_io_uring_enter+0x11f/0x1a0 io_uring/io_uring.c:3330\n x64_sys_call+0xce5/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:427\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nand it is correct, as it's never initialized upfront. Hence the first\nsubmission can end up using it uninitialized, if the recv wasn't\nsuccessful and the networking stack didn't honor ->msg_get_inq being set\nand filling in the output value of ->msg_inq as requested.\n\nSet it to 0 upfront when it's allocated, just to silence this KMSAN\nwarning. There's no side effect of using it uninitialized, it'll just\npotentially cause the next receive to use a recv value hint that's not\naccurate.",
+ "external_references": [
+ {
+ "source_name": "cve",
+ "external_id": "CVE-2025-21630"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/objects/vulnerability/vulnerability--96f2cabf-15ad-4666-92bb-0a6b89f39642.json b/objects/vulnerability/vulnerability--96f2cabf-15ad-4666-92bb-0a6b89f39642.json
new file mode 100644
index 0000000000..b376ff7d18
--- /dev/null
+++ b/objects/vulnerability/vulnerability--96f2cabf-15ad-4666-92bb-0a6b89f39642.json
@@ -0,0 +1,22 @@
+{
+ "type": "bundle",
+ "id": "bundle--a642010f-dc02-4892-b731-e23f08405896",
+ "objects": [
+ {
+ "type": "vulnerability",
+ "spec_version": "2.1",
+ "id": "vulnerability--96f2cabf-15ad-4666-92bb-0a6b89f39642",
+ "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
+ "created": "2025-01-15T14:18:03.354857Z",
+ "modified": "2025-01-15T14:18:03.354857Z",
+ "name": "CVE-2024-57893",
+ "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: seq: oss: Fix races at processing SysEx messages\n\nOSS sequencer handles the SysEx messages split in 6 bytes packets, and\nALSA sequencer OSS layer tries to combine those. It stores the data\nin the internal buffer and this access is racy as of now, which may\nlead to the out-of-bounds access.\n\nAs a temporary band-aid fix, introduce a mutex for serializing the\nprocess of the SysEx message packets.",
+ "external_references": [
+ {
+ "source_name": "cve",
+ "external_id": "CVE-2024-57893"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/objects/vulnerability/vulnerability--9957be47-47fa-44df-a649-976dde912e82.json b/objects/vulnerability/vulnerability--9957be47-47fa-44df-a649-976dde912e82.json
new file mode 100644
index 0000000000..069b602810
--- /dev/null
+++ b/objects/vulnerability/vulnerability--9957be47-47fa-44df-a649-976dde912e82.json
@@ -0,0 +1,22 @@
+{
+ "type": "bundle",
+ "id": "bundle--15d190fe-eca2-42d3-aa9b-91a5fc306abf",
+ "objects": [
+ {
+ "type": "vulnerability",
+ "spec_version": "2.1",
+ "id": "vulnerability--9957be47-47fa-44df-a649-976dde912e82",
+ "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
+ "created": "2025-01-15T14:18:03.397104Z",
+ "modified": "2025-01-15T14:18:03.397104Z",
+ "name": "CVE-2024-57892",
+ "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix slab-use-after-free due to dangling pointer dqi_priv\n\nWhen mounting ocfs2 and then remounting it as read-only, a\nslab-use-after-free occurs after the user uses a syscall to\nquota_getnextquota. Specifically, sb_dqinfo(sb, type)->dqi_priv is the\ndangling pointer.\n\nDuring the remounting process, the pointer dqi_priv is freed but is never\nset as null leaving it to be accessed. Additionally, the read-only option\nfor remounting sets the DQUOT_SUSPENDED flag instead of setting the\nDQUOT_USAGE_ENABLED flags. Moreover, later in the process of getting the\nnext quota, the function ocfs2_get_next_id is called and only checks the\nquota usage flags and not the quota suspended flags.\n\nTo fix this, I set dqi_priv to null when it is freed after remounting with\nread-only and put a check for DQUOT_SUSPENDED in ocfs2_get_next_id.\n\n[akpm@linux-foundation.org: coding-style cleanups]",
+ "external_references": [
+ {
+ "source_name": "cve",
+ "external_id": "CVE-2024-57892"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/objects/vulnerability/vulnerability--a4dd5c85-a6e8-43f3-bdea-a9bd2f5e2593.json b/objects/vulnerability/vulnerability--a4dd5c85-a6e8-43f3-bdea-a9bd2f5e2593.json
new file mode 100644
index 0000000000..d7d823dc89
--- /dev/null
+++ b/objects/vulnerability/vulnerability--a4dd5c85-a6e8-43f3-bdea-a9bd2f5e2593.json
@@ -0,0 +1,22 @@
+{
+ "type": "bundle",
+ "id": "bundle--18fce227-4bc7-4e39-8aec-6dc45b452ac7",
+ "objects": [
+ {
+ "type": "vulnerability",
+ "spec_version": "2.1",
+ "id": "vulnerability--a4dd5c85-a6e8-43f3-bdea-a9bd2f5e2593",
+ "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
+ "created": "2025-01-15T14:18:03.406501Z",
+ "modified": "2025-01-15T14:18:03.406501Z",
+ "name": "CVE-2024-53681",
+ "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: Don't overflow subsysnqn\n\nnvmet_root_discovery_nqn_store treats the subsysnqn string like a fixed\nsize buffer, even though it is dynamically allocated to the size of the\nstring.\n\nCreate a new string with kstrndup instead of using the old buffer.",
+ "external_references": [
+ {
+ "source_name": "cve",
+ "external_id": "CVE-2024-53681"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/objects/vulnerability/vulnerability--abf35f53-1a43-444c-9672-c373fe8a0107.json b/objects/vulnerability/vulnerability--abf35f53-1a43-444c-9672-c373fe8a0107.json
new file mode 100644
index 0000000000..5ba907e932
--- /dev/null
+++ b/objects/vulnerability/vulnerability--abf35f53-1a43-444c-9672-c373fe8a0107.json
@@ -0,0 +1,22 @@
+{
+ "type": "bundle",
+ "id": "bundle--c836a785-697a-431b-967c-63605b0dd093",
+ "objects": [
+ {
+ "type": "vulnerability",
+ "spec_version": "2.1",
+ "id": "vulnerability--abf35f53-1a43-444c-9672-c373fe8a0107",
+ "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
+ "created": "2025-01-15T14:18:04.604235Z",
+ "modified": "2025-01-15T14:18:04.604235Z",
+ "name": "CVE-2024-36476",
+ "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rtrs: Ensure 'ib_sge list' is accessible\n\nMove the declaration of the 'ib_sge list' variable outside the\n'always_invalidate' block to ensure it remains accessible for use\nthroughout the function.\n\nPreviously, 'ib_sge list' was declared within the 'always_invalidate'\nblock, limiting its accessibility, then caused a\n'BUG: kernel NULL pointer dereference'[1].\n ? __die_body.cold+0x19/0x27\n ? page_fault_oops+0x15a/0x2d0\n ? search_module_extables+0x19/0x60\n ? search_bpf_extables+0x5f/0x80\n ? exc_page_fault+0x7e/0x180\n ? asm_exc_page_fault+0x26/0x30\n ? memcpy_orig+0xd5/0x140\n rxe_mr_copy+0x1c3/0x200 [rdma_rxe]\n ? rxe_pool_get_index+0x4b/0x80 [rdma_rxe]\n copy_data+0xa5/0x230 [rdma_rxe]\n rxe_requester+0xd9b/0xf70 [rdma_rxe]\n ? finish_task_switch.isra.0+0x99/0x2e0\n rxe_sender+0x13/0x40 [rdma_rxe]\n do_task+0x68/0x1e0 [rdma_rxe]\n process_one_work+0x177/0x330\n worker_thread+0x252/0x390\n ? __pfx_worker_thread+0x10/0x10\n\nThis change ensures the variable is available for subsequent operations\nthat require it.\n\n[1] https://lore.kernel.org/linux-rdma/6a1f3e8f-deb0-49f9-bc69-a9b03ecfcda7@fujitsu.com/",
+ "external_references": [
+ {
+ "source_name": "cve",
+ "external_id": "CVE-2024-36476"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/objects/vulnerability/vulnerability--ac6e4bae-4359-4116-8737-65464b40c802.json b/objects/vulnerability/vulnerability--ac6e4bae-4359-4116-8737-65464b40c802.json
new file mode 100644
index 0000000000..0c18328dab
--- /dev/null
+++ b/objects/vulnerability/vulnerability--ac6e4bae-4359-4116-8737-65464b40c802.json
@@ -0,0 +1,22 @@ +{ + "type": "bundle", + "id": "bundle--a8defcc6-bdc6-4a2d-a6ed-7383db51e961", + "objects": [ + { + "type": "vulnerability", + "spec_version": "2.1", + "id": "vulnerability--ac6e4bae-4359-4116-8737-65464b40c802", + "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a", + "created": "2025-01-15T14:18:03.371664Z", + "modified": "2025-01-15T14:18:03.371664Z", + "name": "CVE-2024-57888", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nworkqueue: Do not warn when cancelling WQ_MEM_RECLAIM work from !WQ_MEM_RECLAIM worker\n\nAfter commit\n746ae46c1113 (\"drm/sched: Mark scheduler work queues with WQ_MEM_RECLAIM\")\namdgpu started seeing the following warning:\n\n [ ] workqueue: WQ_MEM_RECLAIM sdma0:drm_sched_run_job_work [gpu_sched] is flushing !WQ_MEM_RECLAIM events:amdgpu_device_delay_enable_gfx_off [amdgpu]\n...\n [ ] Workqueue: sdma0 drm_sched_run_job_work [gpu_sched]\n...\n [ ] Call Trace:\n [ ] \n...\n [ ] ? check_flush_dependency+0xf5/0x110\n...\n [ ] cancel_delayed_work_sync+0x6e/0x80\n [ ] amdgpu_gfx_off_ctrl+0xab/0x140 [amdgpu]\n [ ] amdgpu_ring_alloc+0x40/0x50 [amdgpu]\n [ ] amdgpu_ib_schedule+0xf4/0x810 [amdgpu]\n [ ] ? drm_sched_run_job_work+0x22c/0x430 [gpu_sched]\n [ ] amdgpu_job_run+0xaa/0x1f0 [amdgpu]\n [ ] drm_sched_run_job_work+0x257/0x430 [gpu_sched]\n [ ] process_one_work+0x217/0x720\n...\n [ ] \n\nThe intent of the verifcation done in check_flush_depedency is to ensure\nforward progress during memory reclaim, by flagging cases when either a\nmemory reclaim process, or a memory reclaim work item is flushed from a\ncontext not marked as memory reclaim safe.\n\nThis is correct when flushing, but when called from the\ncancel(_delayed)_work_sync() paths it is a false positive because work is\neither already running, or will not be running at all. 
Therefore\ncancelling it is safe and we can relax the warning criteria by letting the\nhelper know of the calling context.\n\nReferences: 746ae46c1113 (\"drm/sched: Mark scheduler work queues with WQ_MEM_RECLAIM\")", + "external_references": [ + { + "source_name": "cve", + "external_id": "CVE-2024-57888" + } + ] + } + ] +} \ No newline at end of file diff --git a/objects/vulnerability/vulnerability--b7c6b147-481c-4257-864f-971750aa48dc.json b/objects/vulnerability/vulnerability--b7c6b147-481c-4257-864f-971750aa48dc.json new file mode 100644 index 0000000000..e52dcf0efd --- /dev/null +++ b/objects/vulnerability/vulnerability--b7c6b147-481c-4257-864f-971750aa48dc.json 
@@ -0,0 +1,22 @@ +{ + "type": "bundle", + "id": "bundle--15ec8a4b-a0d4-41b7-90f9-d34615222550", + "objects": [ + { + "type": "vulnerability", + "spec_version": "2.1", + "id": "vulnerability--b7c6b147-481c-4257-864f-971750aa48dc", + "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a", + "created": "2025-01-15T14:18:03.346715Z", + "modified": "2025-01-15T14:18:03.346715Z", + "name": "CVE-2024-57903", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: restrict SO_REUSEPORT to inet sockets\n\nAfter blamed commit, crypto sockets could accidentally be destroyed\nfrom RCU call back, as spotted by zyzbot [1].\n\nTrying to acquire a mutex in RCU callback is not allowed.\n\nRestrict SO_REUSEPORT socket option to inet sockets.\n\nv1 of this patch supported TCP, UDP and SCTP sockets,\nbut fcnal-test.sh test needed RAW and ICMP support.\n\n[1]\nBUG: sleeping function called from invalid context at kernel/locking/mutex.c:562\nin_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 24, name: ksoftirqd/1\npreempt_count: 100, expected: 0\nRCU nest depth: 0, expected: 0\n1 lock held by ksoftirqd/1/24:\n #0: ffffffff8e937ba0 (rcu_callback){....}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:337 [inline]\n #0: ffffffff8e937ba0 (rcu_callback){....}-{0:0}, at: rcu_do_batch kernel/rcu/tree.c:2561 [inline]\n #0: ffffffff8e937ba0 (rcu_callback){....}-{0:0}, at: rcu_core+0xa37/0x17a0 kernel/rcu/tree.c:2823\nPreemption disabled at:\n [] softirq_handle_begin kernel/softirq.c:402 [inline]\n [] handle_softirqs+0x128/0x9b0 kernel/softirq.c:537\nCPU: 1 UID: 0 PID: 24 Comm: ksoftirqd/1 Not tainted 6.13.0-rc3-syzkaller-00174-ga024e377efed #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nCall Trace:\n \n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n __might_resched+0x5d4/0x780 kernel/sched/core.c:8758\n __mutex_lock_common 
kernel/locking/mutex.c:562 [inline]\n __mutex_lock+0x131/0xee0 kernel/locking/mutex.c:735\n crypto_put_default_null_skcipher+0x18/0x70 crypto/crypto_null.c:179\n aead_release+0x3d/0x50 crypto/algif_aead.c:489\n alg_do_release crypto/af_alg.c:118 [inline]\n alg_sock_destruct+0x86/0xc0 crypto/af_alg.c:502\n __sk_destruct+0x58/0x5f0 net/core/sock.c:2260\n rcu_do_batch kernel/rcu/tree.c:2567 [inline]\n rcu_core+0xaaa/0x17a0 kernel/rcu/tree.c:2823\n handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:561\n run_ksoftirqd+0xca/0x130 kernel/softirq.c:950\n smpboot_thread_fn+0x544/0xa30 kernel/smpboot.c:164\n kthread+0x2f0/0x390 kernel/kthread.c:389\n ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n ", + "external_references": [ + { + "source_name": "cve", + "external_id": "CVE-2024-57903" + } + ] + } + ] +} \ No newline at end of file diff --git a/objects/vulnerability/vulnerability--c8696c40-02e5-4340-8978-a2b01bb28d1f.json b/objects/vulnerability/vulnerability--c8696c40-02e5-4340-8978-a2b01bb28d1f.json new file mode 100644 index 0000000000..1e0a0b83d1 --- /dev/null +++ b/objects/vulnerability/vulnerability--c8696c40-02e5-4340-8978-a2b01bb28d1f.json 
@@ -0,0 +1,22 @@ +{ + "type": "bundle", + "id": "bundle--c24d5eb0-69a4-44d0-925b-bc74ef35cd5b", + "objects": [ + { + "type": "vulnerability", + "spec_version": "2.1", + "id": "vulnerability--c8696c40-02e5-4340-8978-a2b01bb28d1f", + "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a", + "created": "2025-01-15T14:18:03.379036Z", + "modified": "2025-01-15T14:18:03.379036Z", + "name": "CVE-2024-57890", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/uverbs: Prevent integer overflow issue\n\nIn the expression \"cmd.wqe_size * cmd.wr_count\", both variables are u32\nvalues that come from the user so the multiplication can lead to integer\nwrapping. Then we pass the result to uverbs_request_next_ptr() which also\ncould potentially wrap. The \"cmd.sge_count * sizeof(struct ib_uverbs_sge)\"\nmultiplication can also overflow on 32bit systems although it's fine on\n64bit systems.\n\nThis patch does two things. First, I've re-arranged the condition in\nuverbs_request_next_ptr() so that the use controlled variable \"len\" is on\none side of the comparison by itself without any math. Then I've modified\nall the callers to use size_mul() for the multiplications.", + "external_references": [ + { + "source_name": "cve", + "external_id": "CVE-2024-57890" + } + ] + } + ] +} \ No newline at end of file diff --git a/objects/vulnerability/vulnerability--cd9b5cca-91c1-46ff-aa14-34e588c15140.json b/objects/vulnerability/vulnerability--cd9b5cca-91c1-46ff-aa14-34e588c15140.json new file mode 100644 index 0000000000..bb9a17019f --- /dev/null +++ b/objects/vulnerability/vulnerability--cd9b5cca-91c1-46ff-aa14-34e588c15140.json 
@@ -0,0 +1,22 @@ +{ + "type": "bundle", + "id": "bundle--cc6511fb-d052-4466-84e2-b73bc6cac384", + "objects": [ + { + "type": "vulnerability", + "spec_version": "2.1", + "id": "vulnerability--cd9b5cca-91c1-46ff-aa14-34e588c15140", + "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a", + "created": "2025-01-15T14:18:03.359265Z", + "modified": "2025-01-15T14:18:03.359265Z", + "name": "CVE-2024-57795", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Remove the direct link to net_device\n\nThe similar patch in siw is in the link:\nhttps://git.kernel.org/rdma/rdma/c/16b87037b48889\n\nThis problem also occurred in RXE. The following analyze this problem.\nIn the following Call Traces:\n\"\nBUG: KASAN: slab-use-after-free in dev_get_flags+0x188/0x1d0 net/core/dev.c:8782\nRead of size 4 at addr ffff8880554640b0 by task kworker/1:4/5295\n\nCPU: 1 UID: 0 PID: 5295 Comm: kworker/1:4 Not tainted\n6.12.0-rc3-syzkaller-00399-g9197b73fd7bb #0\nHardware name: Google Compute Engine/Google Compute Engine,\nBIOS Google 09/13/2024\nWorkqueue: infiniband ib_cache_event_task\nCall Trace:\n \n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n dev_get_flags+0x188/0x1d0 net/core/dev.c:8782\n rxe_query_port+0x12d/0x260 drivers/infiniband/sw/rxe/rxe_verbs.c:60\n __ib_query_port drivers/infiniband/core/device.c:2111 [inline]\n ib_query_port+0x168/0x7d0 drivers/infiniband/core/device.c:2143\n ib_cache_update+0x1a9/0xb80 drivers/infiniband/core/cache.c:1494\n ib_cache_event_task+0xf3/0x1e0 drivers/infiniband/core/cache.c:1568\n process_one_work kernel/workqueue.c:3229 [inline]\n process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310\n worker_thread+0x870/0xd30 kernel/workqueue.c:3391\n kthread+0x2f2/0x390 kernel/kthread.c:389\n 
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n \n\"\n\n1). In the link [1],\n\n\"\n infiniband syz2: set down\n\"\n\nThis means that on 839.350575, the event ib_cache_event_task was sent andi\nqueued in ib_wq.\n\n2). In the link [1],\n\n\"\n team0 (unregistering): Port device team_slave_0 removed\n\"\n\nIt indicates that before 843.251853, the net device should be freed.\n\n3). In the link [1],\n\n\"\n BUG: KASAN: slab-use-after-free in dev_get_flags+0x188/0x1d0\n\"\n\nThis means that on 850.559070, this slab-use-after-free problem occurred.\n\nIn all, on 839.350575, the event ib_cache_event_task was sent and queued\nin ib_wq,\n\nbefore 843.251853, the net device veth was freed.\n\non 850.559070, this event was executed, and the mentioned freed net device\nwas called. Thus, the above call trace occurred.\n\n[1] https://syzkaller.appspot.com/x/log.txt?x=12e7025f980000", + "external_references": [ + { + "source_name": "cve", + "external_id": "CVE-2024-57795" + } + ] + } + ] +} \ No newline at end of file diff --git a/objects/vulnerability/vulnerability--cda82f24-d447-41fb-b67a-9c1f7e5383de.json b/objects/vulnerability/vulnerability--cda82f24-d447-41fb-b67a-9c1f7e5383de.json new file mode 100644 index 0000000000..5d686d6637 --- /dev/null +++ b/objects/vulnerability/vulnerability--cda82f24-d447-41fb-b67a-9c1f7e5383de.json 
@@ -0,0 +1,22 @@ +{ + "type": "bundle", + "id": "bundle--6aeaaa79-9f92-48ff-a37d-b7167d2a0721", + "objects": [ + { + "type": "vulnerability", + "spec_version": "2.1", + "id": "vulnerability--cda82f24-d447-41fb-b67a-9c1f7e5383de", + "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a", + "created": "2025-01-15T14:18:04.237652Z", + "modified": "2025-01-15T14:18:04.237652Z", + "name": "CVE-2024-54031", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext\n\nAccess to genmask field in struct nft_set_ext results in unaligned\natomic read:\n\n[ 72.130109] Unable to handle kernel paging request at virtual address ffff0000c2bb708c\n[ 72.131036] Mem abort info:\n[ 72.131213] ESR = 0x0000000096000021\n[ 72.131446] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 72.132209] SET = 0, FnV = 0\n[ 72.133216] EA = 0, S1PTW = 0\n[ 72.134080] FSC = 0x21: alignment fault\n[ 72.135593] Data abort info:\n[ 72.137194] ISV = 0, ISS = 0x00000021, ISS2 = 0x00000000\n[ 72.142351] CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[ 72.145989] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[ 72.150115] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000237d27000\n[ 72.154893] [ffff0000c2bb708c] pgd=0000000000000000, p4d=180000023ffff403, pud=180000023f84b403, pmd=180000023f835403,\n+pte=0068000102bb7707\n[ 72.163021] Internal error: Oops: 0000000096000021 [#1] SMP\n[...]\n[ 72.170041] CPU: 7 UID: 0 PID: 54 Comm: kworker/7:0 Tainted: G E 6.13.0-rc3+ #2\n[ 72.170509] Tainted: [E]=UNSIGNED_MODULE\n[ 72.170720] Hardware name: QEMU QEMU Virtual Machine, BIOS edk2-stable202302-for-qemu 03/01/2023\n[ 72.171192] Workqueue: events_power_efficient nft_rhash_gc [nf_tables]\n[ 72.171552] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[ 72.171915] pc : nft_rhash_gc+0x200/0x2d8 [nf_tables]\n[ 72.172166] lr : nft_rhash_gc+0x128/0x2d8 [nf_tables]\n[ 72.172546] sp : ffff800081f2bce0\n[ 
72.172724] x29: ffff800081f2bd40 x28: ffff0000c2bb708c x27: 0000000000000038\n[ 72.173078] x26: ffff0000c6780ef0 x25: ffff0000c643df00 x24: ffff0000c6778f78\n[ 72.173431] x23: 000000000000001a x22: ffff0000c4b1f000 x21: ffff0000c6780f78\n[ 72.173782] x20: ffff0000c2bb70dc x19: ffff0000c2bb7080 x18: 0000000000000000\n[ 72.174135] x17: ffff0000c0a4e1c0 x16: 0000000000003000 x15: 0000ac26d173b978\n[ 72.174485] x14: ffffffffffffffff x13: 0000000000000030 x12: ffff0000c6780ef0\n[ 72.174841] x11: 0000000000000000 x10: ffff800081f2bcf8 x9 : ffff0000c3000000\n[ 72.175193] x8 : 00000000000004be x7 : 0000000000000000 x6 : 0000000000000000\n[ 72.175544] x5 : 0000000000000040 x4 : ffff0000c3000010 x3 : 0000000000000000\n[ 72.175871] x2 : 0000000000003a98 x1 : ffff0000c2bb708c x0 : 0000000000000004\n[ 72.176207] Call trace:\n[ 72.176316] nft_rhash_gc+0x200/0x2d8 [nf_tables] (P)\n[ 72.176653] process_one_work+0x178/0x3d0\n[ 72.176831] worker_thread+0x200/0x3f0\n[ 72.176995] kthread+0xe8/0xf8\n[ 72.177130] ret_from_fork+0x10/0x20\n[ 72.177289] Code: 54fff984 d503201f d2800080 91003261 (f820303f)\n[ 72.177557] ---[ end trace 0000000000000000 ]---\n\nAlign struct nft_set_ext to word size to address this and\ndocumentation it.\n\npahole reports that this increases the size of elements for rhash and\npipapo in 8 bytes on x86_64.", + "external_references": [ + { + "source_name": "cve", + "external_id": "CVE-2024-54031" + } + ] + } + ] +} \ No newline at end of file diff --git a/objects/vulnerability/vulnerability--d3ec54b2-ecc1-4f08-ad67-b8ef24d9826c.json b/objects/vulnerability/vulnerability--d3ec54b2-ecc1-4f08-ad67-b8ef24d9826c.json new file mode 100644 index 0000000000..8d585e075b --- /dev/null +++ b/objects/vulnerability/vulnerability--d3ec54b2-ecc1-4f08-ad67-b8ef24d9826c.json 
@@ -0,0 +1,22 @@ +{ + "type": "bundle", + "id": "bundle--0f7ab76c-50f9-451d-b25a-69a38d9e1b83", + "objects": [ + { + "type": "vulnerability", + "spec_version": "2.1", + "id": "vulnerability--d3ec54b2-ecc1-4f08-ad67-b8ef24d9826c", + "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a", + "created": "2025-01-15T14:18:03.398488Z", + "modified": "2025-01-15T14:18:03.398488Z", + "name": "CVE-2024-57801", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Skip restore TC rules for vport rep without loaded flag\n\nDuring driver unload, unregister_netdev is called after unloading\nvport rep. So, the mlx5e_rep_priv is already freed while trying to get\nrpriv->netdev, or walk rpriv->tc_ht, which results in use-after-free.\nSo add the checking to make sure access the data of vport rep which is\nstill loaded.", + "external_references": [ + { + "source_name": "cve", + "external_id": "CVE-2024-57801" + } + ] + } + ] +} \ No newline at end of file diff --git a/objects/vulnerability/vulnerability--d60e9561-b74c-4fed-b11e-2993f070db8c.json b/objects/vulnerability/vulnerability--d60e9561-b74c-4fed-b11e-2993f070db8c.json new file mode 100644 index 0000000000..fb610adec6 --- /dev/null +++ b/objects/vulnerability/vulnerability--d60e9561-b74c-4fed-b11e-2993f070db8c.json 
@@ -0,0 +1,22 @@ +{ + "type": "bundle", + "id": "bundle--aa9f0210-6d01-4a7b-8da2-8c2495904737", + "objects": [ + { + "type": "vulnerability", + "spec_version": "2.1", + "id": "vulnerability--d60e9561-b74c-4fed-b11e-2993f070db8c", + "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a", + "created": "2025-01-15T14:18:03.348129Z", + "modified": "2025-01-15T14:18:03.348129Z", + "name": "CVE-2024-57894", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_core: Fix sleeping function called from invalid context\n\nThis reworks hci_cb_list to not use mutex hci_cb_list_lock to avoid bugs\nlike the bellow:\n\nBUG: sleeping function called from invalid context at kernel/locking/mutex.c:585\nin_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 5070, name: kworker/u9:2\npreempt_count: 0, expected: 0\nRCU nest depth: 1, expected: 0\n4 locks held by kworker/u9:2/5070:\n #0: ffff888015be3948 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3229 [inline]\n #0: ffff888015be3948 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_scheduled_works+0x8e0/0x1770 kernel/workqueue.c:3335\n #1: ffffc90003b6fd00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3230 [inline]\n #1: ffffc90003b6fd00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x91b/0x1770 kernel/workqueue.c:3335\n #2: ffff8880665d0078 (&hdev->lock){+.+.}-{3:3}, at: hci_le_create_big_complete_evt+0xcf/0xae0 net/bluetooth/hci_event.c:6914\n #3: ffffffff8e132020 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:298 [inline]\n #3: ffffffff8e132020 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:750 [inline]\n #3: ffffffff8e132020 (rcu_read_lock){....}-{1:2}, at: hci_le_create_big_complete_evt+0xdb/0xae0 net/bluetooth/hci_event.c:6915\nCPU: 0 PID: 5070 Comm: kworker/u9:2 Not tainted 6.8.0-syzkaller-08073-g480e035fc4c7 
#0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nWorkqueue: hci0 hci_rx_work\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n __might_resched+0x5d4/0x780 kernel/sched/core.c:10187\n __mutex_lock_common kernel/locking/mutex.c:585 [inline]\n __mutex_lock+0xc1/0xd70 kernel/locking/mutex.c:752\n hci_connect_cfm include/net/bluetooth/hci_core.h:2004 [inline]\n hci_le_create_big_complete_evt+0x3d9/0xae0 net/bluetooth/hci_event.c:6939\n hci_event_func net/bluetooth/hci_event.c:7514 [inline]\n hci_event_packet+0xa53/0x1540 net/bluetooth/hci_event.c:7569\n hci_rx_work+0x3e8/0xca0 net/bluetooth/hci_core.c:4171\n process_one_work kernel/workqueue.c:3254 [inline]\n process_scheduled_works+0xa00/0x1770 kernel/workqueue.c:3335\n worker_thread+0x86d/0xd70 kernel/workqueue.c:3416\n kthread+0x2f0/0x390 kernel/kthread.c:388\n ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243\n ", + "external_references": [ + { + "source_name": "cve", + "external_id": "CVE-2024-57894" + } + ] + } + ] +} \ No newline at end of file diff --git a/objects/vulnerability/vulnerability--dc429a42-c1f6-4eed-850a-f8b66cb054e2.json b/objects/vulnerability/vulnerability--dc429a42-c1f6-4eed-850a-f8b66cb054e2.json new file mode 100644 index 0000000000..0c78e8314a --- /dev/null +++ b/objects/vulnerability/vulnerability--dc429a42-c1f6-4eed-850a-f8b66cb054e2.json 
@@ -0,0 +1,22 @@ +{ + "type": "bundle", + "id": "bundle--75b53c30-ec94-4ae9-a18d-6a20152cef63", + "objects": [ + { + "type": "vulnerability", + "spec_version": "2.1", + "id": "vulnerability--dc429a42-c1f6-4eed-850a-f8b66cb054e2", + "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a", + "created": "2025-01-15T14:18:03.337638Z", + "modified": "2025-01-15T14:18:03.337638Z", + "name": "CVE-2024-57901", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_packet: fix vlan_get_protocol_dgram() vs MSG_PEEK\n\nBlamed commit forgot MSG_PEEK case, allowing a crash [1] as found\nby syzbot.\n\nRework vlan_get_protocol_dgram() to not touch skb at all,\nso that it can be used from many cpus on the same skb.\n\nAdd a const qualifier to skb argument.\n\n[1]\nskbuff: skb_under_panic: text:ffffffff8a8ccd05 len:29 put:14 head:ffff88807fc8e400 data:ffff88807fc8e3f4 tail:0x11 end:0x140 dev:\n------------[ cut here ]------------\n kernel BUG at net/core/skbuff.c:206 !\nOops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI\nCPU: 1 UID: 0 PID: 5892 Comm: syz-executor883 Not tainted 6.13.0-rc4-syzkaller-00054-gd6ef8b40d075 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\n RIP: 0010:skb_panic net/core/skbuff.c:206 [inline]\n RIP: 0010:skb_under_panic+0x14b/0x150 net/core/skbuff.c:216\nCode: 0b 8d 48 c7 c6 86 d5 25 8e 48 8b 54 24 08 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 41 54 41 57 41 56 e8 5a 69 79 f7 48 83 c4 20 90 <0f> 0b 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3\nRSP: 0018:ffffc900038d7638 EFLAGS: 00010282\nRAX: 0000000000000087 RBX: dffffc0000000000 RCX: 609ffd18ea660600\nRDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000\nRBP: ffff88802483c8d0 R08: ffffffff817f0a8c R09: 1ffff9200071ae60\nR10: dffffc0000000000 R11: fffff5200071ae61 R12: 0000000000000140\nR13: ffff88807fc8e400 R14: ffff88807fc8e3f4 R15: 0000000000000011\nFS: 00007fbac5e006c0(0000) 
GS:ffff8880b8700000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fbac5e00d58 CR3: 000000001238e000 CR4: 00000000003526f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n skb_push+0xe5/0x100 net/core/skbuff.c:2636\n vlan_get_protocol_dgram+0x165/0x290 net/packet/af_packet.c:585\n packet_recvmsg+0x948/0x1ef0 net/packet/af_packet.c:3552\n sock_recvmsg_nosec net/socket.c:1033 [inline]\n sock_recvmsg+0x22f/0x280 net/socket.c:1055\n ____sys_recvmsg+0x1c6/0x480 net/socket.c:2803\n ___sys_recvmsg net/socket.c:2845 [inline]\n do_recvmmsg+0x426/0xab0 net/socket.c:2940\n __sys_recvmmsg net/socket.c:3014 [inline]\n __do_sys_recvmmsg net/socket.c:3037 [inline]\n __se_sys_recvmmsg net/socket.c:3030 [inline]\n __x64_sys_recvmmsg+0x199/0x250 net/socket.c:3030\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f", + "external_references": [ + { + "source_name": "cve", + "external_id": "CVE-2024-57901" + } + ] + } + ] +} \ No newline at end of file diff --git a/objects/vulnerability/vulnerability--dec05a2a-41fd-4f1b-ad86-d04c27efb1e7.json b/objects/vulnerability/vulnerability--dec05a2a-41fd-4f1b-ad86-d04c27efb1e7.json new file mode 100644 index 0000000000..706656615f --- /dev/null +++ b/objects/vulnerability/vulnerability--dec05a2a-41fd-4f1b-ad86-d04c27efb1e7.json 
@@ -0,0 +1,22 @@ +{ + "type": "bundle", + "id": "bundle--aa7b9f19-5788-419f-b649-9eb7841cbd46", + "objects": [ + { + "type": "vulnerability", + "spec_version": "2.1", + "id": "vulnerability--dec05a2a-41fd-4f1b-ad86-d04c27efb1e7", + "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a", + "created": "2025-01-15T14:18:03.365186Z", + "modified": "2025-01-15T14:18:03.365186Z", + "name": "CVE-2024-57896", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: flush delalloc workers queue before stopping cleaner kthread during unmount\n\nDuring the unmount path, at close_ctree(), we first stop the cleaner\nkthread, using kthread_stop() which frees the associated task_struct, and\nthen stop and destroy all the work queues. However after we stopped the\ncleaner we may still have a worker from the delalloc_workers queue running\ninode.c:submit_compressed_extents(), which calls btrfs_add_delayed_iput(),\nwhich in turn tries to wake up the cleaner kthread - which was already\ndestroyed before, resulting in a use-after-free on the task_struct.\n\nSyzbot reported this with the following stack traces:\n\n BUG: KASAN: slab-use-after-free in __lock_acquire+0x78/0x2100 kernel/locking/lockdep.c:5089\n Read of size 8 at addr ffff8880259d2818 by task kworker/u8:3/52\n\n CPU: 1 UID: 0 PID: 52 Comm: kworker/u8:3 Not tainted 6.13.0-rc1-syzkaller-00002-gcdd30ebb1b9f #0\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\n Workqueue: btrfs-delalloc btrfs_work_helper\n Call Trace:\n \n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:489\n kasan_report+0x143/0x180 mm/kasan/report.c:602\n __lock_acquire+0x78/0x2100 kernel/locking/lockdep.c:5089\n lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849\n __raw_spin_lock_irqsave 
include/linux/spinlock_api_smp.h:110 [inline]\n _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162\n class_raw_spinlock_irqsave_constructor include/linux/spinlock.h:551 [inline]\n try_to_wake_up+0xc2/0x1470 kernel/sched/core.c:4205\n submit_compressed_extents+0xdf/0x16e0 fs/btrfs/inode.c:1615\n run_ordered_work fs/btrfs/async-thread.c:288 [inline]\n btrfs_work_helper+0x96f/0xc40 fs/btrfs/async-thread.c:324\n process_one_work kernel/workqueue.c:3229 [inline]\n process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310\n worker_thread+0x870/0xd30 kernel/workqueue.c:3391\n kthread+0x2f0/0x390 kernel/kthread.c:389\n ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n \n\n Allocated by task 2:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n unpoison_slab_object mm/kasan/common.c:319 [inline]\n __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:345\n kasan_slab_alloc include/linux/kasan.h:250 [inline]\n slab_post_alloc_hook mm/slub.c:4104 [inline]\n slab_alloc_node mm/slub.c:4153 [inline]\n kmem_cache_alloc_node_noprof+0x1d9/0x380 mm/slub.c:4205\n alloc_task_struct_node kernel/fork.c:180 [inline]\n dup_task_struct+0x57/0x8c0 kernel/fork.c:1113\n copy_process+0x5d1/0x3d50 kernel/fork.c:2225\n kernel_clone+0x223/0x870 kernel/fork.c:2807\n kernel_thread+0x1bc/0x240 kernel/fork.c:2869\n create_kthread kernel/kthread.c:412 [inline]\n kthreadd+0x60d/0x810 kernel/kthread.c:767\n ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n\n Freed by task 24:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582\n poison_slab_object mm/kasan/common.c:247 [inline]\n __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264\n kasan_slab_free include/linux/kasan.h:233 [inline]\n slab_free_hook mm/slub.c:2338 
[inline]\n slab_free mm/slub.c:4598 [inline]\n kmem_cache_free+0x195/0x410 mm/slub.c:4700\n put_task_struct include/linux/sched/task.h:144 [inline]\n delayed_put_task_struct+0x125/0x300 kernel/exit.c:227\n rcu_do_batch kernel/rcu/tree.c:2567 [inline]\n rcu_core+0xaaa/0x17a0 kernel/rcu/tree.c:2823\n handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:554\n run_ksoftirqd+0xca/0x130 kernel/softirq.c:943\n \n---truncated---", + "external_references": [ + { + "source_name": "cve", + "external_id": "CVE-2024-57896" + } + ] + } + ] +} \ No newline at end of file diff --git a/objects/vulnerability/vulnerability--e6a1dbff-1630-48df-8fbb-194fab4ea077.json b/objects/vulnerability/vulnerability--e6a1dbff-1630-48df-8fbb-194fab4ea077.json new file mode 100644 index 0000000000..78aa4ae304 --- /dev/null +++ b/objects/vulnerability/vulnerability--e6a1dbff-1630-48df-8fbb-194fab4ea077.json 
@@ -0,0 +1,22 @@ +{ + "type": "bundle", + "id": "bundle--03a81534-3302-4b9a-b8d9-d07e17bebc64", + "objects": [ + { + "type": "vulnerability", + "spec_version": "2.1", + "id": "vulnerability--e6a1dbff-1630-48df-8fbb-194fab4ea077", + "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a", + "created": "2025-01-15T14:18:03.402696Z", + "modified": "2025-01-15T14:18:03.402696Z", + "name": "CVE-2024-57884", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: vmscan: account for free pages to prevent infinite Loop in throttle_direct_reclaim()\n\nThe task sometimes continues looping in throttle_direct_reclaim() because\nallow_direct_reclaim(pgdat) keeps returning false. \n\n #0 [ffff80002cb6f8d0] __switch_to at ffff8000080095ac\n #1 [ffff80002cb6f900] __schedule at ffff800008abbd1c\n #2 [ffff80002cb6f990] schedule at ffff800008abc50c\n #3 [ffff80002cb6f9b0] throttle_direct_reclaim at ffff800008273550\n #4 [ffff80002cb6fa20] try_to_free_pages at ffff800008277b68\n #5 [ffff80002cb6fae0] __alloc_pages_nodemask at ffff8000082c4660\n #6 [ffff80002cb6fc50] alloc_pages_vma at ffff8000082e4a98\n #7 [ffff80002cb6fca0] do_anonymous_page at ffff80000829f5a8\n #8 [ffff80002cb6fce0] __handle_mm_fault at ffff8000082a5974\n #9 [ffff80002cb6fd90] handle_mm_fault at ffff8000082a5bd4\n\nAt this point, the pgdat contains the following two zones:\n\n NODE: 4 ZONE: 0 ADDR: ffff00817fffe540 NAME: \"DMA32\"\n SIZE: 20480 MIN/LOW/HIGH: 11/28/45\n VM_STAT:\n NR_FREE_PAGES: 359\n NR_ZONE_INACTIVE_ANON: 18813\n NR_ZONE_ACTIVE_ANON: 0\n NR_ZONE_INACTIVE_FILE: 50\n NR_ZONE_ACTIVE_FILE: 0\n NR_ZONE_UNEVICTABLE: 0\n NR_ZONE_WRITE_PENDING: 0\n NR_MLOCK: 0\n NR_BOUNCE: 0\n NR_ZSPAGES: 0\n NR_FREE_CMA_PAGES: 0\n\n NODE: 4 ZONE: 1 ADDR: ffff00817fffec00 NAME: \"Normal\"\n SIZE: 8454144 PRESENT: 98304 MIN/LOW/HIGH: 68/166/264\n VM_STAT:\n NR_FREE_PAGES: 146\n NR_ZONE_INACTIVE_ANON: 94668\n NR_ZONE_ACTIVE_ANON: 3\n NR_ZONE_INACTIVE_FILE: 735\n 
NR_ZONE_ACTIVE_FILE: 78\n NR_ZONE_UNEVICTABLE: 0\n NR_ZONE_WRITE_PENDING: 0\n NR_MLOCK: 0\n NR_BOUNCE: 0\n NR_ZSPAGES: 0\n NR_FREE_CMA_PAGES: 0\n\nIn allow_direct_reclaim(), while processing ZONE_DMA32, the sum of\ninactive/active file-backed pages calculated in zone_reclaimable_pages()\nbased on the result of zone_page_state_snapshot() is zero. \n\nAdditionally, since this system lacks swap, the calculation of inactive/\nactive anonymous pages is skipped.\n\n crash> p nr_swap_pages\n nr_swap_pages = $1937 = {\n counter = 0\n }\n\nAs a result, ZONE_DMA32 is deemed unreclaimable and skipped, moving on to\nthe processing of the next zone, ZONE_NORMAL, despite ZONE_DMA32 having\nfree pages significantly exceeding the high watermark.\n\nThe problem is that the pgdat->kswapd_failures hasn't been incremented.\n\n crash> px ((struct pglist_data *) 0xffff00817fffe540)->kswapd_failures\n $1935 = 0x0\n\nThis is because the node deemed balanced. The node balancing logic in\nbalance_pgdat() evaluates all zones collectively. If one or more zones\n(e.g., ZONE_DMA32) have enough free pages to meet their watermarks, the\nentire node is deemed balanced. This causes balance_pgdat() to exit early\nbefore incrementing the kswapd_failures, as it considers the overall\nmemory state acceptable, even though some zones (like ZONE_NORMAL) remain\nunder significant pressure.\n\n\nThe patch ensures that zone_reclaimable_pages() includes free pages\n(NR_FREE_PAGES) in its calculation when no other reclaimable pages are\navailable (e.g., file-backed or anonymous pages). This change prevents\nzones like ZONE_DMA32, which have sufficient free pages, from being\nmistakenly deemed unreclaimable. 
By doing so, the patch ensures proper\nnode balancing, avoids masking pressure on other zones like ZONE_NORMAL,\nand prevents infinite loops in throttle_direct_reclaim() caused by\nallow_direct_reclaim(pgdat) repeatedly returning false.\n\n\nThe kernel hangs due to a task stuck in throttle_direct_reclaim(), caused\nby a node being incorrectly deemed balanced despite pressure in certain\nzones, such as ZONE_NORMAL. This issue arises from\nzone_reclaimable_pages\n---truncated---", + "external_references": [ + { + "source_name": "cve", + "external_id": "CVE-2024-57884" + } + ] + } + ] +} \ No newline at end of file diff --git a/objects/vulnerability/vulnerability--e97e44fc-8e24-4c8c-a297-cb4e614c97fd.json b/objects/vulnerability/vulnerability--e97e44fc-8e24-4c8c-a297-cb4e614c97fd.json new file mode 100644 index 0000000000..51be5d26ca --- /dev/null +++ b/objects/vulnerability/vulnerability--e97e44fc-8e24-4c8c-a297-cb4e614c97fd.json 
@@ -0,0 +1,22 @@ +{ + "type": "bundle", + "id": "bundle--71ec4a9d-559c-4c6e-8aa6-cd156886a5ef", + "objects": [ + { + "type": "vulnerability", + "spec_version": "2.1", + "id": "vulnerability--e97e44fc-8e24-4c8c-a297-cb4e614c97fd", + "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a", + "created": "2025-01-15T14:18:03.394477Z", + "modified": "2025-01-15T14:18:03.394477Z", + "name": "CVE-2024-57902", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_packet: fix vlan_get_tci() vs MSG_PEEK\n\nBlamed commit forgot MSG_PEEK case, allowing a crash [1] as found\nby syzbot.\n\nRework vlan_get_tci() to not touch skb at all,\nso that it can be used from many cpus on the same skb.\n\nAdd a const qualifier to skb argument.\n\n[1]\nskbuff: skb_under_panic: text:ffffffff8a8da482 len:32 put:14 head:ffff88807a1d5800 data:ffff88807a1d5810 tail:0x14 end:0x140 dev:\n------------[ cut here ]------------\n kernel BUG at net/core/skbuff.c:206 !\nOops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI\nCPU: 0 UID: 0 PID: 5880 Comm: syz-executor172 Not tainted 6.13.0-rc3-syzkaller-00762-g9268abe611b0 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\n RIP: 0010:skb_panic net/core/skbuff.c:206 [inline]\n RIP: 0010:skb_under_panic+0x14b/0x150 net/core/skbuff.c:216\nCode: 0b 8d 48 c7 c6 9e 6c 26 8e 48 8b 54 24 08 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 41 54 41 57 41 56 e8 3a 5a 79 f7 48 83 c4 20 90 <0f> 0b 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3\nRSP: 0018:ffffc90003baf5b8 EFLAGS: 00010286\nRAX: 0000000000000087 RBX: dffffc0000000000 RCX: 8565c1eec37aa000\nRDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000\nRBP: ffff88802616fb50 R08: ffffffff817f0a4c R09: 1ffff92000775e50\nR10: dffffc0000000000 R11: fffff52000775e51 R12: 0000000000000140\nR13: ffff88807a1d5800 R14: ffff88807a1d5810 R15: 0000000000000014\nFS: 00007fa03261f6c0(0000) GS:ffff8880b8600000(0000) 
knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007ffd65753000 CR3: 0000000031720000 CR4: 00000000003526f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n skb_push+0xe5/0x100 net/core/skbuff.c:2636\n vlan_get_tci+0x272/0x550 net/packet/af_packet.c:565\n packet_recvmsg+0x13c9/0x1ef0 net/packet/af_packet.c:3616\n sock_recvmsg_nosec net/socket.c:1044 [inline]\n sock_recvmsg+0x22f/0x280 net/socket.c:1066\n ____sys_recvmsg+0x1c6/0x480 net/socket.c:2814\n ___sys_recvmsg net/socket.c:2856 [inline]\n do_recvmmsg+0x426/0xab0 net/socket.c:2951\n __sys_recvmmsg net/socket.c:3025 [inline]\n __do_sys_recvmmsg net/socket.c:3048 [inline]\n __se_sys_recvmmsg net/socket.c:3041 [inline]\n __x64_sys_recvmmsg+0x199/0x250 net/socket.c:3041\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83", + "external_references": [ + { + "source_name": "cve", + "external_id": "CVE-2024-57902" + } + ] + } + ] +} \ No newline at end of file diff --git a/objects/vulnerability/vulnerability--f3cce38d-98e9-4e91-8096-6576ca0513e7.json b/objects/vulnerability/vulnerability--f3cce38d-98e9-4e91-8096-6576ca0513e7.json new file mode 100644 index 0000000000..1bcf12e10c --- /dev/null +++ b/objects/vulnerability/vulnerability--f3cce38d-98e9-4e91-8096-6576ca0513e7.json 
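Review bot: The single `external_references` entry for CVE-2024-57902 has only `source_name`/`external_id` and no `url`, and the object carries no affected-version, fixed-commit or severity data, so a consumer of this bundle cannot decide whether a given kernel is affected without resolving the ID elsewhere. The description itself does show the trigger path (`__x64_sys_recvmmsg` → `packet_recvmsg` → `vlan_get_tci` → `skb_push` → `skb_under_panic`, "kernel BUG"), i.e. a local process with an AF_PACKET socket (normally CAP_NET_RAW) using MSG_PEEK can crash the kernel; that impact is worth stating as a labelled field rather than leaving it buried in the syzbot register dump. Consider adding `"url": "https://www.cve.org/CVERecord?id=CVE-2024-57902"` to the existing reference and, once known, a second reference pointing at the fixing commit. Note also that `created` and `modified` are the identical ingestion timestamp (`2025-01-15T14:18:03.394477Z`) rather than the CVE publication date, which downstream aging or "new this week" logic may misread unless the convention is documented.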
@@ -0,0 +1,22 @@ +{ + "type": "bundle", + "id": "bundle--0e6d1b3f-84bf-4df5-890d-2a4f57ccca36", + "objects": [ + { + "type": "vulnerability", + "spec_version": "2.1", + "id": "vulnerability--f3cce38d-98e9-4e91-8096-6576ca0513e7", + "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a", + "created": "2025-01-15T14:18:03.404314Z", + "modified": "2025-01-15T14:18:03.404314Z", + "name": "CVE-2024-57841", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix memory leak in tcp_conn_request()\n\nIf inet_csk_reqsk_queue_hash_add() return false, tcp_conn_request() will\nreturn without free the dst memory, which allocated in af_ops->route_req.\n\nHere is the kmemleak stack:\n\nunreferenced object 0xffff8881198631c0 (size 240):\n comm \"softirq\", pid 0, jiffies 4299266571 (age 1802.392s)\n hex dump (first 32 bytes):\n 00 10 9b 03 81 88 ff ff 80 98 da bc ff ff ff ff ................\n 81 55 18 bb ff ff ff ff 00 00 00 00 00 00 00 00 .U..............\n backtrace:\n [] kmem_cache_alloc+0x60c/0xa80\n [] dst_alloc+0x55/0x250\n [] rt_dst_alloc+0x46/0x1d0\n [] __mkroute_output+0x29a/0xa50\n [] ip_route_output_key_hash+0x10b/0x240\n [] ip_route_output_flow+0x1d/0x90\n [] inet_csk_route_req+0x2c5/0x500\n [] tcp_conn_request+0x691/0x12c0\n [] tcp_rcv_state_process+0x3c8/0x11b0\n [] tcp_v4_do_rcv+0x156/0x3b0\n [] tcp_v4_rcv+0x1cf8/0x1d80\n [] ip_protocol_deliver_rcu+0xf6/0x360\n [] ip_local_deliver_finish+0xe6/0x1e0\n [] ip_local_deliver+0xee/0x360\n [] ip_rcv+0xad/0x2f0\n [] __netif_receive_skb_one_core+0x123/0x140\n\nCall dst_release() to free the dst memory when\ninet_csk_reqsk_queue_hash_add() return false in tcp_conn_request().", + "external_references": [ + { + "source_name": "cve", + "external_id": "CVE-2024-57841" + } + ] + } + ] +} \ No newline at end of file
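Review bot: The record for CVE-2024-57841 gives no impact or reachability context, yet the kmemleak backtrace in its description shows the leaked `dst` is allocated on the inbound receive path (`ip_rcv` → `tcp_v4_rcv` → `tcp_rcv_state_process` → `tcp_conn_request`, from softirq, pid 0), so the leak appears to be driven by incoming SYNs to a listening socket whenever `inet_csk_reqsk_queue_hash_add()` returns false (the record does not say what makes it fail). That is a remote memory-exhaustion vector against hosts with a listener and deserves an explicit severity/impact annotation instead of being recoverable only by reading the trace. As with the sibling objects, the external reference has no `url` and there is no fixed-version or fixing-commit reference; consider `"url": "https://www.cve.org/CVERecord?id=CVE-2024-57841"` on the existing entry. The file is also committed without a trailing newline (`\ No newline at end of file`); emitting one keeps the generated JSON conventional for version control.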